authorTimo Wilken2023-02-22 11:20:48 +0100
committerTimo Wilken2023-03-04 19:10:04 +0100
commitddd587b0778855f2199298d96fdd51792a948ea7 (patch)
treeb812a0f1b98aebdc89a613fc2453ad89d2e831f5 /tw
parent91f134456f9fedbe03ae5be3e62a06e84a0b5981 (diff)
Set up nomad, consul, vault
Diffstat (limited to 'tw')
-rw-r--r--tw/home.scm17
-rw-r--r--tw/home/files/zshrc6
-rw-r--r--tw/home/lap.scm2
-rw-r--r--tw/packages/ci.scm111
4 files changed, 136 insertions, 0 deletions
diff --git a/tw/home.scm b/tw/home.scm
index 3c957105..6968ae98 100644
--- a/tw/home.scm
+++ b/tw/home.scm
@@ -87,6 +87,23 @@ auto-expand-secmem
;; With #:recursive? #t, Guix keeps the files' permission bits, i.e. makes them executable.
`((".local/bin/ppscm" ,(local-file "home/files/ppscm" #:recursive? #t)))) ; pretty-print scheme files
+ (simple-service 'cern-ci-environment home-environment-variables-service-type
+ ;; Nomad, Consul, Vault
+ ;; Tokens are not defined here as they are stored in pass(1).
+ ;; Shell aliases to use tokens are defined in zshrc.
+ '(("NOMAD_ADDR" . "https://alinomad.cern.ch:443")
+ ("NOMAD_CACERT" . "${XDG_CONFIG_HOME}/cern-ca-bundle.crt")
+ ("NOMAD_CLIENT_CERT" . "${XDG_CONFIG_HOME}/grid-personal-cert.pem")
+ ("NOMAD_CLIENT_KEY" . "${XDG_CONFIG_HOME}/grid-personal-key.pem")
+ ("CONSUL_HTTP_ADDR" . "https://aliconsul.cern.ch:443")
+ ("CONSUL_CACERT" . "${XDG_CONFIG_HOME}/cern-ca-bundle.crt")
+ ("CONSUL_CLIENT_CERT" . "${XDG_CONFIG_HOME}/grid-personal-cert.pem")
+ ("CONSUL_CLIENT_KEY" . "${XDG_CONFIG_HOME}/grid-personal-key.pem")
+ ("VAULT_ADDR" . "https://alivault.cern.ch:443")
+ ("VAULT_CACERT" . "${XDG_CONFIG_HOME}/cern-ca-bundle.crt")
+ ("VAULT_CLIENT_CERT" . "${XDG_CONFIG_HOME}/grid-personal-cert.pem")
+ ("VAULT_CLIENT_KEY" . "${XDG_CONFIG_HOME}/grid-personal-key.pem")))
+
(simple-service 'common-environment home-environment-variables-service-type
`(;; Path to my own package definitions. If invoking `guix home'
;; afresh, this needs to be set manually to find these packages.
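Review bot: The twelve new NOMAD_*/CONSUL_*/VAULT_* values rely on `${XDG_CONFIG_HOME}` with no fallback, unlike the aurora aliases in zshrc which use `${XDG_CONFIG_HOME:-$HOME/.config}`. If that variable is not yet set when the home environment is sourced (the 'common-environment service that follows is a separate simple-service, and ordering between them is not visible here), the CA bundle and client cert/key paths expand to `/cern-ca-bundle.crt` etc., and the TLS settings silently point at nonexistent files. Using the same fallback form, e.g. `("NOMAD_CACERT" . "${XDG_CONFIG_HOME:-$HOME/.config}/cern-ca-bundle.crt")`, on all twelve entries keeps this consistent with the existing aliases. The enclosing service list starts before this hunk.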
diff --git a/tw/home/files/zshrc b/tw/home/files/zshrc
index dd4a24db..882cf60c 100644
--- a/tw/home/files/zshrc
+++ b/tw/home/files/zshrc
@@ -99,6 +99,12 @@ alias rot13='caesar 13'
alias wget='\wget --hsts-file="${XDG_CACHE_HOME:-$HOME/.cache}/wget-hsts"'
alias aurora="REQUESTS_CA_BUNDLE=${XDG_CONFIG_HOME:-$HOME/.config}/cern-ca-bundle.crt \aurora"
alias aurora_admin="REQUESTS_CA_BUNDLE=${XDG_CONFIG_HOME:-$HOME/.config}/cern-ca-bundle.crt \aurora_admin"
+alias nomad='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \nomad'
+alias nomad-pack='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \nomad-pack'
+alias nomad-diskfree='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \nomad-diskfree'
+alias levant='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \levant'
+alias consul='CONSUL_HTTP_TOKEN=$(pass cern/ci/consul-bootstrap-token | head -1) \consul'
+alias vault='VAULT_TOKEN=$(pass cern/ci/vault-root-token | head -1) \vault'
# Git aliases
alias ga='git add'
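Review bot: Every new alias injects the bootstrap/root token (`cern/ci/nomad-bootstrap-token`, `cern/ci/consul-bootstrap-token`, `cern/ci/vault-root-token`) into routine CLI use; a root token bypasses all policy, so day-to-day work is better done with a token scoped to a policy and the root/bootstrap entries kept for recovery only, which would mean pointing these aliases at a different pass entry. There is also no failure handling: if `pass` cannot decrypt (locked gpg-agent, missing entry) the substitution yields an empty string and the command runs unauthenticated with a confusing server-side error rather than a local one. A small wrapper function that checks `pass` succeeded before exporting the token would make that failure explicit, at the cost of a few lines per tool.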
diff --git a/tw/home/lap.scm b/tw/home/lap.scm
index 57133e0b..fe521592 100644
--- a/tw/home/lap.scm
+++ b/tw/home/lap.scm
@@ -30,6 +30,7 @@
#:use-module (tw home emacs)
#:use-module (tw packages alice)
#:use-module (tw packages catppuccin)
+ #:use-module (tw packages ci)
#:use-module (tw packages games)
#:use-module (tw packages xorg)
#:use-module (tw gexp)
@@ -116,6 +117,7 @@
;; Work
s3cmd python-alibuild ; python-alidistlint
+ hashicorp-nomad-bin hashicorp-consul-bin hashicorp-vault-bin hashicorp-packer-bin
;; i3 and Xorg. i3 itself must be installed system-wide for gdm to pick it up.
;; acpilight is a drop-in xbacklight replacement, as xbacklight doesn't work on my system.
diff --git a/tw/packages/ci.scm b/tw/packages/ci.scm
new file mode 100644
index 00000000..3a2619ac
--- /dev/null
+++ b/tw/packages/ci.scm
@@ -0,0 +1,111 @@
+(define-module (tw packages ci)
+ #:use-module (gnu packages base)
+ #:use-module (gnu packages elf)
+ #:use-module (guix build-system copy)
+ #:use-module (guix download)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils))
+
+(define-public (hashicorp-arch)
+ (cond
+ ((target-x86-64?) "amd64")
+ ((target-x86-32?) "386")
+ ((target-arm32?) "arm")
+ ((target-aarch64?) "arm64")))
+
+(define-public (hashicorp-download-url name version)
+ (string-append "https://releases.hashicorp.com/" name "/" version "/"
+ name "_" version "_linux_" (hashicorp-arch) ".zip"))
+
+(define-public hashicorp-packer-bin
+ (package
+ (name "hashicorp-packer")
+ (version "1.8.6")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "packer" version))
+ (sha256 (base32 "1bl5nckj9gqzdmkfaxjbsi4mv78ka5liiv9nin8n5slaawg43l2p"))))
+ (build-system copy-build-system)
+ (arguments '(#:install-plan '(("packer" "bin/"))))
+ (home-page "https://packer.io/")
+ (synopsis "Build automated machine images")
+ (description "Hashicorp Packer is a tool for creating identical machine
+images for multiple platforms from a single source configuration.")
+ (license license:mpl2.0)))
+
+(define-public hashicorp-consul-bin
+ (package
+ (name "hashicorp-consul")
+ (version "1.14.4")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "consul" version))
+ (sha256 (base32 "0ypxmnl68fg66rw06g5qldqgyrgkimgk56gspwv1bk797j2pryza"))))
+ (build-system copy-build-system)
+ (arguments '(#:install-plan '(("consul" "bin/"))))
+ (home-page "https://consul.io/")
+ (synopsis "Datacenter service mesh tool")
+ (description "Consul is a distributed, highly available, and data center
+aware solution to connect and configure applications across dynamic,
+distributed infrastructure.")
+ (license license:mpl2.0)))
+
+(define-public hashicorp-vault-bin
+ (package
+ (name "hashicorp-vault")
+ (version "1.12.3")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "vault" version))
+ (sha256 (base32 "1sxiqjq837mvl3r4awsxakyssf4jrcx45xzg0ys8fxp70snmp0pl"))))
+ (build-system copy-build-system)
+ (arguments '(#:install-plan '(("vault" "bin/"))))
+ (home-page "https://vaultproject.io/")
+ (synopsis "Secrets management, encryption as a service, and privileged
+access management")
+ (description "Vault is a tool for securely accessing secrets. A secret is
+anything that you want to tightly control access to, such as API keys,
+passwords, certificates, and more. Vault provides a unified interface to any
+secret, while providing tight access control and recording a detailed audit
+log.")
+ (license license:mpl2.0)))
+
+(define-public hashicorp-nomad-bin
+ (package
+ (name "hashicorp-nomad")
+ (version "1.4.4")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "nomad" version))
+ (sha256 (base32 "0l73ffffs002jkjfzidj604wzpjf38qfsghyvml7mnn3sz0v9fv3"))))
+ (build-system copy-build-system)
+ (arguments
+ `(#:install-plan '(("nomad" "bin/"))
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'patch-interpreter
+ ;; For some reason, the "nomad" binary has /lib64/ld-linux*.so
+ ;; hardcoded, so fix that.
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((patchelf
+ (string-append (assoc-ref inputs "patchelf")
+ "/bin/patchelf"))
+ (ld-linux.so
+ (string-append
+ (assoc-ref inputs "glibc")
+ "/lib/ld-" ,(package-version glibc) ".so")))
+ (invoke patchelf "--set-interpreter" ld-linux.so "nomad")))))))
+ (inputs (list glibc))
+ (native-inputs (list patchelf))
+ (home-page "https://nomadproject.io/")
+ (synopsis "A simple orchestrator to deploy and manage applications")
+ (description "Nomad is an easy-to-use, flexible, and performant workload
+orchestrator that can deploy a mix of microservice, batch, containerized, and
+non-containerized applications. Nomad is easy to operate and scale and has
+native Consul and Vault integrations.")
+ (license license:mpl2.0)))
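Review bot: `hashicorp-arch` has no `else` clause, so on any target other than the four listed it returns an unspecified value and `hashicorp-download-url` fails inside `string-append` with an opaque type error; adding `(else (error "hashicorp-arch: unsupported target"))` as the last clause names the real cause. Related: each package pins a single sha256 while the URL varies with `(hashicorp-arch)`, so the archives are only verifiable on the one architecture that hash was taken from and will fail the hash check elsewhere — a comment above `hashicorp-download-url` such as `;; Hashes below are for the linux_amd64 archives only; other targets need their own.` would document that limit (the architecture the hashes were computed for is not visible in the diff, so confirm). In `patch-interpreter`, `(assoc-ref inputs "glibc")` and `(assoc-ref inputs "patchelf")` depend on the label-based input lookup; with `(inputs (list glibc))` the labels are derived automatically, which works but is worth a comment noting that `search-input-file` is the label-free alternative.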