chore(meta): Revamp and remove DNS for now
Some checks failed
Some checks failed
We don't have a dns server for the lab infra for now. Later we will probably reintroduce the tooling for our dns server. This will be good for people to get into understanding the main infra repository.
This commit is contained in:
parent
3ce077f92c
commit
2ac0a35c5e
8 changed files with 6 additions and 539 deletions
|
@ -15,11 +15,3 @@ jobs:
|
|||
|
||||
- name: Check the validity of meta options
|
||||
run: nix-build meta/verify.nix -A meta
|
||||
|
||||
check_dns:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Check the validity of the DNS configuration
|
||||
run: nix-build meta/verify.nix -A dns --no-out-link
|
||||
|
|
|
@ -74,8 +74,6 @@ in
|
|||
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
|
||||
) (import ./meta/nodes.nix);
|
||||
|
||||
dns = import ./meta/dns.nix;
|
||||
|
||||
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
|
||||
|
||||
shells = {
|
||||
|
|
136
meta/dns.nix
136
meta/dns.nix
|
@ -1,136 +0,0 @@
|
|||
{ lib, dns, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mapAttrs' nameValuePair;
|
||||
inherit (lib.extra) fuseAttrs mapSingleFuse;
|
||||
|
||||
inherit (dns.lib.combinators) mx spf ttl;
|
||||
|
||||
meta = (import ./.) lib;
|
||||
|
||||
mkCNAME = host: { CNAME = [ host ]; };
|
||||
|
||||
mkHosted =
|
||||
server:
|
||||
{
|
||||
dual ? [ ],
|
||||
v4 ? [ ],
|
||||
v6 ? [ ],
|
||||
}:
|
||||
let
|
||||
base = "${server}.${meta.nodes.${server}.site}.infra";
|
||||
mkHost = host: mapSingleFuse (_: mkCNAME host);
|
||||
in
|
||||
fuseAttrs [
|
||||
(mkHost base dual)
|
||||
(mkHost "v4.${base}" v4)
|
||||
(mkHost "v6.${base}" v6)
|
||||
];
|
||||
|
||||
cnames = builtins.mapAttrs (_: to: { CNAME = [ to ]; }) {
|
||||
"dev" = "dev.pages.codeberg.page.";
|
||||
"irc" = "public.p.lahfa.xyz.";
|
||||
"webmail" = "kurisu.dual.lahfa.xyz.";
|
||||
|
||||
# Transition to new site names
|
||||
"web01.dmi01.infra" = "web01.rat01.infra";
|
||||
"web02.dmi01.infra" = "web02.rat01.infra";
|
||||
"compute01.par01.infra" = "compute01.pav01.infra";
|
||||
"storage01.par01.infra" = "storage01.pav01.infra";
|
||||
|
||||
# Miscelleanous redirections
|
||||
"traque" = "traque.katvayor.net.";
|
||||
|
||||
# Temporary redirection for the BDS
|
||||
# FIXME: finish the django apps module
|
||||
"gestiobds.dj" = "cof.ens.fr.";
|
||||
};
|
||||
|
||||
hosted = fuseAttrs (builtins.attrValues (builtins.mapAttrs mkHosted { }));
|
||||
|
||||
kurisuDKIM = [
|
||||
{
|
||||
selector = "kurisu";
|
||||
k = "rsa";
|
||||
s = [ "email" ];
|
||||
p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa5KuK6ry+Ss2VsKL0FsDpoBlc7dcXZyp62fGqFJFJv4/GEivPWiwbr2o5oLKjQVI4kIYjIZsyQJFtI/Xcu4BrtDdBknb5WvCN8V9EvIMh3pfXOBLVx4oqw4BR7wF8Rw1J9xyfgsfK+m2n0M39XlMHH0Nuy6kU48jH9vYpZs17ZQIDAQAB";
|
||||
}
|
||||
];
|
||||
in
|
||||
|
||||
{
|
||||
SOA = {
|
||||
nameServer = "ns01.dgnum.eu.";
|
||||
adminEmail = "dns.dgnum.eu";
|
||||
retry = 3600;
|
||||
minimum = 300;
|
||||
};
|
||||
|
||||
# Primary DNS servers
|
||||
NS = [
|
||||
"ns01.dgnum.eu." # ns-03.hubrecht.ovh
|
||||
"ns02.dgnum.eu." # kurisu.lahfa.xyz
|
||||
];
|
||||
|
||||
# dgnum.codeberg.pages
|
||||
# ALIAS = [ "codeberg.page" ];
|
||||
A = [ "217.197.91.145" ];
|
||||
AAAA = [ "2001:67c:1401:20f0::1" ];
|
||||
|
||||
MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];
|
||||
|
||||
SRV = [
|
||||
{
|
||||
service = "autodiscover";
|
||||
proto = "tcp";
|
||||
port = 443;
|
||||
target = "autoconfig.mail.lahfa.xyz.";
|
||||
}
|
||||
];
|
||||
|
||||
TXT = [
|
||||
"dgnum.codeberg.page"
|
||||
(spf.strict [ "a:kurisu.lahfa.xyz" ])
|
||||
];
|
||||
DMARC = [ { p = "none"; } ];
|
||||
DKIM = kurisuDKIM;
|
||||
|
||||
subdomains =
|
||||
hosted
|
||||
// cnames
|
||||
// {
|
||||
ns01 = {
|
||||
A = [ "51.178.27.125" ];
|
||||
AAAA = [ "2001:41d0:305:2100::542c" ];
|
||||
};
|
||||
ns02 = {
|
||||
A = [ "163.172.69.160" ];
|
||||
AAAA = [ "2001:bc8:38ee::1" ];
|
||||
};
|
||||
}
|
||||
// {
|
||||
infra = {
|
||||
MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];
|
||||
|
||||
TXT = [ (spf.strict [ "a:kurisu.lahfa.xyz" ]) ];
|
||||
DMARC = [ { p = "none"; } ];
|
||||
DKIM = kurisuDKIM;
|
||||
|
||||
subdomains = mapAttrs' (
|
||||
host:
|
||||
{ site, ... }:
|
||||
nameValuePair "${host}.${site}" (
|
||||
with meta.network.${host}.addresses;
|
||||
{
|
||||
A = ipv4;
|
||||
AAAA = ipv6;
|
||||
subdomains = {
|
||||
v4.A = ipv4;
|
||||
v6.AAAA = ipv6;
|
||||
};
|
||||
}
|
||||
)
|
||||
) meta.nodes;
|
||||
};
|
||||
};
|
||||
}
|
183
meta/network.nix
183
meta/network.nix
|
@ -1,34 +1,4 @@
|
|||
{
|
||||
bridge01 = {
|
||||
hostId = "f57f3ba0";
|
||||
|
||||
interfaces = { };
|
||||
netbirdIp = null;
|
||||
};
|
||||
|
||||
compute01 = {
|
||||
interfaces = {
|
||||
eno1 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.146.147";
|
||||
prefixLength = 24;
|
||||
}
|
||||
{
|
||||
address = "192.168.1.147";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.146.254" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "8df60941";
|
||||
netbirdIp = "100.80.75.197";
|
||||
};
|
||||
|
||||
krz01 = {
|
||||
interfaces = {
|
||||
eno1 = {
|
||||
|
@ -51,157 +21,4 @@
|
|||
hostId = "bd11e8fc";
|
||||
netbirdIp = "100.80.103.206";
|
||||
};
|
||||
|
||||
geo01 = {
|
||||
interfaces = {
|
||||
eno1 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.210.194";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.210.254" ];
|
||||
|
||||
dns = [
|
||||
"129.199.96.11"
|
||||
"129.199.72.99"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "b88fee0c";
|
||||
netbirdIp = "100.80.8.66";
|
||||
};
|
||||
|
||||
geo02 = {
|
||||
interfaces = {
|
||||
eno1 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.210.69";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.210.254" ];
|
||||
|
||||
dns = [
|
||||
"129.199.96.11"
|
||||
"129.199.72.99"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "45d65237";
|
||||
netbirdIp = "100.80.233.249";
|
||||
};
|
||||
|
||||
storage01 = {
|
||||
interfaces = {
|
||||
eno1 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.146.148";
|
||||
prefixLength = 24;
|
||||
}
|
||||
{
|
||||
address = "192.168.1.148";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.146.254" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "d4e7c369";
|
||||
netbirdIp = "100.80.156.154";
|
||||
};
|
||||
|
||||
vault01 = {
|
||||
interfaces = {
|
||||
vlan-uplink-cri = {
|
||||
ipv4 = [
|
||||
{
|
||||
# see also machines/vault01/networking.nix
|
||||
address = "129.199.195.129";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
gateways = [ ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "e83b600d";
|
||||
netbirdIp = "100.80.255.180";
|
||||
};
|
||||
|
||||
web01 = {
|
||||
interfaces = {
|
||||
ens3 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.129.53";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.129.1" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "050df79e";
|
||||
netbirdIp = "100.80.77.90";
|
||||
};
|
||||
|
||||
web02 = {
|
||||
interfaces = {
|
||||
ens3 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.129.235";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.129.1" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "b431ca10";
|
||||
netbirdIp = null; # web02 is not to be connected on the VPN
|
||||
};
|
||||
|
||||
rescue01 = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
ipv6 = [
|
||||
{
|
||||
address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
||||
ipv4 = [
|
||||
{
|
||||
address = "192.168.0.232";
|
||||
prefixLength = 21;
|
||||
}
|
||||
];
|
||||
gateways = [ "192.168.0.1" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
addresses.ipv4 = [ "82.67.34.230" ];
|
||||
|
||||
hostId = "007f0200";
|
||||
netbirdIp = "100.80.97.140";
|
||||
};
|
||||
}
|
||||
|
|
106
meta/nodes.nix
106
meta/nodes.nix
|
@ -19,66 +19,6 @@
|
|||
- luj01 -> VM de Luj
|
||||
*/
|
||||
{
|
||||
bridge01 = {
|
||||
site = "hyp01";
|
||||
|
||||
hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
|
||||
|
||||
stateVersion = "24.05";
|
||||
|
||||
adminGroups = [ "fai" ];
|
||||
|
||||
deployment = {
|
||||
targetHost = "fd26:baf9:d250:8000::ffff";
|
||||
sshOptions = [
|
||||
"-J"
|
||||
"root@vault01.hyp01.infra.dgnum.eu"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
web01 = {
|
||||
site = "rat01";
|
||||
|
||||
deployment.tags = [ "web" ];
|
||||
|
||||
hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
|
||||
|
||||
stateVersion = "23.05";
|
||||
vm-cluster = "Hyperviseur NPS";
|
||||
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
|
||||
compute01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
|
||||
|
||||
stateVersion = "23.05";
|
||||
nix-modules = [ "services/stirling-pdf" ];
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
|
||||
geo01 = {
|
||||
site = "oik01";
|
||||
deployment.tags = [ "geo" ];
|
||||
|
||||
hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
|
||||
geo02 = {
|
||||
site = "oik01";
|
||||
deployment.tags = [ "geo" ];
|
||||
|
||||
hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
|
||||
krz01 = {
|
||||
site = "pav01";
|
||||
|
@ -87,51 +27,5 @@
|
|||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
|
||||
adminGroups = [ "lab" ];
|
||||
};
|
||||
|
||||
storage01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
|
||||
|
||||
stateVersion = "23.11";
|
||||
nixpkgs = "24.05";
|
||||
|
||||
nix-modules = [ "services/forgejo-nix-runners" ];
|
||||
};
|
||||
|
||||
vault01 = {
|
||||
site = "hyp01";
|
||||
deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
|
||||
|
||||
hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
|
||||
|
||||
stateVersion = "23.11";
|
||||
nixpkgs = "24.05";
|
||||
|
||||
adminGroups = [ "fai" ];
|
||||
};
|
||||
|
||||
web02 = {
|
||||
site = "rat01";
|
||||
|
||||
hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
vm-cluster = "Hyperviseur NPS";
|
||||
};
|
||||
|
||||
rescue01 = {
|
||||
site = "luj01";
|
||||
|
||||
deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
|
||||
|
||||
hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
|
||||
|
||||
stateVersion = "23.11";
|
||||
vm-cluster = "Hyperviseur Luj";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -70,39 +70,6 @@ in
|
|||
Groups of the DGNum organization.
|
||||
'';
|
||||
};
|
||||
|
||||
external = mkOption {
|
||||
type = attrsOf (listOf str);
|
||||
description = ''
|
||||
External services used by the DGNum organization.
|
||||
'';
|
||||
};
|
||||
|
||||
services = mkOption {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
admins = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of administrators of the service.
|
||||
'';
|
||||
};
|
||||
|
||||
adminGroups = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of administrator groups of the service.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
description = ''
|
||||
Administrator access of the different DGNum services,
|
||||
it is mainly indicative as most services cannot configure this statically.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
nodes = mkOption {
|
||||
|
@ -360,21 +327,6 @@ in
|
|||
extract "adminGroups" config.nodes
|
||||
))
|
||||
|
||||
# Check that all services admins exist
|
||||
(membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
|
||||
extract "admins" org.services
|
||||
))
|
||||
|
||||
# Check that all services adminGroups exist
|
||||
(groupsExists (
|
||||
name: "A member of the service ${name} adminGroups was not found in the groups list."
|
||||
) (extract "adminGroups" org.services))
|
||||
|
||||
# Check that all external services admins exist
|
||||
(membersExists (
|
||||
name: "A member of the external service ${name} admins was not found in the members list."
|
||||
) org.external)
|
||||
|
||||
# Check that all members have ssh keys
|
||||
(builtins.map (name: {
|
||||
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
|
||||
|
|
|
@ -10,6 +10,11 @@
|
|||
email = "catvayor@dgnum.eu";
|
||||
};
|
||||
|
||||
cst1 = {
|
||||
name = "Constantin Gierczak--Galle";
|
||||
email = "cst1@dgnum.eu";
|
||||
};
|
||||
|
||||
ecoppens = {
|
||||
name = "Elias Coppens";
|
||||
email = "ecoppens@dgnum.eu";
|
||||
|
@ -48,52 +53,10 @@
|
|||
"raito"
|
||||
"mdebray"
|
||||
"luj"
|
||||
];
|
||||
|
||||
# members of this group are root on the fai infrastructure
|
||||
fai = [
|
||||
"catvayor"
|
||||
"ecoppens"
|
||||
"cst1"
|
||||
];
|
||||
|
||||
lab = [
|
||||
"catvayor"
|
||||
"ecoppens"
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
external = {
|
||||
dns = [
|
||||
"thubrecht"
|
||||
"raito"
|
||||
];
|
||||
|
||||
email = [ "raito" ];
|
||||
|
||||
irc = [ "raito" ];
|
||||
};
|
||||
|
||||
services = {
|
||||
# Démarches Normaliennes
|
||||
ds-fr.admins = [
|
||||
"thubrecht"
|
||||
"jemagius"
|
||||
];
|
||||
|
||||
# Cloud DGNum
|
||||
nextcloud.admins = [
|
||||
"thubrecht"
|
||||
"raito"
|
||||
];
|
||||
|
||||
# Netbox DGNum
|
||||
netbox.adminGroups = [
|
||||
"root"
|
||||
"fai"
|
||||
];
|
||||
|
||||
# Videos DGNum
|
||||
peertube.admins = [ "thubrecht" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
let
|
||||
sources = import ../npins;
|
||||
pkgs = import sources.nixpkgs { };
|
||||
|
||||
dns = import sources."dns.nix" { inherit pkgs; };
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -22,15 +20,4 @@ in
|
|||
else
|
||||
pkgs.writers.writeJSON "meta.json" config;
|
||||
|
||||
dns = dns.util.writeZone "dgnum.eu" (
|
||||
pkgs.lib.recursiveUpdate { SOA.serial = 0; } (
|
||||
import ./dns.nix {
|
||||
inherit dns;
|
||||
|
||||
lib = pkgs.lib // {
|
||||
extra = import ../lib/nix-lib;
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue