Nix system configuration for Deuxfleurs clusters
Alex Auvolat
a0db30ca26
- get rid of outside nameserver, unbound does the recursive resolving itself (and it checks DNSSEC)
- remove CAP_NET_BIND_SERVICE for Consul as it is no longer binding on port 53 (was already obsolete)
- make unbound config independent of LAN IPv4 address
Repository contents:
- cluster
- doc
- experimental
- nix
- .gitignore
- deploy_nixos
- deploy_passwords
- deploy_pki
- gen_pki
- passwd
- README.md
- restic_summary
- secretmgr
- sshtool
- tlsproxy
- upgrade_nixos
Deuxfleurs on NixOS!
This repository contains the code to run Deuxfleurs' infrastructure on NixOS.
Our abstraction stack
We try to build a generic abstraction stack between our resources (CPU, RAM, disk, etc.) and our services (chat, storage, etc.), developing our own tools when needed.
Our first abstraction level is the NixOS level, which installs a bunch of standard components:
- WireGuard: provides encrypted communication between remote nodes
- Nomad: schedules containers and handles their lifecycle
- Consul: distributed key-value store + locks + service discovery
- Docker: packages, distributes and isolates applications
Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
- Garage: S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
- DiploNAT: network automation (firewalling, UPnP IGD)
- Bottin: authentication and authorization (LDAP protocol, Consul backend)
- Guichet: a dashboard for our users and administrators
- Stolon + PostgreSQL: distributed relational database
- Prometheus + Grafana: monitoring
Some services we provide based on this abstraction:
- Websites: Garage (static) + fediverse blog (Plume)
- Chat: Synapse + Element Web (Matrix protocol)
- Email: Postfix SMTP + Dovecot IMAP + OpenDKIM DKIM + SOGo webmail (or Alps webmail, experimental)
- Video conferencing: Jitsi
- Collaboration: CryptPad
As a generic abstraction is provided, deploying new services should be easy.
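As an added illustration of the resolver layout the commit message above describes (Unbound doing recursive, DNSSEC-validating resolution on each node, with Consul's service discovery no longer bound to port 53), here is a NixOS configuration fragment. It is not code from this repository: the address ranges are placeholders, Consul's DNS port is assumed to be its default 8600, and the `services.unbound.settings` / `services.consul.extraConfig` options are those of the upstream NixOS modules.

```nix
{ config, lib, ... }:
{
  # The node resolves only through the local Unbound instance: no outside
  # nameserver, so every answer is DNSSEC-validated on this host.
  networking.nameservers = [ "127.0.0.1" ];

  services.unbound = {
    enable = true;
    # Fetch and maintain the root trust anchor used for DNSSEC validation.
    enableRootTrustAnchor = true;
    settings = {
      server = {
        # Bind the wildcard addresses so the config does not embed the node's
        # LAN IPv4 address; who may query is restricted by access-control.
        interface = [ "0.0.0.0" "::0" ];
        access-control = [
          "127.0.0.0/8 allow"
          "::1 allow"
          "10.0.0.0/8 allow"   # placeholder: the cluster's WireGuard range
          "0.0.0.0/0 refuse"
          "::0/0 refuse"
        ];
        # Reject answers whose DNSSEC records were stripped in transit.
        harden-dnssec-stripped = "yes";
        # ".consul" is a private, unsigned zone: without this, validation
        # would mark every service lookup as bogus and return SERVFAIL.
        domain-insecure = [ "consul" ];
        # Unbound refuses to query loopback by default; the stub below
        # needs it to reach the local Consul agent.
        do-not-query-localhost = "no";
      };
      # Hand ".consul" queries to the Consul agent's own DNS listener
      # (assumed default port 8600); Consul no longer listens on 53.
      stub-zone = [{
        name = "consul";
        stub-addr = "127.0.0.1@8600";
      }];
    };
  };

  services.consul = {
    enable = true;
    # Keep Consul DNS on an unprivileged port (assumed default), so the
    # service needs no CAP_NET_BIND_SERVICE at all.
    extraConfig.ports.dns = 8600;
  };
  # Assumption: nothing else grants the capability, so an empty list is the
  # least-privilege state for the unit.
  systemd.services.consul.serviceConfig.AmbientCapabilities = lib.mkForce [ ];
}
```

After deployment, `dig @127.0.0.1 example.org +dnssec` should return the AD flag, while `dig @127.0.0.1 consul.service.consul` is answered through the stub zone without it.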
How to use this?
See the following documentation topics: