Nix system configuration for Deuxfleurs clusters
Deuxfleurs on NixOS!
This repository contains code to run Deuxfleurs' infrastructure on NixOS.
It sets up the following:
- A Wireguard mesh between all nodes
- Consul, with TLS
- Nomad, with TLS
The following scripts are available here:
- `deploy_nixos`, the main script that updates the NixOS config
- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
- `deploy_pki`, a script that sets up all of the TLS secrets
- `upgrade_nixos`, a script to upgrade NixOS
- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
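As an added illustration of how the two TLS helper scripts fit together (this is example code written for this page, not the repository's own `tlsproxy.sh` or `tlsenv.sh`): one function builds the socat command that exposes a plaintext loopback port and forwards it over mutual TLS to the secured API, the other prints the environment variables the Consul and Nomad CLIs read to speak TLS directly. The PKI directory, hostname, file names and port numbers are assumptions; the `CONSUL_*` and `NOMAD_*` variable names are the ones the official CLIs honour.

```shell
#!/bin/sh
# Added example, not code from the Deuxfleurs repository.
# Assumed layout: one CA, client cert and key per service under $PKI_DIR.
set -eu

PKI_DIR="${PKI_DIR:-/var/lib/deuxfleurs/pki}"            # assumed PKI location
API_HOST="${API_HOST:-consul.example.internal}"          # placeholder node name

# Print the socat command for a local plaintext proxy to a TLS-secured API.
# bind=127.0.0.1 keeps the unauthenticated side off the network, and
# verify=1 with cafile makes socat check the server certificate against
# the PKI CA instead of accepting any certificate.
tls_proxy_cmd() {
  local_port="$1"; remote_host="$2"; remote_port="$3"; svc="$4"
  printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork OPENSSL:%s:%s,verify=1,cafile=%s/%s-ca.crt,cert=%s/%s-client.crt,key=%s/%s-client.key\n' \
    "$local_port" "$remote_host" "$remote_port" \
    "$PKI_DIR" "$svc" "$PKI_DIR" "$svc" "$PKI_DIR" "$svc"
}

# Print the export lines that let the Consul and Nomad CLIs talk TLS
# directly, without a proxy. Ports are the defaults (Consul HTTPS 8501,
# Nomad HTTP 4646) and are assumptions for this example.
tls_env_exports() {
  host="$1"
  cat <<EOF
export CONSUL_HTTP_ADDR=https://${host}:8501
export CONSUL_CACERT=${PKI_DIR}/consul-ca.crt
export CONSUL_CLIENT_CERT=${PKI_DIR}/consul-client.crt
export CONSUL_CLIENT_KEY=${PKI_DIR}/consul-client.key
export NOMAD_ADDR=https://${host}:4646
export NOMAD_CACERT=${PKI_DIR}/nomad-ca.crt
export NOMAD_CLIENT_CERT=${PKI_DIR}/nomad-client.crt
export NOMAD_CLIENT_KEY=${PKI_DIR}/nomad-client.key
EOF
}

# Usage: "proxy" prints the two socat commands (local 8500 -> Consul TLS 8501,
# local 14646 -> Nomad TLS 4646); "env" prints lines suitable for eval.
case "${1:-}" in
  proxy)
    tls_proxy_cmd 8500 "$API_HOST" 8501 consul
    tls_proxy_cmd 14646 "$API_HOST" 4646 nomad
    ;;
  env)
    tls_env_exports "$API_HOST"
    ;;
esac
```

Run with `sh example.sh proxy` to see the socat invocations, or `eval "$(sh example.sh env)"` to load the CLI variables into the current shell; the proxy deliberately never listens on a non-loopback address, since everything arriving on that port reaches the API with the client certificate's identity.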
Stuff should be started in this order:
- `app/core`
- `app/frontend`
- `app/garage-staging`

At this point, we are able to have a systemd service called `mountgarage` that mounts Garage buckets in `/mnt/garage-staging`. This is used by the following services that can be launched afterwards:
- `app/im`