
WIP - exposing to the internet

shmish111 committed Jun 12, 2019
1 parent 33ddf9e commit cc9f28073636953eaa4b6d378978ba9d0580f10a
@@ -6,4 +6,20 @@ Note that for simplicity it will exclude the `nixops` machine so if you make cha

## Deployment

The deployment server is run on the nixops server however it is only enabled if the `githubWebhookKey` is present in `secrets.json`.
The deployment server is run on the nixops server however it is only enabled if the `githubWebhookKey` is present in `secrets.json`.

The deployment server relies on a nixops deployment called `playgrounds` existing. The reason for this is that it's difficult to manage ssh keys for the service however when a deployment is created the keys it is created with are stored in the state. Additionally this means you can rollback the deployment manually etc. Hopefully you called your original deployment `playgrounds` however if you didn't you can just create a new deployment with that name and delete the old one with the `--force` flag set.

If you're using the deployment server then whenever you deploy manually you will need to do `nixops modify ./default.nix ./network.nix -d playgrounds` first.

## Security

As far as I understand, the service needs to be run as root in order to run the deployment so there are limits on how much we can lock down this service.

## TODO

* The server needs to be locked down a bit
* Expose to the internet
* Alert somewhere when deployment succeeds or fails
* Fix nixpkgsLocation FIXME
* Enable configuration of branch to deploy (not high priority)
@@ -41,7 +41,7 @@ The individual machines now exist but have nothing installed on them. We configu
6. Switch to the branch you want to work with e.g. `git checkout master`
7. Move into the nixops directory `cd deployment/nixops/`
8. Create a file called `secrets.json` that is based on [the example file](./nixops/secrets.json.example)
9. Create a new deployment `nixops create ./default.nix ./network.nix -d plutus-playground`
9. Create a new deployment `nixops create ./default.nix ./network.nix -d playgrounds`
10. Deploy the new deployment `nixops deploy`
11. You should now be able to reach the playground at [https://myname.plutus.iohkdev.io] (https://myname.plutus.iohkdev.io) and meadow at [https://myname.marlowe.iohkdev.io] (https://myname.marlowe.iohkdev.io)

@@ -56,3 +56,7 @@ Most of the time, an environment can be updated without touching terraform at al
In the case that terraform code is altered in a way that re-created the nixops machine, you will need to go through the entire `Configure the machines` section above. If the nixops machine is not altered, you will be able to copy `machine.json` and just `nixops deploy` after applying terraform code.

WARNING: altering some ssh keys in terraform instances can result in machines being recreated. Ensure with others using machines that it's okay to bring down everything before running any terraform commands. Also a close inspection of `terraform plan` can help assess the danger of running `terraform apply`. Usually you don't want to change these keys anyway as user keys are managed by nixops. As an example, changing `var.nixops_ssh_keys` will result in the nixops machine being re-created however changing `var.playground_ssh_keys` will only change the `machines.json` file that nixops uses.

## Deployment Server

If you wish to use the continuous delivery deployment server then please read the [Readme](../deployment-server/README.md).
@@ -1,11 +1,8 @@
{ machines, stdOverlays, ... }: node: pkgs:
{ machines, stdOverlays, nixpkgsLocation, ... }: node: pkgs:
{
nixpkgs.overlays = stdOverlays;
nix = {
# FIXME: https://github.com/NixOS/nixpkgs/pull/57910
# Changes from jbgi have been squashed into my repo as jbgi/prometheus2 wasn't working for unrelated reasons
# Once 19.03 is released we should upgrade to that and we should be able to remove this
nixPath = [ "nixpkgs=https://github.com/shmish111/nixpkgs/archive/c73222f0ef9ba859f72e5ea2fb16e3f0e0242492.tar.gz"
nixPath = [ "nixpkgs=${nixpkgsLocation}"
];
binaryCaches = [ https://hydra.iohk.io https://cache.nixos.org https://mantis-hydra.aws.iohkdev.io ];
requireSignedBinaryCaches = false;
@@ -26,7 +26,11 @@ let
playgroundConfig = mkConfig "https://${machines.environment}.${machines.plutusTld}" "playground.yaml";
meadowConfig = mkConfig "https://${machines.environment}.${machines.marloweTld}" "marlowe.yaml";
stdOverlays = [ overlays.journalbeat ];
options = { inherit stdOverlays machines defaultMachine plutus secrets; };
# FIXME: https://github.com/NixOS/nixpkgs/pull/57910
# Changes from jbgi have been squashed into my repo as jbgi/prometheus2 wasn't working for unrelated reasons
# Once 19.03 is released we should upgrade to that and we should be able to remove this
nixpkgsLocation = "https://github.com/shmish111/nixpkgs/archive/c73222f0ef9ba859f72e5ea2fb16e3f0e0242492.tar.gz";
options = { inherit stdOverlays machines defaultMachine plutus secrets nixpkgsLocation; };
defaultMachine = (import ./default-machine.nix) options;
meadowOptions = options // { serviceConfig = meadowConfig;
serviceName = "meadow";
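Review bot: The new `nixpkgsLocation` is a bare tarball URL with no content hash, and this commit feeds it to both `nixPath` in default-machine.nix and the deployment server's `--include nixpkgs=`, so root-level deployments now fetch their nixpkgs without any integrity verification; the commit id in the URL fixes the git tree, but the archive bytes are whatever the host serves at that moment. Since the FIXME already marks this as temporary, the cheap hardening until 19.03 is to pin it as a fetched store path, e.g. `nixpkgsLocation = builtins.fetchTarball { url = "https://github.com/shmish111/nixpkgs/archive/c73222f0ef9ba859f72e5ea2fb16e3f0e0242492.tar.gz"; sha256 = "<hash>"; };`, which both consumers should accept as a `nixpkgs=` entry (worth confirming for the nixops `--include` case). The enclosing `let` starts outside the hunk.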
@@ -1,4 +1,4 @@
{ mkInstance = { machines, defaultMachine, secrets, githubhooks, configDir, enableGithubHooks, ... }: node: { config, pkgs, lib, ... }:
{ mkInstance = { machines, defaultMachine, secrets, githubhooks, configDir, enableGithubHooks, nixpkgsLocation, ... }: node: { config, pkgs, lib, ... }:

let
servers = [machines.meadowA machines.meadowB machines.playgroundA machines.playgroundB];
@@ -82,7 +82,7 @@ in

networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 3000 ];
allowedTCPPorts = [ 22 3000 4000 ];
};

users.users.nixops =
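Review bot: Adding 4000 to `allowedTCPPorts` exposes the deployment server to every host the security group admits, not only the ALB, and the NixOS firewall offers no source filtering here, so the restriction has to be enforced in the Terraform security group rather than on this line. A comment on the new entry would spare the next reader a search: `allowedTCPPorts = [ 22 3000 4000 ]; # 4000: GitHub webhook deployment server, fronted by the ALB`. If `deployment-server-exe` supports a bind address option (not visible in this commit), binding to the instance's private address would be a cheap second layer.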
@@ -184,7 +184,7 @@ in
systemd.services.githubhooks = {
enable = enableGithubHooks;
path = ["${githubhooks}" pkgs.git pkgs.nixops pkgs.nix pkgs.gnutar pkgs.gzip ];
script = "deployment-server-exe --keyfile ${configDir}/secrets.json --port 8080 --configDir ${configDir} --stateFile /root/.nixops/deployments.nixops --include nixos=/root/.nix-defexpr/channels/nixos --include nixpkgs=https://github.com/shmish111/nixpkgs/archive/c73222f0ef9ba859f72e5ea2fb16e3f0e0242492.tar.gz";
script = "deployment-server-exe --keyfile ${configDir}/secrets.json --port 4000 --configDir ${configDir} --stateFile /root/.nixops/deployments.nixops --include nixos=/root/.nix-defexpr/channels/nixos --include nixpkgs=${nixpkgsLocation}";
};
};
}
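Review bot: With port 4000 now published through the ALB in this same commit, the only authentication on the path to this root-run service is whatever `deployment-server-exe` does with `githubWebhookKey` from the `--keyfile`; the ALB host-header rule is routing, not access control. Please confirm that the server rejects any request whose GitHub `X-Hub-Signature` HMAC does not verify before it touches `/root/.nixops/deployments.nixops`, and record that assumption next to the `script` line, e.g. `# Internet-facing via the ALB: deployment-server-exe must verify the GitHub webhook HMAC (githubWebhookKey) before running nixops as root`. The enclosing `in` block begins outside the hunk.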
@@ -196,6 +196,44 @@ resource "aws_route53_record" "meadow_alb" {
}
}

# Github Webhook
resource "aws_alb_target_group" "github_webhook" {
port = "80"
protocol = "HTTP"
vpc_id = "${aws_vpc.plutus.id}"
}

resource "aws_alb_listener_rule" "github_webhook" {
depends_on = ["aws_alb_target_group.github_webhook"]
listener_arn = "${aws_alb_listener.playground.arn}"
priority = 103
action {
type = "forward"
target_group_arn = "${aws_alb_target_group.github_webhook.id}"
}
condition {
field = "host-header"
values = ["${local.github_webhook_domain_name}"]
}
}

resource "aws_alb_target_group_attachment" "github_webhook" {
target_group_arn = "${aws_alb_target_group.github_webhook.arn}"
target_id = "${aws_instance.nixops.id}"
port = "4000"
}

resource "aws_route53_record" "github_webhook_alb" {
zone_id = "${var.monitoring_public_zone}"
name = "${local.github_webhook_domain_name}"
type = "A"
alias {
name = "${aws_alb.plutus.dns_name}"
zone_id = "${aws_alb.plutus.zone_id}"
evaluate_target_health = true
}
}

# Monitoring
resource "aws_alb_target_group" "monitoring" {
port = "80"
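Review bot: The new `github_webhook` target group defines no `health_check`, so the ALB default (`GET /` expecting a 200) applies, and with `evaluate_target_health = true` on the Route53 alias a deployment server that does not answer `/` will be flagged unhealthy; add an explicit `health_check { path = "<endpoint the server answers>" }` once its routes are known (they are not visible here). The rule hangs off `aws_alb_listener.playground`, whose protocol is declared outside this hunk — if that listener is HTTPS, only the ALB-to-instance hop is plaintext HTTP (port 4000 inside the VPC), which is acceptable, but if it is plain HTTP the webhook payload and signature header cross the internet in the clear and should move to an HTTPS listener. Since the listener rule cannot restrict GitHub's source addresses, the endpoint's security rests entirely on signature verification in the server, which deserves a comment above `# Github Webhook`.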
@@ -209,7 +247,6 @@ resource "aws_alb_target_group" "monitoring" {
}
}


resource "aws_alb_listener_rule" "monitoring" {
depends_on = ["aws_alb_target_group.monitoring"]
listener_arn = "${aws_alb_listener.playground.arn}"
@@ -1,5 +1,6 @@
locals {
monitoring_domain_name = "${var.monitoring_full_domain != "" ? var.monitoring_full_domain : "${var.env}.${var.monitoring_tld}"}"
github_webhook_domain_name = "github.${var.env}.${var.monitoring_tld}"
meadow_domain_name = "${var.meadow_full_domain != "" ? var.meadow_full_domain : "${var.env}.${var.meadow_tld}"}"
plutus_domain_name = "${var.plutus_full_domain != "" ? var.plutus_full_domain : "${var.env}.${var.plutus_tld}"}"
}
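Review bot: `github_webhook_domain_name` is the only local in this block without a `*_full_domain` override, unlike `monitoring_domain_name`, `meadow_domain_name` and `plutus_domain_name`; for consistency consider `github_webhook_domain_name = "${var.github_webhook_full_domain != "" ? var.github_webhook_full_domain : "github.${var.env}.${var.monitoring_tld}"}"` with a matching variable defaulting to `""`. It also lives under the monitoring TLD rather than the plutus one, which may be deliberate given the record is created in `var.monitoring_public_zone`, but a one-line comment saying so would stop someone "fixing" it later.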
@@ -18,6 +18,13 @@ resource "aws_security_group" "nixops" {
cidr_blocks = ["${var.public_subnet_cidrs}"]
}

ingress {
from_port = "4000"
to_port = "4000"
protocol = "TCP"
cidr_blocks = ["${var.public_subnet_cidrs}", "${var.private_subnet_cidrs}"]
}

ingress {
from_port = "3000"
to_port = "3000"
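Review bot: The new ingress rule admits port 4000 from every public and private subnet CIDR, while the only intended client is the ALB (`aws_alb_target_group_attachment.github_webhook` in this commit), so any other instance in those subnets can call the root-running deployment server directly and bypass the ALB's host-header routing. Prefer referencing the ALB's security group instead of CIDRs — its resource is outside this chunk, so the name is a guess: `security_groups = ["${aws_security_group.alb.id}"]` in place of the `cidr_blocks` line. The existing 3000 rule below uses the same CIDR pattern, so this may be a deliberate convention; if it stays, a comment such as `# 4000: deployment server, should only be reached via the ALB` would at least document the intent.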

