fix(atticd): Don't chunk NARs as garage does it automatically

README.md

@@ -3,6 +3,8 @@
 The dgnum infrastructure.
 
 # Contributing
-Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
+
+Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
+You're expected to read this document before commiting to the repo.
 
 Some documentation for the development tools are provided in the aforementioned file.

iso/configuration.nix

@@ -3,7 +3,7 @@
 let
   dgn-lib = import ../lib { };
 
-  dgn-members = (import ../meta).members.groups.iso;
+  dgn-members = (import ../meta lib).members.groups.root;
 in
 
 {

keys/ecoppens.keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA

machines/storage01/atticd.nix

@@ -21,7 +21,7 @@ in
           #
           # If 0, chunking is disabled entirely for newly-uploaded NARs.
           # If 1, all NARs are chunked.
-          nar-size-threshold = 64 * 1024; # 64 KiB
+          nar-size-threshold = 0; # 64 KiB
 
           # The preferred minimum size of a chunk, in bytes
           min-size = 16 * 1024; # 16 KiB

machines/web01/redirections.nix

@@ -23,6 +23,8 @@ in
       "rdv.dgnum.eu" = "meet.dgnum.eu";
       "www.bda.ens.fr" = "bda.ens.fr";
       "bda.wp.dgnum.eu" = "bda.ens.fr";
+      "www.cineclub.ens.fr" = "cineclub.ens.fr";
+      "cineclub.wp.dgnum.eu" = "cineclub.ens.fr";
       "www.tuteurs.ens.fr" = "tuteurs.ens.fr";
       "www.interq.ens.fr" = "interq.ens.fr";
       "www.lanuit.ens.fr" = "lanuit.ens.fr";

machines/web01/wordpress/default.nix

@@ -42,7 +42,7 @@ in
         languages = [ pkgs.wordpressPackages.languages.fr_FR ];
       };
 
-      "cineclub.wp.dgnum.eu" = {
+      "cineclub.ens.fr" = {
         plugins = {
           inherit (wp4nix.plugins) user-role-editor;
         };

meta/nodes.nix

@@ -67,7 +67,7 @@
     stateVersion = "23.11";
     nixpkgs = "unstable";
 
-    admins = [ "catvayor" ];
+    adminGroups = [ "fai" ];
   };
 
   web02 = {

meta/options.nix

@@ -1,4 +1,4 @@
-{ lib, ... }@args:
+{ config, lib, ... }@args:
 
 let
   inherit (lib)
@@ -16,6 +16,7 @@ let
     nullOr
     str
     submodule
+    unspecified
     ;
 
   addressType =
@@ -32,6 +33,8 @@ let
         };
       };
     };
+
+  org = config.organization;
 in
 
 {
@@ -67,6 +70,39 @@ in
           Groups of the DGNum organization.
         '';
       };
+
+      external = mkOption {
+        type = attrsOf (listOf str);
+        description = ''
+          External services used by the DGNum organization.
+        '';
+      };
+
+      services = mkOption {
+        type = attrsOf (submodule {
+          options = {
+            admins = mkOption {
+              type = listOf str;
+              default = [ ];
+              description = ''
+                List of administrators of the service.
+              '';
+            };
+
+            adminGroups = mkOption {
+              type = listOf str;
+              default = [ ];
+              description = ''
+                List of administrator groups of the service.
+              '';
+            };
+          };
+        });
+        description = ''
+          Administrator access of the different DGNum services,
+          it is mainly indicative as most services cannot configure this statically.
+        '';
+      };
     };
 
     nodes = mkOption {
@@ -268,5 +304,75 @@ in
         Network configuration for the different machines.
       '';
     };
+
+    assertions = mkOption {
+      type = listOf unspecified;
+      internal = true;
+      default = [ ];
+      description = ''
+        This option allows modules to express conditions that must
+        hold for the evaluation of the system configuration to
+        succeed, along with associated error messages for the user.
+      '';
+    };
   };
+
+  config =
+    let
+      members = builtins.attrNames org.members;
+      groups = builtins.attrNames org.groups;
+
+      nameExists =
+        list: f: groups:
+        builtins.attrValues (
+          builtins.mapAttrs (name: members: {
+            assertion = builtins.all (x: builtins.elem x list) members;
+            message = f name;
+          }) groups
+        );
+
+      membersExists = nameExists members;
+      groupsExists = nameExists groups;
+
+      extract = name: builtins.mapAttrs (_: builtins.getAttr name);
+    in
+    {
+      assertions = builtins.concatLists [
+        # Check that all group members exist
+        (membersExists (
+          name: "A member of the ${name} group was not found in the members list."
+        ) org.groups)
+
+        # Check that all node admins exist
+        (membersExists (name: "A member of the node ${name} admins was not found in the members list.") (
+          extract "admins" config.nodes
+        ))
+
+        # Check that all node adminGroups exist
+        (groupsExists (name: "A member of the node ${name} adminGroups was not found in the groups list.") (
+          extract "adminGroups" config.nodes
+        ))
+
+        # Check that all services admins exist
+        (membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
+          extract "admins" org.services
+        ))
+
+        # Check that all services adminGroups exist
+        (groupsExists (
+          name: "A member of the service ${name} adminGroups was not found in the groups list."
+        ) (extract "adminGroups" org.services))
+
+        # Check that all external services admins exist
+        (membersExists (
+          name: "A member of the external service ${name} admins was not found in the members list."
+        ) org.external)
+
+        # Check that all members have a keyFile
+        (builtins.map (name: {
+          assertion = builtins.pathExists "${builtins.toString ../keys}/${name}.keys";
+          message = "No ssh keys file found for ${name}.";
+        }) members)
+      ];
+    };
 }

meta/organization.nix

@@ -5,33 +5,39 @@
 
 {
   members = {
+    catvayor = {
+      name = "Lubin Bailly";
+      email = "catvayor@dgnum.eu";
+    };
+
+    ecoppens = {
+      name = "Elias Coppens";
+      email = "ecoppens@dgnum.eu";
+    };
+
+    jemagius = {
+      name = "Jean-Marc Gailis";
+      email = "jm@dgnum.eu";
+    };
+
+    luj = {
+      name = "Julien Malka";
+      email = "luj@dgnum.eu";
+    };
+
     mdebray = {
       name = "Maurice Debray";
       email = "maurice.debray@dgnum.eu";
     };
 
-    thubrecht = {
-      name = "Tom Hubrecht";
-      email = "tom.hubrecht@dgnum.eu";
-    };
-
     raito = {
       name = "Ryan Lahfa";
       email = "ryan@dgnum.eu";
     };
 
-    jemagius = {
-      name = "Jean-Marc Gailis";
-      email = "jm@dgnum.eu";
-    };
-    luj = {
-      name = "Julien Malka";
-      email = "luj@dgnum.eu";
-    };
-
-    catvayor = {
-      name = "Lubin Bailly";
-      email = "catvayor@dgnum.eu";
+    thubrecht = {
+      name = "Tom Hubrecht";
+      email = "tom.hubrecht@dgnum.eu";
     };
   };
 
@@ -44,17 +50,44 @@
       "luj"
     ];
 
-    # members of this group will have root access on the installation isos
-    iso = [
+    # members of this group are root on the fai infrastructure
+    fai = [
+      "catvayor"
+      "ecoppens"
+    ];
+  };
+
+  external = {
+    dns = [
       "thubrecht"
-      "mdebray"
       "raito"
-      "luj"
     ];
 
-    # members of this group can access netbox's secret
-    netbox = [ ];
+    email = [ "raito" ];
 
-    bureau = [ "gdd" ];
+    irc = [ "raito" ];
+  };
+
+  services = {
+    # Démarches Normaliennes
+    ds-fr.admins = [
+      "thubrecht"
+      "jemagius"
+    ];
+
+    # Cloud DGNum
+    nextcloud.admins = [
+      "thubrecht"
+      "raito"
+    ];
+
+    # Netbox DGNum
+    netbox.adminGroups = [
+      "root"
+      "fai"
+    ];
+
+    # Videos DGNum
+    peertube.admins = [ "thubrecht" ];
   };
 }

meta/verify.nix

@@ -14,7 +14,19 @@ let
 in
 
 {
-  meta = pkgs.writers.writeJSON "meta.json" ((import ./.) pkgs.lib);
+  meta =
+    let
+      config = (import ./.) pkgs.lib;
+      failed = builtins.map (x: "- ${x.message}") (builtins.filter (x: !x.assertion) config.assertions);
+    in
+    if (failed != [ ]) then
+      throw ''
+
+        Failed assertions:
+        ${builtins.concatStringsSep "\n" failed}
+      ''
+    else
+      pkgs.writers.writeJSON "meta.json" config;
 
   dns = dns.util.${builtins.currentSystem}.writeZone "dgnum.eu" (
     pkgs.lib.recursiveUpdate { SOA.serial = 0; } (import ./dns.nix { inherit dns lib; })