WIP: Consul ACLs #117
1 changed file with 24 additions and 1 deletion
@ -35,7 +35,30 @@ in
};
};
systemd.services.consul.serviceConfig.Type = "notify";
systemd.services = {
consul.serviceConfig.Type = "notify";
consul-load-smt = {
wantedBy = [ "consul.service" ];
after = [ "consul.service" ];
environment.CONSUL_HTTP_ADDR = config.links.consulAgent.tuple;
path = [
config.services.consul.package
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
while ! test -e /run/locksmith/consul-systemManagementToken; do
echo Waiting for System Management Token
systemctl start locksmith.service
sleep 5
done
export CONSUL_HTTP_TOKEN_FILE=/run/locksmith/consul-systemManagementToken
consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)" # TODO: don't leak token on cmdline
max commented:
Setting the default token means it's no longer required to present a token when connecting to this agent. Should probably limit this to automatic actions only (`dns`, `replication` token types?)
'';
};
};
services.grafana-agent.settings.integrations.consul_exporter = {
enabled = true;
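Review bot: `consul acl set-agent-token default "$(< /run/locksmith/consul-systemManagementToken)"` hands the token over as a command-line argument, so for the lifetime of that process it is readable by any local user through `ps` or `/proc/<pid>/cmdline`, which is exactly what the `TODO` on that line flags. Since `CONSUL_HTTP_TOKEN_FILE` is already exported for authentication, the token value itself never needs to reach argv: set the agent token through the agent HTTP API (`PUT /v1/agent/token/default`) with the JSON body built from the file on stdin, or skip the runtime `set-agent-token` call and point the agent's `acl.tokens` configuration at the file. The choice of the `default` slot also deserves a second look, as max's comment on this hunk already says: `default` is applied to every request that arrives at this agent without a token, so loading the system management token into it effectively grants that token's privileges to anonymous callers; if the aim is only to let the agent perform its own registration and anti-entropy work, the `agent` slot is the narrower target. Finally, the `while ! test -e ...` loop is unbounded and the `oneshot` unit sets no `TimeoutStartSec`, so if locksmith never writes the file the unit stays in `activating` indefinitely; a retry limit or timeout that fails the unit with a clear message would surface the bootstrap problem instead of hiding it.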
Find a way to make Locksmith work better while bootstrapping. Polling like this is pretty fucked up. Maybe there should be a proper "Consul is ready without SMT" level and Locksmith and the Chant Listener should be configured to work with that level.