DGNum/infrastructure
12
6
Fork 3
Code Issues 17 Pull requests 30 Projects 1 Releases Packages Wiki Activity Actions 2

chore(nixfmt): Format all files since nixfmt version changed
Some checks failed
Run pre-commit on all files / pre-commit (push) Waiting to run
Details
Check meta / check_dns (pull_request) Successful in 18s
Details
Check meta / check_meta (pull_request) Successful in 18s
Details
Check workflows / check_workflows (pull_request) Successful in 25s
Details
Build all the nodes / ap01 (pull_request) Successful in 1m11s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m55s
Details
Build all the nodes / geo01 (pull_request) Successful in 2m16s
Details
Build all the nodes / geo02 (pull_request) Successful in 1m52s
Details
Build all the nodes / netcore02 (pull_request) Successful in 34s
Details
Build all the nodes / compute01 (pull_request) Failing after 3m10s
Details
Build all the nodes / hypervisor02 (pull_request) Successful in 1m54s
Details
Build all the nodes / hypervisor01 (pull_request) Successful in 2m5s
Details
Build all the nodes / hypervisor03 (pull_request) Successful in 2m3s
Details
Build all the nodes / rescue01 (pull_request) Successful in 1m58s
Details
Build all the nodes / storage01 (pull_request) Successful in 2m0s
Details
Build all the nodes / tower01 (pull_request) Successful in 2m0s
Details
Build the shell / build-shell (pull_request) Successful in 33s
Details
Build all the nodes / web02 (pull_request) Successful in 1m54s
Details
Run pre-commit on all files / pre-commit (pull_request) Successful in 37s
Details
Build all the nodes / vault01 (pull_request) Successful in 2m6s
Details
Build all the nodes / web01 (pull_request) Successful in 2m32s
Details
Build all the nodes / web03 (pull_request) Successful in 1m37s
Details

Browse source
This commit is contained in:
sinavir 2025-01-07 11:35:06 +01:00
parent 599709baf1
commit 4fe4118009
No known key found for this signature in database
26 changed files with 212 additions and 174 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
default.nix
View file

@ -177,24 +177,27 @@ in
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
packages =
[
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
]
++ git-checks.enabledPackages
++ (builtins.attrValues scripts);
shellHook = builtins.concatStringsSep "\n" [
git-checks.shellHook

5
hive.nix
View file

@ -8,8 +8,9 @@ let
sources' = import ./npins;
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
sources =
builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; }).applyPatches'
sources';
nix-lib = import ./lib/nix-lib;
inherit (nix-lib) mapSingleFuse;

6
lib/netconf-junos/protocols.nix
View file

@ -28,9 +28,9 @@ in
config.netconf.xmls.protocols = ''
<protocols>
<rstp operation="replace">
${
concatMapStringsSep "" (intf: "<interface><name>${intf}</name></interface>") config.protocols.rstp
}
${concatMapStringsSep "" (
intf: "<interface><name>${intf}</name></interface>"
) config.protocols.rstp}
</rstp>
</protocols>
'';

10
lib/nix-lib/nixpkgs.nix
View file

@ -79,10 +79,12 @@ rec {
f here values
);
in
f [ ] [
rhs
lhs
];
f
[ ]
[
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion

2
machines/liminix/ap01/wlan.nix
View file

@ -89,7 +89,7 @@ in
hostap-2 = mkWifiSta (
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2;
# Oneshot that waits until the hostapd has set the interface in operational state.
# Oneshot that waits until the hostapd has set the interface in operational state.
hostap-2-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan1;
};

8
machines/nixos/bridge01/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "bridge01" ] [
# List of secrets for bridge01
]
(import ../../../../keys).mkSecrets
[ "bridge01" ]
[
# List of secrets for bridge01
]

10
machines/nixos/compute01/kanidm/secrets/secrets.nix
View file

@ -2,7 +2,9 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../../keys).mkSecrets [ "compute01" ] [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]
(import ../../../../../keys).mkSecrets
[ "compute01" ]
[
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

3
machines/nixos/compute01/librenms/module.nix
View file

@ -401,7 +401,8 @@ in
"distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;
"distributed_poller_memcached_port" = cfg.distributedPoller.memcachedPort;
"rrdcached" = "${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
"rrdcached" =
"${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
})
// (lib.optionalAttrs cfg.useDistributedPollers {
"distributed_poller" = true;

3
machines/nixos/compute01/outline.nix
View file

@ -45,7 +45,8 @@ in
dgn-web.simpleProxies.outline = {
inherit host port;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
vhostConfig.locations."/robots.txt".return =
''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
age-secrets.autoMatch = [ "outline" ];

66
machines/nixos/compute01/secrets/secrets.nix
View file

@ -2,35 +2,37 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "compute01" ] [
# List of secrets for compute01
"arkheon-env_file"
"bupstash-put_key"
"dgsi-email_host_password_file"
"dgsi-kanidm_auth_token_file"
"dgsi-kanidm_secret_file"
"dgsi-secret_key_file"
"dgsi-x509_cert_file"
"dgsi-x509_key_file"
"ds-fr-secret_file"
"grafana-oauth_client_secret_file"
"grafana-smtp_password_file"
"hedgedoc-environment_file"
"librenms-database_password_file"
"librenms-environment_file"
"mastodon-extra_env_file"
"mastodon-smtp-password"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"plausible-admin_user_password_file"
"plausible-secret_key_base_file"
"plausible-smtp_password_file"
"satosa-env_file"
"signal-irc-bridge-config"
"telegraf-environment_file"
"vaultwarden-environment_file"
"zammad-secret_key_base_file"
]
(import ../../../../keys).mkSecrets
[ "compute01" ]
[
# List of secrets for compute01
"arkheon-env_file"
"bupstash-put_key"
"dgsi-email_host_password_file"
"dgsi-kanidm_auth_token_file"
"dgsi-kanidm_secret_file"
"dgsi-secret_key_file"
"dgsi-x509_cert_file"
"dgsi-x509_key_file"
"ds-fr-secret_file"
"grafana-oauth_client_secret_file"
"grafana-smtp_password_file"
"hedgedoc-environment_file"
"librenms-database_password_file"
"librenms-environment_file"
"mastodon-extra_env_file"
"mastodon-smtp-password"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"plausible-admin_user_password_file"
"plausible-secret_key_base_file"
"plausible-smtp_password_file"
"satosa-env_file"
"signal-irc-bridge-config"
"telegraf-environment_file"
"vaultwarden-environment_file"
"zammad-secret_key_base_file"
]

8
machines/nixos/geo01/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "geo01" ] [
# List of secrets for geo01
]
(import ../../../../keys).mkSecrets
[ "geo01" ]
[
# List of secrets for geo01
]

8
machines/nixos/geo02/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "geo02" ] [
# List of secrets for geo02
]
(import ../../../../keys).mkSecrets
[ "geo02" ]
[
# List of secrets for geo02
]

6
machines/nixos/hypervisor01/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "hypervisor01" ] [
(import ../../../../keys).mkSecrets
[ "hypervisor01" ]
[
]
]

6
machines/nixos/hypervisor02/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "hypervisor02" ] [
(import ../../../../keys).mkSecrets
[ "hypervisor02" ]
[
]
]

6
machines/nixos/hypervisor03/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "hypervisor03" ] [
(import ../../../../keys).mkSecrets
[ "hypervisor03" ]
[
]
]

10
machines/nixos/rescue01/secrets/secrets.nix
View file

@ -2,7 +2,9 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "rescue01" ] [
# List of secrets for rescue01
"stateless-uptime-kuma-password"
]
(import ../../../../keys).mkSecrets
[ "rescue01" ]
[
# List of secrets for rescue01
"stateless-uptime-kuma-password"
]

48
machines/nixos/storage01/secrets/secrets.nix
View file

@ -2,26 +2,28 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "storage01" ] [
# List of secrets for storage01
"bupstash-put_key"
"forgejo-mailer_password_file"
"forgejo_runners-token_file"
"garage-environment_file"
"influxdb2-grafana_token_file"
"influxdb2-initial_password_file"
"influxdb2-initial_token_file"
"influxdb2-telegraf_token_file"
"netbird-data_store_encryption_key_file"
"netbird-relay_environment_file"
"netbird-relay_secret_file"
"nginx-tvix-store-password"
"nginx-tvix-store-password-ci"
"peertube-secrets_file"
"peertube-service_environment_file"
"peertube-smtp_password_file"
"prometheus-garage_api"
"prometheus-uptime-kuma-apikey"
"prometheus-web_config_file"
"tvix-store-infra-signing-key"
]
(import ../../../../keys).mkSecrets
[ "storage01" ]
[
# List of secrets for storage01
"bupstash-put_key"
"forgejo-mailer_password_file"
"forgejo_runners-token_file"
"garage-environment_file"
"influxdb2-grafana_token_file"
"influxdb2-initial_password_file"
"influxdb2-initial_token_file"
"influxdb2-telegraf_token_file"
"netbird-data_store_encryption_key_file"
"netbird-relay_environment_file"
"netbird-relay_secret_file"
"nginx-tvix-store-password"
"nginx-tvix-store-password-ci"
"peertube-secrets_file"
"peertube-service_environment_file"
"peertube-smtp_password_file"
"prometheus-garage_api"
"prometheus-uptime-kuma-apikey"
"prometheus-web_config_file"
"tvix-store-infra-signing-key"
]

6
machines/nixos/tower01/secrets/secrets.nix
View file

@ -2,6 +2,8 @@
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "tower01" ] [
(import ../../../../keys).mkSecrets
[ "tower01" ]
[
]
]

14
machines/nixos/vault01/networking.nix
View file

@ -277,15 +277,13 @@ in
];
script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
${
lib.concatMapStringsSep "\n " ({ interfaceName, ... }: "networkctl up ${interfaceName}") userVlans
}
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl up ${interfaceName}"
) userVlans}
else
${
lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans
}
${lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans}
fi
'';
};

26
machines/nixos/vault01/secrets/secrets.nix
View file

@ -2,15 +2,17 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "vault01" ] [
# List of secrets for vault01
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"eatonmon-password_file"
"radius-ap-radius-secret_file"
"wg-key"
]
(import ../../../../keys).mkSecrets
[ "vault01" ]
[
# List of secrets for vault01
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"eatonmon-password_file"
"radius-ap-radius-secret_file"
"wg-key"
]

5
machines/nixos/web01/redirections.nix
View file

@ -35,9 +35,8 @@ in
"www.interq.ens.fr" = "interq.ens.fr";
};
temporary =
{
};
temporary = {
};
retired = mkSubs {
"ens.fr" = [

24
machines/nixos/web01/secrets/secrets.nix
View file

@ -2,14 +2,16 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "web01" ] [
# List of secrets for web01
"acme-certs_secret"
"bupstash-put_key"
"matterbridge-config_file"
"named-bind_dnskeys_conf"
"netbox-environment_file"
"ntfy_sh-environment_file"
"castopod-environment_file"
"kahulm-session_secret"
]
(import ../../../../keys).mkSecrets
[ "web01" ]
[
# List of secrets for web01
"acme-certs_secret"
"bupstash-put_key"
"matterbridge-config_file"
"named-bind_dnskeys_conf"
"netbox-environment_file"
"ntfy_sh-environment_file"
"castopod-environment_file"
"kahulm-session_secret"
]

3
machines/nixos/web01/wordpress/default.nix
View file

@ -66,5 +66,6 @@ in
dgn-backups.jobs.containers.settings.paths = [ "/var/lib/nixos-containers" ];
services.nginx.virtualHosts."bds.ens.fr".locations."/gestion2".return = "301 https://gestion.bds.ens.fr";
services.nginx.virtualHosts."bds.ens.fr".locations."/gestion2".return =
"301 https://gestion.bds.ens.fr";
}

14
machines/nixos/web02/secrets/secrets.nix
View file

@ -2,9 +2,11 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "web02" ] [
# List of secrets for web02
"cas_eleves-secret_key_file"
"kadenios-secret_key_file"
"kadenios-email_password_file"
]
(import ../../../../keys).mkSecrets
[ "web02" ]
[
# List of secrets for web02
"cas_eleves-secret_key_file"
"kadenios-secret_key_file"
"kadenios-email_password_file"
]

40
machines/nixos/web03/secrets/secrets.nix
View file

@ -2,22 +2,24 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "web03" ] [
# List of secrets for web03
"bupstash-put_key"
"dj_annuaire-secret_key_file"
"dj_bocal-secret_key_file"
"dj_ernestophone-secret_key_file"
"dj_ernestophone-password_file"
"dj_ernestophone-admins_file"
"dj_gestiojeux-secret_key_file"
"dj_interludes-email_host_password_file"
"dj_interludes-secret_key_file"
"dj_wikiens-secret_key_file"
"webhook-annuaire_token"
"webhook-bocal_token"
"webhook-ernestophone_token"
"webhook-gestiojeux_token"
"webhook-interludes_token"
"webhook-wikiens_token"
]
(import ../../../../keys).mkSecrets
[ "web03" ]
[
# List of secrets for web03
"bupstash-put_key"
"dj_annuaire-secret_key_file"
"dj_bocal-secret_key_file"
"dj_ernestophone-secret_key_file"
"dj_ernestophone-password_file"
"dj_ernestophone-admins_file"
"dj_gestiojeux-secret_key_file"
"dj_interludes-email_host_password_file"
"dj_interludes-secret_key_file"
"dj_wikiens-secret_key_file"
"webhook-annuaire_token"
"webhook-bocal_token"
"webhook-ernestophone_token"
"webhook-gestiojeux_token"
"webhook-interludes_token"
"webhook-wikiens_token"
]

14
modules/nixos/dgn-backups/keys/secrets.nix
View file

@ -2,9 +2,11 @@
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ ] [
"compute01.key"
"storage01.key"
"web01.key"
"web03.key"
]
(import ../../../../keys).mkSecrets
[ ]
[
"compute01.key"
"storage01.key"
"web01.key"
"web03.key"
]