2022-10-16 14:17:13 +00:00
16 changed files with 166 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -31,6 +31,9 @@ Basically:
  - Add your wireguard configuration to `cluster/prod/cluster.nix`
    - You will have to edit your NAT config manually
    - To get your node's wg public key, you must run `./deploy_prod prod <node>`, see the next section for more information
+  - Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
+    - If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
+    - Add `User root` for the first time as your user will not be declared yet on the system

 ## How to deploy a Nix configuration on a fresh node

@ -40,13 +43,36 @@ in your operator's life to break everything through automation.

 Run:
  - `./deploy_wg prod datura` - to generate wireguard's keys
-  - `./deploy_nixos prod datura` - to deploy the nix configuration files (need to be redeployed on all nodes as hte new wireguard conf is needed everywhere)
+  - `./deploy_nixos prod datura` - to deploy the nix configuration files
+   - need to be redeployed on all nodes as the new wireguard conf is needed everywhere
  - `./deploy_password prod datura` - to deploy user's passwords
+   - need to be redeployed on all nodes to setup the password on all nodes
  - `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI

 ## How to operate a node

-*To be written*
+Edit your `~/.ssh/config` file:
+
+```
+Host dahlia
+  HostName dahlia.machine.deuxfleurs.fr
+  LocalForward 14646 127.0.0.1:4646
+  LocalForward 8501 127.0.0.1:8501
+  LocalForward 1389 bottin.service.prod.consul:389
+  LocalForward 5432 psql-proxy.service.prod.consul:5432
+```
+
+And then run the TLS proxy:
+
+```
+./tlsproxy prod
+```
+
+And then open in your browser:
+
+ - http://localhost:8500
+ - http://localhost:4646
+

 ## More

--- a/cluster/prod/app/garage/deploy/garage-light.hcl
+++ b/cluster/prod/app/garage/deploy/garage-light.hcl
@ -1,5 +1,5 @@
 job "garage-light" {
-  datacenters = ["neptune"]
+  datacenters = ["neptune", "bespin"]
  type = "system"
  priority = 80

--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@ -38,7 +38,7 @@
      publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
      IP = "10.83.2.1";
      lan_endpoint = "192.168.1.11:33799";
-      endpoint = "82.66.80.201:33731";  
+      endpoint = "82.66.80.201:33731";
    }
    {
      hostname = "diplotaxis";
@ -46,8 +46,7 @@
      publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
      IP = "10.83.2.2";
      lan_endpoint = "192.168.1.12:33799";
-      endpoint = "82.66.80.201:33732";  
-
+      endpoint = "82.66.80.201:33732";
    }
    {
      hostname = "doradille";
@ -55,7 +54,31 @@
      publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
      IP = "10.83.2.3";
      lan_endpoint = "192.168.1.13:33799";
-      endpoint = "82.66.80.201:33733";  
+      endpoint = "82.66.80.201:33733";
+    }
+    {
+      hostname = "df-ykl";
+      site_name = "bespin";
+      publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
+      IP = "10.83.3.1";
+      lan_endpoint = "192.168.5.117:33799";
+      endpoint = "bespin.site.deuxfleurs.fr:33731";
+    }
+    {
+      hostname = "df-ymf";
+      site_name = "bespin";
+      publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
+      IP = "10.83.3.2";
+      lan_endpoint = "192.168.5.134:33799";
+      endpoint = "bespin.site.deuxfleurs.fr:33732";
+    }
+    {
+      hostname = "df-ymk";
+      site_name = "bespin";
+      publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
+      IP = "10.83.3.3";
+      lan_endpoint = "192.168.5.116:33799";
+      endpoint = "bespin.site.deuxfleurs.fr:33733";
    }
  ];

@ -81,7 +104,8 @@
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDs9v4tU1F7rqEJFfLjGAOWeGPi3DMgDCtj0mNine/J4GKgDR0KrWIQgT4jE8VdMXRXpaiKZjOabIczvR7INCQryGwb24NzielB5m98dx+OVoWHoFCb3xFgGkk3TIsJp0+8RuGFTPFh5GA1uQB4aHZs6YP56Y/bkr8Ap6sbOfKgg4mfHuVuhME2pOFe4q0YxWFE6Lq/4ysC/87xwjAhQwRyC+vyDxDVUVPKRCRoPxLg0htV6eOY0fJB+9fKrhdeW+yOu4GlxoMxrZfUKjVeCEtbtgOXzNayVRWQNkCZsAgEBD5gmMfBG25vur60d9dCekVOVmaTc0F56DRjaGOOB0WFPZrf16TBs99XlMMbnkhf8z0IPn/L+Q/jJEL4QjhZZ2mrQhZsHVAOPEATKgaYMw2FRUrwyoUJfNIku0e8YmkJR5vEwHoG0o1A0PCACWCRQ1zcac9uYjMADoSsSMjrCQ8FVUT6enPe+g36MtWEaBxUpfqFx0xvw2bvbWFm5xk0uMM= adrien@pratchett"
    ];
    maximilien = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHMMR6zNzz8NQU80wFquhUCeiXJuGphjP+zNouKbn228GyESu8sfNBwnuZq86vblR11Lz8l2rtCM73GfAKg29qmUWUHRKWvRIYWv2vaUJcCdy0bAxIzcvCvjZX0SpnIKxe9y3Rp0LGO5WLYfw0ZFaavwFZP0Z8w1Kj9/zBmL2X2avbhkaYHi/C1yXhbvESYQysmqLa48EX/TS616MBrgR9zbI9AoTQ9NOHnR14Tve/AP/khcZoBJdm4hTttMbNkEc0wonzdylTDew263SPRs/uoqnQIpUtErdPHqU10Yup8HjXjEyFJsSwcZcM5sZOw5JKckKJwmcd0yjO/x/4/Mk5 maximilien@icare"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGioTNbjGE3KblbqhnkEWUfGkYZ2p5UAVqPdQJaUBWoo maximilien@athena"
    ];
  };

--- a/cluster/prod/node/celeri.nix
+++ b/cluster/prod/node/celeri.nix
@ -15,5 +15,5 @@
  deuxfleurs.ipv6 = "2a06:a003:d019:1::33";

  deuxfleurs.cluster_ip = "10.83.1.3";
-  deuxfleurs.is_raft_server = true;
+  deuxfleurs.is_raft_server = false;
 }
--- a/cluster/prod/node/df-ykl.nix
+++ b/cluster/prod/node/df-ykl.nix
@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "df-ykl";
+
+  deuxfleurs.network_interface = "enp0s31f6";
+  deuxfleurs.lan_ip = "192.168.5.117";
+  deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c";
+
+  deuxfleurs.cluster_ip = "10.83.3.1";
+  deuxfleurs.is_raft_server = true;
+
+  fileSystems."/mnt" = {
+    device = "/dev/disk/by-uuid/f7aa396f-23d0-44d3-89cf-3cb00bbb6c3b";
+    fsType = "xfs";
+    options = [ "nofail" ];
+  };
+}
--- a/cluster/prod/node/df-ykl.site.nix
+++ b/cluster/prod/node/df-ykl.site.nix
@ -0,0 +1 @@
+../site/bespin.nix
--- a/cluster/prod/node/df-ymf.nix
+++ b/cluster/prod/node/df-ymf.nix
@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "df-ymf";
+
+  deuxfleurs.network_interface = "enp0s31f6";
+  deuxfleurs.lan_ip = "192.168.5.134";
+  deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3a:6174";
+
+  deuxfleurs.cluster_ip = "10.83.3.2";
+  deuxfleurs.is_raft_server = false;
+
+  fileSystems."/mnt" = {
+    device = "/dev/disk/by-uuid/fec20a7e-5019-4747-8f73-77f3f196c122";
+    fsType = "xfs";
+    options = [ "nofail" ];
+  };
+}
--- a/cluster/prod/node/df-ymf.site.nix
+++ b/cluster/prod/node/df-ymf.site.nix
@ -0,0 +1 @@
+../site/bespin.nix
--- a/cluster/prod/node/df-ymk.nix
+++ b/cluster/prod/node/df-ymk.nix
@ -0,0 +1,24 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "df-ymk";
+
+  deuxfleurs.network_interface = "enp0s31f6";
+  deuxfleurs.lan_ip = "192.168.5.116";
+  deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e939";
+
+  deuxfleurs.cluster_ip = "10.83.3.3";
+  deuxfleurs.is_raft_server = false;
+
+  fileSystems."/mnt" = {
+    device = "/dev/disk/by-uuid/51d95b17-0e06-4a73-9e4e-ae5363cc4015";
+    fsType = "xfs";
+    options = [ "nofail" ];
+  };
+}
--- a/cluster/prod/node/df-ymk.site.nix
+++ b/cluster/prod/node/df-ymk.site.nix
@ -0,0 +1 @@
+../site/bespin.nix
--- a/cluster/prod/site/bespin.nix
+++ b/cluster/prod/site/bespin.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  deuxfleurs.site_name = "bespin";
+  deuxfleurs.lan_default_gateway = "192.168.5.254";
+  deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1";
+  deuxfleurs.lan_ip_prefix_length = 24;
+  deuxfleurs.ipv6_prefix_length = 64;
+  deuxfleurs.nameservers = [ "192.168.5.254" ];
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/cluster/prod/ssh_config
+++ b/cluster/prod/ssh_config
@ -21,3 +21,15 @@ Host diplotaxis
 Host doradille
    HostName doradille.machine.deuxfleurs.fr

+Host df-ykl
+    HostName df-ykl.machine.deuxfleurs.fr
+    User root
+
+Host df-ymf
+    HostName df-ymf.machine.deuxfleurs.fr
+    User root
+
+Host df-ymk
+    HostName df-ymk.machine.deuxfleurs.fr
+    User root
+
--- a/3
+++ b/3
@ -7,4 +7,5 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
 copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
 copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix

-cmd nixos-rebuild switch --show-trace
+cmd "nix-channel --add https://nixos.org/channels/nixos-22.05 nixos"
+cmd nixos-rebuild switch --upgrade --show-trace
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@ -83,7 +83,7 @@ SystemMaxUse=1G
  virtualisation.docker = {
    enable = true;
    extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {
-      dns = [ "172.17.0.1" "8.8.8.8" "8.8.4.4" ];
+      dns = [ "172.17.0.1" ];
    })}";
  };

--- a/3
+++ b/3
@ -18,3 +18,6 @@ diplotaxis.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcVtfOj0ti
 2a06:a003:d019:1::33 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
 2a06:a003:d019:1::31 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
 2a06:a003:d019:1::32 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
+df-ykl.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwsKl1Bv8HJa+rO2KymEDhKEcDY3s9CQmDQ8i/tHf4E
+df-ymk.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIo6bcVtpZ+pRVs0vNaUgC0kY5ddPtWryUmFQTZjA+73
+df-ymf.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2el374ejNXqF+yyMxOOhY2DWSJB9tbjr2H7gFfQtbc
--- a/4
+++ b/4
@ -37,10 +37,10 @@ pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
 pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
 pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key

-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
+socat -dd tcp-listen:4646,reuseaddr,fork,bind=localhost openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt,verify=0 &
 child1=$!

-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
+socat -dd tcp-listen:8500,reuseaddr,fork,bind=localhost openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt,verify=0 &
 child2=$!

 wait "$child1"