Merge branch 'trigger-nixos-rebuild-from-deploymentagent' into poc-integration

2021-01-22 18:40:38 +01:00 · 2021-01-22 18:40:38 +01:00 · dfd7567445
commit dfd7567445
parent c9bad945dc 89d7f4c1ae
6 changed files with 55 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -71,7 +71,6 @@ id\_rsa\_operator_pub is baked into the image generated by Packer (see `nixos/ni

 ### NixOS
 #### Building NixOS Images (Snapshots) with Packer
-The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provider by Hetzner Cloud.
 The `nixos` target in the `Makefile` wraps around the execution of Packer to build a NixOS image from the default Ubuntu 20.04 image provided by Hetzner Cloud.
 Two arguments may be supplied, `VERSION=` to specify the desired NixOS release (see [NixOS Release Notes](https://nixos.org/manual/nixos/stable/release-notes.html)) and `BUILD=` with which you can track versions of the images that have been created.

@ -159,12 +158,13 @@ $ make infra-destroy MODULE=compute
 The following sections assume the environment to be called 'production'.

 #### Configure Environment in `config.json` and `secrets.json`
-Set the environment name and desired NixOS image/snapshot ID in `config.json`:
 Set the environment name, domain names and desired NixOS image/snapshot ID in `config.json`:
 ```json
 {
-  "terraform_packer_environment": "production"
-  tbd
+    "terraform_packer_environment": "production",
+    "nixos_snapshot_id": "1234567",
+    "domain_name_production": "guidelines.ch",
+    "domain_alternative_names_production": "*.guidelines.ch"
 }
 ```
 Use your personal Gitlab deployment- and Hetzner Cloud tokens.
@ -178,7 +178,7 @@ Use your personal Gitlab deployment- and Hetzner Cloud tokens.
    "gitlab_deploy_token_password": "",
    "aws_access_key_id": "",
    "aws_secret_access_key": "",
-    "kibana_elasticsearch_password_production": "",
+    "elasticsearch_password_production": "",
    "hcloud_token_production": "",
    "vault_db_password_production": ""
 }
@ -263,7 +263,7 @@ If this file exists and contains a valid master key, Vault will be unsealed auto

 #### Configuring Elasticsearch
 Kibana can be accessed on port 8443 via any hostname behind the load balancer [https://guidelines.ch:8443/](https://guidelines.ch:9443/).
-Sign in with the user 'elastic' and password 'changeme' and go change the password in 'Management' -> 'Security' -> 'Users'.
+The password is derieved from the `elasticsearch_password_<env>` key in `secrets.json`

 #### Configuring Guidelines
 ```
--- a/infrastructure/modules/compute/certbot.sh
+++ b/infrastructure/modules/compute/certbot.sh
@ -42,7 +42,6 @@ update_load_balancer() {
    case "$1" in
        *[0-9]*)
            _proto=https
-            _redirect_http="true"
            _certs="[$1]"
            ;;
        "")
@ -58,6 +57,14 @@ update_load_balancer() {
    esac

    for sp in $service_ports; do
+        case "$sp" in
+            "443")
+                _redirect_http="true"
+                ;;
+            *)
+                _redirect_http="false"
+                ;;
+        esac
        error=$($curl -s -XPOST -H "Authorization: Bearer $API_TOKEN" -H "Content-Type: application/json" -d "{\"listen_port\": $sp, \"protocol\": \"$_proto\", \"http\":{\"redirect_http\": $_redirect_http, \"certificates\": $_certs}}" "https://api.hetzner.cloud/v1/load_balancers/$lb_id/actions/update_service" | $jq -r '.error')
        case "$(printf "%s" "$error" | $jq -r '.code')" in
            "null")
--- a/infrastructure/modules/compute/nix/guidelines.nix
+++ b/infrastructure/modules/compute/nix/guidelines.nix
@ -48,6 +48,28 @@ in
      };
    };

+    oci-containers.containers."deploymentagent" = {
+      image = "registry.gitlab.com/infektweb/glv5/hetzner-cloud-environment/deploymentagent:poc-integration";
+      ports = [
+        "5000:5000"
+      ];
+      extraOptions = [
+        "--add-host=host:10.0.1.51"
+      ];
+      environment = {
+        "VAULT_SECRET_PATH" = "kv/data/guidelines/${(builtins.readFile /opt/cloud-init-misc-data/environment)}/deploymentagent";
+        "VAULT_URL" = "http://host:8200";
+        "NIXOS_REBUILD_SOCKET_URL" = "host:4444";
+        "DEPLOYMENT_STATE_FILE" = "/guidelines.json";
+      };
+      volumes = [
+        "/mnt/data/vault-deploymentagent-api-token:/vault-token"
+        "/run/podman-containers.sock:/tmp/podman/podman.sock"
+        "/mnt/data/guidelines.json:/guidelines.json"
+      ];
+      #extraDockerOptions = [ "--network=foo" ];
+    };
+
    #oci-containers.containers."containerapi" = {
    #  image = "alpine";
    #  volumes = [
@ -69,5 +91,6 @@ in

  services.redis.enable = true;
  services.redis.requirePass = "p15c4e6538de2061edd65a52ab216ba071d78b1532a937c1c3d5821d5c571c0cf";
-  networking.firewall.allowedTCPPorts = [ 6379 ];
+
+  networking.firewall.allowedTCPPorts = [ 6379 5000 4444 ];
 }
--- a/infrastructure/modules/compute/nix/vault.nix
+++ b/infrastructure/modules/compute/nix/vault.nix
@ -2,7 +2,7 @@
 {
  services.vault.enable = true;
  services.vault.package = pkgs.vault-bin;
-  services.vault.address = "0.0.0.0:8200";
+  services.vault.address = "10.0.1.51:8200";
  services.vault.storageBackend = "postgresql";
  services.vault.storageConfig = "
    connection_url = \"postgres://vault:" + (builtins.readFile /opt/cloud-init-misc-data/vault_db_password) + "@localhost:5432/vault?sslmode=disable\"
--- a/infrastructure/modules/ingress/load_balancers.tf
+++ b/infrastructure/modules/ingress/load_balancers.tf
@ -35,7 +35,7 @@ resource "hcloud_load_balancer_service" "guidelines-http-to-https-with-terminati
  // TODO: Add health check
 }

-resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-termination" {
+resource "hcloud_load_balancer_service" "guidelines-kibana-https-with-termination" {
  load_balancer_id = hcloud_load_balancer.guidelines.id
  protocol = "http"
  listen_port = 8443
@ -49,16 +49,28 @@ resource "hcloud_load_balancer_service" "guidelines-kibana-http-to-https-with-te
  // TODO: Add health check
 }

-resource "hcloud_load_balancer_service" "vault-http-to-https-with-termination" {
+resource "hcloud_load_balancer_service" "guidelines-deploymentagent-https-with-termination" {
  load_balancer_id = hcloud_load_balancer.guidelines.id
  protocol = "http"
  listen_port = 9443
-  destination_port = 8200
+  destination_port = 5000

  http {
    sticky_sessions = false
    #certificates = []
    #redirect_http = true
  }
+
+  health_check {
+    protocol = "http"
+    port = 5000
+    interval = 15
+    timeout = 10
+    http {
+      path = "/status"
+      status_codes = [ 401 ]
+      tls = false
+    }
+  }
  // TODO: Add health check
 }
--- a/nixos/nix/system.nix
+++ b/nixos/nix/system.nix
@ -43,7 +43,7 @@
  };

  systemd.sockets.socket-nixos-rebuild-trigger = {
-    listenStreams = [ "0.0.0.0:4444" ];
+    listenStreams = [ "10.0.1.51:4444" ];
    partOf = [ "socket-nixos-rebuild-trigger.service" ];
    wantedBy = [ "sockets.target" ];
  };