From 5ea4cef2946a71467c519db803cd1c31f1ffff20 Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Thu, 30 Dec 2021 20:56:13 +0100
Subject: Enable TLS for Consul

---
 app/core/deploy/core.hcl                | 24 +++++++++++++++++++++++-
 app/frontend/deploy/frontend-tricot.hcl | 24 +++++++++++++++++++++++-
 2 files changed, 46 insertions(+), 2 deletions(-)

(limited to 'app')

diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl
index fd4176a..f57f21d 100644
--- a/app/core/deploy/core.hcl
+++ b/app/core/deploy/core.hcl
@@ -18,9 +18,12 @@ job "core" {
       driver = "docker"
 
       config {
-        image = "lxpz/amd64_diplonat:2"
+        image = "lxpz/amd64_diplonat:3"
         network_mode = "host"
         readonly_rootfs = true
+        volumes = [
+          "secrets:/etc/diplonat",
+        ]
       }
 
       restart {
@@ -30,11 +33,30 @@ job "core" {
         mode     = "delay"
       }
 
+      template {
+        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+        destination = "secrets/consul-ca.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "secrets/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "secrets/consul-client.key"
+      }
+
       template {
         data = <<EOH
 DIPLONAT_REFRESH_TIME=60
 DIPLONAT_EXPIRATION_TIME=300
 DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
+DIPLONAT_CONSUL_URL=https://localhost:8501
+DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
+DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
+DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
 RUST_LOG=debug
 EOH
         destination = "secrets/env"
diff --git a/app/frontend/deploy/frontend-tricot.hcl b/app/frontend/deploy/frontend-tricot.hcl
index 4e35d0d..d20ff40 100644
--- a/app/frontend/deploy/frontend-tricot.hcl
+++ b/app/frontend/deploy/frontend-tricot.hcl
@@ -14,10 +14,13 @@ job "frontend" {
       driver = "docker"
 
       config {
-        image = "lxpz/amd64_tricot:25"
+        image = "lxpz/amd64_tricot:27"
         network_mode = "host"
         readonly_rootfs = true
         ports = [ "http_port", "https_port", "admin_port" ]
+        volumes = [
+          "secrets:/etc/tricot",
+        ]
       }
 
       resources {
@@ -32,11 +35,30 @@ job "frontend" {
         mode     = "delay"
       }
 
+      template {
+        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+        destination = "secrets/consul-ca.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "secrets/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "secrets/consul-client.key"
+      }
+
       template {
         data = <<EOH
 TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
 TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
 TRICOT_ENABLE_COMPRESSION=true
+TRICOT_CONSUL_HOST=https://localhost:8501
+TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
+TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
+TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
 RUST_LOG=tricot=trace
 EOH
         destination = "secrets/env"
-- 
cgit v1.2.3