feat(bridge02): Initialize and add instructions to the README

README.md

@@ -8,3 +8,97 @@ Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.
 You're expected to read this document before commiting to the repo.
 
 Some documentation for the development tools are provided in the aforementioned file.
+
+# Adding a new machine
+
+The first step is to create a minimal viable NixOS host, using tha means necessary.
+The second step is to find a name for this host, it must be unique from the other hosts.
+
+> [!TIP]
+> For the rest of this part, we assume that the host is named `host02`
+
+## Download the keys
+
+The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
+
+It can be retreived with :
+
+```bash
+ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
+```
+
+## Initialize the machine folder and configuration
+
+- Create a folder `host02` under `machines/`
+- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
+- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
+
+```nix
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
+```
+
+## Fill in the metadata
+
+### Network configuration
+
+The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
+
+```bash
+head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
+```
+
+### Other details
+
+The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
+
+- `site`, where the node is physically located
+- `stateVersion`
+- `nixpkgs`, the nixpkgs version to use
+
+## Initialize secrets
+
+Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
+
+```nix
+let
+  lib = import ../../../lib { };
+in
+
+lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
+```
+
+This will be used for future secret management.
+
+## Update encrypted files
+
+Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
+
+```bash
+agenix -r
+```
+
+## Commit and create a PR
+
+Once all of this is done, check that the configuration builds correctly :
+
+```bash
+colmena build --on host02
+```
+
+Apply it, and create a Pull Request.

keys/machines/bridge01.keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7

machines/bridge01/_configuration.nix

@@ -0,0 +1,20 @@
+{ lib, pkgs, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "network"
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+
+    environment.systemPackages = [ pkgs.bcachefs-tools ];
+  };
+
+  root = ./.;
+}

machines/bridge01/_hardware-configuration.nix

@@ -0,0 +1,53 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, pkgs, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ehci_pci"
+        "ahci"
+        "sd_mod"
+        "sr_mod"
+      ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    supportedFilesystems.bcachefs = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
+      fsType = "bcachefs";
+      options = [ "compression=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/4D0A-AF11";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
+  # networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+}

machines/bridge01/network.nix

@@ -0,0 +1,79 @@
+_:
+
+{
+  networking = {
+    useNetworkd = true;
+    useDHCP = false;
+
+    nftables.enable = true;
+    firewall.allowedUDPPorts = [ 67 ];
+  };
+
+  systemd.network = {
+    networks = {
+      "10-eno1" = {
+        name = "eno1";
+        networkConfig = {
+          VLAN = [
+            "vlan-admin"
+            "vlan-uplink-oob"
+          ];
+
+          LinkLocalAddressing = false;
+          LLDP = false;
+          EmitLLDP = false;
+          IPv6AcceptRA = false;
+          IPv6SendRA = false;
+        };
+        # address = [ "192.168.222.1/24" ];
+      };
+
+      "10-vlan-admin" = {
+        name = "vlan-admin";
+        # DHCP for the BMC
+        networkConfig.DHCPServer = "yes";
+
+        dhcpServerConfig = {
+          PoolOffset = 128;
+          EmitDNS = false;
+          EmitNTP = false;
+          EmitSIP = false;
+          EmitPOP3 = false;
+          EmitSMTP = false;
+          EmitLPR = false;
+          UplinkInterface = ":none";
+        };
+
+        address = [
+          "fd26:baf9:d250:8000::ffff/64"
+          "192.168.222.1/24"
+        ];
+      };
+
+      "10-vlan-uplink-oob" = {
+        name = "vlan-uplink-oob";
+        networkConfig.DHCP = "ipv4";
+      };
+    };
+
+    netdevs = {
+      "10-vlan-admin" = {
+        netdevConfig = {
+          Name = "vlan-admin";
+          Kind = "vlan";
+        };
+
+        vlanConfig.Id = 3000;
+      };
+
+      "10-vlan-uplink-oob" = {
+        netdevConfig = {
+          Name = "vlan-uplink-oob";
+          Kind = "vlan";
+        };
+
+        vlanConfig.Id = 500;
+      };
+    };
+  };
+}

machines/bridge01/secrets/secrets.nix

@@ -0,0 +1,5 @@
+let
+  lib = import ../../../lib { };
+in
+
+lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]

meta/network.nix

@@ -1,4 +1,10 @@
 {
+  bridge01 = {
+    hostId = "f57f3ba0";
+
+    interfaces = { };
+  };
+
   compute01 = {
     interfaces = {
       eno1 = {

meta/nodes.nix

@@ -19,6 +19,22 @@
   - luj01 -> VM de Luj
 */
 {
+  bridge01 = {
+    site = "hyp01";
+
+    stateVersion = "24.05";
+
+    adminGroups = [ "fai" ];
+
+    deployment = {
+      targetHost = "fd26:baf9:d250:8000::ffff";
+      sshOptions = [
+        "-J"
+        "vault01.hyp01.infra.dgnum.eu"
+      ];
+    };
+  };
+
   web01 = {
     site = "rat01";
 

modules/dgn-records/__arkheon-token_file

@@ -1,42 +1,44 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA K2855nHVjrWY+Do/Iz8whCnQYMYl6QCMlBClpTRf4TI
+-> ssh-ed25519 jIXfPA FhSZKBAccqBqfeayNqY3fhYSi+0NMxsxS3WsdvuVu2M
-LTRqDw9oukc2JA8DKqJSMfXeOJZCITpV6Gkh0tC4RC8
+xT37RUaShiHdPBUnjWntSY43LqXsR8Pgz5kUZ/mgz2w
--> ssh-ed25519 QlRB9Q xeLR2Pt8t5kC10g2aMIxTNbrNJN4j4mBlC6cidqy4BQ
+-> ssh-ed25519 QlRB9Q xwok3cJ6SlGxlGi/UesKHVf+O4q9mn7btLweXJzeknI
-HSrxWUWxRCmLVrXy9C9zYP8jc7rRMKvN4YgKp82rAgQ
+LrigakDhwhHCHEaJ0eQx6TIke9vYLqXwwaUjusWOvSk
--> ssh-ed25519 r+nK/Q Q2YybcpErKl8IfT3hoewrAOLJnC/rRgnZPa3RBampSE
+-> ssh-ed25519 r+nK/Q DS8/iUfczVGxB/Hl6EkweNAGSM0ZhWqrFy4xn82QNH8
-enGIkp9ZAz/J/KdiKg0ZVCvsHKi2f8+THb6wpJ9MVm8
+0Z8KOLZtxh2c0JTeiPbz3ZDF3CYrDs7bmwKjjemTs0o
 -> ssh-rsa krWCLQ
-nQAoYm+rR20EFbXEE/F0Dks6kQP2JdA904j2e7FfQEd1i6pA6mPcbuy1IslgRd1R
+CDqVAHHD/1keQdgJZX5/hkiYMpZae1MocI5LjtWWg+QDkw1Bp6bNZLou8Uc2RG0H
-UjJzHamUGO91bNSqQI/+6l2883JJVwazNxgY8pZaWC7BzGYlfDITTTQm9ITPd7Eg
+xZIB+z1XSXf7iMla5l7RWbW+g61T38QKWoAwvAGFz+XOstBTDY4bWgSv1g6vm+6x
-7W4DAcrf1h5EU7GZfsGXgFtcnLPCBGRsPoAIbeS2hN6JcQP8c66Ubizt7eIOqFab
+XuQLxCkj4cmy3dUsvaiiQXsstuMGOWSUbp2OQWfErzoVegHVCr/XKSAI1vMwQOWN
-880k+cjjJXespuMODavBzFJCshQJwezYcH0S26vyVAF1UJk3H2Yuj1lI+ofT69ef
+9tJUJCKEo2DTr5OmIL7kSWguVZYy77ta7JxmGbPrNQ7LJuRoZkUgX4V37SFgDKN4
-0k+bhG/dC0axlQaym3N7CvAZ8XibjydXCdJjk8u3z54p5Sv89MZMJHaNb5rvcbzY
+QgpupxXP/3oDhDSzZYbS6Fw+b7U01BwPyziY1kOYztv2qSoBJFMVtZS3oJEu4ChU
-CBQRMjHWLFfVhTKvBt1OwA
+7MRHaN15cGZRsC5zIQAg9w
--> ssh-ed25519 /vwQcQ SXuM/Ssc11v/IGgZbSRiNvtAQvVcLa7PB3xm9mcOX0Q
+-> ssh-ed25519 /vwQcQ ZPWBCoQ7imVFfTkUYrp4NGRnz3vskNtMgbV41F1s8BE
-xH+65+t3XbnXxPk8ha+i4PuIKvevJ0yHPZofFX/yw60
+oTrgDNisd8Sqmxo0ZDpVSO5iURWNLrIlKABjys+gHhw
--> ssh-ed25519 0R97PA UQK8FggCF5e0ePV5TsctCzdzDh+xIleJkhRRNMn/8EE
+-> ssh-ed25519 0R97PA CgUUW9m8+M1rpsCPAPyRC8VKvilDKMA8VkDqqDfbpAs
-+wpRiZFeUhUyV7nVKNu71X5jPmzMNDSVp1IWDw5aeOs
+qJ/pa3VLh6650lDN5YPyYtxsDYMiRyTtK1yu+JeF3ww
--> ssh-ed25519 JGx7Ng HE1LAFeYk2HmuYoYrHtO1zhTKjPhfyNF0h4JjRgGwzA
+-> ssh-ed25519 JGx7Ng r8OMU9Grvd8yxzzUzeEH4iCPp8NBHVcQKQe13AJOKjE
-6VS4Oa70W6ZCKmbBWQ9vSHdy6W8RpFfX7mqQ53anfO8
+eYC+/VMsoetiVFTGdlAL3xDDe6WziBYU4Fr6XN/HlJI
--> ssh-ed25519 5SY7Kg dXmbbDbI859IYD0jf3PAVPFmMq0zV6Lwvte4jUBkSBs
+-> ssh-ed25519 5SY7Kg 4T4xlrNW8yqI23A3GH7dRDyhbUA62ldS2/R7YCsHz0U
-UfV7hAYLtTSeyLskbwh9Jj9vjJpvwydsdsKmgtiK+hw
+ukewT84UtQcAQNNSNogi3WOjoNeA7p50D1JHJ+39lYs
--> ssh-ed25519 p/Mg4Q /3jLavRHKgo5Oz+kKVwKHOmJVV7JbxxE3Y1DstD1OHI
+-> ssh-ed25519 p/Mg4Q EBlu4oYIa4hX5mGExy2xwyHbnDli9xY7MebUOr+hTzw
-tvhr/65+l7X9R8GmXNPB9Dwu0dtbQNcs+MUXgDRC+Xk
+TqmNgHL1xxyI+i4h3KgskVsWrlYUnuT5MJWcYj2crps
--> ssh-ed25519 tDqJRg xYM5dqCmh53artXhIfUvsmjwRzLxZQO+/tampI2RbSY
+-> ssh-ed25519 DqHxWQ KiCWC6eJOUScSlPNpC2G2FbfD/fQ2b14KHhuw+QKNTI
-LSRsicMA7S8xdPYzh3lIEneazrGrRhjuQdN1I27YbV0
+Un89T6OXiXWTBZqwdXPvyckxcBIhp2wmC4A5723b/5g
--> ssh-ed25519 9pVK7Q 7dQilI3mmyb6F+gMp+z1i9Os6Prff5CLLbPUFvawTHk
+-> ssh-ed25519 tDqJRg k5YZwwURv21NC/0tt2r3CBuUPDhfO/Y7c3ISVhMGQkA
-GtlUtsE2sB/jr7H52qTQcRRKgqJ/f2bDNetYPF4oBPw
+sdm+SpychoEekD6JK6Wz2CCcfDpwPD6rlLyB3RJES08
--> ssh-ed25519 /BRpBQ 9dcoKWc+bTkmVkTxgwzJ6bhuUq39JWajYhD5vd+XAjU
+-> ssh-ed25519 9pVK7Q 2kUnZCmNsAu90KA+st/ZFnez8rg4zqIZ3AZQsqHW0y8
-ti+oXuQkM4QX7LFLjTyL52gsi8D1efU3sqC23jqTNrk
+YlCXQ5g8vnNboPVHdSKyrdwRNvjwp9VHP+RV2WP7z00
--> ssh-ed25519 +MNHsw VCfgC5V+1u3iaO0JqC6hnvngUJsg77wfsvoIiawcECc
+-> ssh-ed25519 /BRpBQ w+kqiukijvXdlvKdTfVvNYv6pLTifaZeagzU1VWQLwE
-9HCtIUt3vBccTkW6tub0GNU0gJ6Oxou5QgRly7kO370
+RKNPvu971viqMHBXpgE9D8L9ievWxIS5ANU8QADqwRY
--> ssh-ed25519 rHotTw 5e5Q+cjsNFq4KbqOA0KczyJEclHO5dyTJxsRvVZRvkc
+-> ssh-ed25519 +MNHsw m+K/VIApzxBfYxc4/dPod+9TwBBTrtGa/B28QhawAD8
-uavyfil+elUz3AQjIJ/UTaCpod2f4V7JWbYso3j+ePs
+gwJLtE5zIiNtKZ/YdroneSLLuZzvoAXaJYsqPzPkyLc
--> ssh-ed25519 +mFdtQ 07KoGFU7pAivpypZZ7g3o/l+jhi7aDyVO7qg4qJo1CQ
+-> ssh-ed25519 rHotTw NSgFCgFQxKc7DSrNq/77PAnAKxSG055gutF2aUUDLzA
-Zthd7uchFTYNb7c9/+isX8BbnN0m6G1eFuohxJrX0KQ
+uL3QhQHmtQrrUPllFtVf7QiLIMWkT0EYIokxUVkLMrc
--> ssh-ed25519 0IVRbA B1AUTNW9N30rr3MVFBfT/H9eivnjh6p6585/gxu+7SY
+-> ssh-ed25519 +mFdtQ otE9brZku3sOSb9IvvTW/eioWDFvMJlsxSUvOcPNwiU
-VZ0IqaGWSeqA7j3XP+B2HWXf2UYB5SpHImreAA7uqA8
+7vV6u7zLv2EfSz3qmY9Sboj2Z5LBwSTxrl4FWm3mYAs
--> ssh-ed25519 IY5FSQ c0v+PlVESbYTq87dAeYaZNnjY6eCUBIcvHM2ymwoX0g
+-> ssh-ed25519 0IVRbA kwQNIVhpFtgIlJAAoqk1fqUP9OHN9YGWcYXbT+/bHE0
-0i6eaJVVtljUQZvdd7y2tcKX6cObCxTE4OO0MEqHriQ
+gDOPJMeDI2eDx+emxUNSb/MW7IRPj8ni3mOLgZV9F0Y
---- gSYlbAC2ojK59TsNxtU9sAww3kpFfgOngL9+kdzx/to
+-> ssh-ed25519 IY5FSQ gtGe4X/Vx4oWn0IIUwv6qpWZ250slvT/QMdwVQQrsAQ
-#äÄ
‰Ì/áÉîÃÔL'€ÀM̨|H<>²ö(ðzpÝe0¶ê)¥ËÈ<>öŽèJÌ<4A>&©•¤<E280A2>@
+yeJ8+BibBiwq2944ruZdek/4tpAqyMnG0RsyzkXQpRg
+--- QhDkZSHLpgsvAUk5YhkhD8MNNX6Vlj7CWeQfJ6oEmk0
+|`ŸP!ùá+ôÃg&ói¤;¶šªâlÔNn„Äõ¬¸ç¤ °ü’4´kWó§#èƒ<C3A8><C692>±€w