infrastructure/meta/README.md
Tom Hubrecht 88d9b8c3e3
chore: Add license and copyright information
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu>
Acked-by: Maurice Debray <maurice.debray@dgnum.eu>
Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu>
Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum.
Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
2024-12-13 12:41:38 +01:00


<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Metadata of the DGNum infrastructure
====================================
# DNS
The DNS configuration of our infrastructure is entirely derived from the metadata contained in this folder.
Each machine has records pointing to its IP addresses, when they exist:
- `$node.$site.infra.dgnum.eu IN A $ipv4`
- `$node.$site.infra.dgnum.eu IN AAAA $ipv6`
- `v4.$node.$site.infra.dgnum.eu IN A $ipv4`
- `v6.$node.$site.infra.dgnum.eu IN AAAA $ipv6`
The services hosted on those machines are then reached through CNAME aliases:
- `$service.dgnum.eu IN CNAME $node.$site.infra.dgnum.eu`
or, when targeting only a specific IP protocol:
- `$service4.dgnum.eu IN CNAME ipv4.$node.$site.infra.dgnum.eu`
- `$service6.dgnum.eu IN CNAME ipv6.$node.$site.infra.dgnum.eu`
Extra records exist for the name servers, the mail configuration and the main website; they should not change and should not be tinkered with.
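As an added illustration (not code from the DGNum repository), the following Python derives the records listed above from a constructed metadata table and flags service aliases whose target has no address record, the kind of mistake a `check_dns` job should catch. Node names, the site `site1`, the addresses and the `SERVICES` shape are assumptions; it also assumes the `v4.`/`v6.` prefix of the node records for the protocol-specific alias targets (the CNAME lines above write `ipv4.`/`ipv6.`).

```python
# Added example, not part of the DGNum repository: derive the records described
# above from constructed node/service metadata and check that every service
# alias points at a name that actually exists. Data shapes, node names, the
# site name and the addresses are assumptions, not values from the repository.
import ipaddress

# Constructed sample metadata (the real folder layout is not reproduced here).
NODES = {
    "web01": {"site": "site1", "ipv4": "192.0.2.10", "ipv6": "2001:db8::10"},
    "storage01": {"site": "site1", "ipv4": "192.0.2.20"},  # no IPv6 address yet
}
# service -> (node, family); family None means the plain $node alias,
# 4 or 6 the protocol-specific one. The last entry is deliberately dangling.
SERVICES = {"wiki": ("web01", None), "s3": ("storage01", None), "s36": ("storage01", 6)}


def node_fqdn(node, site, prefix=""):
    return f"{prefix}{node}.{site}.infra.dgnum.eu"


def node_records(node, meta):
    """A/AAAA records for one machine, emitted only for addresses it has."""
    fqdn = node_fqdn(node, meta["site"])
    records = []
    if "ipv4" in meta:
        ip = str(ipaddress.IPv4Address(meta["ipv4"]))  # rejects malformed literals
        records += [(fqdn, "A", ip), (node_fqdn(node, meta["site"], "v4."), "A", ip)]
    if "ipv6" in meta:
        ip = str(ipaddress.IPv6Address(meta["ipv6"]))
        records += [(fqdn, "AAAA", ip), (node_fqdn(node, meta["site"], "v6."), "AAAA", ip)]
    return records


def service_record(service, node, family=None, nodes=NODES):
    """CNAME for a service; the v4./v6. prefix selects a protocol-specific target."""
    prefix = "" if family is None else f"v{family}."
    return (f"{service}.dgnum.eu", "CNAME", node_fqdn(node, nodes[node]["site"], prefix))


def check_dns(nodes=NODES, services=SERVICES):
    """Return services whose CNAME target has no A/AAAA record (dangling aliases)."""
    owners = {owner for n, m in nodes.items() for owner, _, _ in node_records(n, m)}
    return sorted(s for s, (node, fam) in services.items()
                  if service_record(s, node, fam, nodes)[2] not in owners)
```

`check_dns()` reports `s36`, because `storage01` has no IPv6 address and therefore no `v6.storage01.site1.infra.dgnum.eu` record for the alias to land on.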
# Network
The network configuration (except for the NetBird VPN) is defined statically.
TODO.
# Nixpkgs
Machines can run different versions of NixOS; the supported ones are specified here.
## How to add a new version
- Switch to a new branch `nixos-$VERSION`.
- Run the following command:
```bash
npins add channel nixos-$VERSION
```
- Edit `meta/nixpkgs.nix` and add `$VERSION` to the supported versions.
- Read the release notes and check for relevant changes.
- Update the nodes' versions.
- Create a PR so that the CI checks that everything builds.
# Nodes
The nodes are declared statically; several options can be configured:
- `deployment`, the colmena deployment options
- `stateVersion`, the state version of the node
- `nixpkgs`, the version and system of NixOS to use
- `admins`, the list of administrators specific to this node; they will be given root access
- `adminGroups`, a list of groups whose members will be added to `admins`
- `site`, the physical location of the node
- `vm-cluster`, the VM cluster hosting the node, when appropriate
Some options are set automatically, for example:
- `deployment.targetHost` will be inferred from the network configuration
- `deployment.tags` will contain `infra-$site`, so that a full site can be redeployed at once
# Organization
The organization defines the groups and members of the infrastructure team;
one day this information will be synchronized with Kanidm.
## Members
For a member to be allowed access to a node, they must be defined in the `members` attribute set,
and their SSH keys must be available in the `keys` folder.
## Groups
Groups exist only to simplify access management:
- The `root` group will be given administrator access on all nodes
- The `iso` group will have its keys included in the ISOs built from the `iso` folder
Extra groups can be created at will, to be used in node-specific modules.
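As an added illustration covering both the node options above (`admins`, `adminGroups`, `site` and the automatic `deployment.tags`) and the `members`/`root` rules of this section, the following Python resolves who gets root on a node and flags members without a key; it is not the meta module's code. Member and node names, the group `web` and the `KEYS_PRESENT` set standing in for the keys folder are constructed assumptions.

```python
# Added example, not the DGNum meta module: resolve who gets root on a node
# from its `admins`, its `adminGroups` and the global `root` group, derive the
# automatic `infra-$site` tag, and flag admins with no SSH key in the keys
# folder. All names and data below are constructed assumptions.

MEMBERS = {"alice": {}, "bob": {}, "carol": {}, "dave": {}}  # the members attribute set
GROUPS = {"root": ["alice"], "iso": ["alice", "bob"], "web": ["bob", "carol"]}
NODES = {
    "web01": {"site": "site1", "admins": ["dave"], "adminGroups": ["web"]},
    "vault01": {"site": "site2", "admins": [], "adminGroups": []},
}
# Stands in for the files of the keys folder: members that have a key on disk.
KEYS_PRESENT = {"alice", "bob", "carol"}


def node_admins(node, nodes=NODES, groups=GROUPS):
    """Members given root on `node`: its admins, its adminGroups' members, and `root`."""
    meta = nodes[node]
    who = set(meta.get("admins", [])) | set(groups["root"])
    for group in meta.get("adminGroups", []):
        who |= set(groups[group])  # an unknown group raises KeyError, which a check should surface
    return sorted(who)


def deployment_tags(node, nodes=NODES):
    """Automatic colmena tag so that a whole site can be redeployed at once."""
    return [f"infra-{nodes[node]['site']}"]


def check_access(nodes=NODES, groups=GROUPS, members=MEMBERS, keys=KEYS_PRESENT):
    """Problems a meta check should reject: unknown members and admins without a key."""
    problems = []
    for node in nodes:
        for member in node_admins(node, nodes, groups):
            if member not in members:
                problems.append(f"{node}: {member} is not in members")
            elif member not in keys:
                problems.append(f"{node}: {member} has no SSH key in the keys folder")
    return problems
```

With the constructed data, `dave` is a node-specific admin of `web01` but has no key on disk, so `check_access()` reports him while `vault01` resolves to the `root` group alone.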
# Module
The meta configuration can be evaluated as a module, to perform checks on the structure of the data.