forked from afnix/infra
Repository for AFNix-managed infrastructure
| common | ||
| dashboards | ||
| dnscontrol | ||
| hosts | ||
| lib | ||
| macos/mdm-scripts | ||
| netboot/arm64 | ||
| overlays | ||
| pki | ||
| secrets | ||
| services | ||
| terraform | ||
| vm | ||
| .editorconfig | ||
| .envrc | ||
| .gitattributes | ||
| .gitignore | ||
| baremetal-nodes.nix | ||
| builders.nix | ||
| colmena.nix | ||
| default.nix | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE | ||
| README.md | ||
| renovate.json | ||
| secrets.nix | ||
| tasks.py | ||
Infrastructure for the donut shaped thing that is absolutely not a donut.
Quick start
Enter our dev-shell for things like our colmena wrapper, secrets helper and required binaries:
$ nix develop
Build the infrastructure
$ colmena build --on @localboot
Notice that @localboot is load-bearing as we have some machines that cannot be deployed with vanilla Colmena. Fixing this is welcome.
Recommended deploy process
$ colmena apply dry-activate $machine # Verify that the nvd log is reasonable.
$ colmena apply $machine
Recommended upgrade process
$ nix flake update
$ colmena apply dry-activate --on @localboot # Verify that the nvd log is reasonable. Run it twice to get only NVD logs shown.
$ colmena apply --on @localboot
Deploy the Terraform infrastructure
$ vault-login
$ eval "$(get-secrets)"
$ nix run .#tf -- plan # Vanilla Terraform from there.
$ nix run .#tf -- apply
Make changes to DNS via dnscontrol
$ vault-login
$ eval "$(get-secrets)"
$ cd dnscontrol
$ dnscontrol preview # preview the changes without applying them
$ dnscontrol push # apply changes
Troubleshooting
I failed to deploy gerrit01
Our Gerrit source build is known to have some hiccups sometimes, we are always interested in build logs, feel free to attach information in a new issue so we can make it more reliable.
get-secrets fails
Are you a floral-admin ? If not, please get in touch with one of the superadmins.