Nix system configuration for Deuxfleurs clusters
Latest commit: 2022-01-27 14:51:09 +01:00

Files (path, last commit message, last commit date):

  app               Remove spoutnik for now, and update garage to 0.6.0-rc1                       2022-01-27 14:51:09 +01:00
  node              Cleanup                                                                       2021-12-26 13:23:01 +01:00
  secrets           Add systemd service to mount garage                                           2021-12-30 13:27:39 +01:00
  site              Change deletion time                                                          2022-01-18 12:38:16 +01:00
  .gitignore        Add systemd service to mount garage                                           2021-12-30 13:27:39 +01:00
  configuration.nix Drastically simplify firewall config                                          2022-01-19 13:30:18 +01:00
  deploy.sh         Add logging                                                                   2022-01-03 23:56:07 +01:00
  genpki.sh         Add cron job to clean up stuff; fix genpki                                    2022-01-03 23:47:55 +01:00
  README.md         Add readme and cleanup a bit                                                  2021-12-30 21:23:24 +01:00
  ssh_config        add correct ssh port to firewall                                              2021-11-18 16:13:28 +01:00
  ssh_known_hosts   fix IPs for nomad                                                             2021-11-18 16:06:17 +01:00
  tlsenv.sh         Add readme and cleanup a bit                                                  2021-12-30 21:23:24 +01:00
  tlsproxy.sh       Add readme and cleanup a bit                                                  2021-12-30 21:23:24 +01:00
  upgrade.sh        Increase security: sudo with password, no more docker group for users         2021-12-30 18:09:20 +01:00

Deuxfleurs on NixOS!

This repository contains the code to run Deuxfleurs' infrastructure on NixOS.

It sets up the following:

  • A Wireguard mesh between all nodes
  • Consul, with TLS
  • Nomad, with TLS

The following scripts are available here:

  • genpki.sh, a script to generate Consul and Nomad's TLS PKI (run this once only)
  • deploy.sh, the main script that updates the NixOS config and sets up all of the TLS secrets
  • upgrade.sh, a script to upgrade NixOS
  • tlsproxy.sh, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
  • tlsenv.sh, a script to be sourced (source tlsenv.sh) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
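As an added illustration of what a script like tlsenv.sh has to do (this is example code written for this page, not the repository's own tlsenv.sh), the function below exports the variables that the Consul and Nomad CLIs read to talk to a TLS-secured API with a client certificate, and refuses to configure anything when a PKI file is missing, so that a later CLI call cannot quietly fall back to an unauthenticated endpoint. The PKI directory, the file names inside it and the use of the default HTTPS ports (8501 for Consul, 4646 for Nomad) on the local node are assumptions, not values taken from this repository.

```shell
#!/bin/sh
# Added example, not the repository's tlsenv.sh: export the variables the Consul and
# Nomad CLIs read to reach a TLS-secured API with a client certificate.
# Assumptions (placeholders): the PKI directory layout and file names below, and the
# default HTTPS ports (Consul 8501, Nomad 4646) on the local node.

tls_env() {
  pki_dir="${1:-/etc/deuxfleurs/pki}"        # hypothetical location of the generated PKI
  consul_addr="${2:-https://localhost:8501}"
  nomad_addr="${3:-https://localhost:4646}"

  # Refuse to configure anything if a required file is missing, so a later CLI
  # call cannot silently run against an unauthenticated or plaintext endpoint.
  for f in ca.crt consul-client.crt consul-client.key nomad-client.crt nomad-client.key; do
    if [ ! -r "$pki_dir/$f" ]; then
      echo "tls_env: missing or unreadable $pki_dir/$f" >&2
      return 1
    fi
  done

  # Private keys should not be readable by other users on the node; warn if they are.
  for k in consul-client.key nomad-client.key; do
    if [ -n "$(find "$pki_dir/$k" -perm -004 2>/dev/null)" ]; then
      echo "tls_env: warning: $pki_dir/$k is world-readable" >&2
    fi
  done

  # Consul CLI: HTTPS endpoint, CA to verify the server, client cert/key for mTLS.
  export CONSUL_HTTP_ADDR="$consul_addr"
  export CONSUL_CACERT="$pki_dir/ca.crt"
  export CONSUL_CLIENT_CERT="$pki_dir/consul-client.crt"
  export CONSUL_CLIENT_KEY="$pki_dir/consul-client.key"

  # Nomad CLI: same shape, different variable names.
  export NOMAD_ADDR="$nomad_addr"
  export NOMAD_CACERT="$pki_dir/ca.crt"
  export NOMAD_CLIENT_CERT="$pki_dir/nomad-client.crt"
  export NOMAD_CLIENT_KEY="$pki_dir/nomad-client.key"
  return 0
}
```

Because the variables must land in the calling shell, a file holding this function is meant to be sourced (`. ./tls_env.sh`) and then called as `tls_env /path/to/pki`; running it as a separate process would export the variables into a subshell that exits immediately.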

Stuff should be started in this order:

  • app/core
  • app/frontend
  • app/garage-staging

Once these are running, a systemd service called mountgarage can mount Garage buckets in /mnt/garage-staging. The following services depend on that mount and can be launched afterwards:

  • app/im