-rw-r--r--cluster/staging/app/core/deploy/core-service.hcl2
-rw-r--r--cluster/staging/app/core/deploy/core-system.hcl2
-rw-r--r--cluster/staging/app/garage/deploy/garage.hcl2
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry-system.hcl2
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry.hcl2
-rw-r--r--cluster/staging/cluster.nix8
-rw-r--r--cluster/staging/known_hosts5
-rw-r--r--cluster/staging/node/piranha.nix21
l---------cluster/staging/node/piranha.site.nix1
-rw-r--r--cluster/staging/site/corrin.nix14
-rw-r--r--cluster/staging/ssh_config3
-rwxr-xr-xdeploy_pki29
-rw-r--r--doc/architecture.md26
-rw-r--r--doc/onboarding.md2
-rw-r--r--nix/deuxfleurs.nix14
-rwxr-xr-xtlsproxy2
16 files changed, 109 insertions, 26 deletions
diff --git a/cluster/staging/app/core/deploy/core-service.hcl b/cluster/staging/app/core/deploy/core-service.hcl
index e2ec0a0..72f6f0b 100644
--- a/cluster/staging/app/core/deploy/core-service.hcl
+++ b/cluster/staging/app/core/deploy/core-service.hcl
@@ -1,5 +1,5 @@
job "core-service" {
- datacenters = ["neptune", "jupiter"]
+ datacenters = ["neptune", "jupiter", "corrin"]
type = "service"
priority = 90
diff --git a/cluster/staging/app/core/deploy/core-system.hcl b/cluster/staging/app/core/deploy/core-system.hcl
index 722423d..53babd7 100644
--- a/cluster/staging/app/core/deploy/core-system.hcl
+++ b/cluster/staging/app/core/deploy/core-system.hcl
@@ -1,5 +1,5 @@
job "core-system" {
- datacenters = ["neptune", "jupiter"]
+ datacenters = ["neptune", "jupiter", "corrin"]
type = "system"
priority = 90
diff --git a/cluster/staging/app/garage/deploy/garage.hcl b/cluster/staging/app/garage/deploy/garage.hcl
index 03a62cb..f8e14d9 100644
--- a/cluster/staging/app/garage/deploy/garage.hcl
+++ b/cluster/staging/app/garage/deploy/garage.hcl
@@ -2,7 +2,7 @@ job "garage-staging" {
type = "system"
priority = 90
- datacenters = [ "neptune", "jupiter" ]
+ datacenters = [ "neptune", "jupiter", "corrin" ]
update {
max_parallel = 1
diff --git a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
index cf78053..1f0e64e 100644
--- a/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
@@ -1,5 +1,5 @@
job "telemetry-system" {
- datacenters = ["neptune", "jupiter"]
+ datacenters = ["neptune", "jupiter", "corrin"]
type = "system"
priority = "100"
diff --git a/cluster/staging/app/telemetry/deploy/telemetry.hcl b/cluster/staging/app/telemetry/deploy/telemetry.hcl
index 4b9af55..a3dacf0 100644
--- a/cluster/staging/app/telemetry/deploy/telemetry.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry.hcl
@@ -1,5 +1,5 @@
job "telemetry" {
- datacenters = ["neptune", "jupiter"]
+ datacenters = ["neptune", "jupiter", "corrin"]
type = "service"
group "prometheus" {
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 54e4cd8..c2db0fd 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -40,6 +40,14 @@
lan_endpoint = "192.168.1.33:33799";
endpoint = "82.64.238.84:33733";
}
+ {
+ hostname = "piranha";
+ site_name = "corrin";
+ publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY=";
+ IP = "10.14.3.1";
+ lan_endpoint = "192.168.1.25:33799";
+ endpoint = "90.49.20.119:33721";
+ }
];
# Bootstrap IPs for Consul cluster,
diff --git a/cluster/staging/known_hosts b/cluster/staging/known_hosts
index 68f25c0..0413047 100644
--- a/cluster/staging/known_hosts
+++ b/cluster/staging/known_hosts
@@ -2,3 +2,8 @@ carcajou.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19S
cariacou.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXTUrXRFhudJBESCqjHCOttzqYPyIzpPOMkI8+SwLRx
caribou.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
origan.df.trinity.fr.eu.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
+piranha.polyno.me,2a01:cb05:8984:3c00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co
+2001:910:1204:1::23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtsVFIoIu6tnYrzlcCbBiQXxNkFSWVMhMznUuSxGZ22
+2001:910:1204:1::22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ
+2001:910:1204:1::21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXTUrXRFhudJBESCqjHCOttzqYPyIzpPOMkI8+SwLRx
+2a01:e0a:5e4:1d0:223:24ff:feaf:fdec ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK
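Review bot: The four IPv6-keyed entries at the end of the hunk give no indication of which machine each belongs to, so anyone auditing the pinned host keys has to match key blobs by eye. Comparing the blobs, the `2001:910:1204:1::23`, `::22` and `::21` keys appear to equal those of caribou, carcajou and cariacou above, and the `2a01:e0a:…` key equals origan's; known_hosts accepts `#` comment lines, so a line such as `# 2001:910:1204:1::21-23 = cariacou/carcajou/caribou, 2a01:e0a:5e4:1d0:223:24ff:feaf:fdec = origan` above them would record that. Alternatively the address could be appended to each existing hostname line as `host,addr`, the way the new piranha line does, which keeps a single entry per host.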
diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix
new file mode 100644
index 0000000..22f8108
--- /dev/null
+++ b/cluster/staging/node/piranha.nix
@@ -0,0 +1,21 @@
+# Configuration file local to this node
+
+{ config, pkgs, ... }:
+
+{
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.timeout = 20;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "piranha";
+
+ deuxfleurs.network_interface = "eno1";
+ deuxfleurs.lan_ip = "192.168.1.25";
+ deuxfleurs.ipv6 = "2a01:cb05:8984:3c00:223:24ff:feb0:ea82";
+
+ deuxfleurs.cluster_ip = "10.14.3.1";
+ deuxfleurs.is_raft_server = false;
+
+ system.stateVersion = "22.11";
+}
diff --git a/cluster/staging/node/piranha.site.nix b/cluster/staging/node/piranha.site.nix
new file mode 120000
index 0000000..0a97c41
--- /dev/null
+++ b/cluster/staging/node/piranha.site.nix
@@ -0,0 +1 @@
+../site/corrin.nix \ No newline at end of file
diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix
new file mode 100644
index 0000000..98151f0
--- /dev/null
+++ b/cluster/staging/site/corrin.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+ deuxfleurs.site_name = "corrin";
+ deuxfleurs.lan_default_gateway = "192.168.1.1";
+ deuxfleurs.ipv6_default_gateway = "fe80::7ec1:77ff:fe3e:bb90";
+ deuxfleurs.lan_ip_prefix_length = 24;
+ deuxfleurs.ipv6_prefix_length = 64;
+ deuxfleurs.nameservers = [ "192.168.1.1" ];
+ deuxfleurs.cname_target = "corrin.site.staging.deuxfleurs.org.";
+ deuxfleurs.public_ipv4 = "90.49.20.119";
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
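Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` is declared in the site file rather than the node file, so every node that links to corrin.nix (as piranha.site.nix does) inherits publicly open HTTP/HTTPS ports, not only piranha. If that is deliberate, a comment above it such as `# Every node at this site accepts inbound 80/443` documents the intent; if only piranha should serve these ports, the line belongs in node/piranha.nix next to its other node-local settings. No other site file appears in this diff, so I cannot tell whether the existing sites follow the same convention.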
diff --git a/cluster/staging/ssh_config b/cluster/staging/ssh_config
index e1eecc3..c8860a4 100644
--- a/cluster/staging/ssh_config
+++ b/cluster/staging/ssh_config
@@ -11,3 +11,6 @@ Host cariacou
Host origan
HostName origan.df.trinity.fr.eu.org
+
+Host piranha
+ HostName piranha.polyno.me
diff --git a/deploy_pki b/deploy_pki
index d7f5832..f114901 100755
--- a/deploy_pki
+++ b/deploy_pki
@@ -14,6 +14,11 @@ do
fi
done
+cmd ln -sf /var/lib/consul/pki/consul$YEAR.crt /var/lib/consul/pki/consul.crt
+cmd ln -sf /var/lib/consul/pki/consul$YEAR.key /var/lib/consul/pki/consul.key
+cmd ln -sf /var/lib/consul/pki/consul$YEAR-client.crt /var/lib/consul/pki/consul-client.crt
+cmd ln -sf /var/lib/consul/pki/consul$YEAR-client.key /var/lib/consul/pki/consul-client.key
+
cmd systemctl restart consul
cmd sleep 10
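Review bot: `ln -sf` succeeds even when `consul$YEAR.crt` or `consul$YEAR.key` is missing, leaving a dangling `consul.crt`/`consul.key` that is only discovered when `systemctl restart consul` fails on the next line of the hunk. The loop above, whose body lies outside the hunk, may already abort in that case, but if it does not, a guard such as `cmd "test -f /var/lib/consul/pki/consul$YEAR.key && test -f /var/lib/consul/pki/consul$YEAR-client.key"` before the links (assuming `cmd` propagates a non-zero exit status) would fail early and leave the previous symlinks intact. The nomad block in the next hunk has the same exposure. A comment above the four `ln` lines, e.g. `# Stable names consumed by the consul/nomad config in nix/deuxfleurs.nix; rotation = rerun with a new YEAR`, would also record why the year-suffixed files are no longer referenced directly.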
@@ -27,19 +32,27 @@ do
fi
done
+cmd ln -sf /var/lib/nomad/pki/nomad$YEAR.crt /var/lib/nomad/pki/nomad.crt
+cmd ln -sf /var/lib/nomad/pki/nomad$YEAR.key /var/lib/nomad/pki/nomad.key
+cmd ln -sf /var/lib/nomad/pki/nomad$YEAR-client.crt /var/lib/nomad/pki/nomad-client.crt
+cmd ln -sf /var/lib/nomad/pki/nomad$YEAR-client.key /var/lib/nomad/pki/nomad-client.key
+cmd ln -sf /var/lib/nomad/pki/consul$YEAR.crt /var/lib/nomad/pki/consul.crt
+cmd ln -sf /var/lib/nomad/pki/consul$YEAR-client.crt /var/lib/nomad/pki/consul-client.crt
+cmd ln -sf /var/lib/nomad/pki/consul$YEAR-client.key /var/lib/nomad/pki/consul-client.key
+
cmd systemctl restart nomad
set_env CONSUL_HTTP_ADDR=https://localhost:8501
set_env CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
-set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
-set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul-client.crt
+set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul-client.key
cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
-cmd "consul kv put secrets/consul/consul.crt - < /var/lib/consul/pki/consul$YEAR.crt"
-cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
-cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"
+cmd "consul kv put secrets/consul/consul.crt - < /var/lib/consul/pki/consul.crt"
+cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul-client.crt"
+cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul-client.key"
cmd "consul kv put secrets/nomad/nomad-ca.crt - < /var/lib/nomad/pki/nomad-ca.crt"
-cmd "consul kv put secrets/nomad/nomad.crt - < /var/lib/nomad/pki/nomad$YEAR.crt"
-cmd "consul kv put secrets/nomad/nomad-client.crt - < /var/lib/nomad/pki/nomad$YEAR-client.crt"
-cmd "consul kv put secrets/nomad/nomad-client.key - < /var/lib/nomad/pki/nomad$YEAR-client.key"
+cmd "consul kv put secrets/nomad/nomad.crt - < /var/lib/nomad/pki/nomad.crt"
+cmd "consul kv put secrets/nomad/nomad-client.crt - < /var/lib/nomad/pki/nomad-client.crt"
+cmd "consul kv put secrets/nomad/nomad-client.key - < /var/lib/nomad/pki/nomad-client.key"
diff --git a/doc/architecture.md b/doc/architecture.md
index 53032c2..7d36643 100644
--- a/doc/architecture.md
+++ b/doc/architecture.md
@@ -143,13 +143,31 @@ $ nomad operator scheduler get-config --json
### Launching services
+To launch a service, e.g. `app/core`, use `nomad plan` first:
+
+```
+cd cluster/staging/app/core/deploy
+nomad plan core-system.hcl
+```
+
+If the diff looks fine, then you can run the job for real
+(the index is printed in the output of `nomad plan`):
+
+```
+nomad job run -check-index NNN core-system.hcl
+```
+
+There may be several jobs in the same directory, for instance
+`core-system.hcl` and `core-service.hcl`.
+
+### Which services to launch
+
Stuff should be started in this order:
1. `app/core`
-2. `app/frontend`
-3. `app/telemetry`
-4. `app/garage`
-5. `app/directory`
+2. `app/telemetry`
+3. `app/garage`
+4. `app/directory`
Then, other stuff can be started in any order, e.g.:
diff --git a/doc/onboarding.md b/doc/onboarding.md
index b3bd264..585ec84 100644
--- a/doc/onboarding.md
+++ b/doc/onboarding.md
@@ -12,7 +12,7 @@ Basically:
- Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
-## How to operate a node (conncet to Nomad and Consul)
+## How to operate a node (connect to Nomad and Consul)
Edit your `~/.ssh/config` file with content such as the following:
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 14085c1..e0cb376 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -291,8 +291,8 @@ in
};
ca_file = "/var/lib/consul/pki/consul-ca.crt";
- cert_file = "/var/lib/consul/pki/consul2022.crt";
- key_file = "/var/lib/consul/pki/consul2022.key";
+ cert_file = "/var/lib/consul/pki/consul.crt";
+ key_file = "/var/lib/consul/pki/consul.key";
verify_incoming = true;
verify_outgoing = true;
verify_server_hostname = true;
@@ -324,9 +324,9 @@ in
};
consul = {
address = "localhost:8501";
- ca_file = "/var/lib/nomad/pki/consul2022.crt";
- cert_file = "/var/lib/nomad/pki/consul2022-client.crt";
- key_file = "/var/lib/nomad/pki/consul2022-client.key";
+ ca_file = "/var/lib/nomad/pki/consul.crt";
+ cert_file = "/var/lib/nomad/pki/consul-client.crt";
+ key_file = "/var/lib/nomad/pki/consul-client.key";
ssl = true;
checks_use_advertise = true;
};
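Review bot: In Nomad's `consul` stanza, `ca_file` now points at `/var/lib/nomad/pki/consul.crt`, which deploy_pki links to `consul$YEAR.crt` — presumably a copy of the Consul server certificate — while Consul's own trust anchor is `consul-ca.crt` (`CONSUL_CACERT` in deploy_pki and `ca_file` in the previous hunk). If `consul.crt` is a leaf certificate rather than the CA, Nomad's verification of the Consul server is pinned to that exact certificate and will break when it is reissued even though the CA is unchanged; the commit carries over the pre-existing `consul2022.crt` choice, so this may be intentional. Worth confirming, and either switching to `ca_file = "/var/lib/nomad/pki/consul-ca.crt";` (with a matching copy or link in deploy_pki) or adding `# consul.crt doubles as the CA here — intentional` above the line.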
@@ -344,8 +344,8 @@ in
http = true;
rpc = true;
ca_file = "/var/lib/nomad/pki/nomad-ca.crt";
- cert_file = "/var/lib/nomad/pki/nomad2022.crt";
- key_file = "/var/lib/nomad/pki/nomad2022.key";
+ cert_file = "/var/lib/nomad/pki/nomad.crt";
+ key_file = "/var/lib/nomad/pki/nomad.key";
verify_server_hostname = true;
verify_https_client = true;
};
diff --git a/tlsproxy b/tlsproxy
index bd639b2..1260d21 100755
--- a/tlsproxy
+++ b/tlsproxy
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -xe