Update README

This commit is contained in:
Quentin 2022-10-16 11:58:11 +02:00
parent 9a8cbf9121
commit d442b9a068
Signed by untrusted user: quentin
GPG key ID: E9602264D639FF68
3 changed files with 17 additions and 6 deletions


@ -18,6 +18,7 @@ Basically:
- All existing administrators pull their key and sign it - All existing administrators pull their key and sign it
- An existing administrator reencrypt the keystore with this new key and push it - An existing administrator reencrypt the keystore with this new key and push it
- The new administrator clone the repo and check that they can decrypt the secrets - The new administrator clone the repo and check that they can decrypt the secrets
- Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
## How to create files for a new zone ## How to create files for a new zone
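Review bot: the added `./passwd prod rick` step does not say where the chosen password ends up or whether it must be committed and pushed like the re-encrypted keystore in the step above; since the next section's `./deploy_password prod datura` pushes "user's passwords" to the node, spell that out here (for example, "`./passwd` records the password in the repo; commit and push it before running `./deploy_password`"), otherwise a new administrator can complete this list and still be unable to log in over SSH.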
@ -26,11 +27,19 @@ Basically:
Basically: Basically:
- Create your `site` file in `cluster/prod/site/` folder - Create your `site` file in `cluster/prod/site/` folder
- Create your `node` files in `cluster/prod/node/` folder - Create your `node` files in `cluster/prod/node/` folder
- Add your wireguard configuration to `cluster/prod/cluster.nix` - Add your wireguard configuration to `cluster/prod/cluster.nix` (you will have to edit your NAT config manually)
## How to deploy a Nix configuration on a fresh node ## How to deploy a Nix configuration on a fresh node
*To be written* We suppose that the node name is `datura`.
Start by doing the deployment one node at a time, you will have plenty of time
in your operator's life to break everything through automation.
Run:
- `./deploy_wg prod datura` - to generate wireguard's keys
- `./deploy_nixos prod datura` - to deploy the nix configuration files (need to be redeployed on all nodes as hte new wireguard conf is needed everywhere)
- `./deploy_password prod datura` - to deploy user's passwords
- `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
## How to operate a node ## How to operate a node
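Review bot: typo in the `./deploy_nixos` bullet: "hte new wireguard conf" should read "the new wireguard conf". The ordering between the two sections is also left implicit: `./deploy_wg` prints the node's WireGuard public key, and that key is what the "Add your wireguard configuration to `cluster/prod/cluster.nix`" bullet needs, so say explicitly that the `Public key:` output of `deploy_wg` is copied into `cluster.nix` before `./deploy_nixos` is run on every node; "(you will have to edit your NAT config manually)" would likewise benefit from one sentence on which file or setting is meant.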


@ -7,8 +7,4 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
cmd 'mkdir -p /var/lib/deuxfleurs/wireguard-keys'
cmd 'test -f /var/lib/deuxfleurs/wireguard-keys/private || (wg genkey > /var/lib/deuxfleurs/wireguard-keys/private; chmod 600 /var/lib/deuxfleurs/wireguard-keys/private)'
cmd 'echo "Public key: $(wg pubkey < /var/lib/deuxfleurs/wireguard-keys/private)"'
cmd nixos-rebuild switch --show-trace cmd nixos-rebuild switch --show-trace
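Review bot: with the `wg genkey` lines moved out, `deploy_nixos` now silently assumes `/var/lib/deuxfleurs/wireguard-keys/private` already exists on the node; add a guard before `cmd nixos-rebuild switch --show-trace`, e.g. `cmd 'test -f /var/lib/deuxfleurs/wireguard-keys/private'`, so a node where `./deploy_wg` was skipped fails early with a clear error instead of being switched to a configuration whose WireGuard key is missing.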

deploy_wg Executable file

@ -0,0 +1,6 @@
#!/usr/bin/env ./sshtool
cmd 'nix-env -i wireguard'
cmd 'mkdir -p /var/lib/deuxfleurs/wireguard-keys'
cmd 'test -f /var/lib/deuxfleurs/wireguard-keys/private || (wg genkey > /var/lib/deuxfleurs/wireguard-keys/private; chmod 600 /var/lib/deuxfleurs/wireguard-keys/private)'
cmd 'echo "Public key: $(wg pubkey < /var/lib/deuxfleurs/wireguard-keys/private)"'
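Review bot: the private key is written before its mode is tightened: `wg genkey > .../private; chmod 600 .../private` creates the file under the root shell's default umask and only then restricts it, so generate it under a restrictive umask instead, e.g. `cmd '(umask 077; test -f /var/lib/deuxfleurs/wireguard-keys/private || wg genkey > /var/lib/deuxfleurs/wireguard-keys/private)'`, which also makes the separate `chmod` unnecessary. Separately, `nix-env -i wireguard` installs the tool imperatively into a profile rather than through the NixOS configuration that `deploy_nixos` switches to, so its presence is not tracked by `cluster.nix`; consider documenting that or declaring the package in the node configuration.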