Config for prod cluster

2022-02-09 15:38:36 +01:00 · 2022-02-09 15:38:36 +01:00 · b0010b309b
parent f03cafd49b
commit b0010b309b
18 changed files with 201 additions and 15 deletions
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@ -0,0 +1,58 @@
+{ config, pkgs, ... } @ args:
+
+{
+  deuxfleurs.cluster_name = "prod";
+  deuxfleurs.cluster_nodes = [
+    {
+      hostname = "concombre";
+      publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
+      IP = "10.42.1.31";
+      endpoint = "82.66.112.151:33731";
+    }
+    {
+      hostname = "courgette";
+      publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
+      IP = "10.42.1.32";
+      endpoint = "82.66.112.151:33732";
+    }
+    {
+      hostname = "celeri";
+      publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
+      IP = "10.42.1.33";
+      endpoint = "82.66.112.151:33733";
+    }
+  ];
+  deuxfleurs.admin_nodes = [
+    {
+      hostname = "hammerhead";
+      publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=";
+      IP = "10.42.0.1";
+      endpoint = "5.135.179.11:51349";
+    }
+    {
+      hostname = "robinson";
+      publicKey = "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg=";
+      IP = "10.42.0.42";
+      endpoint = "77.141.67.109:33742";
+    }
+    {
+      hostname = "shiki";
+      publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=";
+      IP = "10.42.0.206";
+      endpoint = "37.187.118.206:51820";
+    }
+    {
+      hostname = "lindy";
+      publicKey = "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks=";
+      IP = "10.42.0.66";
+      endpoint = "82.66.112.151:33766";
+    }
+  ];
+  deuxfleurs.admin_accounts = {
+    lx = [
+      # Keys for accessing nodes from outside
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
+    ];
+  };
+}
--- a/cluster/prod/node/celeri.nix
+++ b/cluster/prod/node/celeri.nix
@ -0,0 +1,33 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.timeout = 20;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "celeri";
+
+  networking.interfaces.eno1.useDHCP = false;
+  networking.interfaces.eno1.ipv4.addresses = [
+    {
+      address = "192.168.1.33";
+      prefixLength = 24;
+    }
+  ];
+  networking.interfaces.eno1.ipv6.addresses = [
+    {
+      address = "2a01:e0a:c:a720::33";
+      prefixLength = 64;
+    }
+  ];
+
+  deuxfleurs.vpn_ip = "10.42.1.33";
+  deuxfleurs.vpn_listen_port = 33733;
+  deuxfleurs.is_raft_server = true;
+
+  # Enable netdata monitoring
+  services.netdata.enable = true;
+}
--- a/cluster/prod/node/celeri.site.nix
+++ b/cluster/prod/node/celeri.site.nix
@ -0,0 +1 @@
+../site/neptune.nix
--- a/cluster/prod/node/concombre.nix
+++ b/cluster/prod/node/concombre.nix
@ -0,0 +1,33 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.timeout = 20;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "concombre";
+
+  networking.interfaces.eno1.useDHCP = false;
+  networking.interfaces.eno1.ipv4.addresses = [
+    {
+      address = "192.168.1.31";
+      prefixLength = 24;
+    }
+  ];
+  networking.interfaces.eno1.ipv6.addresses = [
+    {
+      address = "2a01:e0a:c:a720::31";
+      prefixLength = 64;
+    }
+  ];
+
+  deuxfleurs.vpn_ip = "10.42.1.31";
+  deuxfleurs.vpn_listen_port = 33731;
+  deuxfleurs.is_raft_server = true;
+
+  # Enable netdata monitoring
+  services.netdata.enable = true;
+}
--- a/cluster/prod/node/concombre.site.nix
+++ b/cluster/prod/node/concombre.site.nix
@ -0,0 +1 @@
+../site/neptune.nix
--- a/cluster/prod/node/courgette.nix
+++ b/cluster/prod/node/courgette.nix
@ -0,0 +1,33 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.timeout = 20;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "courgette";
+
+  networking.interfaces.eno1.useDHCP = false;
+  networking.interfaces.eno1.ipv4.addresses = [
+    {
+      address = "192.168.1.32";
+      prefixLength = 24;
+    }
+  ];
+  networking.interfaces.eno1.ipv6.addresses = [
+    {
+      address = "2a01:e0a:c:a720::32";
+      prefixLength = 64;
+    }
+  ];
+
+  deuxfleurs.vpn_ip = "10.42.1.32";
+  deuxfleurs.vpn_listen_port = 33732;
+  deuxfleurs.is_raft_server = true;
+
+  # Enable netdata monitoring
+  services.netdata.enable = true;
+}
--- a/cluster/prod/node/courgette.site.nix
+++ b/cluster/prod/node/courgette.site.nix
@ -0,0 +1 @@
+../site/neptune.nix
--- a/cluster/prod/site/neptune.nix
+++ b/cluster/prod/site/neptune.nix
@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+  networking.defaultGateway = {
+    address = "192.168.1.254";
+    interface = "eno1";
+  };
+
+  deuxfleurs.site_name = "neptune";
+}
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@ -0,0 +1,10 @@
+UserKnownHostsFile ./ssh_known_hosts
+
+Host concombre
+	HostName 10.42.1.31
+
+Host courgette
+	HostName 10.42.1.32
+
+Host celeri
+	HostName 10.42.1.33
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@ -6,25 +6,25 @@
    {
      hostname = "spoutnik";
      publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
-      IP = "10.42.0.2";
+      IP = "10.42.2.2";
      endpoint = "77.141.67.109:42136";
    }
    { 
      hostname = "cariacou";
      publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
-      IP = "10.42.0.21";
+      IP = "10.42.2.21";
      endpoint = "82.66.112.151:33721";
    }
    { 
      hostname = "carcajou";
      publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
-      IP = "10.42.0.22";
+      IP = "10.42.2.22";
      endpoint = "82.66.112.151:33722";
    }
    { 
      hostname = "caribou";
      publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
-      IP = "10.42.0.23";
+      IP = "10.42.2.23";
      endpoint = "82.66.112.151:33723";
    }
  ];
--- a/cluster/staging/node/carcajou.nix
+++ b/cluster/staging/node/carcajou.nix
@ -24,7 +24,7 @@
    }
  ];

-  deuxfleurs.vpn_ip = "10.42.0.22";
+  deuxfleurs.vpn_ip = "10.42.2.22";
  deuxfleurs.vpn_listen_port = 33722;
  deuxfleurs.is_raft_server = true;

--- a/cluster/staging/node/cariacou.nix
+++ b/cluster/staging/node/cariacou.nix
@ -24,7 +24,7 @@
    }
  ];

-  deuxfleurs.vpn_ip = "10.42.0.21";
+  deuxfleurs.vpn_ip = "10.42.2.21";
  deuxfleurs.vpn_listen_port = 33721;
  deuxfleurs.is_raft_server = true;

--- a/cluster/staging/node/caribou.nix
+++ b/cluster/staging/node/caribou.nix
@ -24,7 +24,7 @@
    }
  ];

-  deuxfleurs.vpn_ip = "10.42.0.23";
+  deuxfleurs.vpn_ip = "10.42.2.23";
  deuxfleurs.vpn_listen_port = 33723;
  deuxfleurs.is_raft_server = true;

--- a/cluster/staging/node/spoutnik.nix
+++ b/cluster/staging/node/spoutnik.nix
@ -21,7 +21,7 @@
  ];

  networking.wireguard.interfaces.wg0 = {
-    ips = [ "10.42.0.2/16" ];
+    ips = [ "10.42.2.2/16" ];
    listenPort = 42136;
  };

--- a/cluster/staging/ssh_config
+++ b/cluster/staging/ssh_config
@ -1,13 +1,13 @@
 UserKnownHostsFile ./ssh_known_hosts

 Host caribou
-	HostName 10.42.0.23
+	HostName 10.42.2.23

 Host carcajou
-	HostName 10.42.0.22
+	HostName 10.42.2.22

 Host cariacou
-	HostName 10.42.0.21
+	HostName 10.42.2.21

 Host spoutnik
 	HostName 10.42.0.2
--- a/genpki.sh
+++ b/genpki.sh
@ -63,8 +63,8 @@ extendedKeyUsage = serverAuth, clientAuth
 subjectAltName = @alt_names

 [alt_names]
-DNS.1 = server.staging.$APP
-DNS.2 = client.staging.$APP
+DNS.1 = server.$CLUSTER.$APP
+DNS.2 = client.$CLUSTER.$APP
 DNS.3 = localhost
 DNS.4 = 127.0.0.1
 EOF
@ -104,7 +104,7 @@ extendedKeyUsage = clientAuth
 subjectAltName = @alt_names

 [alt_names]
-DNS.1 = client.staging.$APP
+DNS.1 = client.$CLUSTER.$APP
 EOF
 	) \
 			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@ -79,7 +79,7 @@ in
    networking.wireguard.interfaces.wg0 = {
      ips = [ "${cfg.vpn_ip}/16" ];
      listenPort = cfg.vpn_listen_port;
-      privateKeyFile = "/root/wireguard-keys/private";
+      privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
      peers = map ({ publicKey, endpoint, IP, ... }: {
        publicKey = publicKey;
        allowedIPs = [ "${IP}/32" ];
--- a/6
+++ b/6
@ -2,3 +2,9 @@
 10.42.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
 10.42.0.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
 10.42.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL
+10.42.1.33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
+10.42.1.31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
+10.42.1.32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
+192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXyY9yZdq/VYpg3K1plBzFvim41tWlu+Dmov3BNSm39
+192.168.1.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
+192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+