aboutsummaryrefslogblamecommitdiff
path: root/README.md
blob: 4975527b87b803c55deffcdb96f33a856ab029a5 (plain) (tree)
1
2
3
4
5
6
7
8
9
10









                                                                         
 
                                     
 
                                                       
 




                                                                                    
                                                                                                                                           
 
 
                                     
 
                                                                                             
 


                                                           


                                                                                                                           

                                                                                            
 
                                                    
 





                                                                              

                                                                                      
                                                                
                                                                          
                                                                   
 
                        
 
               
 
       
 
                                                        
# Deuxfleurs on NixOS!

This repository contains code to run Deuxfleur's infrastructure on NixOS.

It sets up the following:

- A Wireguard mesh between all nodes
- Consul, with TLS
- Nomad, with TLS


## How to welcome a new administrator

See: https://guide.deuxfleurs.fr/operations/acces/pass/

Basically:
  - The new administrator generates a GPG key and publishes it on Gitea
  - All existing administrators pull their key and sign it
  - An existing administrator reencrypt the keystore with this new key and push it
  - The new administrator clone the repo and check that they can decrypt the secrets
  - Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username


## How to create files for a new zone

*The documentation is written for the production cluster, the same apply for other clusters.*

Basically:
  - Create your `site` file in `cluster/prod/site/` folder
  - Create your `node` files in `cluster/prod/node/` folder
  - Add your wireguard configuration to `cluster/prod/cluster.nix`
    - You will have to edit your NAT config manually
    - To get your node's wg public key, you must run `./deploy_prod prod <node>`, see the next section for more information
  - Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
    - If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`

## How to deploy a Nix configuration on a fresh node

We suppose that the node name is `datura`. 
Start by doing the deployment one node at a time, you will have plenty of time
in your operator's life to break everything through automation.

Run:
  - `./deploy_wg prod datura` - to generate wireguard's keys
  - `./deploy_nixos prod datura` - to deploy the nix configuration files
   - need to be redeployed on all nodes as the new wireguard conf is needed everywhere
  - `./deploy_password prod datura` - to deploy user's passwords
   - need to be redeployed on all nodes to setup the password on all nodes
  - `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI

## How to operate a node

*To be written*

## More

Please read README.more.md for more detailed information