feat(bridge02): Initialize and add instructions to the README
Some checks failed
Check meta / check_meta (push) Failing after 25s
Check meta / check_dns (push) Successful in 45s
build configuration / build_vault01 (push) Successful in 3m33s
build configuration / build_storage01 (push) Successful in 3m36s
build configuration / build_compute01 (push) Successful in 3m37s
build configuration / build_web02 (push) Successful in 2m56s
lint / check (push) Successful in 24s
build configuration / build_web01 (push) Successful in 3m45s
build configuration / build_rescue01 (push) Successful in 1m29s
build configuration / push_to_cache (push) Successful in 3m24s

Tom Hubrecht 2024-07-10 17:31:04 +02:00
parent 0e8f752d79
commit 680682f520
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
11 changed files with 316 additions and 40 deletions


@ -8,3 +8,97 @@ Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.
You're expected to read this document before commiting to the repo. You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file. Some documentation for the development tools are provided in the aforementioned file.
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.
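Review bot: the `ssh-keyscan` step under "Download the keys" fetches the host key over the network with no verification, and that key is what `lib.getNodeKeys` later hands to `secrets.nix` as an age recipient, so a wrong or intercepted key at this step means every secret for the host is encrypted to the wrong party; suggest adding a sentence asking the reader to compare the scanned key with `/etc/ssh/ssh_host_ed25519_key.pub` as read on the host's own console (or the fingerprint noted at install time) before committing it. Smaller points in the same hunk: "tha means necessary" should read "any means necessary", "retreived" should be "retrieved", and "Both the Arkheon, Netbox and notification modules" lists three items, so "Both" should go.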


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7


@ -0,0 +1,20 @@
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"network"
];
extraConfig = {
services.netbird.enable = true;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};
root = ./.;
}
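Review bot: `enabledServices` carries `"network"` here, but the README template added in the same commit shows the list empty with only a placeholder comment; a host without the network service would have no address on `vlan-admin` and therefore no reachable `targetHost`, so consider listing `"network"` in the template or stating in the README that it is normally required. A one-line comment on `pkgs.bcachefs-tools` saying it is there because the root filesystem in the hardware configuration is bcachefs would also help the next reader.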


@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, pkgs, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"sd_mod"
"sr_mod"
];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems.bcachefs = true;
};
fileSystems = {
"/" = {
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
fsType = "bcachefs";
options = [ "compression=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/4D0A-AF11";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}
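Review bot: the header says the file was generated by `nixos-generate-config` and must not be modified, yet it has been hand-edited: `kernelPackages = pkgs.linuxPackages_latest` is never emitted by the generator, and the argument set has been reduced to `{ modulesPath, pkgs, ... }`. Either drop the header or move the kernel and `supportedFilesystems` settings into `_configuration.nix` so the file can be regenerated safely. Two follow-ups: the commented `networking.interfaces.*.useDHCP = lib.mkDefault true;` lines would fail if uncommented because `lib` is no longer in the argument set, and `/` is addressed as `UUID=...` while `/boot` uses `/dev/disk/by-uuid/...`, which works but is inconsistent.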


@ -0,0 +1,79 @@
_:
{
networking = {
useNetworkd = true;
useDHCP = false;
nftables.enable = true;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};
}
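Review bot: `firewall.allowedUDPPorts = [ 67 ]` opens the DHCP server port on every interface, including `vlan-uplink-oob` where this host is itself a DHCP client, while the server (`DHCPServer = "yes"`) only runs on `vlan-admin`; scoping it with `networking.firewall.interfaces."vlan-admin".allowedUDPPorts = [ 67 ];` keeps port 67 closed toward the uplink. Also worth a look: `IPv6AcceptRA = false` is set on `eno1` but not on `vlan-uplink-oob`, so router advertisements on the uplink VLAN are still accepted by default next to the `DHCP = "ipv4"` client, and the leftover `# address = [ "192.168.222.1/24" ];` on `eno1` duplicates the address now assigned to `vlan-admin` and can be dropped.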


@ -0,0 +1,5 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
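Review bot: the node name passed to `lib.getNodeKeys` is `"bridge01"`, as in every other file of this change, while the commit title says `bridge02`; one of the two should be corrected before merge so that the keys file this call resolves to belongs to the host actually being added, since it decides which SSH key the age secrets are encrypted to.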


@ -1,4 +1,10 @@
{ {
bridge01 = {
hostId = "f57f3ba0";
interfaces = { };
};
compute01 = { compute01 = {
interfaces = { interfaces = {
eno1 = { eno1 = {
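Review bot: `interfaces = { }` declares no addresses for `bridge01` in the shared metadata, although the host's own network file in this change assigns `192.168.222.1/24` and `fd26:baf9:d250:8000::ffff/64` to `vlan-admin`, and the `check_meta` job listed at the top of the page is failing on this push; worth confirming whether the metadata check expects those addresses here, and if the empty set is deliberate (admin VLAN kept out of the shared network), a short comment saying so would save the next reviewer the same question.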


@ -19,6 +19,22 @@
- luj01 -> VM de Luj - luj01 -> VM de Luj
*/ */
{ {
bridge01 = {
site = "hyp01";
stateVersion = "24.05";
adminGroups = [ "fai" ];
deployment = {
targetHost = "fd26:baf9:d250:8000::ffff";
sshOptions = [
"-J"
"vault01.hyp01.infra.dgnum.eu"
];
};
};
web01 = { web01 = {
site = "rat01"; site = "rat01";
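Review bot: `targetHost` is the ULA address the host assigns to itself on `vlan-admin`, reached through the `-J vault01.hyp01.infra.dgnum.eu` jump, which keeps the admin VLAN off the uplink path; the entry omits `nixpkgs`, however, which the README added in this same commit lists among the main values to declare, so either add it here or note in the README that a default applies when it is left out.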

Binary file not shown.


@ -1,42 +1,44 @@