DGNum/lab-infra
8
1
Fork 1
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Finish to init repo #1

Merged
Luj merged 6 commits from finish_init into main 2024-10-18 11:24:45 +02:00
Conversation 0 Commits 6 Files changed 21 +6 -539
8 changed files with 6 additions and 539 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 2ac0a35c5e - Show all commits

8
.forgejo/workflows/check-meta.yaml
View file

@ -15,11 +15,3 @@ jobs:
- name: Check the validity of meta options - name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link

2
default.nix
View file

@ -74,8 +74,6 @@ in
host: { site, ... }: "${host}.${site}.infra.dgnum.eu" host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes.nix); ) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix; mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
shells = { shells = {

136
meta/dns.nix
View file

@ -1,136 +0,0 @@
{ lib, dns, ... }:
let
inherit (lib) mapAttrs' nameValuePair;
inherit (lib.extra) fuseAttrs mapSingleFuse;
inherit (dns.lib.combinators) mx spf ttl;
meta = (import ./.) lib;
mkCNAME = host: { CNAME = [ host ]; };
mkHosted =
server:
{
dual ? [ ],
v4 ? [ ],
v6 ? [ ],
}:
let
base = "${server}.${meta.nodes.${server}.site}.infra";
mkHost = host: mapSingleFuse (_: mkCNAME host);
in
fuseAttrs [
(mkHost base dual)
(mkHost "v4.${base}" v4)
(mkHost "v6.${base}" v6)
];
cnames = builtins.mapAttrs (_: to: { CNAME = [ to ]; }) {
"dev" = "dev.pages.codeberg.page.";
"irc" = "public.p.lahfa.xyz.";
"webmail" = "kurisu.dual.lahfa.xyz.";
# Transition to new site names
"web01.dmi01.infra" = "web01.rat01.infra";
"web02.dmi01.infra" = "web02.rat01.infra";
"compute01.par01.infra" = "compute01.pav01.infra";
"storage01.par01.infra" = "storage01.pav01.infra";
# Miscelleanous redirections
"traque" = "traque.katvayor.net.";
# Temporary redirection for the BDS
# FIXME: finish the django apps module
"gestiobds.dj" = "cof.ens.fr.";
};
hosted = fuseAttrs (builtins.attrValues (builtins.mapAttrs mkHosted { }));
kurisuDKIM = [
{
selector = "kurisu";
k = "rsa";
s = [ "email" ];
p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa5KuK6ry+Ss2VsKL0FsDpoBlc7dcXZyp62fGqFJFJv4/GEivPWiwbr2o5oLKjQVI4kIYjIZsyQJFtI/Xcu4BrtDdBknb5WvCN8V9EvIMh3pfXOBLVx4oqw4BR7wF8Rw1J9xyfgsfK+m2n0M39XlMHH0Nuy6kU48jH9vYpZs17ZQIDAQAB";
}
];
in
{
SOA = {
nameServer = "ns01.dgnum.eu.";
adminEmail = "dns.dgnum.eu";
retry = 3600;
minimum = 300;
};
# Primary DNS servers
NS = [
"ns01.dgnum.eu." # ns-03.hubrecht.ovh
"ns02.dgnum.eu." # kurisu.lahfa.xyz
];
# dgnum.codeberg.pages
# ALIAS = [ "codeberg.page" ];
A = [ "217.197.91.145" ];
AAAA = [ "2001:67c:1401:20f0::1" ];
MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];
SRV = [
{
service = "autodiscover";
proto = "tcp";
port = 443;
target = "autoconfig.mail.lahfa.xyz.";
}
];
TXT = [
"dgnum.codeberg.page"
(spf.strict [ "a:kurisu.lahfa.xyz" ])
];
DMARC = [ { p = "none"; } ];
DKIM = kurisuDKIM;
subdomains =
hosted
// cnames
// {
ns01 = {
A = [ "51.178.27.125" ];
AAAA = [ "2001:41d0:305:2100::542c" ];
};
ns02 = {
A = [ "163.172.69.160" ];
AAAA = [ "2001:bc8:38ee::1" ];
};
}
// {
infra = {
MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ];
TXT = [ (spf.strict [ "a:kurisu.lahfa.xyz" ]) ];
DMARC = [ { p = "none"; } ];
DKIM = kurisuDKIM;
subdomains = mapAttrs' (
host:
{ site, ... }:
nameValuePair "${host}.${site}" (
with meta.network.${host}.addresses;
{
A = ipv4;
AAAA = ipv6;
subdomains = {
v4.A = ipv4;
v6.AAAA = ipv6;
};
}
)
) meta.nodes;
};
};
}

183
meta/network.nix
View file

@ -1,34 +1,4 @@
{ {
bridge01 = {
hostId = "f57f3ba0";
interfaces = { };
netbirdIp = null;
};
compute01 = {
interfaces = {
eno1 = {
ipv4 = [
{
address = "129.199.146.147";
prefixLength = 24;
}
{
address = "192.168.1.147";
prefixLength = 24;
}
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "8df60941";
netbirdIp = "100.80.75.197";
};
krz01 = { krz01 = {
interfaces = { interfaces = {
eno1 = { eno1 = {
@ -51,157 +21,4 @@
hostId = "bd11e8fc"; hostId = "bd11e8fc";
netbirdIp = "100.80.103.206"; netbirdIp = "100.80.103.206";
}; };
geo01 = {
interfaces = {
eno1 = {
ipv4 = [
{
address = "129.199.210.194";
prefixLength = 24;
}
];
gateways = [ "129.199.210.254" ];
dns = [
"129.199.96.11"
"129.199.72.99"
];
};
};
hostId = "b88fee0c";
netbirdIp = "100.80.8.66";
};
geo02 = {
interfaces = {
eno1 = {
ipv4 = [
{
address = "129.199.210.69";
prefixLength = 24;
}
];
gateways = [ "129.199.210.254" ];
dns = [
"129.199.96.11"
"129.199.72.99"
];
};
};
hostId = "45d65237";
netbirdIp = "100.80.233.249";
};
storage01 = {
interfaces = {
eno1 = {
ipv4 = [
{
address = "129.199.146.148";
prefixLength = 24;
}
{
address = "192.168.1.148";
prefixLength = 24;
}
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "d4e7c369";
netbirdIp = "100.80.156.154";
};
vault01 = {
interfaces = {
vlan-uplink-cri = {
ipv4 = [
{
# see also machines/vault01/networking.nix
address = "129.199.195.129";
prefixLength = 32;
}
];
gateways = [ ];
enableDefaultDNS = true;
};
};
hostId = "e83b600d";
netbirdIp = "100.80.255.180";
};
web01 = {
interfaces = {
ens3 = {
ipv4 = [
{
address = "129.199.129.53";
prefixLength = 24;
}
];
gateways = [ "129.199.129.1" ];
enableDefaultDNS = true;
};
};
hostId = "050df79e";
netbirdIp = "100.80.77.90";
};
web02 = {
interfaces = {
ens3 = {
ipv4 = [
{
address = "129.199.129.235";
prefixLength = 24;
}
];
gateways = [ "129.199.129.1" ];
enableDefaultDNS = true;
};
};
hostId = "b431ca10";
netbirdIp = null; # web02 is not to be connected on the VPN
};
rescue01 = {
interfaces = {
ens18 = {
ipv6 = [
{
address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728";
prefixLength = 64;
}
];
ipv4 = [
{
address = "192.168.0.232";
prefixLength = 21;
}
];
gateways = [ "192.168.0.1" ];
enableDefaultDNS = true;
};
};
addresses.ipv4 = [ "82.67.34.230" ];
hostId = "007f0200";
netbirdIp = "100.80.97.140";
};
} }

106
meta/nodes.nix
View file

@ -19,66 +19,6 @@
- luj01 -> VM de Luj - luj01 -> VM de Luj
*/ */
{ {
bridge01 = {
site = "hyp01";
hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
stateVersion = "24.05";
adminGroups = [ "fai" ];
deployment = {
targetHost = "fd26:baf9:d250:8000::ffff";
sshOptions = [
"-J"
"root@vault01.hyp01.infra.dgnum.eu"
];
};
};
web01 = {
site = "rat01";
deployment.tags = [ "web" ];
hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
stateVersion = "23.05";
vm-cluster = "Hyperviseur NPS";
nixpkgs = "24.05";
};
compute01 = {
site = "pav01";
hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
stateVersion = "23.05";
nix-modules = [ "services/stirling-pdf" ];
nixpkgs = "24.05";
};
geo01 = {
site = "oik01";
deployment.tags = [ "geo" ];
hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
stateVersion = "24.05";
nixpkgs = "24.05";
};
geo02 = {
site = "oik01";
deployment.tags = [ "geo" ];
hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
stateVersion = "24.05";
nixpkgs = "24.05";
};
krz01 = { krz01 = {
site = "pav01"; site = "pav01";
@ -87,51 +27,5 @@
stateVersion = "24.05"; stateVersion = "24.05";
nixpkgs = "unstable"; nixpkgs = "unstable";
adminGroups = [ "lab" ];
};
storage01 = {
site = "pav01";
hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
stateVersion = "23.11";
nixpkgs = "24.05";
nix-modules = [ "services/forgejo-nix-runners" ];
};
vault01 = {
site = "hyp01";
deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
stateVersion = "23.11";
nixpkgs = "24.05";
adminGroups = [ "fai" ];
};
web02 = {
site = "rat01";
hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
stateVersion = "24.05";
nixpkgs = "24.05";
vm-cluster = "Hyperviseur NPS";
};
rescue01 = {
site = "luj01";
deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
stateVersion = "23.11";
vm-cluster = "Hyperviseur Luj";
}; };
} }

48
meta/options.nix
View file

@ -70,39 +70,6 @@ in
Groups of the DGNum organization. Groups of the DGNum organization.
''; '';
}; };
external = mkOption {
type = attrsOf (listOf str);
description = ''
External services used by the DGNum organization.
'';
};
services = mkOption {
type = attrsOf (submodule {
options = {
admins = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrators of the service.
'';
};
adminGroups = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrator groups of the service.
'';
};
};
});
description = ''
Administrator access of the different DGNum services,
it is mainly indicative as most services cannot configure this statically.
'';
};
}; };
nodes = mkOption { nodes = mkOption {
@ -360,21 +327,6 @@ in
extract "adminGroups" config.nodes extract "adminGroups" config.nodes
)) ))
# Check that all services admins exist
(membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
extract "admins" org.services
))
# Check that all services adminGroups exist
(groupsExists (
name: "A member of the service ${name} adminGroups was not found in the groups list."
) (extract "adminGroups" org.services))
# Check that all external services admins exist
(membersExists (
name: "A member of the external service ${name} admins was not found in the members list."
) org.external)
# Check that all members have ssh keys # Check that all members have ssh keys
(builtins.map (name: { (builtins.map (name: {
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ]; assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];

49
meta/organization.nix
View file

@ -10,6 +10,11 @@
email = "catvayor@dgnum.eu"; email = "catvayor@dgnum.eu";
}; };
cst1 = {
name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu";
};
ecoppens = { ecoppens = {
name = "Elias Coppens"; name = "Elias Coppens";
email = "ecoppens@dgnum.eu"; email = "ecoppens@dgnum.eu";
@ -48,52 +53,10 @@
"raito" "raito"
"mdebray" "mdebray"
"luj" "luj"
];
# members of this group are root on the fai infrastructure
fai = [
"catvayor" "catvayor"
"ecoppens" "ecoppens"
"cst1"
]; ];
lab = [
"catvayor"
"ecoppens"
];
};
external = {
dns = [
"thubrecht"
"raito"
];
email = [ "raito" ];
irc = [ "raito" ];
};
services = {
# Démarches Normaliennes
ds-fr.admins = [
"thubrecht"
"jemagius"
];
# Cloud DGNum
nextcloud.admins = [
"thubrecht"
"raito"
];
# Netbox DGNum
netbox.adminGroups = [
"root"
"fai"
];
# Videos DGNum
peertube.admins = [ "thubrecht" ];
}; };
} }

13
meta/verify.nix
View file

@ -3,8 +3,6 @@
let let
sources = import ../npins; sources = import ../npins;
pkgs = import sources.nixpkgs { }; pkgs = import sources.nixpkgs { };
dns = import sources."dns.nix" { inherit pkgs; };
in in
{ {
@ -22,15 +20,4 @@ in
else else
pkgs.writers.writeJSON "meta.json" config; pkgs.writers.writeJSON "meta.json" config;
dns = dns.util.writeZone "dgnum.eu" (
pkgs.lib.recursiveUpdate { SOA.serial = 0; } (
import ./dns.nix {
inherit dns;
lib = pkgs.lib // {
extra = import ../lib/nix-lib;
};
}
)
);
} }