diff --git a/.forgejo/workflows/check-meta.yaml b/.forgejo/workflows/check-meta.yaml index 27af558..179d206 100644 --- a/.forgejo/workflows/check-meta.yaml +++ b/.forgejo/workflows/check-meta.yaml @@ -15,11 +15,3 @@ jobs: - name: Check the validity of meta options run: nix-build meta/verify.nix -A meta - - check_dns: - runs-on: nix - steps: - - uses: actions/checkout@v3 - - - name: Check the validity of the DNS configuration - run: nix-build meta/verify.nix -A dns --no-out-link diff --git a/default.nix b/default.nix index 414feb8..0dbf784 100644 --- a/default.nix +++ b/default.nix @@ -74,8 +74,6 @@ in host: { site, ... }: "${host}.${site}.infra.dgnum.eu" ) (import ./meta/nodes.nix); - dns = import ./meta/dns.nix; - mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix; shells = { diff --git a/meta/dns.nix b/meta/dns.nix deleted file mode 100644 index d6d59a0..0000000 --- a/meta/dns.nix +++ /dev/null 
@@ -1,136 +0,0 @@ -{ lib, dns, ... }: - -let - inherit (lib) mapAttrs' nameValuePair; - inherit (lib.extra) fuseAttrs mapSingleFuse; - - inherit (dns.lib.combinators) mx spf ttl; - - meta = (import ./.) lib; - - mkCNAME = host: { CNAME = [ host ]; }; - - mkHosted = - server: - { - dual ? [ ], - v4 ? [ ], - v6 ? [ ], - }: - let - base = "${server}.${meta.nodes.${server}.site}.infra"; - mkHost = host: mapSingleFuse (_: mkCNAME host); - in - fuseAttrs [ - (mkHost base dual) - (mkHost "v4.${base}" v4) - (mkHost "v6.${base}" v6) - ]; - - cnames = builtins.mapAttrs (_: to: { CNAME = [ to ]; }) { - "dev" = "dev.pages.codeberg.page."; - "irc" = "public.p.lahfa.xyz."; - "webmail" = "kurisu.dual.lahfa.xyz."; - - # Transition to new site names - "web01.dmi01.infra" = "web01.rat01.infra"; - "web02.dmi01.infra" = "web02.rat01.infra"; - "compute01.par01.infra" = "compute01.pav01.infra"; - "storage01.par01.infra" = "storage01.pav01.infra"; - - # Miscelleanous redirections - "traque" = "traque.katvayor.net."; - - # Temporary redirection for the BDS - # FIXME: finish the django apps module - "gestiobds.dj" = "cof.ens.fr."; - }; - - hosted = fuseAttrs (builtins.attrValues (builtins.mapAttrs mkHosted { })); - - kurisuDKIM = [ - { - selector = "kurisu"; - k = "rsa"; - s = [ "email" ]; - p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa5KuK6ry+Ss2VsKL0FsDpoBlc7dcXZyp62fGqFJFJv4/GEivPWiwbr2o5oLKjQVI4kIYjIZsyQJFtI/Xcu4BrtDdBknb5WvCN8V9EvIMh3pfXOBLVx4oqw4BR7wF8Rw1J9xyfgsfK+m2n0M39XlMHH0Nuy6kU48jH9vYpZs17ZQIDAQAB"; - } - ]; -in - -{ - SOA = { - nameServer = "ns01.dgnum.eu."; - adminEmail = "dns.dgnum.eu"; - retry = 3600; - minimum = 300; - }; - - # Primary DNS servers - NS = [ - "ns01.dgnum.eu." # ns-03.hubrecht.ovh - "ns02.dgnum.eu." 
# kurisu.lahfa.xyz - ]; - - # dgnum.codeberg.pages - # ALIAS = [ "codeberg.page" ]; - A = [ "217.197.91.145" ]; - AAAA = [ "2001:67c:1401:20f0::1" ]; - - MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ]; - - SRV = [ - { - service = "autodiscover"; - proto = "tcp"; - port = 443; - target = "autoconfig.mail.lahfa.xyz."; - } - ]; - - TXT = [ - "dgnum.codeberg.page" - (spf.strict [ "a:kurisu.lahfa.xyz" ]) - ]; - DMARC = [ { p = "none"; } ]; - DKIM = kurisuDKIM; - - subdomains = - hosted - // cnames - // { - ns01 = { - A = [ "51.178.27.125" ]; - AAAA = [ "2001:41d0:305:2100::542c" ]; - }; - ns02 = { - A = [ "163.172.69.160" ]; - AAAA = [ "2001:bc8:38ee::1" ]; - }; - } - // { - infra = { - MX = map (ttl 3600) [ (mx.mx 10 "kurisu.lahfa.xyz.") ]; - - TXT = [ (spf.strict [ "a:kurisu.lahfa.xyz" ]) ]; - DMARC = [ { p = "none"; } ]; - DKIM = kurisuDKIM; - - subdomains = mapAttrs' ( - host: - { site, ... }: - nameValuePair "${host}.${site}" ( - with meta.network.${host}.addresses; - { - A = ipv4; - AAAA = ipv6; - subdomains = { - v4.A = ipv4; - v6.AAAA = ipv6; - }; - } - ) - ) meta.nodes; - }; - }; -} diff --git a/meta/network.nix b/meta/network.nix index 6216bf2..4d2043a 100644 --- a/meta/network.nix +++ b/meta/network.nix @@ -1,34 +1,4 @@ { - bridge01 = { - hostId = "f57f3ba0"; - - interfaces = { }; - netbirdIp = null; - }; - - compute01 = { - interfaces = { - eno1 = { - ipv4 = [ - { - address = "129.199.146.147"; - prefixLength = 24; - } - { - address = "192.168.1.147"; - prefixLength = 24; - } - ]; - - gateways = [ "129.199.146.254" ]; - enableDefaultDNS = true; - }; - }; - - hostId = "8df60941"; - netbirdIp = "100.80.75.197"; - }; - krz01 = { interfaces = { eno1 = { 
@@ -51,157 +21,4 @@ hostId = "bd11e8fc"; netbirdIp = "100.80.103.206"; }; - - geo01 = { - interfaces = { - eno1 = { - ipv4 = [ - { - address = "129.199.210.194"; - prefixLength = 24; - } - ]; - - gateways = [ "129.199.210.254" ]; - - dns = [ - "129.199.96.11" - "129.199.72.99" - ]; - }; - }; - - hostId = "b88fee0c"; - netbirdIp = "100.80.8.66"; - }; - - geo02 = { - interfaces = { - eno1 = { - ipv4 = [ - { - address = "129.199.210.69"; - prefixLength = 24; - } - ]; - - gateways = [ "129.199.210.254" ]; - - dns = [ - "129.199.96.11" - "129.199.72.99" - ]; - }; - }; - - hostId = "45d65237"; - netbirdIp = "100.80.233.249"; - }; - - storage01 = { - interfaces = { - eno1 = { - ipv4 = [ - { - address = "129.199.146.148"; - prefixLength = 24; - } - { - address = "192.168.1.148"; - prefixLength = 24; - } - ]; - - gateways = [ "129.199.146.254" ]; - enableDefaultDNS = true; - }; - }; - - hostId = "d4e7c369"; - netbirdIp = "100.80.156.154"; - }; - - vault01 = { - interfaces = { - vlan-uplink-cri = { - ipv4 = [ - { - # see also machines/vault01/networking.nix - address = "129.199.195.129"; - prefixLength = 32; - } - ]; - gateways = [ ]; - enableDefaultDNS = true; - }; - }; - - hostId = "e83b600d"; - netbirdIp = "100.80.255.180"; - }; - - web01 = { - interfaces = { - ens3 = { - ipv4 = [ - { - address = "129.199.129.53"; - prefixLength = 24; - } - ]; - - gateways = [ "129.199.129.1" ]; - enableDefaultDNS = true; - }; - }; - - hostId = "050df79e"; - netbirdIp = "100.80.77.90"; - }; - - web02 = { - interfaces = { - ens3 = { - ipv4 = [ - { - address = "129.199.129.235"; - prefixLength = 24; - } - ]; - - gateways = [ "129.199.129.1" ]; - enableDefaultDNS = true; - }; - }; - - hostId = "b431ca10"; - netbirdIp = null; # web02 is not to be connected on the VPN - }; - - rescue01 = { - interfaces = { - ens18 = { - ipv6 = [ - { - address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728"; - prefixLength = 64; - } - ]; - - ipv4 = [ - { - address = "192.168.0.232"; - prefixLength = 21; - } - ]; - 
gateways = [ "192.168.0.1" ]; - enableDefaultDNS = true; - }; - }; - - addresses.ipv4 = [ "82.67.34.230" ]; - - hostId = "007f0200"; - netbirdIp = "100.80.97.140"; - }; } diff --git a/meta/nodes.nix b/meta/nodes.nix index 884cf71..c5b6763 100644 --- a/meta/nodes.nix +++ b/meta/nodes.nix @@ -19,66 +19,6 @@ - luj01 -> VM de Luj */ { - bridge01 = { - site = "hyp01"; - - hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5"; - - stateVersion = "24.05"; - - adminGroups = [ "fai" ]; - - deployment = { - targetHost = "fd26:baf9:d250:8000::ffff"; - sshOptions = [ - "-J" - "root@vault01.hyp01.infra.dgnum.eu" - ]; - }; - }; - - web01 = { - site = "rat01"; - - deployment.tags = [ "web" ]; - - hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2"; - - stateVersion = "23.05"; - vm-cluster = "Hyperviseur NPS"; - - nixpkgs = "24.05"; - }; - - compute01 = { - site = "pav01"; - - hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C"; - - stateVersion = "23.05"; - nix-modules = [ "services/stirling-pdf" ]; - nixpkgs = "24.05"; - }; - - geo01 = { - site = "oik01"; - deployment.tags = [ "geo" ]; - - hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8"; - - stateVersion = "24.05"; - nixpkgs = "24.05"; - }; - - geo02 = { - site = "oik01"; - deployment.tags = [ "geo" ]; - - hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA"; - - stateVersion = "24.05"; - nixpkgs = "24.05"; - }; krz01 = { site = "pav01"; 
@@ -87,51 +27,5 @@ stateVersion = "24.05"; nixpkgs = "unstable"; - - adminGroups = [ "lab" ]; - }; - - storage01 = { - site = "pav01"; - - hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8"; - - stateVersion = "23.11"; - nixpkgs = "24.05"; - - nix-modules = [ "services/forgejo-nix-runners" ]; - }; - - vault01 = { - site = "hyp01"; - deployment.targetHost = "vault01.hyp01.infra.dgnum.eu"; - - hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1"; - - stateVersion = "23.11"; - nixpkgs = "24.05"; - - adminGroups = [ "fai" ]; - }; - - web02 = { - site = "rat01"; - - hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5"; - - stateVersion = "24.05"; - nixpkgs = "24.05"; - vm-cluster = "Hyperviseur NPS"; - }; - - rescue01 = { - site = "luj01"; - - deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu"; - - hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC"; - - stateVersion = "23.11"; - vm-cluster = "Hyperviseur Luj"; }; } diff --git a/meta/options.nix b/meta/options.nix index e8f4e6a..0344793 100644 --- a/meta/options.nix +++ b/meta/options.nix @@ -70,39 +70,6 @@ in Groups of the DGNum organization. ''; }; - - external = mkOption { - type = attrsOf (listOf str); - description = '' - External services used by the DGNum organization. - ''; - }; - - services = mkOption { - type = attrsOf (submodule { - options = { - admins = mkOption { - type = listOf str; - default = [ ]; - description = '' - List of administrators of the service. - ''; - }; - - adminGroups = mkOption { - type = listOf str; - default = [ ]; - description = '' - List of administrator groups of the service. - ''; - }; - }; - }); - description = '' - Administrator access of the different DGNum services, - it is mainly indicative as most services cannot configure this statically. - ''; - }; }; nodes = mkOption { 
@@ -360,21 +327,6 @@ in extract "adminGroups" config.nodes )) - # Check that all services admins exist - (membersExists (name: "A member of the service ${name} admins was not found in the members list.") ( - extract "admins" org.services - )) - - # Check that all services adminGroups exist - (groupsExists ( - name: "A member of the service ${name} adminGroups was not found in the groups list." - ) (extract "adminGroups" org.services)) - - # Check that all external services admins exist - (membersExists ( - name: "A member of the external service ${name} admins was not found in the members list." - ) org.external) - # Check that all members have ssh keys (builtins.map (name: { assertion = ((import ../keys)._keys.${name} or [ ]) != [ ]; diff --git a/meta/organization.nix b/meta/organization.nix index cf0c2b5..b8a4016 100644 --- a/meta/organization.nix +++ b/meta/organization.nix @@ -10,6 +10,11 @@ email = "catvayor@dgnum.eu"; }; + cst1 = { + name = "Constantin Gierczak--Galle"; + email = "cst1@dgnum.eu"; + }; + ecoppens = { name = "Elias Coppens"; email = "ecoppens@dgnum.eu"; @@ -48,52 +53,10 @@ "raito" "mdebray" "luj" - ]; - - # members of this group are root on the fai infrastructure - fai = [ "catvayor" "ecoppens" + "cst1" ]; - lab = [ - "catvayor" - "ecoppens" - ]; - - }; - - external = { - dns = [ - "thubrecht" - "raito" - ]; - - email = [ "raito" ]; - - irc = [ "raito" ]; - }; - - services = { - # Démarches Normaliennes - ds-fr.admins = [ - "thubrecht" - "jemagius" - ]; - - # Cloud DGNum - nextcloud.admins = [ - "thubrecht" - "raito" - ]; - - # Netbox DGNum - netbox.adminGroups = [ - "root" - "fai" - ]; - - # Videos DGNum - peertube.admins = [ "thubrecht" ]; }; } diff --git a/meta/verify.nix b/meta/verify.nix index ecf2ed2..51beb99 100644 --- a/meta/verify.nix +++ b/meta/verify.nix @@ -3,8 +3,6 @@ let sources = import ../npins; pkgs = import sources.nixpkgs { }; - - dns = import sources."dns.nix" { inherit pkgs; }; in { 
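Review bot: The new `cst1` member at the start of the meta/organization.nix hunk is subject to the check kept in meta/options.nix, `assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];`, so `nix-build meta/verify.nix -A meta` (the only job left in check-meta.yaml) fails unless `keys/` already holds a non-empty entry for `cst1`; this diff adds no key. If the key lands in a separate commit, it would help to say so in the description so the member record and its SSH key are reviewed together. The members attribute set that encloses this hunk begins before it.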
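Review bot: Dropping the `fai` group together with its `# members of this group are root on the fai infrastructure` comment folds `catvayor`, `ecoppens` and the new `cst1` into the group whose header sits above this hunk; its name is not visible here, though the removed `netbox.adminGroups = [ "root" "fai" ]` suggests it is the broader `root` group. Combined with the `adminGroups = [ "fai" ]` lines deleted from bridge01 and vault01 in meta/nodes.nix, members who previously had fai-scoped root access now receive whatever that group grants on every node, and no comment left in the file says what that is. If the widening is intended, I would restore a scope comment on the surviving group, e.g. `# former fai group merged here: membership grants this group's access on all nodes`, worded to match the access it actually confers. The enclosing groups attribute set begins before this hunk.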
@@ -22,15 +20,4 @@ in else pkgs.writers.writeJSON "meta.json" config; - dns = dns.util.writeZone "dgnum.eu" ( - pkgs.lib.recursiveUpdate { SOA.serial = 0; } ( - import ./dns.nix { - inherit dns; - - lib = pkgs.lib // { - extra = import ../lib/nix-lib; - }; - } - ) - ); }