feat(srv0-dmz0): configure nomad holochain cluster

nix/os/devices/srv0-dmz0/configuration.nix

@@ -1,6 +1,7 @@
 {
   modulesPath,
   repoFlake,
+  packages',
   pkgs,
   config,
   ...
@@ -123,6 +124,91 @@ in {
   containers = {
   };
 
+  sops.secrets.holochain-nomad-agent-ca = {
+    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
+    owner = config.users.extraUsers.nomad.name;
+    group = config.users.groups.nomad.name;
+  };
+  sops.secrets.holochain-global-nomad-client-cert = {
+    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
+    owner = config.users.extraUsers.nomad.name;
+    group = config.users.groups.nomad.name;
+  };
+  sops.secrets.holochain-global-client-nomad-key = {
+    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
+    owner = config.users.extraUsers.nomad.name;
+    group = config.users.groups.nomad.name;
+  };
+
+  services.nomad = {
+    enable = true;
+    package = packages'.nomad;
+    enableDocker = false;
+    dropPrivileges = false;
+
+    extraPackages = [
+      pkgs.coreutils
+      pkgs.nix
+      pkgs.bash
+      pkgs.gitFull
+      pkgs.cacert
+    ];
+
+    settings = {
+      server.enabled = false;
+
+      client = {
+        enabled = true;
+        server_join = {
+          retry_join = [
+            "infra.holochain.org"
+          ];
+          retry_interval = "60s";
+        };
+
+        node_class = "testing";
+
+        meta = {
+          inherit (pkgs.targetPlatform) system;
+
+          features = builtins.concatStringsSep "," [
+            "poc-1"
+            "poc-2"
+            "ipv4-nat"
+            "nix"
+            "nixos"
+            "holoport"
+          ];
+
+          machine_type = "baremetal";
+        };
+      };
+
+      tls = {
+        http = true;
+        rpc = true;
+        ca_file = config.sops.secrets.holochain-nomad-agent-ca.path;
+        cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path;
+        key_file = config.sops.secrets.holochain-global-client-nomad-key.path;
+
+        verify_server_hostname = true;
+        verify_https_client = true;
+      };
+
+      plugin.raw_exec.config.enabled = true;
+    };
+  };
+
+  users.extraUsers.nomad.isNormalUser = true;
+  users.extraUsers.nomad.isSystemUser = false;
+  users.extraUsers.nomad.group = "nomad";
+  users.extraUsers.nomad.home = config.services.nomad.settings.data_dir;
+  users.extraUsers.nomad.createHome = true;
+  users.groups.nomad.members = ["nomad"];
+
+  systemd.services.nomad.serviceConfig.User = "nomad";
+  systemd.services.nomad.serviceConfig.Group = "nomad";
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

nix/os/devices/steveej-t14/system.nix

@@ -132,19 +132,4 @@ in {
     sopsFile = ../../../../secrets/zerotierone.txt;
     format = "binary";
   };
-
-  sops.secrets.nomad-holochain-agent-ca = {
-    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
-    owner = config.users.extraUsers.steveej.name;
-  };
-
-  sops.secrets.nomad-holochain-cli-cert = {
-    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
-    owner = config.users.extraUsers.steveej.name;
-  };
-
-  sops.secrets.nomad-holochain-cli-key = {
-    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
-    owner = config.users.extraUsers.steveej.name;
-  };
 }