Skip to content

Nix Ops for Terraform, Consul, Vault, Nomad

License

Notifications You must be signed in to change notification settings

complexcircuit/bitte

 
 

Repository files navigation

Bitte

Bitte is designed to run Nomad tasks large-scale on AWS.

Overview

The current stack consists of:

Provisioning and deployment is done with Nix and Hashicorp Terraform. The Terraform configuration consists of JSON generated by Nix.

The project is structured into clusters, modules, profiles, and jobs.

Cluster instances import profiles, that configure modules. Once the cluster is deployed, Nomad jobs can be scheduled.

Each cluster contains 3 core nodes that run server instances of Consul & Vault & Nomad. Alongside the core nodes, you can specify auto-scaling groups spread across regions and availability zones that in turn host the client instances and actually run the Nomad jobs.

The Terraform configuration can be found under modules/terraform and each file specifies a Terraform workspace.

To help manage this complexity, we also provide the bitte-cli tool. Please note that this is still under heavy development and the CLI options may break in newer versions.

We haven't fully automated deployments yet, there are some manual steps involved, mostly due to inherent complexity and security:

  • Create NS entries pointing to the generated route53 zone.
  • Generate or choose a KMS key.
  • Ensure you have the necessary permissions for your IAM user.

Usage

Nix

First you'll need to have Nix installed. We're using an experimental feature called flakes which increases speed of development and deployment drastically, but still requires a bit of preparation.

To enable flake support, add the following line to ~/.config/nix/nix.conf:

experimental-features = nix-command flakes

If you don't use nixUnstable or nixFlakes system-wide yet, you can simply invoke nix-shell --run 'nix develop' to get all required dependencies in scope.

Terraform

Prerequisites

Set your cluster name in the BITTE_CLUSTER environment variable. It's also convenient to set the AWS_PROFILE and have proper default values for the region. Let's assume we want to work on the atala-testnet. Then we need to have these settings:

cat ~/.aws/config
[profile atala-testnet]
region = eu-central-1

cat ~/.aws/credentials
[atala-testnet]
aws_access_key_id=XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

export BITTE_CLUSTER=atala-testnet
export AWS_PROFILE="$BITTE_CLUSTER"

To create new deployment from scratch, run the following commands:

bitte terraform network
bitte terraform core
bitte terraform consul
bitte terraform clients

Rebuild

This is the equivalent to nixos-rebuild. In the core workspace it will only rebuild the core instances. In the clients workspace it will include the instances in all auto-scaling groups.

The --dirty flag is used for rebuilds that use the current directory as base, and doesn't require committing all files.

bitte rebuild --dirty
bitte rebuild --dirty --only monitoring

Debugging

To establish a connection to an instance, you can use bitte ssh and pass the name. This also works in the core and clients workspaces.

bitte ssh monitoring
bitte ssh monitoring -- date

Consul

It's responsible for simple distributed KV storage, service discovery, and service mesh communication. In particular we use Consul Connect to facilitate inter-job communication in Nomad, Consul DNS for discovery, and Consul KV for Vault.

Nomad

A workload orchestrator that makes sure our jobs run as efficiently as possible.

Jobs

Nomad jobs should be stored in the jobs directory.

Administration

Vault

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data.

secrets:

/etc/ssl/certs/ca.pem

cfssl gencert -initca | cfssljson -bare ca

/etc/ssl/certs/cert.pem

/etc/ssl/certs/cert-key.pem

  cfssl gencert \
    -ca ca.pem \
    -ca-key ca-key.pem \
    -config "${caConfigJson}" \
    -profile bootstrap \
    cert.config

/etc/ssl/certs/full.pem

/etc/consul.d/secrets.json

{
    "acl": {
        "tokens": {
            "master": "uuid"
        }
    },
    "encrypt": "consul keygen"
}

/etc/consul.d/tokens.json

{
  "acl": {
    "tokens": {
      "default": "consul generated",
      "agent": "consul generated"
    }
  }
}

/etc/nomad.d/consul-token.json

{
  "consul": {
    "token": "consul generated"
  }
}

/etc/nomad.d/secrets.json

{
  "encrypt": "nomad operator keygen"
}

About

Nix Ops for Terraform, Consul, Vault, Nomad

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Nix 89.7%
  • Rust 4.2%
  • CUE 3.6%
  • Shell 1.8%
  • Other 0.7%