diff --git a/README.md b/README.md
index eac7f9a..119a26d 100644
--- a/README.md
+++ b/README.md
@@ -8,3 +8,97 @@ Some instruction on how to contribute are available (in french) in [/CONTRIBUTE. You're expected to read this document before commiting to the repo. Some documentation for the development tools are provided in the aforementioned file. + +# Adding a new machine + +The first step is to create a minimal viable NixOS host, using tha means necessary. +The second step is to find a name for this host, it must be unique from the other hosts. + +> [!TIP] +> For the rest of this part, we assume that the host is named `host02` + +## Download the keys + +The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one. + +It can be retreived with : + +```bash +ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}' +``` + +## Initialize the machine folder and configuration + +- Create a folder `host02` under `machines/` +- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix` +- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following + +```nix +{ lib, ... 
}:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ # List of modules to enable
+ ];
+
+ enabledServices = [
+ # List of services to enable
+ ];
+
+ extraConfig = {
+ services.netbird.enable = true;
+ };
+
+ root = ./.;
+}
+```
+
+## Fill in the metadata
+
+### Network configuration
+
+The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
+
+```bash
+head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
+```
+
+### Other details
+
+The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
+
+- `site`, where the node is physically located
+- `stateVersion`
+- `nixpkgs`, the nixpkgs version to use
+
+## Initialize secrets
+
+Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
+
+```nix
+let
+ lib = import ../../../lib { };
+in
+
+lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
+```
+
+This will be used for future secret management.
+
+## Update encrypted files
+
+Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
+
+```bash
+agenix -r
+```
+
+## Commit and create a PR
+
+Once all of this is done, check that the configuration builds correctly :
+
+```bash
+colmena build --on host02
+```
+
+Apply it, and create a Pull Request.
diff --git a/keys/machines/bridge01.keys b/keys/machines/bridge01.keys
new file mode 100644
index 0000000..f9202b9
--- /dev/null
+++ b/keys/machines/bridge01.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7
diff --git a/machines/bridge01/_configuration.nix b/machines/bridge01/_configuration.nix
new file mode 100644
index 0000000..31931e9
--- /dev/null
+++ b/machines/bridge01/_configuration.nix
@@ -0,0 +1,20 @@
+{ lib, pkgs, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ # List of modules to enable
+ ];
+
+ enabledServices = [
+ # List of services to enable
+ "network"
+ ];
+
+ extraConfig = {
+ services.netbird.enable = true;
+
+ environment.systemPackages = [ pkgs.bcachefs-tools ];
+ };
+
+ root = ./.;
+}
diff --git a/machines/bridge01/_hardware-configuration.nix b/machines/bridge01/_hardware-configuration.nix
new file mode 100644
index 0000000..9d88755
--- /dev/null
+++ b/machines/bridge01/_hardware-configuration.nix
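Review bot: `"network"` in `enabledServices` is the only line that sets this file apart from the `_configuration.nix` template the README gains in the same commit, and nothing says what it pulls in — presumably `./network.nix` next to this file, through `root = ./.`, but that is an inference. A one-line comment above it, `# "network" loads ./network.nix (networkd, VLAN trunk on eno1, BMC DHCP)`, would make the link explicit. The README's "Initialize the machine folder" template omits the entry entirely, so a reader who follows the documentation and also drops a `network.nix` in the folder may never have it loaded; the README should mention when `"network"` has to be added.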
@@ -0,0 +1,53 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, pkgs, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "sd_mod"
+ "sr_mod"
+ ];
+ };
+
+ kernelModules = [ "kvm-intel" ];
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ supportedFilesystems.bcachefs = true;
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
+ fsType = "bcachefs";
+ options = [ "compression=zstd" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/4D0A-AF11";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
+ # networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = true;
+}
diff --git a/machines/bridge01/network.nix b/machines/bridge01/network.nix
new file mode 100644
index 0000000..ea6c3d0
--- /dev/null
+++ b/machines/bridge01/network.nix
@@ -0,0 +1,79 @@
+_:
+
+{
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+
+ nftables.enable = true;
+ firewall.allowedUDPPorts = [ 67 ];
+ };
+
+ systemd.network = {
+ networks = {
+ "10-eno1" = {
+ name = "eno1";
+ networkConfig = {
+ VLAN = [
+ "vlan-admin"
+ "vlan-uplink-oob"
+ ];
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ # address = [ "192.168.222.1/24" ];
+ };
+
+ "10-vlan-admin" = {
+ name = "vlan-admin";
+ # DHCP for the BMC
+ networkConfig.DHCPServer = "yes";
+
+ dhcpServerConfig = {
+ PoolOffset = 128;
+ EmitDNS = false;
+ EmitNTP = false;
+ EmitSIP = false;
+ EmitPOP3 = false;
+ EmitSMTP = false;
+ EmitLPR = false;
+ UplinkInterface = ":none";
+ };
+
+ address = [
+ "fd26:baf9:d250:8000::ffff/64"
+ "192.168.222.1/24"
+ ];
+ };
+
+ "10-vlan-uplink-oob" = {
+ name = "vlan-uplink-oob";
+ networkConfig.DHCP = "ipv4";
+ };
+ };
+
+ netdevs = {
+ "10-vlan-admin" = {
+ netdevConfig = {
+ Name = "vlan-admin";
+ Kind = "vlan";
+ };
+
+ vlanConfig.Id = 3000;
+ };
+
+ "10-vlan-uplink-oob" = {
+ netdevConfig = {
+ Name = "vlan-uplink-oob";
+ Kind = "vlan";
+ };
+
+ vlanConfig.Id = 500;
+ };
+ };
+ };
+}
diff --git a/machines/bridge01/secrets/secrets.nix b/machines/bridge01/secrets/secrets.nix
new file mode 100644
index 0000000..c504d17
--- /dev/null
+++ b/machines/bridge01/secrets/secrets.nix
@@ -0,0 +1,5 @@
+let
+ lib = import ../../../lib { };
+in
+
+lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
diff --git a/meta/network.nix b/meta/network.nix
index d4ce6c2..e4b6afa 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -1,4 +1,10 @@
 {
+ bridge01 = {
+ hostId = "f57f3ba0";
+
+ interfaces = { };
+ };
+
 compute01 = {
 interfaces = {
 eno1 = {
diff --git a/meta/nodes.nix b/meta/nodes.nix
index c40acde..a8e9e51 100644
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
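Review bot: `firewall.allowedUDPPorts = [ 67 ];` opens the DHCP server port on every interface, while `DHCPServer = "yes"` is set only on `vlan-admin`; the rule therefore also applies to `eno1` and to `vlan-uplink-oob`, which obtains its own address by DHCP from upstream and has no reason to accept server-side traffic. Scope the rule to the interface that serves leases: `firewall.interfaces.vlan-admin.allowedUDPPorts = [ 67 ];`. The commented-out `# address = [ "192.168.222.1/24" ];` under `10-eno1` is the same address now assigned on `vlan-admin` and reads as leftover from a previous layout, so it is better removed than kept as dead config. A short comment next to `UplinkInterface = ":none"` stating why no upstream DNS/NTP is relayed to BMC clients would spare the next reader a trip to systemd.network(5).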
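Review bot: `interfaces = { };` leaves bridge01 with no declared interfaces in `meta/network.nix`, although the host's own `machines/bridge01/network.nix` in this commit configures `eno1` plus the `vlan-admin` and `vlan-uplink-oob` VLANs, and the neighbouring `compute01` entry does declare `interfaces.eno1`. The README section added in the same commit states that "the network is declared in `meta/network.nix`", so if other parts of the repository consume this metadata, bridge01's addresses will be invisible to them; this is an inference, since the consumers are not in the hunk. Either fill in the interfaces here or add a comment such as `# interfaces are managed directly in machines/bridge01/network.nix` so the empty set reads as intentional. The `compute01` entry continues outside the hunk.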
@@ -19,6 +19,22 @@ - luj01 -> VM de Luj */ { + bridge01 = { + site = "hyp01"; + + stateVersion = "24.05"; + + adminGroups = [ "fai" ]; + + deployment = { + targetHost = "fd26:baf9:d250:8000::ffff"; + sshOptions = [ + "-J" + "vault01.hyp01.infra.dgnum.eu" + ]; + }; + }; + web01 = { site = "rat01"; diff --git a/modules/dgn-netbox-agent/netbox-agent b/modules/dgn-netbox-agent/netbox-agent index 784f5c1..aa49dc0 100644 Binary files a/modules/dgn-netbox-agent/netbox-agent and b/modules/dgn-netbox-agent/netbox-agent differ diff --git a/modules/dgn-notify/mail b/modules/dgn-notify/mail index 1b23747..47e86ec 100644 Binary files a/modules/dgn-notify/mail and b/modules/dgn-notify/mail differ diff --git a/modules/dgn-records/__arkheon-token_file b/modules/dgn-records/__arkheon-token_file index f06deea..20ed02d 100644 --- a/modules/dgn-records/__arkheon-token_file +++ b/modules/dgn-records/__arkheon-token_file 
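Review bot: The `bridge01` entry declares no `nixpkgs` value, although the README section added in the same commit lists `nixpkgs` among the main values to declare in `meta/nodes.nix`, alongside `site` and `stateVersion`. If the repository supplies a default, the README should say so; otherwise add `nixpkgs = "<NIXPKGS_VERSION>";` (placeholder) next to `stateVersion = "24.05";`. Conversely, `adminGroups` and `deployment` are set here but are not mentioned in that README list, so one of the two sides should be brought in line. The enclosing attribute set continues past the end of the hunk.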
@@ -1,42 +1,44 @@ age-encryption.org/v1 --> ssh-ed25519 jIXfPA K2855nHVjrWY+Do/Iz8whCnQYMYl6QCMlBClpTRf4TI -LTRqDw9oukc2JA8DKqJSMfXeOJZCITpV6Gkh0tC4RC8 --> ssh-ed25519 QlRB9Q xeLR2Pt8t5kC10g2aMIxTNbrNJN4j4mBlC6cidqy4BQ -HSrxWUWxRCmLVrXy9C9zYP8jc7rRMKvN4YgKp82rAgQ --> ssh-ed25519 r+nK/Q Q2YybcpErKl8IfT3hoewrAOLJnC/rRgnZPa3RBampSE -enGIkp9ZAz/J/KdiKg0ZVCvsHKi2f8+THb6wpJ9MVm8 +-> ssh-ed25519 jIXfPA FhSZKBAccqBqfeayNqY3fhYSi+0NMxsxS3WsdvuVu2M +xT37RUaShiHdPBUnjWntSY43LqXsR8Pgz5kUZ/mgz2w +-> ssh-ed25519 QlRB9Q xwok3cJ6SlGxlGi/UesKHVf+O4q9mn7btLweXJzeknI +LrigakDhwhHCHEaJ0eQx6TIke9vYLqXwwaUjusWOvSk +-> ssh-ed25519 r+nK/Q DS8/iUfczVGxB/Hl6EkweNAGSM0ZhWqrFy4xn82QNH8 +0Z8KOLZtxh2c0JTeiPbz3ZDF3CYrDs7bmwKjjemTs0o -> ssh-rsa krWCLQ -nQAoYm+rR20EFbXEE/F0Dks6kQP2JdA904j2e7FfQEd1i6pA6mPcbuy1IslgRd1R -UjJzHamUGO91bNSqQI/+6l2883JJVwazNxgY8pZaWC7BzGYlfDITTTQm9ITPd7Eg -7W4DAcrf1h5EU7GZfsGXgFtcnLPCBGRsPoAIbeS2hN6JcQP8c66Ubizt7eIOqFab -880k+cjjJXespuMODavBzFJCshQJwezYcH0S26vyVAF1UJk3H2Yuj1lI+ofT69ef -0k+bhG/dC0axlQaym3N7CvAZ8XibjydXCdJjk8u3z54p5Sv89MZMJHaNb5rvcbzY -CBQRMjHWLFfVhTKvBt1OwA --> ssh-ed25519 /vwQcQ SXuM/Ssc11v/IGgZbSRiNvtAQvVcLa7PB3xm9mcOX0Q -xH+65+t3XbnXxPk8ha+i4PuIKvevJ0yHPZofFX/yw60 --> ssh-ed25519 0R97PA UQK8FggCF5e0ePV5TsctCzdzDh+xIleJkhRRNMn/8EE -+wpRiZFeUhUyV7nVKNu71X5jPmzMNDSVp1IWDw5aeOs --> ssh-ed25519 JGx7Ng HE1LAFeYk2HmuYoYrHtO1zhTKjPhfyNF0h4JjRgGwzA -6VS4Oa70W6ZCKmbBWQ9vSHdy6W8RpFfX7mqQ53anfO8 --> ssh-ed25519 5SY7Kg dXmbbDbI859IYD0jf3PAVPFmMq0zV6Lwvte4jUBkSBs -UfV7hAYLtTSeyLskbwh9Jj9vjJpvwydsdsKmgtiK+hw --> ssh-ed25519 p/Mg4Q /3jLavRHKgo5Oz+kKVwKHOmJVV7JbxxE3Y1DstD1OHI -tvhr/65+l7X9R8GmXNPB9Dwu0dtbQNcs+MUXgDRC+Xk --> ssh-ed25519 tDqJRg xYM5dqCmh53artXhIfUvsmjwRzLxZQO+/tampI2RbSY -LSRsicMA7S8xdPYzh3lIEneazrGrRhjuQdN1I27YbV0 --> ssh-ed25519 9pVK7Q 7dQilI3mmyb6F+gMp+z1i9Os6Prff5CLLbPUFvawTHk -GtlUtsE2sB/jr7H52qTQcRRKgqJ/f2bDNetYPF4oBPw --> ssh-ed25519 /BRpBQ 9dcoKWc+bTkmVkTxgwzJ6bhuUq39JWajYhD5vd+XAjU -ti+oXuQkM4QX7LFLjTyL52gsi8D1efU3sqC23jqTNrk --> ssh-ed25519 
+MNHsw VCfgC5V+1u3iaO0JqC6hnvngUJsg77wfsvoIiawcECc -9HCtIUt3vBccTkW6tub0GNU0gJ6Oxou5QgRly7kO370 --> ssh-ed25519 rHotTw 5e5Q+cjsNFq4KbqOA0KczyJEclHO5dyTJxsRvVZRvkc -uavyfil+elUz3AQjIJ/UTaCpod2f4V7JWbYso3j+ePs --> ssh-ed25519 +mFdtQ 07KoGFU7pAivpypZZ7g3o/l+jhi7aDyVO7qg4qJo1CQ -Zthd7uchFTYNb7c9/+isX8BbnN0m6G1eFuohxJrX0KQ --> ssh-ed25519 0IVRbA B1AUTNW9N30rr3MVFBfT/H9eivnjh6p6585/gxu+7SY -VZ0IqaGWSeqA7j3XP+B2HWXf2UYB5SpHImreAA7uqA8 --> ssh-ed25519 IY5FSQ c0v+PlVESbYTq87dAeYaZNnjY6eCUBIcvHM2ymwoX0g -0i6eaJVVtljUQZvdd7y2tcKX6cObCxTE4OO0MEqHriQ ---- gSYlbAC2ojK59TsNxtU9sAww3kpFfgOngL9+kdzx/to -#/L'M̨|H(zpe0) ȝJ̏&@ \ No newline at end of file +CDqVAHHD/1keQdgJZX5/hkiYMpZae1MocI5LjtWWg+QDkw1Bp6bNZLou8Uc2RG0H +xZIB+z1XSXf7iMla5l7RWbW+g61T38QKWoAwvAGFz+XOstBTDY4bWgSv1g6vm+6x +XuQLxCkj4cmy3dUsvaiiQXsstuMGOWSUbp2OQWfErzoVegHVCr/XKSAI1vMwQOWN +9tJUJCKEo2DTr5OmIL7kSWguVZYy77ta7JxmGbPrNQ7LJuRoZkUgX4V37SFgDKN4 +QgpupxXP/3oDhDSzZYbS6Fw+b7U01BwPyziY1kOYztv2qSoBJFMVtZS3oJEu4ChU +7MRHaN15cGZRsC5zIQAg9w +-> ssh-ed25519 /vwQcQ ZPWBCoQ7imVFfTkUYrp4NGRnz3vskNtMgbV41F1s8BE +oTrgDNisd8Sqmxo0ZDpVSO5iURWNLrIlKABjys+gHhw +-> ssh-ed25519 0R97PA CgUUW9m8+M1rpsCPAPyRC8VKvilDKMA8VkDqqDfbpAs +qJ/pa3VLh6650lDN5YPyYtxsDYMiRyTtK1yu+JeF3ww +-> ssh-ed25519 JGx7Ng r8OMU9Grvd8yxzzUzeEH4iCPp8NBHVcQKQe13AJOKjE +eYC+/VMsoetiVFTGdlAL3xDDe6WziBYU4Fr6XN/HlJI +-> ssh-ed25519 5SY7Kg 4T4xlrNW8yqI23A3GH7dRDyhbUA62ldS2/R7YCsHz0U +ukewT84UtQcAQNNSNogi3WOjoNeA7p50D1JHJ+39lYs +-> ssh-ed25519 p/Mg4Q EBlu4oYIa4hX5mGExy2xwyHbnDli9xY7MebUOr+hTzw +TqmNgHL1xxyI+i4h3KgskVsWrlYUnuT5MJWcYj2crps +-> ssh-ed25519 DqHxWQ KiCWC6eJOUScSlPNpC2G2FbfD/fQ2b14KHhuw+QKNTI +Un89T6OXiXWTBZqwdXPvyckxcBIhp2wmC4A5723b/5g +-> ssh-ed25519 tDqJRg k5YZwwURv21NC/0tt2r3CBuUPDhfO/Y7c3ISVhMGQkA +sdm+SpychoEekD6JK6Wz2CCcfDpwPD6rlLyB3RJES08 +-> ssh-ed25519 9pVK7Q 2kUnZCmNsAu90KA+st/ZFnez8rg4zqIZ3AZQsqHW0y8 +YlCXQ5g8vnNboPVHdSKyrdwRNvjwp9VHP+RV2WP7z00 +-> ssh-ed25519 /BRpBQ w+kqiukijvXdlvKdTfVvNYv6pLTifaZeagzU1VWQLwE 
+RKNPvu971viqMHBXpgE9D8L9ievWxIS5ANU8QADqwRY +-> ssh-ed25519 +MNHsw m+K/VIApzxBfYxc4/dPod+9TwBBTrtGa/B28QhawAD8 +gwJLtE5zIiNtKZ/YdroneSLLuZzvoAXaJYsqPzPkyLc +-> ssh-ed25519 rHotTw NSgFCgFQxKc7DSrNq/77PAnAKxSG055gutF2aUUDLzA +uL3QhQHmtQrrUPllFtVf7QiLIMWkT0EYIokxUVkLMrc +-> ssh-ed25519 +mFdtQ otE9brZku3sOSb9IvvTW/eioWDFvMJlsxSUvOcPNwiU +7vV6u7zLv2EfSz3qmY9Sboj2Z5LBwSTxrl4FWm3mYAs +-> ssh-ed25519 0IVRbA kwQNIVhpFtgIlJAAoqk1fqUP9OHN9YGWcYXbT+/bHE0 +gDOPJMeDI2eDx+emxUNSb/MW7IRPj8ni3mOLgZV9F0Y +-> ssh-ed25519 IY5FSQ gtGe4X/Vx4oWn0IIUwv6qpWZ250slvT/QMdwVQQrsAQ +yeJ8+BibBiwq2944ruZdek/4tpAqyMnG0RsyzkXQpRg +--- QhDkZSHLpgsvAUk5YhkhD8MNNX6Vlj7CWeQfJ6oEmk0 +|`P!+g&i;lNn 4kW#胍w \ No newline at end of file