Nix system configuration for Deuxfleurs clusters
Alex 6c22f5fdfa
Add scripts to manage passwords
2022-04-20 15:41:54 +02:00
app garage v0.7.0 on staging 2022-04-12 15:49:57 +02:00
cluster Updates; change crontab 2022-03-07 16:57:43 +01:00
doc permissions for apm writer 2022-03-08 22:41:01 +01:00
nix Wesher secret key in /var/lib/wesher/secrets 2022-04-20 10:50:42 +02:00
.gitignore Modularize and prepare to support multiple clusters 2022-02-09 12:09:49 +01:00
README.md Refactor deployment scripts 2022-04-20 13:03:29 +02:00
deploy_nixos Refactor deployment scripts 2022-04-20 13:03:29 +02:00
deploy_passwords Add scripts to manage passwords 2022-04-20 15:41:54 +02:00
deploy_pki tlsproxy from pass; fix tls stuff 2022-04-20 15:29:24 +02:00
deploy_wesher_key manage wesher key with pass 2022-04-20 14:14:15 +02:00
gen_pki Move pki to pass 2022-04-20 15:03:04 +02:00
gen_wesher_key manage wesher key with pass 2022-04-20 14:14:15 +02:00
passwd Add scripts to manage passwords 2022-04-20 15:41:54 +02:00
ssh_known_hosts Reinstall cariacou with encryption 2022-02-26 00:00:10 +01:00
sshtool tlsproxy from pass; fix tls stuff 2022-04-20 15:29:24 +02:00
tlsproxy tlsproxy from pass; fix tls stuff 2022-04-20 15:29:24 +02:00
upgrade_nixos Refactor deployment scripts 2022-04-20 13:03:29 +02:00

README.md

Deuxfleurs on NixOS!

This repository contains code to run Deuxfleurs' infrastructure on NixOS.

It sets up the following:

  • A Wireguard mesh between all nodes
  • Consul, with TLS
  • Nomad, with TLS

The following scripts are available here:

  • deploy_nixos, the main script that updates the NixOS config
  • genpki.sh, a script to generate Consul and Nomad's TLS PKI (run this once only)
  • deploy_pki, a script that sets up all of the TLS secrets
  • upgrade_nixos, a script to upgrade NixOS
  • tlsproxy.sh, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
  • tlsenv.sh, a script to be sourced (source tlsenv.sh) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS

Stuff should be started in this order:

  • app/core
  • app/frontend
  • app/garage-staging

At this point, we are able to have a systemd service called mountgarage that mounts Garage buckets in /mnt/garage-staging. This is used by the following services that can be launched afterwards:

  • app/im