blob: 1307fde1897dada55718ed40de5339b0a056d857 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
# Quick start
## How to welcome a new administrator
See: https://guide.deuxfleurs.fr/operations/acces/pass/
Basically:
- The new administrator generates a GPG key and publishes it on Gitea
- All existing administrators pull their key and sign it
- An existing administrator reencrypt the keystore with this new key and push it
- The new administrator clone the repo and check that they can decrypt the secrets
- Finally, the new administrator must choose a password to operate over SSH with `./passwd prod rick` where `rick` is the target username
## How to create files for a new zone
*The documentation is written for the production cluster, the same apply for other clusters.*
Basically:
- Create your `site` file in `cluster/prod/site/` folder
- Create your `node` files in `cluster/prod/node/` folder
- Add your wireguard configuration to `cluster/prod/cluster.nix`
- You will have to edit your NAT config manually to bind one public IPv4 port to each node
- Nodes' public wireguard keys are generated during the first run of `deploy_nixos`, see below
- Add your nodes to `cluster/prod/ssh_config`, it will be used by the various SSH scripts.
- If you use `ssh` directly, use `ssh -F ./cluster/prod/ssh_config`
- Add `User root` for the first time as your user will not be declared yet on the system
## How to deploy a Nix configuration on a fresh node
We suppose that the node name is `datura`.
Start by doing the deployment one node at a time, you will have plenty of time
in your operator's life to break everything through automation.
Run:
- `./deploy_nixos prod datura` - to deploy the nix configuration file;
- a new wireguard key is printed if it hadn't been generated before, it has to be
added to `cluster.nix`, and then redeployed on all nodes as the new wireguard conf is needed everywhere
- `./deploy_passwords prod datura` - to deploy user's passwords
- if a user changes their password (using `./passwd`), needs to be redeployed on all nodes to setup the password on all nodes
- `./deploy_pki prod datura` - to deploy Nomad's and Consul's PKI
## How to operate a node
Edit your `~/.ssh/config` file:
```
Host dahlia
HostName dahlia.machine.deuxfleurs.fr
LocalForward 14646 127.0.0.1:4646
LocalForward 8501 127.0.0.1:8501
LocalForward 1389 bottin.service.prod.consul:389
LocalForward 5432 psql-proxy.service.prod.consul:5432
```
Then run the TLS proxy and leave it running:
```
./tlsproxy prod
```
SSH to a production machine (e.g. dahlia) and leave it running:
```
ssh dahlia
```
Finally you should see be able to access the production Nomad and Consul by browsing:
- Consul: http://localhost:8500
- Nomad: http://localhost:4646
|