From 2ac0a35c5ea960378e9cf6b164aba3e23766728b Mon Sep 17 00:00:00 2001
From: sinavir
Date: Thu, 17 Oct 2024 13:03:15 +0200
Subject: [PATCH] chore(meta): Revamp and remove DNS for now

We don't have a dns server for the lab infra for now. Later we will probably reintroduce the tooling for our dns server. This will be good for people to get into understanding the main infra repository.
---
 .forgejo/workflows/check-meta.yaml | 8 --
 default.nix | 2 -
 meta/dns.nix | 136 ---------------------
 meta/network.nix | 183 -----------------------------
 meta/nodes.nix | 106 -----------------
 meta/options.nix | 48 --------
 meta/organization.nix | 49 +------
 meta/verify.nix | 13 --
 8 files changed, 6 insertions(+), 539 deletions(-)
 delete mode 100644 meta/dns.nix

diff --git a/.forgejo/workflows/check-meta.yaml b/.forgejo/workflows/check-meta.yaml
index 27af558..179d206 100644
--- a/.forgejo/workflows/check-meta.yaml
+++ b/.forgejo/workflows/check-meta.yaml
@@ -15,11 +15,3 @@ jobs:
 - name: Check the validity of meta options
 run: nix-build meta/verify.nix -A meta
-
- check_dns:
- runs-on: nix
- steps:
- - uses: actions/checkout@v3
-
- - name: Check the validity of the DNS configuration
- run: nix-build meta/verify.nix -A dns --no-out-link
diff --git a/default.nix b/default.nix
index 414feb8..0dbf784 100644
--- a/default.nix
+++ b/default.nix
@@ -74,8 +74,6 @@ in
 host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
 ) (import ./meta/nodes.nix);
- dns = import ./meta/dns.nix;
-
 mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
 shells = {
diff --git a/meta/dns.nix b/meta/dns.nix
deleted file mode 100644
index d6d59a0..0000000
--- a/meta/dns.nix
+++ /dev/null
@@ -1,136 +0,0 @@
-{ lib, dns, ... }:
-
-let
- inherit (lib) mapAttrs' nameValuePair;
- inherit (lib.extra) fuseAttrs mapSingleFuse;
-
- inherit (dns.lib.combinators) mx spf ttl;
-
- meta = (import ./.) lib;
-
- mkCNAME = host: { CNAME = [ host ]; };
-
- mkHosted =
- server:
- {
- dual ? [ ],
- v4 ? [ ],
- v6 ? [ ],
- }:
- let
- base = "${server}.${meta.nodes.${server}.site}.infra";
- mkHost = host: mapSingleFuse (_: mkCNAME host);
- in
- fuseAttrs [
- (mkHost base dual)
- (mkHost "v4.${base}" v4)
- (mkHost "v6.${base}" v6)
- ];
-
- cnames = builtins.mapAttrs (_: to: { CNAME = [ to ]; }) {
- "dev" = "dev.pages.codeberg.page.";
- "irc" = "public.p.lahfa.xyz.";
- "webmail" = "kurisu.dual.lahfa.xyz.";
-
- # Transition to new site names
- "web01.dmi01.infra" = "web01.rat01.infra";
- "web02.dmi01.infra" = "web02.rat01.infra";
- "compute01.par01.infra" = "compute01.pav01.infra";
- "storage01.par01.infra" = "storage01.pav01.infra";
-
- # Miscelleanous redirections
- "traque" = "traque.katvayor.net.";
-
- # Temporary redirection for the BDS
- # FIXME: finish the django apps module
- "gestiobds.dj" = "cof.ens.fr.";
- };
-
- hosted = fuseAttrs (builtins.attrValues (builtins.mapAttrs mkHosted { }));
-
- kurisuDKIM = [
- {
- selector = "kurisu";
- k = "rsa";
- s = [ "email" ];
- p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa5KuK6ry+Ss2VsKL0FsDpoBlc7dcXZyp62fGqFJFJv4/GEivPWiwbr2o5oLKjQVI4kIYjIZsyQJFtI/Xcu4BrtDdBknb5WvCN8V9EvIMh3pfXOBLVx4oqw4BR7wF8Rw1J9xyfgsfK+m2n0M39XlMHH0Nuy6kU48jH9vYpZs17ZQIDAQAB";
- }
- ];
-in
-
-{
- SOA = {
- nameServer = "ns01.dgnum.eu.";
- adminEmail = "dns.dgnum.eu";
- retry = 3600;
- minimum = 300;
- };
-
- # Primary DNS servers
- NS = [
- "ns01.dgnum.eu." # ns-03.hubrecht.ovh
- "ns02.dgnum.eu."
# kurisu.lahfa.xyz
- ];
-
- # dgnum.codeberg.pages
- # ALIAS = [ "codeberg.page" ];
- A = [ "217.197.91.145" ];
- AAAA = [ "2001:67c:1401:20f0::1" ];
-
- MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];
-
- SRV = [
- {
- service = "autodiscover";
- proto = "tcp";
- port = 443;
- target = "autoconfig.mail.lahfa.xyz.";
- }
- ];
-
- TXT = [
- "dgnum.codeberg.page"
- (spf.strict [ "a:kurisu.lahfa.xyz" ])
- ];
- DMARC = [ { p = "none"; } ];
- DKIM = kurisuDKIM;
-
- subdomains =
- hosted
- // cnames
- // {
- ns01 = {
- A = [ "51.178.27.125" ];
- AAAA = [ "2001:41d0:305:2100::542c" ];
- };
- ns02 = {
- A = [ "163.172.69.160" ];
- AAAA = [ "2001:bc8:38ee::1" ];
- };
- }
- // {
- infra = {
- MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];
-
- TXT = [ (spf.strict [ "a:kurisu.lahfa.xyz" ]) ];
- DMARC = [ { p = "none"; } ];
- DKIM = kurisuDKIM;
-
- subdomains = mapAttrs' (
- host:
- { site, ... }:
- nameValuePair "${host}.${site}" (
- with meta.network.${host}.addresses;
- {
- A = ipv4;
- AAAA = ipv6;
- subdomains = {
- v4.A = ipv4;
- v6.AAAA = ipv6;
- };
- }
- )
- ) meta.nodes;
- };
- };
-}
diff --git a/meta/network.nix b/meta/network.nix
index 6216bf2..4d2043a 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -1,34 +1,4 @@
 {
- bridge01 = {
- hostId = "f57f3ba0";
-
- interfaces = { };
- netbirdIp = null;
- };
-
- compute01 = {
- interfaces = {
- eno1 = {
- ipv4 = [
- {
- address = "129.199.146.147";
- prefixLength = 24;
- }
- {
- address = "192.168.1.147";
- prefixLength = 24;
- }
- ];
-
- gateways = [ "129.199.146.254" ];
- enableDefaultDNS = true;
- };
- };
-
- hostId = "8df60941";
- netbirdIp = "100.80.75.197";
- };
-
 krz01 = {
 interfaces = {
 eno1 = {
@@ -51,157 +21,4 @@
 hostId = "bd11e8fc";
 netbirdIp = "100.80.103.206";
 };
-
- geo01 = {
- interfaces = {
- eno1 = {
- ipv4 = [
- {
- address = "129.199.210.194";
- prefixLength = 24;
- }
- ];
-
- gateways = [ "129.199.210.254" ];
-
- dns = [
- "129.199.96.11"
- "129.199.72.99"
- ];
- };
- };
-
- hostId = "b88fee0c";
- netbirdIp = "100.80.8.66";
- };
-
- geo02 = {
- interfaces = {
- eno1 = {
- ipv4 = [
- {
- address = "129.199.210.69";
- prefixLength = 24;
- }
- ];
-
- gateways = [ "129.199.210.254" ];
-
- dns = [
- "129.199.96.11"
- "129.199.72.99"
- ];
- };
- };
-
- hostId = "45d65237";
- netbirdIp = "100.80.233.249";
- };
-
- storage01 = {
- interfaces = {
- eno1 = {
- ipv4 = [
- {
- address = "129.199.146.148";
- prefixLength = 24;
- }
- {
- address = "192.168.1.148";
- prefixLength = 24;
- }
- ];
-
- gateways = [ "129.199.146.254" ];
- enableDefaultDNS = true;
- };
- };
-
- hostId = "d4e7c369";
- netbirdIp = "100.80.156.154";
- };
-
- vault01 = {
- interfaces = {
- vlan-uplink-cri = {
- ipv4 = [
- {
- # see also machines/vault01/networking.nix
- address = "129.199.195.129";
- prefixLength = 32;
- }
- ];
- gateways = [ ];
- enableDefaultDNS = true;
- };
- };
-
- hostId = "e83b600d";
- netbirdIp = "100.80.255.180";
- };
-
- web01 = {
- interfaces = {
- ens3 = {
- ipv4 = [
- {
- address = "129.199.129.53";
- prefixLength = 24;
- }
- ];
-
- gateways = [ "129.199.129.1" ];
- enableDefaultDNS = true;
- };
- };
-
- hostId = "050df79e";
- netbirdIp = "100.80.77.90";
- };
-
- web02 = {
- interfaces = {
- ens3 = {
- ipv4 = [
- {
- address = "129.199.129.235";
- prefixLength = 24;
- }
- ];
-
- gateways = [ "129.199.129.1" ];
- enableDefaultDNS = true;
- };
- };
-
- hostId = "b431ca10";
- netbirdIp = null; # web02 is not to be connected on the VPN
- };
-
- rescue01 = {
- interfaces = {
- ens18 = {
- ipv6 = [
- {
- address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728";
- prefixLength = 64;
- }
- ];
-
- ipv4 = [
- {
- address = "192.168.0.232";
- prefixLength = 21;
- }
- ];
-
gateways = [ "192.168.0.1" ];
- enableDefaultDNS = true;
- };
- };
-
- addresses.ipv4 = [ "82.67.34.230" ];
-
- hostId = "007f0200";
- netbirdIp = "100.80.97.140";
- };
 }
diff --git a/meta/nodes.nix b/meta/nodes.nix
index 884cf71..c5b6763 100644
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@@ -19,66 +19,6 @@
 - luj01 -> VM de Luj
 */
 {
- bridge01 = {
- site = "hyp01";
-
- hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
-
- stateVersion = "24.05";
-
- adminGroups = [ "fai" ];
-
- deployment = {
- targetHost = "fd26:baf9:d250:8000::ffff";
- sshOptions = [
- "-J"
- "root@vault01.hyp01.infra.dgnum.eu"
- ];
- };
- };
-
- web01 = {
- site = "rat01";
-
- deployment.tags = [ "web" ];
-
- hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
-
- stateVersion = "23.05";
- vm-cluster = "Hyperviseur NPS";
-
- nixpkgs = "24.05";
- };
-
- compute01 = {
- site = "pav01";
-
- hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
-
- stateVersion = "23.05";
- nix-modules = [ "services/stirling-pdf" ];
- nixpkgs = "24.05";
- };
-
- geo01 = {
- site = "oik01";
- deployment.tags = [ "geo" ];
-
- hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
-
- stateVersion = "24.05";
- nixpkgs = "24.05";
- };
-
- geo02 = {
- site = "oik01";
- deployment.tags = [ "geo" ];
-
- hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
-
- stateVersion = "24.05";
- nixpkgs = "24.05";
- };
 krz01 = {
 site = "pav01";
@@ -87,51 +27,5 @@
 stateVersion = "24.05";
 nixpkgs = "unstable";
-
- adminGroups = [ "lab" ];
- };
-
- storage01 = {
- site = "pav01";
-
- hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
-
- stateVersion = "23.11";
- nixpkgs = "24.05";
-
- nix-modules = [ "services/forgejo-nix-runners" ];
- };
-
- vault01 = {
- site = "hyp01";
- deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
-
- hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
-
- stateVersion = "23.11";
- nixpkgs = "24.05";
-
- adminGroups = [ "fai" ];
- };
-
- web02 = {
- site = "rat01";
-
- hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
-
- stateVersion = "24.05";
- nixpkgs = "24.05";
- vm-cluster = "Hyperviseur NPS";
- };
-
- rescue01 = {
- site = "luj01";
-
- deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
-
- hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
-
- stateVersion = "23.11";
- vm-cluster = "Hyperviseur Luj";
 };
 }
diff --git a/meta/options.nix b/meta/options.nix
index e8f4e6a..0344793 100644
--- a/meta/options.nix
+++ b/meta/options.nix
@@ -70,39 +70,6 @@ in
 Groups of the DGNum organization.
 '';
 };
-
- external = mkOption {
- type = attrsOf (listOf str);
- description = ''
- External services used by the DGNum organization.
- '';
- };
-
- services = mkOption {
- type = attrsOf (submodule {
- options = {
- admins = mkOption {
- type = listOf str;
- default = [ ];
- description = ''
- List of administrators of the service.
- '';
- };
-
- adminGroups = mkOption {
- type = listOf str;
- default = [ ];
- description = ''
- List of administrator groups of the service.
- '';
- };
- };
- });
- description = ''
- Administrator access of the different DGNum services,
- it is mainly indicative as most services cannot configure this statically.
- '';
- };
 };
 nodes = mkOption {
@@ -360,21 +327,6 @@ in
 extract "adminGroups" config.nodes
 ))
- # Check that all services admins exist
- (membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
- extract "admins" org.services
- ))
-
- # Check that all services adminGroups exist
- (groupsExists (
- name: "A member of the service ${name} adminGroups was not found in the groups list."
- ) (extract "adminGroups" org.services))
-
- # Check that all external services admins exist
- (membersExists (
- name: "A member of the external service ${name} admins was not found in the members list."
- ) org.external)
-
 # Check that all members have ssh keys
 (builtins.map (name: {
 assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
diff --git a/meta/organization.nix b/meta/organization.nix
index cf0c2b5..b8a4016 100644
--- a/meta/organization.nix
+++ b/meta/organization.nix
@@ -10,6 +10,11 @@
 email = "catvayor@dgnum.eu";
 };
+ cst1 = {
+ name = "Constantin Gierczak--Galle";
+ email = "cst1@dgnum.eu";
+ };
+
 ecoppens = {
 name = "Elias Coppens";
 email = "ecoppens@dgnum.eu";
@@ -48,52 +53,10 @@
 "raito"
 "mdebray"
 "luj"
- ];
-
- # members of this group are root on the fai infrastructure
- fai = [
 "catvayor"
 "ecoppens"
+ "cst1"
 ];
- lab = [
- "catvayor"
- "ecoppens"
- ];
-
- };
-
- external = {
- dns = [
- "thubrecht"
- "raito"
- ];
-
- email = [ "raito" ];
-
- irc = [ "raito" ];
- };
-
- services = {
- # Démarches Normaliennes
- ds-fr.admins = [
- "thubrecht"
- "jemagius"
- ];
-
- # Cloud DGNum
- nextcloud.admins = [
- "thubrecht"
- "raito"
- ];
-
- # Netbox DGNum
- netbox.adminGroups = [
- "root"
- "fai"
- ];
-
- # Videos DGNum
- peertube.admins = [ "thubrecht" ];
 };
 }
diff --git a/meta/verify.nix b/meta/verify.nix
index ecf2ed2..51beb99 100644
--- a/meta/verify.nix
+++ b/meta/verify.nix
@@ -3,8 +3,6 @@ let
 sources = import ../npins;
 pkgs = import sources.nixpkgs { };
-
- dns = import sources."dns.nix" { inherit pkgs; };
 in
 {
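Review bot: The new member cst1 is added in meta/organization.nix without any key file in this patch, and the assertion kept in the second meta/options.nix hunk, `assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];`, fails the `nix-build meta/verify.nix -A meta` job that check-meta.yaml still runs whenever a member has no entry under keys/. Unless keys/ already contains an entry for cst1, this commit will not pass the meta check on its own; if the key lands in a separate commit, a comment on the entry such as `# ssh key: keys/ (added separately)` would make the dependency visible. The enclosing members attribute set starts before the hunk.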
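Review bot: Removing the `];` after `"luj"` and the `fai = [` header folds catvayor, ecoppens and the new cst1 into the group that opens above this hunk, so the former fai members now hold whatever that group grants; from the removed `netbox.adminGroups = [ "root" "fai" ]` that group is likely `root`, but its name is outside the hunk. The comment stating that fai members are root on the fai infrastructure is dropped with the group, and nothing in the new code records that the merge is a deliberate widening of membership rather than an accidental deletion, while the separate `lab` group and the `adminGroups = [ "lab" ]` / `adminGroups = [ "fai" ]` uses in meta/nodes.nix disappear in the same commit. If the merge is intended, a one-line comment on the surviving group such as `# former fai and lab members were merged into this group` would keep the privilege change reviewable. The enclosing groups attribute set starts before the hunk.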
@@ -22,15 +20,4 @@ in
 else
 pkgs.writers.writeJSON "meta.json" config;
- dns = dns.util.writeZone "dgnum.eu" (
- pkgs.lib.recursiveUpdate { SOA.serial = 0; } (
- import ./dns.nix {
- inherit dns;
-
- lib = pkgs.lib // {
- extra = import ../lib/nix-lib;
- };
- }
- )
- );
 }