The dgnum infrastructure
DGNum [bot] b1c719a7a0
lon: update agenix
564595d0ad4be7277e07fa63b5a991b3c645655d
→ 4835b1dc898959d8547a871ef484930675cb47f1

Last 50 commits:
  344f985 dev: remove i686 support; simplify flake
  097aa18 contrib: add direct tests for agenix
  17090d1 Merge pull request #163 from ryantm/rtm-2-21-recursive-nix
  08dc506 Revert "contrib: add direct tests for agenix "
  d0d4ad5 Merge pull request #231 from ryantm/revert-163-rtm-2-21-recursive-nix
  9bc80dc Merge pull request #229 from ryantm/rtm-12-20-flake
  5c1198a feat: switch from rage to age
  eb3b5cf update nixpkgs
  bd86c06 fix doc build
  58017c0 update inputs
  b6aa618 test removing installer
  23d4d5d maybe this fixes darwin checks?
  6ce42cc Fix CI for darwin
  457669d Merge pull request #230 from ryantm/rtm-12-20-age
  bc24f2e Revert "Revert "contrib: add direct tests for agenix ""
  a23aa27 dev: reland add direct tests for agenix
  417caa8 Merge pull request #232 from ryantm/rtm-12-23-test
  1746e4f agenix: fix installCheckPhase with Nix 2.3
  1f62cef fix: update docs for 5c1198a
  8cb01a0 Merge pull request #244 from kraem/fix/rage_to_age_docs
  3fd98a2 doc: fix wrong ssh-keyscan usage
  1381a75 Merge pull request #254 from oluceps/fix-doc
  2c1d1fb fix: allow for newlines in keys
  24a7ea3 Merge pull request #256 from spectre256/main
  07479c2 update link to nixos wiki (#258)
  63a57d8 Fix typo
  8d37c5b Merge pull request #259 from hansemschnokeloch/patch-1
  08ed896 fix: always treat link destinations as files to ensure error when destination is a directory.
  c2fc076 Merge pull request #241 from sternenseemann/nix-2.3-install-check
  3a56735 Merge pull request #187 from oddlama/main
  760751b README: Add warning about HNDL and PQS in theat model
  de96bd9 Merge pull request #265 from Kreyren/patch-1
  40012e5 Remove import for NixOS/HM modules
  3f1dae0 Merge pull request #277 from fzakaria/import-module-remove
  e341399 age-home: Use curly-brackets for XDG_RUNTIME_DIR
  f6291c5 Merge pull request #280 from Kreyren/patch-3
  cce0ff4 fix: bad age.identityPaths default value on darwin
  302ab0c fix: bump to macOS-15 in CI
  989ade2 feat: dynamically determine architecture in ci
  96b7e4f contrib: improve readability of age.identityPaths default value
  4d0d81e fix: bad indentation in ci
  e600439 Merge pull request #307 from codgician/fix-darwin-module
  cccd5af docs: add home-manager module documentation
  58c5544 fix: use replaceVars instead of substituteAll
  96e078c Merge pull request #324 from K900/replace-vars
  af991e8 Separate flags from positional args with `--`
  72f7f68 Merge pull request #327 from n8henrie/leading-hyphen-filename
  8a4516a Merge pull request #318 from bcl1713/main
  bd33a9b doc: strip trailing whitespace
  6697e8b Merge pull request #328 from ryantm/doc-strip-whitespace
2025-06-12 16:21:17 +02:00
.forgejo/workflows feat(workflows/eval-nodes): Print evaluation statistics 2025-06-12 16:14:13 +02:00
lib feat(netconf/junos): allow snmp management 2025-06-09 17:04:59 +02:00
LICENSES feat(modules/extranix): Simplify 2025-04-16 07:48:57 +02:00
machines fix(build01/nix-builder): Remove impure-derivations from experimental-features 2025-06-12 16:00:42 +02:00
meta feat(lon): Init from npins 2025-06-11 23:00:50 +02:00
modules revert(hackdays): remove all infra dedicated to hackdays 2025-06-06 10:59:42 +02:00
patches fix(patch): commit has been rebased 2025-06-12 16:21:17 +02:00
pkgs feat(lon): Init from npins 2025-06-11 23:00:50 +02:00
scripts feat(scripts): Add rekey-all 2025-05-19 10:03:12 +02:00
workflows feat(workflows/eval-nodes): Print evaluation statistics 2025-06-12 16:14:13 +02:00
.envrc feat(workflows): Switch to a nix-based definition of workflows 2024-11-11 17:57:23 +01:00
.gitattributes feat(lon): Init from npins 2025-06-11 23:00:50 +02:00
.gitignore fix(infra): remove untrackable file 2024-02-17 22:56:25 +01:00
bootstrap.nix feat(lon): Init from npins 2025-06-11 23:00:50 +02:00
CONTRIBUTE.md chore: Add license and copyright information 2024-12-13 12:41:38 +01:00
default.nix fix(workflows/lon-update): Write the shell definition correctly 2025-06-12 14:31:40 +02:00
hive.nix fix(substituters): Allow all paths from the infra cache 2025-05-04 15:20:47 +02:00
keys.nix fix(keys): Make it so agenix works again 2025-02-13 17:38:12 +01:00
lon.lock lon: update agenix 2025-06-12 16:21:17 +02:00
lon.nix feat(lon): Init from npins 2025-06-11 23:00:50 +02:00
README.md chore: Refactor meta to a module architecture 2025-02-06 13:08:04 +01:00
REUSE.toml feat(lon): Init from npins 2025-06-11 23:00:50 +02:00
shell.nix feat(nix): Use passthru for shells and return to importing the scripts 2024-11-14 22:18:40 +01:00

❄️ infrastructure

The dgnum infrastructure.

Contributing

Some instructions on how to contribute are available (in French) in /CONTRIBUTE.md. You are expected to read this document before committing to the repo.

Some documentation for the development tools is provided in the aforementioned file.

Using the binary cache

Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc.):

{ lib, ... }:
let
  dgnum-infra = PINNED_PATH_TO_INFRA;
in {
  nix.settings = (import dgnum-infra { }).mkCacheSettings {
    caches = [ "infra" ];
  };
}

Adding a new machine

The first step is to create a minimal viable NixOS host, using whatever means necessary. The second step is to find a name for this host; it must not collide with the name of any other host.

Tip

For the rest of this part, we assume that the host is named host02.

Download the keys

The public SSH keys of host02 have to be saved to keys, preferably only the ssh-ed25519 one.

It can be retrieved with:

ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'

Initialize the machine folder and configuration

  • Create a folder host02 under machines/
  • Copy the hardware configuration file generated by nixos-generate-config to machines/host02/_hardware-configuration.nix
  • Create a machines/host02/_configuration.nix file; it will contain the main configuration options. The basic content of this file should be the following:
{ lib, ... }:

lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
  ];

  enabledServices = [
    # List of services to enable
  ];

  extraConfig = {
    services.netbird.enable = true;
  };

  root = ./.;
}

Fill in the metadata

Network configuration

The network is declared in meta/network.nix; the necessary hostId value can be generated with:

head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'

Other details

The general metadata is declared in meta/nodes.nix; the main values to declare are:

  • site, where the node is physically located
  • stateVersion
  • nixpkgs, the nixpkgs version to use

Initialize secrets

Create the directory secrets in the configuration folder, and add a secrets.nix file containing:

(import ../../../keys.nix).mkSecrets [ "host02" ] [
  # List of secrets for host02
]

This will be used for future secret management.

Update encrypted files

The Arkheon, Netbox and notification modules all have secrets that are deployed on every machine. So that those services work correctly on the new host, run in modules/dgn-records, modules/dgn-netbox-agent and modules/dgn-notify:

agenix -r

Commit and create a PR

Once all of this is done, check that the configuration builds correctly:

colmena build --on host02

Apply it, and create a Pull Request.
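The file-creation steps above (host key retrieval, hostId generation, machine folder, starter configuration and secrets.nix), gathered into one POSIX shell script. This is an added example, not a script shipped by the repository; it assumes the layout described in this README (machines/<host>/_configuration.nix, machines/<host>/secrets/secrets.nix, keys.nix at the repository root, hence ../../../keys.nix from the secrets folder) and leaves the meta/*.nix edits, agenix -r and colmena build to the operator.

```shell
#!/bin/sh
# Scaffold a new dgnum host directory following the README steps.
# Added example, not part of the repository. Assumed layout:
#   machines/<host>/_configuration.nix
#   machines/<host>/_hardware-configuration.nix   (copied if a path is given)
#   machines/<host>/secrets/secrets.nix           (imports ../../../keys.nix)

# Print the ssh-ed25519 host key of ADDRESS in the "type key" form used in keys.
# Needs network access; where the result is stored under keys/ is not fixed here.
fetch_host_key() {
  ssh-keyscan "$1" 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
}

# Generate the 8-hex-digit hostId expected in meta/network.nix (same recipe as
# the README, with the stray padding removed by tr instead of sed).
gen_host_id() {
  head -c4 /dev/urandom | od -A n -t x4 | tr -d ' \n'
  echo
}

# scaffold_host HOST [ROOT] [HARDWARE_CONFIG]
# Create ROOT/machines/HOST/ with the starter files. Refuses to overwrite an
# existing directory, since host names must not collide with existing hosts.
scaffold_host() {
  host=$1
  root=${2:-.}
  hw=${3:-}
  dir="$root/machines/$host"
  if [ -e "$dir" ]; then
    echo "error: $dir already exists, pick another host name" >&2
    return 1
  fi
  mkdir -p "$dir/secrets"

  # Hardware configuration as produced by nixos-generate-config, if supplied.
  if [ -n "$hw" ]; then
    cp "$hw" "$dir/_hardware-configuration.nix"
  fi

  # Main configuration, exactly the starter content from the README.
  cat > "$dir/_configuration.nix" <<EOF
{ lib, ... }:

lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
  ];

  enabledServices = [
    # List of services to enable
  ];

  extraConfig = {
    services.netbird.enable = true;
  };

  root = ./.;
}
EOF

  # Empty secrets declaration for this host; the list is filled in later.
  cat > "$dir/secrets/secrets.nix" <<EOF
(import ../../../keys.nix).mkSecrets [ "$host" ] [
  # List of secrets for $host
]
EOF

  echo "created $dir"
  echo "hostId for meta/network.nix: $(gen_host_id)"
}

# Usage: ./scaffold.sh host02 [repo-root] [hardware-configuration.nix]
if [ "$#" -ge 1 ]; then
  scaffold_host "$@"
fi
```

After running it, declare the host in meta/network.nix (with the printed hostId) and meta/nodes.nix, save the output of fetch_host_key under keys, run agenix -r in the three module folders, and finish with colmena build --on host02.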