Nix system configuration for Deuxfleurs clusters
Find a file
2022-10-16 13:13:43 +02:00
cluster update readme.md 2022-10-16 11:04:46 +02:00
doc Update telemetry to ES 8.2.0 and simplify config a bit 2022-05-04 16:27:46 +02:00
experimental SSB experiment 2022-09-21 19:29:08 +02:00
nix Add docker 2022-10-16 13:13:43 +02:00
secretmgr Clone core module in staging and prod, move bad stuff to experimental 2022-08-24 15:48:18 +02:00
.gitignore Modularize and prepare to support multiple clusters 2022-02-09 12:09:49 +01:00
deploy_nixos Update README 2022-10-16 11:58:11 +02:00
deploy_passwords Add scripts to manage passwords 2022-04-20 15:41:54 +02:00
deploy_pki Reconfigure services to use correct tricot url, TLS fails 2022-08-24 17:31:08 +02:00
deploy_wg Update README 2022-10-16 11:58:11 +02:00
gen_pki Fix access to consul for non-server nodes 2022-08-24 16:58:50 +02:00
passwd Fix passwd script 2022-05-04 16:41:07 +02:00
README.md Improve deployment doc 2022-10-16 12:02:55 +02:00
README.more.md WIP doc 2022-10-16 11:14:50 +02:00
restic-summary Move cryptpad backup job to backup-daily.hcl 2022-09-26 13:02:38 +02:00
ssh_known_hosts IPv6 prefix at Neptune changed again 2022-10-09 17:07:47 +02:00
sshtool Don't make diplotaxis and doradille raft servers, fix sshtool 2022-08-24 14:29:56 +02:00
tlsproxy Add postgres + WIP plume + fix diplonat 2022-08-24 19:54:15 +02:00
upgrade_nixos Update to nixos 22.05 2022-07-27 11:18:23 +02:00

Deuxfleurs on NixOS!

This repository contains code to run Deuxfleur's infrastructure on NixOS.

It sets up the following:

  • A Wireguard mesh between all nodes
  • Consul, with TLS
  • Nomad, with TLS

How to welcome a new administrator

See: https://guide.deuxfleurs.fr/operations/acces/pass/

Basically:

  • The new administrator generates a GPG key and publishes it on Gitea
  • All existing administrators pull their key and sign it
  • An existing administrator reencrypt the keystore with this new key and push it
  • The new administrator clone the repo and check that they can decrypt the secrets
  • Finally, the new administrator must choose a password to operate over SSH with ./passwd prod rick where rick is the target username

How to create files for a new zone

The documentation is written for the production cluster, the same apply for other clusters.

Basically:

  • Create your site file in cluster/prod/site/ folder
  • Create your node files in cluster/prod/node/ folder
  • Add your wireguard configuration to cluster/prod/cluster.nix
    • You will have to edit your NAT config manually
    • To get your node's wg public key, you must run ./deploy_prod prod <node>, see the next section for more information

How to deploy a Nix configuration on a fresh node

We suppose that the node name is datura. Start by doing the deployment one node at a time, you will have plenty of time in your operator's life to break everything through automation.

Run:

  • ./deploy_wg prod datura - to generate wireguard's keys
  • ./deploy_nixos prod datura - to deploy the nix configuration files (need to be redeployed on all nodes as hte new wireguard conf is needed everywhere)
  • ./deploy_password prod datura - to deploy user's passwords
  • ./deploy_pki prod datura - to deploy Nomad's and Consul's PKI

How to operate a node

To be written

More

Please read README.more.md for more detailed information