
20 commits

Author SHA1 Message Date
sinavir
930c1bd90a feat(sni-proxy): init 2024-12-22 02:49:09 +01:00
sinavir
138ea89bbc fix(dns01): Use the meta provided by the module system 2024-12-22 02:46:58 +01:00
sinavir
1f28d0ccbf feat(router02/sit): Use new tunnel 2024-12-21 12:57:20 +01:00
sinavir
9daab9a609 fix(lab-network): Don't use mkForce 2024-12-21 12:57:08 +01:00
sinavir
9b794dff35 feat(npins): update 2024-12-21 12:57:08 +01:00
40df8e738d
chore: nothing 2024-12-13 12:06:49 +01:00
sinavir
e262e55a66
feat: init roam01 2024-12-13 12:06:49 +01:00
sinavir
1d1a4ccac3
feat: experimental routers infra for dn42 2024-12-13 12:06:37 +01:00
sinavir
5626bba501
chore(npins): Update 2024-12-13 12:04:18 +01:00
sinavir
bceb0ce492
chore(router02/networking): Update routes syntax 2024-12-13 12:04:18 +01:00
1467819be2
feat: add deployment tag 'cst1' 2024-12-09 10:31:35 +01:00
b10fee2eee
feat(uptime-kuma): we have 100% uptime 2024-12-07 19:42:36 +01:00
d3bfe16f7f feat(status01): init (#11)
Reviewed-on: DGNum/lab-infra#11
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-12-07 16:26:03 +01:00
1b8dc4d78a feat(dns01): bootstrap DNS (#10)
Reviewed-on: DGNum/lab-infra#10
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-12-07 14:44:37 +01:00
862168b2bc feat(dns01): init DNS config (#9)
Reviewed-on: DGNum/lab-infra#9
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-12-07 12:53:31 +01:00
1f82719dcb feat(homebox01): init (#8)
Reviewed-on: DGNum/lab-infra#8
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-12-06 14:29:26 +01:00
51aaa9a80d feat(dns01): switch to milkywan network (#7)
Reviewed-on: DGNum/lab-infra#7
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-12-05 09:39:28 +01:00
9b5c6848c0 feat(dns01): use infra-wide network config (#6)
Reviewed-on: DGNum/lab-infra#6
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-12-04 18:07:34 +01:00
225ced72c2 feat(dns01): init
Reviewed-on: DGNum/lab-infra#5
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-11-22 21:32:35 +01:00
68b5f86bd5 feat(photo01): init (#4)
Reviewed-on: DGNum/lab-infra#4
Co-authored-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
Co-committed-by: Constantin Gierczak--Galle <git.cst1@mailbox.org>
2024-11-22 14:04:37 +01:00
61 changed files with 1880 additions and 114 deletions

3
.gitignore vendored

@ -9,3 +9,6 @@ result-*
*.qcow2 *.qcow2
.gcroots .gcroots
.pre-commit-config.yaml .pre-commit-config.yaml
# nixmoxer (proxmox declarative vms)
nixmoxer.conf


@ -3,13 +3,13 @@
## HE ## HE
On a un `/64` uniquement routé via un tunnel 6in4: On a un `/64` uniquement routé via un tunnel 6in4:
- IP de lien local: `2001:470:1f12:187::2/64` - IP de lien local: `2001:470:1f12:2b::2/64`
- IP de lien Remote: `2001:470:1f12:187::1/64` - IP de lien Remote: `2001:470:1f12:2b::1/64`
- Endpoint ipv4: `216.66.84.42`/`129.199.146.230` - Endpoint ipv4: `216.66.84.42`/`129.199.146.230`
| Préfixe | Attribution | | Préfixe | Attribution |
|-|-| |-|-|
| `2001:470:1f13:187::/64` | he-dmz, vlan 2530 | | `2001:470:1f13:2b::/64` | he-dmz, vlan 2530 |
## MWAN ## MWAN
@ -22,7 +22,7 @@ Routé via SIIT sur le vlan mwan-siit (2520)
| IP | Attribution | Mainteneur | | IP | Attribution | Mainteneur |
|----|-------------|------------| |----|-------------|------------|
| `.25` | `labcore01` | Maurice | | `.25` | `labcore01` | Maurice |
| `.26` | | | | `.26` | `dns01` | cst1 |
| `.27` | | | | `.27` | | |
| `.28` | | | | `.28` | | |
| `.29` | | | | `.29` | | |


@ -71,7 +71,7 @@ in
{ {
nodes = builtins.mapAttrs ( nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu" host: { site, ... }: "${host}.${site}.lab.infra.dgnum.eu"
) (import ./meta/nodes.nix); ) (import ./meta/nodes.nix);
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix; mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;


@ -14,10 +14,18 @@ rec {
_keys = (import "${_sources.infrastructure}/keys")._keys // { _keys = (import "${_sources.infrastructure}/keys")._keys // {
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ]; krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ]; router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
roam01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXjzVxYs5v5+7N0tyqpBQERXKjXwTZUqVGkdye4S1LP" ];
status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
}; };
_vpnKeys =
builtins.mapAttrs (_: v: v.vpnKeys) meta.organization.members
// builtins.mapAttrs (_: v: v.vpnKeys) meta.network;
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls); getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
getVpnKey = vpn: name: _vpnKeys.${name}.${vpn};
mkSecrets = mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); }; nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
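Review bot: `_vpnKeys` is built with `//` on L134–L135, so a `meta.network` entry whose name collides with a `meta.organization.members` entry silently replaces the member's keys, and `getVpnKey` (L137) then hands out the node's public key for the member without any error. Guard the merge before relying on it, e.g. `_vpnKeys = assert builtins.intersectAttrs meta.organization.members meta.network == { }; …`, or keep members and nodes under distinct prefixes. `getVpnKey` also fails with a bare "attribute missing" when a peer has no entry for the requested vpn; a one-line comment such as `# getVpnKey vpn name: throws if <name> has no key for <vpn>` would help the callers in the wireguard modules. The enclosing `rec { … }` starts before this hunk.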


@ -0,0 +1,27 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"nsd"
];
extraConfig = {
# TODO : retrieve this address from meta/network.nix
deployment.targetHost = "45.13.104.26";
deployment.tags = [ "cst1" ];
networking.firewall = {
enable = true;
logRefusedConnections = lib.mkForce true;
logRefusedPackets = lib.mkForce true;
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
};
root = ./.;
}
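Review bot: `logRefusedConnections` and `logRefusedPackets` are pinned with `lib.mkForce` on L159–L160, which makes them impossible to lower from any other module and sits oddly next to the `fix(lab-network): Don't use mkForce` commit in this same range. On an Internet-facing authoritative name server, logging every refused packet also turns a port scan or a UDP flood into journal growth, so `logRefusedConnections = true;` (overridable) is enough and `logRefusedPackets` is better left at its default once the host is in production. The hard-coded `deployment.targetHost` already carries a TODO; the proxmox hunk shows the pattern, `meta.network.${name}`, that the other hosts use for their addresses.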


@ -0,0 +1,34 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader.systemd-boot.enable = true;
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
};
fileSystems."/" = {
device = "/dev/disk/by-partlabel/disk-sda-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/disk-sda-ESP";
fsType = "vfat";
};
networking.useDHCP = lib.mkDefault false;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,61 @@
{
meta,
dns,
lib,
...
}:
let
inherit (lib) mapAttrs' nameValuePair;
in
with dns.lib.combinators;
{
SOA = {
nameServer = "ns01.lab.dgnum.eu";
adminEmail = "dns@dgnum.eu";
serial = 2019030800;
retry = 3600;
minimum = 300;
};
NS = [ "ns01.lab.dgnum.eu." ];
#A = [ "203.0.113.1" ];
#AAAA = [ "4321:0:1:2:3:4:567:89ab" ];
subdomains = {
# Hosted services
# NOTE: for now manually supplied, in the future automatically filled in
photoprism = host "129.199.146.101" null;
immich = host "129.199.146.101" null;
homebox = host "129.199.146.102" null;
status = host "129.199.146.103" null;
kfet = host "129.199.146.230" "2a0e:e701:1120:1000::f:1";
# Nameservers
ns01 = host "45.13.104.26" "2a0e:e701:1120:1000:ffff::45.13.104.26";
# *.infra.lab.dgnum.eu
infra = {
subdomains = mapAttrs' (
host:
{ site, ... }:
nameValuePair "${host}.${site}" (
with meta.network.${host}.addresses;
{
A = ipv4;
AAAA = ipv6;
subdomains = {
v4.A = ipv4;
v6.AAAA = ipv6;
};
}
)
) meta.nodes;
};
};
}
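Review bot: The SOA `serial` on L217 is a fixed literal (`2019030800`), so every later change to this zone — including the `infra` records generated from `meta.nodes` on L236–L250 — is published with an unchanged serial, and any secondary or resolver that compares serials will keep the old data. Bump it on every change or derive it from the data, and state the rule next to it, e.g. `# serial: YYYYMMDDnn, bump on every edit — secondaries only refresh when it grows`. The `photoprism`, `immich`, `homebox` and `status` records on L227–L230 are hand-typed addresses while `infra` is generated; the NOTE on L226 already says so, so moving them to `meta.network` when the addresses land there closes that gap.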

24
machines/dns01/nsd.nix Normal file

@ -0,0 +1,24 @@
{
sources,
lib,
meta,
...
}:
let
dns = import sources.dns-nix { };
in
{
services.nsd = {
enable = true;
verbosity = 1000;
interfaces = [ "2a0e:e701:1120:1000:ffff::45.13.104.26" ];
zones = {
"lab.dgnum.eu" = {
# provideXFR = [ ... ];
# notify = [ ... ];
data = dns.lib.toString "lab.dgnum.eu" (import ./lab.dgnum.eu.nix { inherit meta dns lib; });
};
};
};
}
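Review bot: `verbosity = 1000;` on L272 is far above NSD's documented logging levels (small integers, default 0) and logs every event, which on an Internet-facing authoritative server turns scans and floods into log growth; it reads like a debugging leftover, and `verbosity = 1;` keeps notify and transfer logging. The daemon listens only on the SIIT-mapped `2a0e:e701:1120:1000:ffff::45.13.104.26` (L273) while the zone publishes `ns01` with an IPv4 A record for `45.13.104.26` and `default.nix` opens port 53 for both protocols; if IPv4 queries are meant to arrive through the translator, say so on L273, e.g. `# IPv4 45.13.104.26 is reached via SIIT; no native v4 listener`. Zone transfers stay off (`provideXFR` commented out), which is the right default while there is no secondary.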


@ -0,0 +1,3 @@
(import ../../../keys).mkSecrets [ "dns01" ] [
# List of secrets for router02
]
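Review bot: The placeholder comment `# List of secrets for router02` on L288 was copied from router02 and is wrong for this host; the same stale comment appears in the homebox01 (L384), photo01 (L719), roam01 (L799), routexp01 (L1305) and status01 (L1383) secrets files. Replace it with the host's own name in each, here `# List of secrets for dns01`.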


@ -0,0 +1,25 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"homebox"
"nginx"
];
extraConfig = {
deployment.tags = [ "cst1" ];
networking = {
firewall.allowedTCPPorts = [
80
443
];
};
};
root = ./.;
}


@ -0,0 +1,34 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader.systemd-boot.enable = true;
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
};
fileSystems."/" = {
device = "/dev/disk/by-partlabel/disk-sda-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/disk-sda-ESP";
fsType = "vfat";
};
networking.useDHCP = lib.mkDefault false;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,14 @@
{
services.homebox = {
enable = true;
settings = {
HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
};
};
services.nginx.virtualHosts."homebox.lab.dgnum.eu" = {
enableACME = true;
forceSSL = true;
serverAliases = [ ];
locations."/".proxyPass = "http://localhost:7745/";
};
}


@ -0,0 +1,10 @@
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "500m";
};
}


@ -0,0 +1,3 @@
(import ../../../keys).mkSecrets [ "homebox01" ] [
# List of secrets for router02
]


@ -8,8 +8,8 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# INFO: This list needs to stay sorted alphabetically # INFO: This list needs to stay sorted alphabetically
# Machine learning API machine # Machine learning API machine
# "microvm-ml01" "microvm-ml01"
# "microvm-router01" "microvm-router01"
"nvidia-tesla-k80" "nvidia-tesla-k80"
"ollama" "ollama"
"whisper" "whisper"


@ -1,4 +1,9 @@
{ sources, ... }: {
sources,
meta,
name,
...
}:
let let
proxmox-nixos = import sources.proxmox-nixos; proxmox-nixos = import sources.proxmox-nixos;
in in
@ -6,6 +11,7 @@ in
imports = [ proxmox-nixos.nixosModules.proxmox-ve ]; imports = [ proxmox-nixos.nixosModules.proxmox-ve ];
services.proxmox-ve = { services.proxmox-ve = {
enable = true; enable = true;
ipAddress = meta.network.${name}.netbirdIp;
openFirewall = false; openFirewall = false;
}; };
nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ]; nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ];


@ -8,6 +8,7 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"unbound" "unbound"
"nginx"
]; ];
extraConfig = { }; extraConfig = { };



@ -0,0 +1,93 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width" />
<title>Ouverture K-Fêt</title>
<style>
#main {
margin: 0;
padding: 0;
width: 100vw;
height: 100vh;
text-align: center;
font-weight: bold;
font-size: 15vw;
display: flex;
justify-content: center;
align-content: center;
flex-direction: column;
}
* {
margin: 0;
padding: 0;
}
.red {
background-color: red;
color: white;
}
.orange {
background-color: orange;
color: black;
}
.green {
background-color: green;
color: white;
}
#main > p {
overflow: hidden;
display: none;
}
.orange > #orange {
display: block;
}
.green > #green {
display: block;
}
.red > #red {
display: block;
}
</style>
<link rel="manifest" href="manifest.webmanifest" />
</head>
<body>
<div id="main" class="orange">
<p id="orange">Non défini</p>
<p id="red">Fermé</p>
<p id="green">Ouvert</p>
</div>
<script>
// Créer une connexion WebSocket
const socket = new WebSocket('wss://kfet.sinavir.fr/ws/');
const div = document.getElementById("main");
// Écouter les messages
socket.addEventListener('message', function (event) {
console.log('Voici un message du serveur', event.data);
switch (JSON.parse(event.data).status) {
case "opened":
div.className = "green";
document.title = "🟢 Ouvert | K-Fêt";
break;
case "closed":
div.className = "red";
document.title = "🔴 Fermé | K-Fêt";
break;
default:
div.className = "orange";
document.title = "🟠 Indéfini | K-Fêt";
}
});
</script>
</body>
</html>
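Review bot: `JSON.parse(event.data)` on L504 runs unguarded, so a single non-JSON frame from the socket throws inside the listener and the page silently stays on its last colour; wrap the parse in `try { … } catch { div.className = "orange"; return; }` so a bad message falls back to the undefined state. The socket also never reconnects after `close` or `error`, so a display left on this page keeps a stale status until someone reloads it; a `close` listener that re-creates the socket after a growing delay fixes that. Since the page is served from `kfet.lab.dgnum.eu` but reads its status from `kfet.sinavir.fr`, a `Content-Security-Policy` with `connect-src wss://kfet.sinavir.fr` (header or meta tag) documents and pins that trust relationship.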


@ -0,0 +1,8 @@
{
dgn-web.enable = true;
services.nginx.virtualHosts."kfet.lab.dgnum.eu" = {
enableACME = true;
forceSSL = true;
root = ./kfet;
};
}


@ -0,0 +1,56 @@
# TODO: revamp to use the same framework as the other VMs
{ pkgs, ... }:
let
address = "129.199.146.101";
in
{
imports = [
./_hardware-configuration.nix
./immich.nix
./nginx.nix
./photoprism.nix
];
deployment.targetHost = address;
deployment.tags = [ "cst1" ];
networking = {
firewall.allowedTCPPorts = [
22
80
443
8007
];
firewall.allowedUDPPorts = [ ];
useNetworkd = true;
};
time.timeZone = "Europe/Paris";
environment.systemPackages = with pkgs; [ neovim ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
security.acme.acceptTerms = true;
systemd.network = {
config.routeTables = {
he = 100;
mwan = 110;
};
networks = {
"10-ens18" = {
name = "ens18";
networkConfig = {
Description = "ENS uplink";
Address = [ "129.199.146.101/24" ];
Gateway = "129.199.146.254";
LLDP = true;
};
};
};
};
}
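Review bot: Port 8007 is opened on L556 but nothing in this file or in the imported `immich.nix`, `nginx.nix` and `photoprism.nix` listens on it (immich binds localhost:3001, photoprism localhost:2342, both fronted by nginx on 80/443); an open port without an owner is exposure nobody remembers to close. Either name the consumer, `8007 # <service> — TODO confirm`, or drop it. Port 22 is already opened by the openssh module's `openFirewall` default, so listing it is redundant, and the root SSH keys inlined on L563–L566 bypass the shared keys module the other hosts use — presumably what the TODO on L537 is about.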


@ -0,0 +1,34 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader.systemd-boot.enable = true;
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
};
fileSystems."/" = {
device = "/dev/disk/by-partlabel/disk-sda-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/disk-sda-ESP";
fsType = "vfat";
};
networking.useDHCP = lib.mkDefault false;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,16 @@
{
services.immich = {
enable = true;
# NOTE: default port changes in a later version
port = 3001;
machine-learning.enable = true;
host = "localhost";
};
services.nginx.virtualHosts."immich.lab.dgnum.eu" = {
enableACME = true;
forceSSL = true;
serverAliases = [ ];
locations."/".proxyPass = "http://localhost:3001/";
};
}


@ -0,0 +1,10 @@
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "500m";
};
}


@ -0,0 +1,8 @@
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
};
}
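Review bot: `PasswordAuthentication = false` on L659 does not turn off keyboard-interactive (PAM) logins, which NixOS leaves enabled by default, so a password can still be offered through that path; add `KbdInteractiveAuthentication = false;` beside it so only keys are accepted. Root on this host authenticates by key (see the authorized keys in `default.nix`), which the default `PermitRootLogin = "prohibit-password"` already permits, so nothing else needs to change here.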


@ -0,0 +1,54 @@
{ pkgs, ... }:
{
services = {
photoprism = {
enable = true;
port = 2342;
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "fr";
PHOTOPRISM_ADMIN_USERNAME = "admin";
PHOHOPRISM_SITE_URL = "https://photoprism.lab.dgnum.eu";
PHOTOPRISM_SITE_CAPTION = "PhotoPrism";
# DB access config
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
};
originalsPath = "/data/photos";
address = "localhost";
#importPath = "/photoprism/imports";
passwordFile = "/passwords/photoprism";
};
mysql = {
enable = true;
dataDir = "/data/mysql";
package = pkgs.mariadb;
ensureDatabases = [ "photoprism" ];
ensureUsers = [
{
name = "photoprism";
ensurePermissions = {
"photoprism.*" = "ALL PRIVILEGES";
};
}
];
};
nginx.virtualHosts."photoprism.lab.dgnum.eu" = {
enableACME = true;
forceSSL = true;
serverAliases = [ ];
locations."/" = {
proxyPass = "http://localhost:2342/";
proxyWebsockets = true;
};
};
};
}
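Review bot: `PHOHOPRISM_SITE_URL` on L676 is misspelled, so PhotoPrism never receives `PHOTOPRISM_SITE_URL` and falls back to its default site URL, which affects the links and redirects it generates behind the `photoprism.lab.dgnum.eu` proxy; the fix is `PHOTOPRISM_SITE_URL = "https://photoprism.lab.dgnum.eu";`. `passwordFile = "/passwords/photoprism"` on L687 points at an unmanaged path while the other hosts in this range deliver secrets through `age.secrets`; a comment saying how that file reaches the machine and with which permissions, or a move to the secrets mechanism, would close the gap. The MariaDB grant is scoped to `photoprism.*` only, which is the right shape.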


@ -0,0 +1,3 @@
(import ../../../keys).mkSecrets [ "photo01" ] [
# List of secrets for router02
]


@ -0,0 +1,18 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"wireguard"
];
extraConfig = {
networking.interfaces.enp1s0.useDHCP = true;
};
root = ./.;
}


@ -0,0 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"usb_storage"
"usbhid"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/bfb4359b-75b2-4fa0-bdb6-283658a0019a";
fsType = "xfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1A70-E9AE";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ { device = "/dev/disk/by-uuid/6518c729-a0cb-41b4-acc8-ec219d0afba6"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0d1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,4 @@
(import ../../../keys).mkSecrets [ "roam01" ] [
# List of secrets for router02
"systemd-network-wg_key"
]


@ -0,0 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA eITDLS0bZ9nCNbcpXN2S2JK6+gy0V9Ix5anuz1DXpi8
h/3wu702P2+Mnrsh5EimLoLY6XPiyTvjytjVr2nVPU0
-> ssh-ed25519 QlRB9Q atT+Cb4dk/jH7uhQ7b8Qu1E4tFcrm7mUzqhwlvciCng
eZvsq5OsW7cxf4EmE7L4KhzmiCRhV72ILT5mOg3D7GY
-> ssh-ed25519 r+nK/Q RfAubzTOifMb9Pukkwkh7iUgOLxmIxkPCBhZqzohHA4
0rdpQrp7iSRjGCsi7EjOcuCx2YXXscJxIYv0vfpV9hw
-> ssh-rsa krWCLQ
tBs7XiMvJdAqbtZTaDxgyLrHxyUjgKU4amTtPdVxRUuqm4uSoxoHJj7N6NGBPhW4
ODB8ft5OoAwjtP/D12pNUn3fsIuo7DJGc57Dt74f0ge+MWTVI/tEC8I8EVOVYIpv
Udc1kW8n2CCdkAulSrvlfLQPuVFUcOYWGTvEVE05gPRoJ7NiXR9CW2ByyRjD12Fj
W+8c/H0/h8CmWGRFMZG+xlt9DmYNegz2TCKyTJPtWHRT6sYCqct13GQP/C8s8fJv
ZQjIUcF91EBTr6Gc0fGEYFmKQckOkEeAG3P92YuK9NLyHw5xHl9M+gFZlYsQ91kg
/uVW29GmK7qoyxpUP0GamA
-> ssh-ed25519 /vwQcQ 0y6bP+6t8EhcHs7ap/FmCDWxQLCkDF5KyeXlGZln9Qc
9xpybiFqQTxJ8Po0044HRhoBlmcFzqeXMG3IrZzKOdI
-> ssh-ed25519 0R97PA 1pn+9GwTf+AHsSCqI+xe0blM/6qJUgCgjCF3mlEV4k0
W278+7Qc5/QyALiy1Gt8WKqCw+MX4Ko0VLV+p1KoSjA
-> ssh-ed25519 JGx7Ng hrWsXtVn1DNQ86woVee66ljaMpgBBoJmHdS7qyESbz0
dRPPTNmGYFZ+VR9gPhfD5wutqIuJXXEtoMapnAShrHE
-> ssh-ed25519 bUjjig RzQTuUiEmKd9VqYMKz3cbaU7v4OncTK8N1VA+4M851w
49tmBO+NwrGfNyDwcyuk+7DFqK0yYfZoJ98qeYg0yBY
-> ssh-ed25519 5SY7Kg 9icmp/ZQKCNxep3mnqbJs3pfjaunJwpK9OP5PhXSvE4
Yx6OjFMMwg+MRsHSlg8DjBDF5jumxJcweaWPsy0TCNU
-> ssh-ed25519 p/Mg4Q yhvaDm7yq75qq2Sb5wmXqunG5sHoamAi0r/kBOFHJjw
ZnmJd4au4dGscs7HdW1TqqLjqniRT3EhivgllyuGp5s
-> ssh-ed25519 5rrg4g oQn9sbjixiuN02aDo/v4n6JWTT4MPbYVwni0OW04NFk
hhYoASjz7CPqNXwGCOydrzadudrvncUsv318zFFUB0A
-> ssh-ed25519 oRtTqQ holCshSmzD+N5BYaUOv00WZlFn0UOLTikddFPZpCw1o
XdPjWqs7UqmA4ZLbgNAlDuHcdEGeeGCryBLE0jUtRbM
-> ssh-ed25519 F2C+8w h7ncoDRcnH+pVcRAP5au111c47oRjg4ISn93qK912zk
7sisrDx+avRb9HE2WvYkgSErsvNMqsc+UESmRKt7xz8
-> ssh-ed25519 PMC4Bw oyKwRE22OV8RupaRKV6MgdL9sYK12NvhRDseQwo2MWE
oQOX7qy2Lo6eqmOBqgCjssu5mrd85NQDwmOdzIrj7yg
-> :1G-grease
krZ6nazBc8pS3EHxhcidv4uBigiek7jhODqwOoFQa3+31acCrziN8elOxd6gEa7B
a/xpMlN0
--- BZD889tFoBkFafKWHk0vfNhpP+YtdcU+wpmm0d9RV+Q
Ç„yz¥5Y7ùY}‡ˆ"·Q{±sy;âÇ“˜dÛü°”PX4¹ÏÃ×c½Š1AÕv©ýJî<ž^fÁ¯ƒñv3U%eó]P


@ -0,0 +1,54 @@
{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
Endpoint = "129.199.146.230:1194";
PersistentKeepalive = 25;
AllowedIPs = [ "fdaa::${prefix}:0/64" ];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}
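Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ]` on L871 names an interface that does not exist on this host — the netdev is called `wg-mgmt` (L888) — so the rule is a no-op and traffic arriving over the management VPN still goes through the normal firewall; the same mismatch is in router02's `wireguard.nix` (L1157 vs L1174). Before changing it to `"wg-mgmt"`, decide whether trusting the whole interface is wanted: on router02 that would give every VPN peer, including the member laptops, access to all ports. A comment stating the intent, e.g. `# wg-mgmt peers are trusted for management traffic only; keep the list of peers small`, would make the choice explicit.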


@ -8,6 +8,8 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"networking" "networking"
"wireguard"
"nginx-sni"
]; ];
extraConfig = { }; extraConfig = { };


@ -42,7 +42,7 @@
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; # networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";


@ -10,7 +10,10 @@
networkConfig = { networkConfig = {
Description = "ENS uplink"; Description = "ENS uplink";
Address = [ "129.199.146.230/24" ]; Address = [
"129.199.146.231/24"
"129.199.146.230/24"
];
Gateway = "129.199.146.254"; Gateway = "129.199.146.254";
LLDP = true; LLDP = true;
# Only to the switch we are connected to directly, e.g. the hypervisor or the switch. # Only to the switch we are connected to directly, e.g. the hypervisor or the switch.
@ -34,36 +37,32 @@
"50-tun-he" = { "50-tun-he" = {
name = "sit-he"; name = "sit-he";
networkConfig = { networkConfig = {
Description = "HE.NET IPv6 Tunnel (gdd)"; Description = "HE.NET IPv6 Tunnel (maurice)";
Address = [ "2001:470:1f12:187::2/64" ]; Address = [ "2001:470:1f12:2b::2/64" ];
ConfigureWithoutCarrier = true; ConfigureWithoutCarrier = true;
}; };
routes = [ routes = [
{ {
routeConfig = {
Destination = "::/0"; Destination = "::/0";
Table = "he"; Table = "he";
Scope = "global"; Scope = "global";
};
} }
{ {
# Use HE tunnel for router trafic as well # Use HE tunnel for router trafic as well
routeConfig = {
Destination = "::/0"; Destination = "::/0";
Scope = "global"; Scope = "global";
};
} }
]; ];
routingPolicyRules = [ routingPolicyRules = [
{ {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
From = "2001:470:1f13:187::/64"; From = "2001:470:1f13:2b::/64";
Table = "he"; Table = "he";
}; };
} }
{ {
routingPolicyRuleConfig = { routingPolicyRuleConfig = {
To = "2001:470:1f13:187::/64"; To = "2001:470:1f13:2b::/64";
Table = "he"; Table = "he";
}; };
} }
@ -82,41 +81,31 @@
}; };
routes = [ routes = [
{ {
routeConfig = {
Gateway = "2a0b:cbc0:1::215"; Gateway = "2a0b:cbc0:1::215";
PreferredSource = "2a0e:e701:1120::1"; PreferredSource = "2a0e:e701:1120::1";
};
} }
{ {
# Local route # Local route
routeConfig = {
Table = "mwan"; Table = "mwan";
Destination = "2a0e:e701:1120::/64"; Destination = "2a0e:e701:1120::/64";
};
} }
{ {
# Default unreachable route for unattributed prefixes of our /48 # Default unreachable route for unattributed prefixes of our /48
routeConfig = {
Table = "mwan"; Table = "mwan";
Metric = 9999; Metric = 9999;
Destination = "2a0e:e701:1120::/48"; Destination = "2a0e:e701:1120::/48";
Type = "unreachable"; Type = "unreachable";
};
} }
{ {
routeConfig = {
Table = "mwan"; Table = "mwan";
Gateway = "2a0b:cbc0:1::215"; Gateway = "2a0b:cbc0:1::215";
PreferredSource = "2a0e:e701:1120::1"; PreferredSource = "2a0e:e701:1120::1";
};
} }
# IPv4 # IPv4
{ {
routeConfig = {
Scope = "global"; Scope = "global";
Table = "mwan"; Table = "mwan";
Gateway = "10.1.1.49"; Gateway = "10.1.1.49";
};
} }
]; ];
routingPolicyRules = [ routingPolicyRules = [
@ -165,10 +154,8 @@
]; ];
routes = [ routes = [
{ {
routeConfig = {
Table = "mwan"; Table = "mwan";
Destination = "2a0e:e701:1120:1000::/64"; Destination = "2a0e:e701:1120:1000::/64";
};
} }
]; ];
}; };
@ -176,23 +163,21 @@
name = "vlan-he-dmz"; name = "vlan-he-dmz";
networkConfig = { networkConfig = {
Description = "HE DMZ VLAN"; Description = "HE DMZ VLAN";
Address = [ "2001:470:1f13:187::1/64" ]; Address = [ "2001:470:1f13:2b::1/64" ];
IPv6SendRA = "yes"; IPv6SendRA = "yes";
}; };
ipv6Prefixes = [ ipv6Prefixes = [
{ {
ipv6PrefixConfig = { ipv6PrefixConfig = {
Prefix = "2001:470:1f13:187::0/64"; Prefix = "2001:470:1f13:2b::0/64";
}; };
} }
]; ];
routes = [ routes = [
{ {
routeConfig = {
Table = "he"; Table = "he";
Scope = "global"; Scope = "global";
Destination = "2001:470:1f13:187::/64"; Destination = "2001:470:1f13:2b::/64";
};
} }
]; ];
}; };
@ -204,7 +189,7 @@
Name = "sit-he"; Name = "sit-he";
}; };
tunnelConfig = { tunnelConfig = {
Local = "129.199.146.230"; Local = "129.199.146.231";
Remote = "216.66.84.42"; Remote = "216.66.84.42";
}; };
}; };


@ -0,0 +1,21 @@
{ meta, ... }:
let
# Beware, jool will not translate. Prefer ipv6 proxy target
machines = builtins.mapAttrs (
host: { site, ... }: "v6.${host}.${site}.infra.lab.dgnum.eu:443"
) meta.nodes;
in
{
dgn-web.enable = true;
services.nginx = {
sni-proxy = {
preStreamConfig = ''
resolver 127.0.0.53;
'';
enable = true;
redirects = {
"kfet.lab.dgnum.eu" = machines.labcore01;
};
};
};
}


@ -1,3 +1,4 @@
(import ../../../keys).mkSecrets [ "router02" ] [ (import ../../../keys).mkSecrets [ "router02" ] [
# List of secrets for router02 # List of secrets for router02
"systemd-network-wg_key"
] ]


@ -0,0 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 6v2v03EntXNNOnWAuZEcLybn6iWI+LB0kA/AbzszgQs
aqtydlqLgpfvC9rz0x0MshF+RfYJSpQaah5moS3CsGY
-> ssh-ed25519 QlRB9Q 8SqWmf7skeFnmT1HU43V7PwaqYl/hHTifx70qr05Y3c
W/b0CABozdoiSXWokOs+ChRL2pKCjL/b3kZHsBLBemw
-> ssh-ed25519 r+nK/Q TwRRJzM7q81lTdiMwINKYs5RqUaKR9odwTj0CaAUOFU
mYvyP/UeLFDgXFAUkCfZRNuRTJBL5t01nQ5a3U9BVrc
-> ssh-rsa krWCLQ
ssWV1ySMEEZJEsNUjss0U+rLVLYVLlPovyeqv3dWgRdbojFOboXZh7yo07KHOuu8
N3QU64Iy1B8VOoPPhkfRURJjsjEEt/48gwMm9Ff9lmF/rxuw8KOPlGgAF+HwGK0z
Y2gTJkehFuuBN70jsPpCGqlEpmbwLfw1BbYp8zYEq6OKXkhZjIWVEwfa3Ahiw0Z7
3VTC/9GVhpPu/s532TxYNsTZj6nBSp22jc8AZZvOxbPrV5Qk8yLb3JMfXBWn3bJv
N4A1x+ibCI6bnl+gYzmVjiquMuo8CMR1t+KAp6nNfv1dZT5UDBYKswYQ1AhQi7jh
KzBK3vInE18L3qWPxt4Zdw
-> ssh-ed25519 /vwQcQ YilslLDdIPQRNOr/ZA+WreHP5PNBiy/f6xz2UImsEQA
gjH2VsGYM/bJu+X5vwF1y+r0+pDC7EOjesuawUw5WAo
-> ssh-ed25519 0R97PA qFqvdP6/zg+/ruLrNmmFdi0ED43LVNtrfFISTVMLimA
YQyo/5tyH2JMPWiqV0bxWhMWVpyjcaQc9nr1WPUMygc
-> ssh-ed25519 JGx7Ng /SvvUDt/rDTaFOqaxL+d49pNyx7Wvkl0FMr36RIsxgQ
pF191qRavD24LSw2JHKpVKFGK281UitMTcLDV7Zw87M
-> ssh-ed25519 bUjjig +o1W/J1qFW96kC5SCz5azW4ar/bGglWOIST/VEBl0k8
mHPgOqZN5eLw5AG47TIXccckR1qhhr6Ix08l3CY2NF4
-> ssh-ed25519 5SY7Kg 53VjPE/xjun7Q1fKUaRKoEw1p5ble9fiunb/hX8sSns
5ro90MKLPz2rqdHghVBbrKXiRHHUEeRKkB+RZwxX1Ls
-> ssh-ed25519 p/Mg4Q tLc6UNchEe2AR/91gGauHIhD84UfKbIgS5MR77dhxhw
Q5/8BbmXj9wTv0oHr73Au3gNgMDPxT1btyRFhVZ+My8
-> ssh-ed25519 5rrg4g WVq0dsHIxZffMqbAgdtBoMZDpzWI2eSc/gYuohn2JHc
CXBXkFLl8ljpBZK3emGaj5D0lb07KfCBeHPLc0AuCFA
-> ssh-ed25519 oRtTqQ Zq/GevKIc0qaGd0jXWpkd88BxA6yPonFzvxqxtylCiw
KO0avMpoF1ICg+17xvsmBLGsZ4FVorjkcMl/adT2/IU
-> ssh-ed25519 F2C+8w b9E1FgolbSv9cbAKTwSUnUhcilOFC3mkX8zEgeYwJxs
vqh2UldeQQTkDuiRxrT8+Xxdpt2s16X+14J57rpZVKM
-> ssh-ed25519 Dk/ltw 9zNl1I2J0A99y6G2M4JHhUVgn/9xcCaDz+I1NQxJewg
GFQp+hYM9dyICmI5UmdnNftq7g3QyNH3MlkAoag8YtQ
-> jn$!zr-grease w#SDYrYf
tNm7A1/g1RMy3lwzsibb/VhsMojufa8iCJCfZ5PG13ikyKab/8GY2oBO282yzcGJ
NLDaG5WbIbese3Rxi+rC0ucRZYWlx/w
--- 8tELVgxGaIQsgC4NrrRbSh8Y8p+d8sQLG6pWZrc4b3o
<16>kÜè ŽuûEõ¬4>7>«p<C2AB>KøÎH¶ê$8MÞŸ@¢’¢û„<C3BB>°º fñ`ÿ°XÍÚLi½:”öû³&wè> 4€•,#q¿h™4


@ -0,0 +1,57 @@
{
config,
lib,
dgn-keys,
name,
...
}:
let
mkPeer =
prefix: peerName:
let
peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
in
{
AllowedIPs = [ "fdaa::${prefix}:${lib.toHexString peer.id}/32" ];
PublicKey = peer.key;
};
in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {
name = "wg-mgmt";
address = [ "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64" ];
routes = [
{
Destination = "fdaa::/64";
Scope = "link";
}
];
};
};
netdevs = {
"50-wg-mgmt" = {
netdevConfig = {
Name = "wg-mgmt";
Kind = "wireguard";
};
wireguardConfig = {
ListenPort = 1194;
PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
};
wireguardPeers =
builtins.map (mkPeer "1") [
"mdebray"
"catvayor"
]
++ builtins.map (mkPeer "0") [ "roam01" ];
};
};
};
networking.firewall.allowedUDPPorts = [ 1194 ];
}
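Review bot: `AllowedIPs` on L1151 uses `/32` on an IPv6 address, so `fdaa::${prefix}:${id}/32` normalizes to `fdaa::/32` for every peer; a prefix can belong to only one WireGuard peer, so the three peers listed on L1182–L1186 compete for the same entry and only the last one configured receives traffic. A single host needs `/128`: `AllowedIPs = [ "fdaa::${prefix}:${lib.toHexString peer.id}/128" ];`, which also matches the `/64` link route on L1165. roam01's `mkPeer` (L865) uses `fdaa::${prefix}:0/64` for the router side, which covers the whole link and is the intended shape there.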


@ -0,0 +1,25 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"lab-routexp"
];
enabledServices = [
# List of services to enable
];
extraConfig = {
lab-routexp = {
id = 1;
connections = [
1001
1002
];
};
};
root = ./.;
}


@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
lib,
sources,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
(sources.disko + "/module.nix")
./disko.nix
];
boot = {
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,33 @@
_: {
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "1G";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@ -0,0 +1 @@
{ }


@ -0,0 +1,3 @@
(import ../../../keys).mkSecrets [ "routexp01" ] [
# List of secrets for router02
]


@ -0,0 +1,25 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"nginx"
"uptime-kuma"
];
extraConfig = {
deployment.tags = [ "cst1" ];
networking = {
firewall.allowedTCPPorts = [
80
443
];
};
};
root = ./.;
}
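Review bot: Ports 80 and 443 are opened here under `extraConfig.networking.firewall.allowedTCPPorts` and again in the uptime-kuma service file for this host (`networking.firewall.allowedTCPPorts = [ 80 443 ];` in the hunk that sets `services.uptime-kuma`). The two lists merge so nothing breaks, but the host's exposure should be declared in one place; since the service is what needs the ports, I would drop the `networking` block here and keep the declaration next to the nginx virtual host.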


@ -0,0 +1,34 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader.systemd-boot.enable = true;
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
};
fileSystems."/" = {
device = "/dev/disk/by-partlabel/disk-sda-root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-partlabel/disk-sda-ESP";
fsType = "vfat";
};
networking.useDHCP = lib.mkDefault false;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,10 @@
{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "500m";
};
}


@ -0,0 +1,4 @@
(import ../../../keys).mkSecrets [ "status01" ] [
# List of secrets for router02
"stateless-uptime-kuma-password"
]


@ -0,0 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 53kqaGHoIiBW34TabFATNf+2Nju2FAQm5euxBlp4L2E
65jmuV2qa4FggzatITYncVQNSYTRtKEFZsBbtkQ487A
-> ssh-ed25519 QlRB9Q VwYIAUut50rqvm4nOUZf6Sp/HzyfE1Fg6JSsMF0H53s
euInJsL53RwaCza7OTZNRx+swsXcnN9FUMFMgmSnLug
-> ssh-ed25519 r+nK/Q 4ZxPhgovFEX8cX3mEarpl83i4Gg1IjDBdFwqlqt0p0E
n0oIgVJbCV9wd8GgPm4zDSKU+WPxrpXe1hNOH0M9orE
-> ssh-rsa krWCLQ
QxjqLVS1ANlU4kOSq9ybEHLlTrC9V9l5kQAakG9FLvGg6J88MM5v2oJzqN0MdRMy
HC26YFwibUMrues0qXfEYAx3uuss2TS82XAlZPGC4/dn31czI7mTjgbkkwVZZ1ED
SP8VWCAb/zjJoN+cSiVsTbu++b5dnavI2HrEA45pGopkG0usJE8Llr7kI/1Pb5Hi
GaYdjBk5MVrA+K8PTRJ3OdDM3aTKFaoPS5vgWM2RfSSkhVK51fKxIWkiphk5hZ7l
dmHk9qNiwZkg2wWp0W4pBCbHRzoIT2osNlbsO1IpsaNrVijrvxg5qHUHa1uqw5pB
fJ/7dh59Ckc6FkE7Mka1EQ
-> ssh-ed25519 /vwQcQ h3/pglzg2HhJ9AYixQgm//hDDfKwDm0qfdEYj94FF0Y
mJh35flVyki/cpuIlHMR2j2WI35W/HarJzJBvpa2hps
-> ssh-ed25519 0R97PA FKZr+kWHbRcZ0Ne6KdCH6mALFgTjAzquDyw3/HvTHXA
m0hzEpVB0n8LXEjFompdmDbGQQSEvXhQrxJWaCAhziA
-> ssh-ed25519 JGx7Ng TjvfKNCJIf8wW4p4VurJG4Ynl/s9ZoDndcP9GQs7K24
5Ps+MgsCaws3PKv1EFPHv1BdZVD4u/DfPiNgxTIEPDI
-> ssh-ed25519 bUjjig UEHCVJRj+Np4EvAUacUKaEIEtcv/92h/mdxpqwW9XjQ
nQfWPkwJ7MufMbTJ1ktE3skBxKu89ps7b/P48bevkwM
-> ssh-ed25519 5SY7Kg wP8S7omqt+wibyrLGdwChOilKLhlk3Uttouofrvn6Hg
PeHvagZGw11Jq8NZFi6Pvh+XSNgklY/235YKhUPogN4
-> ssh-ed25519 p/Mg4Q SC0lkuoNTFyPzVWW+CFQfsV5thLhnAlNMlW6r/M70WA
DR1hkNnQ1xOwSC6gk0i33Tn52iDNqsszPmxBrSS2/aU
-> ssh-ed25519 5rrg4g isrznX6EZE5Do1eNekhqaR/ZFeiMIzkk+y3+nIJ3dTM
nxLDqq/xhgCWQKlolE+7u06j3GrMKxSAirkDl5Y8zzA
-> ssh-ed25519 oRtTqQ GvvIExclzvOhzRs9TqSyPUMpPvFDcwOkthEKgxoOH3I
LkdOSCDASTS9EryBmarT9m2TVL3aafeN+FVGSyxN9AY
-> ssh-ed25519 F2C+8w USOT3pzvufIWjz7zelcMDACuyGAbwHfJ1wQc0Z5aS0A
ZnuvqZ0NdgmpDSc//c99j2X+B0FvioLS1eBC4mX9PQ0
-> ssh-ed25519 LCTbpA SLX/uFy8NniL/3dG2sOWFJqelwbcRC5UA+Ji7pYAFlQ
ckIg5nwZSsM1DAMT9DN2LPKnlQTQye54YUmHYDJ4rp4
-> +ka/`8V-grease `iuUWsh
61TbfYZeLgnlK2g7xDxOvPyZx1i1WlkyM6HtZVUUlUag0+k2mF2kuANCsm8GDJd4
qFDrRc6wmaCRnVf78HSdIJXKviR4QlxNXDnpTeh1jFGtIW4GXVHp
--- S/VYe23MY+e4qRXq615pCpV2VYHJF+s3ioeIEDaKPA8
n~,ló̓ŽSïD10<31>“àBFjºÞ1çbÃU©íš>Ö½íø˹Ýâ{÷§b$ϧ


@ -0,0 +1,30 @@
diff --git a/server/model/group.js b/server/model/group.js
index 5b712ace..ecbced1a 100644
--- a/server/model/group.js
+++ b/server/model/group.js
@@ -31,10 +31,23 @@ class Group extends BeanModel {
*/
async getMonitorList() {
return R.convertToBeans("monitor", await R.getAll(`
- SELECT monitor.*, monitor_group.send_url FROM monitor, monitor_group
- WHERE monitor.id = monitor_group.monitor_id
+ SELECT monitor.*, monitor_group.send_url
+ FROM monitor
+ INNER JOIN monitor_group ON monitor.id = monitor_group.monitor_id
+ WHERE monitor.id IN (
+ SELECT hb.monitor_id
+ FROM heartbeat hb
+ INNER JOIN (
+ SELECT monitor_id, MAX(time) AS latest_time
+ FROM heartbeat
+ GROUP BY monitor_id
+ ) latest_hb
+ ON hb.monitor_id = latest_hb.monitor_id AND hb.time = latest_hb.latest_time
+ WHERE hb.status = 1
+ )
AND group_id = ?
ORDER BY monitor_group.weight
+
`, [
this.id,
]));
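Review bot: The rewritten query drops from the group every monitor whose most recent heartbeat is not `status = 1`, so monitors that are down, pending or in maintenance, and monitors that have no heartbeat yet, silently disappear from the public status page instead of being shown as not up; a reader can no longer tell an outage from a monitor that was removed, which defeats the purpose of a status page. If the intent is the tongue-in-cheek "100% uptime" page the commit message suggests, state that in a header comment at the top of the patch file, because `getMonitorList` is a model method and may be used outside status-page rendering, where the filter would hide monitors too. The trailing empty `+` line before the closing backtick only adds a blank line to the SQL text and can be dropped. The enclosing class `Group` continues outside the hunk.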


@ -0,0 +1,150 @@
{
config,
lib,
nodes,
sources,
pkgs,
...
}:
let
inherit (lib) concatLists mapAttrsToList mkMerge;
inherit (config.statelessUptimeKuma.lib)
pingProbesFromHive
fromHive
httpProbesFromConfig
probesWithTag
;
probesCfg = config.statelessUptimeKuma.probesConfig;
mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
host = "status.lab.dgnum.eu";
port = 3001;
httpExcludes = [
"localhost"
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
extraProbes = {
monitors = {
# NOTE: Empty
};
};
status_pages = {
"dgnum" = {
title = "DGNum";
description = "Etat de l'infra du lab de la DGNum";
showTags = true;
publicGroupList = [
{
name = "Services";
weight = 1;
monitorList = mkMonitors "Service";
}
{
name = "Serveurs";
weight = 2;
monitorList = mkMonitors "Ping";
}
#{
# name = "VPN Interne";
# weight = 2;
# monitorList = mkMonitors "VPN";
#}
];
};
};
pingProbes = pingProbesFromHive {
inherit nodes;
mkHost = _: config: config.networking.fqdn;
tags = [ { name = "Ping"; } ];
excludes = [
"status01"
"labcore01"
];
};
#vpnProbes = pingProbesFromHive {
# inherit nodes;
# prefix = "VPN - ";
# mkHost = node: _: "${node}.dgnum";
# tags = [ { name = "VPN"; } ];
# excludes = [
# "web02"
# "status01"
# ];
#};
httpProbes = fromHive {
inherit nodes;
builder =
_: module:
httpProbesFromConfig {
inherit (module) config;
tags = [
{
name = "Host";
value = module.config.networking.fqdn;
}
{ name = "Service"; }
];
excludes = httpExcludes;
};
};
in
{
imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
services.uptime-kuma = {
enable = true;
package = pkgs.uptime-kuma.overrideAttrs (
_: prev: {
patches = prev.patches ++ [
# Very important patch
./unethical_patch_0.patch
];
}
);
};
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes
httpProbes
extraProbes
#vpnProbes
{ inherit status_pages; }
];
extraFlags = [ "-s" ];
host = "http://localhost:${builtins.toString port}/";
username = "dgnum-lab";
passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
enableService = true;
};
}
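Review bot: `patches = prev.patches ++ [ ... ]` in the `overrideAttrs` call assumes the upstream uptime-kuma derivation already declares a `patches` attribute; if it does not, evaluation fails with an undefined-attribute error, so `patches = (prev.patches or [ ]) ++ [ ./unethical_patch_0.patch ];` is the robust form. The comment `# Very important patch` does not say what the patch does; since it changes which monitors the public status page lists, replace it with something like `# Hides monitors whose latest heartbeat is not UP from status-page groups; see unethical_patch_0.patch`. Minor: `statelessUptimeKuma.host` uses `localhost` while the nginx `proxyPass` uses `127.0.0.1`; harmless, but one spelling of the same endpoint is easier to grep.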


@ -1,4 +1,73 @@
let
mkRoutexp =
l:
builtins.listToAttrs (
builtins.map (
{ id, hostId, ... }:
{ {
name = "routexp${id}";
value = {
interfaces = {
ens18 = {
ipv6 = [
{
address = "2a0e:e701:1120:1000::1000:${id}";
prefixLength = 64;
}
];
gateways = [ "2a0e:e701:1120:1000::1" ];
dns = [ "2a0e:e701:1120:1000::f:1" ];
};
};
inherit hostId;
};
}
) l
);
in
{
dns01 = {
interfaces = {
ens18 = {
ipv6 = [
{
address = "2a0e:e701:1120:1000:ffff::45.13.104.26";
prefixLength = 64;
}
];
ipv4 = [
{
address = "45.13.104.26";
prefixLength = 32;
}
];
gateways = [ "2a0e:e701:1120:1000::1" ];
dns = [ "2a0e:e701:1120:1000::f:1" ];
};
};
hostId = "1758233d";
};
homebox01 = {
interfaces = {
ens18 = {
ipv4 = [
{
address = "129.199.146.102";
prefixLength = 24;
}
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "ef3bd5c0";
};
krz01 = { krz01 = {
interfaces = { interfaces = {
vmbr0 = { vmbr0 = {
@ -21,6 +90,7 @@
hostId = "bd11e8fc"; hostId = "bd11e8fc";
netbirdIp = "100.80.103.206"; netbirdIp = "100.80.103.206";
}; };
labcore01 = { labcore01 = {
interfaces = { interfaces = {
ens18 = { ens18 = {
@ -47,6 +117,50 @@
addresses.ipv4 = [ "129.199.146.230" ]; addresses.ipv4 = [ "129.199.146.230" ];
vpnKeys = {
wg-mgmt = {
id = 1;
key = "PN8/zo1Clue7jAnkvaUOg1ZdmcXmcTb6kIRpu5cplHs=";
};
};
hostId = "144d0f7a"; hostId = "144d0f7a";
}; };
photo01 = {
interfaces = { };
addresses.ipv4 = [ "129.199.146.101" ];
hostId = "bcf8ff03";
};
status01 = {
interfaces = {
ens18 = {
ipv4 = [
{
address = "129.199.146.103";
prefixLength = 24;
} }
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "7ce86f3d";
};
roam01 = {
interfaces = { };
vpnKeys = {
wg-mgmt = {
id = 2;
key = "Yg1GwHbJ7kwNbnjxI+5LtgDvzMPMiOm3EgI/saLI7FU=";
};
};
hostId = "999dc679";
};
}
// mkRoutexp (import ./routexp.nix)


@ -18,8 +18,36 @@
- hyp01 -> Salle serveur Hypnos 1 - hyp01 -> Salle serveur Hypnos 1
- luj01 -> VM de Luj - luj01 -> VM de Luj
*/ */
let
mkRoutexp =
l:
builtins.listToAttrs (
builtins.map (
{ id, ... }:
{ {
name = "routexp${id}";
value = {
site = "pav01";
hashedPassword = "$y$j9T$XJTT9MWCE49axmQppQSKc0$b9OzdEaQgDdXTc.meKWNeKd.TeTui2PdzdcFI/ggKk3";
stateVersion = "24.11";
nixpkgs = "unstable";
};
}
) l
);
in
{
dns01 = {
site = "pav01";
# TODO:
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
stateVersion = "24.05";
nixpkgs = "24.05";
};
krz01 = { krz01 = {
site = "pav01"; site = "pav01";
@ -28,6 +56,14 @@
stateVersion = "24.05"; stateVersion = "24.05";
nixpkgs = "unstable"; nixpkgs = "unstable";
}; };
homebox01 = {
site = "pav01";
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
stateVersion = "24.05";
nixpkgs = "unstable";
};
labcore01 = { labcore01 = {
site = "pav01"; site = "pav01";
@ -36,6 +72,15 @@
stateVersion = "24.05"; stateVersion = "24.05";
nixpkgs = "24.05"; nixpkgs = "24.05";
}; };
photo01 = {
site = "pav01";
# TODO
hashedPassword = "$y$j9T$aFhOWa05W7VKeKt3Nc.nA1$uBOvG4wf7/yWjwOxO8NLf9ipCsAkS1.5cD2EJpLx57A";
stateVersion = "24.05";
nixpkgs = "unstable";
};
router02 = { router02 = {
site = "pav01"; site = "pav01";
@ -44,4 +89,23 @@
stateVersion = "24.05"; stateVersion = "24.05";
nixpkgs = "unstable"; nixpkgs = "unstable";
}; };
status01 = {
site = "pav01";
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
stateVersion = "24.05";
nixpkgs = "unstable";
};
roam01 = {
site = "nowhere";
hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
deployment.targetHost = "129.199.146.39";
stateVersion = "24.11";
nixpkgs = "unstable";
};
} }
// mkRoutexp (import ./routexp.nix)
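Review bot: The same `hashedPassword` value (`$y$j9T$eNZQgDN.J5y7KTG2hXgat1$…`) is set for dns01, homebox01 and status01, and `mkRoutexp` stamps one further shared hash onto every routexp node; an identical salt and hash means these hosts share one password, so a leak on any of them opens the others, and the `# TODO:` markers above two of them suggest they are placeholders that were never replaced. Generate a distinct hash per host, or document why a shared credential is acceptable for these lab machines. `roam01` is the only node with `site = "nowhere"`; if it keeps `lab-network.enable` at its default, the `domain = "${nodeMeta.site}.infra.lab.dgnum.eu"` rule in modules/lab-network.nix yields `nowhere.infra.lab.dgnum.eu`, which deserves a comment if intended.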


@ -14,11 +14,14 @@ let
ints ints
listOf listOf
nullOr nullOr
singleLineStr
str str
submodule submodule
unspecified unspecified
; ;
inherit (ints) positive;
addressType = addressType =
max: max:
submodule { submodule {
@ -34,6 +37,22 @@ let
}; };
}; };
vpnKeyType = submodule {
options = {
id = mkOption {
type = positive;
description = ''
Unique ID that will be used to guess IP address
'';
};
key = mkOption {
type = str;
description = ''
Public key of the user for this VPN
'';
};
};
};
org = config.organization; org = config.organization;
in in
@ -41,7 +60,10 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf (submodule { type = attrsOf (
submodule (
{ name, ... }:
{
options = { options = {
name = mkOption { name = mkOption {
type = str; type = str;
@ -56,8 +78,37 @@ in
Main e-mail address of the member. Main e-mail address of the member.
''; '';
}; };
username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
}; };
});
sshKeys = lib.mkOption {
type = listOf singleLineStr;
description = ''
A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys.
'';
example = [
"ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
"ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
];
};
vpnKeys = mkOption {
type = attrsOf vpnKeyType;
default = { };
description = "Attribute sets to define vpn keys of the user";
};
};
}
)
);
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.
@ -70,6 +121,39 @@ in
Groups of the DGNum organization. Groups of the DGNum organization.
''; '';
}; };
external = mkOption {
type = attrsOf (listOf str);
description = ''
External services used by the DGNum organization.
'';
};
services = mkOption {
type = attrsOf (submodule {
options = {
admins = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrators of the service.
'';
};
adminGroups = mkOption {
type = listOf str;
default = [ ];
description = ''
List of administrator groups of the service.
'';
};
};
});
description = ''
Administrator access of the different DGNum services,
it is mainly indicative as most services cannot configure this statically.
'';
};
}; };
nodes = mkOption { nodes = mkOption {
@ -256,6 +340,13 @@ in
IP address of the node in the netbird network. IP address of the node in the netbird network.
''; '';
}; };
vpnKeys = mkOption {
type = attrsOf vpnKeyType;
default = { };
description = "Attribute sets to define vpn keys of the machine";
};
}; };
config = config =
@ -327,11 +418,20 @@ in
extract "adminGroups" config.nodes extract "adminGroups" config.nodes
)) ))
# Check that all members have ssh keys # Check that all services admins exist
(builtins.map (name: { (membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ]; extract "admins" org.services
message = "No ssh keys found for ${name}."; ))
}) members)
# Check that all services adminGroups exist
(groupsExists (
name: "A member of the service ${name} adminGroups was not found in the groups list."
) (extract "adminGroups" org.services))
# Check that all external services admins exist
(membersExists (
name: "A member of the external service ${name} admins was not found in the members list."
) org.external)
]; ];
}; };
} }
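Review bot: The `id` description in `vpnKeyType`, `Unique ID that will be used to guess IP address`, does not say unique among what; in the meta data both a member (catvayor) and a node (labcore01) use `id = 1`, and mdebray and roam01 both use `id = 2`, so uniqueness is only per member or per node and the consumer must namespace the two sets. Make that explicit, e.g. `Unique ID among members (resp. among nodes) for this VPN; used to derive the peer's address`. Two points of style: `sshKeys = lib.mkOption` is the only option in the file not using the inherited `mkOption`, and `key = mkOption { type = str; … }` could use `singleLineStr` like `sshKeys`, since a base64 public key never spans lines.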


@ -5,44 +5,104 @@
{ {
members = { members = {
agroudiev = {
name = "Antoine Groudiev";
email = "antoine.groudiev@dgnum.eu";
sshKeys = [
"ssh-rsa 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"
];
};
catvayor = { catvayor = {
name = "Lubin Bailly"; name = "Lubin Bailly";
email = "catvayor@dgnum.eu"; email = "catvayor@dgnum.eu";
username = "lbailly";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
vpnKeys = {
wg-mgmt = {
id = 1;
key = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
};
};
}; };
cst1 = { cst1 = {
name = "Constantin Gierczak--Galle"; name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu"; email = "cst1@dgnum.eu";
username = "cgierczakgalle";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
}; };
ecoppens = { ecoppens = {
name = "Elias Coppens"; name = "Elias Coppens";
email = "ecoppens@dgnum.eu"; email = "ecoppens@dgnum.eu";
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
}; };
jemagius = { jemagius = {
name = "Jean-Marc Gailis"; name = "Jean-Marc Gailis";
email = "jm@dgnum.eu"; email = "jm@dgnum.eu";
username = "jgailis";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa 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"
];
}; };
luj = { luj = {
name = "Julien Malka"; name = "Julien Malka";
email = "luj@dgnum.eu"; email = "luj@dgnum.eu";
username = "jmalka";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
};
mboyer = {
name = "Matthieu Boyer";
email = "matthieu.boyer@dgnum.eu";
username = "mboyer02";
sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
}; };
mdebray = { mdebray = {
name = "Maurice Debray"; name = "Maurice Debray";
email = "maurice.debray@dgnum.eu"; email = "maurice.debray@dgnum.eu";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
vpnKeys = {
wg-mgmt = {
id = 2;
key = "+nTxD4ZAzk+9LHGwEfK0t2cMQf0ognBYmhybNbCzW38=";
};
};
}; };
raito = { raito = {
name = "Ryan Lahfa"; name = "Ryan Lahfa";
email = "ryan@dgnum.eu"; email = "ryan@dgnum.eu";
username = "rlahfa";
sshKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
}; };
thubrecht = { thubrecht = {
name = "Tom Hubrecht"; name = "Tom Hubrecht";
email = "tom.hubrecht@dgnum.eu"; email = "tom.hubrecht@dgnum.eu";
sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
}; };
}; };

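--- a/meta/routexp.nix
+++ b/meta/routexp.nix
@@ -0,0 +1,7 @@
+# List of routers for the routexp experiment
+[
+  {
+    id = "01";
+    hostId = "d70d0593";
+  }
+]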


@ -1,12 +1,23 @@
{ lib, sources, ... }: { lib, sources, ... }:
{ {
imports = (lib.extra.mkImports ./. [ "lab-acme" ]) ++ [ imports =
(lib.extra.mkImports ./. [
"lab-acme"
"lab-network"
"lab-routexp"
])
++ [
"${sources."microvm.nix"}/nixos-modules/host" "${sources."microvm.nix"}/nixos-modules/host"
(import sources.proxmox-nixos).nixosModules.declarative-vms
]
++ (import sources.nix-modules { inherit lib; }).importModules [
"services/nginx-sni"
]; ];
dgn-notify.enable = false; dgn-notify.enable = false;
dgn-records.enable = false; dgn-records.enable = false;
dgn-network.enable = false;
# TODO think about how to use netbox with lab # TODO think about how to use netbox with lab
dgn-netbox-agent.enable = false; dgn-netbox-agent.enable = false;

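--- a/modules/lab-network.nix
+++ b/modules/lab-network.nix
+{
+  config,
+  lib,
+  meta,
+  name,
+  nodeMeta,
+  ...
+}:
+let
+  inherit (lib)
+    mapAttrs'
+    mkEnableOption
+    mkIf
+    ;
+  net' = meta.network.${name};
+  mkAddress = { address, prefixLength, ... }: "${address}/${builtins.toString prefixLength}";
+  mkRoute = gateway: {
+    routeConfig = {
+      Gateway = gateway;
+      GatewayOnLink = true;
+    };
+  };
+  mkInterface = interface: net: {
+    name = "10-${interface}";
+    value = {
+      name = interface;
+      address = builtins.map mkAddress (net.ipv4 ++ net.ipv6);
+      routes = builtins.map mkRoute net.gateways;
+      inherit (net) DHCP dns;
+    };
+  };
+  cfg = config.lab-network;
+in
+{
+  options.lab-network.enable = mkEnableOption "automatic network configuration based on metadata" // {
+    default = true;
+  };
+  config = mkIf cfg.enable {
+    networking = {
+      inherit (net') hostId;
+      hostName = name;
+      domain = "${nodeMeta.site}.infra.lab.dgnum.eu";
+      useNetworkd = true;
+      firewall.logRefusedConnections = false;
+    };
+    systemd.network.networks = mapAttrs' mkInterface net'.interfaces;
+  };
+}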
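Review bot: `firewall.logRefusedConnections = false` switches off the kernel log line for every refused connection on all nodes that keep `lab-network.enable` at its default of `true`; that is a detection signal worth keeping unless there is a log-volume reason, so either leave the NixOS default or add a comment stating the reason, e.g. `# Disabled: refused-connection logging floods the journal on the routers`. `mkInterface` does `inherit (net) DHCP dns` and `net.ipv4 ++ net.ipv6`, so every interface under `meta.network.<name>.interfaces` must carry all four attributes; several entries in meta/network.nix (homebox01, status01) define neither `dns` nor `DHCP`, so this presumably relies on defaults declared in meta/options.nix — confirm, otherwise evaluation fails for those hosts. Those same entries set `enableDefaultDNS`, which this module never reads, and modules/default.nix now sets `dgn-network.enable = false`, so they may end up with no resolver configured — worth checking on a deployed host.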


@ -0,0 +1,112 @@
# Copyright :
# - Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
#
# Ce logiciel est un programme informatique servant à déployer des
# configurations de serveurs via NixOS.
#
# Ce logiciel est régi par la licence CeCILL soumise au droit français et
# respectant les principes de diffusion des logiciels libres. Vous pouvez
# utiliser, modifier et/ou redistribuer ce programme sous les conditions
# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
# sur le site "http://www.cecill.info".
#
# En contrepartie de l'accessibilité au code source et des droits de copie,
# de modification et de redistribution accordés par cette licence, il n'est
# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
# seule une responsabilité restreinte pèse sur l'auteur du programme, le
# titulaire des droits patrimoniaux et les concédants successifs.
#
# A cet égard l'attention de l'utilisateur est attirée sur les risques
# associés au chargement, à l'utilisation, à la modification et/ou au
# développement et à la reproduction du logiciel par l'utilisateur étant
# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
# manipuler et qui le réserve donc à des développeurs et des professionnels
# avertis possédant des connaissances informatiques approfondies. Les
# utilisateurs sont donc invités à charger et tester l'adéquation du
# logiciel à leurs besoins dans des conditions permettant d'assurer la
# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
#
# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
# pris connaissance de la licence CeCILL, et que vous en avez accepté les
# termes.
{ config, lib, ... }:
let
inherit (lib)
mkOption
types
mkEnableOption
mkIf
;
cfg = config.lab-routexp;
in
{
options.lab-routexp = {
enable = mkEnableOption "Routing experimentation settings.";
connections = mkOption {
type = types.listOf types.int;
default = { };
description = "Interface -> Address/CIDR map";
};
id = mkOption {
type = types.int;
description = "machine id";
};
};
config = mkIf cfg.enable {
virtualisation.proxmox = {
node = "krz01";
autoInstall = true;
vmid = 150 + config.lab-routexp.id;
bios = "ovmf";
memory = 4096;
cores = 2;
net =
[
{
model = "virtio";
bridge = "vmbr1";
tag = 2520;
}
]
++ builtins.map (vlan: {
model = "virtio";
bridge = "vmbr1";
tag = vlan;
}) cfg.connections;
scsi = [ { file = "zfs-noraid:16"; } ]; # This will create a 16GB volume in 'local'
};
systemd.network = {
networks =
builtins.listToAttrs (
lib.imap0 (i: vlan: {
name = "20-ens${builtins.toString (20 + i)}";
value = {
name = "ens${builtins.toString (20 + i)}";
address = [ "fdfd:1794:0:${builtins.toString vlan}::${builtins.toString cfg.id}/64" ];
};
}) cfg.connections
)
// {
"20-babel-local" = {
name = "babel-local";
address = [ "fdfd:1794::${builtins.toString cfg.id}/64" ];
};
};
netdevs = {
"babel-local" = {
netdevConfig = {
Name = "babel-local";
Kind = "dummy";
};
};
};
};
};
}
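Review bot: `connections` is declared `type = types.listOf types.int` but its `default = { }` is an attribute set, so any host that enables the module without setting `connections` fails the option type check (and `builtins.map` over it would fail as well); it should be `default = [ ];`. The description `Interface -> Address/CIDR map` describes something else — the value is the list of VLAN tags to attach, with one `ensNN` interface and one `fdfd:1794:0:<vlan>::<id>/64` address created per entry — so change it to `VLAN tags to attach to the VM; one interface and one ULA prefix per tag`. Minor: `vmid = 150 + config.lab-routexp.id` should use `cfg.id` like the rest of the block, and the CeCILL header credits a 2023 copyright on a file added in this commit — confirm that is intended.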

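--- a/nixmoxer.conf
+++ b/nixmoxer.conf
@@ -0,0 +1,7 @@
+# nixmoxer.conf
+host=krz01.dgnum:8006
+user=root@pam
+password=7GsnLcPfXV4OzHg3wo1e2zWphek0
+#token_value=971e236f-60f3-445c-b574-142230409312
+#token_name=nixmoxer-maurice
+verify_ssl=0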
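Review bot: This file commits the Proxmox `root@pam` password for krz01 in plaintext (`password=...`) together with `verify_ssl=0`; anyone with read access to the repository — and to its forks, this one included — now holds a root credential for the hypervisor, and the disabled certificate check lets an on-path host impersonate the API during deployments. Treat the password as compromised: rotate it, remove it from the history, and replace it with an API token (the commented `token_name`/`token_value` lines show nixmoxer supports one) limited to the VM-management permissions the `lab-routexp` module needs, delivered through the agenix secrets mechanism this repository already uses instead of a tracked file. Set `verify_ssl=1` (installing a trusted certificate on krz01 if its current one is self-signed) and add `nixmoxer.conf` to `.gitignore` so a local copy cannot be re-committed.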


@ -25,10 +25,25 @@
"pre_releases": false, "pre_releases": false,
"version_upper_bound": null, "version_upper_bound": null,
"release_prefix": null, "release_prefix": null,
"version": "v1.8.0", "version": "v1.9.0",
"revision": "624fd86460e482017ed9c3c3c55a3758c06a4e7f", "revision": "49a4936cee640e27d74baee6fd1278285d29b100",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.0", "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
"hash": "06ifryv6rw25cz8zda4isczajdgrvcl3aqr145p8njxx5jya2d77" "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
},
"dns-nix": {
"type": "GitRelease",
"repository": {
"type": "GitHub",
"owner": "nix-community",
"repo": "dns.nix"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v1.2.0",
"revision": "a3196708a56dee76186a9415c187473b94e6cbae",
"url": "https://api.github.com/repos/nix-community/dns.nix/tarball/v1.2.0",
"hash": "011b6ahj4qcf7jw009qgbf6k5dvjmgls88khwzgjr9kxlgbypb90"
}, },
"git-hooks": { "git-hooks": {
"type": "Git", "type": "Git",
@ -38,9 +53,9 @@
"repo": "git-hooks.nix" "repo": "git-hooks.nix"
}, },
"branch": "master", "branch": "master",
"revision": "1211305a5b237771e13fcca0c51e60ad47326a9a", "revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"url": "https://github.com/cachix/git-hooks.nix/archive/1211305a5b237771e13fcca0c51e60ad47326a9a.tar.gz", "url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz",
"hash": "1qz8d9g7rhwjk4p2x0rx59alsf0dpjrb6kpzs681gi3rjr685ivq" "hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw"
}, },
"infrastructure": { "infrastructure": {
"type": "Git", "type": "Git",
@ -49,9 +64,9 @@
"url": "https://git.dgnum.eu/DGNum/infrastructure" "url": "https://git.dgnum.eu/DGNum/infrastructure"
}, },
"branch": "main", "branch": "main",
"revision": "45f2f5905506ad7523bde63ae94d0a3dc19dd604", "revision": "32f68a54a92b3742030d43cb0402ea9de332a004",
"url": null, "url": null,
"hash": "171rwwvx4mq01g1c2rhn6v4hyv5c8g2jzzxmff4qz70yzlhs8806" "hash": "1wk0wwa74gq35rx77jannkz2y1zlqz2v7ngm0sn6zj9mx9wwp0b2"
}, },
"lix": { "lix": {
"type": "Git", "type": "Git",
@ -60,9 +75,9 @@
"url": "https://git.lix.systems/lix-project/lix.git" "url": "https://git.lix.systems/lix-project/lix.git"
}, },
"branch": "main", "branch": "main",
"revision": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6", "revision": "f116608a20430b8484814300cdf22eebeb75a59f",
"url": null, "url": null,
"hash": "05kxga8fs9h4qm0yvp5l7jvsda7hzqs7rvxcn8r52dqg3c80hva9" "hash": "0hhjx3vk7rchkb4njhsf4vk2f7ipkpqb9jvywm0xcbpwa08xffis"
}, },
"lix-module": { "lix-module": {
"type": "Git", "type": "Git",
@ -71,9 +86,9 @@
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
}, },
"branch": "main", "branch": "main",
"revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d", "revision": "aa2846680fa9a2032939d720487942567fd9eb63",
"url": null, "url": null,
"hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f" "hash": "0gb174800sgh6y6sir23nxsx85xrk478hbwqbzyd46ac34clz9wz"
}, },
"lon": { "lon": {
"type": "Git", "type": "Git",
@ -106,9 +121,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git" "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
}, },
"branch": "main", "branch": "main",
"revision": "2fd7c7810b2a901020ddd2d0cc82810b83a313fc", "revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361",
"url": null, "url": null,
"hash": "0rag870ll745r5isnk6hlxv0b0sbgriba5k6nihahcwsal2f4830" "hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn"
}, },
"nix-patches": { "nix-patches": {
"type": "GitRelease", "type": "GitRelease",
@ -131,9 +146,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
}, },
"branch": "main", "branch": "main",
"revision": "0e80d4dcdd54a75556c0784de55dc139ad4fe797", "revision": "3ab3e49269d9e2536c8c5f78d4da673d7a3f5286",
"url": null, "url": null,
"hash": "1hlb0cczxq0jrzw4lhmkibnb8skcar0rmny594aqgyikknwzx2qf" "hash": "0b4k0gchxcdlmvs88403hdbidsxswigzxswcba7a3fxz9d884c4y"
}, },
"nixos-23.11": { "nixos-23.11": {
"type": "Channel", "type": "Channel",
@ -144,8 +159,8 @@
"nixos-24.05": { "nixos-24.05": {
"type": "Channel", "type": "Channel",
"name": "nixos-24.05", "name": "nixos-24.05",
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5518.ecbc1ca8ffd6/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
"hash": "1yr2v17d8jg9567rvadv62bpr6i47fp73by2454yjxh1m9ric2cm" "hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
}, },
"nixos-generators": { "nixos-generators": {
"type": "Git", "type": "Git",
@ -155,21 +170,21 @@
"repo": "nixos-generators" "repo": "nixos-generators"
}, },
"branch": "master", "branch": "master",
"revision": "9ae128172f823956e54947fe471bc6dfa670ecb4", "revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
"url": "https://github.com/nix-community/nixos-generators/archive/9ae128172f823956e54947fe471bc6dfa670ecb4.tar.gz", "url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz",
"hash": "1zn3lykymimzh21q4fixw6ql42n8j82dqwm5axifhcnl8dsdgrvr" "hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4"
}, },
"nixos-unstable": { "nixos-unstable": {
"type": "Channel", "type": "Channel",
"name": "nixos-unstable", "name": "nixos-unstable",
"url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre688563.bc947f541ae5/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta723344.d3c42f187194/nixexprs.tar.xz",
"hash": "1jsaxwi128fiach3dj8rdj5agqivsr4sidb8lmdnl7g07fl9x0kj" "hash": "0kwwzcza46ygfvrhhbnc7x02z3qw3zkyrjaxcdxmza0jzdv8gydj"
}, },
"nixpkgs": { "nixpkgs": {
"type": "Channel", "type": "Channel",
"name": "nixpkgs-unstable", "name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre689466.7d49afd36b55/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
"hash": "0r4zb6j8in4dk7gxciapfm49dqbdd0c7ajjzj9iy2xrrj5aj32qp" "hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
}, },
"proxmox-nixos": { "proxmox-nixos": {
"type": "Git", "type": "Git",
@ -179,9 +194,20 @@
"repo": "proxmox-nixos" "repo": "proxmox-nixos"
}, },
"branch": "main", "branch": "main",
"revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18", "revision": "15187a4c4ac50d1a38c734f72dd201a7eb504a89",
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz", "url": "https://github.com/SaumonNet/proxmox-nixos/archive/15187a4c4ac50d1a38c734f72dd201a7eb504a89.tar.gz",
"hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4" "hash": "1scyza59y0kfjhl5chsl53l61p0dv5ymb4k7bq8grg9nla4aj7f2"
},
"stateless-uptime-kuma": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/stateless-uptime-kuma"
},
"branch": "master",
"revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
"url": null,
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
} }
}, },
"version": 3 "version": 3