There are two environments defined in this project:
- testing, where the latest main of each project is deployed automatically by the CI
- staging, where the latest release of each project is deployed manually (potentially automated in the future)
Each service is deployed as a hardened systemd service.
The steward service is configured with a CA certificate and key and runs on an unprivileged port. The service itself only handles plain HTTP; TLS is terminated in front of it by an Nginx reverse proxy using Let's Encrypt certificates. Nginx listens on ports 443 and 80 (80 is redirected to 443) and forwards the requests to the underlying service.
The drawbridge service is configured with the Steward CA certificate, as well as a server certificate and key, and runs on an unprivileged port. The service itself handles HTTPS traffic, but it sits behind an Nginx reverse proxy that listens on ports 443 and 80 (80 is redirected to 443) and forwards the requests to the underlying service.
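As an added illustration (not the project's own configuration), here is one way the two Nginx front-ends described above could be laid out: TLS terminated at Nginx for steward, and for drawbridge a TCP passthrough on 443 so that the service's own server certificate is what clients see end to end (a layer-7 proxy_pass to https:// would also match the description, but it re-terminates TLS at Nginx). The example.org hostnames, the upstream ports 8080/8443 and the certificate paths are assumptions.

```nginx
# Added example, not the project's own configuration. Hostnames, upstream
# ports and certificate paths below are assumptions.

# --- steward host: Nginx terminates TLS (Let's Encrypt) and forwards
# --- plain HTTP to the service on its unprivileged port.
http {
    server {
        listen 80;
        server_name steward.example.org;
        return 301 https://$host$request_uri;     # port 80 -> 443 redirect
    }
    server {
        listen 443 ssl;
        server_name steward.example.org;
        ssl_certificate     /etc/letsencrypt/live/steward.example.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/steward.example.org/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        location / {
            proxy_pass http://127.0.0.1:8080;      # assumed steward port
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# --- drawbridge host: the service does its own TLS with its server
# --- certificate, so Nginx relays the raw TCP connection on 443 instead
# --- of terminating it (stream context), and only answers port 80 itself
# --- to redirect to HTTPS (http context).
stream {
    server {
        listen 443;
        proxy_pass 127.0.0.1:8443;             # assumed drawbridge port
    }
}
http {
    server {
        listen 80;
        server_name drawbridge.example.org;
        return 301 https://$host$request_uri;
    }
}
```

With the passthrough variant, any certificate checks drawbridge performs on its peers stay inside the service, since Nginx never sees the plaintext.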
A dedicated deploy user is used for deployment.
The only dependency for deployment is nix, which is platform-agnostic and well supported on Linux and macOS.
If you do not wish to install it, you can also run it via Docker/Podman. For example:
$ docker run -w $(pwd) -v $(pwd):$(pwd) -v $(mktemp -d):/nixpkgs nixos/nix nix --extra-experimental-features 'nix-command flakes' develop -c deploy
Note: if you do this, you probably want to avoid using a temporary directory for the nixpkgs cache, since nix would then have to download all dependencies of the project on each invocation.
Instead, it is highly recommended to keep the Nix store in a persistent location (e.g. by defining a volume) so that the cache does not have to be rebuilt on every invocation.
From within nix develop shell:
$ bootstrap
This will generate keys and certificates for all hosts.
serokell/deploy-rs is used for deployment. (Note: the tool does not need to be installed separately, as it is already present in the nix development shell.)
To deploy all instances, run deploy from the root of this repository.
From within nix develop shell:
$ deploy
Or, to deploy a specific instance:
$ deploy '.#store-testing'
Repository layout:
- hosts directory contains host-specific assets and tooling, e.g. TLS certificates and a script to generate them
- flake.nix contains the definitions of all nodes in the network