KokaKiwi/nixcfg
1
0
Fork 0
forked from Deuxfleurs/nixcfg
Code Pull requests Activity

udpate README

Browse source
This commit is contained in:
Alex 2022-04-20 18:14:56 +02:00
parent 2685970256
commit c99c0ffd30
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
1 changed files with 7 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
README.md
View file

@ -8,15 +8,6 @@ It sets up the following:
- Consul, with TLS - Consul, with TLS
- Nomad, with TLS - Nomad, with TLS
The following scripts are available here:
- `deploy_nixos`, the main script that updates the NixOS config
- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
- `deploy_pki`, a script that sets up all of the TLS secrets
- `upgrade_nixos`, a script to upgrade NixOS
- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
## Configuring the OS ## Configuring the OS
This repo contains a bunch of scripts to configure NixOS on all cluster nodes. This repo contains a bunch of scripts to configure NixOS on all cluster nodes.
@ -27,12 +18,17 @@ Most scripts are invoked with the following syntax:
- `./deploy_<something> <cluster_name>` to run the deployment script on all nodes of the cluster `<cluster_name>` - `./deploy_<something> <cluster_name>` to run the deployment script on all nodes of the cluster `<cluster_name>`
- `./deploy_<something> <cluster_name> <node1> <node2> ...` to run the deployment script only on nodes `node1, node2, ...` of cluster `<cluster_name>`. - `./deploy_<something> <cluster_name> <node1> <node2> ...` to run the deployment script only on nodes `node1, node2, ...` of cluster `<cluster_name>`.
All deployment scripts can use the following parameters passed as environment variables:
- `SUDO_PASS`: optionnally, the password for `sudo` on cluster nodes. If not set, it will be asked at the begninning.
- `SSH_USER`: optionnally, the user to try to login using SSH. If not set, the username from your local machine will be used.
### Assumptions (how to setup your environment) ### Assumptions (how to setup your environment)
- you have an SSH access to all of your cluster nodes (listed in `cluster/<cluster_name>/ssh_config`) - you have an SSH access to all of your cluster nodes (listed in `cluster/<cluster_name>/ssh_config`)
- your account is in group `wheel` and you know its password (you need it to become root using `sudo`) - your account is in group `wheel` and you know its password (you need it to become root using `sudo`);
the password is the same on all cluster nodes (see below for password management tools)
- you have a clone of the secrets repository in your `pass` password store, for instance at `~/.password-store/deuxfleurs` - you have a clone of the secrets repository in your `pass` password store, for instance at `~/.password-store/deuxfleurs`
(scripts in this repo will read and write all secrets in `pass` under `deuxfleurs/cluster/<cluster_name>/`) (scripts in this repo will read and write all secrets in `pass` under `deuxfleurs/cluster/<cluster_name>/`)
@ -109,7 +105,7 @@ Then, deploy the PKI on all nodes with:
**When adding a node to the cluster:** just do `./deploy_pki <cluster_name> <name_of_new_node>` **When adding a node to the cluster:** just do `./deploy_pki <cluster_name> <name_of_new_node>`
### Adding administrators ### Adding administrators and password management
Adminstrators are defined in the `cluster.nix` file for each cluster (they could also be defined in the site-specific Nix files if necessary). Adminstrators are defined in the `cluster.nix` file for each cluster (they could also be defined in the site-specific Nix files if necessary).
This is where their public SSH keys for remote access are put. This is where their public SSH keys for remote access are put.