forked from Deuxfleurs/nixcfg
reorganize documentation
This commit is contained in:
parent
912753c7ad
commit
3e5e2d60cd
4 changed files with 85 additions and 67 deletions
75
README.md
75
README.md
|
@ -8,77 +8,18 @@ It sets up the following:
|
|||
- Consul, with TLS
|
||||
- Nomad, with TLS
|
||||
|
||||
## How to use this?
|
||||
|
||||
## How to welcome a new administrator
|
||||
See the following documentation topics:
|
||||
|
||||
See: https://guide.deuxfleurs.fr/operations/acces/pass/
|
||||
- [Quick start for adding new nodes after NixOS install](doc/quick-start.md)
|
||||
- [Architecture of this repo, how the scripts work](doc/architecture.md)
|
||||
- [List of TCP and UDP ports used by services](doc/ports)
|
||||
|
||||
Basically:
|
||||
- The new administrator generates a GPG key and publishes it on Gitea
|
||||
- All existing administrators pull their key and sign it
|
||||
- An existing administrator reencrypt the keystore with this new key and push it
|
||||
- The new administrator clone the repo and check that they can decrypt the secrets
|
||||
- Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
|
||||
Additionnal documentation topics:
|
||||
|
||||
|
||||
## How to create files for a new zone
|
||||
|
||||
*The documentation is written for the production cluster, the same apply for other clusters.*
|
||||
|
||||
Basically:
|
||||
- Create your `site` file in `cluster/prod/site/` folder
|
||||
- Create your `node` files in `cluster/prod/node/` folder
|
||||
- Add your wireguard configuration to `cluster/prod/cluster.nix`
|
||||
- You will have to edit your NAT config manually
|
||||
- To get your node's wg public key, you must run `./deploy_prod prod <node>`, see the next section for more information
|
||||
- Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
|
||||
- If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
|
||||
- Add `User root` for the first time as your user will not be declared yet on the system
|
||||
|
||||
## How to deploy a Nix configuration on a fresh node
|
||||
|
||||
We suppose that the node name is `datura`.
|
||||
Start by doing the deployment one node at a time, you will have plenty of time
|
||||
in your operator's life to break everything through automation.
|
||||
|
||||
Run:
|
||||
- `./deploy_wg prod datura` - to generate wireguard's keys
|
||||
- `./deploy_nixos prod datura` - to deploy the nix configuration files
|
||||
- need to be redeployed on all nodes as the new wireguard conf is needed everywhere
|
||||
- `./deploy_password prod datura` - to deploy user's passwords
|
||||
- need to be redeployed on all nodes to setup the password on all nodes
|
||||
- `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
|
||||
|
||||
## How to operate a node
|
||||
|
||||
Edit your `~/.ssh/config` file:
|
||||
|
||||
```
|
||||
Host dahlia
|
||||
HostName dahlia.machine.deuxfleurs.fr
|
||||
LocalForward 14646 127.0.0.1:4646
|
||||
LocalForward 8501 127.0.0.1:8501
|
||||
LocalForward 1389 bottin.service.prod.consul:389
|
||||
LocalForward 5432 psql-proxy.service.prod.consul:5432
|
||||
```
|
||||
|
||||
Then run the TLS proxy and leave it running:
|
||||
|
||||
```
|
||||
./tlsproxy prod
|
||||
```
|
||||
|
||||
SSH to a production machine (e.g. dahlia) and leave it running:
|
||||
|
||||
```
|
||||
ssh dahlia
|
||||
```
|
||||
|
||||
|
||||
Finally you should see be able to access the production Nomad and Consul by browsing:
|
||||
|
||||
- Consul: http://localhost:8500
|
||||
- Nomad: http://localhost:4646
|
||||
- [Succint guide for NixOS installation with LUKX full disk encryption](doc/nixos-install.md) (we don't do that in practice on our servers)
|
||||
- [Example `hardware-config.nix` for a full disk encryption scenario](doc/example-hardware-configuration.nix)
|
||||
|
||||
|
||||
## Why not Ansible?
|
||||
|
|
|
@ -120,6 +120,10 @@ Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.
|
|||
|
||||
## Deploy from this repo
|
||||
|
||||
See [this documentation](quick-start.md).
|
||||
|
||||
## Old guide
|
||||
|
||||
It's time!
|
||||
|
||||
**Files in this repo to create/change:**
|
73
doc/quick-start.md
Normal file
73
doc/quick-start.md
Normal file
|
@ -0,0 +1,73 @@
|
|||
# Quick start
|
||||
|
||||
## How to welcome a new administrator
|
||||
|
||||
See: https://guide.deuxfleurs.fr/operations/acces/pass/
|
||||
|
||||
Basically:
|
||||
- The new administrator generates a GPG key and publishes it on Gitea
|
||||
- All existing administrators pull their key and sign it
|
||||
- An existing administrator reencrypt the keystore with this new key and push it
|
||||
- The new administrator clone the repo and check that they can decrypt the secrets
|
||||
- Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
|
||||
|
||||
|
||||
## How to create files for a new zone
|
||||
|
||||
*The documentation is written for the production cluster, the same apply for other clusters.*
|
||||
|
||||
Basically:
|
||||
- Create your `site` file in `cluster/prod/site/` folder
|
||||
- Create your `node` files in `cluster/prod/node/` folder
|
||||
- Add your wireguard configuration to `cluster/prod/cluster.nix`
|
||||
- You will have to edit your NAT config manually to bind one public IPv4 port to each node
|
||||
- Nodes' public wireguard keys are generated during the first run of `deploy_nixos`, see below
|
||||
- Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
|
||||
- If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
|
||||
- Add `User root` for the first time as your user will not be declared yet on the system
|
||||
|
||||
## How to deploy a Nix configuration on a fresh node
|
||||
|
||||
We suppose that the node name is `datura`.
|
||||
Start by doing the deployment one node at a time, you will have plenty of time
|
||||
in your operator's life to break everything through automation.
|
||||
|
||||
Run:
|
||||
- `./deploy_nixos prod datura` - to deploy the nix configuration file;
|
||||
- a new wireguard key is printed if it hadn't been generated before, it has to be
|
||||
added to `cluster.nix`, and then redeployed on all nodes as the new wireguard conf is needed everywhere
|
||||
- `./deploy_passwords prod datura` - to deploy user's passwords
|
||||
- if a user changes their password (using `./passwd`), needs to be redeployed on all nodes to setup the password on all nodes
|
||||
- `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
|
||||
|
||||
## How to operate a node
|
||||
|
||||
Edit your `~/.ssh/config` file:
|
||||
|
||||
```
|
||||
Host dahlia
|
||||
HostName dahlia.machine.deuxfleurs.fr
|
||||
LocalForward 14646 127.0.0.1:4646
|
||||
LocalForward 8501 127.0.0.1:8501
|
||||
LocalForward 1389 bottin.service.prod.consul:389
|
||||
LocalForward 5432 psql-proxy.service.prod.consul:5432
|
||||
```
|
||||
|
||||
Then run the TLS proxy and leave it running:
|
||||
|
||||
```
|
||||
./tlsproxy prod
|
||||
```
|
||||
|
||||
SSH to a production machine (e.g. dahlia) and leave it running:
|
||||
|
||||
```
|
||||
ssh dahlia
|
||||
```
|
||||
|
||||
|
||||
Finally you should see be able to access the production Nomad and Consul by browsing:
|
||||
|
||||
- Consul: http://localhost:8500
|
||||
- Nomad: http://localhost:4646
|
||||
|
Loading…
Reference in a new issue