Config for prod cluster

This commit is contained in:
Alex 2022-02-09 15:38:36 +01:00
parent f03cafd49b
commit b0010b309b
No known key found for this signature in database
GPG key ID: EDABF9711E244EB1
18 changed files with 201 additions and 15 deletions

58
cluster/prod/cluster.nix Normal file

@ -0,0 +1,58 @@
{ config, pkgs, ... } @ args:
{
deuxfleurs.cluster_name = "prod";
deuxfleurs.cluster_nodes = [
{
hostname = "concombre";
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
IP = "10.42.1.31";
endpoint = "82.66.112.151:33731";
}
{
hostname = "courgette";
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
IP = "10.42.1.32";
endpoint = "82.66.112.151:33732";
}
{
hostname = "celeri";
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
IP = "10.42.1.33";
endpoint = "82.66.112.151:33733";
}
];
deuxfleurs.admin_nodes = [
{
hostname = "hammerhead";
publicKey = "b5hF+GSTgg3oM6wnjL7jRbfyf1jtsWdVptPPbAh3Qic=";
IP = "10.42.0.1";
endpoint = "5.135.179.11:51349";
}
{
hostname = "robinson";
publicKey = "ETaZFil3mFXlJ0LaJZyWqJVLV2IZUF5PB/8M7WbQSTg=";
IP = "10.42.0.42";
endpoint = "77.141.67.109:33742";
}
{
hostname = "shiki";
publicKey = "QUiUNMk70TEQ75Ut7Uqikr5uGVSXmx8EGNkGM6tANlg=";
IP = "10.42.0.206";
endpoint = "37.187.118.206:51820";
}
{
hostname = "lindy";
publicKey = "wen9GnZy2iLT6RyHfn7ydS/wvdvow1XPmhZxIkrDbks=";
IP = "10.42.0.66";
endpoint = "82.66.112.151:33766";
}
];
deuxfleurs.admin_accounts = {
lx = [
# Keys for accessing nodes from outside
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDdVbA9fEdqSr5UJ77NnoIqDTVp8ca5kHExhZYI4ecBExFJfonJllXMBN9KdC4ukxtY8Ug47PcMOfMaTBZQc+e+KpvDWpkBt15Xpem3RCxmMBES79sLL7LgtAdBXc5mNaCX8EOEVixWKdarjvxRyf6py6the51G5muaiMpoj5fae4ZpRGjhGTPefzc7y7zRWBUUZ8pYHW774BIaK6XT9gn3hyHV+Occjl/UODXvodktk55YtnuPi8adXTYEsHrVVz8AkFhx+cr0U/U8vtQnsTrZG+JmgQLqpXVs0RDw5bE1RefEbMuYNKxutYKUe3L+ZJtDe0M0MqOFI8a4F5TxP5 katchup@konata"
];
};
}
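Review bot: The VPN address plan this file depends on is nowhere stated: admin nodes sit in 10.42.0.x, the new prod nodes in 10.42.1.x, and the staging renumbering in this same commit moves staging to 10.42.2.x, all inside the single 10.42.0.0/16 that the module assigns to wg0, so a reused range between clusters would only surface as a routing failure at runtime. A header comment such as `# VPN addressing: 10.42.0.0/24 admin, 10.42.1.0/24 prod, 10.42.2.0/24 staging (all on the shared 10.42.0.0/16 wg0)` would keep the next node from landing in the wrong block. The `@ args` binding on the first line is not referenced anywhere in the visible file and can be dropped. Each node's `IP` and endpoint port are also restated in its node file as `deuxfleurs.vpn_ip` / `deuxfleurs.vpn_listen_port` with nothing tying the two declarations together.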


@ -0,0 +1,33 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "celeri";
networking.interfaces.eno1.useDHCP = false;
networking.interfaces.eno1.ipv4.addresses = [
{
address = "192.168.1.33";
prefixLength = 24;
}
];
networking.interfaces.eno1.ipv6.addresses = [
{
address = "2a01:e0a:c:a720::33";
prefixLength = 64;
}
];
deuxfleurs.vpn_ip = "10.42.1.33";
deuxfleurs.vpn_listen_port = 33733;
deuxfleurs.is_raft_server = true;
# Enable netdata monitoring
services.netdata.enable = true;
}
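Review bot: `deuxfleurs.vpn_ip = "10.42.1.33"` and `deuxfleurs.vpn_listen_port = 33733` duplicate the `IP` and endpoint port that cluster.nix already declares for celeri, so a later edit to one side silently leaves the peer table on every other node pointing at a stale address or port. Either have the module look up this host's entry in `deuxfleurs.cluster_nodes` by `networking.hostName`, or at least mark the coupling with `# Must match the celeri entry in ../cluster.nix` above these two lines. The same duplication exists in the concombre and courgette node files added by this commit.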


@ -0,0 +1 @@
../site/neptune.nix


@ -0,0 +1,33 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "concombre";
networking.interfaces.eno1.useDHCP = false;
networking.interfaces.eno1.ipv4.addresses = [
{
address = "192.168.1.31";
prefixLength = 24;
}
];
networking.interfaces.eno1.ipv6.addresses = [
{
address = "2a01:e0a:c:a720::31";
prefixLength = 64;
}
];
deuxfleurs.vpn_ip = "10.42.1.31";
deuxfleurs.vpn_listen_port = 33731;
deuxfleurs.is_raft_server = true;
# Enable netdata monitoring
services.netdata.enable = true;
}


@ -0,0 +1 @@
../site/neptune.nix


@ -0,0 +1,33 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "courgette";
networking.interfaces.eno1.useDHCP = false;
networking.interfaces.eno1.ipv4.addresses = [
{
address = "192.168.1.32";
prefixLength = 24;
}
];
networking.interfaces.eno1.ipv6.addresses = [
{
address = "2a01:e0a:c:a720::32";
prefixLength = 64;
}
];
deuxfleurs.vpn_ip = "10.42.1.32";
deuxfleurs.vpn_listen_port = 33732;
deuxfleurs.is_raft_server = true;
# Enable netdata monitoring
services.netdata.enable = true;
}


@ -0,0 +1 @@
../site/neptune.nix


@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
networking.defaultGateway = {
address = "192.168.1.254";
interface = "eno1";
};
deuxfleurs.site_name = "neptune";
}
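Review bot: Only an IPv4 `networking.defaultGateway` is configured for this site, while the three node files give eno1 a static address in 2a01:e0a:c:a720::/64 with `useDHCP = false`, so nothing in the committed config installs an IPv6 default route. If the LAN router's advertisements are what is meant to supply it, a comment saying so would help; otherwise add `networking.defaultGateway6 = { address = "<site-v6-gateway-PLACEHOLDER>"; interface = "eno1"; };` next to the IPv4 gateway.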

10
cluster/prod/ssh_config Normal file

@ -0,0 +1,10 @@
UserKnownHostsFile ./ssh_known_hosts
Host concombre
HostName 10.42.1.31
Host courgette
HostName 10.42.1.32
Host celeri
HostName 10.42.1.33
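Review bot: `UserKnownHostsFile ./ssh_known_hosts` pins host keys to a committed file, but nothing here disables the interactive trust-on-first-use fallback, so a host whose key is missing or has changed would still prompt instead of failing. Add `StrictHostKeyChecking yes` after the `UserKnownHostsFile` line so that a mismatch is an error; the staging ssh_config touched in this commit has the same gap. The relative `./ssh_known_hosts` path is resolved from the working directory, so this config only pins anything when ssh is invoked from cluster/prod — worth a comment at the top of the file.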


@ -6,25 +6,25 @@
{ {
hostname = "spoutnik"; hostname = "spoutnik";
publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg="; publicKey = "fO8qZOZmnug84cA8nvfjl5MUqyWljP0BAz/4tHRZyEg=";
IP = "10.42.0.2"; IP = "10.42.2.2";
endpoint = "77.141.67.109:42136"; endpoint = "77.141.67.109:42136";
} }
{ {
hostname = "cariacou"; hostname = "cariacou";
publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA="; publicKey = "qxrtfn2zRVnN52Y5NYumyU3/FcRMnh3kJ2C37JfrczA=";
IP = "10.42.0.21"; IP = "10.42.2.21";
endpoint = "82.66.112.151:33721"; endpoint = "82.66.112.151:33721";
} }
{ {
hostname = "carcajou"; hostname = "carcajou";
publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="; publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk=";
IP = "10.42.0.22"; IP = "10.42.2.22";
endpoint = "82.66.112.151:33722"; endpoint = "82.66.112.151:33722";
} }
{ {
hostname = "caribou"; hostname = "caribou";
publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY="; publicKey = "g6ZED/wPn5MPfytJKwPI19808CXtEad0IJUkEAAzwyY=";
IP = "10.42.0.23"; IP = "10.42.2.23";
endpoint = "82.66.112.151:33723"; endpoint = "82.66.112.151:33723";
} }
]; ];


@ -24,7 +24,7 @@
} }
]; ];
deuxfleurs.vpn_ip = "10.42.0.22"; deuxfleurs.vpn_ip = "10.42.2.22";
deuxfleurs.vpn_listen_port = 33722; deuxfleurs.vpn_listen_port = 33722;
deuxfleurs.is_raft_server = true; deuxfleurs.is_raft_server = true;


@ -24,7 +24,7 @@
} }
]; ];
deuxfleurs.vpn_ip = "10.42.0.21"; deuxfleurs.vpn_ip = "10.42.2.21";
deuxfleurs.vpn_listen_port = 33721; deuxfleurs.vpn_listen_port = 33721;
deuxfleurs.is_raft_server = true; deuxfleurs.is_raft_server = true;


@ -24,7 +24,7 @@
} }
]; ];
deuxfleurs.vpn_ip = "10.42.0.23"; deuxfleurs.vpn_ip = "10.42.2.23";
deuxfleurs.vpn_listen_port = 33723; deuxfleurs.vpn_listen_port = 33723;
deuxfleurs.is_raft_server = true; deuxfleurs.is_raft_server = true;


@ -21,7 +21,7 @@
]; ];
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
ips = [ "10.42.0.2/16" ]; ips = [ "10.42.2.2/16" ];
listenPort = 42136; listenPort = 42136;
}; };


@ -1,13 +1,13 @@
UserKnownHostsFile ./ssh_known_hosts UserKnownHostsFile ./ssh_known_hosts
Host caribou Host caribou
HostName 10.42.0.23 HostName 10.42.2.23
Host carcajou Host carcajou
HostName 10.42.0.22 HostName 10.42.2.22
Host cariacou Host cariacou
HostName 10.42.0.21 HostName 10.42.2.21
Host spoutnik Host spoutnik
HostName 10.42.0.2 HostName 10.42.0.2
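Review bot: `Host spoutnik` still resolves to `HostName 10.42.0.2` on the new side, while spoutnik's WireGuard address is moved to 10.42.2.2 in both the staging cluster.nix and spoutnik.nix in this commit, so `ssh spoutnik` will target an address that no longer belongs to that host. Change the line to `HostName 10.42.2.2`, matching the three other aliases that were renumbered here.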


@ -63,8 +63,8 @@ extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = server.staging.$APP DNS.1 = server.$CLUSTER.$APP
DNS.2 = client.staging.$APP DNS.2 = client.$CLUSTER.$APP
DNS.3 = localhost DNS.3 = localhost
DNS.4 = 127.0.0.1 DNS.4 = 127.0.0.1
EOF EOF
@ -104,7 +104,7 @@ extendedKeyUsage = clientAuth
subjectAltName = @alt_names subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = client.staging.$APP DNS.1 = client.$CLUSTER.$APP
EOF EOF
) \ ) \
-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \ -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
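Review bot: `$CLUSTER` is now expanded inside the heredocs for DNS.1 and DNS.2 in both hunks, but nothing checks that it is set, so running the script as before yields SANs such as `server..$APP` and a certificate that no client name will ever match. Guard it where the script reads its inputs (outside this hunk), e.g. `: "${CLUSTER:?CLUSTER must be set}"`, and mention the new variable in the script's usage text. The enclosing script continues outside both hunks.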


@ -79,7 +79,7 @@ in
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
ips = [ "${cfg.vpn_ip}/16" ]; ips = [ "${cfg.vpn_ip}/16" ];
listenPort = cfg.vpn_listen_port; listenPort = cfg.vpn_listen_port;
privateKeyFile = "/root/wireguard-keys/private"; privateKeyFile = "/var/lib/deuxfleurs/wireguard-keys/private";
peers = map ({ publicKey, endpoint, IP, ... }: { peers = map ({ publicKey, endpoint, IP, ... }: {
publicKey = publicKey; publicKey = publicKey;
allowedIPs = [ "${IP}/32" ]; allowedIPs = [ "${IP}/32" ];
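Review bot: Moving `privateKeyFile` to `/var/lib/deuxfleurs/wireguard-keys/private` changes where wg0 reads its key on every node, but nothing in this hunk creates that directory or migrates the key from `/root/wireguard-keys/private`, so an existing node will fail to bring up wg0 after switching until the key is copied by hand. Unlike `/root`, `/var/lib` is world-traversable by default, so make sure the directory is created root-owned with mode 0700 (for example through a `systemd.tmpfiles.rules` entry) before the key lands there. A comment above the option stating the expectation would avoid surprises: `# Provisioned out of band; must exist, root-owned, mode 0600, before this config is activated`. The enclosing wg0 definition continues outside the hunk.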


@ -2,3 +2,9 @@
10.42.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds 10.42.0.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
10.42.0.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+ 10.42.0.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
10.42.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL 10.42.0.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORTjNdFaDbhto8kuMPB3hYkfnzdnceZVIELApUe5PPL
10.42.1.33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
10.42.1.31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
10.42.1.32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXyY9yZdq/VYpg3K1plBzFvim41tWlu+Dmov3BNSm39
192.168.1.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILYIRbHPU1w1xWRpm2+u3QsXOKfMjv1EXrpYbHT+epds
192.168.1.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICNRilSqrgqdZlLdhN2eOY5ZMbzqpeqAdIf6QuChhXU+
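Review bot: The staging hosts are renumbered to 10.42.2.x elsewhere in this commit, but their keys stay pinned here only under 10.42.0.21, 10.42.0.23 and 10.42.0.2, and no 10.42.2.x lines are added; with the staging ssh_config now pointing at the new addresses, the first connection to each host will hit an unknown-host prompt and the committed keys are never consulted. Add the existing keys under their 10.42.2.x addresses as well — ssh accepts a comma-separated host list per line, e.g. `10.42.0.21,10.42.2.21,192.168.1.21 ssh-ed25519 …` — and drop the 10.42.0.x aliases once the migration is done. The new prod hosts are pinned by their 10.42.1.x VPN address only, whereas the staging hosts now also get 192.168.1.2x entries; if prod is ever reached over its LAN address, the same keys should be listed under 192.168.1.31–33 too.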