DGNum/lab-infra
8
1
Fork 1
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:staging
DGNum:homebox01_init
DGNum:dns01_ipv6
..
compare: DGNum:homebox01_init
Branches Tags
DGNum:main
DGNum:staging
DGNum:homebox01_init
DGNum:dns01_ipv6

3 commits
main ... homebox01_

Author SHA1 Message Date
Constantin Gierczak--Galle
e0a992d378
feat(homebox01): disable registration
Some checks failed
lint / check (push) Successful in 24s
Details
Check meta / check_meta (pull_request) Failing after 19s
Details
lint / check (pull_request) Successful in 23s
Details
build configuration / build_krz01 (pull_request) Failing after 1m26s
Details
2024-12-05 11:02:04 +01:00
Constantin Gierczak--Galle
8445a860c1
fix: fmt
Some checks failed
lint / check (push) Successful in 22s
Details
lint / check (pull_request) Successful in 24s
Details
Check meta / check_meta (pull_request) Failing after 27s
Details
build configuration / build_krz01 (pull_request) Failing after 1m30s
Details
2024-12-05 10:58:24 +01:00
Constantin Gierczak--Galle
ecb3bf02f5
feat(homebox01): init 2024-12-05 10:57:36 +01:00
45 changed files with 133 additions and 1308 deletions
Show stats Expand all files Collapse all files

3
.gitignore vendored
View file

@ -9,6 +9,3 @@ result-*
*.qcow2 *.qcow2
.gcroots .gcroots
.pre-commit-config.yaml .pre-commit-config.yaml
# nixmoxer (proxmox declarative vms)
nixmoxer.conf

2
default.nix
View file

@ -71,7 +71,7 @@ in
{ {
nodes = builtins.mapAttrs ( nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.lab.infra.dgnum.eu" host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes.nix); ) (import ./meta/nodes.nix);
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix; mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;

8
keys/default.nix
View file

@ -14,18 +14,10 @@ rec {
_keys = (import "${_sources.infrastructure}/keys")._keys // { _keys = (import "${_sources.infrastructure}/keys")._keys // {
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ]; krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ]; router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
roam01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXjzVxYs5v5+7N0tyqpBQERXKjXwTZUqVGkdye4S1LP" ];
status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
}; };
_vpnKeys =
builtins.mapAttrs (_: v: v.vpnKeys) meta.organization.members
// builtins.mapAttrs (_: v: v.vpnKeys) meta.network;
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls); getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
getVpnKey = vpn: name: _vpnKeys.${name}.${vpn};
mkSecrets = mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); }; nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };

13
machines/dns01/_configuration.nix
View file

@ -10,18 +10,7 @@ lib.extra.mkConfig {
"nsd" "nsd"
]; ];
extraConfig = { extraConfig = { };
# TODO : retrieve this address from meta/network.nix
deployment.targetHost = "45.13.104.26";
deployment.tags = [ "cst1" ];
networking.firewall = {
enable = true;
logRefusedConnections = lib.mkForce true;
logRefusedPackets = lib.mkForce true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
};
root = ./.; root = ./.;
} }

22
machines/dns01/beta.dgnum.eu.nix Normal file
View file

@ -0,0 +1,22 @@
{ dns, ... }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns1";
adminEmail = "webmaster@dgnum.eu";
serial = 2019030800;
};
NS = [
# TODO: add nameservers with GLUE and everything
];
#A = [ "203.0.113.1" ];
#AAAA = [ "4321:0:1:2:3:4:567:89ab" ];
subdomains = {
photoprism = host "129.199.146.101" null;
immich = host "129.199.146.101" null;
};
}

55
machines/dns01/lab.dgnum.eu.nix
View file

@ -1,55 +0,0 @@
{ dns, lib, ... }:
let
inherit (lib) mapAttrs' nameValuePair;
meta = (import ./../../meta) lib;
in
with dns.lib.combinators;
{
SOA = {
nameServer = "ns01.lab.dgnum.eu";
adminEmail = "dns@dgnum.eu";
serial = 2019030800;
retry = 3600;
minimum = 300;
};
NS = [ "ns01.lab.dgnum.eu." ];
#A = [ "203.0.113.1" ];
#AAAA = [ "4321:0:1:2:3:4:567:89ab" ];
subdomains = {
# Hosted services
# NOTE: for now manually supplied, in the future automatically filled in
photoprism = host "129.199.146.101" null;
immich = host "129.199.146.101" null;
homebox = host "129.199.146.102" null;
status = host "129.199.146.103" null;
# Nameservers
ns01 = host "45.13.104.26" "2a0e:e701:1120:1000:ffff::45.13.104.26";
# *.infra.lab.dgnum.eu
infra = {
subdomains = mapAttrs' (
host:
{ site, ... }:
nameValuePair "${host}.${site}" (
with meta.network.${host}.addresses;
{
A = ipv4;
AAAA = ipv6;
subdomains = {
v4.A = ipv4;
v6.AAAA = ipv6;
};
}
)
) meta.nodes;
};
};
}

13
machines/dns01/nsd.nix
View file

@ -1,4 +1,4 @@
{ sources, lib, ... }: { sources, ... }:
let let
dns = import sources.dns-nix { }; dns = import sources.dns-nix { };
@ -6,14 +6,17 @@ in
{ {
services.nsd = { services.nsd = {
enable = true; enable = true;
verbosity = 1000;
interfaces = [ "2a0e:e701:1120:1000:ffff::45.13.104.26" ];
zones = { zones = {
"lab.dgnum.eu" = { "beta.dgnum.eu" = {
# provideXFR = [ ... ]; # provideXFR = [ ... ];
# notify = [ ... ]; # notify = [ ... ];
data = dns.lib.toString "lab.dgnum.eu" (import ./lab.dgnum.eu.nix { inherit dns lib; }); data = dns.lib.toString "beta.dgnum.eu" (import ./beta.dgnum.eu.nix { inherit dns; });
}; };
}; };
}; };
networking = {
firewall = {
allowedUDPPorts = [ 53 ];
};
};
} }

1
machines/homebox01/_configuration.nix
View file

@ -12,7 +12,6 @@ lib.extra.mkConfig {
]; ];
extraConfig = { extraConfig = {
deployment.tags = [ "cst1" ];
networking = { networking = {
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [
80 80

2
machines/homebox01/homebox.nix
View file

@ -5,7 +5,7 @@
HBOX_OPTIONS_ALLOW_REGISTRATION = "false"; HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
}; };
}; };
services.nginx.virtualHosts."homebox.lab.dgnum.eu" = { services.nginx.virtualHosts."homebox.cgiga.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
serverAliases = [ ]; serverAliases = [ ];

4
machines/krz01/_configuration.nix
View file

@ -8,8 +8,8 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# INFO: This list needs to stay sorted alphabetically # INFO: This list needs to stay sorted alphabetically
# Machine learning API machine # Machine learning API machine
"microvm-ml01" # "microvm-ml01"
"microvm-router01" # "microvm-router01"
"nvidia-tesla-k80" "nvidia-tesla-k80"
"ollama" "ollama"
"whisper" "whisper"

1
machines/photo01/_configuration.nix
View file

@ -13,7 +13,6 @@ in
./photoprism.nix ./photoprism.nix
]; ];
deployment.targetHost = address; deployment.targetHost = address;
deployment.tags = [ "cst1" ];
networking = { networking = {
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [

2
machines/photo01/immich.nix
View file

@ -7,7 +7,7 @@
host = "localhost"; host = "localhost";
}; };
services.nginx.virtualHosts."immich.lab.dgnum.eu" = { services.nginx.virtualHosts."immich.cgiga.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
serverAliases = [ ]; serverAliases = [ ];

4
machines/photo01/photoprism.nix
View file

@ -8,7 +8,7 @@
settings = { settings = {
PHOTOPRISM_DEFAULT_LOCALE = "fr"; PHOTOPRISM_DEFAULT_LOCALE = "fr";
PHOTOPRISM_ADMIN_USERNAME = "admin"; PHOTOPRISM_ADMIN_USERNAME = "admin";
PHOHOPRISM_SITE_URL = "https://photoprism.lab.dgnum.eu"; PHOHOPRISM_SITE_URL = "https://photoprism.cgiga.fr";
PHOTOPRISM_SITE_CAPTION = "PhotoPrism"; PHOTOPRISM_SITE_CAPTION = "PhotoPrism";
# DB access config # DB access config
@ -41,7 +41,7 @@
]; ];
}; };
nginx.virtualHosts."photoprism.lab.dgnum.eu" = { nginx.virtualHosts."photoprism.cgiga.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
serverAliases = [ ]; serverAliases = [ ];

18
machines/roam01/_configuration.nix
View file

@ -1,18 +0,0 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"wireguard"
];
extraConfig = {
networking.interfaces.enp1s0.useDHCP = true;
};
root = ./.;
}

58
machines/roam01/_hardware-configuration.nix
View file

@ -1,58 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"usb_storage"
"usbhid"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/bfb4359b-75b2-4fa0-bdb6-283658a0019a";
fsType = "xfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1A70-E9AE";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ { device = "/dev/disk/by-uuid/6518c729-a0cb-41b4-acc8-ec219d0afba6"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0d1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

4
machines/roam01/secrets/secrets.nix
View file

@ -1,4 +0,0 @@
(import ../../../keys).mkSecrets [ "roam01" ] [
# List of secrets for router02
"systemd-network-wg_key"
]

39
machines/roam01/secrets/systemd-network-wg_key
View file

@ -1,39 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA eITDLS0bZ9nCNbcpXN2S2JK6+gy0V9Ix5anuz1DXpi8
h/3wu702P2+Mnrsh5EimLoLY6XPiyTvjytjVr2nVPU0
-> ssh-ed25519 QlRB9Q atT+Cb4dk/jH7uhQ7b8Qu1E4tFcrm7mUzqhwlvciCng
eZvsq5OsW7cxf4EmE7L4KhzmiCRhV72ILT5mOg3D7GY
-> ssh-ed25519 r+nK/Q RfAubzTOifMb9Pukkwkh7iUgOLxmIxkPCBhZqzohHA4
0rdpQrp7iSRjGCsi7EjOcuCx2YXXscJxIYv0vfpV9hw
-> ssh-rsa krWCLQ
tBs7XiMvJdAqbtZTaDxgyLrHxyUjgKU4amTtPdVxRUuqm4uSoxoHJj7N6NGBPhW4
ODB8ft5OoAwjtP/D12pNUn3fsIuo7DJGc57Dt74f0ge+MWTVI/tEC8I8EVOVYIpv
Udc1kW8n2CCdkAulSrvlfLQPuVFUcOYWGTvEVE05gPRoJ7NiXR9CW2ByyRjD12Fj
W+8c/H0/h8CmWGRFMZG+xlt9DmYNegz2TCKyTJPtWHRT6sYCqct13GQP/C8s8fJv
ZQjIUcF91EBTr6Gc0fGEYFmKQckOkEeAG3P92YuK9NLyHw5xHl9M+gFZlYsQ91kg
/uVW29GmK7qoyxpUP0GamA
-> ssh-ed25519 /vwQcQ 0y6bP+6t8EhcHs7ap/FmCDWxQLCkDF5KyeXlGZln9Qc
9xpybiFqQTxJ8Po0044HRhoBlmcFzqeXMG3IrZzKOdI
-> ssh-ed25519 0R97PA 1pn+9GwTf+AHsSCqI+xe0blM/6qJUgCgjCF3mlEV4k0
W278+7Qc5/QyALiy1Gt8WKqCw+MX4Ko0VLV+p1KoSjA
-> ssh-ed25519 JGx7Ng hrWsXtVn1DNQ86woVee66ljaMpgBBoJmHdS7qyESbz0
dRPPTNmGYFZ+VR9gPhfD5wutqIuJXXEtoMapnAShrHE
-> ssh-ed25519 bUjjig RzQTuUiEmKd9VqYMKz3cbaU7v4OncTK8N1VA+4M851w
49tmBO+NwrGfNyDwcyuk+7DFqK0yYfZoJ98qeYg0yBY
-> ssh-ed25519 5SY7Kg 9icmp/ZQKCNxep3mnqbJs3pfjaunJwpK9OP5PhXSvE4
Yx6OjFMMwg+MRsHSlg8DjBDF5jumxJcweaWPsy0TCNU
-> ssh-ed25519 p/Mg4Q yhvaDm7yq75qq2Sb5wmXqunG5sHoamAi0r/kBOFHJjw
ZnmJd4au4dGscs7HdW1TqqLjqniRT3EhivgllyuGp5s
-> ssh-ed25519 5rrg4g oQn9sbjixiuN02aDo/v4n6JWTT4MPbYVwni0OW04NFk
hhYoASjz7CPqNXwGCOydrzadudrvncUsv318zFFUB0A
-> ssh-ed25519 oRtTqQ holCshSmzD+N5BYaUOv00WZlFn0UOLTikddFPZpCw1o
XdPjWqs7UqmA4ZLbgNAlDuHcdEGeeGCryBLE0jUtRbM
-> ssh-ed25519 F2C+8w h7ncoDRcnH+pVcRAP5au111c47oRjg4ISn93qK912zk
7sisrDx+avRb9HE2WvYkgSErsvNMqsc+UESmRKt7xz8
-> ssh-ed25519 PMC4Bw oyKwRE22OV8RupaRKV6MgdL9sYK12NvhRDseQwo2MWE
oQOX7qy2Lo6eqmOBqgCjssu5mrd85NQDwmOdzIrj7yg
-> :1G-grease
krZ6nazBc8pS3EHxhcidv4uBigiek7jhODqwOoFQa3+31acCrziN8elOxd6gEa7B
a/xpMlN0
--- BZD889tFoBkFafKWHk0vfNhpP+YtdcU+wpmm0d9RV+Q
Ç„yz¥5Y7ùY}‡ˆ"·Q{±sy;âÇ“˜dÛü°”PX4¹ÏÃ×c½Š1AÕv©ýJî<ž^fÁ¯ƒñv3U%eó]P

54
machines/roam01/wireguard.nix
View file

@ -1,54 +0,0 @@
{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
Endpoint = "129.199.146.230:1194";
PersistentKeepalive = 25;
AllowedIPs = [ "fdaa::${prefix}:0/64" ];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}

1
machines/router02/_configuration.nix
View file

@ -8,7 +8,6 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"networking" "networking"
"wireguard"
]; ];
extraConfig = { }; extraConfig = { };

18
machines/router02/networking.nix
View file

@ -40,14 +40,18 @@
}; };
routes = [ routes = [
{ {
routeConfig = {
Destination = "::/0"; Destination = "::/0";
Table = "he"; Table = "he";
Scope = "global"; Scope = "global";
};
} }
{ {
# Use HE tunnel for router trafic as well # Use HE tunnel for router trafic as well
routeConfig = {
Destination = "::/0"; Destination = "::/0";
Scope = "global"; Scope = "global";
};
} }
]; ];
routingPolicyRules = [ routingPolicyRules = [
@ -78,31 +82,41 @@
}; };
routes = [ routes = [
{ {
routeConfig = {
Gateway = "2a0b:cbc0:1::215"; Gateway = "2a0b:cbc0:1::215";
PreferredSource = "2a0e:e701:1120::1"; PreferredSource = "2a0e:e701:1120::1";
};
} }
{ {
# Local route # Local route
routeConfig = {
Table = "mwan"; Table = "mwan";
Destination = "2a0e:e701:1120::/64"; Destination = "2a0e:e701:1120::/64";
};
} }
{ {
# Default unreachable route for unattributed prefixes of our /48 # Default unreachable route for unattributed prefixes of our /48
routeConfig = {
Table = "mwan"; Table = "mwan";
Metric = 9999; Metric = 9999;
Destination = "2a0e:e701:1120::/48"; Destination = "2a0e:e701:1120::/48";
Type = "unreachable"; Type = "unreachable";
};
} }
{ {
routeConfig = {
Table = "mwan"; Table = "mwan";
Gateway = "2a0b:cbc0:1::215"; Gateway = "2a0b:cbc0:1::215";
PreferredSource = "2a0e:e701:1120::1"; PreferredSource = "2a0e:e701:1120::1";
};
} }
# IPv4 # IPv4
{ {
routeConfig = {
Scope = "global"; Scope = "global";
Table = "mwan"; Table = "mwan";
Gateway = "10.1.1.49"; Gateway = "10.1.1.49";
};
} }
]; ];
routingPolicyRules = [ routingPolicyRules = [
@ -151,8 +165,10 @@
]; ];
routes = [ routes = [
{ {
routeConfig = {
Table = "mwan"; Table = "mwan";
Destination = "2a0e:e701:1120:1000::/64"; Destination = "2a0e:e701:1120:1000::/64";
};
} }
]; ];
}; };
@ -172,9 +188,11 @@
]; ];
routes = [ routes = [
{ {
routeConfig = {
Table = "he"; Table = "he";
Scope = "global"; Scope = "global";
Destination = "2001:470:1f13:187::/64"; Destination = "2001:470:1f13:187::/64";
};
} }
]; ];
}; };

1
machines/router02/secrets/secrets.nix
View file

@ -1,4 +1,3 @@
(import ../../../keys).mkSecrets [ "router02" ] [ (import ../../../keys).mkSecrets [ "router02" ] [
# List of secrets for router02 # List of secrets for router02
"systemd-network-wg_key"
] ]

39
machines/router02/secrets/systemd-network-wg_key
View file

@ -1,39 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 6v2v03EntXNNOnWAuZEcLybn6iWI+LB0kA/AbzszgQs
aqtydlqLgpfvC9rz0x0MshF+RfYJSpQaah5moS3CsGY
-> ssh-ed25519 QlRB9Q 8SqWmf7skeFnmT1HU43V7PwaqYl/hHTifx70qr05Y3c
W/b0CABozdoiSXWokOs+ChRL2pKCjL/b3kZHsBLBemw
-> ssh-ed25519 r+nK/Q TwRRJzM7q81lTdiMwINKYs5RqUaKR9odwTj0CaAUOFU
mYvyP/UeLFDgXFAUkCfZRNuRTJBL5t01nQ5a3U9BVrc
-> ssh-rsa krWCLQ
ssWV1ySMEEZJEsNUjss0U+rLVLYVLlPovyeqv3dWgRdbojFOboXZh7yo07KHOuu8
N3QU64Iy1B8VOoPPhkfRURJjsjEEt/48gwMm9Ff9lmF/rxuw8KOPlGgAF+HwGK0z
Y2gTJkehFuuBN70jsPpCGqlEpmbwLfw1BbYp8zYEq6OKXkhZjIWVEwfa3Ahiw0Z7
3VTC/9GVhpPu/s532TxYNsTZj6nBSp22jc8AZZvOxbPrV5Qk8yLb3JMfXBWn3bJv
N4A1x+ibCI6bnl+gYzmVjiquMuo8CMR1t+KAp6nNfv1dZT5UDBYKswYQ1AhQi7jh
KzBK3vInE18L3qWPxt4Zdw
-> ssh-ed25519 /vwQcQ YilslLDdIPQRNOr/ZA+WreHP5PNBiy/f6xz2UImsEQA
gjH2VsGYM/bJu+X5vwF1y+r0+pDC7EOjesuawUw5WAo
-> ssh-ed25519 0R97PA qFqvdP6/zg+/ruLrNmmFdi0ED43LVNtrfFISTVMLimA
YQyo/5tyH2JMPWiqV0bxWhMWVpyjcaQc9nr1WPUMygc
-> ssh-ed25519 JGx7Ng /SvvUDt/rDTaFOqaxL+d49pNyx7Wvkl0FMr36RIsxgQ
pF191qRavD24LSw2JHKpVKFGK281UitMTcLDV7Zw87M
-> ssh-ed25519 bUjjig +o1W/J1qFW96kC5SCz5azW4ar/bGglWOIST/VEBl0k8
mHPgOqZN5eLw5AG47TIXccckR1qhhr6Ix08l3CY2NF4
-> ssh-ed25519 5SY7Kg 53VjPE/xjun7Q1fKUaRKoEw1p5ble9fiunb/hX8sSns
5ro90MKLPz2rqdHghVBbrKXiRHHUEeRKkB+RZwxX1Ls
-> ssh-ed25519 p/Mg4Q tLc6UNchEe2AR/91gGauHIhD84UfKbIgS5MR77dhxhw
Q5/8BbmXj9wTv0oHr73Au3gNgMDPxT1btyRFhVZ+My8
-> ssh-ed25519 5rrg4g WVq0dsHIxZffMqbAgdtBoMZDpzWI2eSc/gYuohn2JHc
CXBXkFLl8ljpBZK3emGaj5D0lb07KfCBeHPLc0AuCFA
-> ssh-ed25519 oRtTqQ Zq/GevKIc0qaGd0jXWpkd88BxA6yPonFzvxqxtylCiw
KO0avMpoF1ICg+17xvsmBLGsZ4FVorjkcMl/adT2/IU
-> ssh-ed25519 F2C+8w b9E1FgolbSv9cbAKTwSUnUhcilOFC3mkX8zEgeYwJxs
vqh2UldeQQTkDuiRxrT8+Xxdpt2s16X+14J57rpZVKM
-> ssh-ed25519 Dk/ltw 9zNl1I2J0A99y6G2M4JHhUVgn/9xcCaDz+I1NQxJewg
GFQp+hYM9dyICmI5UmdnNftq7g3QyNH3MlkAoag8YtQ
-> jn$!zr-grease w#SDYrYf
tNm7A1/g1RMy3lwzsibb/VhsMojufa8iCJCfZ5PG13ikyKab/8GY2oBO282yzcGJ
NLDaG5WbIbese3Rxi+rC0ucRZYWlx/w
--- 8tELVgxGaIQsgC4NrrRbSh8Y8p+d8sQLG6pWZrc4b3o
<16>kÜè ŽuûEõ¬4>7>«p<C2AB>KøÎH¶ê$8MÞŸ@¢’¢û„<C3BB>°º fñ`ÿ°XÍÚLi½:”öû³&wè> 4€•,#q¿h™4

57
machines/router02/wireguard.nix
View file

@ -1,57 +0,0 @@
{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
AllowedIPs = [ "fdaa::${prefix}:${lib.toHexString peer.id}/32" ];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers =
builtins.map (mkPeer "1") [
"mdebray"
"catvayor"
]
++ builtins.map (mkPeer "0") [ "roam01" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}

25
machines/routexp01/_configuration.nix
View file

@ -1,25 +0,0 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"lab-routexp"
];
enabledServices = [
# List of services to enable
];
extraConfig = {
lab-routexp = {
id = 1;
connections = [
1001
1002
];
};
};
root = ./.;
}

40
machines/routexp01/_hardware-configuration.nix
View file

@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
lib,
sources,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
(sources.disko + "/module.nix")
./disko.nix
];
boot = {
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

33
machines/routexp01/disko.nix
View file

@ -1,33 +0,0 @@
_: {
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "1G";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}

1
machines/routexp01/networking.nix
View file

@ -1 +0,0 @@
{ }

3
machines/routexp01/secrets/secrets.nix
View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "routexp01" ] [
# List of secrets for router02
]

25
machines/status01/_configuration.nix
View file

@ -1,25 +0,0 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"nginx"
"uptime-kuma"
];
extraConfig = {
deployment.tags = [ "cst1" ];
networking = {
firewall.allowedTCPPorts = [
80
443
];
};
};
root = ./.;
}

34
machines/status01/_hardware-configuration.nix
View file

@ -1,34 +0,0 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader.systemd-boot.enable = true;
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
};
fileSystems."/" = {
device = "/dev/disk/by-partlabel/disk-sda-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/disk-sda-ESP";
fsType = "vfat";
};
networking.useDHCP = lib.mkDefault false;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

10
machines/status01/nginx.nix
View file

@ -1,10 +0,0 @@
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "500m";
};
}

4
machines/status01/secrets/secrets.nix
View file

@ -1,4 +0,0 @@
(import ../../../keys).mkSecrets [ "status01" ] [
# List of secrets for router02
"stateless-uptime-kuma-password"
]

39
machines/status01/secrets/stateless-uptime-kuma-password
View file

@ -1,39 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 53kqaGHoIiBW34TabFATNf+2Nju2FAQm5euxBlp4L2E
65jmuV2qa4FggzatITYncVQNSYTRtKEFZsBbtkQ487A
-> ssh-ed25519 QlRB9Q VwYIAUut50rqvm4nOUZf6Sp/HzyfE1Fg6JSsMF0H53s
euInJsL53RwaCza7OTZNRx+swsXcnN9FUMFMgmSnLug
-> ssh-ed25519 r+nK/Q 4ZxPhgovFEX8cX3mEarpl83i4Gg1IjDBdFwqlqt0p0E
n0oIgVJbCV9wd8GgPm4zDSKU+WPxrpXe1hNOH0M9orE
-> ssh-rsa krWCLQ
QxjqLVS1ANlU4kOSq9ybEHLlTrC9V9l5kQAakG9FLvGg6J88MM5v2oJzqN0MdRMy
HC26YFwibUMrues0qXfEYAx3uuss2TS82XAlZPGC4/dn31czI7mTjgbkkwVZZ1ED
SP8VWCAb/zjJoN+cSiVsTbu++b5dnavI2HrEA45pGopkG0usJE8Llr7kI/1Pb5Hi
GaYdjBk5MVrA+K8PTRJ3OdDM3aTKFaoPS5vgWM2RfSSkhVK51fKxIWkiphk5hZ7l
dmHk9qNiwZkg2wWp0W4pBCbHRzoIT2osNlbsO1IpsaNrVijrvxg5qHUHa1uqw5pB
fJ/7dh59Ckc6FkE7Mka1EQ
-> ssh-ed25519 /vwQcQ h3/pglzg2HhJ9AYixQgm//hDDfKwDm0qfdEYj94FF0Y
mJh35flVyki/cpuIlHMR2j2WI35W/HarJzJBvpa2hps
-> ssh-ed25519 0R97PA FKZr+kWHbRcZ0Ne6KdCH6mALFgTjAzquDyw3/HvTHXA
m0hzEpVB0n8LXEjFompdmDbGQQSEvXhQrxJWaCAhziA
-> ssh-ed25519 JGx7Ng TjvfKNCJIf8wW4p4VurJG4Ynl/s9ZoDndcP9GQs7K24
5Ps+MgsCaws3PKv1EFPHv1BdZVD4u/DfPiNgxTIEPDI
-> ssh-ed25519 bUjjig UEHCVJRj+Np4EvAUacUKaEIEtcv/92h/mdxpqwW9XjQ
nQfWPkwJ7MufMbTJ1ktE3skBxKu89ps7b/P48bevkwM
-> ssh-ed25519 5SY7Kg wP8S7omqt+wibyrLGdwChOilKLhlk3Uttouofrvn6Hg
PeHvagZGw11Jq8NZFi6Pvh+XSNgklY/235YKhUPogN4
-> ssh-ed25519 p/Mg4Q SC0lkuoNTFyPzVWW+CFQfsV5thLhnAlNMlW6r/M70WA
DR1hkNnQ1xOwSC6gk0i33Tn52iDNqsszPmxBrSS2/aU
-> ssh-ed25519 5rrg4g isrznX6EZE5Do1eNekhqaR/ZFeiMIzkk+y3+nIJ3dTM
nxLDqq/xhgCWQKlolE+7u06j3GrMKxSAirkDl5Y8zzA
-> ssh-ed25519 oRtTqQ GvvIExclzvOhzRs9TqSyPUMpPvFDcwOkthEKgxoOH3I
LkdOSCDASTS9EryBmarT9m2TVL3aafeN+FVGSyxN9AY
-> ssh-ed25519 F2C+8w USOT3pzvufIWjz7zelcMDACuyGAbwHfJ1wQc0Z5aS0A
ZnuvqZ0NdgmpDSc//c99j2X+B0FvioLS1eBC4mX9PQ0
-> ssh-ed25519 LCTbpA SLX/uFy8NniL/3dG2sOWFJqelwbcRC5UA+Ji7pYAFlQ
ckIg5nwZSsM1DAMT9DN2LPKnlQTQye54YUmHYDJ4rp4
-> +ka/`8V-grease `iuUWsh
61TbfYZeLgnlK2g7xDxOvPyZx1i1WlkyM6HtZVUUlUag0+k2mF2kuANCsm8GDJd4
qFDrRc6wmaCRnVf78HSdIJXKviR4QlxNXDnpTeh1jFGtIW4GXVHp
--- S/VYe23MY+e4qRXq615pCpV2VYHJF+s3ioeIEDaKPA8
n~,ló̓ŽSïD10<31>“àBFjºÞ1çbÃU©íš>Ö½íø˹Ýâ{÷§b$ϧ

30
machines/status01/unethical_patch_0.patch
View file

@ -1,30 +0,0 @@
diff --git a/server/model/group.js b/server/model/group.js
index 5b712ace..ecbced1a 100644
--- a/server/model/group.js
+++ b/server/model/group.js
@@ -31,10 +31,23 @@ class Group extends BeanModel {
*/
async getMonitorList() {
return R.convertToBeans("monitor", await R.getAll(`
- SELECT monitor.*, monitor_group.send_url FROM monitor, monitor_group
- WHERE monitor.id = monitor_group.monitor_id
+ SELECT monitor.*, monitor_group.send_url
+ FROM monitor
+ INNER JOIN monitor_group ON monitor.id = monitor_group.monitor_id
+ WHERE monitor.id IN (
+ SELECT hb.monitor_id
+ FROM heartbeat hb
+ INNER JOIN (
+ SELECT monitor_id, MAX(time) AS latest_time
+ FROM heartbeat
+ GROUP BY monitor_id
+ ) latest_hb
+ ON hb.monitor_id = latest_hb.monitor_id AND hb.time = latest_hb.latest_time
+ WHERE hb.status = 1
+ )
AND group_id = ?
ORDER BY monitor_group.weight
+
`, [
this.id,
]));

150
machines/status01/uptime-kuma.nix
View file

@ -1,150 +0,0 @@
{
config,
lib,
nodes,
sources,
pkgs,
...
}:
let
inherit (lib) concatLists mapAttrsToList mkMerge;
inherit (config.statelessUptimeKuma.lib)
pingProbesFromHive
fromHive
httpProbesFromConfig
probesWithTag
;
probesCfg = config.statelessUptimeKuma.probesConfig;
mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
host = "status.lab.dgnum.eu";
port = 3001;
httpExcludes = [
"localhost"
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
extraProbes = {
monitors = {
# NOTE: Empty
};
};
status_pages = {
"dgnum" = {
title = "DGNum";
description = "Etat de l'infra du lab de la DGNum";
showTags = true;
publicGroupList = [
{
name = "Services";
weight = 1;
monitorList = mkMonitors "Service";
}
{
name = "Serveurs";
weight = 2;
monitorList = mkMonitors "Ping";
}
#{
# name = "VPN Interne";
# weight = 2;
# monitorList = mkMonitors "VPN";
#}
];
};
};
pingProbes = pingProbesFromHive {
inherit nodes;
mkHost = _: config: config.networking.fqdn;
tags = [ { name = "Ping"; } ];
excludes = [
"status01"
"labcore01"
];
};
#vpnProbes = pingProbesFromHive {
# inherit nodes;
# prefix = "VPN - ";
# mkHost = node: _: "${node}.dgnum";
# tags = [ { name = "VPN"; } ];
# excludes = [
# "web02"
# "status01"
# ];
#};
httpProbes = fromHive {
inherit nodes;
builder =
_: module:
httpProbesFromConfig {
inherit (module) config;
tags = [
{
name = "Host";
value = module.config.networking.fqdn;
}
{ name = "Service"; }
];
excludes = httpExcludes;
};
};
in
{
imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
services.uptime-kuma = {
enable = true;
package = pkgs.uptime-kuma.overrideAttrs (
_: prev: {
patches = prev.patches ++ [
# Very important patch
./unethical_patch_0.patch
];
}
);
};
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes
httpProbes
extraProbes
#vpnProbes
{ inherit status_pages; }
];
extraFlags = [ "-s" ];
host = "http://localhost:${builtins.toString port}/";
username = "dgnum-lab";
passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
enableService = true;
};
}

73
meta/network.nix
View file

@ -1,32 +1,4 @@
let
mkRoutexp =
l:
builtins.listToAttrs (
builtins.map (
{ id, hostId, ... }:
{
name = "routexp${id}";
value = {
interfaces = {
ens18 = {
ipv6 = [
{
address = "2a0e:e701:1120:1000::1000:${id}";
prefixLength = 64;
}
];
gateways = [ "2a0e:e701:1120:1000::1" ];
dns = [ "2a0e:e701:1120:1000::f:1" ];
};
};
inherit hostId;
};
}
) l
);
in
{ {
dns01 = { dns01 = {
interfaces = { interfaces = {
ens18 = { ens18 = {
@ -37,13 +9,6 @@ in
} }
]; ];
ipv4 = [
{
address = "45.13.104.26";
prefixLength = 32;
}
];
gateways = [ "2a0e:e701:1120:1000::1" ]; gateways = [ "2a0e:e701:1120:1000::1" ];
dns = [ "2a0e:e701:1120:1000::f:1" ]; dns = [ "2a0e:e701:1120:1000::f:1" ];
}; };
@ -90,7 +55,6 @@ in
hostId = "bd11e8fc"; hostId = "bd11e8fc";
netbirdIp = "100.80.103.206"; netbirdIp = "100.80.103.206";
}; };
labcore01 = { labcore01 = {
interfaces = { interfaces = {
ens18 = { ens18 = {
@ -117,13 +81,6 @@ in
addresses.ipv4 = [ "129.199.146.230" ]; addresses.ipv4 = [ "129.199.146.230" ];
vpnKeys = {
wg-mgmt = {
id = 1;
key = "PN8/zo1Clue7jAnkvaUOg1ZdmcXmcTb6kIRpu5cplHs=";
};
};
hostId = "144d0f7a"; hostId = "144d0f7a";
}; };
photo01 = { photo01 = {
@ -133,34 +90,4 @@ in
hostId = "bcf8ff03"; hostId = "bcf8ff03";
}; };
status01 = {
interfaces = {
ens18 = {
ipv4 = [
{
address = "129.199.146.103";
prefixLength = 24;
}
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "7ce86f3d";
};
roam01 = {
interfaces = { };
vpnKeys = {
wg-mgmt = {
id = 2;
key = "Yg1GwHbJ7kwNbnjxI+5LtgDvzMPMiOm3EgI/saLI7FU=";
};
};
hostId = "999dc679";
};
} }
// mkRoutexp (import ./routexp.nix)

39
meta/nodes.nix
View file

@ -18,26 +18,6 @@
- hyp01 -> Salle serveur Hypnos 1 - hyp01 -> Salle serveur Hypnos 1
- luj01 -> VM de Luj - luj01 -> VM de Luj
*/ */
let
mkRoutexp =
l:
builtins.listToAttrs (
builtins.map (
{ id, ... }:
{
name = "routexp${id}";
value = {
site = "pav01";
hashedPassword = "$y$j9T$XJTT9MWCE49axmQppQSKc0$b9OzdEaQgDdXTc.meKWNeKd.TeTui2PdzdcFI/ggKk3";
stateVersion = "24.11";
nixpkgs = "unstable";
};
}
) l
);
in
{ {
dns01 = { dns01 = {
site = "pav01"; site = "pav01";
@ -89,23 +69,4 @@ in
stateVersion = "24.05"; stateVersion = "24.05";
nixpkgs = "unstable"; nixpkgs = "unstable";
}; };
status01 = {
site = "pav01";
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
stateVersion = "24.05";
nixpkgs = "unstable";
};
roam01 = {
site = "nowhere";
hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
deployment.targetHost = "129.199.146.39";
stateVersion = "24.11";
nixpkgs = "unstable";
};
} }
// mkRoutexp (import ./routexp.nix)

114
meta/options.nix
View file

@ -14,14 +14,11 @@ let
ints ints
listOf listOf
nullOr nullOr
singleLineStr
str str
submodule submodule
unspecified unspecified
; ;
inherit (ints) positive;
addressType = addressType =
max: max:
submodule { submodule {
@ -37,22 +34,6 @@ let
}; };
}; };
vpnKeyType = submodule {
options = {
id = mkOption {
type = positive;
description = ''
Unique ID that will be used to guess IP address
'';
};
key = mkOption {
type = str;
description = ''
Public key of the user for this VPN
'';
};
};
};
org = config.organization; org = config.organization;
in in
@ -60,10 +41,7 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf ( type = attrsOf (submodule {
submodule (
{ name, ... }:
{
options = { options = {
name = mkOption { name = mkOption {
type = str; type = str;
@ -78,37 +56,8 @@ in
Main e-mail address of the member. Main e-mail address of the member.
''; '';
}; };
username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
}; };
});
sshKeys = lib.mkOption {
type = listOf singleLineStr;
description = ''
A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys.
'';
example = [
"ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
"ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
];
};
vpnKeys = mkOption {
type = attrsOf vpnKeyType;
default = { };
description = "Attribute sets to define vpn keys of the user";
};
};
}
)
);
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.
@ -121,39 +70,6 @@ in
Groups of the DGNum organization. Groups of the DGNum organization.
''; '';
}; };
external = mkOption {
type = attrsOf (listOf str);
description = ''
External services used by the DGNum organization.
'';
};
services = mkOption {
type = attrsOf (submodule {
options = {
admins = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrators of the service.
'';
};
adminGroups = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrator groups of the service.
'';
};
};
});
description = ''
Administrator access of the different DGNum services,
it is mainly indicative as most services cannot configure this statically.
'';
};
}; };
nodes = mkOption { nodes = mkOption {
@ -340,13 +256,6 @@ in
IP address of the node in the netbird network. IP address of the node in the netbird network.
''; '';
}; };
vpnKeys = mkOption {
type = attrsOf vpnKeyType;
default = { };
description = "Attribute sets to define vpn keys of the machine";
};
}; };
config = config =
@ -418,20 +327,11 @@ in
extract "adminGroups" config.nodes extract "adminGroups" config.nodes
)) ))
# Check that all services admins exist # Check that all members have ssh keys
(membersExists (name: "A member of the service ${name} admins was not found in the members list.") ( (builtins.map (name: {
extract "admins" org.services assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
)) message = "No ssh keys found for ${name}.";
}) members)
# Check that all services adminGroups exist
(groupsExists (
name: "A member of the service ${name} adminGroups was not found in the groups list."
) (extract "adminGroups" org.services))
# Check that all external services admins exist
(membersExists (
name: "A member of the external service ${name} admins was not found in the members list."
) org.external)
]; ];
}; };
} }

62
meta/organization.nix
View file

@ -5,104 +5,44 @@
{ {
members = { members = {
agroudiev = {
name = "Antoine Groudiev";
email = "antoine.groudiev@dgnum.eu";
sshKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
};
catvayor = { catvayor = {
name = "Lubin Bailly"; name = "Lubin Bailly";
email = "catvayor@dgnum.eu"; email = "catvayor@dgnum.eu";
username = "lbailly";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
vpnKeys = {
wg-mgmt = {
id = 1;
key = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
};
};
}; };
cst1 = { cst1 = {
name = "Constantin Gierczak--Galle"; name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu"; email = "cst1@dgnum.eu";
username = "cgierczakgalle";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
}; };
ecoppens = { ecoppens = {
name = "Elias Coppens"; name = "Elias Coppens";
email = "ecoppens@dgnum.eu"; email = "ecoppens@dgnum.eu";
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
}; };
jemagius = { jemagius = {
name = "Jean-Marc Gailis"; name = "Jean-Marc Gailis";
email = "jm@dgnum.eu"; email = "jm@dgnum.eu";
username = "jgailis";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
}; };
luj = { luj = {
name = "Julien Malka"; name = "Julien Malka";
email = "luj@dgnum.eu"; email = "luj@dgnum.eu";
username = "jmalka";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
};
mboyer = {
name = "Matthieu Boyer";
email = "matthieu.boyer@dgnum.eu";
username = "mboyer02";
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
}; };
mdebray = { mdebray = {
name = "Maurice Debray"; name = "Maurice Debray";
email = "maurice.debray@dgnum.eu"; email = "maurice.debray@dgnum.eu";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
vpnKeys = {
wg-mgmt = {
id = 2;
key = "+nTxD4ZAzk+9LHGwEfK0t2cMQf0ognBYmhybNbCzW38=";
};
};
}; };
raito = { raito = {
name = "Ryan Lahfa"; name = "Ryan Lahfa";
email = "ryan@dgnum.eu"; email = "ryan@dgnum.eu";
username = "rlahfa";
sshKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
}; };
thubrecht = { thubrecht = {
name = "Tom Hubrecht"; name = "Tom Hubrecht";
email = "tom.hubrecht@dgnum.eu"; email = "tom.hubrecht@dgnum.eu";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
}; };
}; };

7
meta/routexp.nix
View file

@ -1,7 +0,0 @@
# List of routers for the routexp experiment
[
{
id = "01";
hostId = "d70d0593";
}
]

9
modules/default.nix
View file

@ -1,14 +1,7 @@
{ lib, sources, ... }: { lib, sources, ... }:
{ {
imports = imports = (lib.extra.mkImports ./. [ "lab-acme" ]) ++ [
(lib.extra.mkImports ./. [
"lab-acme"
"lab-network"
"lab-routexp"
])
++ [
"${sources."microvm.nix"}/nixos-modules/host" "${sources."microvm.nix"}/nixos-modules/host"
(import sources.proxmox-nixos).nixosModules.declarative-vms
]; ];
dgn-notify.enable = false; dgn-notify.enable = false;

59
modules/lab-network.nix
View file

@ -1,59 +0,0 @@
{
config,
lib,
meta,
name,
nodeMeta,
...
}:
let
inherit (lib)
mapAttrs'
mkEnableOption
mkIf
mkForce
;
net' = meta.network.${name};
mkAddress = { address, prefixLength, ... }: "${address}/${builtins.toString prefixLength}";
mkRoute = gateway: {
routeConfig = {
Gateway = gateway;
GatewayOnLink = true;
};
};
mkInterface = interface: net: {
name = "10-${interface}";
value = {
name = interface;
address = builtins.map mkAddress (net.ipv4 ++ net.ipv6);
routes = builtins.map mkRoute net.gateways;
inherit (net) DHCP dns;
};
};
cfg = config.lab-network;
in
{
options.lab-network.enable = mkEnableOption "automatic network configuration based on metadata" // {
default = true;
};
config = mkIf cfg.enable (mkForce {
networking = {
inherit (net') hostId;
hostName = name;
domain = "${nodeMeta.site}.infra.lab.dgnum.eu";
useNetworkd = true;
firewall.logRefusedConnections = false;
};
systemd.network.networks = mapAttrs' mkInterface net'.interfaces;
});
}

112
modules/lab-routexp/default.nix
View file

@ -1,112 +0,0 @@
# Copyright :
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
#
# Ce logiciel est un programme informatique servant à déployer des
# configurations de serveurs via NixOS.
#
# Ce logiciel est régi par la licence CeCILL soumise au droit français et
# respectant les principes de diffusion des logiciels libres. Vous pouvez
# utiliser, modifier et/ou redistribuer ce programme sous les conditions
# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
# sur le site "http://www.cecill.info".
#
# En contrepartie de l'accessibilité au code source et des droits de copie,
# de modification et de redistribution accordés par cette licence, il n'est
# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
# seule une responsabilité restreinte pèse sur l'auteur du programme, le
# titulaire des droits patrimoniaux et les concédants successifs.
#
# A cet égard l'attention de l'utilisateur est attirée sur les risques
# associés au chargement, à l'utilisation, à la modification et/ou au
# développement et à la reproduction du logiciel par l'utilisateur étant
# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
# manipuler et qui le réserve donc à des développeurs et des professionnels
# avertis possédant des connaissances informatiques approfondies. Les
# utilisateurs sont donc invités à charger et tester l'adéquation du
# logiciel à leurs besoins dans des conditions permettant d'assurer la
# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
#
# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
# pris connaissance de la licence CeCILL, et que vous en avez accepté les
# termes.
{ config, lib, ... }:
let
inherit (lib)
mkOption
types
mkEnableOption
mkIf
;
cfg = config.lab-routexp;
in
{
options.lab-routexp = {
enable = mkEnableOption "Routing experimentation settings.";
connections = mkOption {
type = types.listOf types.int;
default = { };
description = "Interface -> Address/CIDR map";
};
id = mkOption {
type = types.int;
description = "machine id";
};
};
config = mkIf cfg.enable {
virtualisation.proxmox = {
node = "krz01";
autoInstall = true;
vmid = 150 + config.lab-routexp.id;
bios = "ovmf";
memory = 4096;
cores = 2;
net =
[
{
model = "virtio";
bridge = "vmbr1";
tag = 2520;
}
]
++ builtins.map (vlan: {
model = "virtio";
bridge = "vmbr1";
tag = vlan;
}) cfg.connections;
scsi = [ { file = "zfs-noraid:16"; } ]; # This will create a 16GB volume in 'local'
};
systemd.network = {
networks =
builtins.listToAttrs (
lib.imap0 (i: vlan: {
name = "20-ens${builtins.toString (20 + i)}";
value = {
name = "ens${builtins.toString (20 + i)}";
address = [ "fdfd:1794:0:${builtins.toString vlan}::${builtins.toString cfg.id}/64" ];
};
}) cfg.connections
)
// {
"20-babel-local" = {
name = "babel-local";
address = [ "fdfd:1794::${builtins.toString cfg.id}/64" ];
};
};
netdevs = {
"babel-local" = {
netdevConfig = {
Name = "babel-local";
Kind = "dummy";
};
};
};
};
};
}

7
nixmoxer.conf
View file

@ -1,7 +0,0 @@
# nixmoxer.conf
host=krz01.dgnum:8006
user=root@pam
password=7GsnLcPfXV4OzHg3wo1e2zWphek0
#token_value=971e236f-60f3-445c-b574-142230409312
#token_name=nixmoxer-maurice
verify_ssl=0

64
npins/sources.json
View file

@ -25,10 +25,10 @@
"pre_releases": false, "pre_releases": false,
"version_upper_bound": null, "version_upper_bound": null,
"release_prefix": null, "release_prefix": null,
"version": "v1.9.0", "version": "v1.8.0",
"revision": "49a4936cee640e27d74baee6fd1278285d29b100", "revision": "624fd86460e482017ed9c3c3c55a3758c06a4e7f",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0", "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.0",
"hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388" "hash": "06ifryv6rw25cz8zda4isczajdgrvcl3aqr145p8njxx5jya2d77"
}, },
"dns-nix": { "dns-nix": {
"type": "GitRelease", "type": "GitRelease",
@ -53,9 +53,9 @@
"repo": "git-hooks.nix" "repo": "git-hooks.nix"
}, },
"branch": "master", "branch": "master",
"revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", "revision": "1211305a5b237771e13fcca0c51e60ad47326a9a",
"url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz", "url": "https://github.com/cachix/git-hooks.nix/archive/1211305a5b237771e13fcca0c51e60ad47326a9a.tar.gz",
"hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw" "hash": "1qz8d9g7rhwjk4p2x0rx59alsf0dpjrb6kpzs681gi3rjr685ivq"
}, },
"infrastructure": { "infrastructure": {
"type": "Git", "type": "Git",
@ -64,9 +64,9 @@
"url": "https://git.dgnum.eu/DGNum/infrastructure" "url": "https://git.dgnum.eu/DGNum/infrastructure"
}, },
"branch": "main", "branch": "main",
"revision": "32f68a54a92b3742030d43cb0402ea9de332a004", "revision": "45f2f5905506ad7523bde63ae94d0a3dc19dd604",
"url": null, "url": null,
"hash": "1wk0wwa74gq35rx77jannkz2y1zlqz2v7ngm0sn6zj9mx9wwp0b2" "hash": "171rwwvx4mq01g1c2rhn6v4hyv5c8g2jzzxmff4qz70yzlhs8806"
}, },
"lix": { "lix": {
"type": "Git", "type": "Git",
@ -75,9 +75,9 @@
"url": "https://git.lix.systems/lix-project/lix.git" "url": "https://git.lix.systems/lix-project/lix.git"
}, },
"branch": "main", "branch": "main",
"revision": "f116608a20430b8484814300cdf22eebeb75a59f", "revision": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6",
"url": null, "url": null,
"hash": "0hhjx3vk7rchkb4njhsf4vk2f7ipkpqb9jvywm0xcbpwa08xffis" "hash": "05kxga8fs9h4qm0yvp5l7jvsda7hzqs7rvxcn8r52dqg3c80hva9"
}, },
"lix-module": { "lix-module": {
"type": "Git", "type": "Git",
@ -86,9 +86,9 @@
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
}, },
"branch": "main", "branch": "main",
"revision": "aa2846680fa9a2032939d720487942567fd9eb63", "revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
"url": null, "url": null,
"hash": "0gb174800sgh6y6sir23nxsx85xrk478hbwqbzyd46ac34clz9wz" "hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
}, },
"lon": { "lon": {
"type": "Git", "type": "Git",
@ -121,9 +121,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git" "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
}, },
"branch": "main", "branch": "main",
"revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361", "revision": "2fd7c7810b2a901020ddd2d0cc82810b83a313fc",
"url": null, "url": null,
"hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn" "hash": "0rag870ll745r5isnk6hlxv0b0sbgriba5k6nihahcwsal2f4830"
}, },
"nix-patches": { "nix-patches": {
"type": "GitRelease", "type": "GitRelease",
@ -146,9 +146,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
}, },
"branch": "main", "branch": "main",
"revision": "3ab3e49269d9e2536c8c5f78d4da673d7a3f5286", "revision": "0e80d4dcdd54a75556c0784de55dc139ad4fe797",
"url": null, "url": null,
"hash": "0b4k0gchxcdlmvs88403hdbidsxswigzxswcba7a3fxz9d884c4y" "hash": "1hlb0cczxq0jrzw4lhmkibnb8skcar0rmny594aqgyikknwzx2qf"
}, },
"nixos-23.11": { "nixos-23.11": {
"type": "Channel", "type": "Channel",
@ -159,8 +159,8 @@
"nixos-24.05": { "nixos-24.05": {
"type": "Channel", "type": "Channel",
"name": "nixos-24.05", "name": "nixos-24.05",
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5518.ecbc1ca8ffd6/nixexprs.tar.xz",
"hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh" "hash": "1yr2v17d8jg9567rvadv62bpr6i47fp73by2454yjxh1m9ric2cm"
}, },
"nixos-generators": { "nixos-generators": {
"type": "Git", "type": "Git",
@ -170,21 +170,21 @@
"repo": "nixos-generators" "repo": "nixos-generators"
}, },
"branch": "master", "branch": "master",
"revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0", "revision": "9ae128172f823956e54947fe471bc6dfa670ecb4",
"url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz", "url": "https://github.com/nix-community/nixos-generators/archive/9ae128172f823956e54947fe471bc6dfa670ecb4.tar.gz",
"hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4" "hash": "1zn3lykymimzh21q4fixw6ql42n8j82dqwm5axifhcnl8dsdgrvr"
}, },
"nixos-unstable": { "nixos-unstable": {
"type": "Channel", "type": "Channel",
"name": "nixos-unstable", "name": "nixos-unstable",
"url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta708622.5e4fbfb6b3de/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre688563.bc947f541ae5/nixexprs.tar.xz",
"hash": "18zd6qnn1zmz3pgq2q484lmdk486ncxyp8r5g9c71r9dc8jr5dnc" "hash": "1jsaxwi128fiach3dj8rdj5agqivsr4sidb8lmdnl7g07fl9x0kj"
}, },
"nixpkgs": { "nixpkgs": {
"type": "Channel", "type": "Channel",
"name": "nixpkgs-unstable", "name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre689466.7d49afd36b55/nixexprs.tar.xz",
"hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd" "hash": "0r4zb6j8in4dk7gxciapfm49dqbdd0c7ajjzj9iy2xrrj5aj32qp"
}, },
"proxmox-nixos": { "proxmox-nixos": {
"type": "Git", "type": "Git",
@ -197,17 +197,7 @@
"revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18", "revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz", "url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
"hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4" "hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
},
"stateless-uptime-kuma": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma"
},
"branch": "master",
"revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
"url": null,
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
} }
}, },
"version": 3 "version": 3
}