nixcfg/README.md
# Deuxfleurs on NixOS!
This repository contains code to run Deuxfleurs' infrastructure on NixOS.
It sets up the following:
- A Wireguard mesh between all nodes
- Consul, with TLS
- Nomad, with TLS
## How to use this?
See the following documentation topics:
- [Quick start for adding new nodes after NixOS install](doc/quick-start.md)
- [Architecture of this repo, how the scripts work](doc/architecture.md)
- [List of TCP and UDP ports used by services](doc/ports)
Additional documentation topics:
- [Succinct guide for NixOS installation with LUKS full disk encryption](doc/nixos-install.md) (we don't do that in practice on our servers)
- [Example `hardware-config.nix` for a full disk encryption scenario](doc/example-hardware-configuration.nix)
## Why not Ansible?
I often get asked why not use Ansible to deploy to remote machines, as this
would look like a typical use case. There are many reasons, which basically
boil down to "I really don't like Ansible":
- Ansible tries to do declarative system configuration, but doesn't do it
correctly at all, like Nix does. Example: in NixOS, to undo something you've
done, just comment the corresponding lines and redeploy.
- Ansible is massive overkill for what we're trying to do here, we're just
copying a few small files and running some basic commands, leaving the rest
to NixOS.
- YAML is a pain to manipulate as soon as you have more than two or three
indentation levels. Also, why in hell would you want to write loops and
conditions in YAML when you could use a proper expression language?
- Ansible's vocabulary is not ours, and it imposes a rigid hierarchy of
directories and files which I don't want.
- Ansible is probably not flexible enough to do what we want, at least not
without getting a migraine when trying. For example, its inventory
management is too simple to account for the heterogeneity of our cluster
nodes while still retaining a level of organization (some configuration
options are defined cluster-wide, some are defined for each site (physical
location) we deploy on, and some are specific to each node).
- I never remember Ansible's command line flags.
- My distribution's package for Ansible takes almost 400MB once installed,
WTF??? By not depending on it, we're reducing the set of tools we need to
deploy to a bare minimum: Git, OpenSSH, OpenSSL, socat,
[pass](https://www.passwordstore.org/) (and the Consul and Nomad binaries
which are, I'll admit, not small).
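As an added illustration of the declarative point made above (this is not code from this repository; its real modules are described in doc/architecture.md), here is a hypothetical NixOS module for one mesh node: a WireGuard interface with one peer, plus a firewall that exposes only the WireGuard port publicly and keeps the Consul and Nomad ports on the mesh interface. All addresses, ports, hostnames and key paths are constructed placeholders; the Consul/Nomad ports are the upstream defaults, and the repo's actual list is in doc/ports.

```nix
# Hypothetical NixOS module (added illustration, not from the nixcfg repo).
# Every value below is a constructed placeholder.
{ config, lib, pkgs, ... }:

{
  # One WireGuard interface forming the mesh with the other nodes.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.14.0.1/16" ];          # this node's mesh address (constructed)
    listenPort = 33799;                # constructed; the real port is in doc/ports
    # Keep the private key out of the world-readable Nix store:
    # reference a root-only file instead of an inline string.
    privateKeyFile = "/var/lib/wireguard/wg0.key";
    peers = [
      {
        # Peer "node-b" (constructed). Deleting this attribute set and
        # redeploying removes the peer and its route: nothing lingers,
        # which is the "comment the lines and redeploy" behaviour above.
        publicKey = "<node-b public key placeholder>";
        allowedIPs = [ "10.14.0.2/32" ];
        endpoint = "node-b.example.org:33799";
        persistentKeepalive = 25;
      }
    ];
  };

  networking.firewall = {
    # Only the WireGuard port is reachable from the public interface.
    allowedUDPPorts = [ 33799 ];
    # Consul (8300 RPC, 8301/8302 Serf, 8501 HTTPS) and Nomad (4646 HTTP,
    # 4647 RPC, 4648 Serf) are reachable over the mesh interface only.
    # Comment out a port here and the next rebuild closes it.
    interfaces.wg0.allowedTCPPorts = [ 8300 8301 8302 8501 4646 4647 4648 ];
    interfaces.wg0.allowedUDPPorts = [ 8301 8302 4648 ];
  };
}
```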
## More
Please read README.more.md for more detailed information.