Merge branch 'poc-integration' of gitlab.com:infektweb/glv5/hetzner-cloud-environment into poc-integration

This commit is contained in:
Marco Streich 2021-01-19 10:21:52 +01:00
commit 1b2573f3c0
1 changed files with 15 additions and 16 deletions


@ -43,6 +43,7 @@ To build and provision resources with Packer and Terraform, an API token is requ
This means that when you delete a load balancer, you will also lose the public IP you have been using for the services behind it.
You will probably not delete load balancers in the production environment, but for staging and testing environments, load balancers can be scaled up and down via the Hetzner Cloud web UI or their API/Terraform if you want to save some money.
There appear to be [plans](https://docs.hetzner.com/cloud/load-balancers/faq/#can-i-assign-a-floating-ip-to-my-load-balancer) to add support for load balancers with floating IPs.
**Certificates**: Certificates stored within the security service on Hetzner Cloud cannot be updated, only replaced.
Before a certificate can be deleted, it must be dereferenced from [services](https://docs.hetzner.cloud/#load-balancer-actions-update-service) which were set up on load balancers.
For this creason, Certbot needs to be wrapped by a script which takes care of certificate replacement (see `infrastructure/modules/compute/certbot.sh`).
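Review bot: typo in the last line of the hunk, "For this creason" should read "For this reason". Since the paragraph states that a certificate must be dereferenced from every load balancer service before it can be deleted, the README should also say how `infrastructure/modules/compute/certbot.sh` behaves when the replacement or dereferencing step fails, so an operator knows whether the old certificate is expected to stay attached.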
@ -148,20 +149,20 @@ $ make infra-destroy MODULE=compute
### Data
#### Ephemeral Data
/opt/
/etc/nixos
- /opt/
- /etc/nixos
#### Persistent Data
/mnt/data
- /mnt/data
### Setting Up a New Environment
The following sections assume the environment to be called 'production'.
#### Configure Environment in `config.json` and `secrets.json`
Set the environment name and desired NixOS image/snapshot ID in `config.json`.
`config.json`:
Set the environment name and desired NixOS image/snapshot ID in `config.json`:
```json
{
tbd
"terraform_packer_environment": "production"
tbd
}
```
Use your personal Gitlab deployment- and Hetzner Cloud tokens.
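Review bot: the `config.json` example in this hunk still contains two `tbd` lines, which makes the block invalid JSON and leaves the reader guessing which keys belong there; either fill in the real keys or drop the placeholders and keep only `"terraform_packer_environment": "production"`.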
@ -175,7 +176,6 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens.
"gitlab_deploy_token_password": "",
"aws_access_key_id": "",
"aws_secret_access_key": "",
"gitlab_deploy_token_password": "",
"hcloud_token_testing": "",
"hcloud_token_production": "",
"vault_db_password_production": ""
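Review bot: dropping the second `"gitlab_deploy_token_password"` entry is the right fix, since most JSON parsers accept a repeated key but keep only the last value, so one of the two copies was being silently ignored. Given that this single file holds the Hetzner Cloud production token, AWS keys and the Vault database password, the surrounding text should state explicitly that `secrets.json` is never committed to the repository.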
@ -197,12 +197,12 @@ $ make infra-apply MODULE=compute
```
Take note of the public IP from the load balancer (used to access your services) and the server (used to manage the NixOS system) in the Hetzner Cloud web UI or via their API:
```sh
$ curl -H "Authorization: Bearer $API_TOKEN" 'https://api.hetzner.cloud/v1/servers?label_selector=environment==production' | jq '.servers[].public_net'
$ curl -H "Authorization: Bearer $HCLOUD_TOKEN" 'https://api.hetzner.cloud/v1/servers?label_selector=environment==production' | jq '.servers[].public_net'
```
```sh
$ curl -H "Authorization: Bearer $API_TOKEN" 'https://api.hetzner.cloud/v1/load_balancers?label_selector=environment==production' | jq '.load_balancers[].public_net'
$ curl -H "Authorization: Bearer $HCLOUD_TOKEN" 'https://api.hetzner.cloud/v1/load_balancers?label_selector=environment==production' | jq '.load_balancers[].public_net'
```
You can now connect to the newly created server, using the default key pair stored on [Gitlab](https://gitlab.com/infektweb/glv5/hetzner-cloud-environment/-/settings/ci_cd) as user 'operator'.
You can now connect to the newly created server, using the default key pair stored on [Gitlab CI/CD](https://gitlab.com/infektweb/glv5/hetzner-cloud-environment/-/settings/ci_cd) as user `operator`.
```sh
$ ssh operator@168.119.230.44
```
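Review bot: the `ssh` example hardcodes `168.119.230.44`; the sentence above says the public IP has to be looked up per environment and the first hunk notes that a load balancer's IP is lost when it is deleted, so a placeholder such as `<server-public-ip>` is less likely to go stale. Renaming `$API_TOKEN` to `$HCLOUD_TOKEN` matches the `hcloud_token_*` naming in `secrets.json`; a line showing how that variable is exported would make the two `curl` calls copy-pasteable.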
@ -212,8 +212,8 @@ As a first step you should change the passwords of the `root` and `operator` use
```sh
$ sudo -i
$ passwd
$ passwd operator
# passwd
# passwd operator
```
#### Configuring Certbot
@ -258,8 +258,7 @@ GRANT ALL PRIVILEGES ON TABLE vault_kv_store TO vault;
```
Be sure to replace the password with the value which is set for `vault_db_password_production` in `secrets.json`.
```sh
$ sudo -i
$ su -l postgres
$ sudo su -l postgres
$ psql
[.. SQL commands ..]
$ exit
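Review bot: the `vault_db_password_production` value typed into the `psql` session ends up in `~postgres/.psql_history`; the text should mention clearing that file, or show running the statements from a file that is removed afterwards. Collapsing `sudo -i` and `su -l postgres` into `sudo su -l postgres` also means the single trailing `$ exit` is now correct for returning to the operator shell.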
@ -313,8 +312,8 @@ Maybe there are better ways to do this using nix-shell.
If you prefer the passwords to be generated for you, use the argument `auto` instead of `interactive`.
##### Credentials for Kibana
If you would like to use Kibana (recommended), add the password you set for the 'kibana' user to `/mnt/data/kibana-elasticsearch-password` (mode 600) and rebuild NixOS with `systemctl start nixos-rebuild`.
Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/). (sign in with the 'elastic' user)
If you would like to use Kibana (recommended), add the password you set for the `kibana` user to `/mnt/data/kibana-elasticsearch-password` (mode 600) and rebuild NixOS with `systemctl start nixos-rebuild`.
Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/). (sign in with the `elastic` user)
#### Configuring Guidelines
```
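Review bot: the Kibana link is still inconsistent in both versions of the line, the link text and the sentence say port 8443 but the link target is `https://guidelines.ch:9443/`; pick the correct port and use it in all three places. The backtick quoting of `kibana` and `elastic` is consistent with `operator` in the earlier hunk.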