This commit is contained in:
Marco Streich 2021-01-21 09:01:00 +01:00
parent 047d3acbf7
commit 0ac87b712e
2 changed files with 7 additions and 5 deletions

View File

@ -72,6 +72,7 @@ id\_rsa\_operator_pub is baked into the image generated by Packer (see `nixos/ni
### NixOS
#### Building NixOS Images (Snapshots) with Packer
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provider by Hetzner Cloud.
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud.
Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created.
Example:
@ -159,6 +160,7 @@ The following sections assume the environment to be called 'production'.
#### Configure Environment in `config.json` and `secrets.json`
Set the environment name and desired NixOS image/snapshot ID in `config.json`:
Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`:
```json
{
"terraform_packer_environment": "production"
@ -240,8 +242,8 @@ $ journalctl -u hetzner-certbot
You can access Vault on port 9443 via any hostname behind the load balancer [https://guidelines.ch:9443/](https://guidelines.ch:9443/).
As a first step, you will need to create a master key (set) which is used to unseal Vault on each startup.
To use just one master key, initialize Vault with "Key shares" and "Key threshold" both set to "1".
The "initial root token" is used to authenticate as an administrator with the Vault API or web UI
The "key" is used to unseal Vault upon startup.
The "initial root token" is used to authenticate as an administrator with the Vault API or web UI.
The "key" is used to unseal Vault in case it has been sealed (manually or due to a restart).
You can now set up the key-value based secret engine which is supported by the [settings](https://gitlab.com/infektcommon/settings) package.
Be sure to use V2 of the KV engine.
See the [Vault documentation](https://www.vaultproject.io/docs).
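Review bot: The two rewritten sentences on the "initial root token" and the "key" say what each value is for, but not how to handle it afterwards, while the context line just above recommends "Key shares" and "Key threshold" both set to "1". With a single share, whoever holds that one key can unseal Vault alone, so the text should say so and state where the key and the root token are expected to be stored. Consider also adding a sentence that the initial root token is intended for first-time setup and can be revoked once the KV V2 engine and regular authentication are configured.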
@ -257,7 +259,7 @@ Key (will be hidden):
##### Unseal Vault Automatically on Startup
You can manually write the created master key to `/mnt/data/vault-root-token`.
If this file exists and contains a valid master key, it Vault will be unsealed automatically.
If this file exists and contains a valid master key, Vault will be unsealed automatically on startup.
#### Configuring Elasticsearch
Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
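Review bot: The changed sentence says the file must contain "a valid master key", but the path in the line above it is `/mnt/data/vault-root-token`, and the previous section treats the unseal key and the initial root token as two different values. Please state explicitly that the unseal key, not the root token, goes into this file, or rename the file to match. Because a plaintext unseal key on the data volume lets anyone with read access to `/mnt/data` unseal Vault, the section should also document the expected owner and file mode. Separately, in the Kibana context line the link text uses port 8443 while the link target uses 9443.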

View File

@ -55,7 +55,7 @@ make clean
}
]
```
If the same app is specified multiple times, the last entry in the list take precedence.
If the same app is specified multiple times, the last entry in the list takes precedence.
### Deployment state
@ -143,7 +143,7 @@ curl -u'testuser:testpass' -i -XPOST localhost:8080/deploy -d '[{"app":"alpine",
"DeploymentSpec": [
{
"app": "alpine",
"version": "latst"
"version": "latest"
},
{
"app": "alpine",