Deuxfleurs/nixcfg
17
6
Fork 2
Code Issues 9 Pull requests 3 Projects Releases Wiki Activity

Config for prod cluster

Browse source
This commit is contained in:
Alex 2022-02-09 15:38:36 +01:00
parent f03cafd49b
commit b0010b309b
No known key found for this signature in database
GPG key ID: EDABF9711E244EB1
18 changed files with 201 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
cluster/prod/cluster.nix Normal file
View file

@ -0,0 +1,58 @@
{ config, pkgs, ... } @ args:
{
deuxfleurs.cluster_name = "prod";
deuxfleurs.cluster_nodes = [
{
hostname = "concombre";
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
IP = "10.42.1.31";
endpoint = "82.66.112.151:33731";
}
{
hostname = "courgette";
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
IP = "10.42.1.32";
endpoint = "82.66.112.151:33732";
}
{
hostname = "celeri";
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
IP = "10.42.1.33";
endpoint = "82.66.112.151:33733";
}
];
deuxfleurs.admin_nodes = [
{
hostname = "hammerhead";
publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=";
IP = "10.42.0.1";
endpoint = "5.135.179.11:51349";
}
{
hostname = "robinson";
publicKey = "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg=";
IP = "10.42.0.42";
endpoint = "77.141.67.109:33742";
}
{
hostname = "shiki";
publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=";
IP = "10.42.0.206";
endpoint = "37.187.118.206:51820";
}
{
hostname = "lindy";
publicKey = "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks=";
IP = "10.42.0.66";
endpoint = "82.66.112.151:33766";
}
];
deuxfleurs.admin_accounts = {
lx = [
# Keys for accessing nodes from outside
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
];
};
}

33
cluster/prod/node/celeri.nix Normal file
View file

@ -0,0 +1,33 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "celeri";
networking.interfaces.eno1.useDHCP = false;
networking.interfaces.eno1.ipv4.addresses = [
{
address = "192.168.1.33";
prefixLength = 24;
}
];
networking.interfaces.eno1.ipv6.addresses = [
{
address = "2a01:e0a:c:a720::33";
prefixLength = 64;
}
];
deuxfleurs.vpn_ip = "10.42.1.33";
deuxfleurs.vpn_listen_port = 33733;
deuxfleurs.is_raft_server = true;
# Enable netdata monitoring
services.netdata.enable = true;
}

1
cluster/prod/node/celeri.site.nix Symbolic link
View file

@ -0,0 +1 @@
../site/neptune.nix

33
cluster/prod/node/concombre.nix Normal file
View file

@ -0,0 +1,33 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "concombre";
networking.interfaces.eno1.useDHCP = false;
networking.interfaces.eno1.ipv4.addresses = [
{
address = "192.168.1.31";
prefixLength = 24;
}
];
networking.interfaces.eno1.ipv6.addresses = [
{
address = "2a01:e0a:c:a720::31";
prefixLength = 64;
}
];
deuxfleurs.vpn_ip = "10.42.1.31";
deuxfleurs.vpn_listen_port = 33731;
deuxfleurs.is_raft_server = true;
# Enable netdata monitoring
services.netdata.enable = true;
}

1
cluster/prod/node/concombre.site.nix Symbolic link
View file

@ -0,0 +1 @@
../site/neptune.nix

33
cluster/prod/node/courgette.nix Normal file
View file

@ -0,0 +1,33 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "courgette";
networking.interfaces.eno1.useDHCP = false;
networking.interfaces.eno1.ipv4.addresses = [
{
address = "192.168.1.32";
prefixLength = 24;
}
];
networking.interfaces.eno1.ipv6.addresses = [
{
address = "2a01:e0a:c:a720::32";
prefixLength = 64;
}
];
deuxfleurs.vpn_ip = "10.42.1.32";
deuxfleurs.vpn_listen_port = 33732;
deuxfleurs.is_raft_server = true;
# Enable netdata monitoring
services.netdata.enable = true;
}

1
cluster/prod/node/courgette.site.nix Symbolic link
View file

@ -0,0 +1 @@
../site/neptune.nix

10
cluster/prod/site/neptune.nix Normal file
View file

@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
networking.defaultGateway = {
address = "192.168.1.254";
interface = "eno1";
};
deuxfleurs.site_name = "neptune";
}

10
cluster/prod/ssh_config Normal file
View file

@ -0,0 +1,10 @@
UserKnownHostsFile ./ssh_known_hosts
Host concombre
HostName 10.42.1.31
Host courgette
HostName 10.42.1.32
Host celeri
HostName 10.42.1.33

8
cluster/staging/cluster.nix
View file

@ -6,25 +6,25 @@
{ {
hostname = "spoutnik"; hostname = "spoutnik";
publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg="; publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
IP = "10.42.0.2"; IP = "10.42.2.2";
endpoint = "77.141.67.109:42136"; endpoint = "77.141.67.109:42136";
} }
{ {
hostname = "cariacou"; hostname = "cariacou";
publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA="; publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
IP = "10.42.0.21"; IP = "10.42.2.21";
endpoint = "82.66.112.151:33721"; endpoint = "82.66.112.151:33721";
} }
{ {
hostname = "carcajou"; hostname = "carcajou";
publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="; publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
IP = "10.42.0.22"; IP = "10.42.2.22";
endpoint = "82.66.112.151:33722"; endpoint = "82.66.112.151:33722";
} }
{ {
hostname = "caribou"; hostname = "caribou";
publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY="; publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
IP = "10.42.0.23"; IP = "10.42.2.23";
endpoint = "82.66.112.151:33723"; endpoint = "82.66.112.151:33723";
} }
]; ];

2
cluster/staging/node/carcajou.nix
View file

@ -24,7 +24,7 @@
} }
]; ];
deuxfleurs.vpn_ip = "10.42.0.22"; deuxfleurs.vpn_ip = "10.42.2.22";
deuxfleurs.vpn_listen_port = 33722; deuxfleurs.vpn_listen_port = 33722;
deuxfleurs.is_raft_server = true; deuxfleurs.is_raft_server = true;

2
cluster/staging/node/cariacou.nix
View file

@ -24,7 +24,7 @@
} }
]; ];
deuxfleurs.vpn_ip = "10.42.0.21"; deuxfleurs.vpn_ip = "10.42.2.21";
deuxfleurs.vpn_listen_port = 33721; deuxfleurs.vpn_listen_port = 33721;
deuxfleurs.is_raft_server = true; deuxfleurs.is_raft_server = true;

2
cluster/staging/node/caribou.nix
View file

@ -24,7 +24,7 @@
} }
]; ];
deuxfleurs.vpn_ip = "10.42.0.23"; deuxfleurs.vpn_ip = "10.42.2.23";
deuxfleurs.vpn_listen_port = 33723; deuxfleurs.vpn_listen_port = 33723;
deuxfleurs.is_raft_server = true; deuxfleurs.is_raft_server = true;

2
cluster/staging/node/spoutnik.nix
View file

@ -21,7 +21,7 @@
]; ];
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
ips = [ "10.42.0.2/16" ]; ips = [ "10.42.2.2/16" ];
listenPort = 42136; listenPort = 42136;
}; };

6
cluster/staging/ssh_config
View file

@ -1,13 +1,13 @@
UserKnownHostsFile ./ssh_known_hosts UserKnownHostsFile ./ssh_known_hosts
Host caribou Host caribou
HostName 10.42.0.23 HostName 10.42.2.23
Host carcajou Host carcajou
HostName 10.42.0.22 HostName 10.42.2.22
Host cariacou Host cariacou
HostName 10.42.0.21 HostName 10.42.2.21
Host spoutnik Host spoutnik
HostName 10.42.0.2 HostName 10.42.0.2

6
genpki.sh
View file

@ -63,8 +63,8 @@ extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = server.staging.$APP DNS.1 = server.$CLUSTER.$APP
DNS.2 = client.staging.$APP DNS.2 = client.$CLUSTER.$APP
DNS.3 = localhost DNS.3 = localhost
DNS.4 = 127.0.0.1 DNS.4 = 127.0.0.1
EOF EOF
@ -104,7 +104,7 @@ extendedKeyUsage = clientAuth
subjectAltName = @alt_names subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = client.staging.$APP DNS.1 = client.$CLUSTER.$APP
EOF EOF
) \ ) \
-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \ -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \

2
nix/deuxfleurs.nix
View file

@ -79,7 +79,7 @@ in
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
ips = [ "${cfg.vpn_ip}/16" ]; ips = [ "${cfg.vpn_ip}/16" ];
listenPort = cfg.vpn_listen_port; listenPort = cfg.vpn_listen_port;
privateKeyFile = "/root/wireguard-keys/private"; privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
peers = map ({ publicKey, endpoint, IP, ... }: { peers = map ({ publicKey, endpoint, IP, ... }: {
publicKey = publicKey; publicKey = publicKey;
allowedIPs = [ "${IP}/32" ]; allowedIPs = [ "${IP}/32" ];

6
ssh_known_hosts
View file

@ -2,3 +2,9 @@
10.42.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds 10.42.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
10.42.0.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+ 10.42.0.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
10.42.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL 10.42.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL
10.42.1.33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
10.42.1.31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
10.42.1.32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXyY9yZdq/VYpg3K1plBzFvim41tWlu+Dmov3BNSm39
192.168.1.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+