# fginfo-infra

This contains configuration files and build scripts for fginfo infrastructure.
See what's inside:

```
nix flake show 'https://git.fginfo.tu-bs.de/fginfo/admin/infra/-/archive/main/infra-main.tar.gz'
```

## Directory structure

| Path        | Description                                            |
| ----------- | ------------------------------------------------------ |
| `doc/`      | Collection of other documentation                      |
| `nixos/`    | Nix configuration for machines                         |
| `pkgs/`     | Packages such as wiki plugins and templates            |

## Installing the Nix toolchain

```
$ curl -L https://nixos.org/nix/install | sh
```

or see the [manual](https://nixos.org/download.html).

## Adding admins

Add an entry to `Admins.toml`.  This makes the key available in the
configuration and for encrypting secrets to it, and adds an admin account on all
services.  Then rekey the secrets using `agenix -r -i ~/.ssh/id_fginfo`.  See
also [agenix](https://github.com/ryantm/agenix).

## Installing

1. Build the VM image

This repo contains recipes to build deployable images of all VM hosts.  For
example, the following will build a disk image for the host *fginfo*.

```
# nix build .#fginfo-qcow
```

2. Set up secrets

Deploy the VM image and let the host generate its SSH keys.  Copy the host's
public key to `secrets/secrets.nix` and allow the host access to all secrets it
needs access to.  Then update the deployment on the host using

```
nix run .#deploy
```
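As an added illustration of the secrets step (not this repository's own `secrets/secrets.nix`), the following is a `secrets.nix` in the plain agenix format. All key strings are constructed placeholders; the secret file names and the variable names `alice` and `fginfo` are assumptions, and in this repo the admin keys come from `Admins.toml` rather than being written inline as they are here.

```nix
# Example agenix secrets.nix (added illustration, not this repo's file).
# Every key string below is a constructed placeholder.
let
  # Admin keys. In this repo they come from Admins.toml; listed inline here
  # because this is the plain agenix syntax.
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE alice@example";
  admins = [ alice ];

  # Host key: the contents of /etc/ssh/ssh_host_ed25519_key.pub as generated
  # by the freshly deployed VM (placeholder value).
  fginfo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERFGINFO root@fginfo";
in
{
  # Admins can edit this secret; only the fginfo host can decrypt it at runtime.
  "fginfo/wiki-db-password.age".publicKeys = admins ++ [ fginfo ];

  # A secret no host needs yet: admins only. Add a host key here later and run
  # `agenix -r` so the file is re-encrypted for the new recipient.
  "shared/smtp-password.age".publicKeys = admins;
}
```

Each `.age` file lists exactly the recipients that may decrypt it, so a host should appear only on the secrets it actually uses; after adding a key, rekeying with `agenix -r` re-encrypts the affected files, and without it the new recipient cannot read anything.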

## Updating certs

Certificate requests can be submitted online via Sectigo.  The Netze (NOC)
department reviews the request, and you receive an email once the request has
been answered.  More on this can be found in the [GITZ
documentation](https://doku.rz.tu-bs.de/doku.php?id=zertifikate:ssl-zert_fuer_dv-koord_kdd).

The initial CSR must still be created manually, as described under *Legacy*.
Renewal requests are then submitted directly through Sectigo, and the new
certificate is available for download there.

### Legacy

This was previously needed.

TU Braunschweig does not support getting certs with ACME, so certs have to be
applied for at GITZ.  Once a year the certs have to be renewed.  For this,
a new CSR is needed.  The configuration files for openssl with the required
settings are in `nixos/modules/<service>/openssl.cfg`.  Generate a new CSR using

```
# umask 77
# openssl req -config openssl.cfg -utf8 -new -key key.pem -out csr.pem
```

where `key.pem` is the path to the TLS private key for the host, `openssl.cfg`
is the path to the configuration file and `csr.pem` is the output path for the
certificate request.  For further details see the
[GITZ documentation](https://doku.rz.tu-bs.de/doku.php?id=zertifikate:ssl-zert_fuer_dv-koord_kdd).

## Updating

To update all systems, the lock file needs to be updated.

```
nix flake update --commit-lock-file
nix run .#deploy
```