infrastructure/meta
Ryan Lahfa 8b66b2b7c3
Some checks failed
Check meta / check_meta (push) Failing after 17s
Check meta / check_meta (pull_request) Failing after 18s
lint / check (push) Successful in 24s
build configuration / build_compute01 (pull_request) Failing after 38s
build configuration / build_storage01 (pull_request) Failing after 35s
Check meta / check_dns (push) Failing after 1m9s
Check meta / check_dns (pull_request) Failing after 59s
build configuration / build_vault01 (pull_request) Failing after 36s
build configuration / build_web01 (pull_request) Failing after 35s
build configuration / build_web02 (pull_request) Failing after 40s
build configuration / build_rescue01 (pull_request) Failing after 33s
build configuration / push_to_cache (pull_request) Has been skipped
feat: add access control for APs via our custom modules
It works!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-08-22 18:45:40 +02:00
..
default.nix feat(dns): Split out config 2024-02-23 13:06:15 +01:00
dns.nix feat(plausible): Transfer from web01 to compute01 2024-04-21 21:50:01 +02:00
network.nix feat(meta): Add netbird ip 2024-04-23 13:46:33 +02:00
nixpkgs.nix feat: Specialize nixpkgs as a function of the system 2024-05-24 18:46:13 +02:00
nodes.nix feat: add access control for APs via our custom modules 2024-08-22 18:45:40 +02:00
options.nix feat: Specialize nixpkgs as a function of the system 2024-05-24 18:46:13 +02:00
organization.nix feat: add access control for APs via our custom modules 2024-08-22 18:45:40 +02:00
README.md feat(meta): Add README 2024-04-04 13:36:51 +02:00
verify.nix feat(verify): Tweak error message 2024-05-15 09:58:50 +02:00

Metadata of the DGNum infrastructure

DNS

The DNS configuration of our infrastructure is completely defined with the metadata contained in this folder.

The different machines have records pointing to their IP addresses when they exist:

  • $node.$site.infra.dgnum.eu points IN A $ipv4

  • $node.$site.infra.dgnum.eu points IN AAAA $ipv6

  • v4.$node.$site.infra.dgnum.eu points IN A $ipv4

  • v6.$node.$site.infra.dgnum.eu points IN AAAA $ipv6

Then the services hosted on those machines can be accessed through redirections:

  • $service.dgnum.eu IN CNAME $node.$site.infra.dgnum.eu

or, when targeting only a specific IP protocol:

  • $service4.dgnum.eu IN CNAME ipv4.$node.$site.infra.dgnum.eu
  • $service6.dgnum.eu IN CNAME ipv6.$node.$site.infra.dgnum.eu

Extra records exist for ns, mail configuration, or the main website but shouldn't change or be tinkered with.

Network

The network configuration (except the NetBird vpn) is defined statically.

TODO.

Nixpkgs

Machines can use different versions of NixOS, the supported and default ones are specified here.

Nodes

The nodes are declared statically, several options can be configured:

  • deployment, the colmena deployment option
  • stateVersion, the state version of the node
  • nixpkgs, the version of NixOS to use
  • admins, the list of administrators specific to this node, they will be given root access
  • adminGroups, a list of groups whose members will be added to admins
  • site, the physical location of the node
  • vm-cluster, the VM cluster hosting the node when appropriate

Some options are set automatically, for example:

  • deployment.targetHost will be inferred from the network configuration
  • deployment.tags will contain infra-$site, so that a full site can be redeployed at once

Organization

The organization defines the groups and members of the infrastructure team, one day this information will be synchronized in Kanidm.

Members

For a member to be allowed access to a node, they must be defined in the members attribute set, and their SSH keys must be available in the keys folder.

Groups

Groups exist only to simplify the management of accesses:

  • The root group will be given administrator access on all nodes
  • The iso group will have its keys included in the ISOs built from the iso folder

Extra groups can be created at will, to be used in node-specific modules.

Module

The meta configuration can be evaluated as a module, to perform checks on the structure of the data.