Metadata of the DGNum infrastructure
====================================

# DNS

The DNS configuration of our infrastructure is completely defined with the metadata contained in this folder.

Each machine has records pointing to its IP addresses, when those addresses exist:

- $node.$site.infra.dgnum.eu IN A $ipv4
- $node.$site.infra.dgnum.eu IN AAAA $ipv6

- v4.$node.$site.infra.dgnum.eu IN A $ipv4
- v6.$node.$site.infra.dgnum.eu IN AAAA $ipv6

The services hosted on those machines are then reached through CNAME aliases:

- $service.dgnum.eu IN CNAME $node.$site.infra.dgnum.eu

or, when only one IP protocol should be used:

- $service4.dgnum.eu IN CNAME ipv4.$node.$site.infra.dgnum.eu
- $service6.dgnum.eu IN CNAME ipv6.$node.$site.infra.dgnum.eu

Extra records exist for the name servers (ns), the mail configuration and the main website; they should not change and should not be tinkered with.
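The following Nix expression is an added example, not the DGNum repository's own DNS generator. It derives the records above from a small, constructed node list, and only emits an A/AAAA record or a protocol-specific alias when the node actually has that address family, so a machine without IPv6 never gets a dangling `$service6` alias. The metadata shape (`site`, optional `ipv4`/`ipv6`, a service-to-node map) and the choice to point the protocol-specific aliases at the `v4.`/`v6.` names created for the machine are assumptions of this example.

```nix
# Added example, not DGNum's code.  Constructed sample data; evaluate with:
#   nix-instantiate --eval --strict -A zone dns-example.nix
let
  domain = "dgnum.eu";

  # Constructed node metadata.  build01 deliberately has no IPv6 address.
  nodes = {
    web01 = { site = "paris"; ipv4 = "192.0.2.10"; ipv6 = "2001:db8::10"; };
    build01 = { site = "lyon"; ipv4 = "192.0.2.20"; };
  };
  # Constructed service -> node mapping.
  services = { www = "web01"; ci = "build01"; };

  fqdn = name: node: "${name}.${node.site}.infra.${domain}";

  # A/AAAA records for one machine, emitted only for addresses that exist.
  nodeRecords = name: node:
    let host = fqdn name node; in
    (if node ? ipv4 then [
      { name = host; type = "A"; data = node.ipv4; }
      { name = "v4.${host}"; type = "A"; data = node.ipv4; }
    ] else [ ])
    ++ (if node ? ipv6 then [
      { name = host; type = "AAAA"; data = node.ipv6; }
      { name = "v6.${host}"; type = "AAAA"; data = node.ipv6; }
    ] else [ ]);

  # CNAMEs for one service.  Assumption: the protocol-specific aliases point
  # at the v4./v6. names above, and are skipped when the node lacks that
  # address family.
  serviceRecords = service: nodeName:
    let node = nodes.${nodeName}; host = fqdn nodeName node; in
    [ { name = "${service}.${domain}"; type = "CNAME"; data = host; } ]
    ++ (if node ? ipv4 then
      [ { name = "${service}4.${domain}"; type = "CNAME"; data = "v4.${host}"; } ]
    else [ ])
    ++ (if node ? ipv6 then
      [ { name = "${service}6.${domain}"; type = "CNAME"; data = "v6.${host}"; } ]
    else [ ]);

  records =
    builtins.concatLists (builtins.attrValues (builtins.mapAttrs nodeRecords nodes))
    ++ builtins.concatLists (builtins.attrValues (builtins.mapAttrs serviceRecords services));

  # Zone-file rendering; CNAME targets are absolute names, so they end in a dot.
  render = r: "${r.name}. IN ${r.type} ${r.data}${if r.type == "CNAME" then "." else ""}";
in
{
  inherit records;
  zone = builtins.concatStringsSep "\n" (map render records) + "\n";
}
```

With the sample data, `ci.dgnum.eu` gets a plain CNAME and a `ci4` alias but no `ci6` alias, because `build01` has no IPv6 address; `records` is also exposed as structured data so a real zone generator or a test can consume it without parsing the rendered text.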

# Network

The network configuration (except for the NetBird VPN) is defined statically.

TODO.

# Nixpkgs

Machines can use different versions of NixOS; the supported versions and the default one are specified here.

## How to add a new version

- Switch to a new branch `nixos-$VERSION`
- Run the following command:

```bash
npins add channel nixos-$VERSION
```

- Edit `meta/nixpkgs.nix` and add `$VERSION` to the supported versions.
- Read the release notes and check for breaking changes.
- Update the nodes' versions.
- Create a PR so that the CI checks that everything builds.

# Nodes

The nodes are declared statically; several options can be configured:

- `deployment`, the Colmena deployment options
- `stateVersion`, the state version of the node
- `nixpkgs`, the version of NixOS to use
- `admins`, the list of administrators specific to this node; they will be given root access
- `adminGroups`, a list of groups whose members will be added to `admins`
- `site`, the physical location of the node
- `vm-cluster`, the VM cluster hosting the node, when applicable

Some options are set automatically, for example:

- `deployment.targetHost` will be inferred from the network configuration
- `deployment.tags` will contain `infra-$site`, so that a full site can be redeployed at once

# Organization

The organization defines the groups and members of the infrastructure team;
one day this information will be synchronized with Kanidm.

## Members

For a member to be allowed access to a node, they must be defined in the `members` attribute set,
and their SSH keys must be available in the `keys` folder.

## Groups

Groups exist only to simplify access management:

- The `root` group will be given administrator access on all nodes
- The `iso` group will have its keys included in the ISOs built from the `iso` folder

Extra groups can be created at will, to be used in node-specific modules.

# Module

The meta configuration can be evaluated as a module in order to check the structure of the data.
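As an added example of what such a module can look like (not the DGNum repository's own module), the expression below gives the Nodes and Organization metadata described above a typed structure with the NixOS module system and evaluates a few consistency checks: every node's `nixpkgs` version is a supported one, every `adminGroups` entry names a declared group, and every effective administrator (the node's `admins`, the `root` group, and the expanded `adminGroups`) is a declared member with an SSH key. The option names follow this README; the defaults (in particular inferring `deployment.targetHost` from the node's DNS name, since the network configuration is not shown here), the key layout and the sample data are assumptions.

```nix
# Added example, not DGNum's code.  Constructed sample data; evaluate with:
#   nix-instantiate --eval --strict -A checksPassed meta-check.nix
let
  lib = import <nixpkgs/lib>;

  # One node; `name` is its attribute name under `nodes`.
  nodeModule = { name, config, ... }: {
    options = with lib; {
      site = mkOption { type = types.str; };
      nixpkgs = mkOption { type = types.str; };
      stateVersion = mkOption { type = types.str; };
      vm-cluster = mkOption { type = types.nullOr types.str; default = null; };
      admins = mkOption { type = types.listOf types.str; default = [ ]; };
      adminGroups = mkOption { type = types.listOf types.str; default = [ ]; };
      deployment = {
        # Assumption: the target host is the node's DNS name.
        targetHost = mkOption { type = types.str; default = "${name}.${config.site}.infra.dgnum.eu"; };
        # Every node carries infra-$site so that a whole site can be redeployed at once.
        tags = mkOption { type = types.listOf types.str; default = [ "infra-${config.site}" ]; };
      };
    };
  };

  metaModule = { config, ... }: {
    options = with lib; {
      nixpkgs.supported = mkOption { type = types.listOf types.str; };
      nixpkgs.default = mkOption { type = types.str; };
      members = mkOption {
        type = types.attrsOf (types.submodule {
          options.keys = mkOption { type = types.listOf types.str; default = [ ]; };
        });
      };
      groups = mkOption { type = types.attrsOf (types.listOf types.str); default = { }; };
      nodes = mkOption { type = types.attrsOf (types.submodule nodeModule); };
      # Derived: per-node administrators after expanding `root` and adminGroups.
      effectiveAdmins = mkOption { type = types.attrsOf (types.listOf types.str); };
      assertions = mkOption {
        type = types.listOf (types.submodule {
          options.assertion = mkOption { type = types.bool; };
          options.message = mkOption { type = types.str; };
        });
        default = [ ];
      };
    };

    config = {
      effectiveAdmins = lib.mapAttrs (_: node:
        lib.unique (node.admins
          ++ (config.groups.root or [ ])
          ++ lib.concatMap (g: config.groups.${g} or [ ]) node.adminGroups)
      ) config.nodes;

      assertions =
        [ { assertion = builtins.elem config.nixpkgs.default config.nixpkgs.supported;
            message = "default NixOS version is not in the supported list"; } ]
        ++ lib.concatLists (lib.mapAttrsToList (name: node:
          [ { assertion = builtins.elem node.nixpkgs config.nixpkgs.supported;
              message = "${name}: NixOS ${node.nixpkgs} is not a supported version"; } ]
          ++ map (g: { assertion = builtins.hasAttr g config.groups;
                       message = "${name}: unknown admin group ${g}"; }) node.adminGroups
          ++ map (m: { assertion = builtins.hasAttr m config.members && config.members.${m}.keys != [ ];
                       message = "${name}: admin ${m} is not a member with an SSH key"; })
                 config.effectiveAdmins.${name}
        ) config.nodes);
    };
  };

  # Constructed sample data, not DGNum's real metadata.
  sampleData = {
    nixpkgs.supported = [ "24.05" "24.11" ];
    nixpkgs.default = "24.11";
    members = {
      alice.keys = [ "ssh-ed25519 AAAA...constructed-alice" ];
      bob.keys = [ "ssh-ed25519 AAAA...constructed-bob" ];
    };
    groups = {
      root = [ "alice" ];        # administrators on every node
      iso = [ "alice" "bob" ];   # keys included in the installer ISOs
      web = [ "bob" ];           # extra group, used by node-specific modules
    };
    nodes = {
      web01 = { site = "paris"; nixpkgs = "24.11"; stateVersion = "24.11"; adminGroups = [ "web" ]; };
      build01 = { site = "lyon"; nixpkgs = "24.05"; stateVersion = "24.05"; admins = [ "bob" ]; vm-cluster = "lyon-pve"; };
    };
  };

  eval = lib.evalModules { modules = [ metaModule sampleData ]; };
  failed = builtins.filter (a: !a.assertion) eval.config.assertions;
in
{
  inherit (eval) config;
  # `true` when every check holds; otherwise throws with all failing messages at once.
  checksPassed =
    if failed == [ ] then true
    else throw (lib.concatMapStringsSep "\n" (a: a.message) failed);
}
```

With the sample data `checksPassed` evaluates to `true`, `config.effectiveAdmins` gives `alice` and `bob` on both nodes (via `root` and `web` on `web01`, via `root` and the explicit `admins` on `build01`), and `config.nodes.build01.deployment.tags` is `[ "infra-lyon" ]`. Changing a node's `nixpkgs` to `"23.11"` or referencing an undeclared group makes the evaluation fail with the corresponding message, which is the kind of structural check a CI job can run before anything is deployed.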