diff options
| author | Alex Auvolat <alex@adnab.me> | 2022-12-22 23:33:10 +0100 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2022-12-22 23:33:10 +0100 |
| commit | 3e5e2d60cdac107cc996e0efe936ced8fd25c61d (patch) | |
| tree | 5bab6f71b8a800d1e7e9b018c3edab12f3aa54ef /README.md | |
| parent | 912753c7ad7a50ec3310f62e2ae415649aa96c9c (diff) | |
| download | nixcfg-3e5e2d60cdac107cc996e0efe936ced8fd25c61d.tar.gz nixcfg-3e5e2d60cdac107cc996e0efe936ced8fd25c61d.zip | |
reorganize documentation
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 75 |
1 files changed, 8 insertions, 67 deletions
@@ -8,77 +8,18 @@ It sets up the following: - Consul, with TLS - Nomad, with TLS +## How to use this? -## How to welcome a new administrator +See the following documentation topics: -See: https://guide.deuxfleurs.fr/operations/acces/pass/ +- [Quick start for adding new nodes after NixOS install](doc/quick-start.md) +- [Architecture of this repo, how the scripts work](doc/architecture.md) +- [List of TCP and UDP ports used by services](doc/ports) -Basically: - - The new administrator generates a GPG key and publishes it on Gitea - - All existing administrators pull their key and sign it - - An existing administrator reencrypt the keystore with this new key and push it - - The new administrator clone the repo and check that they can decrypt the secrets - - Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username +Additionnal documentation topics: - -## How to create files for a new zone - -*The documentation is written for the production cluster, the same apply for other clusters.* - -Basically: - - Create your `site` file in `cluster/prod/site/` folder - - Create your `node` files in `cluster/prod/node/` folder - - Add your wireguard configuration to `cluster/prod/cluster.nix` - - You will have to edit your NAT config manually - - To get your node's wg public key, you must run `./deploy_prod prod <node>`, see the next section for more information - - Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts. - - If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config` - - Add `User root` for the first time as your user will not be declared yet on the system - -## How to deploy a Nix configuration on a fresh node - -We suppose that the node name is `datura`. -Start by doing the deployment one node at a time, you will have plenty of time -in your operator's life to break everything through automation. - -Run: - - `./deploy_wg prod datura` - to generate wireguard's keys - - `./deploy_nixos prod datura` - to deploy the nix configuration files - - need to be redeployed on all nodes as the new wireguard conf is needed everywhere - - `./deploy_password prod datura` - to deploy user's passwords - - need to be redeployed on all nodes to setup the password on all nodes - - `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI - -## How to operate a node - -Edit your `~/.ssh/config` file: - -``` -Host dahlia - HostName dahlia.machine.deuxfleurs.fr - LocalForward 14646 127.0.0.1:4646 - LocalForward 8501 127.0.0.1:8501 - LocalForward 1389 bottin.service.prod.consul:389 - LocalForward 5432 psql-proxy.service.prod.consul:5432 -``` - -Then run the TLS proxy and leave it running: - -``` -./tlsproxy prod -``` - -SSH to a production machine (e.g. dahlia) and leave it running: - -``` -ssh dahlia -``` - - -Finally you should see be able to access the production Nomad and Consul by browsing: - - - Consul: http://localhost:8500 - - Nomad: http://localhost:4646 +- [Succint guide for NixOS installation with LUKX full disk encryption](doc/nixos-install.md) (we don't do that in practice on our servers) +- [Example `hardware-config.nix` for a full disk encryption scenario](doc/example-hardware-configuration.nix) ## Why not Ansible? |