From 1ade671f964516976151ab8b2e8dc6027aa9e73f Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 30 Dec 2021 21:23:24 +0100
Subject: Add readme and cleanup a bit

---
 README.md | 27 +++++++++++++++++++++++++++
 env.sh | 12 ------------
 sslproxy.sh | 20 --------------------
 tlsenv.sh | 12 ++++++++++++
 tlsproxy.sh | 20 ++++++++++++++++++++
 5 files changed, 59 insertions(+), 32 deletions(-)
 create mode 100644 README.md
 delete mode 100644 env.sh
 delete mode 100755 sslproxy.sh
 create mode 100644 tlsenv.sh
 create mode 100755 tlsproxy.sh

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9204a23
--- /dev/null
+++ b/README.md
@@ -0,0 +1,27 @@
+# Deuxfleurs on NixOS!
+
+This repository contains code to run Deuxfleur's infrastructure on NixOS.
+
+It sets up the following:
+
+- A Wireguard mesh between all nodes
+- Consul, with TLS
+- Nomad, with TLS
+
+The following scripts are available here:
+
+- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
+- `deploy.sh`, the main script that updates the NixOS config and sets up all of the TLS secrets
+- `upgrade.sh`, a script to upgrade NixOS
+- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
+- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
+
+Stuff should be started in this order:
+
+- `app/core`
+- `app/frontend`
+- `app/garage-staging`
+
+At this point, we are able to have a systemd service called `mountgarage` that mounts Garage buckets in `/mnt/garage-staging`. This is used by the following services that can be launched afterwards:
+
+- `app/im`
diff --git a/env.sh b/env.sh
deleted file mode 100644
index 8681e8c..0000000
--- a/env.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-YEAR=$(date +%Y)
-
-export NOMAD_ADDR=https://localhost:14646
-export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
-export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
-export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
-
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/sslproxy.sh b/sslproxy.sh
deleted file mode 100755
index aa0006a..0000000
--- a/sslproxy.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-YEAR=$(date +%Y)
-
-_int() {
- echo "Caught SIGINT signal!"
- kill -INT "$child1" 2>/dev/null
- kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"
diff --git a/tlsenv.sh b/tlsenv.sh
new file mode 100644
index 0000000..8681e8c
--- /dev/null
+++ b/tlsenv.sh
@@ -0,0 +1,12 @@
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+YEAR=$(date +%Y)
+
+export NOMAD_ADDR=https://localhost:14646
+export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
+export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
+export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
+
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/tlsproxy.sh b/tlsproxy.sh
new file mode 100755
index 0000000..aa0006a
--- /dev/null
+++ b/tlsproxy.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+YEAR=$(date +%Y)
+
+_int() {
+ echo "Caught SIGINT signal!"
+ kill -INT "$child1" 2>/dev/null
+ kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
-- 
cgit v1.2.3
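Review bot: In tlsproxy.sh, `tcp4-listen:4646,reuseaddr,fork` (and the `tcp4-listen:8500` line below it) has no bind address, so socat listens on every IPv4 interface and any host that can reach this machine gets plaintext access to Nomad and Consul authenticated with the client certificate the proxy presents; the README added in this same commit describes it as a local proxy, so both listeners should be pinned to loopback, e.g. `tcp4-listen:4646,bind=127.0.0.1,reuseaddr,fork` and `tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork`. The proxy verifies the upstream against `cafile=secrets/pki/nomad$YEAR.crt` / `consul$YEAR.crt` while tlsenv.sh in this commit uses `nomad-ca.crt` / `consul-ca.crt` as the CA, so one of the two looks wrong unless genpki.sh emits both files, which is not visible here. The `secrets/pki/` paths are also relative to the caller's working directory, whereas tlsenv.sh resolves them from `SCRIPT_DIR`, so the proxy only works when started from the repository root. The file content is byte-identical to the deleted sslproxy.sh, so these points are pre-existing rather than introduced by the rename.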