Nix system configuration for Deuxfleurs clusters
Find a file
2024-11-28 20:41:52 +01:00
cluster email: migration celeri (site neptune) -> ananas (site scorpio) 2024-11-28 20:41:52 +01:00
doc doc/architecture.md: ajout de la ligne de commande utile pour lancer la CLI garage 2024-05-26 12:43:03 +02:00
experimental staging: deploy things on bespin 2023-01-04 10:06:06 +01:00
nix Revert "openssh: Temporary patch for CVE-2024-6387 mitigation" 2024-07-14 16:09:33 +02:00
.gitignore added personal notes folder to gitignore 2024-11-12 14:22:08 +01:00
deploy_nixos remove unused remote-unlock.nix 2024-02-06 17:46:55 +01:00
deploy_passwords cleanup 2022-12-23 00:07:02 +01:00
deploy_pki prod: nixos 23.11 and nomad 1.5 2024-04-20 10:58:36 +02:00
gather_facts Add small script to gather system information from machines 2024-05-31 11:35:00 +02:00
gen_pki Fix access to consul for non-server nodes 2022-08-24 16:58:50 +02:00
passwd edited passwd command to set bash as interpreter 2022-11-09 19:02:02 +01:00
README.md coquille 2023-11-22 19:43:42 +01:00
restic_restore_gen move emails to lille 2023-08-29 11:43:45 +02:00
restic_summary cleanup 2022-12-23 00:07:02 +01:00
secretmgr Improve secretmgr more, update secrets for staging 2022-12-25 22:12:38 +01:00
sshtool sshtool: improve usage message 2024-05-31 11:34:38 +02:00
tlsproxy tlsproxy: better error message when no argument is passed 2024-04-26 13:15:52 +02:00
upgrade_nixos prod: nixos 23.11 and nomad 1.5 2024-04-20 10:58:36 +02:00

Deuxfleurs on NixOS!

This repository contains code to run Deuxfleurs' infrastructure on NixOS.

Our abstraction stack

We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.), we develop our own tools when needed.

Our first abstraction level is the NixOS level, which installs a bunch of standard components:

  • Wireguard: provides encrypted communication between remote nodes
  • Nomad: schedule containers and handle their lifecycle
  • Consul: distributed key value store + lock + service discovery
  • Docker: package, distribute and isolate applications

Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:

  • Data management
    • Garage: S3-compatible lightweight object store for self-hosted geo-distributed deployments
    • Stolon + PostgreSQL: distributed relational database
  • Network Control Plane
    • DiploNAT: - network automation (firewalling, upnp igd)
    • D53 - update DNS entries (A and AAAA) dynamically based on Nomad service scheduling and local node info
    • Tricot - a dynamic reverse proxy for nomad+consul inspired by traefik
    • wgautomesh - a dynamic wireguard mesh configurator
  • User Management
    • Bottin: authentication and authorization (LDAP protocol, consul backend)
    • Guichet: a dashboard for our users and administrators7
  • Observability
    • Prometheus + Grafana: monitoring

Some services we provide based on this abstraction:

  • Websites: Garage (static) + fediverse blog (Plume)
  • Chat: Synapse + Element Web (Matrix protocol)
  • Email: Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
  • Visioconference: Jitsi
  • Collaboration: CryptPad

As a generic abstraction is provided, deploying new services should be easy.

How to use this?

See the following documentation topics:

Got personal services in addition to Deuxfleurs at home?

Go check cluster/prod/register_external_services.sh. In bash, we register a redirect from Tricot to your own services or your personal reverse proxy.