aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md75
-rw-r--r--doc/architecture.md (renamed from README.more.md)0
-rw-r--r--doc/nixos-install-luks.md (renamed from doc/nixos-install.md)4
-rw-r--r--doc/quick-start.md73
4 files changed, 85 insertions, 67 deletions
diff --git a/README.md b/README.md
index 412ee46..9514084 100644
--- a/README.md
+++ b/README.md
@@ -8,77 +8,18 @@ It sets up the following:
- Consul, with TLS
- Nomad, with TLS
+## How to use this?
-## How to welcome a new administrator
+See the following documentation topics:
-See: https://guide.deuxfleurs.fr/operations/acces/pass/
+- [Quick start for adding new nodes after NixOS install](doc/quick-start.md)
+- [Architecture of this repo, how the scripts work](doc/architecture.md)
+- [List of TCP and UDP ports used by services](doc/ports)
-Basically:
- - The new administrator generates a GPG key and publishes it on Gitea
- - All existing administrators pull their key and sign it
- - An existing administrator reencrypt the keystore with this new key and push it
- - The new administrator clone the repo and check that they can decrypt the secrets
- - Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
+Additionnal documentation topics:
-
-## How to create files for a new zone
-
-*The documentation is written for the production cluster, the same apply for other clusters.*
-
-Basically:
- - Create your `site` file in `cluster/prod/site/` folder
- - Create your `node` files in `cluster/prod/node/` folder
- - Add your wireguard configuration to `cluster/prod/cluster.nix`
- - You will have to edit your NAT config manually
- - To get your node's wg public key, you must run `./deploy_prod prod <node>`, see the next section for more information
- - Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
- - If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
- - Add `User root` for the first time as your user will not be declared yet on the system
-
-## How to deploy a Nix configuration on a fresh node
-
-We suppose that the node name is `datura`.
-Start by doing the deployment one node at a time, you will have plenty of time
-in your operator's life to break everything through automation.
-
-Run:
- - `./deploy_wg prod datura` - to generate wireguard's keys
- - `./deploy_nixos prod datura` - to deploy the nix configuration files
- - need to be redeployed on all nodes as the new wireguard conf is needed everywhere
- - `./deploy_password prod datura` - to deploy user's passwords
- - need to be redeployed on all nodes to setup the password on all nodes
- - `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
-
-## How to operate a node
-
-Edit your `~/.ssh/config` file:
-
-```
-Host dahlia
- HostName dahlia.machine.deuxfleurs.fr
- LocalForward 14646 127.0.0.1:4646
- LocalForward 8501 127.0.0.1:8501
- LocalForward 1389 bottin.service.prod.consul:389
- LocalForward 5432 psql-proxy.service.prod.consul:5432
-```
-
-Then run the TLS proxy and leave it running:
-
-```
-./tlsproxy prod
-```
-
-SSH to a production machine (e.g. dahlia) and leave it running:
-
-```
-ssh dahlia
-```
-
-
-Finally you should see be able to access the production Nomad and Consul by browsing:
-
- - Consul: http://localhost:8500
- - Nomad: http://localhost:4646
+- [Succint guide for NixOS installation with LUKX full disk encryption](doc/nixos-install.md) (we don't do that in practice on our servers)
+- [Example `hardware-config.nix` for a full disk encryption scenario](doc/example-hardware-configuration.nix)
## Why not Ansible?
diff --git a/README.more.md b/doc/architecture.md
index 8a9579f..8a9579f 100644
--- a/README.more.md
+++ b/doc/architecture.md
diff --git a/doc/nixos-install.md b/doc/nixos-install-luks.md
index 7b3d137..3f0feca 100644
--- a/doc/nixos-install.md
+++ b/doc/nixos-install-luks.md
@@ -120,6 +120,10 @@ Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.
## Deploy from this repo
+See [this documentation](quick-start.md).
+
+## Old guide
+
It's time!
**Files in this repo to create/change:**
diff --git a/doc/quick-start.md b/doc/quick-start.md
new file mode 100644
index 0000000..1307fde
--- /dev/null
+++ b/doc/quick-start.md
@@ -0,0 +1,73 @@
+# Quick start
+
+## How to welcome a new administrator
+
+See: https://guide.deuxfleurs.fr/operations/acces/pass/
+
+Basically:
+ - The new administrator generates a GPG key and publishes it on Gitea
+ - All existing administrators pull their key and sign it
+ - An existing administrator reencrypt the keystore with this new key and push it
+ - The new administrator clone the repo and check that they can decrypt the secrets
+ - Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
+
+
+## How to create files for a new zone
+
+*The documentation is written for the production cluster, the same apply for other clusters.*
+
+Basically:
+ - Create your `site` file in `cluster/prod/site/` folder
+ - Create your `node` files in `cluster/prod/node/` folder
+ - Add your wireguard configuration to `cluster/prod/cluster.nix`
+ - You will have to edit your NAT config manually to bind one public IPv4 port to each node
+ - Nodes' public wireguard keys are generated during the first run of `deploy_nixos`, see below
+ - Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
+ - If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
+ - Add `User root` for the first time as your user will not be declared yet on the system
+
+## How to deploy a Nix configuration on a fresh node
+
+We suppose that the node name is `datura`.
+Start by doing the deployment one node at a time, you will have plenty of time
+in your operator's life to break everything through automation.
+
+Run:
+ - `./deploy_nixos prod datura` - to deploy the nix configuration file;
+ - a new wireguard key is printed if it hadn't been generated before, it has to be
+ added to `cluster.nix`, and then redeployed on all nodes as the new wireguard conf is needed everywhere
+ - `./deploy_passwords prod datura` - to deploy user's passwords
+ - if a user changes their password (using `./passwd`), needs to be redeployed on all nodes to setup the password on all nodes
+ - `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
+
+## How to operate a node
+
+Edit your `~/.ssh/config` file:
+
+```
+Host dahlia
+ HostName dahlia.machine.deuxfleurs.fr
+ LocalForward 14646 127.0.0.1:4646
+ LocalForward 8501 127.0.0.1:8501
+ LocalForward 1389 bottin.service.prod.consul:389
+ LocalForward 5432 psql-proxy.service.prod.consul:5432
+```
+
+Then run the TLS proxy and leave it running:
+
+```
+./tlsproxy prod
+```
+
+SSH to a production machine (e.g. dahlia) and leave it running:
+
+```
+ssh dahlia
+```
+
+
+Finally you should see be able to access the production Nomad and Consul by browsing:
+
+ - Consul: http://localhost:8500
+ - Nomad: http://localhost:4646
+