Structured documentation

README.org

@@ -1,175 +1,13 @@
-* Installing
-** Fresh system (nixos USB drive)
-1. Open a nix-shell with git (if not installed):
-   #+BEGIN_SRC bash
-   nix-shell -p git
-   #+END_SRC
-
-2. Clone the flake
-   #+BEGIN_SRC bash
-   git clone https://git.samfelag.xyz/marc/samfelag.git
-   #+END_SRC
-
-3. Partition the disk
-   We'll partition the disk in the follwing way:
-   * 512MB at the beginning for the boot partition
-   * 8GB at the end for swap
-   * The rest (at the middle) for the filesystem (/)
-
-   1. Locate the disk
-      #+BEGIN_SRC bash
-      lsblk
-      #+END_SRC
-   2. Create a GPT partition table
-      #+BEGIN_SRC bash
-      sudo parted /dev/nvme0n1 -- mklabel gpt
-      #+END_SRC
-   3. Create the root partition
-      #+BEGIN_SRC bash
-      sudo parted /dev/nvme0n1 -- mkpart primary 512MB -8GB
-      #+END_SRC
-   4. Create the swap partition
-      #+BEGIN_SRC bash
-      sudo parted /dev/nvme0n1 -- mkpart primary linux-swap -8GB 100%
-      #+END_SRC
-   5. Create the boot partition
-      #+BEGIN_SRC bash
-      sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MB 512MB
-      sudo parted /dev/nvme0n1 -- set 3 esp on
-      #+END_SRC
-
-4. Format the partitions
-   1. Root partition
-      #+BEGIN_SRC bash
-      sudo mkfs.ext4 -L nixos /dev/nvme0n1p1
-      #+END_SRC
-   2. Swap partition
-      #+BEGIN_SRC bash
-      sudo mkswap -L swap /dev/nvme0n1p2
-      #+END_SRC
-   3. Boot partition
-      #+BEGIN_SRC bash
-      sudo mkfs.fat -F 32 -n BOOT /dev/nvme0n1p3
-      #+END_SRC
-
-5. Mount the filesystems
-   1. Root partition
-      #+BEGIN_SRC bash
-      sudo mount /dev/disk/by-label/nixos /mnt
-      #+END_SRC
-   2. Boot partition
-      #+BEGIN_SRC bash
-      sudo mkdir -p /mnt/boot
-      sudo mount /dev/disk/by-label/BOOT /mnt/boot
-      #+END_SRC
-   3. Swap partition (if needed)
-      #+BEGIN_SRC bash
-      sudo swapon /dev/disk/by-label/swap
-      #+END_SRC
-
-6. Create the host nix configuration
-   If the host is not present under system/hosts, create a new folder for the host.
-   Generate the hardware configuration file, you can use nixos-generate-config as a base:
-   #+BEGIN_SRC bash
-   nixos-generate-config --dir <<host directory>> --no-filesystems
-   #+END_SRC
-
-7. Install nixos!
-   #+BEGIN_SRC bash
-   sudo nixos-install --impure --root /mnt --flake '.#reykjavik'
-   #+END_SRC
-
-8. Set up the user
-   You'll set the root password during the installation. You can then reboot and use the installed OS. First thing you'll have to do is log in as root and set the password for your user:
-   #+BEGIN_SRC bash
-   passwd marc
-   #+END_SRC
-
-** Fresh system (vultr)
-1. [Optional] Set the root password via the Vultr Console, so you can ssh to the instance
-
-2. Open a nix-shell with git (if not installed):
-   #+BEGIN_SRC bash
-   nix-shell -p git
-   #+END_SRC
-
-3. Clone the flake
-   #+BEGIN_SRC bash
-   git clone https://git.samfelag.xyz/marc/samfelag.git
-   #+END_SRC
-
-4. Partition the disk
-   We'll partition the disk in the follwing way:
-   * 512MB at the beginning for the boot partition
-   * 8GB at the end for swap
-   * The rest (at the middle) for the filesystem (/)
-
-   * Locate the disk
-     #+BEGIN_SRC bash
-     lsblk
-     #+END_SRC
-   * Create a MBR partition table
-     #+BEGIN_SRC bash
-     sudo parted /dev/vda -- mklabel msdos
-     #+END_SRC
-   * Create the root partition
-     #+BEGIN_SRC bash
-     sudo parted /dev/vda -- mkpart primary 1MiB -8GiB
-     #+END_SRC
-   * Create the swap partition
-     #+BEGIN_SRC bash
-     sudo parted /dev/vda -- mkpart primary linux-swap -8GiB 100%
-     #+END_SRC
-   * Create the boot partition
-     #+BEGIN_SRC bash
-     sudo parted /dev/vda -- mkpart ESP fat32 1MB 512MB
-     sudo parted /dev/vda -- set 3 esp on
-     #+END_SRC
-
-5. Format the partitions
-   1. Root partition
-      #+BEGIN_SRC bash
-      sudo mkfs.ext4 -L nixos /dev/vda1
-      #+END_SRC
-   2. Swap partition
-      #+BEGIN_SRC bash
-      sudo mkswap -L swap /dev/vda2
-      #+END_SRC
-
-6. Mount the filesystems
-   1. Root partition
-      #+BEGIN_SRC bash
-      sudo mount /dev/disk/by-label/nixos /mnt
-      #+END_SRC
-   2. Swap partition (if needed)
-      #+BEGIN_SRC bash
-      sudo swapon /dev/disk/by-label/swap
-      #+END_SRC
-
-7. Create the host nix configuration
-   If the host is not present under system/hosts, create a new folder for the host.
-   Generate the hardware configuration file, you can use nixos-generate-config as a base:
-   #+BEGIN_SRC bash
-   nixos-generate-config --dir <<host directory>> --no-filesystems
-   #+END_SRC
-
-8. Install nixos!
-   #+BEGIN_SRC bash
-   sudo nixos-install --impure --root /mnt --flake '.#vultr-test'
-   #+END_SRC
-
-9. Set up the user
-   You'll set the root password during the installation. You can then reboot and use the installed OS. First thing you'll have to do is log in as root and set the password for your user:
-   #+BEGIN_SRC bash
-   passwd marc
-   #+END_SRC
-
-* Rebuilding
-   #+BEGIN_SRC bash
-   sudo nixos-rebuild switch --impure --flake '.#reykjavik'
-   #+END_SRC
-
-* Modules
-** Desktop environment
-*** Themeing
+* NixOS
+** [[file:docs/install.org][Installing]]
+** Rebuilding
+#+BEGIN_SRC bash
+sudo nixos-rebuild switch --impure --flake '.#reykjavik'
+#+END_SRC
+** Modules
+*** Desktop environment
+**** Themeing
 We use [[https://github.com/Misterio77/nix-colors][nix-colors]] to (try to) keep a consistent theme across all applications. This uses [[https://github.com/chriskempson/base16][base-16 themes]] (here is a [[https://github.com/chriskempson/base16/blob/main/styling.md][styiling guide]] for it).
+* Samfelag Mesh
+** [[file:docs/hosts.org][Hosts]]
+** [[file:docs/consul.org][Consul]]

docs/consul.org

@@ -0,0 +1,68 @@
+#+title: Consul
+* ACLs
+** Policies
+*** Node Policy
+Policy for agent tokens
+#+begin_src hcl
+agent_prefix "" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "write"
+}
+service_prefix "" {
+  policy = "read"
+}
+session_prefix "" {
+  policy = "read"
+}
+#+end_src
+*** Nomad client
+Policy for nomad clients (to be added in the consul.token field in the nomad config)
+#+begin_src hcl
+agent_prefix "" {
+  policy = "read"
+}
+
+node_prefix "" {
+  policy = "read"
+}
+
+service_prefix "" {
+  policy = "write"
+}
+#+end_src
+*** Nomad server
+Policy for nomad servers (to be added in the consul.token field in the nomad config)
+#+begin_src hcl
+agent_prefix "" {
+  policy = "read"
+}
+
+node_prefix "" {
+  policy = "read"
+}
+
+service_prefix "" {
+  policy = "write"
+}
+
+acl = "write"
+#+end_src
+** Node Agent Token
+Create a token at http://hvannadal:8500/ui/samfelag/acls/tokens with the node policy.
+Create the consul config file and encrypt it via agenix:
+#+begin_src bash
+agenix -e consul.d/agent-token-<host>.json.age
+#+end_src
+JSON config:
+#+begin_src json
+{
+  "acl": {
+    "tokens": {
+      "default": "<AGENT_TOKEN>",
+      "agent": "<AGENT_TOKEN>"
+    }
+  }
+}
+#+end_src

docs/hosts.org

@@ -0,0 +1,35 @@
+#+title: Hosts
+* [[file:../hosts/reykjavik/README.org][Reykjavik]]
+* [[file:../hosts/kopavogur/README.org][Kopavogur]]
+* <<new_host>> Setting up a new host
+** Generate a host ssh key pair
+Generate the key pair (we'll use the name `id_<host>`)
+#+BEGIN_SRC bash
+ssh-keygen -f id_<host>
+#+END_SRC
+Encrypt the private key if you want to put it in the repo:
+#+begin_src bash
+gpg -r marc@sastre.cat -e id_<host>
+#+end_src
+You can decrypt it later with:
+#+begin_src bash
+gpg -d id_<host>.gpg > id_<host>
+#+end_src
+** Add the public key to secrets.nix
+In the [[file:../secrets/secrets.nix][agenix secrets file]] add the public key, and give access to the necessary secrets.
+** SSH public key authentication
+Setting up authentication from localhost (client) to remotehost (server). On localhost run:
+#+BEGIN_SRC bash
+ssh-keygen -f ~/.ssh/remotehost
+ssh-copy-id -i ~/.ssh/remotehost remotehost-or-ip
+#+END_SRC
+We may want to edit the ssh config file to use this ssh key when connection to remotehost:
+#+BEGIN_SRC
+Host remotehost
+  # HostName 192.168.1.105
+  # Port 22
+  # User user
+
+  IdentitiesOnly yes
+  IdentityFile ~/.ssh/remotehost
+#+END_SRC

docs/install.org

@@ -0,0 +1,114 @@
+#+title: Installing
+* Set up
+** If new host, follow [[new_host][Setting up a new host]]
+** Open a nix-shell with dependencies
+#+BEGIN_SRC bash
+nix shell nixpkgs#git
+#+END_SRC
+** Obtain the flake
++ Via git clone
+#+BEGIN_SRC bash
+git clone https://git.samfelag.xyz/marc/samfelag.git
+#+END_SRC
++ Via scp (in this case, from local to remote)
+#+BEGIN_SRC bash
+scp samfelag marc@remotehost:samfelag
+#+END_SRC
+** Copy the host ssh key
+Obtain the host ssh *private* key. You can decrypt it using gpg:
+#+begin_src bash
+gpg -d secrets/ssh-keys/id_<host>.gpg > /etc/ssh/id_<host>
+#+end_src
+Copy the ssh keys to `/etc/ssh`
+* Partition the disk
+We'll partition the disk in the follwing way:
++ 512MB at the beginning for the boot partition
++ 8GB at the end for swap
++ The rest (at the middle) for the filesystem (/)
+** Locate the disk
+#+BEGIN_SRC bash
+lsblk
+#+END_SRC
+** UEFI Boot
+1. Create a GPT partition table
+   #+BEGIN_SRC bash
+sudo parted /dev/nvme0n1 -- mklabel gpt
+   #+END_SRC
+2. Create the root partition
+   #+BEGIN_SRC bash
+sudo parted /dev/nvme0n1 -- mkpart primary 512MB -8GB
+   #+END_SRC
+3. Create the swap partition
+   #+BEGIN_SRC bash
+sudo parted /dev/nvme0n1 -- mkpart primary linux-swap -8GB 100%
+   #+END_SRC
+4. Create the boot partition
+   #+BEGIN_SRC bash
+sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MB 512MB
+sudo parted /dev/nvme0n1 -- set 3 esp on
+   #+END_SRC
+** MBR boot
+1. Create a MBR partition table
+  #+BEGIN_SRC bash
+sudo parted /dev/vda -- mklabel msdos
+  #+END_SRC
+2. Create the root partition
+  #+BEGIN_SRC bash
+sudo parted /dev/vda -- mkpart primary 1MiB -8GiB
+  #+END_SRC
+3. Create the swap partition
+  #+BEGIN_SRC bash
+sudo parted /dev/vda -- mkpart primary linux-swap -8GiB 100%
+  #+END_SRC
+4. Create the boot partition
+  #+BEGIN_SRC bash
+sudo parted /dev/vda -- mkpart ESP fat32 1MB 512MB
+sudo parted /dev/vda -- set 3 esp on
+  #+END_SRC
+* Format the partitions
+1. Root partition
+   #+BEGIN_SRC bash
+sudo mkfs.ext4 -L nixos /dev/nvme0n1p1
+   #+END_SRC
+2. Swap partition
+   #+BEGIN_SRC bash
+sudo mkswap -L swap /dev/nvme0n1p2
+   #+END_SRC
+3. Boot partition (if UEFI boot)
+   #+BEGIN_SRC bash
+sudo mkfs.fat -F 32 -n BOOT /dev/nvme0n1p3
+   #+END_SRC
+* Mount the filesystems
+1. Root partition
+   #+BEGIN_SRC bash
+sudo mount /dev/disk/by-label/nixos /mnt
+   #+END_SRC
+2. Boot partition (if UEFI boot)
+   #+BEGIN_SRC bash
+sudo mkdir -p /mnt/boot
+sudo mount /dev/disk/by-label/BOOT /mnt/boot
+   #+END_SRC
+3. Swap partition (if needed)
+   #+BEGIN_SRC bash
+sudo swapon /dev/disk/by-label/swap
+   #+END_SRC
+* Create the host nix configuration
+If the host is not present under system/hosts, create a new folder for the host.
+Check [[Setting up a new host]] for further documentation.
+Generate the hardware configuration file, you can use nixos-generate-config as a base:
+#+BEGIN_SRC bash
+nixos-generate-config --dir <<host directory>> --no-filesystems
+#+END_SRC
+* Install nixos!
+#+BEGIN_SRC bash
+sudo nixos-install --impure --root /mnt --flake '.#reykjavik'
+#+END_SRC
+* Copy the ssh deploy key (again)
+#+begin_src bash
+cp /etc/ssh/samfelag_agenix* /mnt/etc/ssh
+#+end_src
+* Set up the user
+You'll set the root password during the installation. You can then reboot and use the installed OS. First thing you'll have to do is log in as root and set the password for your user:
+#+BEGIN_SRC bash
+passwd marc
+#+END_SRC