-rw-r--r--README.md38
l---------cluster/prod/app/secretmgr1
l---------cluster/prod/app/secretmgr.py1
l---------cluster/prod/app/shell.nix1
l---------cluster/staging/app/secretmgr1
l---------cluster/staging/app/secretmgr.py1
l---------cluster/staging/app/shell.nix1
-rw-r--r--experimental/app/csi-s3/deploy/csi-s3.hcl (renamed from experimental/bad.csi-s3/deploy/csi-s3.hcl)0
-rw-r--r--experimental/app/csi-s3/deploy/dummy-volume.hcl (renamed from experimental/bad.csi-s3/deploy/dummy-volume.hcl)0
-rw-r--r--experimental/app/nextcloud/config/litestream.yml (renamed from experimental/bad.nextcloud/config/litestream.yml)0
-rw-r--r--experimental/app/nextcloud/deploy/nextcloud.hcl (renamed from experimental/bad.nextcloud/deploy/nextcloud.hcl)0
-rw-r--r--experimental/app/nextcloud/secrets/nextcloud/admin_pass (renamed from experimental/bad.nextcloud/secrets/nextcloud/admin_pass)0
-rw-r--r--experimental/app/nextcloud/secrets/nextcloud/admin_user (renamed from experimental/bad.nextcloud/secrets/nextcloud/admin_user)0
-rw-r--r--experimental/app/nextcloud/secrets/nextcloud/s3_access_key (renamed from experimental/bad.nextcloud/secrets/nextcloud/s3_access_key)0
-rw-r--r--experimental/app/nextcloud/secrets/nextcloud/s3_secret_key (renamed from experimental/bad.nextcloud/secrets/nextcloud/s3_secret_key)0
-rw-r--r--experimental/app/ssb/deploy/go-ssb-room.hcl (renamed from experimental/bad.ssb/deploy/go-ssb-room.hcl)0
-rw-r--r--experimental/app/ssb/deploy/ssb-room.hcl (renamed from experimental/bad.ssb/deploy/ssb-room.hcl)0
-rw-r--r--experimental/app/telemetry-elastic/config/apm-config.yaml (renamed from experimental/bad.telemetry-elastic/config/apm-config.yaml)0
-rw-r--r--experimental/app/telemetry-elastic/config/filebeat.yml (renamed from experimental/bad.telemetry-elastic/config/filebeat.yml)0
-rw-r--r--experimental/app/telemetry-elastic/config/grafana-litestream.yml (renamed from experimental/bad.telemetry-elastic/config/grafana-litestream.yml)0
-rw-r--r--experimental/app/telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml (renamed from experimental/bad.telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml)0
-rw-r--r--experimental/app/telemetry-elastic/config/otel-config.yaml (renamed from experimental/bad.telemetry-elastic/config/otel-config.yaml)0
-rw-r--r--experimental/app/telemetry-elastic/deploy/telemetry-system.hcl (renamed from experimental/bad.telemetry-elastic/deploy/telemetry-system.hcl)0
-rw-r--r--experimental/app/telemetry-elastic/deploy/telemetry.hcl (renamed from experimental/bad.telemetry-elastic/deploy/telemetry.hcl)0
-rw-r--r--experimental/app/yugabyte/deploy/yugabyte.hcl (renamed from experimental/bad.yugabyte/deploy/yugabyte.hcl)0
-rw-r--r--experimental/luks-fde/example-hardware-configuration.nix (renamed from doc/example-hardware-configuration.nix)0
-rw-r--r--experimental/luks-fde/nixos-install-luks.md (renamed from doc/nixos-install-luks.md)10
-rwxr-xr-xsecretmgr/secretmgr (renamed from secretmgr/secretmgr.py)3
-rw-r--r--secretmgr/shell.nix15
-rwxr-xr-xsshtool5
30 files changed, 43 insertions, 34 deletions
diff --git a/README.md b/README.md
index c86a067..3527dbb 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,35 @@
This repository contains code to run Deuxfleur's infrastructure on NixOS.
-It sets up the following:
+## Our abstraction stack
-- A Wireguard mesh between all nodes
-- Consul, with TLS
-- Nomad, with TLS
+We try to build a generic abstraction stack between our different resources (CPU, RAM, disk, etc.) and our services (Chat, Storage, etc.), we develop our own tools when needed.
+
+Our first abstraction level is the NixOS level, which installs a bunch of standard components:
+
+ * **Wireguard:** provides encrypted communication between remote nodes
+ * **Nomad:** schedule containers and handle their lifecycle
+ * **Consul:** distributed key value store + lock + service discovery
+ * **Docker:** package, distribute and isolate applications
+
+Then, inside our Nomad+Consul orchestrator, we deploy a number of base services:
+
+ * **[Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/):** S3-compatible lightweight object store for self-hosted geo-distributed deployments (we also have a legacy glusterfs cluster)
+ * **[DiploNAT](https://git.deuxfleurs.fr/Deuxfleurs/diplonat):** network automation (firewalling, upnp igd)
+ * **[Bottin](https://git.deuxfleurs.fr/Deuxfleurs/bottin):** authentication and authorization (LDAP protocol, consul backend)
+ * **[Guichet](https://git.deuxfleurs.fr/Deuxfleurs/guichet):** a dashboard for our users and administrators
+ * **Stolon + PostgreSQL:** distributed relational database
+ * **Prometheus + Grafana:** monitoring
+
+Some services we provide based on this abstraction:
+
+ * **Websites:** Garage (static) + fediverse blog (Plume)
+ * **Chat:** Synapse + Element Web (Matrix protocol)
+ * **Email:** Postfix SMTP + Dovecot IMAP + opendkim DKIM + Sogo webmail | Alps webmail (experimental)
+ * **Visioconference:** Jitsi
+ * **Collaboration:** CryptPad
+
+As a generic abstraction is provided, deploying new services should be easy.
## How to use this?
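Review bot: the removed bullets `Consul, with TLS` and `Nomad, with TLS` stated a security property that the new `**Nomad:**` and `**Consul:**` bullets in this hunk drop; the requirement is still real (the unchanged `./genpki.sh <cluster>` step later in this patch exists to create that PKI), so keep it in the new descriptions, e.g. `* **Consul:** distributed key value store + lock + service discovery (TLS between nodes)`. In the new text, `[...] and our services (Chat, Storage, etc.), we develop our own tools when needed` is a comma splice and should start a new sentence, `Visioconference` should read `Videoconference`, and `upnp igd` should be `UPnP IGD`.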
@@ -16,11 +40,7 @@ See the following documentation topics:
- [How to add new nodes to a cluster (rapid overview)](doc/adding-nodes.md)
- [Architecture of this repo, how the scripts work](doc/architecture.md)
- [List of TCP and UDP ports used by services](doc/ports)
-
-Additionnal documentation topics:
-
-- [Succint guide for NixOS installation with LUKX full disk encryption](doc/nixos-install-luks.md) (we don't do that in practice on our servers)
-- [Example `hardware-config.nix` for a full disk encryption scenario](doc/example-hardware-configuration.nix)
- [Why not Ansible?](doc/why-not-ansible.md)
+
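Review bot: this hunk removes the two links to the LUKS full-disk-encryption guide and the example `hardware-configuration.nix`, but the same patch only moves those files to `experimental/luks-fde/`; rather than dropping them from the README, repoint the links and keep the caveat, e.g. `- [Succinct guide for NixOS installation with LUKS full disk encryption (experimental, not used on our servers)](experimental/luks-fde/nixos-install-luks.md)`. The trailing `+` line adds a blank line at end of file and can be dropped.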
diff --git a/cluster/prod/app/secretmgr b/cluster/prod/app/secretmgr
new file mode 120000
index 0000000..6aff4ad
--- /dev/null
+++ b/cluster/prod/app/secretmgr
@@ -0,0 +1 @@
+../../../secretmgr/secretmgr \ No newline at end of file
diff --git a/cluster/prod/app/secretmgr.py b/cluster/prod/app/secretmgr.py
deleted file mode 120000
index 107653c..0000000
--- a/cluster/prod/app/secretmgr.py
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/secretmgr.py \ No newline at end of file
diff --git a/cluster/prod/app/shell.nix b/cluster/prod/app/shell.nix
deleted file mode 120000
index b10effc..0000000
--- a/cluster/prod/app/shell.nix
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/shell.nix \ No newline at end of file
diff --git a/cluster/staging/app/secretmgr b/cluster/staging/app/secretmgr
new file mode 120000
index 0000000..6aff4ad
--- /dev/null
+++ b/cluster/staging/app/secretmgr
@@ -0,0 +1 @@
+../../../secretmgr/secretmgr \ No newline at end of file
diff --git a/cluster/staging/app/secretmgr.py b/cluster/staging/app/secretmgr.py
deleted file mode 120000
index 107653c..0000000
--- a/cluster/staging/app/secretmgr.py
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/secretmgr.py \ No newline at end of file
diff --git a/cluster/staging/app/shell.nix b/cluster/staging/app/shell.nix
deleted file mode 120000
index b10effc..0000000
--- a/cluster/staging/app/shell.nix
+++ /dev/null
@@ -1 +0,0 @@
-../../../secretmgr/shell.nix \ No newline at end of file
diff --git a/experimental/bad.csi-s3/deploy/csi-s3.hcl b/experimental/app/csi-s3/deploy/csi-s3.hcl
index 8e70c6a..8e70c6a 100644
--- a/experimental/bad.csi-s3/deploy/csi-s3.hcl
+++ b/experimental/app/csi-s3/deploy/csi-s3.hcl
diff --git a/experimental/bad.csi-s3/deploy/dummy-volume.hcl b/experimental/app/csi-s3/deploy/dummy-volume.hcl
index 67dfd39..67dfd39 100644
--- a/experimental/bad.csi-s3/deploy/dummy-volume.hcl
+++ b/experimental/app/csi-s3/deploy/dummy-volume.hcl
diff --git a/experimental/bad.nextcloud/config/litestream.yml b/experimental/app/nextcloud/config/litestream.yml
index 46eca93..46eca93 100644
--- a/experimental/bad.nextcloud/config/litestream.yml
+++ b/experimental/app/nextcloud/config/litestream.yml
diff --git a/experimental/bad.nextcloud/deploy/nextcloud.hcl b/experimental/app/nextcloud/deploy/nextcloud.hcl
index 45d1b6e..45d1b6e 100644
--- a/experimental/bad.nextcloud/deploy/nextcloud.hcl
+++ b/experimental/app/nextcloud/deploy/nextcloud.hcl
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/admin_pass b/experimental/app/nextcloud/secrets/nextcloud/admin_pass
index ffc9830..ffc9830 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/admin_pass
+++ b/experimental/app/nextcloud/secrets/nextcloud/admin_pass
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/admin_user b/experimental/app/nextcloud/secrets/nextcloud/admin_user
index 7ff2967..7ff2967 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/admin_user
+++ b/experimental/app/nextcloud/secrets/nextcloud/admin_user
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/s3_access_key b/experimental/app/nextcloud/secrets/nextcloud/s3_access_key
index 692dc34..692dc34 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/s3_access_key
+++ b/experimental/app/nextcloud/secrets/nextcloud/s3_access_key
diff --git a/experimental/bad.nextcloud/secrets/nextcloud/s3_secret_key b/experimental/app/nextcloud/secrets/nextcloud/s3_secret_key
index 8bef13c..8bef13c 100644
--- a/experimental/bad.nextcloud/secrets/nextcloud/s3_secret_key
+++ b/experimental/app/nextcloud/secrets/nextcloud/s3_secret_key
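Review bot: the files renamed here under `experimental/app/nextcloud/secrets/nextcloud/` are named `admin_pass`, `admin_user`, `s3_access_key` and `s3_secret_key` and are tracked in git with their contents unchanged (`index ffc9830..ffc9830` and so on). Confirm these are placeholder or template values rather than live credentials; if they are real, rotate them and keep only the template in the repository.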
diff --git a/experimental/bad.ssb/deploy/go-ssb-room.hcl b/experimental/app/ssb/deploy/go-ssb-room.hcl
index c9c4109..c9c4109 100644
--- a/experimental/bad.ssb/deploy/go-ssb-room.hcl
+++ b/experimental/app/ssb/deploy/go-ssb-room.hcl
diff --git a/experimental/bad.ssb/deploy/ssb-room.hcl b/experimental/app/ssb/deploy/ssb-room.hcl
index 049b7dd..049b7dd 100644
--- a/experimental/bad.ssb/deploy/ssb-room.hcl
+++ b/experimental/app/ssb/deploy/ssb-room.hcl
diff --git a/experimental/bad.telemetry-elastic/config/apm-config.yaml b/experimental/app/telemetry-elastic/config/apm-config.yaml
index 07a88bd..07a88bd 100644
--- a/experimental/bad.telemetry-elastic/config/apm-config.yaml
+++ b/experimental/app/telemetry-elastic/config/apm-config.yaml
diff --git a/experimental/bad.telemetry-elastic/config/filebeat.yml b/experimental/app/telemetry-elastic/config/filebeat.yml
index 310afd1..310afd1 100644
--- a/experimental/bad.telemetry-elastic/config/filebeat.yml
+++ b/experimental/app/telemetry-elastic/config/filebeat.yml
diff --git a/experimental/bad.telemetry-elastic/config/grafana-litestream.yml b/experimental/app/telemetry-elastic/config/grafana-litestream.yml
index a537d9c..a537d9c 100644
--- a/experimental/bad.telemetry-elastic/config/grafana-litestream.yml
+++ b/experimental/app/telemetry-elastic/config/grafana-litestream.yml
diff --git a/experimental/bad.telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml b/experimental/app/telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml
index 7d2277c..7d2277c 100644
--- a/experimental/bad.telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml
+++ b/experimental/app/telemetry-elastic/config/grafana/provisioning/datasources/elastic.yaml
diff --git a/experimental/bad.telemetry-elastic/config/otel-config.yaml b/experimental/app/telemetry-elastic/config/otel-config.yaml
index bcf1baa..bcf1baa 100644
--- a/experimental/bad.telemetry-elastic/config/otel-config.yaml
+++ b/experimental/app/telemetry-elastic/config/otel-config.yaml
diff --git a/experimental/bad.telemetry-elastic/deploy/telemetry-system.hcl b/experimental/app/telemetry-elastic/deploy/telemetry-system.hcl
index 3e26c2e..3e26c2e 100644
--- a/experimental/bad.telemetry-elastic/deploy/telemetry-system.hcl
+++ b/experimental/app/telemetry-elastic/deploy/telemetry-system.hcl
diff --git a/experimental/bad.telemetry-elastic/deploy/telemetry.hcl b/experimental/app/telemetry-elastic/deploy/telemetry.hcl
index 21685a1..21685a1 100644
--- a/experimental/bad.telemetry-elastic/deploy/telemetry.hcl
+++ b/experimental/app/telemetry-elastic/deploy/telemetry.hcl
diff --git a/experimental/bad.yugabyte/deploy/yugabyte.hcl b/experimental/app/yugabyte/deploy/yugabyte.hcl
index e7efa7a..e7efa7a 100644
--- a/experimental/bad.yugabyte/deploy/yugabyte.hcl
+++ b/experimental/app/yugabyte/deploy/yugabyte.hcl
diff --git a/doc/example-hardware-configuration.nix b/experimental/luks-fde/example-hardware-configuration.nix
index 0a72bd1..0a72bd1 100644
--- a/doc/example-hardware-configuration.nix
+++ b/experimental/luks-fde/example-hardware-configuration.nix
diff --git a/doc/nixos-install-luks.md b/experimental/luks-fde/nixos-install-luks.md
index 3f0feca..9e173f7 100644
--- a/doc/nixos-install-luks.md
+++ b/experimental/luks-fde/nixos-install-luks.md
@@ -1,6 +1,6 @@
## Preparation
-Download NixOS 21.11 ISO. Burn to USB.
+Download NixOS. Burn to USB.
## Booting into install environment
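Review bot: replacing `Download NixOS 21.11 ISO` with `Download NixOS` removes the only concrete detail in the step without saying what to download instead; state the artifact and the check, e.g. `Download the current NixOS ISO, verify its published checksum, then write it to USB.`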
@@ -120,7 +120,7 @@ Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.
## Deploy from this repo
-See [this documentation](quick-start.md).
+See the documentation in `/doc` in this repo. The old procedure described here is partly obsolete.
## Old guide
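Review bot: `See the documentation in `/doc` in this repo` is a bare path, and since this file now lives in `experimental/luks-fde/` it needs a relative link to stay clickable, e.g. `See [the documentation in doc/](../../doc/) in this repo.` It would also help to name which topic replaces the removed `quick-start.md` link.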
@@ -154,7 +154,7 @@ Reboot.
Check remote unlocking works: `ssh -p 222 root@<ip>`
-## Configure wireguard
+### Configure wireguard
```bash
# On node being installed
@@ -172,11 +172,11 @@ Redo a deploy (`./deploy.sh <cluster> <nodename>`)
Check VPN works. Change IP in `ssh_config` to use VPN IP instead of LAN IP (required for deploy when away from home).
-## Commit changes to `nixcfg` repo
+### Commit changes to `nixcfg` repo
This is a good point to commit your new/modified `.nix` files.
-## Configure Nomad and Consul TLS
+### Configure Nomad and Consul TLS
If you are bootstraping a new cluster, you need to `./genpki.sh <cluster>` to
make a TLS PKI for the Nomad+Consul cluster to work. Then redo a deploy.
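Review bot: the heading demotions from `##` to `###` are consistent with the new `## Old guide` parent, but while touching this section fix the typo in the unchanged context line below: `If you are bootstraping a new cluster` should read `bootstrapping`.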
diff --git a/secretmgr/secretmgr.py b/secretmgr/secretmgr
index 8b17f61..3c0ec08 100755
--- a/secretmgr/secretmgr.py
+++ b/secretmgr/secretmgr
@@ -1,4 +1,5 @@
-#!/usr/bin/env python3
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages(ps: [ ps.pip ps.consul ps.ldap ps.passlib ps.requests ps.six ])"
# DEPENDENCY: python-consul
import consul
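Review bot: the new two-line `nix-shell` shebang declares the Python dependencies inline, so the `# DEPENDENCY: python-consul` comment below it is now stale and should be removed or extended to the full list (`consul`, `ldap`, `passlib`, `requests`, `six`); `ps.pip` is also not needed when the packages come from nixpkgs. The shebang resolves `<nixpkgs>` from the caller's NIX_PATH, so two operators can run this secret-management tool against different package sets; pin it with `#!nix-shell -I nixpkgs=<pinned channel or tarball URL> -i python3 -p "..."` for reproducible runs.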
diff --git a/secretmgr/shell.nix b/secretmgr/shell.nix
deleted file mode 100644
index c9b8053..0000000
--- a/secretmgr/shell.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- pkgs ? import <nixpkgs> {}
-}:
-
-with pkgs; mkShell {
- nativeBuildInputs = [
- nomad
- docker-compose
- python39Packages.pip
- python39Packages.ldap
- python39Packages.consul
- python39Packages.passlib
- ];
-}
-
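Review bot: deleting `shell.nix` drops `nomad` and `docker-compose` from the development environment, and the new `secretmgr` shebang only provides the Python packages; if anyone relied on `nix-shell` in this directory for those CLIs, keep a trimmed `shell.nix` or note in the README where they come from now. The dependency set also changes silently: the old environment used `python39Packages`, while the shebang uses unversioned `python3` and adds `requests` and `six`.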
diff --git a/sshtool b/sshtool
index 262f0e3..24c19af 100755
--- a/sshtool
+++ b/sshtool
@@ -1,6 +1,11 @@
#!/usr/bin/env bash
CMDFILE="$1"
+if [ -z "$CMDFILE" ] || [ ! -f "$CMDFILE" ]; then
+ echo "sshtool is not meant to be called on its own."
+ echo "See scripts that use it (e.g. deploy_nixos) for usage examples."
+ exit 1
+fi
shift 1
cd $(dirname $CMDFILE)
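Review bot: the new guard correctly refuses to run without a command file, but its messages should go to stderr (`echo "..." >&2`) so callers that capture stdout do not mistake them for output, and the unchanged line `cd $(dirname $CMDFILE)` below it is still unquoted and unchecked; use `cd "$(dirname "$CMDFILE")" || exit 1` so a path containing spaces or a failed `cd` cannot leave the following commands running in the wrong directory.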