feat(kanidm): Add SuiteNumerique Drive client

Define A and AAAA options in meta.addresses that can be reused later
Also define proxying in the metadata

.forgejo/workflows/eval-nodes.yaml

@@ -457,6 +457,25 @@ jobs:
       name: Cache web03
       run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
         errexit\npush-to-cache \"$STORE_PATH\"\n'"
+  zulip01:
+    runs-on: nix-infra
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: zulip01
+      name: Eval zulip01
+      run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
+        errexit\nDRV=$(instantiate-node)\necho \"DRV=$DRV\" >> $GITHUB_ENV\n'"
+    - name: Build zulip01
+      run: "STORE_PATH=\"$(nix-store --realise \"$DRV\")\"\necho \"STORE_PATH=$STORE_PATH\"\
+        \ >> $GITHUB_ENV\n"
+    - env:
+        STORE_ENDPOINT: https://snix-store.dgnum.eu/infra.signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Cache zulip01
+      run: "nix-shell -A eval-nodes --run 'set -o pipefail\nset -o nounset\nset -o
+        errexit\npush-to-cache \"$STORE_PATH\"\n'"
 name: Build all the nodes
 on:
   pull_request:

lib/netconf-junos/access.nix

@@ -0,0 +1,141 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+let
+  inherit (lib)
+    concatImapStringsSep
+    concatMapAttrsStringSep
+    concatMapStrings
+    mkOption
+    ;
+  inherit (lib.types)
+    attrsOf
+    ints
+    listOf
+    str
+    submodule
+    ;
+in
+{
+  options = {
+    access.address-assignment.pool = mkOption {
+      type = attrsOf (
+        submodule (
+          { name, config, ... }:
+          {
+            options = {
+              family.inet = {
+                network = mkOption {
+                  type = str;
+                  description = ''
+                    Network where this pool is located.
+                  '';
+                };
+                ranges = mkOption {
+                  type = listOf (submodule {
+                    options = {
+                      low = mkOption {
+                        type = str;
+                        description = ''
+                          Lowest IP of this range.
+                        '';
+                      };
+                      high = mkOption {
+                        type = str;
+                        description = ''
+                          Highest IP of this range.
+                        '';
+                      };
+                    };
+                  });
+                  description = ''
+                    IP ranges in this pool.
+                  '';
+                };
+                dhcp-attributes = {
+                  maximum-lease-time = mkOption {
+                    type = ints.unsigned;
+                    description = ''
+                      Maximum lease time for leases in this pool.
+                    '';
+                  };
+                  name-server = mkOption {
+                    type = listOf str;
+                    default = [ ];
+                    description = ''
+                      DNS servers to propose.
+                    '';
+                  };
+                  router = mkOption {
+                    type = listOf str;
+                    default = [ ];
+                    description = ''
+                      Router IP for default route.
+                    '';
+                  };
+                };
+              };
+              xml = mkOption {
+                type = str;
+                readOnly = true;
+                visible = false;
+              };
+            };
+            config.xml =
+              let
+                inet-cfg = config.family.inet;
+              in
+              ''
+                <pool>
+                  <name>${name}</name>
+                  <family>
+                    <inet>
+                      <network>${inet-cfg.network}</network>
+                      ${concatImapStringsSep "\n" (
+                        idx:
+                        { low, high }:
+                        ''
+                          <range>
+                            <name>${name}-${toString idx}</name>
+                            <low>${low}</low>
+                            <high>${high}</high>
+                          </range>
+                        ''
+                      ) inet-cfg.ranges}
+                      <dhcp-attributes>
+                        <maximum-lease-time>${toString inet-cfg.dhcp-attributes.maximum-lease-time}</maximum-lease-time>
+                        ${concatMapStrings (
+                          dns: "<name-server><name>${dns}</name></name-server>"
+                        ) inet-cfg.dhcp-attributes.name-server}
+                        ${concatMapStrings (
+                          router: "<router><name>${router}</name></router>"
+                        ) inet-cfg.dhcp-attributes.router}
+                      </dhcp-attributes>
+                    </inet>
+                  </family>
+                </pool>
+              '';
+          }
+        )
+      );
+      default = { };
+      description = ''
+        Address pools for DHCP configuration.
+      '';
+    };
+    netconf.xmls.access = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.access = ''
+    <access operation="replace">
+      <address-assignment>
+        ${concatMapAttrsStringSep "\n" (_: pool: pool.xml) config.access.address-assignment.pool}
+      </address-assignment>
+    </access>
+  '';
+}

lib/netconf-junos/default.nix

@@ -34,11 +34,13 @@ let
 in
 {
   imports = [
+    ./access.nix
     ./interfaces.nix
     ./poe.nix
     ./protocols.nix
     ./system.nix
     ./vlans.nix
+    ./routing-options.nix
   ];
 
   options = {
@@ -98,6 +100,8 @@ in
           ${protocols}
           ${vlans}
           ${poe}
+          ${access}
+          ${routing-options}
         </configuration>
       '';
       rpc = pkgs.writeText "${name}.rpc" ''

lib/netconf-junos/interfaces.nix

@@ -97,17 +97,17 @@ let
                 </ethernet-switching>
               '';
 
-              addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
+              addr4 = map (addr: "<address><name>${addr}</name></address>") config.family.inet.addresses;
               inet = optionalString config.family.inet.enable ''
                 <inet>
-                  <address>${builtins.concatStringsSep "" addr4}</address>
+                  ${builtins.concatStringsSep "" addr4}
                 </inet>
               '';
 
-              addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
+              addr6 = map (addr: "<address><name>${addr}</name></address>") config.family.inet6.addresses;
               inet6 = optionalString config.family.inet6.enable ''
                 <inet6>
-                  <address>${builtins.concatStringsSep "" addr6}</address>
+                  ${builtins.concatStringsSep "" addr6}
                 </inet6>
               '';
             in

lib/netconf-junos/routing-options.nix

@@ -0,0 +1,59 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+let
+  inherit (lib)
+    concatMapStringsSep
+    mkOption
+    ;
+  inherit (lib.types)
+    str
+    listOf
+    submodule
+    ;
+in
+{
+  options = {
+    routing-options.static.route = mkOption {
+      type = listOf (submodule {
+        options = {
+          destination = mkOption {
+            type = str;
+            description = ''
+              Destination network.
+            '';
+          };
+          next-hop = mkOption {
+            type = str;
+            description = ''
+              Gateway for this network.
+            '';
+          };
+        };
+      });
+      default = [ ];
+      description = ''
+        Static routes.
+      '';
+    };
+    netconf.xmls.routing-options = mkOption {
+      type = str;
+      readOnly = true;
+      visible = false;
+    };
+  };
+  config.netconf.xmls.routing-options = ''
+    <routing-options operation="replace">
+      <static>
+        ${concatMapStringsSep "\n" (route: ''
+          <route>
+            <name>${route.destination}</name>
+            <next-hop>${route.next-hop}</next-hop>
+          </route>
+        '') config.routing-options.static.route}
+      </static>
+    </routing-options>
+  '';
+}

lib/netconf-junos/system.nix

@@ -6,20 +6,25 @@
 
 let
   inherit (lib)
+    concatMapAttrsStringSep
+    concatMapStrings
     concatStrings
     concatStringsSep
     filter
     hasPrefix
     length
     mkOption
+    optionalString
     splitString
     ;
 
   inherit (lib.types)
+    attrsOf
     enum
     listOf
     port
     str
+    submodule
     ;
 in
 
@@ -55,6 +60,20 @@ in
           description = "Port to use for netconf.";
           default = 830;
         };
+        dhcp-local-server.group = mkOption {
+          type = attrsOf (submodule {
+            options.interfaces = mkOption {
+              type = listOf str;
+              description = ''
+                Interfaces managed by this group.
+              '';
+            };
+          });
+          default = { };
+          description = ''
+            Groups of configuration for DHCP server.
+          '';
+        };
       };
     };
     netconf.xmls.system = mkOption {
@@ -75,6 +94,19 @@ in
       ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
         filter (hasPrefix "ssh-ed25519 ") ssh-keys
       );
+
+      dhcp-local = optionalString (config.system.services.dhcp-local-server.group != { }) ''
+        <dhcp-local-server>
+        ${concatMapAttrsStringSep "\n" (name: cfg: ''
+          <group>
+            <name>${name}</name>
+            <interface>
+              ${concatMapStrings (intf: "<name>${intf}</name>") cfg.interfaces}
+            </interface>
+          </group>
+        '') config.system.services.dhcp-local-server.group}
+        </dhcp-local-server>
+      '';
     in
     ''
       <system>
@@ -89,6 +121,7 @@ in
             <ssh><port>${toString config.system.services.netconf.port}</port></ssh>
             <rfc-compliant/><yang-compliant/>
           </netconf>
+          ${dhcp-local}
         </services>
       </system>
     '';

machines/nixos/compute01/kanidm/default.nix

@@ -217,6 +217,15 @@ in
             "email"
           ];
         };
+
+        dgn_zulip = {
+          displayName = "Zulip [Chat]";
+          originUrl = "https://zulip.dgnum.eu/complete/oidc/";
+          originLanding = "https://zulip.dgnum.eu";
+          preferShortUsername = true;
+          allowInsecureClientDisablePkce = true;
+          enableLegacyCrypto = true;
+        };
       };
     };
   };

machines/nixos/compute01/librenms/default.nix

@@ -23,7 +23,15 @@ in
 
     hostname = host;
 
-    settings = { };
+    settings = {
+      auth.socialite.configs.kanidm = {
+        listener = "\\SocialiteProviders\\Kanidm\\KanidmExtendSocialite";
+        client_id = "$KANIDM_CLIENT_ID";
+        client_secret = "$KANIDM_CLIENT_SECRET";
+        redirect = "$KANIDM_REDIRECT_URI";
+        base_url = "$KANIDM_BASE_URL";
+      };
+    };
 
     database = {
       createLocally = true;

machines/nixos/compute01/librenms/kanidm.patch

@@ -80,3 +80,11 @@ index 3d89a1530..a00c5f307 100644
          {
              "name": "socialiteproviders/manager",
              "version": "v4.6.0",
+index 3d89a1530..a00c5f307 100644
+--- a/app/Providers/EventServiceProvider.php
++++ b/app/Providers/EventServiceProvider.php
+@@ -33,3 +33,4 @@
+         \SocialiteProviders\Manager\SocialiteWasCalled::class => [
++            \SocialiteProviders\Kanidm\KanidmExtendSocialite::class.'@handle',
+             \App\Listeners\SocialiteWasCalledListener::class,
+         ],

machines/nixos/lab-router01/nginx-sni.nix

@@ -12,6 +12,7 @@
       # Becareful, jool will not translate ips. Prefer ipv6 proxy target
       redirects = {
         "kfet.lab.dgnum.eu" = "v6.labcore01.pav01.infra.lab.dgnum.eu:443";
+        "zulip.dgnum.eu" = "v6.zulip01.pav01.infra.lab.dgnum.eu:443";
       };
     };
   };

machines/nixos/vault01/_configuration.nix

@@ -14,7 +14,7 @@ lib.extra.mkConfig {
     "k-radius"
     "monitoring"
     "networking"
-    "ups"
+    #    "ups"
     "ulogd"
   ];
 

machines/nixos/vault01/networking.nix

@@ -12,7 +12,12 @@
 }:
 
 let
-  inherit (lib) mapAttrs' mkOption nameValuePair;
+  inherit (lib)
+    genList
+    mapAttrs'
+    mkOption
+    nameValuePair
+    ;
   inherit (lib.types) listOf attrs;
 
   uplink = {
@@ -348,6 +353,7 @@ in
               chain postrouting {
                 type nat hook postrouting priority 100;
                 ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
+                ip saddr 192.168.0.0/17 ip daddr != 192.168.0.0/17 snat ip to 129.199.195.130-129.199.195.157
               }
             '';
           };
@@ -383,7 +389,7 @@ in
                 ip saddr 10.0.255.0/24 jump forward_reject;
 
                 # We only forward for ISP clients and our stuff
-                ip saddr != 10.0.0.0/16 jump forward_reject;
+                ip saddr != 10.0.0.0/16 ip saddr != 192.168.0.0/17 jump forward_reject;
 
                 # Can talk to us
                 ip daddr 10.0.0.0/27 accept;

machines/nixos/web03/django-apps/default.nix

@@ -11,6 +11,7 @@
     ./gestiocof.nix
     ./gestiojeux.nix
     ./interludes.nix
+    ./vector.nix
     ./wikiens.nix
   ];
 

machines/nixos/web03/django-apps/vector.nix

@@ -0,0 +1,48 @@
+# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+
+{
+  services.django-apps.sites.vector = {
+    source = "https://git.dgnum.eu/DGNum/vector";
+    branch = "main";
+    domain = "photos.dgnum.eu";
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+    };
+
+    webHookSecret = config.age.secrets."webhook-vector_token".path;
+
+    overlays.nix-pkgs = [
+      # Required packages
+      "authens"
+      "django-browser-reload"
+      "django-bulma-forms"
+      "django-unfold"
+      "loadcredential"
+
+      # Dependencies
+      "python-cas"
+    ];
+
+    dependencies = ps: [
+      ps.authens
+      ps.django
+      ps.django-browser-reload
+      ps.django-bulma-forms
+      ps.django-import-export
+      ps.django-sesame
+      ps.django-unfold
+      ps.loadcredential
+      ps.pillow
+    ];
+
+    credentials = {
+      SECRET_KEY = config.age.secrets."dj_vector-secret_key_file".path;
+    };
+  };
+}

machines/nixos/web03/secrets/dj_vector-secret_key_file

@@ -0,0 +1,34 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZIo4kw U9Awj0lxgjMUgaAzQL2WzYiMgfD+86sKsvNnbd7g1lY
+ss6ZQIANobWXxHjTykQE3nZqXJ+i+x3x6f7kAzWNbh0
+-> ssh-ed25519 9/PCvA Yzdb3ff9BW1AAL5JqprCiyAByqsaSmyyUt5DVFq1IBw
+UxTfF4o9wSk3+XKKTNuWGSLMOPYrgA+ipumR5AzlNgk
+-> ssh-ed25519 prNEsA VkEG8GR5wWU+V3Dne9UtNK8lOPnMy7lbh9ea+kiTLik
+gY8l0Uj3ayMkPIVuMHG+BGvm+BYCR1n3HOEcAZWVLWs
+-> ssh-ed25519 jIXfPA mzhgIxTRN7ZtlRuZTkz0P/Zdl/QVetQHylH6KgL5fQE
+6dJo93aqlNqC6Kno8958r6+c552CPCW0sPD+sf9x678
+-> ssh-ed25519 QlRB9Q 8GZjCubDXSt/uNfchgoY4nC+nmq7h0mHH5PzaVwS8Gw
+WfCIpHHSL/ZzCrCGonXzov5aiEG8nEabRYc61Sot6W0
+-> ssh-ed25519 r+nK/Q dxq/i0WDDxRd2o2RapDZUTmink7pQpWbEp+6TByjYSY
+c/Z2Y2jXeAYZJ3ltI3XEb2qU2dM9WuBCfn4DmdLWuoc
+-> ssh-rsa krWCLQ
+DyMp39BeLJYmgfgyeVqcAUKWVSmqXj7Z24bu4JJ1TSjO9jWB61gp7K3rR/ascaZ3
+E+TkzK4DOUs81anTI1A6nUr3a5/PONU8y1M78OBRhaUkgA0EawUYWCvk7ITTri9N
+5U9m7yYXVjFImbPDmTuS496KEqqrYKF9hMU54MzAVjl7Glz3mw2sJmD3oyWX3lx+
+XgzS4O/tmL7WxsaHqzAnojr32aJH52Es0VNZRplCff4sgZl+1U+RPpi4kLk8E1+p
+QnXDyUEYpkJ4OlslT7+WrURumZhEfBhvDtJUIkILc650lJcxeO5kSgw9s46RmEwW
+tFtkMsG+M+sPqcgiqdpp1A
+-> ssh-ed25519 /vwQcQ C8NLKCeZRYT1hFAX7QWjaPXnlN8iiMXeSQEmdPMWhx0
+gHagG9v72kxa9LIs4aIV5CZsq60i62s4HkDwh6ostew
+-> ssh-ed25519 0R97PA /9uUwdq1jdah4pJsFBm8Lubc3bkpBtqDh2VCDZegJDo
+WD17gOJkv4INdNUIX0erAjNOeeWQZCQ1rXdc68KFLbw
+-> ssh-ed25519 JGx7Ng GpCSAEFl4Y/0pNYWXX5+iMfRqPIbJ2cTS6YPjNLiJW0
+KZNU1H+MVNUb5aJMkEurBPDd9h9b023CqK0TLTrd4y4
+-> ssh-ed25519 bUjjig GIZfUJbejtNHD7ezMM/KsNetxwLBYGHJ3ql5tn6sYwY
+U9jkfmRTM1WXvExskdponMb9/kTwzeZYA3CBUBq5PI8
+-> ssh-ed25519 VQSaNw YUZzVKlzWxTgDUZyKToDR3fvMSGDPCQL5hOD/fyW8lI
+S5IJ5E325zHj3VBq6jcQmZmhXgLDAceGMBrRUP0po5g
+-> ,`:sK>-grease
+1Jkp/UVsxUfBFXRGT1ADI97FkgaK/jTSj+Gu/mv3Kjhk3kCHCwrN2emrILvK
+--- 6tPIZn536nfhB/4+hiKitxMpYKdj42N+Xxw7gz+cCuQ
+¾Ú‡u™ŒhŠh
Š%Å$<24>¯^þrÒ3Üëi¯‘ð8§qK‹§½9‡ˆd®Ø&±<>X4ŠØ'lœ%ršCƒ™–„€“R”Ÿß=®ëƒ_ïì>XÙilO

machines/nixos/web03/secrets/secrets.nix

@@ -27,6 +27,7 @@
     "dj_gestiojeux-secret_key_file"
     "dj_interludes-email_host_password_file"
     "dj_interludes-secret_key_file"
+    "dj_vector-secret_key_file"
     "dj_wikiens-secret_key_file"
     "webhook-annuaire_token"
     "webhook-bocal_token"
@@ -35,5 +36,6 @@
     "webhook-gestiocof_token"
     "webhook-gestiojeux_token"
     "webhook-interludes_token"
+    "webhook-vector_token"
     "webhook-wikiens_token"
   ]

machines/nixos/web03/secrets/webhook-vector_token

@@ -0,0 +1,36 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZIo4kw nixtliB448Qelkkhdy4Njr4V5gGJtlzR5z2mdjxENhs
+529gFsnjUhI/yFnphje0jhoszNrRoc1OmV1tc8QgTVk
+-> ssh-ed25519 9/PCvA eFSvkx9G++qeJWsAusXUz+V5IyVoW3kRuhL8M6LITSs
+Die/10zkmScdj5wmWKlVHtbIZ3n7Tw5O9xvmLrNittM
+-> ssh-ed25519 prNEsA +GGlW+gSP7WEvvjBNpNhzG8FSV3cVLu6A/2IbD51Wzo
+wTNAoE5Wk/ZzhuKPLuBbE40rHpuXqOFuTE2fn1Nw1kQ
+-> ssh-ed25519 jIXfPA qROvOffeaatJSsqQ+bNgXcZc0tlZDhNawcUsybu0YQo
+GgsBWLQuFbL4CghDOxbyaJ4dMJtuWV5IJWxr/aNDE5I
+-> ssh-ed25519 QlRB9Q K07kQAeVxZlkp4RFRPgAbX8ny5bqB9klZEGUyLaUtzg
+Oe7IAxrU+4onN8V6M178yTbXPPqkh++JSB+WKEXocQ8
+-> ssh-ed25519 r+nK/Q RFCuFtv3kdHjFHT4PcbVFfLUdD3kUBoO1XSfqB4ae2Q
+39RVcTVbte9KNt3vEHE0aEcSLJyhASqlNp+/+AFkrB0
+-> ssh-rsa krWCLQ
+LEFifhwKhjyaqSRtNpwVv9PTKmMmkz0tQLccZLTMQ4suKo3+YzLpBNrpIoi3xvuZ
+75Xv/MtcemPoVX5qBgJwkxZyV5roAtOpvRo+iTBiQ7awgFpiWcn+cILOyr3a/LER
+Xu92Wiotzv9WFJMsZd1DfeOvNl1YkxD2QqRdd6jF13vt8NwuogEY2GzgS/PerKi1
+YJ0ntGhecsy7n13kapA9VsTt8/e9dywZ/ZZIkmDG7ma0tqYnn1VzQTbZXjPMTl04
+kZ7Rg+u1C0Q1mCzSnJJtpbmDj0M8OyqHfEjg1DoWR3uBizH3BOjQjbnLPhnp0mL3
+cInvK02DW7JGazJDsuJblw
+-> ssh-ed25519 /vwQcQ bRu/3avtfAEqsAzlOdM/fjVoUaOPoJuD2lbvovojoz8
+7CO/CcO1kDXTrSjzy1z4KhcVnLwhOZEuMN+LySUaeyI
+-> ssh-ed25519 0R97PA Hb/RO8mCBX445wyyAXSnilOzE6HMhTGuw0Urz2Y6YVc
+BdZ98IodA3Tp5k0Tau+Iv8qrVf/CJRfYseicHyP1fCs
+-> ssh-ed25519 JGx7Ng gdEebhCXIuHzA3bDWltgnRo2XvGHszVScTfNXGBVX3A
+X5ZLnUcX9cjIrvpqw2jEveLcljE/idPD0BfX5V7QVwE
+-> ssh-ed25519 bUjjig f/pw/bL37yroIaiv4y9EqJqAVwh06vC9VcaMQPW40Qw
+LScPAIupupgpR1OL4oqG87pRYKSctQip3rHnnjBrCGg
+-> ssh-ed25519 VQSaNw BxWJoLzSaZwbO+XU0Hd61t2JaukDmcAzQphYKaAtWBI
+4RoGyHkU926BomYSLj6KquJ74OwMeVYQeBAV84wu57c
+-> R?\kyN-grease gO`2zD 7eWdp ,_h
+ZkiJSlbbGvaHYu0mUfMyW+hOZNDTZ4Fvql+0hsSgaJ9h5sGLMijNzinflWaUg2JE
+NTcZv5Xy77Y+j1Ch
+--- TrMQG6BDUx1tuCujCZM2u/g5DhfpSv6MVKtR+zC1S+w
+ÝÔ¾TVs]“VBYZ)iÁ®Ù‰HˆeþRî‹’bÂêòÂ.(&²
+N'3¡¢œD-Íè‰_V¯î

machines/nixos/zulip01/_configuration.nix

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+    "dgn-web"
+  ];
+
+  enabledServices = [
+    # List of services to enable
+  ];
+
+  extraConfig = {
+    # Disable monitoring
+    dgn-monitoring.enable = false;
+    dgn-records.enable = false;
+    dgn-notify.enable = false;
+    dgn-backups.jobs = lib.mkForce { };
+  };
+
+  root = ./.;
+}

machines/nixos/zulip01/_hardware-configuration.nix

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, sources, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    (sources.disko + "/module.nix")
+    ./disko.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "ehci_pci"
+        "virtio_pci"
+        "sr_mod"
+        "virtio_blk"
+      ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+}

machines/nixos/zulip01/disko.nix

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+_: {
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

machines/nixos/zulip01/secrets/secrets.nix

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../../keys.nix).mkSecrets [ "zulip01" ] [ ]

meta/dns.nix

@@ -12,6 +12,7 @@ let
     mapAttrs'
     nameValuePair
     optional
+    optionalAttrs
     ;
 
   inherit (lib.extra) fuseAttrs mapSingleFuse;
@@ -28,6 +29,7 @@ let
       dual ? [ ],
       v4 ? [ ],
       v6 ? [ ],
+      proxied ? [ ],
     }:
     let
       base = "${server}.${meta.nodes.${server}.site}.infra";
@@ -37,6 +39,7 @@ let
       (mkHost base dual)
       (mkHost "v4.${base}" v4)
       (mkHost "v6.${base}" v6)
+      (mkHost "proxied.${base}" proxied)
     ];
 
   cnames = builtins.mapAttrs (_: to: { CNAME = [ to ]; }) {
@@ -167,10 +170,17 @@ let
         ];
 
         web03.dual = [
+          "photos" # Vector
+
           # Django Apps
           "*.webapps"
           "apps-webhook"
         ];
+
+        zulip01.proxied = [
+          "zulip"
+          "z"
+        ];
       }
     )
   );
@@ -249,23 +259,21 @@ in
           { site, ... }:
           let
             net = meta.network.${host};
-            f =
-              x:
-              if x == [ ] then
-                [ ]
-              else if net.singleIpRecord then
-                [ (builtins.head x) ]
-              else
-                x;
-            inherit (net.addresses) ipv4 ipv6;
+            inherit (net.addresses) A AAAA;
           in
           nameValuePair "${host}.${site}" {
-            A = f ipv4;
-            AAAA = f ipv6;
+            inherit A AAAA;
+
             subdomains = {
-              v4.A = f ipv4;
-              v6.AAAA = f ipv6;
+              v4 = { inherit A; };
+              v6 = { inherit AAAA; };
               private.A = optional (net.netbirdIp != null) net.netbirdIp;
+              proxied = optionalAttrs (net.proxy != null) {
+                # NOTE: We assume that we want to proxy ipv4 to an ipv6-only node
+                #       This might change in the future but is not planned yet.
+                inherit (meta.network.${net.proxy}.addresses) A;
+                inherit AAAA;
+              };
             };
           }
         ) (filterAttrs (_: { nixpkgs, ... }: nixpkgs.system == "nixos") meta.nodes);

meta/network.nix

@@ -425,5 +425,27 @@
       netbirdIp = "100.80.157.46";
       singleIpRecord = true;
     };
+
+    zulip01 = {
+      interfaces = {
+        ens18 = {
+          ipv6 = [
+            {
+              address = "2a0e:e701:1120:1000::dead:beef";
+              prefixLength = 64;
+            }
+          ];
+
+          gateways = [ "2a0e:e701:1120:1000::1" ];
+          dns = [ "2a0e:e701:1120:1000::f:1" ];
+        };
+      };
+
+      hostId = "b551861d";
+      netbirdIp = null; # zulip01 is not to be connected on the VPN for now
+
+      # This node does not have ipv4 connectivity
+      proxy = "lab-router01";
+    };
   };
 }

meta/nodes/netconf.nix

@@ -27,7 +27,7 @@ let
         ];
       };
       nixpkgs = {
-        version = "24.05";
+        version = "unstable";
         system = "netconf";
       };
     };

meta/nodes/nixos.nix

@@ -395,5 +395,20 @@
 
       admins = [ "catvayor" ];
     };
+
+    zulip01 = {
+      site = "pav01";
+
+      hashedPassword = "$y$j9T$7NuClEAftCG0O7AA0KLK10$/ZLXV73tiZVMXFdgKfa4yVeYk.Qdea6uIgQTrtWHIbA";
+
+      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnYjoGAfJGeMAds7RoqtqRJlfm2f6aBbb9SIPNizIof" ];
+
+      stateVersion = "24.11";
+
+      nixpkgs = {
+        version = "unstable";
+        system = "nixos";
+      };
+    };
   };
 }

meta/options.nix

@@ -412,22 +412,50 @@ in
                 );
               };
 
-              addresses = {
-                ipv4 = mkOption {
-                  type = listOf str;
-                  default = [ ];
-                  description = ''
-                    List of public ipv4 addresses of the node.
-                  '';
+              addresses =
+                let
+                  select = b: x: if (b && x != [ ]) then [ (builtins.head x) ] else x;
+                in
+                {
+                  ipv4 = mkOption {
+                    type = listOf str;
+                    default = [ ];
+                    description = ''
+                      List of public ipv4 addresses of the node.
+                    '';
+                  };
+
+                  ipv6 = mkOption {
+                    type = listOf str;
+                    default = [ ];
+                    description = ''
+                      List of public ipv6 addresses of the node.
+                    '';
+                  };
+
+                  A = mkOption {
+                    type = listOf str;
+                    default = select config.singleIpRecord config.addresses.ipv4;
+                    description = ''
+                      List of ipv4 addresses used for the A record.
+                    '';
+                  };
+
+                  AAAA = mkOption {
+                    type = listOf str;
+                    default = select config.singleIpRecord config.addresses.ipv6;
+                    description = ''
+                      List of ipv6 addresses used for the AAAA record.
+                    '';
+                  };
                 };
 
-                ipv6 = mkOption {
-                  type = listOf str;
-                  default = [ ];
-                  description = ''
-                    List of public ipv6 addresses of the node.
-                  '';
-                };
+              proxy = mkOption {
+                type = nullOr str;
+                default = null;
+                description = ''
+                  If not `null`, then a SNI proxy will be created to passthrough ipv4 traffic to this node via ipv6.
+                '';
               };
 
               hostId = mkOption {

npins/sources.json

@@ -74,9 +74,9 @@
       },
       "branch": "main",
       "submodules": false,
-      "revision": "904eb7058b9a61250fbfcb0b0bfa71e214bf1067",
+      "revision": "fbf6385e65400802a3f9f75f7cd91d5c01373d1b",
       "url": null,
-      "hash": "sha256-tDqte7MuOn0Gcj0a94m//wcjJvssnEZprtt5o/IpXlU="
+      "hash": "sha256-aOUI69wbMm9+KVWwcMw5TgVnk3DfjOzE4OEyYTD8XPU="
     },
     "disko": {
       "type": "GitRelease",