From ddd587b0778855f2199298d96fdd51792a948ea7 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Wed, 22 Feb 2023 11:20:48 +0100
Subject: Set up nomad, consul, vault
---
 tw/home.scm | 17 ++++++++
 tw/home/files/zshrc | 6 +++
 tw/home/lap.scm | 2 +
 tw/packages/ci.scm | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 136 insertions(+)
 create mode 100644 tw/packages/ci.scm
diff --git a/tw/home.scm b/tw/home.scm
index 3c957105..6968ae98 100644
--- a/tw/home.scm
+++ b/tw/home.scm
@@ -87,6 +87,23 @@ auto-expand-secmem
 ;; With #:recursive? #t, Guix keeps the files' permission bits, i.e. makes them executable.
 `((".local/bin/ppscm" ,(local-file "home/files/ppscm" #:recursive? #t)))) ; pretty-print scheme files
+ (simple-service 'cern-ci-environment home-environment-variables-service-type
+ ;; Nomad, Consul, Vault
+ ;; Tokens are not defined here as they are stored in pass(1).
+ ;; Shell aliases to use tokens are defined in zshrc.
+ '(("NOMAD_ADDR" . "https://alinomad.cern.ch:443")
+ ("NOMAD_CACERT" . "${XDG_CONFIG_HOME}/cern-ca-bundle.crt")
+ ("NOMAD_CLIENT_CERT" . "${XDG_CONFIG_HOME}/grid-personal-cert.pem")
+ ("NOMAD_CLIENT_KEY" . "${XDG_CONFIG_HOME}/grid-personal-key.pem")
+ ("CONSUL_HTTP_ADDR" . "https://aliconsul.cern.ch:443")
+ ("CONSUL_CACERT" . "${XDG_CONFIG_HOME}/cern-ca-bundle.crt")
+ ("CONSUL_CLIENT_CERT" . "${XDG_CONFIG_HOME}/grid-personal-cert.pem")
+ ("CONSUL_CLIENT_KEY" . "${XDG_CONFIG_HOME}/grid-personal-key.pem")
+ ("VAULT_ADDR" . "https://alivault.cern.ch:443")
+ ("VAULT_CACERT" . "${XDG_CONFIG_HOME}/cern-ca-bundle.crt")
+ ("VAULT_CLIENT_CERT" . "${XDG_CONFIG_HOME}/grid-personal-cert.pem")
+ ("VAULT_CLIENT_KEY" . "${XDG_CONFIG_HOME}/grid-personal-key.pem")))
+
 (simple-service 'common-environment home-environment-variables-service-type
 `(;; Path to my own package definitions. If invoking `guix home'
 ;; afresh, this needs to be set manually to find these packages.
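Review bot: The four `${XDG_CONFIG_HOME}` paths have no fallback, unlike the `${XDG_CONFIG_HOME:-$HOME/.config}` form the same commit uses in zshrc, so in any shell where that variable is not set (or is exported only after these lines run in the profile script) they resolve to `/cern-ca-bundle.crt` and the like and all three CLIs fail to load their TLS material. Assuming the values are emitted into a shell-sourced profile, which the existing `${...}` reference already relies on, `"${XDG_CONFIG_HOME:-$HOME/.config}/cern-ca-bundle.crt"` and the matching cert and key forms keep the two files consistent. Since `grid-personal-key.pem` is most likely an unencrypted private key (as far as I know these Go CLIs take no passphrase), it would also be worth a comment such as `;; grid-personal-key.pem is a plaintext key: keep it mode 0600.` next to these paths, because none of the tools checks that for you.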
diff --git a/tw/home/files/zshrc b/tw/home/files/zshrc
index dd4a24db..882cf60c 100644
--- a/tw/home/files/zshrc
+++ b/tw/home/files/zshrc
@@ -99,6 +99,12 @@ alias rot13='caesar 13'
 alias wget='\wget --hsts-file="${XDG_CACHE_HOME:-$HOME/.cache}/wget-hsts"'
 alias aurora="REQUESTS_CA_BUNDLE=${XDG_CONFIG_HOME:-$HOME/.config}/cern-ca-bundle.crt \aurora"
 alias aurora_admin="REQUESTS_CA_BUNDLE=${XDG_CONFIG_HOME:-$HOME/.config}/cern-ca-bundle.crt \aurora_admin"
+alias nomad='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \nomad'
+alias nomad-pack='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \nomad-pack'
+alias nomad-diskfree='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \nomad-diskfree'
+alias levant='NOMAD_TOKEN=$(pass cern/ci/nomad-bootstrap-token | head -1) \levant'
+alias consul='CONSUL_HTTP_TOKEN=$(pass cern/ci/consul-bootstrap-token | head -1) \consul'
+alias vault='VAULT_TOKEN=$(pass cern/ci/vault-root-token | head -1) \vault'
 
 # Git aliases
 alias ga='git add'
diff --git a/tw/home/lap.scm b/tw/home/lap.scm
index 57133e0b..fe521592 100644
--- a/tw/home/lap.scm
+++ b/tw/home/lap.scm
@@ -30,6 +30,7 @@
 #:use-module (tw home emacs)
 #:use-module (tw packages alice)
 #:use-module (tw packages catppuccin)
+ #:use-module (tw packages ci)
 #:use-module (tw packages games)
 #:use-module (tw packages xorg)
 #:use-module (tw gexp)
@@ -116,6 +117,7 @@
 ;; Work
 s3cmd
 python-alibuild ; python-alidistlint
+ hashicorp-nomad-bin hashicorp-consul-bin hashicorp-vault-bin hashicorp-packer-bin
 ;; i3 and Xorg. i3 itself must be installed system-wide for gdm to pick it up.
 ;; acpilight is a drop-in xbacklight replacement, as xbacklight doesn't work on my system.
diff --git a/tw/packages/ci.scm b/tw/packages/ci.scm
new file mode 100644
index 00000000..3a2619ac
--- /dev/null
+++ b/tw/packages/ci.scm
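Review bot: These aliases make the Nomad and Consul bootstrap tokens and the Vault root token the everyday credential for every `nomad`, `consul` and `vault` invocation, so a mistyped command or a compromised shell acts with unrestricted rights on all three systems. HashiCorp's guidance for all three is to keep the initial root/management token for break-glass use only and to work with per-operator tokens attached to an ACL policy; for Vault, the grid certificate that `VAULT_CLIENT_CERT` already points at can yield such a token via `vault login -method=cert`, provided that auth method is enabled, which removes the static secret entirely. Until that is in place, a comment above the group, e.g. `# FIXME: break-glass tokens in daily use; switch to per-operator ACL tokens once policies exist`, records that this is temporary. Separately, if `pass` fails (locked gpg-agent, missing entry) the substitution is empty and the command still runs, just without the token; a function such as `nomad() { local t; t=$(pass cern/ci/nomad-bootstrap-token | head -1); [[ -n $t ]] || return 1; NOMAD_TOKEN=$t command nomad "$@"; }` aborts instead.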
@@ -0,0 +1,111 @@
+(define-module (tw packages ci)
+ #:use-module (gnu packages base)
+ #:use-module (gnu packages elf)
+ #:use-module (guix build-system copy)
+ #:use-module (guix download)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils))
+
+(define-public (hashicorp-arch)
+ (cond
+ ((target-x86-64?) "amd64")
+ ((target-x86-32?) "386")
+ ((target-arm32?) "arm")
+ ((target-aarch64?) "arm64")))
+
+(define-public (hashicorp-download-url name version)
+ (string-append "https://releases.hashicorp.com/" name "/" version "/"
+ name "_" version "_linux_" (hashicorp-arch) ".zip"))
+
+(define-public hashicorp-packer-bin
+ (package
+ (name "hashicorp-packer")
+ (version "1.8.6")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "packer" version))
+ (sha256 (base32 "1bl5nckj9gqzdmkfaxjbsi4mv78ka5liiv9nin8n5slaawg43l2p"))))
+ (build-system copy-build-system)
+ (arguments '(#:install-plan '(("packer" "bin/"))))
+ (home-page "https://packer.io/")
+ (synopsis "Build automated machine images")
+ (description "Hashicorp Packer is a tool for creating identical machine
+images for multiple platforms from a single source configuration.")
+ (license license:mpl2.0)))
+
+(define-public hashicorp-consul-bin
+ (package
+ (name "hashicorp-consul")
+ (version "1.14.4")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "consul" version))
+ (sha256 (base32 "0ypxmnl68fg66rw06g5qldqgyrgkimgk56gspwv1bk797j2pryza"))))
+ (build-system copy-build-system)
+ (arguments '(#:install-plan '(("consul" "bin/"))))
+ (home-page "https://consul.io/")
+ (synopsis "Datacenter service mesh tool")
+ (description "Consul is a distributed, highly available, and data center
+aware solution to connect and configure applications across dynamic,
+distributed infrastructure.")
+ (license license:mpl2.0)))
+
+(define-public hashicorp-vault-bin
+ (package
+ (name "hashicorp-vault")
+ (version "1.12.3")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "vault" version))
+ (sha256 (base32 "1sxiqjq837mvl3r4awsxakyssf4jrcx45xzg0ys8fxp70snmp0pl"))))
+ (build-system copy-build-system)
+ (arguments '(#:install-plan '(("vault" "bin/"))))
+ (home-page "https://vaultproject.io/")
+ (synopsis "Secrets management, encryption as a service, and privileged
+access management")
+ (description "Vault is a tool for securely accessing secrets. A secret is
+anything that you want to tightly control access to, such as API keys,
+passwords, certificates, and more. Vault provides a unified interface to any
+secret, while providing tight access control and recording a detailed audit
+log.")
+ (license license:mpl2.0)))
+
+(define-public hashicorp-nomad-bin
+ (package
+ (name "hashicorp-nomad")
+ (version "1.4.4")
+ (source
+ (origin
+ (method url-fetch/zipbomb)
+ (uri (hashicorp-download-url "nomad" version))
+ (sha256 (base32 "0l73ffffs002jkjfzidj604wzpjf38qfsghyvml7mnn3sz0v9fv3"))))
+ (build-system copy-build-system)
+ (arguments
+ `(#:install-plan '(("nomad" "bin/"))
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'patch-interpreter
+ ;; For some reason, the "nomad" binary has /lib64/ld-linux*.so
+ ;; hardcoded, so fix that.
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((patchelf
+ (string-append (assoc-ref inputs "patchelf")
+ "/bin/patchelf"))
+ (ld-linux.so
+ (string-append
+ (assoc-ref inputs "glibc")
+ "/lib/ld-" ,(package-version glibc) ".so")))
+ (invoke patchelf "--set-interpreter" ld-linux.so "nomad")))))))
+ (inputs (list glibc))
+ (native-inputs (list patchelf))
+ (home-page "https://nomadproject.io/")
+ (synopsis "A simple orchestrator to deploy and manage applications")
+ (description "Nomad is an easy-to-use, flexible, and performant workload
+orchestrator that can deploy a mix of microservice, batch, containerized, and
+non-containerized applications. Nomad is easy to operate and scale and has
+native Consul and Vault integrations.")
+ (license license:mpl2.0)))
-- cgit v1.2.3
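Review bot: The `sha256` pinned on each `origin` is the only integrity check on these prebuilt binaries, and nothing in the file records where those hashes came from; if they were taken from a first `guix download` they pin whatever releases.hashicorp.com served at that moment, not what HashiCorp signed. HashiCorp publishes a `<name>_<version>_SHA256SUMS` file with a detached GPG signature next to every zip, so the hash should be cross-checked against that signed list before it is recorded, and a comment such as `;; Hashes checked against the GPG-signed SHA256SUMS of each release.` at the top tells whoever bumps a version to do the same. The `hashicorp-arch` `cond` also returns an unspecified value on any other architecture, which only surfaces later as an opaque `string-append` type error; an explicit `(else (error "no HashiCorp release for this system"))` arm fails with a clear message. The loader name built in `patch-interpreter`, `ld-<glibc-version>.so`, is fragile across glibc upgrades (upstream stopped shipping the versioned name from 2.34 on, so it depends on Guix's packaging); `glibc-dynamic-linker` from `(gnu packages bootstrap)` returns the architecture-specific name, I believe, and is the usual way Guix binary packages obtain it.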