catvayor
909bb55764
All checks were successful
Check meta / check_dns (pull_request) Successful in 15s
Check workflows / check_workflows (pull_request) Successful in 16s
Check meta / check_meta (pull_request) Successful in 37s
Build all the nodes / netaccess01 (pull_request) Successful in 21s
Build all the nodes / netcore02 (pull_request) Successful in 19s
Build all the nodes / netcore01 (pull_request) Successful in 42s
Build all the nodes / ap01 (pull_request) Successful in 1m55s
Build all the nodes / geo01 (pull_request) Successful in 2m5s
Build all the nodes / geo02 (pull_request) Successful in 2m7s
Build all the nodes / build01 (pull_request) Successful in 2m13s
Build all the nodes / hypervisor01 (pull_request) Successful in 2m13s
Build all the nodes / hypervisor02 (pull_request) Successful in 2m10s
Build all the nodes / hypervisor03 (pull_request) Successful in 2m31s
Build all the nodes / bridge01 (pull_request) Successful in 2m46s
Build all the nodes / compute01 (pull_request) Successful in 2m51s
Build the shell / build-shell (pull_request) Successful in 49s
Build all the nodes / storage01 (pull_request) Successful in 1m47s
Run pre-commit on all files / pre-commit (pull_request) Successful in 23s
Build all the nodes / tower01 (pull_request) Successful in 1m33s
Build all the nodes / rescue01 (pull_request) Successful in 2m57s
Build all the nodes / web03 (pull_request) Successful in 1m56s
Build all the nodes / vault01 (pull_request) Successful in 2m12s
Build all the nodes / web02 (pull_request) Successful in 2m14s
Build all the nodes / web01 (pull_request) Successful in 2m27s
Check meta / check_dns (push) Successful in 16s
Build all the nodes / netcore01 (push) Successful in 20s
Build all the nodes / netcore02 (push) Successful in 20s
Build all the nodes / netaccess01 (push) Successful in 21s
Check meta / check_meta (push) Successful in 30s
Build all the nodes / ap01 (push) Successful in 37s
Build all the nodes / geo02 (push) Successful in 1m54s
Build all the nodes / bridge01 (push) Successful in 2m3s
Build all the nodes / hypervisor03 (push) Successful in 2m2s
Build all the nodes / hypervisor01 (push) Successful in 2m4s
Build all the nodes / web02 (push) Successful in 1m49s
Build the shell / build-shell (push) Successful in 29s
Run pre-commit on all files / pre-commit (push) Successful in 34s
Build all the nodes / build01 (push) Successful in 3m1s
Build all the nodes / hypervisor02 (push) Successful in 3m11s
Build all the nodes / storage01 (push) Successful in 2m58s
Build all the nodes / web03 (push) Successful in 2m46s
Build all the nodes / geo01 (push) Successful in 3m27s
Build all the nodes / tower01 (push) Successful in 3m7s
Build all the nodes / vault01 (push) Successful in 3m13s
Build all the nodes / compute01 (push) Successful in 3m38s
Build all the nodes / rescue01 (push) Successful in 3m37s
Build all the nodes / web01 (push) Successful in 3m39s
|
||
|---|---|---|
| .. | ||
| nodes | ||
| default.nix | ||
| dns.nix | ||
| network.nix | ||
| nixpkgs.nix | ||
| options.nix | ||
| organization.nix | ||
| README.md | ||
| verify.nix | ||
Metadata of the DGNum infrastructure
DNS
The DNS configuration of our infrastructure is completely defined with the metadata contained in this folder.
The different machines have records pointing to their IP addresses when they exist:
-
$node.$site.infra.dgnum.eu points IN A $ipv4
-
$node.$site.infra.dgnum.eu points IN AAAA $ipv6
-
v4.$node.$site.infra.dgnum.eu points IN A $ipv4
-
v6.$node.$site.infra.dgnum.eu points IN AAAA $ipv6
Then the services hosted on those machines can be accessed through redirections:
- $service.dgnum.eu IN CNAME $node.$site.infra.dgnum.eu
or, when targeting only a specific IP protocol:
- $service4.dgnum.eu IN CNAME ipv4.$node.$site.infra.dgnum.eu
- $service6.dgnum.eu IN CNAME ipv6.$node.$site.infra.dgnum.eu
Extra records exist for ns, mail configuration, or the main website but shouldn't change or be tinkered with.
Network
The network configuration (except the NetBird vpn) is defined statically.
TODO.
Nixpkgs
Machines can use different versions of NixOS, the supported ones are specified here.
How to add a new version
- Switch to a new branch
nixos-$VERSION - Run the following command
npins add channel nixos-$VERSION
- Edit
meta/nixpkgs.nixand add$VERSIONto the supported version. - Read the release notes and check for changes.
- Update the nodes versions
- Create a PR so that the CI check that it builds
Nodes
The nodes are declared statically, several options can be configured:
deployment, the colmena deployment optionstateVersion, the state version of the nodenixpkgs, the version and sytem of NixOS to useadmins, the list of administrators specific to this node, they will be given root accessadminGroups, a list of groups whose members will be added toadminssite, the physical location of the nodevm-cluster, the VM cluster hosting the node when appropriate
Some options are set automatically, for example:
deployment.targetHostwill be inferred from the network configurationdeployment.tagswill containinfra-$site, so that a full site can be redeployed at once
Organization
The organization defines the groups and members of the infrastructure team, one day this information will be synchronized in Kanidm.
Members
For a member to be allowed access to a node, they must be defined in the members attribute set,
and their SSH keys must be available in the keys folder.
Groups
Groups exist only to simplify the management of accesses:
- The
rootgroup will be given administrator access on all nodes - The
isogroup will have its keys included in the ISOs built from the iso folder
Extra groups can be created at will, to be used in node-specific modules.
Module
The meta configuration can be evaluated as a module, to perform checks on the structure of the data.