deployment: added server config
This commit is contained in:
parent
09259d997f
commit
4402cebab6
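--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 TiMMi Transport
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.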
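--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,71 @@
+This repository contains the completely declarative+reproducible configurations to deploy a server hosting the „beherbergung“ service and basic infrastructure for reliabiliy+maintainability.
+Most of the service definitions should re reusable with minimal adaptions for completely different projects.
+
+* CI/CD
+* buildcache
+* [monitoring + alerting](./modules/monitoring/README.md)
+* backup
+* dns
+* reverse proxy + acme
+
+Secrets are encrypted with sops.
+
+## Deploy
+
+Once the servers are installed following [the bootstrap instructions](#bootstrap), the roll out of configuration changes on all servers is trivial.
+As a developer with an [authorized key](./modules/hetzner.nix), call:
+
+```shell
+nix run
+```
+
+## Update
+
+To update all flakes and redeploy, call:
+
+```shell
+nix flake update
+nix run
+```
+
+## Bootstrap
+
+To setup a new server:
+1. boot a nixos image
+2. mount the future / to /mnt
+3. copy this repo to /mnt/etc/nixos
+4. check flake.nix and hosts/$HOSTNAME/\*configuration.nix
+- set a correct static ipv6
+5. nixos-install:
+
+```shell
+nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"
+```
+
+6. setup sops:
+
+6.1. add the new hosts key to sops config
+
+```shell
+nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
+edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc
+```
+
+6.2. add pubkey to the developers keyring
+```shell
+gpg --import sops/keys/hosts/$HOSTNAME.asc
+```
+
+6.3. edit secrets + use them
+
+```shell
+nix shell .#sops --command sops sops/secrets/*
+edit modules/sops.nix
+```
+
+## Ensure, outgoing SMTP is permitted by your hoster:
+
+```shell
+openssl s_client -connect smtp.1und1.de:587 -starttls smtp
+openssl s_client -connect smtp.1und1.de:465
+```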
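--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+imports = [
+../../modules/hetzner.nix
+];
+
+system.stateVersion = "21.11";
+
+networking = {
+hostName = "beherbergung-lifeline";
+interfaces.ens3 = {
+ipv6.addresses = [ { address = "2a01:4f8:c0c:cf13::1"; prefixLength = 64; } ];
+};
+};
+}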
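Review bot: The host module sets `hostName` and the static `ipv6.addresses` for ens3 without a comment on how they relate to the shared module it imports, even though that module (presumably the hardware-configuration section in this commit) carries `#ipv6.addresses ## should be set for each host` and supplies the `fe80::1` gateway on the same interface. A one-line header would make the per-host contract explicit, e.g. `# per-host values only; DHCP defaults and the v6 gateway for ens3 come from ../../modules/hetzner.nix`. `config` and `pkgs` are taken from the module arguments but never used, so `{ ... }:` states the module's real needs.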
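--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+time.timeZone = "Europe/Berlin";
+
+environment.systemPackages = with pkgs; [
+vim tmux
+wget curl
+htop atop iotop iftop
+file bc jq
+git
+bind.dnsutils
+];
+
+environment.variables = { EDITOR = "vim"; };
+}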
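--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,48 @@
+## a common hardware-configuration.nix for our hetzner servers
+
+{ config, lib, pkgs, modulesPath, ... }:
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" = {
+device = "/dev/sda1";
+fsType = "ext4";
+};
+
+swapDevices = [ ];
+
+boot.loader.grub = {
+enable = true;
+version = 2;
+devices = [ "/dev/sda" ];
+};
+
+networking = {
+useDHCP = false;
+interfaces.ens3 = {
+useDHCP = true;
+#ipv6.addresses ## should be set for each host
+};
+defaultGateway6 = {
+address = "fe80::1";
+interface = "ens3";
+};
+};
+
+users.users.root = {
+openssh.authorizedKeys.keys = [
+## J03
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDW+YfsFtRz1h/0ubcKU+LyGfxH505yUkbWa5VtRFNWF2fjTAYGj6o5M4dt+fv1h370HXvvOBtt8sIlWQgMsD10+9mvjdXWhTcpnYPx4yWuyEERE1/1BhItrog6XJKAedbCDpQQ+POoewouiHWVAUfFByPj5RXuE8zKUeIEkGev/QKrKTLnTcS8zFs/yrokf1qYYR571B3U8IPDjpV/Y1GieG3MSNaefIMCwAAup1gPkUA0XZ4A1L7NdEiUEHlceKVu9eYiWUM+wDRunBXnLHubeGyP8KmBA7PNKgml3WWRNTZjqNQk4u9Bl+Qea5eCkD8KI257EqgXYXy0QBWNyF8X j03@l302"
+];
+};
+
+services.openssh = {
+enable = true;
+permitRootLogin = "prohibit-password";
+};
+}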
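Review bot: The `services.openssh` block at the end of the section restricts root to key-based login (`permitRootLogin = "prohibit-password"`) but leaves password and challenge-response authentication at the distribution defaults; with nixos-21.11 as the pinned input (flake.nix in this commit) those defaults are, as far as I recall, still permissive, so any non-root account added later becomes reachable by password. Adding `passwordAuthentication = false;` and `challengeResponseAuthentication = false;` to the same set makes the key-only policy explicit for every account. The developer key is also embedded in a module whose header calls it a common hardware configuration; keeping the authorized-key list in its own module (or in the host files) separates hardware from access concerns and makes key rotation a one-file change.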
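--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,16 @@
+{ config, pkgs, nixpkgs, ... }:
+{
+boot.cleanTmpDir = true;
+
+nix.package = pkgs.nixUnstable;
+nix.extraOptions = "experimental-features = nix-command flakes";
+
+#nix.daemonIONiceLevel = 7;
+#nix.daemonNiceLevel = 19;
+
+nix.autoOptimiseStore = true;
+nix.gc = {
+automatic = true;
+dates = "weekly";
+};
+}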
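Review bot: `nixpkgs` is declared in the argument set `{ config, pkgs, nixpkgs, ... }:` but never used in the body, and `config` is unused as well; `{ pkgs, ... }:` states what the module actually needs and avoids an evaluation error should a caller not pass `nixpkgs`. The two commented lines `#nix.daemonIONiceLevel = 7;` and `#nix.daemonNiceLevel = 19;` give no reason for being disabled — presumably those options no longer exist in the pinned release, in which case either delete them or say so, e.g. `# removed upstream; the scheduling-policy options (nix.daemonCPUSchedPolicy / nix.daemonIOSched*) are the replacement, if I recall correctly`.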
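--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,107 @@
+{
+"nodes": {
+"dns": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1635273082,
+"narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
+"owner": "kirelagin",
+"repo": "dns.nix",
+"rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
+"type": "github"
+},
+"original": {
+"owner": "kirelagin",
+"repo": "dns.nix",
+"type": "github"
+}
+},
+"flake-utils": {
+"locked": {
+"lastModified": 1614513358,
+"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"nix-deploy-git": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1637044180,
+"narHash": "sha256-5r3pOGql5wr0PtuOb0rJ0EeorcT3A43tWYRRvnZB0jk=",
+"owner": "johannesloetzsch",
+"repo": "nix-deploy-git",
+"rev": "c1c0b1def56009e8647bfe57c555c6bea0fb2b1a",
+"type": "github"
+},
+"original": {
+"owner": "johannesloetzsch",
+"ref": "main",
+"repo": "nix-deploy-git",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1646588256,
+"narHash": "sha256-ZHljmNlt19nSm0Mz8fx6QEhddKUkU4hhwFmfNmGn+EY=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "2ebb6c1e5ae402ba35cca5eec58385e5f1adea04",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-21.11",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"dns": "dns",
+"nix-deploy-git": "nix-deploy-git",
+"nixpkgs": "nixpkgs",
+"sops-nix": "sops-nix"
+}
+},
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1646696263,
+"narHash": "sha256-a+6WgDoU2fd4bbSFMqK67i/ZTPzia29otmyeODa1uDU=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "4e21493d34f7485a568e05b9cbefa11fe047ecd3",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}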
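--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,64 @@
+{
+description = "https://github.com/internet4refugees/beherbergung.git development environment + package + deployment";
+
+inputs = {
+#nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+sops-nix = {
+url = "github:Mic92/sops-nix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+nix-deploy-git = {
+url = "github:johannesloetzsch/nix-deploy-git/main";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+dns = {
+url = "github:kirelagin/dns.nix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+
+outputs = { self, nixpkgs, sops-nix, nix-deploy-git, dns }:
+let
+system = "x86_64-linux";
+pkgs = import nixpkgs { inherit system; };
+inherit (pkgs) lib;
+
+commonAttrs = {
+system = "x86_64-linux";
+extraArgs = { flake = self; inherit system dns; };
+};
+commonModules = [
+./deployment/modules/nix.nix
+./deployment/modules/default.nix
+#sops-nix.nixosModules.sops
+#./deployment/modules/sops.nix
+#./deployment/modules/dns.nix
+#./deployment/modules/monitoring/client.nix
+#./deployment/modules/nginx/timmi.nix
+#nix-deploy-git.nixosModule
+#./deployment/modules/nix-deploy-git.nix
+];
+in
+rec {
+legacyPackages.${system} = (lib.mergeAttrs pkgs {
+#nixos-deploy = import ./tools/deploy.nix { inherit pkgs; };
+});
+
+#defaultPackage.${system} = legacyPackages.${system}.nixos-deploy;
+
+nixosConfigurations = {
+
+beherbergung-lifeline = nixpkgs.lib.nixosSystem (lib.mergeAttrs commonAttrs {
+modules = commonModules ++ [
+./deployment/hosts/beherbergung-lifeline/configuration.nix
+#./deployment/modules/nginx/timmi-public.nix
+#./deployment/modules/binarycache/client.nix
+#./deployment/modules/binarycache/server.nix
+#./deployment/modules/monitoring/server.nix
+];
+});
+
+};
+};
+}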
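Review bot: `sops-nix` and `nix-deploy-git` are pinned inputs and destructured in `outputs`, yet every use of them in `commonModules` and in the host's module list is commented out, so nothing in the evaluated system references them while the README added in this commit already states that secrets are encrypted with sops; until `sops-nix.nixosModules.sops` and `./deployment/modules/sops.nix` are enabled, no secret is decrypted on the host and a reader of the README will assume otherwise. Either enable those two entries or put a one-line comment above the commented block, e.g. `# staged: sops, dns, monitoring, nginx and nix-deploy-git land in later commits`, so the gap between README and flake is documented. Separately, `commonAttrs` repeats `system = "x86_64-linux";` instead of `inherit system;` from the `let` binding defined a few lines earlier.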