History

Tom Hubrecht 88d9b8c3e3 Some checks failed Check meta / check_dns (pull_request) Successful in 19s Details Check meta / check_meta (pull_request) Successful in 20s Details Check workflows / check_workflows (pull_request) Successful in 24s Details Build all the nodes / ap01 (pull_request) Successful in 1m15s Details Build all the nodes / bridge01 (pull_request) Successful in 1m53s Details Build all the nodes / geo01 (pull_request) Successful in 1m55s Details Build all the nodes / geo02 (pull_request) Successful in 1m53s Details Build all the nodes / compute01 (pull_request) Successful in 2m33s Details Build all the nodes / rescue01 (pull_request) Successful in 2m13s Details Build all the nodes / storage01 (pull_request) Successful in 1m57s Details Run pre-commit on all files / check (pull_request) Successful in 30s Details Build all the nodes / web02 (pull_request) Successful in 1m47s Details Build all the nodes / vault01 (pull_request) Successful in 2m21s Details Build all the nodes / web03 (pull_request) Successful in 1m40s Details Build all the nodes / web01 (pull_request) Successful in 2m54s Details Check meta / check_dns (push) Successful in 20s Details Check meta / check_meta (push) Successful in 19s Details Check workflows / check_workflows (push) Successful in 25s Details Build all the nodes / ap01 (push) Successful in 1m16s Details Build all the nodes / bridge01 (push) Successful in 1m41s Details Build all the nodes / geo02 (push) Successful in 1m44s Details Build all the nodes / geo01 (push) Successful in 1m53s Details Build all the nodes / compute01 (push) Successful in 2m20s Details Build all the nodes / rescue01 (push) Successful in 1m49s Details Build all the nodes / storage01 (push) Successful in 1m46s Details Build all the nodes / vault01 (push) Successful in 1m45s Details Run pre-commit on all files / check (push) Successful in 30s Details Build all the nodes / web02 (push) Has been cancelled Details Build all the nodes / web01 (push) Has been cancelled Details Build all the nodes / web03 (push) Has been cancelled Details chore: Add license and copyright information Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.		2024-12-13 12:41:38 +01:00
..
default.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
dns.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
network.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
nixpkgs.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
nodes.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
options.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
organization.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
README.md	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00
verify.nix	chore: Add license and copyright information	2024-12-13 12:41:38 +01:00

README.md

Metadata of the DGNum infrastructure

DNS

The DNS configuration of our infrastructure is completely defined with the metadata contained in this folder.

The different machines have records pointing to their IP addresses when they exist:

$node.$site.infra.dgnum.eu points IN A $ipv4
$node.$site.infra.dgnum.eu points IN AAAA $ipv6
v4.$node.$site.infra.dgnum.eu points IN A $ipv4
v6.$node.$site.infra.dgnum.eu points IN AAAA $ipv6

Then the services hosted on those machines can be accessed through redirections:

$service.dgnum.eu IN CNAME $node.$site.infra.dgnum.eu

or, when targeting only a specific IP protocol:

$service4.dgnum.eu IN CNAME ipv4.$node.$site.infra.dgnum.eu
$service6.dgnum.eu IN CNAME ipv6.$node.$site.infra.dgnum.eu

Extra records exist for ns, mail configuration, or the main website but shouldn't change or be tinkered with.

Network

The network configuration (except the NetBird vpn) is defined statically.

TODO.

Nixpkgs

Machines can use different versions of NixOS, the supported ones are specified here.

How to add a new version

Switch to a new branch nixos-$VERSION
Run the following command

npins add channel nixos-$VERSION

Edit meta/nixpkgs.nix and add $VERSION to the supported version.
Read the release notes and check for changes.
Update the nodes versions
Create a PR so that the CI check that it builds

Nodes

The nodes are declared statically, several options can be configured:

deployment, the colmena deployment option
stateVersion, the state version of the node
nixpkgs, the version and sytem of NixOS to use
admins, the list of administrators specific to this node, they will be given root access
adminGroups, a list of groups whose members will be added to admins
site, the physical location of the node
vm-cluster, the VM cluster hosting the node when appropriate

Some options are set automatically, for example:

deployment.targetHost will be inferred from the network configuration
deployment.tags will contain infra-$site, so that a full site can be redeployed at once

Organization

The organization defines the groups and members of the infrastructure team, one day this information will be synchronized in Kanidm.

Members

For a member to be allowed access to a node, they must be defined in the members attribute set, and their SSH keys must be available in the keys folder.

Groups

Groups exist only to simplify the management of accesses:

The root group will be given administrator access on all nodes
The iso group will have its keys included in the ISOs built from the iso folder

Extra groups can be created at will, to be used in node-specific modules.

Module

The meta configuration can be evaluated as a module, to perform checks on the structure of the data.