Get basic nginx and acme setup working

This should enable DNS-01 acme for all khs openstack servers,
thus removing the pain of setting up acme for those servers.

Do note that this might not really be needed that much anymore,
as I should be able to hit them over IPv6, but for ease of mind,
this will enable ACME trivially, also for non https workloads, as well
as servers without open ports.

Do note that currently there's a global unifi firewall rule in place to
allow port 80 and 443 to my own servers over ipv6, I'd like to remove this
and have Nix configure firewall rules for each server individually, as
requested in the setup.


Former-commit-id: c402ada8f7
Kaare Hoff Skovgaard 2025-07-11 00:38:31 +02:00
parent ba28ad8d03
commit 5037d791db
13 changed files with 184 additions and 101 deletions


@ -8,43 +8,35 @@ When running on a desktop machine, simply running `nixos-install` as per usual s
## Servers
To provision the cloud resources needed, the following can be run:
To provision the cloud resources needed, and install NixOS, the following can be run:
```bash
nix run '.#create-instance' -- <hostname>
```
This will run the `provision.pre` terraform code to ensure the cloud resources are created as needed, on either hetzner or openstack. It should also select the appropriate secrets backend to fetch secrets from. In general every server should use `vault` (OpenBAO) as the backend, except for the server hosting OpenBAO.
This will run the `provision.pre` terraform code to ensure the cloud resources are created as needed, on either hetzner or openstack. It should also select the appropriate secrets backend to fetch secrets from. In general every server should use `vault` (OpenBAO) as the backend, except for the server hosting OpenBAO. Then it will install NixOS.
Once the instance has been created it will _not_ run NixOS, but rather something like Debian, which can then be provisioned into a NixOS installation. Run the following command to enroll NixOS on the instance:
When making changes to eg. the approle needed, and needing to provision the instance again (but not installing NixOS again, as that won't work), run:
```bash
nix run '.#inxos-install' -- <hostname>
nix run '.#provision-instance' -- <hostname>
```
<details>
<summary>NOTE</summary>
If you're creating and destroying instances on the same host name and have DNS caching trouble, you can run the following to connect using an IP address:
To update the NixOS config on an instance:
```bash
nix run '.#nixos-install' -- <hostname> <ip>
nix run '.#update-instance` -- <hostname>
```
</details>
TODO: Here should be some guidance on how to transfer RoleID/SecretID to the server, as well as running the post provisioning scripts for the servers that need it.
To delete the resources again run:
```bash
nix run '.#destroy-instance' -- <hostname>
```
NOTE: It is normal for the secret id associated with vault/openbao roles to not be deletable. Simply run the destroy-instance command a 2nd time and everything should work just fine.
## Secrets
To transfer the secrets needed for OpenTofu from Bitwarden to OpenBAO run:
To transfer the secrets needed for OpenTofu from Bitwarden to OpenBAO/Vault run:
```bash
nix run '.#bitwarden-to-vault'
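Review bot: the new update command in this hunk has mismatched quoting, `nix run '.#update-instance` -- <hostname>`, which opens with a single quote and closes with a backtick, so a shell copying it verbatim will wait for the closing `'` rather than run anything; it should read `nix run '.#update-instance' -- <hostname>` to match the `create-instance`, `provision-instance` and `destroy-instance` lines around it. Two smaller points on the same hunk: "eg. the approle" should be "e.g. the approle", and the note that the vault/openbao secret id is "not deletable" so `destroy-instance` must be run a second time documents a known failure of the teardown rather than fixing it; if the script can detect the already-removed or non-deletable secret id and continue, the README would not need to tell readers to retry.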