From 1ade671f964516976151ab8b2e8dc6027aa9e73f Mon Sep 17 00:00:00 2001
From: Alex Auvolat <alex@adnab.me>
Date: Thu, 30 Dec 2021 21:23:24 +0100
Subject: Add readme and cleanup a bit

---
 README.md   | 27 +++++++++++++++++++++++++++
 env.sh      | 12 ------------
 sslproxy.sh | 20 --------------------
 tlsenv.sh   | 12 ++++++++++++
 tlsproxy.sh | 20 ++++++++++++++++++++
 5 files changed, 59 insertions(+), 32 deletions(-)
 create mode 100644 README.md
 delete mode 100644 env.sh
 delete mode 100755 sslproxy.sh
 create mode 100644 tlsenv.sh
 create mode 100755 tlsproxy.sh

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9204a23
--- /dev/null
+++ b/README.md
@@ -0,0 +1,27 @@
+# Deuxfleurs on NixOS!
+
+This repository contains code to run Deuxfleur's infrastructure on NixOS.
+
+It sets up the following:
+
+- A Wireguard mesh between all nodes
+- Consul, with TLS
+- Nomad, with TLS
+
+The following scripts are available here:
+
+- `genpki.sh`, a script to generate Consul and Nomad's TLS PKI (run this once only)
+- `deploy.sh`, the main script that updates the NixOS config and sets up all of the TLS secrets
+- `upgrade.sh`, a script to upgrade NixOS
+- `tlsproxy.sh`, a script that allows non-TLS access to the TLS-secured Consul and Nomad, by running a simple local proxy with socat
+- `tlsenv.sh`, a script to be sourced (`source tlsenv.sh`) that configures the correct environment variables to use the Nomad and Consul CLI tools with TLS
+
+Stuff should be started in this order:
+
+- `app/core`
+- `app/frontend`
+- `app/garage-staging`
+
+At this point, we are able to have a systemd service called `mountgarage` that mounts Garage buckets in `/mnt/garage-staging`. This is used by the following services that can be launched afterwards:
+
+- `app/im`
diff --git a/env.sh b/env.sh
deleted file mode 100644
index 8681e8c..0000000
--- a/env.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-YEAR=$(date +%Y)
-
-export NOMAD_ADDR=https://localhost:14646
-export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
-export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
-export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
-
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/sslproxy.sh b/sslproxy.sh
deleted file mode 100755
index aa0006a..0000000
--- a/sslproxy.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-YEAR=$(date +%Y)
-
-_int() {
-  echo "Caught SIGINT signal!"
-  kill -INT "$child1" 2>/dev/null
-  kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"
diff --git a/tlsenv.sh b/tlsenv.sh
new file mode 100644
index 0000000..8681e8c
--- /dev/null
+++ b/tlsenv.sh
@@ -0,0 +1,12 @@
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+YEAR=$(date +%Y)
+
+export NOMAD_ADDR=https://localhost:14646
+export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
+export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
+export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
+
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/tlsproxy.sh b/tlsproxy.sh
new file mode 100755
index 0000000..aa0006a
--- /dev/null
+++ b/tlsproxy.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+YEAR=$(date +%Y)
+
+_int() {
+  echo "Caught SIGINT signal!"
+  kill -INT "$child1" 2>/dev/null
+  kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
-- 
cgit v1.2.3