Nix system configuration for Deuxfleurs clusters
Latest commit: Alex, 1a11ff4202, "staging: updated garage with new consul registration" (5 days ago)

Repository contents (name | last commit message | age):
  cluster | staging: updated garage with new consul registration | 5 days ago
  doc | wgautomesh actually on prod | 3 months ago
  experimental | staging: deploy things on bespin | 5 months ago
  nix | Merge branch 'main' into simplify-network-config | 4 weeks ago
  .gitignore | Modularize and prepare to support multiple clusters | 1 year ago
  README.md | added a note about forwarding to personal services in the readme (I struggled to find where this was) | 2 weeks ago
  deploy_nixos | wgautomesh actually on prod | 3 months ago
  deploy_passwords | cleanup | 6 months ago
  deploy_pki | added scorpio site and abricot node | 3 months ago
  gen_pki | Fix access to consul for non-server nodes | 10 months ago
  passwd | edited passwd command to set bash as interpreter | 7 months ago
  restic_summary | cleanup | 6 months ago
  secretmgr | Improve secretmgr more, update secrets for staging | 5 months ago
  sshtool | fix cleanup of deploypass | 3 months ago
  tlsproxy | Remove hardcoded years in deuxfleurs.nix | 5 months ago
  upgrade_nixos | upgrade nixos | 3 months ago

README.md

Deuxfleurs on NixOS!

This repository contains the code used to run Deuxfleurs' infrastructure on NixOS.

Our abstraction stack

We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.), developing our own tools when needed.

Our first abstraction level is the NixOS level, which installs a bunch of standard components:

  • Wireguard: provides encrypted communication between remote nodes
  • Nomad: schedules containers and handles their lifecycle
  • Consul: distributed key-value store + locks + service discovery
  • Docker: packages, distributes and isolates applications

Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:

  • Data management
    • Garage: S3-compatible lightweight object store for self-hosted geo-distributed deployments
    • Stolon + PostgreSQL: distributed relational database
  • Network control plane
    • DiploNAT: network automation (firewalling, UPnP IGD)
    • D53: updates DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
    • Tricot: a dynamic reverse proxy for Nomad+Consul, inspired by Traefik
    • wgautomesh: a dynamic Wireguard mesh configurator
  • User management
    • Bottin: authentication and authorization (LDAP protocol, Consul backend)
    • Guichet: a dashboard for our users and administrators
  • Observability
    • Prometheus + Grafana: monitoring

Some services we provide based on this abstraction:

  • Websites: Garage (static) + fediverse blog (Plume)
  • Chat: Synapse + Element Web (Matrix protocol)
  • Email: Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
  • Video conferencing: Jitsi
  • Collaboration: CryptPad

As a generic abstraction is provided, deploying new services should be easy.

How to use this?

See the following documentation topics:

Got personal services in addition to Deuxfleurs at home?

See cluster/prod/register_external_services.sh: this bash script registers a redirect from Tricot to your own services or to your personal reverse proxy.