From a0db30ca26ee0ca8c8efbabd76ba584331b5337c Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 24 Mar 2023 12:58:44 +0100 Subject: Sanitize DNS configuration - get rid of outside nameserver, unbound does the recursive resolving itself (and it checks DNSSEC) - remove CAP_NET_BIND_SERVICE for Consul as it is no longer binding on port 53 (was already obsolete) - make unbound config independant of LAN IPv4 address --- cluster/staging/site/bespin.nix | 1 - cluster/staging/site/corrin.nix | 1 - cluster/staging/site/jupiter.nix | 1 - cluster/staging/site/neptune.nix | 1 - 4 files changed, 4 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/site/bespin.nix b/cluster/staging/site/bespin.nix index 9401f74..1133603 100644 --- a/cluster/staging/site/bespin.nix +++ b/cluster/staging/site/bespin.nix @@ -6,7 +6,6 @@ deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1"; deuxfleurs.lan_ip_prefix_length = 24; deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.5.254" ]; deuxfleurs.cname_target = "bespin.site.staging.deuxfleurs.org."; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix index ca2ae49..8bf8693 100644 --- a/cluster/staging/site/corrin.nix +++ b/cluster/staging/site/corrin.nix @@ -6,7 +6,6 @@ deuxfleurs.ipv6_default_gateway = "fe80::7ec1:77ff:fe3e:bb90"; deuxfleurs.lan_ip_prefix_length = 24; deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.1.1" ]; deuxfleurs.cname_target = "corrin.site.staging.deuxfleurs.org."; deuxfleurs.public_ipv4 = "82.120.233.78"; diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix index 31b9f47..291e582 100644 --- a/cluster/staging/site/jupiter.nix +++ b/cluster/staging/site/jupiter.nix @@ -6,7 +6,6 @@ deuxfleurs.ipv6_default_gateway = "fe80::9038:202a:73a0:e73b"; deuxfleurs.lan_ip_prefix_length = 24; deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.1.1" ]; deuxfleurs.cname_target = "jupiter.site.staging.deuxfleurs.org."; # no public ipv4 is used for the staging cluster on Jupiter diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix index 5399826..b030b46 100644 --- a/cluster/staging/site/neptune.nix +++ b/cluster/staging/site/neptune.nix @@ -6,7 +6,6 @@ deuxfleurs.ipv6_default_gateway = "2001:910:1204:1::1"; deuxfleurs.lan_ip_prefix_length = 24; deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.1.1" ]; deuxfleurs.cname_target = "neptune.site.staging.deuxfleurs.org."; # no public ipv4 is used for the staging cluster on Neptune, -- cgit v1.2.3 From e2aea648cf2e6c8b11d53d6149f9e9d161da6d3e Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 24 Mar 2023 14:32:39 +0100 Subject: greatly simplify ipv4 and ipv6 configuration --- cluster/staging/known_hosts | 1 + cluster/staging/node/carcajou.nix | 8 ++++++-- cluster/staging/node/caribou.nix | 2 -- cluster/staging/node/df-pw5.nix | 5 +++-- cluster/staging/node/origan.nix | 3 +-- cluster/staging/node/piranha.nix | 3 +-- cluster/staging/site/bespin.nix | 5 +---- cluster/staging/site/corrin.nix | 5 +---- cluster/staging/site/jupiter.nix | 5 +---- cluster/staging/site/neptune.nix | 4 ---- 10 files changed, 15 insertions(+), 26 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/known_hosts b/cluster/staging/known_hosts index 0cb04f2..d721c27 100644 --- a/cluster/staging/known_hosts +++ b/cluster/staging/known_hosts @@ -9,3 +9,4 @@ piranha.polyno.me,2a01:cb05:8984:3c00:223:24ff:feb0:ea82 ssh-ed25519 AAAAC3NzaC1 2a01:e0a:5e4:1d0:223:24ff:feaf:fdec ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsZas74RT6lCZwuUOPR23nPdbSdpWORyAmRgjoiMVHK df-pw5.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/dJIxioCkfeehxeGiZR7qquYGoqEH/YrRJ/ukEcaLH 10.14.3.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnpO6zpLWsyyugOoOj+2bUow9TUrcWgURFGGaoyu+co +192.168.1.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMf/ioVSSb19Slu+HZLgKt4f1/XsL+K9uMxazSWb/+nQ diff --git a/cluster/staging/node/carcajou.nix b/cluster/staging/node/carcajou.nix index e1bd3a6..5822f49 100644 --- a/cluster/staging/node/carcajou.nix +++ b/cluster/staging/node/carcajou.nix @@ -8,6 +8,12 @@ ./remote-unlock.nix ]; + deuxfleurs.remoteUnlock = { + networkInterface = "eno1"; + staticIP = "192.168.1.22/24"; + defaultGateway = "192.168.1.1"; + }; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.timeout = 20; @@ -15,8 +21,6 @@ networking.hostName = "carcajou"; - deuxfleurs.network_interface = "eno1"; - deuxfleurs.lan_ip = "192.168.1.22"; deuxfleurs.ipv6 = "2001:910:1204:1::22"; deuxfleurs.cluster_ip = "10.14.1.2"; diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix index 02cb16d..2e8691a 100644 --- a/cluster/staging/node/caribou.nix +++ b/cluster/staging/node/caribou.nix @@ -10,8 +10,6 @@ networking.hostName = "caribou"; - deuxfleurs.network_interface = "eno1"; - deuxfleurs.lan_ip = "192.168.1.23"; deuxfleurs.ipv6 = "2001:910:1204:1::23"; deuxfleurs.cluster_ip = "10.14.1.3"; diff --git a/cluster/staging/node/df-pw5.nix b/cluster/staging/node/df-pw5.nix index 33888d6..356a2ae 100644 --- a/cluster/staging/node/df-pw5.nix +++ b/cluster/staging/node/df-pw5.nix @@ -11,10 +11,11 @@ networking.hostName = "df-pw5"; - deuxfleurs.network_interface = "eno1"; - deuxfleurs.lan_ip = "192.168.5.130"; + deuxfleurs.staticIPv4.address = "192.168.5.130/24"; deuxfleurs.ipv6 = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7"; deuxfleurs.cluster_ip = "10.14.4.1"; deuxfleurs.is_raft_server = false; + + system.stateVersion = "22.11"; } diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix index 50bce58..6db7f87 100644 --- a/cluster/staging/node/origan.nix +++ b/cluster/staging/node/origan.nix @@ -10,8 +10,7 @@ networking.hostName = "origan"; - deuxfleurs.network_interface = "eno1"; - deuxfleurs.lan_ip = "192.168.1.33"; + deuxfleurs.staticIPv4.address = "192.168.1.33/24"; deuxfleurs.ipv6 = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec"; deuxfleurs.cluster_ip = "10.14.2.33"; diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix index 9ac2a07..4873693 100644 --- a/cluster/staging/node/piranha.nix +++ b/cluster/staging/node/piranha.nix @@ -10,8 +10,7 @@ networking.hostName = "piranha"; - deuxfleurs.network_interface = "eno1"; - deuxfleurs.lan_ip = "192.168.1.25"; + deuxfleurs.staticIPv4.address = "192.168.1.25/24"; deuxfleurs.ipv6 = "2a01:cb05:8984:9900:223:24ff:feb0:ea82"; deuxfleurs.cluster_ip = "10.14.3.1"; diff --git a/cluster/staging/site/bespin.nix b/cluster/staging/site/bespin.nix index 1133603..3fcefbb 100644 --- a/cluster/staging/site/bespin.nix +++ b/cluster/staging/site/bespin.nix @@ -2,10 +2,7 @@ { deuxfleurs.site_name = "bespin"; - deuxfleurs.lan_default_gateway = "192.168.5.254"; - deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; + deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254"; deuxfleurs.cname_target = "bespin.site.staging.deuxfleurs.org."; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix index 8bf8693..0ff7b80 100644 --- a/cluster/staging/site/corrin.nix +++ b/cluster/staging/site/corrin.nix @@ -2,10 +2,7 @@ { deuxfleurs.site_name = "corrin"; - deuxfleurs.lan_default_gateway = "192.168.1.1"; - deuxfleurs.ipv6_default_gateway = "fe80::7ec1:77ff:fe3e:bb90"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; + deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; deuxfleurs.cname_target = "corrin.site.staging.deuxfleurs.org."; deuxfleurs.public_ipv4 = "82.120.233.78"; diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix index 291e582..2269836 100644 --- a/cluster/staging/site/jupiter.nix +++ b/cluster/staging/site/jupiter.nix @@ -2,10 +2,7 @@ { deuxfleurs.site_name = "jupiter"; - deuxfleurs.lan_default_gateway = "192.168.1.1"; - deuxfleurs.ipv6_default_gateway = "fe80::9038:202a:73a0:e73b"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; + deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; deuxfleurs.cname_target = "jupiter.site.staging.deuxfleurs.org."; # no public ipv4 is used for the staging cluster on Jupiter diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix index b030b46..36d5957 100644 --- a/cluster/staging/site/neptune.nix +++ b/cluster/staging/site/neptune.nix @@ -2,10 +2,6 @@ { deuxfleurs.site_name = "neptune"; - deuxfleurs.lan_default_gateway = "192.168.1.1"; - deuxfleurs.ipv6_default_gateway = "2001:910:1204:1::1"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; deuxfleurs.cname_target = "neptune.site.staging.deuxfleurs.org."; # no public ipv4 is used for the staging cluster on Neptune, -- cgit v1.2.3 From 96566ae523934f5a37b8d7c2a9ef928cd5c0d098 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 24 Mar 2023 15:26:39 +0100 Subject: refactor configuration syntax --- cluster/staging/cluster.nix | 70 ++++++++++++++++++--------------------- cluster/staging/node/carcajou.nix | 7 ++-- cluster/staging/node/caribou.nix | 9 ++--- cluster/staging/node/df-pw5.nix | 8 ++--- cluster/staging/node/origan.nix | 9 ++--- cluster/staging/node/piranha.nix | 9 ++--- cluster/staging/site/bespin.nix | 4 +-- cluster/staging/site/corrin.nix | 6 ++-- cluster/staging/site/jupiter.nix | 7 ++-- cluster/staging/site/neptune.nix | 8 ++--- 10 files changed, 54 insertions(+), 83 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix index cf30d6e..56ca904 100644 --- a/cluster/staging/cluster.nix +++ b/cluster/staging/cluster.nix @@ -1,49 +1,43 @@ { config, pkgs, ... } @ args: { - deuxfleurs.cluster_name = "staging"; + deuxfleurs.clusterName = "staging"; # The IP range to use for the Wireguard overlay of this cluster - deuxfleurs.cluster_prefix = "10.14.0.0"; - deuxfleurs.cluster_prefix_length = 16; + deuxfleurs.clusterPrefix = "10.14.0.0/16"; - deuxfleurs.cluster_nodes = [ - { - hostname = "carcajou"; - site_name = "neptune"; + deuxfleurs.clusterNodes = { + "carcajou" = { + siteName = "neptune"; publicKey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="; - IP = "10.14.1.2"; + address = "10.14.1.2"; endpoint = "77.207.15.215:33722"; - } - { - hostname = "caribou"; - site_name = "neptune"; + }; + "caribou" = { + siteName = "neptune"; publicKey = "lABn/axzD1jkFulX8c+K3B3CbKXORlIMDDoe8sQVxhs="; - IP = "10.14.1.3"; + address = "10.14.1.3"; endpoint = "77.207.15.215:33723"; - } - { - hostname = "origan"; - site_name = "jupiter"; + }; + "origan" = { + siteName = "jupiter"; publicKey = "smBQYUS60JDkNoqkTT7TgbpqFiM43005fcrT6472llI="; - IP = "10.14.2.33"; + address = "10.14.2.33"; endpoint = "82.64.238.84:33733"; - } - { - hostname = "piranha"; - site_name = "corrin"; + }; + "piranha" = { + siteName = "corrin"; publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY="; - IP = "10.14.3.1"; + address = "10.14.3.1"; #endpoint = "82.120.233.78:33721"; - } - { - hostname = "df-pw5"; - site_name = "bespin"; + }; + "df-pw5" = { + siteName = "bespin"; publicKey = "XLOYoMXF+PO4jcgfSVAk+thh4VmWx0wzWnb0xs08G1s="; - IP = "10.14.4.1"; + address = "10.14.4.1"; endpoint = "bitfrost.fiber.shirokumo.net:33734"; - } - ]; + }; + }; services.wgautomesh.logLevel = "debug"; # Bootstrap IPs for Consul cluster, @@ -54,7 +48,7 @@ "10.14.1.3" # caribou ]; - deuxfleurs.admin_accounts = { + deuxfleurs.adminAccounts = { lx = [ # Keys for accessing nodes from outside "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy" @@ -142,16 +136,16 @@ enable = true; port = substituter_port; openFirewall = false; - bindAddress = config.deuxfleurs.cluster_ip; + bindAddress = "0.0.0.0"; package = pkgs.haskellPackages.nix-serve-ng; }; nix.settings.substituters = map - ({ IP, ... }: "http://${IP}:${builtins.toString substituter_port}") - (builtins.filter - ({ site_name, IP, ...}: - (IP != config.deuxfleurs.cluster_ip - && site_name == config.deuxfleurs.site_name)) - config.deuxfleurs.cluster_nodes); + ({ address, ... }: "http://${address}:${builtins.toString substituter_port}") + (builtins.attrValues (pkgs.lib.filterAttrs + (hostname: { siteName, ...}: + (hostname != config.deuxfleurs.hostName + && siteName == config.deuxfleurs.siteName)) + config.deuxfleurs.clusterNodes)); }) ]; } diff --git a/cluster/staging/node/carcajou.nix b/cluster/staging/node/carcajou.nix index 5822f49..e6c1653 100644 --- a/cluster/staging/node/carcajou.nix +++ b/cluster/staging/node/carcajou.nix @@ -19,11 +19,8 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "carcajou"; - - deuxfleurs.ipv6 = "2001:910:1204:1::22"; - - deuxfleurs.cluster_ip = "10.14.1.2"; + deuxfleurs.hostName = "carcajou"; + deuxfleurs.ipv6Address = "2001:910:1204:1::22"; system.stateVersion = "21.05"; } diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix index 2e8691a..ad5a65d 100644 --- a/cluster/staging/node/caribou.nix +++ b/cluster/staging/node/caribou.nix @@ -8,12 +8,9 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "caribou"; - - deuxfleurs.ipv6 = "2001:910:1204:1::23"; - - deuxfleurs.cluster_ip = "10.14.1.3"; - deuxfleurs.is_raft_server = true; + deuxfleurs.hostName = "caribou"; + deuxfleurs.ipv6Address = "2001:910:1204:1::23"; + deuxfleurs.isRaftServer = true; system.stateVersion = "21.05"; } diff --git a/cluster/staging/node/df-pw5.nix b/cluster/staging/node/df-pw5.nix index 356a2ae..0e5be15 100644 --- a/cluster/staging/node/df-pw5.nix +++ b/cluster/staging/node/df-pw5.nix @@ -9,13 +9,9 @@ boot.loader.efi.efiSysMountPoint = "/boot"; boot.loader.timeout = 20; - networking.hostName = "df-pw5"; - + deuxfleurs.hostName = "df-pw5"; deuxfleurs.staticIPv4.address = "192.168.5.130/24"; - deuxfleurs.ipv6 = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7"; - - deuxfleurs.cluster_ip = "10.14.4.1"; - deuxfleurs.is_raft_server = false; + deuxfleurs.ipv6Address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7"; system.stateVersion = "22.11"; } diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix index 6db7f87..d900fd6 100644 --- a/cluster/staging/node/origan.nix +++ b/cluster/staging/node/origan.nix @@ -8,13 +8,10 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "origan"; - + deuxfleurs.hostName = "origan"; deuxfleurs.staticIPv4.address = "192.168.1.33/24"; - deuxfleurs.ipv6 = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec"; - - deuxfleurs.cluster_ip = "10.14.2.33"; - deuxfleurs.is_raft_server = true; + deuxfleurs.ipv6Address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec"; + deuxfleurs.isRaftServer = true; system.stateVersion = "22.11"; } diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix index 4873693..436965c 100644 --- a/cluster/staging/node/piranha.nix +++ b/cluster/staging/node/piranha.nix @@ -8,13 +8,10 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "piranha"; - + deuxfleurs.hostName = "piranha"; deuxfleurs.staticIPv4.address = "192.168.1.25/24"; - deuxfleurs.ipv6 = "2a01:cb05:8984:9900:223:24ff:feb0:ea82"; - - deuxfleurs.cluster_ip = "10.14.3.1"; - deuxfleurs.is_raft_server = true; + deuxfleurs.ipv6Address = "2a01:cb05:8984:9900:223:24ff:feb0:ea82"; + deuxfleurs.isRaftServer = true; system.stateVersion = "22.11"; } diff --git a/cluster/staging/site/bespin.nix b/cluster/staging/site/bespin.nix index 3fcefbb..22feb59 100644 --- a/cluster/staging/site/bespin.nix +++ b/cluster/staging/site/bespin.nix @@ -1,9 +1,9 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "bespin"; + deuxfleurs.siteName = "bespin"; deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254"; - deuxfleurs.cname_target = "bespin.site.staging.deuxfleurs.org."; + deuxfleurs.cnameTarget = "bespin.site.staging.deuxfleurs.org."; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix index 0ff7b80..0083986 100644 --- a/cluster/staging/site/corrin.nix +++ b/cluster/staging/site/corrin.nix @@ -1,10 +1,10 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "corrin"; + deuxfleurs.siteName = "corrin"; deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; - deuxfleurs.cname_target = "corrin.site.staging.deuxfleurs.org."; - deuxfleurs.public_ipv4 = "82.120.233.78"; + deuxfleurs.cnameTarget = "corrin.site.staging.deuxfleurs.org."; + deuxfleurs.publicIPv4 = "82.120.233.78"; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix index 2269836..2d39f5a 100644 --- a/cluster/staging/site/jupiter.nix +++ b/cluster/staging/site/jupiter.nix @@ -1,12 +1,9 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "jupiter"; + deuxfleurs.siteName = "jupiter"; deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; - deuxfleurs.cname_target = "jupiter.site.staging.deuxfleurs.org."; - - # no public ipv4 is used for the staging cluster on Jupiter - # deuxfleurs.public_ipv4 = "???"; + deuxfleurs.cnameTarget = "jupiter.site.staging.deuxfleurs.org."; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix index 36d5957..f94d62f 100644 --- a/cluster/staging/site/neptune.nix +++ b/cluster/staging/site/neptune.nix @@ -1,12 +1,8 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "neptune"; - deuxfleurs.cname_target = "neptune.site.staging.deuxfleurs.org."; - - # no public ipv4 is used for the staging cluster on Neptune, - # because the Internet connection is already used for the prod cluster - # deuxfleurs.public_ipv4 = "77.207.15.215"; + deuxfleurs.siteName = "neptune"; + deuxfleurs.cnameTarget = "neptune.site.staging.deuxfleurs.org."; networking.firewall.allowedTCPPorts = [ 80 443 ]; } -- cgit v1.2.3 From cb8d7e92d2aa2950fa403ff8e2ec2a9a31b48b32 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 5 Apr 2023 10:25:22 +0200 Subject: staging: ipv6-only diplonat for automatic address discovery --- cluster/staging/app/core/deploy/core-system.hcl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/app/core/deploy/core-system.hcl b/cluster/staging/app/core/deploy/core-system.hcl index 05fa0f2..dba6b95 100644 --- a/cluster/staging/app/core/deploy/core-system.hcl +++ b/cluster/staging/app/core/deploy/core-system.hcl @@ -13,7 +13,6 @@ job "core-system" { stagger = "1m" } -/* group "diplonat" { task "diplonat" { driver = "nix2" @@ -21,7 +20,7 @@ job "core-system" { config { packages = [ "#iptables", - "git+https://git.deuxfleurs.fr/Deuxfleurs/diplonat.git?ref=main&rev=f306e8dc8d0e93478353ce39b6064e8c06a8bca6" + "git+https://git.deuxfleurs.fr/Deuxfleurs/diplonat.git?ref=stun&rev=21ab77b8288630c5f39a30b098c6a3888df622a1" ] command = "diplonat" } @@ -53,6 +52,7 @@ job "core-system" { data = < Date: Wed, 5 Apr 2023 13:20:17 +0200 Subject: Allow for IPv6 with RA disabled by manually providing gateway --- cluster/staging/node/carcajou.nix | 2 +- cluster/staging/node/caribou.nix | 2 +- cluster/staging/node/df-pw5.nix | 2 +- cluster/staging/node/origan.nix | 2 +- cluster/staging/node/piranha.nix | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/node/carcajou.nix b/cluster/staging/node/carcajou.nix index e6c1653..d5211f1 100644 --- a/cluster/staging/node/carcajou.nix +++ b/cluster/staging/node/carcajou.nix @@ -20,7 +20,7 @@ boot.loader.efi.canTouchEfiVariables = true; deuxfleurs.hostName = "carcajou"; - deuxfleurs.ipv6Address = "2001:910:1204:1::22"; + deuxfleurs.staticIPv6.address = "2001:910:1204:1::22"; system.stateVersion = "21.05"; } diff --git a/cluster/staging/node/caribou.nix b/cluster/staging/node/caribou.nix index ad5a65d..80293e9 100644 --- a/cluster/staging/node/caribou.nix +++ b/cluster/staging/node/caribou.nix @@ -9,7 +9,7 @@ boot.loader.efi.canTouchEfiVariables = true; deuxfleurs.hostName = "caribou"; - deuxfleurs.ipv6Address = "2001:910:1204:1::23"; + deuxfleurs.staticIPv6.address = "2001:910:1204:1::23"; deuxfleurs.isRaftServer = true; system.stateVersion = "21.05"; diff --git a/cluster/staging/node/df-pw5.nix b/cluster/staging/node/df-pw5.nix index 0e5be15..e1a132c 100644 --- a/cluster/staging/node/df-pw5.nix +++ b/cluster/staging/node/df-pw5.nix @@ -11,7 +11,7 @@ deuxfleurs.hostName = "df-pw5"; deuxfleurs.staticIPv4.address = "192.168.5.130/24"; - deuxfleurs.ipv6Address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7"; + deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7"; system.stateVersion = "22.11"; } diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix index d900fd6..6906f4d 100644 --- a/cluster/staging/node/origan.nix +++ b/cluster/staging/node/origan.nix @@ -10,7 +10,7 @@ deuxfleurs.hostName = "origan"; deuxfleurs.staticIPv4.address = "192.168.1.33/24"; - deuxfleurs.ipv6Address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec"; + deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec"; deuxfleurs.isRaftServer = true; system.stateVersion = "22.11"; diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix index 2b9907d..bc1aa03 100644 --- a/cluster/staging/node/piranha.nix +++ b/cluster/staging/node/piranha.nix @@ -10,7 +10,7 @@ deuxfleurs.hostName = "piranha"; deuxfleurs.staticIPv4.address = "192.168.1.25/24"; - deuxfleurs.ipv6Address = "2a01:cb05:9142:7400:223:24ff:feb0:ea82"; + deuxfleurs.staticIPv6.address = "2a01:cb05:9142:7400:223:24ff:feb0:ea82"; deuxfleurs.isRaftServer = true; system.stateVersion = "22.11"; -- cgit v1.2.3 From 16422d280959808aff1670a066788e98049f42b7 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 5 Apr 2023 14:04:11 +0200 Subject: introduce back static ipv4 prefix lenght but with default value --- cluster/staging/node/df-pw5.nix | 2 +- cluster/staging/node/origan.nix | 2 +- cluster/staging/node/piranha.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/node/df-pw5.nix b/cluster/staging/node/df-pw5.nix index e1a132c..2f20f1c 100644 --- a/cluster/staging/node/df-pw5.nix +++ b/cluster/staging/node/df-pw5.nix @@ -10,7 +10,7 @@ boot.loader.timeout = 20; deuxfleurs.hostName = "df-pw5"; - deuxfleurs.staticIPv4.address = "192.168.5.130/24"; + deuxfleurs.staticIPv4.address = "192.168.5.130"; deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:223:24ff:feb0:e8a7"; system.stateVersion = "22.11"; diff --git a/cluster/staging/node/origan.nix b/cluster/staging/node/origan.nix index 6906f4d..49ecbbf 100644 --- a/cluster/staging/node/origan.nix +++ b/cluster/staging/node/origan.nix @@ -9,7 +9,7 @@ boot.loader.efi.canTouchEfiVariables = true; deuxfleurs.hostName = "origan"; - deuxfleurs.staticIPv4.address = "192.168.1.33/24"; + deuxfleurs.staticIPv4.address = "192.168.1.33"; deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feaf:fdec"; deuxfleurs.isRaftServer = true; diff --git a/cluster/staging/node/piranha.nix b/cluster/staging/node/piranha.nix index bc1aa03..896f169 100644 --- a/cluster/staging/node/piranha.nix +++ b/cluster/staging/node/piranha.nix @@ -9,7 +9,7 @@ boot.loader.efi.canTouchEfiVariables = true; deuxfleurs.hostName = "piranha"; - deuxfleurs.staticIPv4.address = "192.168.1.25/24"; + deuxfleurs.staticIPv4.address = "192.168.1.25"; deuxfleurs.staticIPv6.address = "2a01:cb05:9142:7400:223:24ff:feb0:ea82"; deuxfleurs.isRaftServer = true; -- cgit v1.2.3 From c08bc17cc0ca37557a4b43f3ef2e1bcf8a1db2c0 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 5 Apr 2023 14:06:59 +0200 Subject: Adapt prod config to new parameters --- cluster/prod/cluster.nix | 101 +++++++++++++++++---------------------- cluster/prod/node/abricot.nix | 11 ++--- cluster/prod/node/celeri.nix | 11 ++--- cluster/prod/node/concombre.nix | 12 ++--- cluster/prod/node/courgette.nix | 11 ++--- cluster/prod/node/dahlia.nix | 12 ++--- cluster/prod/node/df-ykl.nix | 12 ++--- cluster/prod/node/df-ymf.nix | 11 ++--- cluster/prod/node/df-ymk.nix | 11 ++--- cluster/prod/node/diplotaxis.nix | 11 ++--- cluster/prod/node/doradille.nix | 11 ++--- cluster/prod/site/bespin.nix | 10 ++-- cluster/prod/site/neptune.nix | 12 ++--- cluster/prod/site/orion.nix | 17 +++---- cluster/prod/site/scorpio.nix | 12 ++--- 15 files changed, 98 insertions(+), 167 deletions(-) (limited to 'cluster') diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix index 44c376e..cbeed8f 100644 --- a/cluster/prod/cluster.nix +++ b/cluster/prod/cluster.nix @@ -1,84 +1,73 @@ { config, pkgs, ... } @ args: { - deuxfleurs.cluster_name = "prod"; + deuxfleurs.clusterName = "prod"; # The IP range to use for the Wireguard overlay of this cluster - deuxfleurs.cluster_prefix = "10.83.0.0"; - deuxfleurs.cluster_prefix_length = 16; + deuxfleurs.clusterPrefix = "10.83.0.0/16"; - deuxfleurs.cluster_nodes = [ - { - hostname = "concombre"; - site_name = "neptune"; + deuxfleurs.cluster_nodes = { + "concombre" = { + siteName = "neptune"; publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34="; - IP = "10.83.1.1"; + address = "10.83.1.1"; endpoint = "77.207.15.215:33731"; - } - { - hostname = "courgette"; - site_name = "neptune"; + }; + "courgette" = { + siteName = "neptune"; publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0="; - IP = "10.83.1.2"; + address = "10.83.1.2"; endpoint = "77.207.15.215:33732"; - } - { - hostname = "celeri"; - site_name = "neptune"; + }; + "celeri" = { + siteName = "neptune"; publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U="; - IP = "10.83.1.3"; + address = "10.83.1.3"; endpoint = "77.207.15.215:33733"; - } - { - hostname = "dahlia"; - site_name = "orion"; + }; + "dahlia" = { + siteName = "orion"; publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU="; - IP = "10.83.2.1"; + address = "10.83.2.1"; endpoint = "82.66.80.201:33731"; - } - { - hostname = "diplotaxis"; - site_name = "orion"; + }; + "diplotaxis" = { + siteName = "orion"; publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA="; - IP = "10.83.2.2"; + address = "10.83.2.2"; endpoint = "82.66.80.201:33732"; - } - { - hostname = "doradille"; - site_name = "orion"; + }; + "doradille" = { + siteName = "orion"; publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y="; - IP = "10.83.2.3"; + address = "10.83.2.3"; endpoint = "82.66.80.201:33733"; - } - { - hostname = "df-ykl"; - site_name = "bespin"; + }; + "df-ykl" = { + siteName = "bespin"; publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg="; - IP = "10.83.3.1"; + address = "10.83.3.1"; endpoint = "109.136.55.235:33731"; - } - { - hostname = "df-ymf"; - site_name = "bespin"; + }; + "df-ymf" = { + siteName = "bespin"; publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ="; - IP = "10.83.3.2"; + address = "10.83.3.2"; endpoint = "109.136.55.235:33732"; - } - { - hostname = "df-ymk"; - site_name = "bespin"; + }; + "df-ymk" = { + siteName = "bespin"; publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI="; - IP = "10.83.3.3"; + address = "10.83.3.3"; endpoint = "109.136.55.235:33733"; - } - { - hostname = "abricot"; - site_name = "scorpio"; + }; + "abricot" = { + siteName = "scorpio"; publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg="; - IP = "10.83.4.1"; + address = "10.83.4.1"; endpoint = "82.65.41.110:33741"; - } - ]; + }; + }; # Bootstrap IPs for Consul cluster, # these are IPs on the Wireguard overlay @@ -88,7 +77,7 @@ "10.83.3.1" # df-ykl ]; - deuxfleurs.admin_accounts = { + deuxfleurs.adminAccounts = { lx = [ # Keys for accessing nodes from outside "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy" diff --git a/cluster/prod/node/abricot.nix b/cluster/prod/node/abricot.nix index b092fb2..69cc38d 100644 --- a/cluster/prod/node/abricot.nix +++ b/cluster/prod/node/abricot.nix @@ -8,12 +8,7 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "abricot"; - - deuxfleurs.network_interface = "eno1"; - deuxfleurs.lan_ip = "192.168.1.41"; - deuxfleurs.ipv6 = "2a01:e0a:e4:2dd0::41"; - - deuxfleurs.cluster_ip = "10.83.4.1"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "abricot"; + deuxfleurs.staticIPv4.address = "192.168.1.41"; + deuxfleurs.staticIPv6.address = "2a01:e0a:e4:2dd0::41"; } diff --git a/cluster/prod/node/celeri.nix b/cluster/prod/node/celeri.nix index fdb88b9..45087f3 100644 --- a/cluster/prod/node/celeri.nix +++ b/cluster/prod/node/celeri.nix @@ -8,12 +8,7 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "celeri"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.1.33"; - deuxfleurs.ipv6 = "2001:910:1204:1::33"; - - deuxfleurs.cluster_ip = "10.83.1.3"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "celeri"; + deuxfleurs.staticIPv4.address = "192.168.1.33"; + deuxfleurs.staticIPv6.address = "2001:910:1204:1::33"; } diff --git a/cluster/prod/node/concombre.nix b/cluster/prod/node/concombre.nix index eefc9e7..9a9e456 100644 --- a/cluster/prod/node/concombre.nix +++ b/cluster/prod/node/concombre.nix @@ -8,12 +8,8 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "concombre"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.1.31"; - deuxfleurs.ipv6 = "2001:910:1204:1::31"; - - deuxfleurs.cluster_ip = "10.83.1.1"; - deuxfleurs.is_raft_server = true; + deuxfleurs.hostName = "concombre"; + deuxfleurs.staticIPv4.address = "192.168.1.31"; + deuxfleurs.staticIPv6.address = "2001:910:1204:1::31"; + deuxfleurs.isRaftServer = true; } diff --git a/cluster/prod/node/courgette.nix b/cluster/prod/node/courgette.nix index c2bf0d8..081c297 100644 --- a/cluster/prod/node/courgette.nix +++ b/cluster/prod/node/courgette.nix @@ -8,12 +8,7 @@ boot.loader.timeout = 20; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "courgette"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.1.32"; - deuxfleurs.ipv6 = "2001:910:1204:1::32"; - - deuxfleurs.cluster_ip = "10.83.1.2"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "courgette"; + deuxfleurs.staticIPv4.address = "192.168.1.32"; + deuxfleurs.staticIPv6.address = "2001:910:1204:1::32"; } diff --git a/cluster/prod/node/dahlia.nix b/cluster/prod/node/dahlia.nix index fc51ea8..ee9e7aa 100644 --- a/cluster/prod/node/dahlia.nix +++ b/cluster/prod/node/dahlia.nix @@ -7,12 +7,8 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "dahlia"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.1.11"; - deuxfleurs.ipv6 = "2a01:e0a:28f:5e60::11"; - - deuxfleurs.cluster_ip = "10.83.2.1"; - deuxfleurs.is_raft_server = true; + deuxfleurs.hostName = "dahlia"; + deuxfleurs.staticIPv4.address = "192.168.1.11"; + deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::11"; + deuxfleurs.isRaftServer = true; } diff --git a/cluster/prod/node/df-ykl.nix b/cluster/prod/node/df-ykl.nix index 04a2b35..843d322 100644 --- a/cluster/prod/node/df-ykl.nix +++ b/cluster/prod/node/df-ykl.nix @@ -7,14 +7,10 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "df-ykl"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.5.117"; - deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c"; - - deuxfleurs.cluster_ip = "10.83.3.1"; - deuxfleurs.is_raft_server = true; + deuxfleurs.hostName = "df-ykl"; + deuxfleurs.staticIPv4.address = "192.168.5.117"; + deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c"; + deuxfleurs.isRaftServer = true; fileSystems."/mnt" = { device = "/dev/disk/by-uuid/f7aa396f-23d0-44d3-89cf-3cb00bbb6c3b"; diff --git a/cluster/prod/node/df-ymf.nix b/cluster/prod/node/df-ymf.nix index 15c5b1e..df2ebb3 100644 --- a/cluster/prod/node/df-ymf.nix +++ b/cluster/prod/node/df-ymf.nix @@ -7,14 +7,9 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "df-ymf"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.5.134"; - deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3a:6174"; - - deuxfleurs.cluster_ip = "10.83.3.2"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "df-ymf"; + deuxfleurs.staticIPv4.address = "192.168.5.134"; + deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:6e4b:90ff:fe3a:6174"; fileSystems."/mnt" = { device = "/dev/disk/by-uuid/fec20a7e-5019-4747-8f73-77f3f196c122"; diff --git a/cluster/prod/node/df-ymk.nix b/cluster/prod/node/df-ymk.nix index d7deb49..f98b576 100644 --- a/cluster/prod/node/df-ymk.nix +++ b/cluster/prod/node/df-ymk.nix @@ -7,14 +7,9 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "df-ymk"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.5.116"; - deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e939"; - - deuxfleurs.cluster_ip = "10.83.3.3"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "df-ymk"; + deuxfleurs.staticIPv4.address = "192.168.5.116"; + deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e939"; fileSystems."/mnt" = { device = "/dev/disk/by-uuid/51d95b17-0e06-4a73-9e4e-ae5363cc4015"; diff --git a/cluster/prod/node/diplotaxis.nix b/cluster/prod/node/diplotaxis.nix index c1ce4f9..f9c7faf 100644 --- a/cluster/prod/node/diplotaxis.nix +++ b/cluster/prod/node/diplotaxis.nix @@ -8,12 +8,7 @@ boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only - networking.hostName = "diplotaxis"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.1.12"; - deuxfleurs.ipv6 = "2a01:e0a:28f:5e60::12"; - - deuxfleurs.cluster_ip = "10.83.2.2"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "diplotaxis"; + deuxfleurs.staticIPv4.address = "192.168.1.12"; + deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::12"; } diff --git a/cluster/prod/node/doradille.nix b/cluster/prod/node/doradille.nix index f1c6e57..a4dc691 100644 --- a/cluster/prod/node/doradille.nix +++ b/cluster/prod/node/doradille.nix @@ -8,12 +8,7 @@ boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only - networking.hostName = "doradille"; - - deuxfleurs.network_interface = "enp0s31f6"; - deuxfleurs.lan_ip = "192.168.1.13"; - deuxfleurs.ipv6 = "2a01:e0a:28f:5e60::13"; - - deuxfleurs.cluster_ip = "10.83.2.3"; - deuxfleurs.is_raft_server = false; + deuxfleurs.hostName = "doradille"; + deuxfleurs.staticIPv4.address = "192.168.1.13"; + deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::13"; } diff --git a/cluster/prod/site/bespin.nix b/cluster/prod/site/bespin.nix index de39f85..3c9a668 100644 --- a/cluster/prod/site/bespin.nix +++ b/cluster/prod/site/bespin.nix @@ -1,13 +1,9 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "bespin"; - deuxfleurs.lan_default_gateway = "192.168.5.254"; - deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.5.254" ]; - deuxfleurs.cname_target = "bespin.site.deuxfleurs.fr."; + deuxfleurs.siteName = "bespin"; + deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254"; + deuxfleurs.cnameTarget = "bespin.site.deuxfleurs.fr."; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/prod/site/neptune.nix b/cluster/prod/site/neptune.nix index a4aac6d..81495c6 100644 --- a/cluster/prod/site/neptune.nix +++ b/cluster/prod/site/neptune.nix @@ -1,14 +1,10 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "neptune"; - deuxfleurs.lan_default_gateway = "192.168.1.1"; - deuxfleurs.ipv6_default_gateway = "2001:910:1204:1::1"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.1.1" ]; - deuxfleurs.cname_target = "neptune.site.deuxfleurs.fr."; - deuxfleurs.public_ipv4 = "77.207.15.215"; + deuxfleurs.siteName = "neptune"; + deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; + deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr."; + deuxfleurs.publicIPv4 = "77.207.15.215"; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/prod/site/orion.nix b/cluster/prod/site/orion.nix index fb4ba22..5f6c33e 100644 --- a/cluster/prod/site/orion.nix +++ b/cluster/prod/site/orion.nix @@ -1,14 +1,15 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "orion"; - deuxfleurs.lan_default_gateway = "192.168.1.254"; - deuxfleurs.ipv6_default_gateway = "2a01:e0a:28f:5e60::1"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.1.254" ]; - deuxfleurs.cname_target = "orion.site.deuxfleurs.fr."; - deuxfleurs.public_ipv4 = "82.66.80.201"; + deuxfleurs.siteName = "orion"; + deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254"; + # Setting an IPv6 default gateway will disable RA for now. + # Adding this for now as Orion has the mail servers and we are + # not yet confident we can disable this without getting ourselves + # banned by sending from unwanted IPs (although it should be ok). + deuxfleurs.staticIPv6.defaultGateway = "2a01:e0a:28f:5e60::1"; + deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr."; + deuxfleurs.publicIPv4 = "82.66.80.201"; networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/prod/site/scorpio.nix b/cluster/prod/site/scorpio.nix index b58e25c..b1e0f20 100644 --- a/cluster/prod/site/scorpio.nix +++ b/cluster/prod/site/scorpio.nix @@ -1,14 +1,10 @@ { config, pkgs, ... }: { - deuxfleurs.site_name = "scorpio"; - deuxfleurs.lan_default_gateway = "192.168.1.254"; - deuxfleurs.ipv6_default_gateway = "2a01:e0a:e4:2dd0::1"; - deuxfleurs.lan_ip_prefix_length = 24; - deuxfleurs.ipv6_prefix_length = 64; - deuxfleurs.nameservers = [ "192.168.1.254" ]; - deuxfleurs.cname_target = "scorpio.site.deuxfleurs.fr."; - deuxfleurs.public_ipv4 = "82.65.41.110"; + deuxfleurs.siteName = "scorpio"; + deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254"; + deuxfleurs.cnameTarget = "scorpio.site.deuxfleurs.fr."; + deuxfleurs.publicIPv4 = "82.65.41.110"; networking.firewall.allowedTCPPorts = [ 80 443 ]; } -- cgit v1.2.3 From 07f50f297a8fcb3ccee167ca486084bafb2c1120 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 5 Apr 2023 16:30:28 +0200 Subject: D53 with addresses from DiploNAT autodiscovery; diplonat fw opening for tricot --- cluster/staging/app/core/deploy/core-service.hcl | 2 +- cluster/staging/app/core/deploy/core-system.hcl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/app/core/deploy/core-service.hcl b/cluster/staging/app/core/deploy/core-service.hcl index 6799e01..bf835c7 100644 --- a/cluster/staging/app/core/deploy/core-service.hcl +++ b/cluster/staging/app/core/deploy/core-service.hcl @@ -11,7 +11,7 @@ job "core-service" { config { packages = [ - "git+https://git.deuxfleurs.fr/lx/D53.git?ref=main&rev=86c255dfeabc60b0ef46ff78bc487c61c9548c79" + "git+https://git.deuxfleurs.fr/lx/D53.git?ref=diplonat-autodiscovery&rev=d906a6ebb5d977f44340b157a520477849ced161" ] command = "d53" } diff --git a/cluster/staging/app/core/deploy/core-system.hcl b/cluster/staging/app/core/deploy/core-system.hcl index dba6b95..2ec9b58 100644 --- a/cluster/staging/app/core/deploy/core-system.hcl +++ b/cluster/staging/app/core/deploy/core-system.hcl @@ -140,7 +140,7 @@ EOH tags = [ "d53-aaaa ${meta.site}.site.staging.deuxfleurs.org", "d53-aaaa staging.deuxfleurs.org", - # "(diplonat (tcp_port 80))" + "(diplonat (tcp_port 80))" ] address_mode = "host" } @@ -149,7 +149,7 @@ EOH name = "tricot-https" port = "https_port" tags = [ - # "(diplonat (tcp_port 443))" + "(diplonat (tcp_port 443))" ] address_mode = "host" } -- cgit v1.2.3 From 0372df95b5689d5104131ccc75f05d791c6e6a23 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 19 Apr 2023 20:36:24 +0200 Subject: staging: fix consul server addresses --- cluster/staging/cluster.nix | 4 ++-- cluster/staging/ssh_config | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'cluster') diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix index 56ca904..2fec94c 100644 --- a/cluster/staging/cluster.nix +++ b/cluster/staging/cluster.nix @@ -43,9 +43,9 @@ # Bootstrap IPs for Consul cluster, # these are IPs on the Wireguard overlay services.consul.extraConfig.retry_join = [ - "10.14.1.1" # cariacou - "10.14.1.2" # carcajou "10.14.1.3" # caribou + "10.14.2.33" # origan + "10.14.3.1" # piranha ]; deuxfleurs.adminAccounts = { diff --git a/cluster/staging/ssh_config b/cluster/staging/ssh_config index 3043207..08cac54 100644 --- a/cluster/staging/ssh_config +++ b/cluster/staging/ssh_config @@ -10,7 +10,7 @@ Host origan HostName origan.df.trinity.fr.eu.org Host piranha - ProxyJump caribou.machine.deuxfleurs.fr + ProxyJump carcajou.machine.deuxfleurs.fr HostName 10.14.3.1 #HostName piranha.polyno.me -- cgit v1.2.3 From e5f9f3c8495a8f0e6b9c46b56d207b57aad3ec3d Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Wed, 19 Apr 2023 21:05:47 +0200 Subject: increase diplonat ram --- cluster/staging/app/core/deploy/core-system.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cluster') diff --git a/cluster/staging/app/core/deploy/core-system.hcl b/cluster/staging/app/core/deploy/core-system.hcl index 2ec9b58..1d3eb84 100644 --- a/cluster/staging/app/core/deploy/core-system.hcl +++ b/cluster/staging/app/core/deploy/core-system.hcl @@ -65,7 +65,7 @@ EOH } resources { - memory = 40 + memory = 100 } } } -- cgit v1.2.3 From b4e82e37e4e1718dfffa70cd0c6222c1b34fc997 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Thu, 20 Apr 2023 15:13:13 +0200 Subject: diplonat with fixed iptables thing --- cluster/staging/app/core/deploy/core-service.hcl | 62 --------- cluster/staging/app/core/deploy/core-system.hcl | 164 ----------------------- cluster/staging/app/core/deploy/d53.hcl | 62 +++++++++ cluster/staging/app/core/deploy/diplonat.hcl | 75 +++++++++++ cluster/staging/app/core/deploy/tricot.hcl | 108 +++++++++++++++ 5 files changed, 245 insertions(+), 226 deletions(-) delete mode 100644 cluster/staging/app/core/deploy/core-service.hcl delete mode 100644 cluster/staging/app/core/deploy/core-system.hcl create mode 100644 cluster/staging/app/core/deploy/d53.hcl create mode 100644 cluster/staging/app/core/deploy/diplonat.hcl create mode 100644 cluster/staging/app/core/deploy/tricot.hcl (limited to 'cluster') diff --git a/cluster/staging/app/core/deploy/core-service.hcl b/cluster/staging/app/core/deploy/core-service.hcl deleted file mode 100644 index bf835c7..0000000 --- a/cluster/staging/app/core/deploy/core-service.hcl +++ /dev/null @@ -1,62 +0,0 @@ -job "core-service" { - datacenters = ["neptune", "jupiter", "corrin", "bespin"] - type = "service" - priority = 90 - - group "D53" { - count = 1 - - task "d53" { - driver = "nix2" - - config { - packages = [ - "git+https://git.deuxfleurs.fr/lx/D53.git?ref=diplonat-autodiscovery&rev=d906a6ebb5d977f44340b157a520477849ced161" - ] - command = "d53" - } - - resources { - cpu = 100 - memory = 100 - } - - restart { - interval = "3m" - attempts = 10 - delay = "15s" - mode = "delay" - } - - template { - data = "{{ key \"secrets/consul/consul-ca.crt\" }}" - destination = "etc/tricot/consul-ca.crt" - } - - template { - data = "{{ key \"secrets/consul/consul-client.crt\" }}" - destination = "etc/tricot/consul-client.crt" - } - - template { - data = "{{ key \"secrets/consul/consul-client.key\" }}" - destination = "etc/tricot/consul-client.key" - } - - template { - data = < Date: Fri, 21 Apr 2023 11:29:15 +0200 Subject: Fix unbound; remove Nixos firewall (use only diplonat) --- cluster/prod/cluster.nix | 2 +- cluster/prod/site/bespin.nix | 2 -- cluster/prod/site/neptune.nix | 2 -- cluster/prod/site/orion.nix | 2 -- cluster/prod/site/scorpio.nix | 2 -- cluster/staging/site/bespin.nix | 2 -- cluster/staging/site/corrin.nix | 2 -- cluster/staging/site/jupiter.nix | 2 -- cluster/staging/site/neptune.nix | 2 -- 9 files changed, 1 insertion(+), 17 deletions(-) (limited to 'cluster') diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix index cbeed8f..ea3bdec 100644 --- a/cluster/prod/cluster.nix +++ b/cluster/prod/cluster.nix @@ -6,7 +6,7 @@ # The IP range to use for the Wireguard overlay of this cluster deuxfleurs.clusterPrefix = "10.83.0.0/16"; - deuxfleurs.cluster_nodes = { + deuxfleurs.clusterNodes = { "concombre" = { siteName = "neptune"; publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34="; diff --git a/cluster/prod/site/bespin.nix b/cluster/prod/site/bespin.nix index 3c9a668..cdce53e 100644 --- a/cluster/prod/site/bespin.nix +++ b/cluster/prod/site/bespin.nix @@ -4,6 +4,4 @@ deuxfleurs.siteName = "bespin"; deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254"; deuxfleurs.cnameTarget = "bespin.site.deuxfleurs.fr."; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/prod/site/neptune.nix b/cluster/prod/site/neptune.nix index 81495c6..ab24f4a 100644 --- a/cluster/prod/site/neptune.nix +++ b/cluster/prod/site/neptune.nix @@ -5,6 +5,4 @@ deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr."; deuxfleurs.publicIPv4 = "77.207.15.215"; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/prod/site/orion.nix b/cluster/prod/site/orion.nix index 5f6c33e..58c49ab 100644 --- a/cluster/prod/site/orion.nix +++ b/cluster/prod/site/orion.nix @@ -10,6 +10,4 @@ deuxfleurs.staticIPv6.defaultGateway = "2a01:e0a:28f:5e60::1"; deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr."; deuxfleurs.publicIPv4 = "82.66.80.201"; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/prod/site/scorpio.nix b/cluster/prod/site/scorpio.nix index b1e0f20..e36dc1d 100644 --- a/cluster/prod/site/scorpio.nix +++ b/cluster/prod/site/scorpio.nix @@ -5,6 +5,4 @@ deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254"; deuxfleurs.cnameTarget = "scorpio.site.deuxfleurs.fr."; deuxfleurs.publicIPv4 = "82.65.41.110"; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/bespin.nix b/cluster/staging/site/bespin.nix index 22feb59..2dbfbad 100644 --- a/cluster/staging/site/bespin.nix +++ b/cluster/staging/site/bespin.nix @@ -4,6 +4,4 @@ deuxfleurs.siteName = "bespin"; deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254"; deuxfleurs.cnameTarget = "bespin.site.staging.deuxfleurs.org."; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix index 6eb5239..027f6b3 100644 --- a/cluster/staging/site/corrin.nix +++ b/cluster/staging/site/corrin.nix @@ -5,6 +5,4 @@ deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; deuxfleurs.cnameTarget = "corrin.site.staging.deuxfleurs.org."; deuxfleurs.publicIPv4 = "2.13.96.213"; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix index 2d39f5a..28ba297 100644 --- a/cluster/staging/site/jupiter.nix +++ b/cluster/staging/site/jupiter.nix @@ -4,6 +4,4 @@ deuxfleurs.siteName = "jupiter"; deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1"; deuxfleurs.cnameTarget = "jupiter.site.staging.deuxfleurs.org."; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix index f94d62f..86148f4 100644 --- a/cluster/staging/site/neptune.nix +++ b/cluster/staging/site/neptune.nix @@ -3,6 +3,4 @@ { deuxfleurs.siteName = "neptune"; deuxfleurs.cnameTarget = "neptune.site.staging.deuxfleurs.org."; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } -- cgit v1.2.3 From 0b3332fd3234a13fc5d780f94a74133d1e7ba199 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 21 Apr 2023 11:55:24 +0200 Subject: break out core services into separate files --- cluster/prod/app/core/deploy/bottin.hcl | 100 ++++++++++ cluster/prod/app/core/deploy/core-service.hcl | 64 ------- cluster/prod/app/core/deploy/core-system.hcl | 257 -------------------------- cluster/prod/app/core/deploy/d53.hcl | 64 +++++++ cluster/prod/app/core/deploy/diplonat.hcl | 68 +++++++ cluster/prod/app/core/deploy/tricot.hcl | 109 +++++++++++ 6 files changed, 341 insertions(+), 321 deletions(-) create mode 100644 cluster/prod/app/core/deploy/bottin.hcl delete mode 100644 cluster/prod/app/core/deploy/core-service.hcl delete mode 100644 cluster/prod/app/core/deploy/core-system.hcl create mode 100644 cluster/prod/app/core/deploy/d53.hcl create mode 100644 cluster/prod/app/core/deploy/diplonat.hcl create mode 100644 cluster/prod/app/core/deploy/tricot.hcl (limited to 'cluster') diff --git a/cluster/prod/app/core/deploy/bottin.hcl b/cluster/prod/app/core/deploy/bottin.hcl new file mode 100644 index 0000000..40bb5af --- /dev/null +++ b/cluster/prod/app/core/deploy/bottin.hcl @@ -0,0 +1,100 @@ +job "core:bottin" { + datacenters = ["orion", "neptune", "scorpio"] + type = "system" + priority = 90 + + update { + max_parallel = 1 + stagger = "1m" + } + + group "bottin" { + constraint { + distinct_property = "${meta.site}" + value = "1" + } + + network { + port "ldap_port" { + static = 389 + to = 389 + } + } + + task "bottin" { + driver = "docker" + config { + image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z" + network_mode = "host" + readonly_rootfs = true + ports = [ "ldap_port" ] + volumes = [ + "secrets/config.json:/config.json", + "secrets:/etc/bottin", + ] + } + + restart { + interval = "5m" + attempts = 10 + delay = "15s" + mode = "delay" + } + + resources { + memory = 100 + memory_max = 200 + } + + template { + data = file("../config/bottin/config.json.tpl") + destination = "secrets/config.json" + } + + template { + data = "{{ key \"secrets/consul/consul.crt\" }}" + destination = "secrets/consul.crt" + } + + template { + data = "{{ key \"secrets/consul/consul-client.crt\" }}" + destination = "secrets/consul-client.crt" + } + + template { + data = "{{ key \"secrets/consul/consul-client.key\" }}" + destination = "secrets/consul-client.key" + } + + template { + data = < Date: Fri, 21 Apr 2023 12:03:35 +0200 Subject: Diplonat on bespin, ipv6-only --- cluster/prod/app/core/deploy/diplonat.hcl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'cluster') diff --git a/cluster/prod/app/core/deploy/diplonat.hcl b/cluster/prod/app/core/deploy/diplonat.hcl index bf56fd5..d6f8423 100644 --- a/cluster/prod/app/core/deploy/diplonat.hcl +++ b/cluster/prod/app/core/deploy/diplonat.hcl @@ -1,5 +1,5 @@ job "core:diplonat" { - datacenters = ["orion", "neptune", "scorpio"] + datacenters = ["orion", "neptune", "scorpio", "bespin"] type = "system" priority = 90 @@ -53,6 +53,9 @@ DIPLONAT_CONSUL_URL=https://consul.service.prod.consul:8501 DIPLONAT_CONSUL_TLS_SKIP_VERIFY=true DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key +{{ if env "meta.site" | eq "bespin" }} +DIPLONAT_IPV6_ONLY=true +{{ end }} RUST_LOG=debug EOH destination = "secrets/env" -- cgit v1.2.3 From 607add3161f9a465fc061cfd3a5434aa4dbd4796 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Fri, 21 Apr 2023 14:36:10 +0200 Subject: make specifying an ipv6 fully optionnal --- cluster/prod/app/garage/config/garage.toml | 6 ++++-- cluster/staging/app/core/deploy/d53.hcl | 4 ++-- cluster/staging/app/garage/config/garage.toml | 6 ++++-- cluster/staging/app/garage/deploy/garage.hcl | 1 + 4 files changed, 11 insertions(+), 6 deletions(-) (limited to 'cluster') diff --git a/cluster/prod/app/garage/config/garage.toml b/cluster/prod/app/garage/config/garage.toml index 36daa5d..5b10707 100644 --- a/cluster/prod/app/garage/config/garage.toml +++ b/cluster/prod/app/garage/config/garage.toml @@ -6,8 +6,10 @@ db_engine = "lmdb" replication_mode = "3" -rpc_bind_addr = "[{{ env "meta.public_ipv6" }}]:3901" -rpc_public_addr = "[{{ env "meta.public_ipv6" }}]:3901" +{{ with $a := env "attr.unique.hostname" | printf "diplonat/autodiscovery/ipv6/%s" | key | parseJSON }} +rpc_bind_addr = "[{{ $a.address }}]:3901" +rpc_public_addr = "[{{ $a.address }}]:3901" +{{ end }} rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}" [consul_discovery] diff --git a/cluster/staging/app/core/deploy/d53.hcl b/cluster/staging/app/core/deploy/d53.hcl index 5d57eb3..fb1c1bf 100644 --- a/cluster/staging/app/core/deploy/d53.hcl +++ b/cluster/staging/app/core/deploy/d53.hcl @@ -11,7 +11,7 @@ job "core:d53" { config { packages = [ - "git+https://git.deuxfleurs.fr/lx/D53.git?ref=diplonat-autodiscovery&rev=d906a6ebb5d977f44340b157a520477849ced161" + "git+https://git.deuxfleurs.fr/lx/D53.git?ref=diplonat-autodiscovery&rev=49d94dae1d753c1f3349be7ea9bc7e7978c0af15" ] command = "d53" } @@ -52,7 +52,7 @@ D53_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key D53_PROVIDERS=deuxfleurs.org:gandi D53_GANDI_API_KEY={{ key "secrets/d53/gandi_api_key" }} D53_ALLOWED_DOMAINS=staging.deuxfleurs.org -RUST_LOG=d53=info +RUST_LOG=d53=debug EOH destination = "secrets/env" env = true diff --git a/cluster/staging/app/garage/config/garage.toml b/cluster/staging/app/garage/config/garage.toml index f14a602..26e0361 100644 --- a/cluster/staging/app/garage/config/garage.toml +++ b/cluster/staging/app/garage/config/garage.toml @@ -6,8 +6,10 @@ db_engine = "lmdb" replication_mode = "3" -rpc_bind_addr = "[{{ env "meta.public_ipv6" }}]:3991" -rpc_public_addr = "[{{ env "meta.public_ipv6" }}]:3991" +{{ with $a := env "attr.unique.hostname" | printf "diplonat/autodiscovery/ipv6/%s" | key | parseJSON }} +rpc_bind_addr = "[{{ $a.address }}]:3991" +rpc_public_addr = "[{{ $a.address }}]:3991" +{{ end }} rpc_secret = "{{ key "secrets/garage-staging/rpc_secret" | trimSpace }}" bootstrap_peers = [] diff --git a/cluster/staging/app/garage/deploy/garage.hcl b/cluster/staging/app/garage/deploy/garage.hcl index 6e37d82..1fc969b 100644 --- a/cluster/staging/app/garage/deploy/garage.hcl +++ b/cluster/staging/app/garage/deploy/garage.hcl @@ -25,6 +25,7 @@ job "garage-staging" { config { packages = [ "#bash", # so that we can enter a shell inside container + "#coreutils", "git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=main&rev=0d0906b066eb76111f3b427dce1c50eac083366c", ] command = "garage" -- cgit v1.2.3 From 6c07a429781d4a26a546e3f3049b41e0b968b033 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Thu, 4 May 2023 13:39:33 +0200 Subject: different wgautomesh gossip ports for prod and staging --- cluster/staging/cluster.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'cluster') diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix index 2fec94c..362724b 100644 --- a/cluster/staging/cluster.nix +++ b/cluster/staging/cluster.nix @@ -38,6 +38,8 @@ endpoint = "bitfrost.fiber.shirokumo.net:33734"; }; }; + + deuxfleurs.wgautomeshPort = 1667; services.wgautomesh.logLevel = "debug"; # Bootstrap IPs for Consul cluster, -- cgit v1.2.3 From 258d27c566c78dfc714079bf921270a71fdc9535 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 9 May 2023 15:12:03 +0200 Subject: deploy tricot at bespin, register gitea (not accessed yet) --- cluster/prod/app/core/deploy/tricot.hcl | 2 +- cluster/prod/register_external_services.sh | 41 ++++++++++++++++++++++++++++++ cluster/prod/register_personal_services.sh | 17 ------------- 3 files changed, 42 insertions(+), 18 deletions(-) create mode 100755 cluster/prod/register_external_services.sh delete mode 100644 cluster/prod/register_personal_services.sh (limited to 'cluster') diff --git a/cluster/prod/app/core/deploy/tricot.hcl b/cluster/prod/app/core/deploy/tricot.hcl index 7c955d2..7c3bada 100644 --- a/cluster/prod/app/core/deploy/tricot.hcl +++ b/cluster/prod/app/core/deploy/tricot.hcl @@ -1,5 +1,5 @@ job "core:tricot" { - datacenters = ["orion", "neptune", "scorpio"] + datacenters = ["orion", "neptune", "scorpio", "bespin"] type = "system" priority = 90 diff --git a/cluster/prod/register_external_services.sh b/cluster/prod/register_external_services.sh new file mode 100755 index 0000000..9c00216 --- /dev/null +++ b/cluster/prod/register_external_services.sh @@ -0,0 +1,41 @@ +#!/usr/bin/env bash + +# Bruxelles (bespin): git forge at git.deuxfleurs.fr + +curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- < Date: Tue, 16 May 2023 14:14:27 +0200 Subject: use RA on orion as well --- cluster/prod/site/orion.nix | 5 ----- 1 file changed, 5 deletions(-) (limited to 'cluster') diff --git a/cluster/prod/site/orion.nix b/cluster/prod/site/orion.nix index 58c49ab..dd8e208 100644 --- a/cluster/prod/site/orion.nix +++ b/cluster/prod/site/orion.nix @@ -3,11 +3,6 @@ { deuxfleurs.siteName = "orion"; deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254"; - # Setting an IPv6 default gateway will disable RA for now. - # Adding this for now as Orion has the mail servers and we are - # not yet confident we can disable this without getting ourselves - # banned by sending from unwanted IPs (although it should be ok). - deuxfleurs.staticIPv6.defaultGateway = "2a01:e0a:28f:5e60::1"; deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr."; deuxfleurs.publicIPv4 = "82.66.80.201"; } -- cgit v1.2.3