Compare commits
20 commits
init_photo
...
main
Author | SHA1 | Date | |
---|---|---|---|
|
930c1bd90a | ||
|
138ea89bbc | ||
|
1f28d0ccbf | ||
|
9daab9a609 | ||
|
9b794dff35 | ||
40df8e738d | |||
|
e262e55a66 | ||
|
1d1a4ccac3 | ||
|
5626bba501 | ||
|
bceb0ce492 | ||
1467819be2 | |||
b10fee2eee | |||
d3bfe16f7f | |||
1b8dc4d78a | |||
862168b2bc | |||
1f82719dcb | |||
51aaa9a80d | |||
9b5c6848c0 | |||
225ced72c2 | |||
68b5f86bd5 |
61 changed files with 1880 additions and 114 deletions
3
.gitignore
vendored
|
@ -9,3 +9,6 @@ result-*
|
|||
*.qcow2
|
||||
.gcroots
|
||||
.pre-commit-config.yaml
|
||||
|
||||
# nixmoxer (proxmox declarative vms)
|
||||
nixmoxer.conf
|
||||
|
|
|
@ -3,13 +3,13 @@
|
|||
## HE
|
||||
|
||||
On a un `/64` uniquement routé via un tunnel 6in4:
|
||||
- IP de lien local: `2001:470:1f12:187::2/64`
|
||||
- IP de lien Remote: `2001:470:1f12:187::1/64`
|
||||
- IP de lien local: `2001:470:1f12:2b::2/64`
|
||||
- IP de lien Remote: `2001:470:1f12:2b::1/64`
|
||||
- Endpoint ipv4: `216.66.84.42`/`129.199.146.230`
|
||||
|
||||
| Préfixe | Attribution |
|
||||
|-|-|
|
||||
| `2001:470:1f13:187::/64` | he-dmz, vlan 2530 |
|
||||
| `2001:470:1f13:2b::/64` | he-dmz, vlan 2530 |
|
||||
|
||||
## MWAN
|
||||
|
||||
|
@ -22,7 +22,7 @@ Routé via SIIT sur le vlan mwan-siit (2520)
|
|||
| IP | Attribution | Mainteneur |
|
||||
|----|-------------|------------|
|
||||
| `.25` | `labcore01` | Maurice |
|
||||
| `.26` | | |
|
||||
| `.26` | `dns01` | cst1 |
|
||||
| `.27` | | |
|
||||
| `.28` | | |
|
||||
| `.29` | | |
|
||||
|
|
|
@ -71,7 +71,7 @@ in
|
|||
|
||||
{
|
||||
nodes = builtins.mapAttrs (
|
||||
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
|
||||
host: { site, ... }: "${host}.${site}.lab.infra.dgnum.eu"
|
||||
) (import ./meta/nodes.nix);
|
||||
|
||||
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
|
||||
|
|
|
@ -14,10 +14,18 @@ rec {
|
|||
_keys = (import "${_sources.infrastructure}/keys")._keys // {
|
||||
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
|
||||
router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
|
||||
roam01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXjzVxYs5v5+7N0tyqpBQERXKjXwTZUqVGkdye4S1LP" ];
|
||||
status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
|
||||
};
|
||||
|
||||
_vpnKeys =
|
||||
builtins.mapAttrs (_: v: v.vpnKeys) meta.organization.members
|
||||
// builtins.mapAttrs (_: v: v.vpnKeys) meta.network;
|
||||
|
||||
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
|
||||
|
||||
getVpnKey = vpn: name: _vpnKeys.${name}.${vpn};
|
||||
|
||||
mkSecrets =
|
||||
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
|
||||
|
||||
|
|
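Review bot: The three host keys appended to `_keys` (router02, roam01, status01) carry no provenance, so a later rotation cannot tell which machine generation or which `ssh_host_*_key.pub` each one came from; a one-line comment per entry, e.g. `# roam01: ssh_host_ed25519_key.pub, taken <DATE-PLACEHOLDER>`, would keep the trust list auditable. `status01` receives a key here but no `machines/status01` directory appears among the files on this page, so secrets may become decryptable by a host that is not defined yet — worth confirming that it exists elsewhere. The enclosing `rec { … }` starts and ends outside the hunk.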
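--- a/machines/dns01/_configuration.nix
+++ b/machines/dns01/_configuration.nix
@@ -0,0 +1,27 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+enabledModules = [
+# List of modules to enable
+];
+
+enabledServices = [
+# List of services to enable
+"nsd"
+];
+
+extraConfig = {
+# TODO : retrieve this address from meta/network.nix
+deployment.targetHost = "45.13.104.26";
+deployment.tags = [ "cst1" ];
+networking.firewall = {
+enable = true;
+logRefusedConnections = lib.mkForce true;
+logRefusedPackets = lib.mkForce true;
+allowedTCPPorts = [ 53 ];
+allowedUDPPorts = [ 53 ];
+};
+};
+
+root = ./.;
+}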
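Review bot: `deployment.targetHost = "45.13.104.26"` is the third hand-written copy of this address in the commit (nsd.nix binds its SIIT-mapped form, lab.dgnum.eu.nix advertises it as `ns01`), and the TODO above it already says it should come from meta/network.nix; until that happens the copies can drift without any build error, so a comment naming the two other locations would at least make the coupling visible. `logRefusedConnections`/`logRefusedPackets` are forced on for an internet-facing authoritative server, which logs every dropped probe; that is a reasonable detection choice, but a short comment on the expected volume and where journald retention is set would help whoever next sees a full disk. Port 53 is opened on every interface while nsd.nix binds a single address, which is harmless but worth one line saying so.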
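--- a/machines/dns01/_hardware-configuration.nix
+++ b/machines/dns01/_hardware-configuration.nix
@@ -0,0 +1,34 @@
+{ lib, modulesPath, ... }:
+
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+boot = {
+loader.systemd-boot.enable = true;
+initrd.kernelModules = [ ];
+kernelModules = [ ];
+extraModulePackages = [ ];
+initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"virtio_pci"
+"virtio_scsi"
+"sd_mod"
+"sr_mod"
+];
+};
+
+fileSystems."/" = {
+device = "/dev/disk/by-partlabel/disk-sda-root";
+fsType = "ext4";
+};
+
+fileSystems."/boot" = {
+device = "/dev/disk/by-partlabel/disk-sda-ESP";
+fsType = "vfat";
+};
+
+networking.useDHCP = lib.mkDefault false;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}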
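--- a/machines/dns01/lab.dgnum.eu.nix
+++ b/machines/dns01/lab.dgnum.eu.nix
@@ -0,0 +1,61 @@
+{
+meta,
+dns,
+lib,
+...
+}:
+
+let
+inherit (lib) mapAttrs' nameValuePair;
+in
+with dns.lib.combinators;
+{
+SOA = {
+nameServer = "ns01.lab.dgnum.eu";
+adminEmail = "dns@dgnum.eu";
+serial = 2019030800;
+retry = 3600;
+minimum = 300;
+};
+
+NS = [ "ns01.lab.dgnum.eu." ];
+
+#A = [ "203.0.113.1" ];
+#AAAA = [ "4321:0:1:2:3:4:567:89ab" ];
+
+subdomains = {
+# Hosted services
+# NOTE: for now manually supplied, in the future automatically filled in
+photoprism = host "129.199.146.101" null;
+immich = host "129.199.146.101" null;
+
+homebox = host "129.199.146.102" null;
+
+status = host "129.199.146.103" null;
+
+kfet = host "129.199.146.230" "2a0e:e701:1120:1000::f:1";
+
+# Nameservers
+ns01 = host "45.13.104.26" "2a0e:e701:1120:1000:ffff::45.13.104.26";
+
+# *.infra.lab.dgnum.eu
+infra = {
+subdomains = mapAttrs' (
+host:
+{ site, ... }:
+nameValuePair "${host}.${site}" (
+with meta.network.${host}.addresses;
+{
+A = ipv4;
+AAAA = ipv6;
+
+subdomains = {
+v4.A = ipv4;
+v6.AAAA = ipv6;
+};
+}
+)
+) meta.nodes;
+};
+};
+}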
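Review bot: The SOA `nameServer = "ns01.lab.dgnum.eu"` has no trailing dot while the `NS` entry right below is `"ns01.lab.dgnum.eu."`; unless dns.nix normalises both forms this is an inconsistency, and making them identical removes the doubt. `serial = 2019030800` is a fixed value with a single NS and no XFR configured in nsd.nix, so nothing will ever be told to refresh and the zone has one point of failure — acceptable for a lab, but a comment stating that this is deliberate would stop it being read as an oversight. The `infra` subdomain publishes `ipv4`/`ipv6` from `meta.network.<host>.addresses` for every entry of `meta.nodes` into a public zone; if any of those addresses are management-only, they become discoverable, so confirm that only routable service addresses are present there.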
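--- a/machines/dns01/nsd.nix
+++ b/machines/dns01/nsd.nix
@@ -0,0 +1,24 @@
+{
+sources,
+lib,
+meta,
+...
+}:
+
+let
+dns = import sources.dns-nix { };
+in
+{
+services.nsd = {
+enable = true;
+verbosity = 1000;
+interfaces = [ "2a0e:e701:1120:1000:ffff::45.13.104.26" ];
+zones = {
+"lab.dgnum.eu" = {
+# provideXFR = [ ... ];
+# notify = [ ... ];
+data = dns.lib.toString "lab.dgnum.eu" (import ./lab.dgnum.eu.nix { inherit meta dns lib; });
+};
+};
+};
+}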
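Review bot: `verbosity = 1000` is far outside the small integer levels nsd documents for its `verbosity` setting and reads like a debugging leftover; on an internet-facing authoritative server it will make the journal noisy without adding signal, so `verbosity = 1;` with a comment on why more than the default is wanted would be the defensible setting. `provideXFR` and `notify` are both left commented out while the zone lists a single NS, which means there is no secondary at all; a one-line comment saying that is intended for now would keep the next reader from adding one blindly. The bound `interfaces` address duplicates the `ns01` AAAA value in lab.dgnum.eu.nix, so a pointer to that file would help keep the two in step.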
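--- a/machines/dns01/secrets/secrets.nix
+++ b/machines/dns01/secrets/secrets.nix
@@ -0,0 +1,3 @@
+(import ../../../keys).mkSecrets [ "dns01" ] [
+# List of secrets for router02
+]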
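Review bot: The comment `# List of secrets for router02` is copied from router02's file, but this list is for dns01; the same stale comment appears in machines/homebox01/secrets/secrets.nix, machines/photo01/secrets/secrets.nix and machines/roam01/secrets/secrets.nix in this commit. Suggest `# List of secrets for dns01` here and the matching host name in each sibling, since these files are the first place someone looks when a host fails to decrypt its secrets.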
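--- a/machines/homebox01/_configuration.nix
+++ b/machines/homebox01/_configuration.nix
@@ -0,0 +1,25 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+enabledModules = [
+# List of modules to enable
+];
+
+enabledServices = [
+# List of services to enable
+"homebox"
+"nginx"
+];
+
+extraConfig = {
+deployment.tags = [ "cst1" ];
+networking = {
+firewall.allowedTCPPorts = [
+80
+443
+];
+};
+};
+
+root = ./.;
+}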
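--- a/machines/homebox01/_hardware-configuration.nix
+++ b/machines/homebox01/_hardware-configuration.nix
@@ -0,0 +1,34 @@
+{ lib, modulesPath, ... }:
+
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+boot = {
+loader.systemd-boot.enable = true;
+initrd.kernelModules = [ ];
+kernelModules = [ ];
+extraModulePackages = [ ];
+initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"virtio_pci"
+"virtio_scsi"
+"sd_mod"
+"sr_mod"
+];
+};
+
+fileSystems."/" = {
+device = "/dev/disk/by-partlabel/disk-sda-root";
+fsType = "ext4";
+};
+
+fileSystems."/boot" = {
+device = "/dev/disk/by-partlabel/disk-sda-ESP";
+fsType = "vfat";
+};
+
+networking.useDHCP = lib.mkDefault false;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}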
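--- a/machines/homebox01/homebox.nix
+++ b/machines/homebox01/homebox.nix
@@ -0,0 +1,14 @@
+{
+services.homebox = {
+enable = true;
+settings = {
+HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
+};
+};
+services.nginx.virtualHosts."homebox.lab.dgnum.eu" = {
+enableACME = true;
+forceSSL = true;
+serverAliases = [ ];
+locations."/".proxyPass = "http://localhost:7745/";
+};
+}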
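--- a/machines/homebox01/nginx.nix
+++ b/machines/homebox01/nginx.nix
@@ -0,0 +1,10 @@
+{
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+clientMaxBodySize = "500m";
+};
+}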
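--- a/machines/homebox01/secrets/secrets.nix
+++ b/machines/homebox01/secrets/secrets.nix
@@ -0,0 +1,3 @@
+(import ../../../keys).mkSecrets [ "homebox01" ] [
+# List of secrets for router02
+]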
|
@ -8,8 +8,8 @@ lib.extra.mkConfig {
|
|||
enabledServices = [
|
||||
# INFO: This list needs to stay sorted alphabetically
|
||||
# Machine learning API machine
|
||||
# "microvm-ml01"
|
||||
# "microvm-router01"
|
||||
"microvm-ml01"
|
||||
"microvm-router01"
|
||||
"nvidia-tesla-k80"
|
||||
"ollama"
|
||||
"whisper"
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
{ sources, ... }:
|
||||
{
|
||||
sources,
|
||||
meta,
|
||||
name,
|
||||
...
|
||||
}:
|
||||
let
|
||||
proxmox-nixos = import sources.proxmox-nixos;
|
||||
in
|
||||
|
@ -6,6 +11,7 @@ in
|
|||
imports = [ proxmox-nixos.nixosModules.proxmox-ve ];
|
||||
services.proxmox-ve = {
|
||||
enable = true;
|
||||
ipAddress = meta.network.${name}.netbirdIp;
|
||||
openFirewall = false;
|
||||
};
|
||||
nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ];
|
||||
|
|
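Review bot: `ipAddress = meta.network.${name}.netbirdIp;` together with `openFirewall = false;` changes where the Proxmox VE UI/API is reachable, but nothing in the hunk says why; presumably the netbird address is a management-only overlay, in which case a comment such as `# Bind PVE to the netbird (management) address only; the public firewall stays closed` above `ipAddress` would record the intent and stop someone re-enabling `openFirewall` later. The enclosing attribute set starts before and ends after the hunk.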
|
@ -8,6 +8,7 @@ lib.extra.mkConfig {
|
|||
enabledServices = [
|
||||
# List of services to enable
|
||||
"unbound"
|
||||
"nginx"
|
||||
];
|
||||
|
||||
extraConfig = { };
|
||||
|
|
BIN
machines/labcore01/kfet/favicon.png
Normal file
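--- a/machines/labcore01/kfet/index.html
+++ b/machines/labcore01/kfet/index.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width" />
+<title>Ouverture K-Fêt</title>
+<style>
+#main {
+margin: 0;
+padding: 0;
+width: 100vw;
+height: 100vh;
+text-align: center;
+font-weight: bold;
+font-size: 15vw;
+display: flex;
+justify-content: center;
+align-content: center;
+flex-direction: column;
+}
+
+* {
+margin: 0;
+padding: 0;
+}
+
+.red {
+background-color: red;
+color: white;
+}
+
+.orange {
+background-color: orange;
+color: black;
+}
+
+
+.green {
+background-color: green;
+color: white;
+}
+
+#main > p {
+overflow: hidden;
+display: none;
+}
+
+.orange > #orange {
+display: block;
+}
+
+.green > #green {
+display: block;
+}
+
+.red > #red {
+display: block;
+}
+
+</style>
+<link rel="manifest" href="manifest.webmanifest" />
+</head>
+<body>
+<div id="main" class="orange">
+<p id="orange">Non défini</p>
+<p id="red">Fermé</p>
+<p id="green">Ouvert</p>
+</div>
+<script>
+// Créer une connexion WebSocket
+const socket = new WebSocket('wss://kfet.sinavir.fr/ws/');
+const div = document.getElementById("main");
+
+// Écouter les messages
+socket.addEventListener('message', function (event) {
+console.log('Voici un message du serveur', event.data);
+switch (JSON.parse(event.data).status) {
+case "opened":
+div.className = "green";
+document.title = "🟢 Ouvert | K-Fêt";
+break;
+case "closed":
+div.className = "red";
+document.title = "🔴 Fermé | K-Fêt";
+break;
+default:
+div.className = "orange";
+document.title = "🟠 Indéfini | K-Fêt";
+}
+});
+</script>
+</body>
+</html>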
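Review bot: `JSON.parse(event.data).status` in the message listener throws on any frame that is not a JSON object, which aborts that handler run and leaves the page showing whatever state it had before; since the display is meant to be a status indicator, a malformed or unexpected message should fall into the `default` ("Non défini") branch rather than be ignored. The page is served from kfet.lab.dgnum.eu (labcore01/nginx.nix) but opens its socket to `wss://kfet.sinavir.fr/ws/`, a different origin, and the `<link rel="manifest">` points at a `manifest.webmanifest` that is not among the files on this page; a comment naming both dependencies would help the next maintainer. Proposed listener body below; the console.log and the three `case` bodies are unchanged.

```javascript
socket.addEventListener('message', function (event) {
  // … unchanged: console.log …
  let status;
  try {
    status = JSON.parse(event.data).status;
  } catch (e) {
    status = undefined; // malformed frame: fall through to the "Non défini" branch
  }
  switch (status) {
    // … unchanged: "opened", "closed" and default cases …
  }
});
```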
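--- a/machines/labcore01/nginx.nix
+++ b/machines/labcore01/nginx.nix
@@ -0,0 +1,8 @@
+{
+dgn-web.enable = true;
+services.nginx.virtualHosts."kfet.lab.dgnum.eu" = {
+enableACME = true;
+forceSSL = true;
+root = ./kfet;
+};
+}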
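--- a/machines/photo01/_configuration.nix
+++ b/machines/photo01/_configuration.nix
@@ -0,0 +1,56 @@
+# TODO: revamp to use the same framework as the other VMs
+{ pkgs, ... }:
+
+let
+address = "129.199.146.101";
+in
+{
+imports = [
+./_hardware-configuration.nix
+
+./immich.nix
+./nginx.nix
+./photoprism.nix
+];
+deployment.targetHost = address;
+deployment.tags = [ "cst1" ];
+
+networking = {
+firewall.allowedTCPPorts = [
+22
+80
+443
+8007
+];
+firewall.allowedUDPPorts = [ ];
+useNetworkd = true;
+};
+
+time.timeZone = "Europe/Paris";
+environment.systemPackages = with pkgs; [ neovim ];
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
+];
+
+security.acme.acceptTerms = true;
+
+systemd.network = {
+config.routeTables = {
+he = 100;
+mwan = 110;
+};
+networks = {
+"10-ens18" = {
+name = "ens18";
+
+networkConfig = {
+Description = "ENS uplink";
+Address = [ "129.199.146.101/24" ];
+Gateway = "129.199.146.254";
+LLDP = true;
+};
+};
+};
+};
+}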
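Review bot: `imports` lists the hardware, immich, nginx and photoprism modules but not `./openssh.nix`, so the `PasswordAuthentication = false` setting that this commit adds in machines/photo01/openssh.nix is never applied to photo01, even though root's `authorizedKeys` and an open port 22 are configured right here; add `./openssh.nix` to the list. `8007` is opened in `allowedTCPPorts` while none of the photo01 files on this page binds anything to it; a comment naming the service it is for, or dropping the port until that service exists, keeps the exposed surface explicit. The `address` binding is also repeated as the literal `"129.199.146.101/24"` in `networkConfig.Address`, which will drift if one is edited; `Address = [ "${address}/24" ];` removes the duplicate.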
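--- a/machines/photo01/_hardware-configuration.nix
+++ b/machines/photo01/_hardware-configuration.nix
@@ -0,0 +1,34 @@
+{ lib, modulesPath, ... }:
+
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+boot = {
+loader.systemd-boot.enable = true;
+initrd.kernelModules = [ ];
+kernelModules = [ ];
+extraModulePackages = [ ];
+initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"virtio_pci"
+"virtio_scsi"
+"sd_mod"
+"sr_mod"
+];
+};
+
+fileSystems."/" = {
+device = "/dev/disk/by-partlabel/disk-sda-root";
+fsType = "ext4";
+};
+
+fileSystems."/boot" = {
+device = "/dev/disk/by-partlabel/disk-sda-ESP";
+fsType = "vfat";
+};
+
+networking.useDHCP = lib.mkDefault false;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}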
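--- a/machines/photo01/immich.nix
+++ b/machines/photo01/immich.nix
@@ -0,0 +1,16 @@
+{
+services.immich = {
+enable = true;
+# NOTE: default port changes in a later version
+port = 3001;
+machine-learning.enable = true;
+host = "localhost";
+};
+
+services.nginx.virtualHosts."immich.lab.dgnum.eu" = {
+enableACME = true;
+forceSSL = true;
+serverAliases = [ ];
+locations."/".proxyPass = "http://localhost:3001/";
+};
+}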
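--- a/machines/photo01/nginx.nix
+++ b/machines/photo01/nginx.nix
@@ -0,0 +1,10 @@
+{
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+clientMaxBodySize = "500m";
+};
+}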
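--- a/machines/photo01/openssh.nix
+++ b/machines/photo01/openssh.nix
@@ -0,0 +1,8 @@
+{
+services.openssh = {
+enable = true;
+settings = {
+PasswordAuthentication = false;
+};
+};
+}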
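--- a/machines/photo01/photoprism.nix
+++ b/machines/photo01/photoprism.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+
+{
+services = {
+photoprism = {
+enable = true;
+port = 2342;
+settings = {
+PHOTOPRISM_DEFAULT_LOCALE = "fr";
+PHOTOPRISM_ADMIN_USERNAME = "admin";
+PHOHOPRISM_SITE_URL = "https://photoprism.lab.dgnum.eu";
+PHOTOPRISM_SITE_CAPTION = "PhotoPrism";
+
+# DB access config
+PHOTOPRISM_DATABASE_DRIVER = "mysql";
+PHOTOPRISM_DATABASE_NAME = "photoprism";
+PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
+PHOTOPRISM_DATABASE_USER = "photoprism";
+};
+
+originalsPath = "/data/photos";
+
+address = "localhost";
+
+#importPath = "/photoprism/imports";
+passwordFile = "/passwords/photoprism";
+};
+
+mysql = {
+enable = true;
+dataDir = "/data/mysql";
+package = pkgs.mariadb;
+ensureDatabases = [ "photoprism" ];
+ensureUsers = [
+{
+name = "photoprism";
+ensurePermissions = {
+"photoprism.*" = "ALL PRIVILEGES";
+};
+}
+];
+};
+
+nginx.virtualHosts."photoprism.lab.dgnum.eu" = {
+enableACME = true;
+forceSSL = true;
+serverAliases = [ ];
+locations."/" = {
+proxyPass = "http://localhost:2342/";
+proxyWebsockets = true;
+};
+};
+};
+}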
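Review bot: `PHOHOPRISM_SITE_URL` is misspelled, so the setting is passed through as an unknown variable and PhotoPrism never learns its public URL; it should read `PHOTOPRISM_SITE_URL = "https://photoprism.lab.dgnum.eu";`. `passwordFile = "/passwords/photoprism"` sits outside the age-secrets mechanism the rest of this commit uses (`config.age.secrets.<name>.path` in roam01's wireguard.nix) and nothing here provisions that path, so a comment on how the admin password file reaches the host — or a move to the secrets directory — would keep the admin credential handled like the others. The remaining settings and the mysql/nginx blocks look consistent with each other.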
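--- a/machines/photo01/secrets/secrets.nix
+++ b/machines/photo01/secrets/secrets.nix
@@ -0,0 +1,3 @@
+(import ../../../keys).mkSecrets [ "photo01" ] [
+# List of secrets for router02
+]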
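--- a/machines/roam01/_configuration.nix
+++ b/machines/roam01/_configuration.nix
@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+enabledModules = [
+# List of modules to enable
+];
+
+enabledServices = [
+# List of services to enable
+"wireguard"
+];
+
+extraConfig = {
+networking.interfaces.enp1s0.useDHCP = true;
+};
+
+root = ./.;
+}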
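--- a/machines/roam01/_hardware-configuration.nix
+++ b/machines/roam01/_hardware-configuration.nix
@@ -0,0 +1,58 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+config,
+lib,
+modulesPath,
+...
+}:
+
+{
+imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+boot = {
+initrd = {
+availableKernelModules = [
+"xhci_pci"
+"usb_storage"
+"usbhid"
+"sd_mod"
+"sdhci_pci"
+];
+kernelModules = [ ];
+};
+kernelModules = [ "kvm-intel" ];
+extraModulePackages = [ ];
+};
+
+fileSystems."/" = {
+device = "/dev/disk/by-uuid/bfb4359b-75b2-4fa0-bdb6-283658a0019a";
+fsType = "xfs";
+};
+
+fileSystems."/boot" = {
+device = "/dev/disk/by-uuid/1A70-E9AE";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+
+swapDevices = [ { device = "/dev/disk/by-uuid/6518c729-a0cb-41b4-acc8-ec219d0afba6"; } ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp4s0d1.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}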
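--- a/machines/roam01/secrets/secrets.nix
+++ b/machines/roam01/secrets/secrets.nix
@@ -0,0 +1,4 @@
+(import ../../../keys).mkSecrets [ "roam01" ] [
+# List of secrets for router02
+"systemd-network-wg_key"
+]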
39
machines/roam01/secrets/systemd-network-wg_key
Normal file
|
@ -0,0 +1,39 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA eITDLS0bZ9nCNbcpXN2S2JK6+gy0V9Ix5anuz1DXpi8
|
||||
h/3wu702P2+Mnrsh5EimLoLY6XPiyTvjytjVr2nVPU0
|
||||
-> ssh-ed25519 QlRB9Q atT+Cb4dk/jH7uhQ7b8Qu1E4tFcrm7mUzqhwlvciCng
|
||||
eZvsq5OsW7cxf4EmE7L4KhzmiCRhV72ILT5mOg3D7GY
|
||||
-> ssh-ed25519 r+nK/Q RfAubzTOifMb9Pukkwkh7iUgOLxmIxkPCBhZqzohHA4
|
||||
0rdpQrp7iSRjGCsi7EjOcuCx2YXXscJxIYv0vfpV9hw
|
||||
-> ssh-rsa krWCLQ
|
||||
tBs7XiMvJdAqbtZTaDxgyLrHxyUjgKU4amTtPdVxRUuqm4uSoxoHJj7N6NGBPhW4
|
||||
ODB8ft5OoAwjtP/D12pNUn3fsIuo7DJGc57Dt74f0ge+MWTVI/tEC8I8EVOVYIpv
|
||||
Udc1kW8n2CCdkAulSrvlfLQPuVFUcOYWGTvEVE05gPRoJ7NiXR9CW2ByyRjD12Fj
|
||||
W+8c/H0/h8CmWGRFMZG+xlt9DmYNegz2TCKyTJPtWHRT6sYCqct13GQP/C8s8fJv
|
||||
ZQjIUcF91EBTr6Gc0fGEYFmKQckOkEeAG3P92YuK9NLyHw5xHl9M+gFZlYsQ91kg
|
||||
/uVW29GmK7qoyxpUP0GamA
|
||||
-> ssh-ed25519 /vwQcQ 0y6bP+6t8EhcHs7ap/FmCDWxQLCkDF5KyeXlGZln9Qc
|
||||
9xpybiFqQTxJ8Po0044HRhoBlmcFzqeXMG3IrZzKOdI
|
||||
-> ssh-ed25519 0R97PA 1pn+9GwTf+AHsSCqI+xe0blM/6qJUgCgjCF3mlEV4k0
|
||||
W278+7Qc5/QyALiy1Gt8WKqCw+MX4Ko0VLV+p1KoSjA
|
||||
-> ssh-ed25519 JGx7Ng hrWsXtVn1DNQ86woVee66ljaMpgBBoJmHdS7qyESbz0
|
||||
dRPPTNmGYFZ+VR9gPhfD5wutqIuJXXEtoMapnAShrHE
|
||||
-> ssh-ed25519 bUjjig RzQTuUiEmKd9VqYMKz3cbaU7v4OncTK8N1VA+4M851w
|
||||
49tmBO+NwrGfNyDwcyuk+7DFqK0yYfZoJ98qeYg0yBY
|
||||
-> ssh-ed25519 5SY7Kg 9icmp/ZQKCNxep3mnqbJs3pfjaunJwpK9OP5PhXSvE4
|
||||
Yx6OjFMMwg+MRsHSlg8DjBDF5jumxJcweaWPsy0TCNU
|
||||
-> ssh-ed25519 p/Mg4Q yhvaDm7yq75qq2Sb5wmXqunG5sHoamAi0r/kBOFHJjw
|
||||
ZnmJd4au4dGscs7HdW1TqqLjqniRT3EhivgllyuGp5s
|
||||
-> ssh-ed25519 5rrg4g oQn9sbjixiuN02aDo/v4n6JWTT4MPbYVwni0OW04NFk
|
||||
hhYoASjz7CPqNXwGCOydrzadudrvncUsv318zFFUB0A
|
||||
-> ssh-ed25519 oRtTqQ holCshSmzD+N5BYaUOv00WZlFn0UOLTikddFPZpCw1o
|
||||
XdPjWqs7UqmA4ZLbgNAlDuHcdEGeeGCryBLE0jUtRbM
|
||||
-> ssh-ed25519 F2C+8w h7ncoDRcnH+pVcRAP5au111c47oRjg4ISn93qK912zk
|
||||
7sisrDx+avRb9HE2WvYkgSErsvNMqsc+UESmRKt7xz8
|
||||
-> ssh-ed25519 PMC4Bw oyKwRE22OV8RupaRKV6MgdL9sYK12NvhRDseQwo2MWE
|
||||
oQOX7qy2Lo6eqmOBqgCjssu5mrd85NQDwmOdzIrj7yg
|
||||
-> :1G-grease
|
||||
krZ6nazBc8pS3EHxhcidv4uBigiek7jhODqwOoFQa3+31acCrziN8elOxd6gEa7B
|
||||
a/xpMlN0
|
||||
--- BZD889tFoBkFafKWHk0vfNhpP+YtdcU+wpmm0d9RV+Q
|
||||
Ç„yz¥5Y7ùY}‡ˆ"·Q{±sy;âÇ“˜dÛü°”PX4¹Ï›Ã×c½Š1AÕv©ýJ›î<ž^fÁ¯ƒñv3U%eó]–P
|
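--- a/machines/roam01/wireguard.nix
+++ b/machines/roam01/wireguard.nix
@@ -0,0 +1,54 @@
+{
+config,
+lib,
+dgn-keys,
+name,
+...
+}:
+let
+mkPeer =
+prefix: peerName:
+let
+peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
+in
+{
+Endpoint = "129.199.146.230:1194";
+PersistentKeepalive = 25;
+AllowedIPs = [ "fdaa::${prefix}:0/64" ];
+PublicKey = peer.key;
+};
+in
+
+{
+age-secrets.autoMatch = [ "systemd-network" ];
+networking.firewall.trustedInterfaces = [ "wg0" ];
+systemd.network = {
+networks = {
+"50-wg-mgmt" = {
+name = "wg-mgmt";
+address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
+routes = [
+{
+Destination = "fdaa::/64";
+Scope = "link";
+}
+];
+};
+};
+netdevs = {
+"50-wg-mgmt" = {
+netdevConfig = {
+Name = "wg-mgmt";
+Kind = "wireguard";
+};
+wireguardConfig = {
+ListenPort = 1194;
+PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
+};
+
+wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
+};
+};
+};
+networking.firewall.allowedUDPPorts = [ 1194 ];
+}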
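Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ]` names an interface this file never creates — the netdev is `wg-mgmt` — so the line is either dead or, if something else ends up called wg0, trusts the wrong link; if the management tunnel is meant to bypass the firewall it should be `networking.firewall.trustedInterfaces = [ "wg-mgmt" ];`, otherwise drop the line and keep the tunnel subject to the normal ruleset. `Endpoint = "129.199.146.230:1194"` is hard-coded in `mkPeer` while the peer's key and id come from `dgn-keys.getVpnKey`, and router02's networking change in this same commit adds a second uplink address (.231) and moves its HE tunnel onto it; deriving the endpoint from meta.network would avoid the two drifting apart. The `prefix` parameter is only ever called as `mkPeer "0"`, so a one-line comment on what it selects inside `fdaa::${prefix}:0/64` would make the helper self-explanatory.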
|
@ -8,6 +8,8 @@ lib.extra.mkConfig {
|
|||
enabledServices = [
|
||||
# List of services to enable
|
||||
"networking"
|
||||
"wireguard"
|
||||
"nginx-sni"
|
||||
];
|
||||
|
||||
extraConfig = { };
|
||||
|
|
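Review bot: `"nginx-sni"` is appended after `"wireguard"`, which breaks the alphabetical order that the other `enabledServices` list in this commit asks for (`# INFO: This list needs to stay sorted alphabetically`); if the same convention applies to router02, swap the two so the list reads `"networking"`, `"nginx-sni"`, `"wireguard"`. The enclosing `lib.extra.mkConfig { … }` starts and ends outside the hunk.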
|
@ -42,7 +42,7 @@
|
|||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
|
|
@ -10,7 +10,10 @@
|
|||
|
||||
networkConfig = {
|
||||
Description = "ENS uplink";
|
||||
Address = [ "129.199.146.230/24" ];
|
||||
Address = [
|
||||
"129.199.146.231/24"
|
||||
"129.199.146.230/24"
|
||||
];
|
||||
Gateway = "129.199.146.254";
|
||||
LLDP = true;
|
||||
# Only to the switch we are connected to directly, e.g. the hypervisor or the switch.
|
||||
|
@ -34,36 +37,32 @@
|
|||
"50-tun-he" = {
|
||||
name = "sit-he";
|
||||
networkConfig = {
|
||||
Description = "HE.NET IPv6 Tunnel (gdd)";
|
||||
Address = [ "2001:470:1f12:187::2/64" ];
|
||||
Description = "HE.NET IPv6 Tunnel (maurice)";
|
||||
Address = [ "2001:470:1f12:2b::2/64" ];
|
||||
ConfigureWithoutCarrier = true;
|
||||
};
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "::/0";
|
||||
Table = "he";
|
||||
Scope = "global";
|
||||
};
|
||||
Destination = "::/0";
|
||||
Table = "he";
|
||||
Scope = "global";
|
||||
}
|
||||
{
|
||||
# Use HE tunnel for router trafic as well
|
||||
routeConfig = {
|
||||
Destination = "::/0";
|
||||
Scope = "global";
|
||||
};
|
||||
Destination = "::/0";
|
||||
Scope = "global";
|
||||
}
|
||||
];
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "2001:470:1f13:187::/64";
|
||||
From = "2001:470:1f13:2b::/64";
|
||||
Table = "he";
|
||||
};
|
||||
}
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
To = "2001:470:1f13:187::/64";
|
||||
To = "2001:470:1f13:2b::/64";
|
||||
Table = "he";
|
||||
};
|
||||
}
|
||||
|
@ -82,41 +81,31 @@
|
|||
};
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Gateway = "2a0b:cbc0:1::215";
|
||||
PreferredSource = "2a0e:e701:1120::1";
|
||||
};
|
||||
Gateway = "2a0b:cbc0:1::215";
|
||||
PreferredSource = "2a0e:e701:1120::1";
|
||||
}
|
||||
{
|
||||
# Local route
|
||||
routeConfig = {
|
||||
Table = "mwan";
|
||||
Destination = "2a0e:e701:1120::/64";
|
||||
};
|
||||
Table = "mwan";
|
||||
Destination = "2a0e:e701:1120::/64";
|
||||
}
|
||||
{
|
||||
# Default unreachable route for unattributed prefixes of our /48
|
||||
routeConfig = {
|
||||
Table = "mwan";
|
||||
Metric = 9999;
|
||||
Destination = "2a0e:e701:1120::/48";
|
||||
Type = "unreachable";
|
||||
};
|
||||
Table = "mwan";
|
||||
Metric = 9999;
|
||||
Destination = "2a0e:e701:1120::/48";
|
||||
Type = "unreachable";
|
||||
}
|
||||
{
|
||||
routeConfig = {
|
||||
Table = "mwan";
|
||||
Gateway = "2a0b:cbc0:1::215";
|
||||
PreferredSource = "2a0e:e701:1120::1";
|
||||
};
|
||||
Table = "mwan";
|
||||
Gateway = "2a0b:cbc0:1::215";
|
||||
PreferredSource = "2a0e:e701:1120::1";
|
||||
}
|
||||
# IPv4
|
||||
{
|
||||
routeConfig = {
|
||||
Scope = "global";
|
||||
Table = "mwan";
|
||||
Gateway = "10.1.1.49";
|
||||
};
|
||||
Scope = "global";
|
||||
Table = "mwan";
|
||||
Gateway = "10.1.1.49";
|
||||
}
|
||||
];
|
||||
routingPolicyRules = [
|
||||
|
@ -165,10 +154,8 @@
|
|||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Table = "mwan";
|
||||
Destination = "2a0e:e701:1120:1000::/64";
|
||||
};
|
||||
Table = "mwan";
|
||||
Destination = "2a0e:e701:1120:1000::/64";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -176,23 +163,21 @@
|
|||
name = "vlan-he-dmz";
|
||||
networkConfig = {
|
||||
Description = "HE DMZ VLAN";
|
||||
Address = [ "2001:470:1f13:187::1/64" ];
|
||||
Address = [ "2001:470:1f13:2b::1/64" ];
|
||||
IPv6SendRA = "yes";
|
||||
};
|
||||
ipv6Prefixes = [
|
||||
{
|
||||
ipv6PrefixConfig = {
|
||||
Prefix = "2001:470:1f13:187::0/64";
|
||||
Prefix = "2001:470:1f13:2b::0/64";
|
||||
};
|
||||
}
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Table = "he";
|
||||
Scope = "global";
|
||||
Destination = "2001:470:1f13:187::/64";
|
||||
};
|
||||
Table = "he";
|
||||
Scope = "global";
|
||||
Destination = "2001:470:1f13:2b::/64";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -204,7 +189,7 @@
|
|||
Name = "sit-he";
|
||||
};
|
||||
tunnelConfig = {
|
||||
Local = "129.199.146.230";
|
||||
Local = "129.199.146.231";
|
||||
Remote = "216.66.84.42";
|
||||
};
|
||||
};
|
||||
|
|
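Review bot: ens18 now carries both `129.199.146.231/24` and `129.199.146.230/24` with .231 listed first, the sit-he tunnel's `Local` moves to `129.199.146.231`, while other parts of this commit keep .230 as the service address (kfet's A record in lab.dgnum.eu.nix, roam01's WireGuard `Endpoint`); nothing in the `Address` list says which is the router's own address and which is retained for services, and the source address networkd picks for locally originated IPv4 traffic is left to its default. Suggest a comment on the list, e.g. `# .231: router's own address (HE tunnel local end); .230: service address (kfet, wg-mgmt)`, and confirming the intended source selection after deploy. The remaining hunks flatten the `routeConfig` wrappers and move the HE prefix from `2001:470:1f13:187::/64` to `2001:470:1f13:2b::/64`, which is mechanical; the file header for this section is not shown on the page, so its path is inferred from the `sit-he` and `vlan-he-dmz` content.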
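--- a/machines/router02/nginx-sni.nix
+++ b/machines/router02/nginx-sni.nix
@@ -0,0 +1,21 @@
+{ meta, ... }:
+let
+# Beware, jool will not translate. Prefer ipv6 proxy target
+machines = builtins.mapAttrs (
+host: { site, ... }: "v6.${host}.${site}.infra.lab.dgnum.eu:443"
+) meta.nodes;
+in
+{
+dgn-web.enable = true;
+services.nginx = {
+sni-proxy = {
+preStreamConfig = ''
+resolver 127.0.0.53;
+'';
+enable = true;
+redirects = {
+"kfet.lab.dgnum.eu" = machines.labcore01;
+};
+};
+};
+}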
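Review bot: The SNI target for `kfet.lab.dgnum.eu` is `v6.labcore01.<site>.infra.lab.dgnum.eu:443`, resolved at stream time via `resolver 127.0.0.53;`, and that name lives in the lab.dgnum.eu zone that this commit serves from dns01 alone (nsd.nix); kfet's reachability through the router therefore depends on dns01 being up, which is worth stating in a comment next to `resolver`. The nodes mapping elsewhere in this commit builds `${host}.${site}.lab.infra.dgnum.eu` while this file builds `…infra.lab.dgnum.eu`; if both zones are intended (deployment names under infra.dgnum.eu, service names under lab.dgnum.eu), a one-line comment distinguishing them would stop someone "fixing" one to match the other. Minor style: `enable = true;` is placed after `preStreamConfig`, whereas the other service blocks in this commit lead with `enable`.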
|
@ -1,3 +1,4 @@
|
|||
(import ../../../keys).mkSecrets [ "router02" ] [
|
||||
# List of secrets for router02
|
||||
"systemd-network-wg_key"
|
||||
]
|
||||
|
|
39
machines/router02/secrets/systemd-network-wg_key
Normal file
|
@ -0,0 +1,39 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA 6v2v03EntXNNOnWAuZEcLybn6iWI+LB0kA/AbzszgQs
|
||||
aqtydlqLgpfvC9rz0x0MshF+RfYJSpQaah5moS3CsGY
|
||||
-> ssh-ed25519 QlRB9Q 8SqWmf7skeFnmT1HU43V7PwaqYl/hHTifx70qr05Y3c
|
||||
W/b0CABozdoiSXWokOs+ChRL2pKCjL/b3kZHsBLBemw
|
||||
-> ssh-ed25519 r+nK/Q TwRRJzM7q81lTdiMwINKYs5RqUaKR9odwTj0CaAUOFU
|
||||
mYvyP/UeLFDgXFAUkCfZRNuRTJBL5t01nQ5a3U9BVrc
|
||||
-> ssh-rsa krWCLQ
|
||||
ssWV1ySMEEZJEsNUjss0U+rLVLYVLlPovyeqv3dWgRdbojFOboXZh7yo07KHOuu8
|
||||
N3QU64Iy1B8VOoPPhkfRURJjsjEEt/48gwMm9Ff9lmF/rxuw8KOPlGgAF+HwGK0z
|
||||
Y2gTJkehFuuBN70jsPpCGqlEpmbwLfw1BbYp8zYEq6OKXkhZjIWVEwfa3Ahiw0Z7
|
||||
3VTC/9GVhpPu/s532TxYNsTZj6nBSp22jc8AZZvOxbPrV5Qk8yLb3JMfXBWn3bJv
|
||||
N4A1x+ibCI6bnl+gYzmVjiquMuo8CMR1t+KAp6nNfv1dZT5UDBYKswYQ1AhQi7jh
|
||||
KzBK3vInE18L3qWPxt4Zdw
|
||||
-> ssh-ed25519 /vwQcQ YilslLDdIPQRNOr/ZA+WreHP5PNBiy/f6xz2UImsEQA
|
||||
gjH2VsGYM/bJu+X5vwF1y+r0+pDC7EOjesuawUw5WAo
|
||||
-> ssh-ed25519 0R97PA qFqvdP6/zg+/ruLrNmmFdi0ED43LVNtrfFISTVMLimA
|
||||
YQyo/5tyH2JMPWiqV0bxWhMWVpyjcaQc9nr1WPUMygc
|
||||
-> ssh-ed25519 JGx7Ng /SvvUDt/rDTaFOqaxL+d49pNyx7Wvkl0FMr36RIsxgQ
|
||||
pF191qRavD24LSw2JHKpVKFGK281UitMTcLDV7Zw87M
|
||||
-> ssh-ed25519 bUjjig +o1W/J1qFW96kC5SCz5azW4ar/bGglWOIST/VEBl0k8
|
||||
mHPgOqZN5eLw5AG47TIXccckR1qhhr6Ix08l3CY2NF4
|
||||
-> ssh-ed25519 5SY7Kg 53VjPE/xjun7Q1fKUaRKoEw1p5ble9fiunb/hX8sSns
|
||||
5ro90MKLPz2rqdHghVBbrKXiRHHUEeRKkB+RZwxX1Ls
|
||||
-> ssh-ed25519 p/Mg4Q tLc6UNchEe2AR/91gGauHIhD84UfKbIgS5MR77dhxhw
|
||||
Q5/8BbmXj9wTv0oHr73Au3gNgMDPxT1btyRFhVZ+My8
|
||||
-> ssh-ed25519 5rrg4g WVq0dsHIxZffMqbAgdtBoMZDpzWI2eSc/gYuohn2JHc
|
||||
CXBXkFLl8ljpBZK3emGaj5D0lb07KfCBeHPLc0AuCFA
|
||||
-> ssh-ed25519 oRtTqQ Zq/GevKIc0qaGd0jXWpkd88BxA6yPonFzvxqxtylCiw
|
||||
KO0avMpoF1ICg+17xvsmBLGsZ4FVorjkcMl/adT2/IU
|
||||
-> ssh-ed25519 F2C+8w b9E1FgolbSv9cbAKTwSUnUhcilOFC3mkX8zEgeYwJxs
|
||||
vqh2UldeQQTkDuiRxrT8+Xxdpt2s16X+14J57rpZVKM
|
||||
-> ssh-ed25519 Dk/ltw 9zNl1I2J0A99y6G2M4JHhUVgn/9xcCaDz+I1NQxJewg
|
||||
GFQp+hYM9dyICmI5UmdnNftq7g3QyNH3MlkAoag8YtQ
|
||||
-> jn$!zr-grease w#SDYrYf
|
||||
tNm7A1/g1RMy3lwzsibb/VhsMojufa8iCJCfZ5PG13ikyKab/8GY2oBO282yzcGJ
|
||||
NLDaG5WbIbese3Rxi+rC0ucRZYWlx/w
|
||||
--- 8tELVgxGaIQsgC4NrrRbSh8Y8p+d8sQLG6pWZrc4b3o
|
||||
<16>kÜèŽuûEõ¬4>7>«p<C2AB>KøÎH¶ê$8MÞŸ@¢’¢û„<C3BB>°º
fñ`ÿ°XÍÚLi½:”öû³&wè>
4€•,#q¿h™4
|
57
machines/router02/wireguard.nix
Normal file
57
machines/router02/wireguard.nix
Normal file
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
dgn-keys,
|
||||
name,
|
||||
...
|
||||
}:
|
||||
let
|
||||
mkPeer =
|
||||
prefix: peerName:
|
||||
let
|
||||
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
|
||||
in
|
||||
{
|
||||
AllowedIPs = [ "fdaa::${prefix}:${lib.toHexString peer.id}/32" ];
|
||||
PublicKey = peer.key;
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
age-secrets.autoMatch = [ "systemd-network" ];
|
||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||
systemd.network = {
|
||||
networks = {
|
||||
"50-wg-mgmt" = {
|
||||
name = "wg-mgmt";
|
||||
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
|
||||
routes = [
|
||||
{
|
||||
Destination = "fdaa::/64";
|
||||
Scope = "link";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
netdevs = {
|
||||
"50-wg-mgmt" = {
|
||||
netdevConfig = {
|
||||
Name = "wg-mgmt";
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig = {
|
||||
ListenPort = 1194;
|
||||
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
|
||||
};
|
||||
|
||||
wireguardPeers =
|
||||
builtins.map (mkPeer "1") [
|
||||
"mdebray"
|
||||
"catvayor"
|
||||
]
|
||||
++ builtins.map (mkPeer "0") [ "roam01" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ 1194 ];
|
||||
}
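Review bot: `AllowedIPs = [ "fdaa::${prefix}:${lib.toHexString peer.id}/32" ]` in `mkPeer` gives every peer the same range, because on IPv6 a `/32` is the whole `fdaa::/32` block rather than one host; WireGuard's cryptokey routing hands an overlapping range to whichever peer was configured last, so the other peers' traffic is silently dropped and the per-peer ACL that AllowedIPs is supposed to provide is lost — it should be `/128`. `networking.firewall.trustedInterfaces = [ "wg0" ]` names an interface this file never creates (the netdev is `Name = "wg-mgmt"`), so it is currently a no-op; if the management VPN is meant to bypass the firewall it should read `[ "wg-mgmt" ]`, bearing in mind that this trusts every peer in the list, not just the administrators. A comment above `mkPeer` explaining the prefix convention (`"1"` for members, `"0"` for machines, which is what keeps member and node ids from colliding) would also help.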
|
25
machines/routexp01/_configuration.nix
Normal file
25
machines/routexp01/_configuration.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ lib, ... }:
|
||||
|
||||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
"lab-routexp"
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
# List of services to enable
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
lab-routexp = {
|
||||
id = 1;
|
||||
|
||||
connections = [
|
||||
1001
|
||||
1002
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
root = ./.;
|
||||
}
|
40
machines/routexp01/_hardware-configuration.nix
Normal file
40
machines/routexp01/_hardware-configuration.nix
Normal file
|
@ -0,0 +1,40 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
lib,
|
||||
sources,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
(sources.disko + "/module.nix")
|
||||
./disko.nix
|
||||
];
|
||||
boot = {
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
kernelModules = [ ];
|
||||
};
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
};
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
33
machines/routexp01/disko.nix
Normal file
33
machines/routexp01/disko.nix
Normal file
|
@ -0,0 +1,33 @@
|
|||
_: {
|
||||
disko.devices = {
|
||||
disk = {
|
||||
main = {
|
||||
device = "/dev/sda";
|
||||
type = "disk";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
type = "EF00";
|
||||
size = "1G";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = [ "umask=0077" ];
|
||||
};
|
||||
};
|
||||
root = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "ext4";
|
||||
mountpoint = "/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
1
machines/routexp01/networking.nix
Normal file
1
machines/routexp01/networking.nix
Normal file
|
@ -0,0 +1 @@
|
|||
{ }
|
3
machines/routexp01/secrets/secrets.nix
Normal file
3
machines/routexp01/secrets/secrets.nix
Normal file
|
@ -0,0 +1,3 @@
|
|||
(import ../../../keys).mkSecrets [ "routexp01" ] [
|
||||
# List of secrets for router02
|
||||
]
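Review bot: The comment `# List of secrets for router02` was copied from router02; this file belongs to routexp01, so it should read `# List of secrets for routexp01`. The same copy-paste comment appears in machines/status01/secrets/secrets.nix, where it should name status01.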
|
25
machines/status01/_configuration.nix
Normal file
25
machines/status01/_configuration.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ lib, ... }:
|
||||
|
||||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
# List of services to enable
|
||||
"nginx"
|
||||
"uptime-kuma"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
deployment.tags = [ "cst1" ];
|
||||
networking = {
|
||||
firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
root = ./.;
|
||||
}
|
34
machines/status01/_hardware-configuration.nix
Normal file
34
machines/status01/_hardware-configuration.nix
Normal file
|
@ -0,0 +1,34 @@
|
|||
{ lib, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
|
||||
boot = {
|
||||
loader.systemd-boot.enable = true;
|
||||
initrd.kernelModules = [ ];
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"virtio_pci"
|
||||
"virtio_scsi"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
};
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-partlabel/disk-sda-root";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-partlabel/disk-sda-ESP";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
networking.useDHCP = lib.mkDefault false;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
10
machines/status01/nginx.nix
Normal file
10
machines/status01/nginx.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
clientMaxBodySize = "500m";
|
||||
};
|
||||
}
|
4
machines/status01/secrets/secrets.nix
Normal file
4
machines/status01/secrets/secrets.nix
Normal file
|
@ -0,0 +1,4 @@
|
|||
(import ../../../keys).mkSecrets [ "status01" ] [
|
||||
# List of secrets for router02
|
||||
"stateless-uptime-kuma-password"
|
||||
]
|
39
machines/status01/secrets/stateless-uptime-kuma-password
Normal file
39
machines/status01/secrets/stateless-uptime-kuma-password
Normal file
|
@ -0,0 +1,39 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA 53kqaGHoIiBW34TabFATNf+2Nju2FAQm5euxBlp4L2E
|
||||
65jmuV2qa4FggzatITYncVQNSYTRtKEFZsBbtkQ487A
|
||||
-> ssh-ed25519 QlRB9Q VwYIAUut50rqvm4nOUZf6Sp/HzyfE1Fg6JSsMF0H53s
|
||||
euInJsL53RwaCza7OTZNRx+swsXcnN9FUMFMgmSnLug
|
||||
-> ssh-ed25519 r+nK/Q 4ZxPhgovFEX8cX3mEarpl83i4Gg1IjDBdFwqlqt0p0E
|
||||
n0oIgVJbCV9wd8GgPm4zDSKU+WPxrpXe1hNOH0M9orE
|
||||
-> ssh-rsa krWCLQ
|
||||
QxjqLVS1ANlU4kOSq9ybEHLlTrC9V9l5kQAakG9FLvGg6J88MM5v2oJzqN0MdRMy
|
||||
HC26YFwibUMrues0qXfEYAx3uuss2TS82XAlZPGC4/dn31czI7mTjgbkkwVZZ1ED
|
||||
SP8VWCAb/zjJoN+cSiVsTbu++b5dnavI2HrEA45pGopkG0usJE8Llr7kI/1Pb5Hi
|
||||
GaYdjBk5MVrA+K8PTRJ3OdDM3aTKFaoPS5vgWM2RfSSkhVK51fKxIWkiphk5hZ7l
|
||||
dmHk9qNiwZkg2wWp0W4pBCbHRzoIT2osNlbsO1IpsaNrVijrvxg5qHUHa1uqw5pB
|
||||
fJ/7dh59Ckc6FkE7Mka1EQ
|
||||
-> ssh-ed25519 /vwQcQ h3/pglzg2HhJ9AYixQgm//hDDfKwDm0qfdEYj94FF0Y
|
||||
mJh35flVyki/cpuIlHMR2j2WI35W/HarJzJBvpa2hps
|
||||
-> ssh-ed25519 0R97PA FKZr+kWHbRcZ0Ne6KdCH6mALFgTjAzquDyw3/HvTHXA
|
||||
m0hzEpVB0n8LXEjFompdmDbGQQSEvXhQrxJWaCAhziA
|
||||
-> ssh-ed25519 JGx7Ng TjvfKNCJIf8wW4p4VurJG4Ynl/s9ZoDndcP9GQs7K24
|
||||
5Ps+MgsCaws3PKv1EFPHv1BdZVD4u/DfPiNgxTIEPDI
|
||||
-> ssh-ed25519 bUjjig UEHCVJRj+Np4EvAUacUKaEIEtcv/92h/mdxpqwW9XjQ
|
||||
nQfWPkwJ7MufMbTJ1ktE3skBxKu89ps7b/P48bevkwM
|
||||
-> ssh-ed25519 5SY7Kg wP8S7omqt+wibyrLGdwChOilKLhlk3Uttouofrvn6Hg
|
||||
PeHvagZGw11Jq8NZFi6Pvh+XSNgklY/235YKhUPogN4
|
||||
-> ssh-ed25519 p/Mg4Q SC0lkuoNTFyPzVWW+CFQfsV5thLhnAlNMlW6r/M70WA
|
||||
DR1hkNnQ1xOwSC6gk0i33Tn52iDNqsszPmxBrSS2/aU
|
||||
-> ssh-ed25519 5rrg4g isrznX6EZE5Do1eNekhqaR/ZFeiMIzkk+y3+nIJ3dTM
|
||||
nxLDqq/xhgCWQKlolE+7u06j3GrMKxSAirkDl5Y8zzA
|
||||
-> ssh-ed25519 oRtTqQ GvvIExclzvOhzRs9TqSyPUMpPvFDcwOkthEKgxoOH3I
|
||||
LkdOSCDASTS9EryBmarT9m2TVL3aafeN+FVGSyxN9AY
|
||||
-> ssh-ed25519 F2C+8w USOT3pzvufIWjz7zelcMDACuyGAbwHfJ1wQc0Z5aS0A
|
||||
ZnuvqZ0NdgmpDSc//c99j2X+B0FvioLS1eBC4mX9PQ0
|
||||
-> ssh-ed25519 LCTbpA SLX/uFy8NniL/3dG2sOWFJqelwbcRC5UA+Ji7pYAFlQ
|
||||
ckIg5nwZSsM1DAMT9DN2LPKnlQTQye54YUmHYDJ4rp4
|
||||
-> +ka/`8V-grease `iuUWsh
|
||||
61TbfYZeLgnlK2g7xDxOvPyZx1i1WlkyM6HtZVUUlUag0+k2mF2kuANCsm8GDJd4
|
||||
qFDrRc6wmaCRnVf78HSdIJXKviR4QlxNXDnpTeh1jFGtIW4GXVHp
|
||||
--- S/VYe23MY+e4qRXq615pCpV2VYHJF+s3ioeIEDaKPA8
|
||||
n~,ló̓’ŽSïD10<31>“àBFjºÞ1çbÃU©íš>Ö½íø˹Ýâ{÷§b$ϧ
|
30
machines/status01/unethical_patch_0.patch
Normal file
30
machines/status01/unethical_patch_0.patch
Normal file
|
@ -0,0 +1,30 @@
|
|||
diff --git a/server/model/group.js b/server/model/group.js
|
||||
index 5b712ace..ecbced1a 100644
|
||||
--- a/server/model/group.js
|
||||
+++ b/server/model/group.js
|
||||
@@ -31,10 +31,23 @@ class Group extends BeanModel {
|
||||
*/
|
||||
async getMonitorList() {
|
||||
return R.convertToBeans("monitor", await R.getAll(`
|
||||
- SELECT monitor.*, monitor_group.send_url FROM monitor, monitor_group
|
||||
- WHERE monitor.id = monitor_group.monitor_id
|
||||
+ SELECT monitor.*, monitor_group.send_url
|
||||
+ FROM monitor
|
||||
+ INNER JOIN monitor_group ON monitor.id = monitor_group.monitor_id
|
||||
+ WHERE monitor.id IN (
|
||||
+ SELECT hb.monitor_id
|
||||
+ FROM heartbeat hb
|
||||
+ INNER JOIN (
|
||||
+ SELECT monitor_id, MAX(time) AS latest_time
|
||||
+ FROM heartbeat
|
||||
+ GROUP BY monitor_id
|
||||
+ ) latest_hb
|
||||
+ ON hb.monitor_id = latest_hb.monitor_id AND hb.time = latest_hb.latest_time
|
||||
+ WHERE hb.status = 1
|
||||
+ )
|
||||
AND group_id = ?
|
||||
ORDER BY monitor_group.weight
|
||||
+
|
||||
`, [
|
||||
this.id,
|
||||
]));
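Review bot: The added `WHERE monitor.id IN (… WHERE hb.status = 1 …)` subquery removes from every group listing any monitor whose most recent heartbeat is not UP, and also any monitor that has no heartbeat row yet, since those never match the `MAX(time)` join; uptime-kuma uses 0/1/2/3 for DOWN/UP/PENDING/MAINTENANCE, so pending and maintenance monitors vanish as well, not just failing ones. If the intent is to hide only DOWN monitors, `WHERE hb.status != 0` is the narrower filter. The patch carries no description of this behaviour change; `git apply` and `patch` ignore free text above the `diff --git` line, so a two-line header there stating what is hidden and why would save the next reader from reverse-engineering the SQL. The `hb.time = latest_hb.latest_time` join also yields several rows when two heartbeats share a timestamp, which is harmless inside an `IN (...)` but worth a comment.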
|
150
machines/status01/uptime-kuma.nix
Normal file
150
machines/status01/uptime-kuma.nix
Normal file
|
@ -0,0 +1,150 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodes,
|
||||
sources,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) concatLists mapAttrsToList mkMerge;
|
||||
|
||||
inherit (config.statelessUptimeKuma.lib)
|
||||
pingProbesFromHive
|
||||
fromHive
|
||||
httpProbesFromConfig
|
||||
probesWithTag
|
||||
;
|
||||
|
||||
probesCfg = config.statelessUptimeKuma.probesConfig;
|
||||
|
||||
mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
|
||||
|
||||
host = "status.lab.dgnum.eu";
|
||||
|
||||
port = 3001;
|
||||
|
||||
httpExcludes = [
|
||||
"localhost"
|
||||
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
|
||||
|
||||
extraProbes = {
|
||||
monitors = {
|
||||
# NOTE: Empty
|
||||
};
|
||||
};
|
||||
|
||||
status_pages = {
|
||||
"dgnum" = {
|
||||
title = "DGNum";
|
||||
description = "Etat de l'infra du lab de la DGNum";
|
||||
showTags = true;
|
||||
publicGroupList = [
|
||||
{
|
||||
name = "Services";
|
||||
weight = 1;
|
||||
monitorList = mkMonitors "Service";
|
||||
}
|
||||
{
|
||||
name = "Serveurs";
|
||||
weight = 2;
|
||||
monitorList = mkMonitors "Ping";
|
||||
}
|
||||
#{
|
||||
# name = "VPN Interne";
|
||||
# weight = 2;
|
||||
# monitorList = mkMonitors "VPN";
|
||||
#}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
pingProbes = pingProbesFromHive {
|
||||
inherit nodes;
|
||||
mkHost = _: config: config.networking.fqdn;
|
||||
tags = [ { name = "Ping"; } ];
|
||||
excludes = [
|
||||
"status01"
|
||||
"labcore01"
|
||||
];
|
||||
};
|
||||
|
||||
#vpnProbes = pingProbesFromHive {
|
||||
# inherit nodes;
|
||||
# prefix = "VPN - ";
|
||||
# mkHost = node: _: "${node}.dgnum";
|
||||
# tags = [ { name = "VPN"; } ];
|
||||
# excludes = [
|
||||
# "web02"
|
||||
# "status01"
|
||||
# ];
|
||||
#};
|
||||
|
||||
httpProbes = fromHive {
|
||||
inherit nodes;
|
||||
builder =
|
||||
_: module:
|
||||
httpProbesFromConfig {
|
||||
inherit (module) config;
|
||||
tags = [
|
||||
{
|
||||
name = "Host";
|
||||
value = module.config.networking.fqdn;
|
||||
}
|
||||
{ name = "Service"; }
|
||||
];
|
||||
excludes = httpExcludes;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
|
||||
nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
|
||||
|
||||
services.uptime-kuma = {
|
||||
enable = true;
|
||||
package = pkgs.uptime-kuma.overrideAttrs (
|
||||
_: prev: {
|
||||
patches = prev.patches ++ [
|
||||
# Very important patch
|
||||
./unethical_patch_0.patch
|
||||
];
|
||||
}
|
||||
);
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
statelessUptimeKuma = {
|
||||
probesConfig = mkMerge [
|
||||
pingProbes
|
||||
httpProbes
|
||||
extraProbes
|
||||
#vpnProbes
|
||||
{ inherit status_pages; }
|
||||
];
|
||||
|
||||
extraFlags = [ "-s" ];
|
||||
|
||||
host = "http://localhost:${builtins.toString port}/";
|
||||
username = "dgnum-lab";
|
||||
passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
|
||||
enableService = true;
|
||||
};
|
||||
}
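Review bot: `patches = prev.patches ++ [ … ]` in the `overrideAttrs` block fails to evaluate if the uptime-kuma derivation has no `patches` attribute; `patches = (prev.patches or [ ]) ++ [ … ];` is the usual guard. The comment `# Very important patch` says nothing about what the patch does, and the patch file itself carries no description either; `# Hides monitors whose latest heartbeat is not UP from status-page groups, see ./unethical_patch_0.patch` would document the behaviour change for whoever upgrades uptime-kuma next. `networking.firewall.allowedTCPPorts = [ 80 443 ]` is also declared in machines/status01/_configuration.nix for the same host, so one of the two declarations is redundant.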
|
114
meta/network.nix
114
meta/network.nix
|
@ -1,4 +1,73 @@
|
|||
let
|
||||
mkRoutexp =
|
||||
l:
|
||||
builtins.listToAttrs (
|
||||
builtins.map (
|
||||
{ id, hostId, ... }:
|
||||
{
|
||||
name = "routexp${id}";
|
||||
value = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
ipv6 = [
|
||||
{
|
||||
address = "2a0e:e701:1120:1000::1000:${id}";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
gateways = [ "2a0e:e701:1120:1000::1" ];
|
||||
dns = [ "2a0e:e701:1120:1000::f:1" ];
|
||||
};
|
||||
};
|
||||
inherit hostId;
|
||||
};
|
||||
}
|
||||
) l
|
||||
);
|
||||
in
|
||||
{
|
||||
|
||||
dns01 = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
ipv6 = [
|
||||
{
|
||||
address = "2a0e:e701:1120:1000:ffff::45.13.104.26";
|
||||
prefixLength = 64;
|
||||
}
|
||||
];
|
||||
|
||||
ipv4 = [
|
||||
{
|
||||
address = "45.13.104.26";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "2a0e:e701:1120:1000::1" ];
|
||||
dns = [ "2a0e:e701:1120:1000::f:1" ];
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "1758233d";
|
||||
};
|
||||
homebox01 = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.146.102";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.146.254" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "ef3bd5c0";
|
||||
};
|
||||
krz01 = {
|
||||
interfaces = {
|
||||
vmbr0 = {
|
||||
|
@ -21,6 +90,7 @@
|
|||
hostId = "bd11e8fc";
|
||||
netbirdIp = "100.80.103.206";
|
||||
};
|
||||
|
||||
labcore01 = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
|
@ -47,6 +117,50 @@
|
|||
|
||||
addresses.ipv4 = [ "129.199.146.230" ];
|
||||
|
||||
vpnKeys = {
|
||||
wg-mgmt = {
|
||||
id = 1;
|
||||
key = "PN8/zo1Clue7jAnkvaUOg1ZdmcXmcTb6kIRpu5cplHs=";
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "144d0f7a";
|
||||
};
|
||||
photo01 = {
|
||||
interfaces = { };
|
||||
|
||||
addresses.ipv4 = [ "129.199.146.101" ];
|
||||
|
||||
hostId = "bcf8ff03";
|
||||
};
|
||||
status01 = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "129.199.146.103";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "129.199.146.254" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "7ce86f3d";
|
||||
};
|
||||
roam01 = {
|
||||
interfaces = { };
|
||||
|
||||
vpnKeys = {
|
||||
wg-mgmt = {
|
||||
id = 2;
|
||||
key = "Yg1GwHbJ7kwNbnjxI+5LtgDvzMPMiOm3EgI/saLI7FU=";
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "999dc679";
|
||||
};
|
||||
}
|
||||
// mkRoutexp (import ./routexp.nix)
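Review bot: `address = "2a0e:e701:1120:1000:ffff::45.13.104.26"` in the `dns01` entry reads like a typo at first glance; it is the IPv4-embedded IPv6 literal form, presumably the SIIT mapping of the `45.13.104.26/32` declared just below, and a comment such as `# IPv4-embedded form: 45.13.104.26 as seen through the SIIT prefix` would stop someone "fixing" it. `mkRoutexp` is defined here and again, with a different body, in meta/nodes.nix, both reading `./routexp.nix`; the two copies depend on `id` being a string that is valid both as a hostname suffix and as a hex group in `::1000:${id}`, which nothing in `./routexp.nix` states. A comment in the list file fixing that contract (`# id: two-digit hex string, used as hostname suffix and last address group`) would keep the two generators in step.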
|
||||
|
|
|
@ -18,8 +18,36 @@
|
|||
- hyp01 -> Salle serveur Hypnos 1
|
||||
- luj01 -> VM de Luj
|
||||
*/
|
||||
{
|
||||
let
|
||||
mkRoutexp =
|
||||
l:
|
||||
builtins.listToAttrs (
|
||||
builtins.map (
|
||||
{ id, ... }:
|
||||
{
|
||||
name = "routexp${id}";
|
||||
value = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$XJTT9MWCE49axmQppQSKc0$b9OzdEaQgDdXTc.meKWNeKd.TeTui2PdzdcFI/ggKk3";
|
||||
|
||||
stateVersion = "24.11";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
}
|
||||
) l
|
||||
);
|
||||
in
|
||||
{
|
||||
dns01 = {
|
||||
site = "pav01";
|
||||
|
||||
# TODO:
|
||||
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
krz01 = {
|
||||
site = "pav01";
|
||||
|
||||
|
@ -28,6 +56,14 @@
|
|||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
homebox01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
labcore01 = {
|
||||
site = "pav01";
|
||||
|
||||
|
@ -36,6 +72,15 @@
|
|||
stateVersion = "24.05";
|
||||
nixpkgs = "24.05";
|
||||
};
|
||||
photo01 = {
|
||||
site = "pav01";
|
||||
|
||||
# TODO
|
||||
hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
router02 = {
|
||||
site = "pav01";
|
||||
|
||||
|
@ -44,4 +89,23 @@
|
|||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
status01 = {
|
||||
site = "pav01";
|
||||
|
||||
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
|
||||
|
||||
stateVersion = "24.05";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
roam01 = {
|
||||
site = "nowhere";
|
||||
|
||||
hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
|
||||
|
||||
deployment.targetHost = "129.199.146.39";
|
||||
|
||||
stateVersion = "24.11";
|
||||
nixpkgs = "unstable";
|
||||
};
|
||||
}
|
||||
// mkRoutexp (import ./routexp.nix)
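Review bot: The `hashedPassword` given to `dns01` (already marked `# TODO:`) is byte-identical to the ones on `homebox01` and `status01`, and `mkRoutexp` stamps one fixed hash onto every routexp node, so a single credential currently unlocks several machines. The TODO markers on dns01 and photo01 suggest these are placeholders; each host should get its own hash before it is reachable, or the TODO should say explicitly which hosts are meant to share one and until when. `mkRoutexp` duplicates the generator of the same name in meta/network.nix with a different result shape; a one-line comment above it saying that this copy produces node metadata while the other produces network metadata would make the split intentional rather than accidental.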
|
||||
|
|
142
meta/options.nix
142
meta/options.nix
|
@ -14,11 +14,14 @@ let
|
|||
ints
|
||||
listOf
|
||||
nullOr
|
||||
singleLineStr
|
||||
str
|
||||
submodule
|
||||
unspecified
|
||||
;
|
||||
|
||||
inherit (ints) positive;
|
||||
|
||||
addressType =
|
||||
max:
|
||||
submodule {
|
||||
|
@ -34,6 +37,22 @@ let
|
|||
};
|
||||
};
|
||||
|
||||
vpnKeyType = submodule {
|
||||
options = {
|
||||
id = mkOption {
|
||||
type = positive;
|
||||
description = ''
|
||||
Unique ID that will be used to guess IP address
|
||||
'';
|
||||
};
|
||||
key = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Public key of the user for this VPN
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
org = config.organization;
|
||||
in
|
||||
|
||||
|
@ -41,23 +60,55 @@ in
|
|||
options = {
|
||||
organization = {
|
||||
members = mkOption {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Name of the member.
|
||||
'';
|
||||
};
|
||||
type = attrsOf (
|
||||
submodule (
|
||||
{ name, ... }:
|
||||
{
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Name of the member.
|
||||
'';
|
||||
};
|
||||
|
||||
email = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Main e-mail address of the member.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
email = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Main e-mail address of the member.
|
||||
'';
|
||||
};
|
||||
|
||||
username = mkOption {
|
||||
type = str;
|
||||
default = name;
|
||||
description = ''
|
||||
The username used for authentication.
|
||||
WARNING: Must be the same as the ens login!
|
||||
'';
|
||||
};
|
||||
|
||||
sshKeys = lib.mkOption {
|
||||
type = listOf singleLineStr;
|
||||
description = ''
|
||||
A list of verbatim OpenSSH public keys that should be added to the
|
||||
user's authorized keys.
|
||||
'';
|
||||
example = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
|
||||
"ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
|
||||
];
|
||||
};
|
||||
|
||||
vpnKeys = mkOption {
|
||||
type = attrsOf vpnKeyType;
|
||||
default = { };
|
||||
description = "Attribute sets to define vpn keys of the user";
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
);
|
||||
|
||||
description = ''
|
||||
Members of the DGNum organization.
|
||||
|
@ -70,6 +121,39 @@ in
|
|||
Groups of the DGNum organization.
|
||||
'';
|
||||
};
|
||||
|
||||
external = mkOption {
|
||||
type = attrsOf (listOf str);
|
||||
description = ''
|
||||
External services used by the DGNum organization.
|
||||
'';
|
||||
};
|
||||
|
||||
services = mkOption {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
admins = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of administrators of the service.
|
||||
'';
|
||||
};
|
||||
|
||||
adminGroups = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of administrator groups of the service.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
description = ''
|
||||
Administrator access of the different DGNum services,
|
||||
it is mainly indicative as most services cannot configure this statically.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
nodes = mkOption {
|
||||
|
@ -256,6 +340,13 @@ in
|
|||
IP address of the node in the netbird network.
|
||||
'';
|
||||
};
|
||||
|
||||
vpnKeys = mkOption {
|
||||
type = attrsOf vpnKeyType;
|
||||
default = { };
|
||||
description = "Attribute sets to define vpn keys of the machine";
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
|
@ -327,11 +418,20 @@ in
|
|||
extract "adminGroups" config.nodes
|
||||
))
|
||||
|
||||
# Check that all members have ssh keys
|
||||
(builtins.map (name: {
|
||||
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
|
||||
message = "No ssh keys found for ${name}.";
|
||||
}) members)
|
||||
# Check that all services admins exist
|
||||
(membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
|
||||
extract "admins" org.services
|
||||
))
|
||||
|
||||
# Check that all services adminGroups exist
|
||||
(groupsExists (
|
||||
name: "A member of the service ${name} adminGroups was not found in the groups list."
|
||||
) (extract "adminGroups" org.services))
|
||||
|
||||
# Check that all external services admins exist
|
||||
(membersExists (
|
||||
name: "A member of the external service ${name} admins was not found in the members list."
|
||||
) org.external)
|
||||
];
|
||||
};
|
||||
}
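Review bot: `vpnKeyType.id` is documented as a "Unique ID that will be used to guess IP address", but the assertions in the final hunk check member and group existence only and never that ids are unique per VPN name; two members (or two nodes) with the same `wg-mgmt` id would derive the same address and the same WireGuard `AllowedIPs` entry, and the peer configured last would silently take over the route. An assertion built with `lib.unique` over the `"${vpn}:${toString id}"` pairs of `org.members`, and a second one over `config.nodes` (the router gives members and machines different prefixes, so uniqueness is needed within each set rather than across both), would catch this at evaluation time in the same way the existing `membersExists` checks do. The node-side `vpnKeys` option description ends with a stray blank line before its closing `};`.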
|
||||
|
|
|
@ -5,44 +5,104 @@
|
|||
|
||||
{
|
||||
members = {
|
||||
agroudiev = {
|
||||
name = "Antoine Groudiev";
|
||||
email = "antoine.groudiev@dgnum.eu";
|
||||
sshKeys = [
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
};
|
||||
|
||||
catvayor = {
|
||||
name = "Lubin Bailly";
|
||||
email = "catvayor@dgnum.eu";
|
||||
username = "lbailly";
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
|
||||
];
|
||||
vpnKeys = {
|
||||
wg-mgmt = {
|
||||
id = 1;
|
||||
key = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
cst1 = {
|
||||
name = "Constantin Gierczak--Galle";
|
||||
email = "cst1@dgnum.eu";
|
||||
username = "cgierczakgalle";
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
|
||||
];
|
||||
};
|
||||
|
||||
ecoppens = {
|
||||
name = "Elias Coppens";
|
||||
email = "ecoppens@dgnum.eu";
|
||||
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
|
||||
};
|
||||
|
||||
jemagius = {
|
||||
name = "Jean-Marc Gailis";
|
||||
email = "jm@dgnum.eu";
|
||||
username = "jgailis";
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
|
||||
];
|
||||
};
|
||||
|
||||
luj = {
|
||||
name = "Julien Malka";
|
||||
email = "luj@dgnum.eu";
|
||||
username = "jmalka";
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
|
||||
];
|
||||
};
|
||||
|
||||
mboyer = {
|
||||
name = "Matthieu Boyer";
|
||||
email = "matthieu.boyer@dgnum.eu";
|
||||
username = "mboyer02";
|
||||
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
|
||||
};
|
||||
|
||||
mdebray = {
|
||||
name = "Maurice Debray";
|
||||
email = "maurice.debray@dgnum.eu";
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
|
||||
];
|
||||
vpnKeys = {
|
||||
wg-mgmt = {
|
||||
id = 2;
|
||||
key = "+nTxD4ZAzk+9LHGwEfK0t2cMQf0ognBYmhybNbCzW38=";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
raito = {
|
||||
name = "Ryan Lahfa";
|
||||
email = "ryan@dgnum.eu";
|
||||
username = "rlahfa";
|
||||
sshKeys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||
];
|
||||
};
|
||||
|
||||
thubrecht = {
|
||||
name = "Tom Hubrecht";
|
||||
email = "tom.hubrecht@dgnum.eu";
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
|
7
meta/routexp.nix
Normal file
7
meta/routexp.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
# List of routers for the routexp experiment
|
||||
[
|
||||
{
|
||||
id = "01";
|
||||
hostId = "d70d0593";
|
||||
}
|
||||
]
|
|
@ -1,12 +1,23 @@
|
|||
{ lib, sources, ... }:
|
||||
{
|
||||
imports = (lib.extra.mkImports ./. [ "lab-acme" ]) ++ [
|
||||
"${sources."microvm.nix"}/nixos-modules/host"
|
||||
];
|
||||
imports =
|
||||
(lib.extra.mkImports ./. [
|
||||
"lab-acme"
|
||||
"lab-network"
|
||||
"lab-routexp"
|
||||
])
|
||||
++ [
|
||||
"${sources."microvm.nix"}/nixos-modules/host"
|
||||
(import sources.proxmox-nixos).nixosModules.declarative-vms
|
||||
]
|
||||
++ (import sources.nix-modules { inherit lib; }).importModules [
|
||||
"services/nginx-sni"
|
||||
];
|
||||
|
||||
dgn-notify.enable = false;
|
||||
|
||||
dgn-records.enable = false;
|
||||
dgn-network.enable = false;
|
||||
|
||||
# TODO think about how to use netbox with lab
|
||||
dgn-netbox-agent.enable = false;
|
||||
|
|
58
modules/lab-network.nix
Normal file
58
modules/lab-network.nix
Normal file
|
@ -0,0 +1,58 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
meta,
|
||||
name,
|
||||
nodeMeta,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
mapAttrs'
|
||||
mkEnableOption
|
||||
mkIf
|
||||
;
|
||||
|
||||
net' = meta.network.${name};
|
||||
|
||||
mkAddress = { address, prefixLength, ... }: "${address}/${builtins.toString prefixLength}";
|
||||
mkRoute = gateway: {
|
||||
routeConfig = {
|
||||
Gateway = gateway;
|
||||
GatewayOnLink = true;
|
||||
};
|
||||
};
|
||||
|
||||
mkInterface = interface: net: {
|
||||
name = "10-${interface}";
|
||||
value = {
|
||||
name = interface;
|
||||
address = builtins.map mkAddress (net.ipv4 ++ net.ipv6);
|
||||
routes = builtins.map mkRoute net.gateways;
|
||||
|
||||
inherit (net) DHCP dns;
|
||||
};
|
||||
};
|
||||
|
||||
cfg = config.lab-network;
|
||||
in
|
||||
{
|
||||
options.lab-network.enable = mkEnableOption "automatic network configuration based on metadata" // {
|
||||
default = true;
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking = {
|
||||
inherit (net') hostId;
|
||||
|
||||
hostName = name;
|
||||
domain = "${nodeMeta.site}.infra.lab.dgnum.eu";
|
||||
useNetworkd = true;
|
||||
|
||||
firewall.logRefusedConnections = false;
|
||||
};
|
||||
|
||||
systemd.network.networks = mapAttrs' mkInterface net'.interfaces;
|
||||
};
|
||||
}
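Review bot: `mkRoute` still wraps its attributes in `routeConfig = { … }`, while the router02 hunks in this same range (for example `@ -176,23 +163,21 @@`) appear to be removing that wrapper in favour of flat route attributes — `routeConfig` is deprecated in recent nixpkgs, and several nodes here track `unstable`; `mkRoute = gateway: { Gateway = gateway; GatewayOnLink = true; };` keeps the new module consistent with that cleanup. `firewall.logRefusedConnections = false;` switches off the kernel log line for dropped packets on every lab node by default, which removes the one signal an operator would otherwise have for scans or misrouted traffic; it deserves a `# why` comment, or should be left for individual machines to opt into. `inherit (net) DHCP dns;` presumes every interface entry in meta/network.nix defines `DHCP` and `dns`, yet the homebox01/status01 entries visible in this range set `enableDefaultDNS` rather than `dns`, so this presumably relies on defaults declared in meta/options.nix outside this view — worth confirming.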
|
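--- a/modules/lab-routexp/default.nix
+++ b/modules/lab-routexp/default.nix
@@ -0,0 +1,112 @@
+# Copyright :
+# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
+#
+# Ce logiciel est un programme informatique servant à déployer des
+# configurations de serveurs via NixOS.
+#
+# Ce logiciel est régi par la licence CeCILL soumise au droit français et
+# respectant les principes de diffusion des logiciels libres. Vous pouvez
+# utiliser, modifier et/ou redistribuer ce programme sous les conditions
+# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
+# sur le site "http://www.cecill.info".
+#
+# En contrepartie de l'accessibilité au code source et des droits de copie,
+# de modification et de redistribution accordés par cette licence, il n'est
+# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
+# seule une responsabilité restreinte pèse sur l'auteur du programme, le
+# titulaire des droits patrimoniaux et les concédants successifs.
+#
+# A cet égard l'attention de l'utilisateur est attirée sur les risques
+# associés au chargement, à l'utilisation, à la modification et/ou au
+# développement et à la reproduction du logiciel par l'utilisateur étant
+# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
+# manipuler et qui le réserve donc à des développeurs et des professionnels
+# avertis possédant des connaissances informatiques approfondies. Les
+# utilisateurs sont donc invités à charger et tester l'adéquation du
+# logiciel à leurs besoins dans des conditions permettant d'assurer la
+# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
+# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
+#
+# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
+# pris connaissance de la licence CeCILL, et que vous en avez accepté les
+# termes.
+
+{ config, lib, ... }:
+
+let
+inherit (lib)
+mkOption
+types
+mkEnableOption
+mkIf
+;
+
+cfg = config.lab-routexp;
+in
+
+{
+options.lab-routexp = {
+enable = mkEnableOption "Routing experimentation settings.";
+connections = mkOption {
+type = types.listOf types.int;
+default = { };
+description = "Interface -> Address/CIDR map";
+};
+id = mkOption {
+type = types.int;
+description = "machine id";
+};
+};
+
+config = mkIf cfg.enable {
+virtualisation.proxmox = {
+node = "krz01";
+autoInstall = true;
+vmid = 150 + config.lab-routexp.id;
+bios = "ovmf";
+memory = 4096;
+cores = 2;
+net =
+[
+{
+model = "virtio";
+bridge = "vmbr1";
+tag = 2520;
+}
+]
+++ builtins.map (vlan: {
+model = "virtio";
+bridge = "vmbr1";
+tag = vlan;
+}) cfg.connections;
+scsi = [ { file = "zfs-noraid:16"; } ]; # This will create a 16GB volume in 'local'
+};
+
+systemd.network = {
+networks =
+builtins.listToAttrs (
+lib.imap0 (i: vlan: {
+name = "20-ens${builtins.toString (20 + i)}";
+value = {
+name = "ens${builtins.toString (20 + i)}";
+address = [ "fdfd:1794:0:${builtins.toString vlan}::${builtins.toString cfg.id}/64" ];
+};
+}) cfg.connections
+)
+// {
+"20-babel-local" = {
+name = "babel-local";
+address = [ "fdfd:1794::${builtins.toString cfg.id}/64" ];
+};
+};
+netdevs = {
+"babel-local" = {
+netdevConfig = {
+Name = "babel-local";
+Kind = "dummy";
+};
+};
+};
+};
+};
+}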
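Review bot: `connections` is declared with `type = types.listOf types.int;` but its `default = { };` is an attribute set, so a host that enables the module without setting `lab-routexp.connections` fails the option type check instead of getting an empty VLAN list; the default should be `default = [ ];`. The `description = "Interface -> Address/CIDR map";` also describes something other than what the code consumes — the value is the list of VLAN tags that become extra `virtio` NICs on `vmbr1` and `ens2x` networkd units — so `description = "VLAN tags attached to the VM as additional interfaces";` would match. The trailing comment on the `scsi` line says the volume lands in 'local' while the reference is `zfs-noraid:16`; one of the two should be corrected so the comment does not mislead the next reader.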
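--- a/nixmoxer.conf
+++ b/nixmoxer.conf
@@ -0,0 +1,7 @@
+# nixmoxer.conf
+host=krz01.dgnum:8006
+user=root@pam
+password=7GsnLcPfXV4OzHg3wo1e2zWphek0
+#token_value=971e236f-60f3-445c-b574-142230409312
+#token_name=nixmoxer-maurice
+verify_ssl=0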
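Review bot: This file commits a Proxmox API credential in clear text — `user=root@pam` together with a live `password=` line for `host=krz01.dgnum:8006`, plus a commented-out `#token_value=` for the `nixmoxer-maurice` token. Once pushed these values should be treated as exposed: rotate the root@pam password and the API token, drop the file from the repository (and from history where the remote permits), and keep only a template with placeholders such as `password=<set locally, not committed>` under version control; adding the filename to .gitignore does not untrack a file that is already committed. `verify_ssl=0` additionally disables TLS certificate verification on the connection that carries this credential, so the Proxmox host's CA should be trusted explicitly rather than turning verification off.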
@ -25,10 +25,25 @@
|
|||
"pre_releases": false,
|
||||
"version_upper_bound": null,
|
||||
"release_prefix": null,
|
||||
"version": "v1.8.0",
|
||||
"revision": "624fd86460e482017ed9c3c3c55a3758c06a4e7f",
|
||||
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.0",
|
||||
"hash": "06ifryv6rw25cz8zda4isczajdgrvcl3aqr145p8njxx5jya2d77"
|
||||
"version": "v1.9.0",
|
||||
"revision": "49a4936cee640e27d74baee6fd1278285d29b100",
|
||||
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
|
||||
"hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
|
||||
},
|
||||
"dns-nix": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
"type": "GitHub",
|
||||
"owner": "nix-community",
|
||||
"repo": "dns.nix"
|
||||
},
|
||||
"pre_releases": false,
|
||||
"version_upper_bound": null,
|
||||
"release_prefix": null,
|
||||
"version": "v1.2.0",
|
||||
"revision": "a3196708a56dee76186a9415c187473b94e6cbae",
|
||||
"url": "https://api.github.com/repos/nix-community/dns.nix/tarball/v1.2.0",
|
||||
"hash": "011b6ahj4qcf7jw009qgbf6k5dvjmgls88khwzgjr9kxlgbypb90"
|
||||
},
|
||||
"git-hooks": {
|
||||
"type": "Git",
|
||||
|
@ -38,9 +53,9 @@
|
|||
"repo": "git-hooks.nix"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "1211305a5b237771e13fcca0c51e60ad47326a9a",
|
||||
"url": "https://github.com/cachix/git-hooks.nix/archive/1211305a5b237771e13fcca0c51e60ad47326a9a.tar.gz",
|
||||
"hash": "1qz8d9g7rhwjk4p2x0rx59alsf0dpjrb6kpzs681gi3rjr685ivq"
|
||||
"revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
|
||||
"url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz",
|
||||
"hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw"
|
||||
},
|
||||
"infrastructure": {
|
||||
"type": "Git",
|
||||
|
@ -49,9 +64,9 @@
|
|||
"url": "https://git.dgnum.eu/DGNum/infrastructure"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "45f2f5905506ad7523bde63ae94d0a3dc19dd604",
|
||||
"revision": "32f68a54a92b3742030d43cb0402ea9de332a004",
|
||||
"url": null,
|
||||
"hash": "171rwwvx4mq01g1c2rhn6v4hyv5c8g2jzzxmff4qz70yzlhs8806"
|
||||
"hash": "1wk0wwa74gq35rx77jannkz2y1zlqz2v7ngm0sn6zj9mx9wwp0b2"
|
||||
},
|
||||
"lix": {
|
||||
"type": "Git",
|
||||
|
@ -60,9 +75,9 @@
|
|||
"url": "https://git.lix.systems/lix-project/lix.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6",
|
||||
"revision": "f116608a20430b8484814300cdf22eebeb75a59f",
|
||||
"url": null,
|
||||
"hash": "05kxga8fs9h4qm0yvp5l7jvsda7hzqs7rvxcn8r52dqg3c80hva9"
|
||||
"hash": "0hhjx3vk7rchkb4njhsf4vk2f7ipkpqb9jvywm0xcbpwa08xffis"
|
||||
},
|
||||
"lix-module": {
|
||||
"type": "Git",
|
||||
|
@ -71,9 +86,9 @@
|
|||
"url": "https://git.lix.systems/lix-project/nixos-module.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
|
||||
"revision": "aa2846680fa9a2032939d720487942567fd9eb63",
|
||||
"url": null,
|
||||
"hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
|
||||
"hash": "0gb174800sgh6y6sir23nxsx85xrk478hbwqbzyd46ac34clz9wz"
|
||||
},
|
||||
"lon": {
|
||||
"type": "Git",
|
||||
|
@ -106,9 +121,9 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "2fd7c7810b2a901020ddd2d0cc82810b83a313fc",
|
||||
"revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361",
|
||||
"url": null,
|
||||
"hash": "0rag870ll745r5isnk6hlxv0b0sbgriba5k6nihahcwsal2f4830"
|
||||
"hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn"
|
||||
},
|
||||
"nix-patches": {
|
||||
"type": "GitRelease",
|
||||
|
@ -131,9 +146,9 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "0e80d4dcdd54a75556c0784de55dc139ad4fe797",
|
||||
"revision": "3ab3e49269d9e2536c8c5f78d4da673d7a3f5286",
|
||||
"url": null,
|
||||
"hash": "1hlb0cczxq0jrzw4lhmkibnb8skcar0rmny594aqgyikknwzx2qf"
|
||||
"hash": "0b4k0gchxcdlmvs88403hdbidsxswigzxswcba7a3fxz9d884c4y"
|
||||
},
|
||||
"nixos-23.11": {
|
||||
"type": "Channel",
|
||||
|
@ -144,8 +159,8 @@
|
|||
"nixos-24.05": {
|
||||
"type": "Channel",
|
||||
"name": "nixos-24.05",
|
||||
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5518.ecbc1ca8ffd6/nixexprs.tar.xz",
|
||||
"hash": "1yr2v17d8jg9567rvadv62bpr6i47fp73by2454yjxh1m9ric2cm"
|
||||
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
|
||||
"hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
|
||||
},
|
||||
"nixos-generators": {
|
||||
"type": "Git",
|
||||
|
@ -155,21 +170,21 @@
|
|||
"repo": "nixos-generators"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "9ae128172f823956e54947fe471bc6dfa670ecb4",
|
||||
"url": "https://github.com/nix-community/nixos-generators/archive/9ae128172f823956e54947fe471bc6dfa670ecb4.tar.gz",
|
||||
"hash": "1zn3lykymimzh21q4fixw6ql42n8j82dqwm5axifhcnl8dsdgrvr"
|
||||
"revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
|
||||
"url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz",
|
||||
"hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4"
|
||||
},
|
||||
"nixos-unstable": {
|
||||
"type": "Channel",
|
||||
"name": "nixos-unstable",
|
||||
"url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre688563.bc947f541ae5/nixexprs.tar.xz",
|
||||
"hash": "1jsaxwi128fiach3dj8rdj5agqivsr4sidb8lmdnl7g07fl9x0kj"
|
||||
"url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta723344.d3c42f187194/nixexprs.tar.xz",
|
||||
"hash": "0kwwzcza46ygfvrhhbnc7x02z3qw3zkyrjaxcdxmza0jzdv8gydj"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"type": "Channel",
|
||||
"name": "nixpkgs-unstable",
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre689466.7d49afd36b55/nixexprs.tar.xz",
|
||||
"hash": "0r4zb6j8in4dk7gxciapfm49dqbdd0c7ajjzj9iy2xrrj5aj32qp"
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
|
||||
"hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
|
||||
},
|
||||
"proxmox-nixos": {
|
||||
"type": "Git",
|
||||
|
@ -179,9 +194,20 @@
|
|||
"repo": "proxmox-nixos"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
|
||||
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
|
||||
"hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
|
||||
"revision": "15187a4c4ac50d1a38c734f72dd201a7eb504a89",
|
||||
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/15187a4c4ac50d1a38c734f72dd201a7eb504a89.tar.gz",
|
||||
"hash": "1scyza59y0kfjhl5chsl53l61p0dv5ymb4k7bq8grg9nla4aj7f2"
|
||||
},
|
||||
"stateless-uptime-kuma": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "Git",
|
||||
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
|
||||
"url": null,
|
||||
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
|
||||
}
|
||||
},
|
||||
"version": 3
|
||||
|
|