aboutsummaryrefslogtreecommitdiff
path: root/doc/architecture.md
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2022-12-22 23:44:00 +0100
committerAlex Auvolat <alex@adnab.me>2022-12-22 23:44:00 +0100
commit0e1574a82b7067910d5403cfd46e94bcf929327a (patch)
tree96b2962ce6a8461b10db0c7ea6aea4f03ceaf909 /doc/architecture.md
parent3e5e2d60cdac107cc996e0efe936ced8fd25c61d (diff)
downloadnixcfg-0e1574a82b7067910d5403cfd46e94bcf929327a.tar.gz
nixcfg-0e1574a82b7067910d5403cfd46e94bcf929327a.zip
More doc reorganization
Diffstat (limited to 'doc/architecture.md')
-rw-r--r--doc/architecture.md19
1 files changed, 10 insertions, 9 deletions
diff --git a/doc/architecture.md b/doc/architecture.md
index 8a9579f..ee83dca 100644
--- a/doc/architecture.md
+++ b/doc/architecture.md
@@ -1,4 +1,4 @@
-# Additional README
+# Overall architecture
## Configuring the OS
@@ -15,6 +15,7 @@ All deployment scripts can use the following parameters passed as environment va
- `SUDO_PASS`: optionnally, the password for `sudo` on cluster nodes. If not set, it will be asked at the begninning.
- `SSH_USER`: optionnally, the user to try to login using SSH. If not set, the username from your local machine will be used.
+
### Assumptions (how to setup your environment)
- you have an SSH access to all of your cluster nodes (listed in `cluster/<cluster_name>/ssh_config`)
@@ -25,6 +26,7 @@ All deployment scripts can use the following parameters passed as environment va
- you have a clone of the secrets repository in your `pass` password store, for instance at `~/.password-store/deuxfleurs`
(scripts in this repo will read and write all secrets in `pass` under `deuxfleurs/cluster/<cluster_name>/`)
+
### Deploying the NixOS configuration
The NixOS configuration makes use of a certain number of files:
@@ -48,12 +50,9 @@ or to deploy only on a single node:
To upgrade NixOS, use the `./upgrade_nixos` script instead (it has the same syntax).
-**When adding a node to the cluster:** just do `./deploy_nixos <cluster_name> <name_of_new_node>`
### Generating and deploying a PKI for Consul and Nomad
-This is very similar to how we do for Wesher.
-
First, if the PKI has not yet been created, create it with:
```
@@ -66,7 +65,8 @@ Then, deploy the PKI on all nodes with:
./deploy_pki <cluster_name>
```
-**When adding a node to the cluster:** just do `./deploy_pki <cluster_name> <name_of_new_node>`
+Note that certificates are valid for not much more than one year: every year in January, `gen_pki` and `deploy_pki` have to be re-run to generate certificates for the new year.
+
### Adding administrators and password management
@@ -89,6 +89,7 @@ Then, an administrator that already has root access must run the following (afte
./deploy_passwords <cluster_name>
```
+
## Deploying stuff on Nomad
### Connecting to Nomad
@@ -118,12 +119,12 @@ Stuff should be started in this order:
1. `app/core`
2. `app/frontend`
3. `app/telemetry`
-4. `app/garage-staging`
+4. `app/garage`
5. `app/directory`
-Then, other stuff can be started in any order:
+Then, other stuff can be started in any order, e.g.:
-- `app/im` (cluster `staging` only)
-- `app/cryptpad` (cluster `prod` only)
+- `app/im`
+- `app/cryptpad`
- `app/drone-ci`