All AWS resources are managed by Terraform. Machine configuration is managed with Nix, and all machines run NixOS.
All necessary programs and dependencies are provided by Nix in nix-shell
or nix develop
.
-
./terraform contains terraform expressions used to deploy all EC2 servers and Route53 zones&records for tezos.serokell.team and tezosagora.org
-
./common.nix provides common NixOS configuration defaults for all servers
-
./modules contains NixOS modules that aren't used outside the repo but could still be reused some day
-
./servers contains NixOS server descriptions. Usually just imports a profile and changes the default values to specific ones
-
./flake.nix defines repository dependencies, passes them down to
servers
and builds the final NixOS systems to be deployed. Also defines adevShell
containing packages used to deploy this repo and adeploy
attribute which describes how to deploy NixOS systems to servers. -
./flake.lock
is a lockfile containing dependency pins (git revisions) -
./default.nix
and./shell.nix
are for pre-flake nix compatibility.
Name | Function | IP |
---|
Cloud hardware required to run this repository is described using Terraform. Terraform is an Infrastructure as Code tool from Hashicorp. Read more here.
Terraform version that is used in this repo is pinned. Please use nix-shell
or nix develop
to get it.
Terraform resources are declared in terraform/
.
The first time you use it, you need to run terraform init
in that directory.
This will initialize local state and download any missing plugins.
Your main workhorse will be terraform apply
, which will print a diff view of
any resource changes, and ask you whether you want to commit them. Please read
this output carefully, as Terraform will not hesitate to nuke anything it thinks
needs nuking.
Server configurations are described in ./servers
.
To deploy all the servers, enter a shell (with nix develop
or nix-shell
)
and run deploy
.
You may wish to read deploy --help
to understand how to use the tool.
Secrets are stored in Vault. Serokell employees with Admin-level access need to generate approle credentials and push them to servers in order for services to work after redeployment. Example of how to do so:
$ # Enter a shell with dependencies and variables set
$ nix develop # or nix-shell
$ # Authenticate to vault
$ vault login # You may need to specify the login method
$ # Generate and push approles with accompanying security policies to Vault
$ vault-push-approles
<interaction omitted>
$ # Fetch approle credentials from Vault and push them to the server
$ vault-push-approle-envs
<interaction omitted>