diff --git a/README.md b/README.md
index 4e0cd6f..e6914ee 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,9 @@ Basically:
 - Add your wireguard configuration to `cluster/prod/cluster.nix`
 - You will have to edit your NAT config manually
 - To get your node's wg public key, you must run `./deploy_prod prod `, see the next section for more information
+ - Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
+ - If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
+ - Add `User root` for the first time as your user will not be declared yet on the system
 ## How to deploy a Nix configuration on a fresh node
@@ -40,13 +43,36 @@ in your operator's life to break everything through automation.
 Run:
 - `./deploy_wg prod datura` - to generate wireguard's keys
- - `./deploy_nixos prod datura` - to deploy the nix configuration files (need to be redeployed on all nodes as hte new wireguard conf is needed everywhere)
+ - `./deploy_nixos prod datura` - to deploy the nix configuration files
+ - need to be redeployed on all nodes as the new wireguard conf is needed everywhere
 - `./deploy_password prod datura` - to deploy user's passwords
+ - need to be redeployed on all nodes to setup the password on all nodes
 - `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
 ## How to operate a node
-*To be written*
+Edit your `~/.ssh/config` file:
+
+```
+Host dahlia
+ HostName dahlia.machine.deuxfleurs.fr
+ LocalForward 14646 127.0.0.1:4646
+ LocalForward 8501 127.0.0.1:8501
+ LocalForward 1389 bottin.service.prod.consul:389
+ LocalForward 5432 psql-proxy.service.prod.consul:5432
+```
+
+And then run the TLS proxy:
+
+```
+./tlsproxy prod
+```
+
+And then open in your browser:
+ - http://localhost:8500 - http://localhost:4646
+
 ## More
diff --git a/cluster/prod/app/garage/deploy/garage-light.hcl b/cluster/prod/app/garage/deploy/garage-light.hcl
index 90d1cb0..94c388d 100644
--- a/cluster/prod/app/garage/deploy/garage-light.hcl
+++ b/cluster/prod/app/garage/deploy/garage-light.hcl
@@ -1,5 +1,5 @@
 job "garage-light" {
- datacenters = ["neptune"]
+ datacenters = ["neptune", "bespin"]
 type = "system"
 priority = 80
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index 1821d03..3d960e4 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -38,7 +38,7 @@
 publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
 IP = "10.83.2.1";
 lan_endpoint = "192.168.1.11:33799";
- endpoint = "82.66.80.201:33731";
+ endpoint = "82.66.80.201:33731";
 }
 {
 hostname = "diplotaxis";
@@ -46,8 +46,7 @@
 publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
 IP = "10.83.2.2";
 lan_endpoint = "192.168.1.12:33799";
- endpoint = "82.66.80.201:33732";
-
+ endpoint = "82.66.80.201:33732";
 }
 {
 hostname = "doradille";
@@ -55,7 +54,31 @@
 publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
 IP = "10.83.2.3";
 lan_endpoint = "192.168.1.13:33799";
- endpoint = "82.66.80.201:33733";
+ endpoint = "82.66.80.201:33733";
+ }
+ {
+ hostname = "df-ykl";
+ site_name = "bespin";
+ publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
+ IP = "10.83.3.1";
+ lan_endpoint = "192.168.5.117:33799";
+ endpoint = "bespin.site.deuxfleurs.fr:33731";
+ }
+ {
+ hostname = "df-ymf";
+ site_name = "bespin";
+ publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
+ IP = "10.83.3.2";
+ lan_endpoint = "192.168.5.134:33799";
+ endpoint = "bespin.site.deuxfleurs.fr:33732";
+ }
+ {
+ hostname = "df-ymk";
+ site_name = "bespin";
+ publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
+ IP = "10.83.3.3";
+ lan_endpoint = "192.168.5.116:33799";
+ endpoint = "bespin.site.deuxfleurs.fr:33733";
 }
 ];
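Review bot: The three bespin peers give `endpoint` as a DNS name (`bespin.site.deuxfleurs.fr:33731`–`:33733`) whereas every neptune peer is pinned to `82.66.80.201`; WireGuard resolves that name once when the interface is configured, so if the site's public address changes the tunnel keeps sending to the stale IP until wg is reconfigured. The `publicKey` still authenticates the remote end, so a wrong or spoofed DNS answer can only break connectivity, not impersonate a peer. If the module that consumes this list does not already set it, the NixOS peer option `dynamicEndpointRefreshSeconds` would re-resolve the name periodically. A comment on the bespin entries would also help the next reader, e.g. `# DNS endpoint: the site's public address may change; ports 33731-33733 are NAT-forwarded to each node` (the NAT part follows the README, the changing-address part is my assumption). The list these entries extend starts outside the hunk.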
@@ -81,7 +104,8 @@
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDs9v4tU1F7rqEJFfLjGAOWeGPi3DMgDCtj0mNine/J4GKgDR0KrWIQgT4jE8VdMXRXpaiKZjOabIczvR7INCQryGwb24NzielB5m98dx+OVoWHoFCb3xFgGkk3TIsJp0+8RuGFTPFh5GA1uQB4aHZs6YP56Y/bkr8Ap6sbOfKgg4mfHuVuhME2pOFe4q0YxWFE6Lq/4ysC/87xwjAhQwRyC+vyDxDVUVPKRCRoPxLg0htV6eOY0fJB+9fKrhdeW+yOu4GlxoMxrZfUKjVeCEtbtgOXzNayVRWQNkCZsAgEBD5gmMfBG25vur60d9dCekVOVmaTc0F56DRjaGOOB0WFPZrf16TBs99XlMMbnkhf8z0IPn/L+Q/jJEL4QjhZZ2mrQhZsHVAOPEATKgaYMw2FRUrwyoUJfNIku0e8YmkJR5vEwHoG0o1A0PCACWCRQ1zcac9uYjMADoSsSMjrCQ8FVUT6enPe+g36MtWEaBxUpfqFx0xvw2bvbWFm5xk0uMM= adrien@pratchett"
 ];
 maximilien = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5 maximilien@icare"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGioTNbjGE3KblbqhnkEWUfGkYZ2p5UAVqPdQJaUBWoo maximilien@athena"
 ];
 };
diff --git a/cluster/prod/node/celeri.nix b/cluster/prod/node/celeri.nix
index d20ade1..4a2a347 100644
--- a/cluster/prod/node/celeri.nix
+++ b/cluster/prod/node/celeri.nix
@@ -15,5 +15,5 @@
 deuxfleurs.ipv6 = "2a06:a003:d019:1::33";
 deuxfleurs.cluster_ip = "10.83.1.3";
- deuxfleurs.is_raft_server = true;
+ deuxfleurs.is_raft_server = false;
 }
diff --git a/cluster/prod/node/df-ykl.nix b/cluster/prod/node/df-ykl.nix
new file mode 100644
index 0000000..04a2b35
--- /dev/null
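Review bot: `is_raft_server` flips to `false` on celeri while the new df-ykl.nix in this commit sets it to `true`, so the server set of the Consul/Nomad raft changes in two files, and the README hunk says `deploy_nixos` is re-run node by node, which makes the redeploy order decide whether quorum holds in between. Redeploy df-ykl first and confirm it is a voter (`consul operator raft list-peers`, `nomad operator raft list-peers`) before redeploying celeri. Unless the module behind `is_raft_server` already makes a demoted node leave gracefully (not visible here), run `consul leave` and `nomad server force-leave <celeri>` on it, otherwise it lingers as a failed voter in the raft configuration. A one-line comment would record the intent: `# demoted: df-ykl (bespin) takes celeri's raft seat`.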
+++ b/cluster/prod/node/df-ykl.nix
@@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "df-ykl";
+
+ deuxfleurs.network_interface = "enp0s31f6";
+ deuxfleurs.lan_ip = "192.168.5.117";
+ deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c";
+
+ deuxfleurs.cluster_ip = "10.83.3.1";
+ deuxfleurs.is_raft_server = true;
+
+ fileSystems."/mnt" = {
+ device = "/dev/disk/by-uuid/f7aa396f-23d0-44d3-89cf-3cb00bbb6c3b";
+ fsType = "xfs";
+ options = [ "nofail" ];
+ };
+}
diff --git a/cluster/prod/node/df-ykl.site.nix b/cluster/prod/node/df-ykl.site.nix
new file mode 120000
index 0000000..24a1723
--- /dev/null
+++ b/cluster/prod/node/df-ykl.site.nix
@@ -0,0 +1 @@
+../site/bespin.nix
\ No newline at end of file
diff --git a/cluster/prod/node/df-ymf.nix b/cluster/prod/node/df-ymf.nix
new file mode 100644
index 0000000..15c5b1e
--- /dev/null
+++ b/cluster/prod/node/df-ymf.nix
@@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "df-ymf";
+
+ deuxfleurs.network_interface = "enp0s31f6";
+ deuxfleurs.lan_ip = "192.168.5.134";
+ deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3a:6174";
+
+ deuxfleurs.cluster_ip = "10.83.3.2";
+ deuxfleurs.is_raft_server = false;
+
+ fileSystems."/mnt" = {
+ device = "/dev/disk/by-uuid/fec20a7e-5019-4747-8f73-77f3f196c122";
+ fsType = "xfs";
+ options = [ "nofail" ];
+ };
+}
diff --git a/cluster/prod/node/df-ymf.site.nix b/cluster/prod/node/df-ymf.site.nix
new file mode 120000
index 0000000..24a1723
--- /dev/null
+++ b/cluster/prod/node/df-ymf.site.nix
@@ -0,0 +1 @@
+../site/bespin.nix
\ No newline at end of file
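Review bot: `/mnt` is mounted with `options = [ "nofail" ]`, so when the XFS disk is absent or fails to mount the node still boots and `/mnt` is an empty directory on the root filesystem; anything that writes under it (presumably Garage, now that `garage-light` is scheduled on bespin, or Nomad data — neither is visible here) would silently fill the root disk instead. If booting without the data disk is intended, say so, e.g. `# nofail: stay bootable without the data disk; consumers must not assume /mnt is populated`; if not, drop `nofail` or give the consumers `RequiresMountsFor=/mnt` so they refuse to start on an unmounted path. The same applies verbatim to df-ymf.nix and df-ymk.nix in this commit.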
diff --git a/cluster/prod/node/df-ymk.nix b/cluster/prod/node/df-ymk.nix
new file mode 100644
index 0000000..d7deb49
--- /dev/null
+++ b/cluster/prod/node/df-ymk.nix
@@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "df-ymk";
+
+ deuxfleurs.network_interface = "enp0s31f6";
+ deuxfleurs.lan_ip = "192.168.5.116";
+ deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e939";
+
+ deuxfleurs.cluster_ip = "10.83.3.3";
+ deuxfleurs.is_raft_server = false;
+
+ fileSystems."/mnt" = {
+ device = "/dev/disk/by-uuid/51d95b17-0e06-4a73-9e4e-ae5363cc4015";
+ fsType = "xfs";
+ options = [ "nofail" ];
+ };
+}
diff --git a/cluster/prod/node/df-ymk.site.nix b/cluster/prod/node/df-ymk.site.nix
new file mode 120000
index 0000000..24a1723
--- /dev/null
+++ b/cluster/prod/node/df-ymk.site.nix
@@ -0,0 +1 @@
+../site/bespin.nix
\ No newline at end of file
diff --git a/cluster/prod/site/bespin.nix b/cluster/prod/site/bespin.nix
new file mode 100644
index 0000000..4b60d4d
--- /dev/null
+++ b/cluster/prod/site/bespin.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+ deuxfleurs.site_name = "bespin";
+ deuxfleurs.lan_default_gateway = "192.168.5.254";
+ deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1";
+ deuxfleurs.lan_ip_prefix_length = 24;
+ deuxfleurs.ipv6_prefix_length = 64;
+ deuxfleurs.nameservers = [ "192.168.5.254" ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/cluster/prod/ssh_config b/cluster/prod/ssh_config
index 7512bda..1fa9019 100644
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
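Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ]` in the site file opens those ports on every interface of every bespin node, including the WireGuard and LAN sides, whether or not the node runs the HTTP ingress. If only the NAT-forwarded LAN side should accept them, `networking.firewall.interfaces.<iface>.allowedTCPPorts` scopes the rule per interface; the interface name is set per node (`deuxfleurs.network_interface`), so the module would have to wire it through. At minimum a comment should state why a site-wide opening is wanted, e.g. `# 80/443 on every node: the site NAT forwards HTTP(S) to any node so the ingress can run anywhere` — the forwarding is my assumption from the README, confirm it.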
@@ -21,3 +21,15 @@ Host diplotaxis
 Host doradille
 HostName doradille.machine.deuxfleurs.fr
+Host df-ykl
+ HostName df-ykl.machine.deuxfleurs.fr
+ User root
+
+Host df-ymf
+ HostName df-ymf.machine.deuxfleurs.fr
+ User root
+
+Host df-ymk
+ HostName df-ymk.machine.deuxfleurs.fr
+ User root
+
diff --git a/deploy_nixos b/deploy_nixos
index 0bd1b4c..a716d6b 100755
--- a/deploy_nixos
+++ b/deploy_nixos
@@ -7,4 +7,5 @@
 copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
 copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
 copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
-cmd nixos-rebuild switch --show-trace
+cmd "nix-channel --add https://nixos.org/channels/nixos-22.05 nixos"
+cmd nixos-rebuild switch --upgrade --show-trace
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 800d36d..2bb56f2 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -83,7 +83,7 @@ SystemMaxUse=1G
 virtualisation.docker = {
 enable = true;
 extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {
- dns = [ "172.17.0.1" "8.8.8.8" "8.8.4.4" ];
+ dns = [ "172.17.0.1" ];
 })}";
 };
diff --git a/ssh_known_hosts b/ssh_known_hosts
index e6baaa5..a65f216 100644
--- a/ssh_known_hosts
+++ b/ssh_known_hosts
@@ -18,3 +18,6 @@ diplotaxis.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcVtfOj0ti
 2a06:a003:d019:1::33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
 2a06:a003:d019:1::31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
 2a06:a003:d019:1::32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
+df-ykl.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwsKl1Bv8HJa+rO2KymEDhKEcDY3s9CQmDQ8i/tHf4E
+df-ymk.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIo6bcVtpZ+pRVs0vNaUgC0kY5ddPtWryUmFQTZjA+73
+df-ymf.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2el374ejNXqF+yyMxOOhY2DWSJB9tbjr2H7gFfQtbc
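Review bot: The three new stanzas hard-code `User root`, while the existing doradille and diplotaxis stanzas carry no `User`, and the README hunk in this very commit says `User root` is only for the first deploy, before the operator's account exists on the node. Leaving it committed means every later `ssh -F cluster/prod/ssh_config df-ykl` logs in as root by default, which sidesteps the per-user accounts and passwords that `deploy_password` sets up. Drop the three `User root` lines once `deploy_nixos` has run on these nodes, or flag them as temporary with a comment on its own line (ssh_config rejects trailing text after a value): `# TODO remove User root after the first deploy (see README)`.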
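Review bot: `cmd "nix-channel --add https://nixos.org/channels/nixos-22.05 nixos"` followed by `nixos-rebuild switch --upgrade` makes every run pull whatever the channel points at that day, so nodes deployed days apart land on different nixpkgs revisions and a deploy is no longer reproducible from the repository alone; the channel is fetched over HTTPS and store paths are checked against the cache's signature, so integrity is covered, but drift and an unreviewed upgrade on every config push are not. Pin the exact revision (a `https://releases.nixos.org/nixos/22.05/nixos-22.05.<build>` URL, or nixpkgs via niv/npins/flakes) and make upgrades a separate, deliberate step, so `deploy_nixos` stays idempotent. The two `cmd` invocations also differ in quoting (`cmd "nix-channel ..."` vs `cmd nixos-rebuild ...`); `cmd` is defined outside this hunk, so use whichever form it expects for both lines.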
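Review bot: Dropping `8.8.8.8`/`8.8.4.4` leaves `172.17.0.1` as the containers' only resolver, which is the right direction (lookups for `*.service.prod.consul` and other internal names no longer leak to a public resolver and nothing can bypass the local one), but it also means container DNS fails outright whenever the listener on `172.17.0.1` — presumably a forwarder bound on docker0, not visible here — is down. Record the intent next to the line, e.g. `# single resolver on docker0: .consul names resolve and nothing leaks to public DNS; no fallback by design`, and make sure that listener is ordered before docker and monitored. The attribute set enclosing `virtualisation.docker` starts outside the hunk.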
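Review bot: The three new entries are keyed only by hostname, whereas the existing nodes are also pinned by IPv6 address (`2a06:a003:d019:1::31`…`::33`). This commit declares the new nodes' addresses (`2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c` for df-ykl, `…:fe3a:6174` for df-ymf, `…:fe3b:e939` for df-ymk), so an `ssh` to the address, or a client with `CheckHostIP yes`, gets a trust-on-first-use prompt instead of the pinned key; add one line per node, e.g. `2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwsKl1Bv8HJa+rO2KymEDhKEcDY3s9CQmDQ8i/tHf4E`. The commit does not say how the fingerprints were obtained; they are only as trustworthy as the out-of-band check (e.g. `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the node's console) done before committing them.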
diff --git a/tlsproxy b/tlsproxy
index 7988737..1ddeafa 100755
--- a/tlsproxy
+++ b/tlsproxy
@@ -37,10 +37,10 @@ pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
 pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
 pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
+socat -dd tcp-listen:4646,reuseaddr,fork,bind=localhost openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
 child1=$!
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
+socat -dd tcp-listen:8500,reuseaddr,fork,bind=localhost openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
 child2=$!
 wait "$child1"
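Review bot: `bind=localhost` is a real fix — the old `tcp4-listen:4646`/`:8500` accepted connections from any host on the LAN and relayed them with the operator's client certificate — but both `openssl:` sides still carry `verify=0`, which tells socat not to check the server certificate at all, so the `cafile=` arguments are dead and the client cert and key are handed to whatever answers on `localhost:14646`/`localhost:8501`. With the CA already in `$CERTDIR`, dropping `verify=0` (socat's default is to verify) and adding `openssl-commonname=<name in the Nomad/Consul server cert>` pins the far end; the issued names are not visible here, so check the PKI before enabling it. `bind=localhost` may also resolve to `::1` on some hosts while the README points users at `http://localhost:8500`; `bind=127.0.0.1` removes that ambiguity.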