forked from Deuxfleurs/nixcfg
Update README
parent
9a8cbf9121
commit
d442b9a068
3 changed files with 17 additions and 6 deletions
13
README.md
@ -18,6 +18,7 @@ Basically:
- All existing administrators pull their key and sign it
- All existing administrators pull their key and sign it
- An existing administrator reencrypt the keystore with this new key and push it
- An existing administrator reencrypt the keystore with this new key and push it
- The new administrator clone the repo and check that they can decrypt the secrets
- The new administrator clone the repo and check that they can decrypt the secrets
- Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
## How to create files for a new zone
## How to create files for a new zone
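Review bot: the new onboarding step tells the reader to run `./passwd prod rick` but not what the chosen password is for or where it ends up; the fresh-node steps added further down in this README list `./deploy_password prod datura` as the way user passwords reach a node, so it would help to say here that the password chosen with `./passwd` is what `deploy_password` later pushes, and to state whether `./passwd` prompts for the password interactively (so the secret never lands in shell history or `ps` output) rather than taking it as an argument.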
@ -26,11 +27,19 @@ Basically:
Basically:
Basically:
- Create your `site` file in `cluster/prod/site/` folder
- Create your `site` file in `cluster/prod/site/` folder
- Create your `node` files in `cluster/prod/node/` folder
- Create your `node` files in `cluster/prod/node/` folder
- Add your wireguard configuration to `cluster/prod/cluster.nix`
- Add your wireguard configuration to `cluster/prod/cluster.nix` (you will have to edit your NAT config manually)
## How to deploy a Nix configuration on a fresh node
## How to deploy a Nix configuration on a fresh node
*To be written*
We suppose that the node name is `datura`.
Start by doing the deployment one node at a time, you will have plenty of time
in your operator's life to break everything through automation.
Run:
- `./deploy_wg prod datura` - to generate wireguard's keys
- `./deploy_nixos prod datura` - to deploy the nix configuration files (need to be redeployed on all nodes as hte new wireguard conf is needed everywhere)
- `./deploy_password prod datura` - to deploy user's passwords
- `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
## How to operate a node
## How to operate a node
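Review bot: the fresh-node procedure never says what to do with the `Public key:` line that `./deploy_wg prod datura` prints; the "Add your wireguard configuration to `cluster/prod/cluster.nix`" step above is where that key has to go, so the list should state that the printed public key must be copied into `cluster/prod/cluster.nix` before `./deploy_nixos prod datura` is run, which is also the reason the nix configuration then has to be redeployed on every node. Also fix the typo in that bullet: `hte new wireguard conf` should read `the new wireguard conf`.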
@ -7,8 +7,4 @@ copy cluster/$CLUSTER/cluster.nix /etc/nixos/cluster.nix
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
copy cluster/$CLUSTER/node/$NIXHOST.nix /etc/nixos/node.nix
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
cmd 'mkdir -p /var/lib/deuxfleurs/wireguard-keys'
cmd 'test -f /var/lib/deuxfleurs/wireguard-keys/private || (wg genkey > /var/lib/deuxfleurs/wireguard-keys/private; chmod 600 /var/lib/deuxfleurs/wireguard-keys/private)'
cmd 'echo "Public key: $(wg pubkey < /var/lib/deuxfleurs/wireguard-keys/private)"'
cmd nixos-rebuild switch --show-trace
cmd nixos-rebuild switch --show-trace
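Review bot: with the `mkdir -p` and `wg genkey` lines removed from this script, nothing in `deploy_nixos` checks that `/var/lib/deuxfleurs/wireguard-keys/private` exists before `cmd nixos-rebuild switch --show-trace`, so on a node where `./deploy_wg` has not been run yet the rebuild proceeds without the key and the mistake only surfaces later; consider adding a guard before the `copy` lines, e.g. `cmd 'test -f /var/lib/deuxfleurs/wireguard-keys/private || { echo "run deploy_wg first" >&2; exit 1; }'`, so the script fails early with a clear message.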
6
deploy_wg
Executable file
@ -0,0 +1,6 @@
#!/usr/bin/env ./sshtool
cmd 'nix-env -i wireguard'
cmd 'mkdir -p /var/lib/deuxfleurs/wireguard-keys'
cmd 'test -f /var/lib/deuxfleurs/wireguard-keys/private || (wg genkey > /var/lib/deuxfleurs/wireguard-keys/private; chmod 600 /var/lib/deuxfleurs/wireguard-keys/private)'
cmd 'echo "Public key: $(wg pubkey < /var/lib/deuxfleurs/wireguard-keys/private)"'
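Review bot: `wg genkey > /var/lib/deuxfleurs/wireguard-keys/private; chmod 600 ...` creates the key file under the node's default umask and only then tightens its mode, so there is a window in which the private key can be readable by other local users; write it with a restrictive umask from the start, e.g. `(umask 077; wg genkey > /var/lib/deuxfleurs/wireguard-keys/private)`, which also makes the separate `chmod 600` unnecessary. The `test -f ... ||` guard is the right call: re-running the script keeps the existing key instead of silently replacing it and invalidating the public key peers already have in `cluster.nix`.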