author:    Alex Auvolat <alex@adnab.me>  2022-12-24 22:59:37 +0100
committer: Alex Auvolat <alex@adnab.me>  2022-12-24 22:59:37 +0100
commit:    8d17a07c9be5cd9d400644c34ea50177535d15f6 (patch)
tree:      cac734f62d4c04c898d4e70d1e2ba65f933317ca /experimental
parent:    4b527c4db8060679d21e5bb596bde91ce39df393 (diff)
download:  nixcfg-8d17a07c9be5cd9d400644c34ea50177535d15f6.tar.gz
           nixcfg-8d17a07c9be5cd9d400644c34ea50177535d15f6.zip
reorganize some things
Diffstat (limited to 'experimental')
-rw-r--r--  experimental/app/csi-s3/deploy/csi-s3.hcl  (renamed from experimental/bad.csi-s3/deploy/csi-s3.hcl)  0
-rw-r--r--  experimental/app/csi-s3/deploy/dummy-volume.hcl  (renamed from experimental/bad.csi-s3/deploy/dummy-volume.hcl)  0
-rw-r--r--  experimental/app/nextcloud/config/litestream.yml  (renamed from experimental/bad.nextcloud/config/litestream.yml)  0
-rw-r--r--  experimental/app/nextcloud/deploy/nextcloud.hcl  (renamed from experimental/bad.nextcloud/deploy/nextcloud.hcl)  0
-rw-r--r--  experimental/app/nextcloud/secrets/nextcloud/admin_pass  (renamed from experimental/bad.nextcloud/secrets/nextcloud/admin_pass)  0
-rw-r--r--  experimental/app/nextcloud/secrets/nextcloud/admin_user  (renamed from experimental/bad.nextcloud/secrets/nextcloud/admin_user)  0
-rw-r--r--  experimental/app/nextcloud/secrets/nextcloud/s3_access_key  (renamed from experimental/bad.nextcloud/secrets/nextcloud/s3_access_key)  0
-rw-r--r--  experimental/app/nextcloud/secrets/nextcloud/s3_secret_key  (renamed from experimental/bad.nextcloud/secrets/nextcloud/s3_secret_key)  0
-rw-r--r--  experimental/app/ssb/deploy/go-ssb-room.hcl  (renamed from experimental/bad.ssb/deploy/go-ssb-room.hcl)  0
-rw-r--r--  experimental/app/ssb/deploy/ssb-room.hcl  (renamed from experimental/bad.ssb/deploy/ssb-room.hcl)  0
-rw-r--r--  experimental/app/telemetry-elastic/config/apm-config.yaml  (renamed from experimental/bad.telemetry-elastic/config/apm-config.yaml)  0
-rw-r--r--  experimental/app/telemetry-elastic/config/filebeat.yml  (renamed from experimental/bad.telemetry-elastic/config/filebeat.yml)  0
-rw-r--r--  experimental/app/telemetry-elastic/config/grafana-litestream.yml  (renamed from experimental/bad.telemetry-elastic/config/grafana-litestream.yml)  0
-rw-r--r--  experimental/app/telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml  (renamed from experimental/bad.telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml)  0
-rw-r--r--  experimental/app/telemetry-elastic/config/otel-config.yaml  (renamed from experimental/bad.telemetry-elastic/config/otel-config.yaml)  0
-rw-r--r--  experimental/app/telemetry-elastic/deploy/telemetry-system.hcl  (renamed from experimental/bad.telemetry-elastic/deploy/telemetry-system.hcl)  0
-rw-r--r--  experimental/app/telemetry-elastic/deploy/telemetry.hcl  (renamed from experimental/bad.telemetry-elastic/deploy/telemetry.hcl)  0
-rw-r--r--  experimental/app/yugabyte/deploy/yugabyte.hcl  (renamed from experimental/bad.yugabyte/deploy/yugabyte.hcl)  0
-rw-r--r--  experimental/luks-fde/example-hardware-configuration.nix  38
-rw-r--r--  experimental/luks-fde/nixos-install-luks.md  182
20 files changed, 220 insertions, 0 deletions
diff --git a/experimental/bad.csi-s3/deploy/csi-s3.hcl b/experimental/app/csi-s3/deploy/csi-s3.hcl
index 8e70c6a..8e70c6a 100644
--- a/experimental/bad.csi-s3/deploy/csi-s3.hcl
+++ b/experimental/app/csi-s3/deploy/csi-s3.hcl
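Review bot: dropping the `bad.` prefix (`experimental/bad.csi-s3` to `experimental/app/csi-s3`) removes the only marker that this deployment was known not to work, and the commit message "reorganize some things" does not say whether it now does; the same applies to the nextcloud, ssb, telemetry-elastic and yugabyte renames that follow. Suggest a short README or a comment in `experimental/app/` recording that these job files are unverified, so the status is not lost with the directory name.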
diff --git a/experimental/bad.csi-s3/deploy/dummy-volume.hcl b/experimental/app/csi-s3/deploy/dummy-volume.hcl
index 67dfd39..67dfd39 100644
--- a/experimental/bad.csi-s3/deploy/dummy-volume.hcl
+++ b/experimental/app/csi-s3/deploy/dummy-volume.hcl
diff --git a/experimental/bad.nextcloud/config/litestream.yml b/experimental/app/nextcloud/config/litestream.yml
index 46eca93..46eca93 100644
--- a/experimental/bad.nextcloud/config/litestream.yml
+++ b/experimental/app/nextcloud/config/litestream.yml
diff --git a/experimental/bad.nextcloud/deploy/nextcloud.hcl b/experimental/app/nextcloud/deploy/nextcloud.hcl
index 45d1b6e..45d1b6e 100644
--- a/experimental/bad.nextcloud/deploy/nextcloud.hcl
+++ b/experimental/app/nextcloud/deploy/nextcloud.hcl
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/admin_pass b/experimental/app/nextcloud/secrets/nextcloud/admin_pass
index ffc9830..ffc9830 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/admin_pass
+++ b/experimental/app/nextcloud/secrets/nextcloud/admin_pass
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/admin_user b/experimental/app/nextcloud/secrets/nextcloud/admin_user
index 7ff2967..7ff2967 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/admin_user
+++ b/experimental/app/nextcloud/secrets/nextcloud/admin_user
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/s3_access_key b/experimental/app/nextcloud/secrets/nextcloud/s3_access_key
index 692dc34..692dc34 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/s3_access_key
+++ b/experimental/app/nextcloud/secrets/nextcloud/s3_access_key
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/s3_secret_key b/experimental/app/nextcloud/secrets/nextcloud/s3_secret_key
index 8bef13c..8bef13c 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/s3_secret_key
+++ b/experimental/app/nextcloud/secrets/nextcloud/s3_secret_key
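Review bot: the four `secrets/nextcloud/*` files (`admin_pass`, `admin_user`, `s3_access_key`, `s3_secret_key`) are moved but stay tracked in git with their blob contents unchanged (index ffc9830, 7ff2967, 692dc34, 8bef13c). Confirm that they are placeholders or ciphertext rather than live credentials; if any of them ever held a real Nextcloud admin password or S3 key, renaming does not remove it from history, so the credential should be rotated and the path kept out of the tree (for example via `.gitignore`) rather than carried along in the reorganisation.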
diff --git a/experimental/bad.ssb/deploy/go-ssb-room.hcl b/experimental/app/ssb/deploy/go-ssb-room.hcl
index c9c4109..c9c4109 100644
--- a/experimental/bad.ssb/deploy/go-ssb-room.hcl
+++ b/experimental/app/ssb/deploy/go-ssb-room.hcl
diff --git a/experimental/bad.ssb/deploy/ssb-room.hcl b/experimental/app/ssb/deploy/ssb-room.hcl
index 049b7dd..049b7dd 100644
--- a/experimental/bad.ssb/deploy/ssb-room.hcl
+++ b/experimental/app/ssb/deploy/ssb-room.hcl
diff --git a/experimental/bad.telemetry-elastic/config/apm-config.yaml b/experimental/app/telemetry-elastic/config/apm-config.yaml
index 07a88bd..07a88bd 100644
--- a/experimental/bad.telemetry-elastic/config/apm-config.yaml
+++ b/experimental/app/telemetry-elastic/config/apm-config.yaml
diff --git a/experimental/bad.telemetry-elastic/config/filebeat.yml b/experimental/app/telemetry-elastic/config/filebeat.yml
index 310afd1..310afd1 100644
--- a/experimental/bad.telemetry-elastic/config/filebeat.yml
+++ b/experimental/app/telemetry-elastic/config/filebeat.yml
diff --git a/experimental/bad.telemetry-elastic/config/grafana-litestream.yml b/experimental/app/telemetry-elastic/config/grafana-litestream.yml
index a537d9c..a537d9c 100644
--- a/experimental/bad.telemetry-elastic/config/grafana-litestream.yml
+++ b/experimental/app/telemetry-elastic/config/grafana-litestream.yml
diff --git a/experimental/bad.telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml b/experimental/app/telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml
index 7d2277c..7d2277c 100644
--- a/experimental/bad.telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml
+++ b/experimental/app/telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml
diff --git a/experimental/bad.telemetry-elastic/config/otel-config.yaml b/experimental/app/telemetry-elastic/config/otel-config.yaml
index bcf1baa..bcf1baa 100644
--- a/experimental/bad.telemetry-elastic/config/otel-config.yaml
+++ b/experimental/app/telemetry-elastic/config/otel-config.yaml
diff --git a/experimental/bad.telemetry-elastic/deploy/telemetry-system.hcl b/experimental/app/telemetry-elastic/deploy/telemetry-system.hcl
index 3e26c2e..3e26c2e 100644
--- a/experimental/bad.telemetry-elastic/deploy/telemetry-system.hcl
+++ b/experimental/app/telemetry-elastic/deploy/telemetry-system.hcl
diff --git a/experimental/bad.telemetry-elastic/deploy/telemetry.hcl b/experimental/app/telemetry-elastic/deploy/telemetry.hcl
index 21685a1..21685a1 100644
--- a/experimental/bad.telemetry-elastic/deploy/telemetry.hcl
+++ b/experimental/app/telemetry-elastic/deploy/telemetry.hcl
diff --git a/experimental/bad.yugabyte/deploy/yugabyte.hcl b/experimental/app/yugabyte/deploy/yugabyte.hcl
index e7efa7a..e7efa7a 100644
--- a/experimental/bad.yugabyte/deploy/yugabyte.hcl
+++ b/experimental/app/yugabyte/deploy/yugabyte.hcl
diff --git a/experimental/luks-fde/example-hardware-configuration.nix b/experimental/luks-fde/example-hardware-configuration.nix
new file mode 100644
index 0000000..0a72bd1
--- /dev/null
+++ b/experimental/luks-fde/example-hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ boot.initrd.luks.devices."cryptlvm" = {
+ device = "/dev/disk/by-uuid/5d4fcef7-433d-43a9-be26-be940ce291c0";
+ allowDiscards = true;
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/5bad79e1-fdbf-48f3-861f-6810adc76195";
+ fsType = "ext4";
+ options = [ "relatime" "discard" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/07E8-5958";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/a3e0bae8-8b07-4e66-a4a7-6955639f2155"; }
+ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+
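Review bot: `allowDiscards = true` on `boot.initrd.luks.devices."cryptlvm"` together with `options = [ "relatime" "discard" ]` on `/` passes TRIM through dm-crypt to the SSD, so anyone reading the raw disk can see which sectors are unused and therefore the approximate layout and fill level of the encrypted filesystem. That is the usual performance-versus-leakage trade-off for a laptop and is a defensible choice, but since this file is the example the guide tells readers to copy, a one-line comment should say it is deliberate. Two smaller points: the header still says "Do not modify this file!" even though the `luks.devices` block and the mount options are exactly what `nixos-install-luks.md` tells the reader to add by hand, and the UUIDs are those of one specific machine, so the file should say that all four (LUKS device, root, `/boot`, swap) must be replaced, not only the LUKS one that the guide mentions.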
diff --git a/experimental/luks-fde/nixos-install-luks.md b/experimental/luks-fde/nixos-install-luks.md
new file mode 100644
index 0000000..9e173f7
--- /dev/null
+++ b/experimental/luks-fde/nixos-install-luks.md
@@ -0,0 +1,182 @@
+## Preparation
+
+Download NixOS. Burn to USB.
+
+## Booting into install environment
+
+Boot the ISO on PC to install.
+
+Become root with `sudo su`
+
+```bash
+loadkeys fr
+setfont sun12x22
+```
+
+Do network config if necessary, see [install guide](https://nixos.org/manual/nixos/stable/index.html#sec-installation-booting-networking)
+
+## Make partitions
+
+```bash
+cgdisk /dev/sda
+```
+
+Recommended layout:
+
+```
+/dev/sda1 512M ef00 EFI System partition
+/dev/sda2 100% 8309 Linux LUKS
+```
+
+## Setup cryptography
+
+```bash
+cryptsetup luksFormat /dev/sda2
+cryptsetup open /dev/sda2 cryptlvm
+```
+
+## Create PV, VG and LVs
+
+```bash
+pvcreate /dev/mapper/cryptlvm
+vgcreate NixosVG /dev/mapper/cryptlvm
+lvcreate -L 8G NixosVG -n swap
+lvcreate -l 100%FREE NixosVG -n root
+```
+
+## Format partitions
+
+```bash
+mkfs.fat -F 32 -n boot /dev/sda1
+mkswap /dev/NixosVG/swap
+mkfs.ext4 /dev/NixosVG/root
+```
+
+## Mount partitions
+
+```bash
+swapon /dev/NixosVG/swap
+mount /dev/NixosVG/root /mnt
+mkdir /mnt/boot
+mount /dev/sda1 /mnt/boot
+```
+
+## Generate base NixOS configuration
+
+```bash
+nixos-generate-config --root /mnt
+```
+
+## Update `hardware-configuration.nix`
+
+This section is needed:
+
+```nix
+ boot.initrd.luks.devices."cryptlvm" = {
+ device = "/dev/disk/by-uuid/<uuid of sda2>";
+ allowDiscards = true;
+ };
+```
+
+And for the root filesystem, remember to add the `relatime` and `discard` options so that it looks like this:
+
+```nix
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/<...>";
+ fsType = "ext4";
+ options = [ "relatime" "discard" ];
+ };
+```
+
+## Update `configuration.nix`
+
+Just enough so that basic tasks can be done from keyboard and remotely:
+
+- timezone
+- keyboard layout
+- font `sun12x22`
+- vim
+- non-root user
+- ssh
+- tcp port 22 in firewall
+
+## Do the installation
+
+```bash
+nixos-install
+```
+
+## First boot
+
+Reboot machine. Login as `root`
+
+```bash
+passwd <nonroot user>
+```
+
+If necessary, assign static IP. E.g. `ip addr add 192.168.1.40/24 dev eno1` or sth (replace ip and device appropriately)
+
+Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.
+
+## Deploy from this repo
+
+See the documentation in `/doc` in this repo. The old procedure described here is partly obsolete.
+
+## Old guide
+
+It's time!
+
+**Files in this repo to create/change:**
+
+- create node `.nix` file and symlink for node `.site.nix` (create site and
+ cluster `.nix` files if necessary; use existing files of e.g. the staging
+ cluster as examples/templates)
+- make sure values are filled in correctly
+- add node to `ssh_config` with it's LAN IP, we don't have VPN at this stage
+
+**Configuration steps on the node:**
+
+```bash
+# On node being installed
+mkdir -p /var/lib/deuxfleurs/remote-unlock
+cd /var/lib/deuxfleurs/remote-unlock
+ssh-keygen -t ed25519 -N "" -f ./ssh_host_ed25519_key
+```
+
+**Try to deploy:**
+
+```bash
+# In nixcfg repository from your PC
+./deploy.sh <cluster> <nodename>
+```
+
+Reboot.
+
+Check remote unlocking works: `ssh -p 222 root@<ip>`
+
+### Configure wireguard
+
+```bash
+# On node being installed
+mkdir -p /var/lib/deuxfleurs/wireguard-keys
+cd /var/lib/deuxfleurs/wireguard-keys
+wg genkey | tee private | wg pubkey > public
+```
+
+Get the public key, make sure it is in `cluster.nix` so that nodes know one
+another. Also put it anywhere else like in your local wireguard config for
+instance so that you can access the node from your PC by its wireguard address
+and not only its LAN address.
+
+Redo a deploy (`./deploy.sh <cluster> <nodename>`)
+
+Check VPN works. Change IP in `ssh_config` to use VPN IP instead of LAN IP (required for deploy when away from home).
+
+### Commit changes to `nixcfg` repo
+
+This is a good point to commit your new/modified `.nix` files.
+
+### Configure Nomad and Consul TLS
+
+If you are bootstraping a new cluster, you need to `./genpki.sh <cluster>` to
+make a TLS PKI for the Nomad+Consul cluster to work. Then redo a deploy.
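Review bot: `wg genkey | tee private | wg pubkey > public` in the "Configure wireguard" section creates `private` under the shell's default umask, typically 0644, so the WireGuard private key ends up world-readable on the node; prefix the step with `umask 077` (the form the `wg` man page uses) or follow it with `chmod 600 private`. The `ssh-keygen ... -f ./ssh_host_ed25519_key` step does not have this problem since ssh-keygen writes the key 0600 itself, but if, as the `remote-unlock` path and the `ssh -p 222 root@<ip>` check suggest, this key is the initrd SSH host key, it is embedded in the initrd on the unencrypted `/dev/sda1` EFI partition mounted at `/boot`, so anyone with physical access can copy it and present a convincing unlock prompt; the guide should tell the reader to record the fingerprint after the first connection and never type the LUKS passphrase past a host-key warning. Two further gaps in the install steps: after "Remotely: `ssh-copy-id <user>@<ip>`" nothing disables SSH password authentication, so the machine stays open to password guessing on the port 22 that `configuration.nix` opens in the firewall; and `cryptsetup luksFormat /dev/sda2` is never followed by `cryptsetup luksHeaderBackup`, without which a damaged header makes the volume unrecoverable whatever the passphrase.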