DGNum/infrastructure
13
6
Fork 3
Code Issues 20 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

chore: pre-commit hooks are supposed to be run....
All checks were successful
build configuration / build_vault01 (push) Successful in 1m5s
Details
build configuration / build_web02 (push) Successful in 1m6s
Details
build configuration / build_compute01 (push) Successful in 1m11s
Details
build configuration / build_storage01 (push) Successful in 1m10s
Details
lint / check (push) Successful in 24s
Details
build configuration / build_web01 (push) Successful in 1m33s
Details
build configuration / build_rescue01 (push) Successful in 49s
Details

Browse source
This commit is contained in:
sinavir 2024-03-10 01:03:30 +01:00
parent d946894d8f
commit 581fa6b560
21 changed files with 348 additions and 382 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
default.nix
View file

@ -1,4 +1,5 @@
/* Copyright : /*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023 - Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023 - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
@ -59,9 +60,9 @@ let
in in
{ {
nodes = builtins.mapAttrs (host: { site, ... }: "${host}.${site}.infra.dgnum.eu") ( nodes = builtins.mapAttrs (
import ./meta/nodes.nix host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
); ) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix; dns = import ./meta/dns.nix;

6
iso/configuration.nix
View file

@ -33,7 +33,7 @@ in
openssh.enable = true; openssh.enable = true;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys") m: dgn-lib.mkRel ../keys "${m}.keys"
dgn-members; ) dgn-members;
} }

7
lib/default.nix
View file

@ -20,10 +20,9 @@ lib.extra
getNodeKeys = getNodeKeys =
node: node:
let let
names = names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
(meta.nodes.${node}.admins ++ [ "/machines/${node}" ]) ) meta.nodes.${node}.adminGroups;
meta.nodes.${node}.adminGroups;
in in
rootKeys ++ (getAllKeys names); rootKeys ++ (getAllKeys names);

6
machines/compute01/arkheon.nix
View file

@ -10,13 +10,11 @@
(import sources.nixos-unstable { (import sources.nixos-unstable {
overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ]; overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
}).python3.withPackages }).python3.withPackages
( (ps: [
ps: [
ps.arkheon ps.arkheon
ps.daphne ps.daphne
ps.psycopg2 ps.psycopg2
] ]);
);
domain = "arkheon.dgnum.eu"; domain = "arkheon.dgnum.eu";

12
machines/compute01/k-radius/module.nix
View file

@ -29,11 +29,9 @@ in
freeradius = mkOption { freeradius = mkOption {
type = types.package; type = types.package;
default = pkgs.freeradius.overrideAttrs ( default = pkgs.freeradius.overrideAttrs (old: {
old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ]; buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
} });
);
}; };
configDir = mkOption { configDir = mkOption {
@ -126,8 +124,7 @@ in
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
builtins.attrValues ( builtins.attrValues (
builtins.mapAttrs builtins.mapAttrs (
(
name: name:
{ secret, ipaddr }: { secret, ipaddr }:
'' ''
@ -139,8 +136,7 @@ in
} }
EOF EOF
'' ''
) ) cfg.radiusClients
cfg.radiusClients
) )
)} )}

4
machines/compute01/k-radius/packages/pykanidm.nix
View file

@ -31,7 +31,9 @@ python3.pkgs.buildPythonPackage {
aiohttp aiohttp
pydantic pydantic
toml toml
(authlib.overridePythonAttrs (_: { doCheck = false; })) (authlib.overridePythonAttrs (_: {
doCheck = false;
}))
]; ];
doCheck = false; doCheck = false;

6
machines/compute01/librenms/default.nix
View file

@ -12,12 +12,10 @@ in
package = package =
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs (pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
( (old: {
old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ]; patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI="; vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
} });
);
hostname = host; hostname = host;

18
machines/compute01/librenms/module.nix
View file

@ -198,13 +198,11 @@ in
poolConfig = mkOption { poolConfig = mkOption {
type = type =
with types; with types;
attrsOf ( attrsOf (oneOf [
oneOf [
str str
int int
bool bool
] ]);
);
default = { default = {
"pm" = "dynamic"; "pm" = "dynamic";
"pm.max_children" = 32; "pm.max_children" = 32;
@ -221,9 +219,9 @@ in
nginx = mkOption { nginx = mkOption {
type = types.submodule ( type = types.submodule (
recursiveUpdate recursiveUpdate (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" {
(import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" { inherit config lib; }) inherit config lib;
{ } }) { }
); );
default = { }; default = { };
example = literalExpression '' example = literalExpression ''
@ -392,9 +390,9 @@ in
} }
// (lib.optionalAttrs cfg.distributedPoller.enable { // (lib.optionalAttrs cfg.distributedPoller.enable {
"distributed_poller" = true; "distributed_poller" = true;
"distributed_poller_name" = "distributed_poller_name" = lib.mkIf (
lib.mkIf (cfg.distributedPoller.name != null) cfg.distributedPoller.name != null
cfg.distributedPoller.name; ) cfg.distributedPoller.name;
"distributed_poller_group" = cfg.distributedPoller.group; "distributed_poller_group" = cfg.distributedPoller.group;
"distributed_billing" = cfg.distributedPoller.distributedBilling; "distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost; "distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;

6
machines/compute01/satosa/module.nix
View file

@ -23,12 +23,10 @@ let
mkYamlFiles = mkYamlFiles =
files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files); files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files);
pyEnv = cfg.package.python.withPackages ( pyEnv = cfg.package.python.withPackages (ps: [
ps: [
cfg.package cfg.package
ps.gunicorn ps.gunicorn
] ]);
);
in in
{ {
options.services.satosa = { options.services.satosa = {

23
machines/storage01/netbird/module.nix
View file

@ -30,9 +30,9 @@ let
managementFormat = pkgs.formats.json { }; managementFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "setup.env" ( settingsFile = settingsFormat.generate "setup.env" (
builtins.mapAttrs builtins.mapAttrs (
(_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val) _: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
settings ) settings
); );
managementFile = managementFormat.generate "config.json" cfg.managementConfig; managementFile = managementFormat.generate "config.json" cfg.managementConfig;
@ -106,9 +106,9 @@ let
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = ""; NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ]; NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS = NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
builtins.map (p: "http://localhost:${p}") p: "http://localhost:${p}"
cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS; ) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
} }
// (optionalAttrs cfg.setupAutoOidc { // (optionalAttrs cfg.setupAutoOidc {
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT"; NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
@ -138,15 +138,13 @@ in
type = type =
with types; with types;
attrsOf ( attrsOf (
nullOr ( nullOr (oneOf [
oneOf [
(listOf str) (listOf str)
bool bool
int int
float float
str str
] ])
)
); );
defaultText = lib.literalExpression '' defaultText = lib.literalExpression ''
{ {
@ -493,8 +491,9 @@ in
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY" export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID" export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
${optionalString (cfg.secretFiles.AUTH_CLIENT_SECRET == null) ${optionalString (
''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''} cfg.secretFiles.AUTH_CLIENT_SECRET == null
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE" export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI" export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI" export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"

6
machines/web01/crabfit/packages/crabfit-frontend/default.nix
View file

@ -11,8 +11,7 @@
frontend_url ? "crab.fit", frontend_url ? "crab.fit",
}: }:
stdenv.mkDerivation ( stdenv.mkDerivation (finalAttrs: {
finalAttrs: {
pname = "crabfit-frontend"; pname = "crabfit-frontend";
version = "unstable-2023-08-02"; version = "unstable-2023-08-02";
@ -111,5 +110,4 @@ stdenv.mkDerivation (
license = licenses.gpl3; license = licenses.gpl3;
maintainers = with maintainers; [ thubrecht ]; maintainers = with maintainers; [ thubrecht ];
}; };
} })
)

24
machines/web01/linkal/module.nix
View file

@ -28,7 +28,9 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = package.overrideAttrs (_: { buildInputs = [ ]; }); default = package.overrideAttrs (_: {
buildInputs = [ ];
});
}; };
domain = mkOption { type = types.str; }; domain = mkOption { type = types.str; };
@ -38,22 +40,18 @@ in
let let
inherit (types) attrsOf port submodule; inherit (types) attrsOf port submodule;
in in
attrsOf ( attrsOf (submodule {
submodule {
options = { options = {
port = mkOption { type = port; }; port = mkOption { type = port; };
calendars = mkOption { inherit (jsonFormat) type; }; calendars = mkOption { inherit (jsonFormat) type; };
}; };
} });
);
default = { }; default = { };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services = systemd.services = mapAttrs' (
mapAttrs'
(
name: name:
{ port, calendars }: { port, calendars }:
nameValuePair "linkal-${name}" { nameValuePair "linkal-${name}" {
@ -66,8 +64,7 @@ in
}"; }";
}; };
} }
) ) cfg.calendarGroups;
cfg.calendarGroups;
# Configure bind for DNS certificate validation on *.cal.dgnum.eu. # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
# services.bind = { # services.bind = {
@ -107,9 +104,7 @@ in
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = virtualHosts = mapAttrs' (
mapAttrs'
(
name: name:
{ port, ... }: { port, ... }:
nameValuePair "${name}.${cfg.domain}" { nameValuePair "${name}.${cfg.domain}" {
@ -119,8 +114,7 @@ in
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/"; locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
} }
) ) cfg.calendarGroups;
cfg.calendarGroups;
}; };
}; };
} }

7
machines/web01/metis/default.nix
View file

@ -16,9 +16,7 @@ in
forceSSL = true; forceSSL = true;
root = metis.production; root = metis.production;
locations = locations = lib.mapAttrs' (
lib.mapAttrs'
(
name: value: name: value:
lib.nameValuePair "/cal/${name}/" { lib.nameValuePair "/cal/${name}/" {
extraConfig = '' extraConfig = ''
@ -28,8 +26,7 @@ in
proxy_pass ${value}; proxy_pass ${value};
''; '';
} }
) ) providers;
providers;
extraConfig = '' extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent; rewrite ^/calendrier(.*)$ $1 permanent;

6
machines/web01/redirections.nix
View file

@ -6,16 +6,14 @@ let
mkRetired = mkRetired =
hosts: hosts:
builtins.listToAttrs ( builtins.listToAttrs (
builtins.map builtins.map (name: {
(name: {
inherit name; inherit name;
value = { value = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".return = "301 https://${retired_host}/${name}"; locations."/".return = "301 https://${retired_host}/${name}";
}; };
}) }) hosts
hosts
); );
mkSub = domain: builtins.map (s: "${s}.${domain}"); mkSub = domain: builtins.map (s: "${s}.${domain}");

7
meta/dns.nix
View file

@ -150,9 +150,7 @@ in
DMARC = [ { p = "none"; } ]; DMARC = [ { p = "none"; } ];
DKIM = kurisuDKIM; DKIM = kurisuDKIM;
subdomains = subdomains = mapAttrs' (
mapAttrs'
(
host: host:
{ site, ... }: { site, ... }:
nameValuePair "${host}.${site}" ( nameValuePair "${host}.${site}" (
@ -162,8 +160,7 @@ in
AAAA = ipv6; AAAA = ipv6;
} }
) )
) ) meta.nodes;
meta.nodes;
}; };
}; };
} }

3
meta/nodes.nix
View file

@ -10,7 +10,8 @@
# nixpkgs = "unstable" or "22.11"; # nixpkgs version # nixpkgs = "unstable" or "22.11"; # nixpkgs version
# } # }
/* Liste des différents sites : /*
Liste des différents sites :
- dmi01 -> VM du NPSPI - dmi01 -> VM du NPSPI
- par01 -> Salle serveur sous le pavillon Pasteur - par01 -> Salle serveur sous le pavillon Pasteur
- par02 -> Local DGNum Jourdan - par02 -> Local DGNum Jourdan

6
meta/options.nix
View file

@ -38,8 +38,7 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf ( type = attrsOf (submodule {
submodule {
options = { options = {
name = mkOption { name = mkOption {
type = str; type = str;
@ -55,8 +54,7 @@ in
''; '';
}; };
}; };
} });
);
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.

3
meta/organization.nix
View file

@ -1,4 +1,5 @@
/* To add a new member add an attribute to `members` /*
To add a new member add an attribute to `members`
Then add the key to the required groups. Then add the key to the required groups.
*/ */

6
modules/dgn-access-control.nix
View file

@ -83,8 +83,8 @@ in
# Admins have root access to the node # Admins have root access to the node
dgn-access-control.users.root = mkDefault admins; dgn-access-control.users.root = mkDefault admins;
users.users = users.users = builtins.mapAttrs (_: members: {
builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; }) openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
cfg.users; }) cfg.users;
}; };
} }

19
modules/dgn-backups/default.nix
View file

@ -37,9 +37,9 @@ let
{ {
startAt = starts.${name}; startAt = starts.${name};
key = config.age.secrets."bupstash-put_key".path; key = config.age.secrets."bupstash-put_key".path;
repositoryCommands = repositoryCommands = lib.extra.mapSingleFuse (
lib.extra.mapSingleFuse (host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum") host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum"
to; ) to;
} }
// settings // settings
); );
@ -58,8 +58,7 @@ in
}; };
jobs = mkOption { jobs = mkOption {
type = attrsOf ( type = attrsOf (submodule {
submodule {
options = { options = {
to = mkOption { to = mkOption {
type = listOf str; type = listOf str;
@ -78,17 +77,14 @@ in
description = "Base bupstash job config."; description = "Base bupstash job config.";
}; };
}; };
} });
);
default = { }; default = { };
description = "List of bupstash jobs."; description = "List of bupstash jobs.";
}; };
}; };
config = { config = {
dgn-backups.jobs = dgn-backups.jobs = lib.extra.mapFuse (db: {
lib.extra.mapFuse
(db: {
"${db}-db".settings = { "${db}-db".settings = {
user = "postgres"; user = "postgres";
command = [ command = [
@ -96,8 +92,7 @@ in
db db
]; ];
}; };
}) }) cfg.postgresDatabases;
cfg.postgresDatabases;
services.bupstash = { services.bupstash = {
repositories = { repositories = {

6
modules/dgn-hardware.nix
View file

@ -41,8 +41,7 @@ in
}; };
}; };
config = mkIf cfg.enable ( config = mkIf cfg.enable (mkMerge [
mkMerge [
{ {
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
@ -91,6 +90,5 @@ in
}; };
}; };
}) })
] ]);
);
} }