This commit is contained in:
Marco Streich 2021-01-22 16:50:04 +01:00
parent 7c9c9f34d7
commit 908b46a62b
5 changed files with 54 additions and 12 deletions


@ -71,7 +71,6 @@ id\_rsa\_operator_pub is baked into the image generated by Packer (see `nixos/ni
### NixOS ### NixOS
#### Building NixOS Images (Snapshots) with Packer #### Building NixOS Images (Snapshots) with Packer
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provider by Hetzner Cloud.
The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud. The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud.
Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created. Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created.
@ -159,12 +158,13 @@ $ make infra-destroy MODULE=compute
The following sections assume the environment to be called 'production'. The following sections assume the environment to be called 'production'.
#### Configure Environment in `config.json` and `secrets.json` #### Configure Environment in `config.json` and `secrets.json`
Set the environment name and desired NixOS image/snapshot ID in `config.json`:
Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`: Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`:
```json ```json
{ {
"terraform_packer_environment": "production" "terraform_packer_environment": "production",
tbd "nixos_snapshot_id": "1234567",
"domain_name_production": "guidelines.ch",
"domain_alternative_names_production": "*.guidelines.ch"
} }
``` ```
Use your personal Gitlab deployment- and Hetzner Cloud tokens. Use your personal Gitlab deployment- and Hetzner Cloud tokens.
@ -178,7 +178,7 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens.
"gitlab_deploy_token_password": "", "gitlab_deploy_token_password": "",
"aws_access_key_id": "", "aws_access_key_id": "",
"aws_secret_access_key": "", "aws_secret_access_key": "",
"kibana_elasticsearch_password_production": "", "elasticsearch_password_production": "",
"hcloud_token_production": "", "hcloud_token_production": "",
"vault_db_password_production": "" "vault_db_password_production": ""
} }
@ -263,7 +263,7 @@ If this file exists and contains a valid master key, Vault will be unsealed auto
#### Configuring Elasticsearch #### Configuring Elasticsearch
Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/). Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
Sign in with the user 'elastic' and password 'changeme' and go change the password in 'Management' -> 'Security' -> 'Users'. The password is derieved from the `elasticsearch_password_<env>` key in `secrets.json`
#### Configuring Guidelines #### Configuring Guidelines
``` ```


@ -42,7 +42,6 @@ update_load_balancer() {
case "$1" in case "$1" in
*[0-9]*) *[0-9]*)
_proto=https _proto=https
_redirect_http="true"
_certs="[$1]" _certs="[$1]"
;; ;;
"") "")
@ -58,6 +57,14 @@ update_load_balancer() {
esac esac
for sp in $service_ports; do for sp in $service_ports; do
case "$sp" in
"443")
_redirect_http="true"
;;
*)
_redirect_http="false"
;;
esac
error=$($curl -s -XPOST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d "{\"listen_port\": $sp, \"protocol\": \"$_proto\", \"http\":{\"redirect_http\": $_redirect_http, \"certificates\": $_certs}}" "https://api.hetzner.cloud/v1/load_balancers/$lb_id/actions/update_service" | $jq -r '.error') error=$($curl -s -XPOST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d "{\"listen_port\": $sp, \"protocol\": \"$_proto\", \"http\":{\"redirect_http\": $_redirect_http, \"certificates\": $_certs}}" "https://api.hetzner.cloud/v1/load_balancers/$lb_id/actions/update_service" | $jq -r '.error')
case "$(printf "%s" "$error" | $jq -r '.code')" in case "$(printf "%s" "$error" | $jq -r '.code')" in
"null") "null")
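Review bot: The new `case "$sp"` sets `_redirect_http` from the listen port alone, so an iteration where `_proto` is not `https` (the `""` branch of the outer case, whose body is outside this hunk) would still send `"redirect_http": true` for port 443, which the Hetzner API is likely to reject for a plain-http service. Gate it on the protocol too, e.g. `"443") [ "$_proto" = "https" ] && _redirect_http="true" || _redirect_http="false" ;;`. A one-line comment above the case, `# only one service may own the HTTP->HTTPS redirect; keep it on 443`, would record why the flag moved out of the certificate branch, if that is the reason. update_load_balancer begins before this hunk.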


@ -48,6 +48,28 @@ in
}; };
}; };
oci-containers.containers."deploymentagent" = {
image = "registry.gitlab.com/infektweb/glv5/hetzner-cloud-environment/deploymentagent:poc-integration";
ports = [
"5000:5000"
];
extraOptions = [
"--add-host=host:10.0.1.51"
];
environment = {
"VAULT_SECRET_PATH" = "kv/data/guidelines/${(builtins.readFile /opt/cloud-init-misc-data/environment)}/deploymentagent";
"VAULT_URL" = "http://host:8200";
"NIXOS_REBUILD_SOCKET_URL" = "host:4444";
"DEPLOYMENT_STATE_FILE" = "/guidelines.json";
};
volumes = [
"/mnt/data/vault-deploymentagent-api-token:/vault-token"
"/run/podman-containers.sock:/tmp/podman/podman.sock"
"/mnt/data/guidelines.json:/guidelines.json"
];
#extraDockerOptions = [ "--network=foo" ];
};
#oci-containers.containers."containerapi" = { #oci-containers.containers."containerapi" = {
# image = "alpine"; # image = "alpine";
# volumes = [ # volumes = [
@ -69,5 +91,6 @@ in
services.redis.enable = true; services.redis.enable = true;
services.redis.requirePass = "p15c4e6538de2061edd65a52ab216ba071d78b1532a937c1c3d5821d5c571c0cf"; services.redis.requirePass = "p15c4e6538de2061edd65a52ab216ba071d78b1532a937c1c3d5821d5c571c0cf";
networking.firewall.allowedTCPPorts = [ 6379 ];
networking.firewall.allowedTCPPorts = [ 6379 5000 4444 ];
} }
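Review bot: The `deploymentagent` container bind-mounts `/run/podman-containers.sock` and the Vault token file while also being published on `5000:5000` and opened in `networking.firewall.allowedTCPPorts` on every interface, so anyone who can reach port 5000 is one agent bug away from controlling every container on the host; if the LB must reach 5000, scope the rule with `networking.firewall.interfaces.<private-iface>.allowedTCPPorts = [ 5000 4444 ];` instead of the global list, and leave 4444 off the public side entirely. Separately, `builtins.readFile /opt/cloud-init-misc-data/environment` keeps a trailing newline if the file ends with one, which would turn `VAULT_SECRET_PATH` into `kv/data/guidelines/production\n/deploymentagent`; `lib.fileContents` strips it, assuming `lib` is in scope from the module arguments above the hunk. `VAULT_URL = "http://host:8200"` also sends the token over the private network in cleartext, which deserves a comment stating that the 10.0.1.0/24 segment is considered trusted, if it is.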


@ -35,7 +35,7 @@ resource "hcloud_load_balancer_service" "guidelines-http-to-https-with-terminati
// TODO: Add health check // TODO: Add health check
} }
resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-termination" { resource "hcloud_load_balancer_service" "guidelines-kibana-https-with-termination" {
load_balancer_id = hcloud_load_balancer.guidelines.id load_balancer_id = hcloud_load_balancer.guidelines.id
protocol = "http" protocol = "http"
listen_port = 8443 listen_port = 8443
@ -49,16 +49,28 @@ resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-te
// TODO: Add health check // TODO: Add health check
} }
resource "hcloud_load_balancer_service" "vault-http-to-https-with-termination" { resource "hcloud_load_balancer_service" "guidelines-deploymentagent-https-with-termination" {
load_balancer_id = hcloud_load_balancer.guidelines.id load_balancer_id = hcloud_load_balancer.guidelines.id
protocol = "http" protocol = "http"
listen_port = 9443 listen_port = 9443
destination_port = 8200 destination_port = 5000
http { http {
sticky_sessions = false sticky_sessions = false
#certificates = [] #certificates = []
#redirect_http = true #redirect_http = true
} }
health_check {
protocol = "http"
port = 5000
interval = 15
timeout = 10
http {
path = "/status"
status_codes = [ 401 ]
tls = false
}
}
// TODO: Add health check // TODO: Add health check
} }
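Review bot: The `// TODO: Add health check` comment at the end of the deploymentagent resource is now stale, since the commit adds the `health_check` block directly above it; drop the comment. More importantly the service is created as `protocol = "http"` on the load balancer's public port 9443 with `#certificates = []` commented out, so until `update_load_balancer` in the shell script on this page switches it to https (which it does only for ports listed in `service_ports`, not visible here), requests to the deployment agent, including whatever credential produces the 401 the health check expects, travel in cleartext; a comment such as `# created as plain http; update_load_balancer flips it to https once a certificate exists` would make that lifecycle explicit. The `status_codes = [ 401 ]` check also ties health to the agent rejecting unauthenticated requests, which is a sensible guard worth one line of explanation.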


@ -43,7 +43,7 @@
}; };
systemd.sockets.socket-nixos-rebuild-trigger = { systemd.sockets.socket-nixos-rebuild-trigger = {
listenStreams = [ "0.0.0.0:4444" ]; listenStreams = [ "10.0.1.51:4444" ];
partOf = [ "socket-nixos-rebuild-trigger.service" ]; partOf = [ "socket-nixos-rebuild-trigger.service" ];
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
}; };
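Review bot: Binding `listenStreams` to the literal `10.0.1.51:4444` makes the socket unit fail at boot if that address is not yet configured when `sockets.target` is reached; add `socketConfig.FreeBind = true;` (or order the unit after the network is up) so the bind succeeds regardless. The hard-coded address also duplicates the `--add-host=host:10.0.1.51` in the container definition elsewhere in this commit, and a single option or module argument would keep the two from drifting. Note that the firewall change in this commit opens 4444 on all interfaces, so this bind address is the only thing keeping the rebuild trigger off the public interface; a comment like `# private network only: any peer that can connect here triggers a nixos-rebuild` would make that dependency visible, assuming the service behind the socket does not authenticate the peer, which is not shown here. The enclosing module starts outside the hunk.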