finish nomad, add consul, sops

modules/common.nix

@@ -1,23 +1,42 @@
-{ lib, pkgs, config, inputs,  ... }: {
-  
-            imports = [
-            ./mnt-public.nix
-            ./nomad.nix
-            ./odroid-m1-setleds.nix
-            ./odroid-m1.nix
-          ];
-
-
-
-  environment.systemPackages = [
-    pkgs.git
-    pkgs.ncdu
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  imports = [
+    ./mnt-public.nix
+    ./nomad.nix
+    ./odroid-m1-setleds.nix
+    ./odroid-m1.nix
+    inputs.sops-nix.nixosModules.sops
   ];
 
+  ###secretstore path variable
+  options._secretstore = lib.mkOption {
+    type = lib.types.str;
+    default = "${inputs.self}/secrets";
+    description = "Path to the Secrets storage";
+  };
 
-      services.openssh = {
-            enable = true;
-            settings.PermitRootLogin = "yes";
-          };
-          users.extraUsers.root.initialPassword = lib.mkForce "odroid";
-}
+  config = {
+    system.stateVersion = "23.11"; # Did you read the comment?
+
+    sops = {
+      defaultSopsFile = "${config._secretstore}/host-secrets.yaml";
+      age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    };
+
+    environment.systemPackages = [
+      pkgs.git
+      pkgs.ncdu
+    ];
+
+    services.openssh = {
+      enable = true;
+      settings.PermitRootLogin = "yes";
+    };
+    users.extraUsers.root.initialPassword = lib.mkForce "odroid";
+  };
+}

modules/consul.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  # virtualisation.docker.enable = true;
+
+  services.consul = {
+    package = pkgs.consul_1_9;
+    enable = true;
+    webUi = true;
+    extra_config = {
+      bootstrap = false;
+      bootstrap_expect = 7;
+      encrypt = config.sops.secrets.consul_encrypt;
+      performance = {
+        raft_multiplier = 5;
+      };
+      recursors = [
+        "192.168.1.1"
+        "8.8.8.8"
+      ];
+
+      retry_join = [
+        "192.168.1.221"
+        "192.168.1.222"
+        "192.168.1.225"
+        "192.168.1.226"
+        "192.168.1.227"
+        "192.168.1.223"
+        "192.168.1.224"
+      ];
+    };
+  };
+}

modules/kboot-conf/default.nix

@@ -1,8 +1,10 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
   cfg = config.boot.loader.kboot-conf;
 
   # The builder used to write during system activation
@@ -19,8 +21,7 @@ let
     path = with pkgs.buildPackages; [coreutils gnused gnugrep];
     inherit (pkgs.buildPackages) bash;
   };
-in
-{
+in {
   options = {
     boot.loader.kboot-conf = {
       enable = mkOption {
@@ -52,9 +53,10 @@ in
   };
   config = let
     args = "-g ${toString cfg.configurationLimit} -n ${config.hardware.deviceTree.name}";
-  in mkIf cfg.enable {
-    system.build.installBootLoader = lib.mkForce "${builder} ${args} -c";
-    system.boot.loader.id = "kboot-conf";
-    boot.loader.kboot-conf.populateCmd = "${populateBuilder} ${args}";
-  };
+  in
+    mkIf cfg.enable {
+      system.build.installBootLoader = lib.mkForce "${builder} ${args} -c";
+      system.boot.loader.id = "kboot-conf";
+      boot.loader.kboot-conf.populateCmd = "${populateBuilder} ${args}";
+    };
 }

modules/mnt-public.nix

@@ -1,10 +1,14 @@
-{ lib, pkgs, config, inputs,  ... }: {
-
-    fileSystems."/mnt/Public" = {
-        device = "//192.168.1.109/Public";
-        fsType = "cifs";
-        # options = ["uid=0,gid=1000"];
-        options = ["guest" "uid=1000"];
-    };
-
-}
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  fileSystems."/mnt/Public" = {
+    device = "//192.168.1.109/Public";
+    fsType = "cifs";
+    # options = ["uid=0,gid=1000"];
+    options = ["guest" "uid=1000"];
+  };
+}

modules/nomad.nix

@@ -1,42 +1,66 @@
-{ lib, pkgs, config, inputs,  ... }: {
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  virtualisation.docker.enable = true;
 
+  services.nomad = {
+    package = pkgs.nomad_1_6;
+    dropPrivileges = false;
+    enableDocker = true;
+    enable = true;
+    settings = {
+      server = {
+        enabled = true;
+        bootstrap_expect = 3;
+        start_join = ["192.168.1.221" "192.168.1.225" "192.168.1.226" "192.168.1.227" "192.168.1.222" "192.168.1.223" "192.168.1.224"];
+        rejoin_after_leave = false;
+        enabled_schedulers = ["service" "batch" "system"];
+        num_schedulers = 4;
+        node_gc_threshold = "24h";
+        eval_gc_threshold = "1h";
+        job_gc_threshold = "4h";
+        deployment_gc_threshold = "1h";
+        encrypt = "";
+        raft_protocol = 3;
+      };
 
-virtualisation.docker.enable = true;
+      client = {
+        enabled = true;
+        node_class = "";
+        no_host_uuid = false;
+        servers = ["192.168.1.221:4647" "192.168.1.225:4647" "192.168.1.226:4647" "192.168.1.227:4647" "192.168.1.222:4647" "192.168.1.223:4647" "192.168.1.224:4647"];
+        max_kill_timeout = "30s";
+        network_speed = 0;
+        cpu_total_compute = 0;
+        gc_interval = "1m";
+        gc_disk_usage_threshold = 80;
+        gc_inode_usage_threshold = 70;
+        gc_parallel_destroys = 2;
+        reserved = {
+          cpu = 0;
+          memory = 200;
+          disk = 0;
+        };
+        options = {
+          "docker.caps.whitelist" = "SYS_ADMIN,NET_ADMIN,chown,dac_override,fsetid,fowner,mknod,net_raw,setgid,setuid,setfcap,setpcap,net_bind_service,sys_chroot,kill,audit_write,sys_module";
+          "driver.raw_exec.enable" = "1";
+          "docker.volumes.enabled" = "True";
+          "docker.privileged.enabled" = "true";
+          "docker.auth.config" = "/root/.docker/config.json";
+        };
+      };
 
-services.nomad = {
-        package = pkgs.nomad_1_6;
-        dropPrivileges = false;
- 	enableDocker = true;
-	enable = true;
-        settings = {
-client = {
-    enabled = true;
-    node_class = "";
-    no_host_uuid = false;
-    servers = ["192.168.1.221:4647" "192.168.1.225:4647" "192.168.1.226:4647" "192.168.1.227:4647" "192.168.1.222:4647" "192.168.1.223:4647" "192.168.1.224:4647"];
-    max_kill_timeout = "30s";
-    network_speed = 0;
-    cpu_total_compute = 0;
-    gc_interval = "1m";
-    gc_disk_usage_threshold = 80;
-    gc_inode_usage_threshold = 70;
-    gc_parallel_destroys = 2;
-    reserved = {
-        cpu = 0;
-        memory = 200;
-        disk = 0;
+      custom = {
+        "telemetry" = {
+          "prometheus_metrics" = true;
+          "publish_allocation_metrics" = true;
+          "publish_node_metrics" = true;
+        };
+      };
     };
-    options = {
-        "docker.caps.whitelist" = "SYS_ADMIN,NET_ADMIN,chown,dac_override,fsetid,fowner,mknod,net_raw,setgid,setuid,setfcap,setpcap,net_bind_service,sys_chroot,kill,audit_write,sys_module";
-        "driver.raw_exec.enable" = "1";
-        "docker.volumes.enabled" = "True";
-        "docker.privileged.enabled" = "true";
-        "docker.auth.config" = "/root/.docker/config.json";
-    };
-    };
-};
-
-
-
-};
-}
+  };
+}

modules/odroid-m1-setleds.nix

@@ -1,13 +1,16 @@
-{ lib, pkgs, config, inputs,  ... }: {
-
-
-systemd.services.setleds = {
-  script = ''
-    echo "Setting Odroid LEDs"
-    echo none > /sys/class/leds/blue\:heartbeat/trigger
-    cat /sys/class/leds/blue\:heartbeat/trigger
-  '';
-  wantedBy = [ "multi-user.target" ];
-};
-
-}
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  systemd.services.setleds = {
+    script = ''
+      echo "Setting Odroid LEDs"
+      echo none > /sys/class/leds/blue\:heartbeat/trigger
+      cat /sys/class/leds/blue\:heartbeat/trigger
+    '';
+    wantedBy = ["multi-user.target"];
+  };
+}

modules/odroid-m1.nix

@@ -1,36 +1,38 @@
-{ lib, pkgs, config, inputs,  ... }: {
+{
+  lib,
+  pkgs,
+  config,
+  inputs,
+  ...
+}: {
+  imports = [
+    ./kboot-conf
+  ];
 
-          imports = [
-            ./kboot-conf
-          ];
+  boot.loader.grub.enable = false;
+  boot.loader.kboot-conf.enable = true;
+  # Use kernel >6.6
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  # Stop ZFS breasking the build
+  boot.supportedFilesystems = lib.mkForce ["btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
 
-          boot.loader.grub.enable = false;
-          boot.loader.kboot-conf.enable = true;
-          # Use kernel >6.6 
-          boot.kernelPackages = pkgs.linuxPackages_latest;
-          # Stop ZFS breasking the build
-          boot.supportedFilesystems = lib.mkForce [ "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs" ];
+  # I'm not completely sure if some of these could be omitted,
+  # but want to make sure disk access works
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "nvme-core"
+    "phy-rockchip-naneng-combphy"
+    "phy-rockchip-snps-pcie3"
+  ];
+  # Petitboot uses this port and baud rate on the boards serial port,
+  # it's probably good to keep the options same for the running
+  # kernel for serial console access to work well
+  boot.kernelParams = ["console=ttyS2,1500000"];
+  hardware.deviceTree.name = "rockchip/rk3568-odroid-m1.dtb";
 
-          # I'm not completely sure if some of these could be omitted,
-          # but want to make sure disk access works
-          boot.initrd.availableKernelModules = [
-            "nvme"
-            "nvme-core"
-            "phy-rockchip-naneng-combphy"
-            "phy-rockchip-snps-pcie3"
-          ];
-          # Petitboot uses this port and baud rate on the boards serial port,
-          # it's probably good to keep the options same for the running
-          # kernel for serial console access to work well
-          boot.kernelParams = [ "console=ttyS2,1500000" ];       
-          hardware.deviceTree.name = "rockchip/rk3568-odroid-m1.dtb";
-        
-          # Turn on flakes.
-          ##nix.package = pkgs.nixVersions.stable;
-          nix.extraOptions = ''
-            experimental-features = nix-command flakes
-          '';
-
-      system.stateVersion = "23.11"; # Did you read the comment?
-
-}
+  # Turn on flakes.
+  ##nix.package = pkgs.nixVersions.stable;
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+}