forked from DGNum/infrastructure
Ryan Lahfa
344cc26d8e
Our colmena knows how to deal with families of system types, e.g. NixOS systems or Liminix-based systems. This is a step 1 towards supporting our APs in our infrastructure. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
411 lines
12 KiB
Nix
411 lines
12 KiB
Nix
{ config, lib, ... }@args:
|
|
|
|
let
|
|
inherit (lib)
|
|
mkEnableOption
|
|
mkDefault
|
|
mkIf
|
|
mkOption
|
|
;
|
|
|
|
inherit (lib.types)
|
|
attrs
|
|
attrsOf
|
|
enum
|
|
ints
|
|
listOf
|
|
nullOr
|
|
str
|
|
submodule
|
|
unspecified
|
|
;
|
|
|
|
addressType =
|
|
max:
|
|
submodule {
|
|
options = {
|
|
address = mkOption {
|
|
type = str;
|
|
description = "IP address.";
|
|
};
|
|
prefixLength = mkOption {
|
|
type = ints.between 8 max;
|
|
description = "Length of the prefix used in the local network.";
|
|
};
|
|
};
|
|
};
|
|
|
|
org = config.organization;
|
|
nixpkgs = import ./nixpkgs.nix;
|
|
in
|
|
|
|
{
|
|
options = {
|
|
organization = {
|
|
members = mkOption {
|
|
type = attrsOf (
|
|
submodule (
|
|
{ name, ... }:
|
|
{
|
|
options = {
|
|
name = mkOption {
|
|
type = str;
|
|
description = ''
|
|
Name of the member.
|
|
'';
|
|
};
|
|
|
|
email = mkOption {
|
|
type = str;
|
|
description = ''
|
|
Main e-mail address of the member.
|
|
'';
|
|
};
|
|
|
|
username = mkOption {
|
|
type = str;
|
|
default = name;
|
|
description = ''
|
|
The username used for authentication.
|
|
WARNING: Must be the same as the ens login!
|
|
'';
|
|
};
|
|
};
|
|
}
|
|
)
|
|
);
|
|
|
|
description = ''
|
|
Members of the DGNum organization.
|
|
'';
|
|
};
|
|
|
|
groups = mkOption {
|
|
type = attrsOf (listOf str);
|
|
description = ''
|
|
Groups of the DGNum organization.
|
|
'';
|
|
};
|
|
|
|
external = mkOption {
|
|
type = attrsOf (listOf str);
|
|
description = ''
|
|
External services used by the DGNum organization.
|
|
'';
|
|
};
|
|
|
|
services = mkOption {
|
|
type = attrsOf (submodule {
|
|
options = {
|
|
admins = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of administrators of the service.
|
|
'';
|
|
};
|
|
|
|
adminGroups = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of administrator groups of the service.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
description = ''
|
|
Administrator access of the different DGNum services,
|
|
it is mainly indicative as most services cannot configure this statically.
|
|
'';
|
|
};
|
|
};
|
|
|
|
nodes = mkOption {
|
|
type = attrsOf (
|
|
submodule (
|
|
{ config, name, ... }:
|
|
{
|
|
options = {
|
|
deployment = mkOption {
|
|
type = attrs;
|
|
default = { };
|
|
};
|
|
|
|
stateVersion = mkOption {
|
|
type = str;
|
|
description = ''
|
|
State version of the node.
|
|
'';
|
|
};
|
|
|
|
nixpkgs = {
|
|
version = mkOption {
|
|
type = enum nixpkgs.versions.supported;
|
|
inherit (nixpkgs.versions) default;
|
|
description = ''
|
|
Version of nixpkgs to use.
|
|
'';
|
|
};
|
|
system = mkOption {
|
|
type = enum nixpkgs.systems.supported;
|
|
inherit (nixpkgs.systems) default;
|
|
description = ''
|
|
Type of system for this node, will impact how it is evaluated and deployed.
|
|
'';
|
|
example = "zyxel-nwa50ax";
|
|
};
|
|
};
|
|
|
|
nix-modules = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of modules to import from [nix-modules](https://git.hubrecht.ovh/hubrecht/nix-modules).
|
|
'';
|
|
};
|
|
|
|
hashedPassword = mkOption {
|
|
type = str;
|
|
description = ''
|
|
The hashed password for the root account.
|
|
'';
|
|
};
|
|
|
|
admins = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of members to be given root access to this node.
|
|
'';
|
|
};
|
|
|
|
adminGroups = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of groups to be given root access to this node.
|
|
'';
|
|
};
|
|
|
|
site = mkOption {
|
|
type = str;
|
|
description = ''
|
|
Geographical site where the node is located.
|
|
'';
|
|
};
|
|
|
|
vm-cluster = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
description = "VM cluster where the VM is located";
|
|
};
|
|
};
|
|
|
|
config = {
|
|
deployment = {
|
|
tags = [ "infra-${config.site}" ];
|
|
targetHost =
|
|
let
|
|
ip = with args.config.network.${name}.addresses; ipv4 ++ ipv6;
|
|
in
|
|
mkIf (ip != [ ]) (mkDefault (builtins.head ip));
|
|
};
|
|
};
|
|
}
|
|
)
|
|
);
|
|
description = ''
|
|
Nodes of the infrastructure.
|
|
'';
|
|
};
|
|
|
|
network = mkOption {
|
|
type = attrsOf (
|
|
submodule (
|
|
{ config, ... }:
|
|
{
|
|
options = {
|
|
interfaces = mkOption {
|
|
type = attrsOf (
|
|
submodule (
|
|
{ config, ... }:
|
|
{
|
|
options = {
|
|
ipv4 = mkOption {
|
|
type = listOf (addressType 32);
|
|
default = [ ];
|
|
description = ''
|
|
List of ipv4 addresses assigned to the interface.
|
|
'';
|
|
};
|
|
|
|
ipv6 = mkOption {
|
|
type = listOf (addressType 64);
|
|
default = [ ];
|
|
description = ''
|
|
List of ipv6 addresses assigned to the interface.
|
|
'';
|
|
};
|
|
|
|
gateways = mkOption {
|
|
type = listOf str;
|
|
description = ''
|
|
List of gateways used by the interface.
|
|
'';
|
|
};
|
|
|
|
DHCP = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
description = "Whether to enable DHCP on the interface.";
|
|
};
|
|
|
|
dns = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
};
|
|
|
|
enableDefaultDNS = mkEnableOption "default DNS servers.";
|
|
};
|
|
|
|
config.dns = mkIf config.enableDefaultDNS [
|
|
"1.1.1.1#cloudflare-dns.com"
|
|
"8.8.8.8#dns.google"
|
|
"1.0.0.1#cloudflare-dns.com"
|
|
"8.8.4.4#dns.google"
|
|
"2606:4700:4700::1111#cloudflare-dns.com"
|
|
"2001:4860:4860::8888#dns.google"
|
|
"2606:4700:4700::1001#cloudflare-dns.com"
|
|
"2001:4860:4860::8844#dns.google"
|
|
];
|
|
}
|
|
)
|
|
);
|
|
};
|
|
|
|
addresses = {
|
|
ipv4 = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of public ipv4 addresses of the node.
|
|
'';
|
|
};
|
|
|
|
ipv6 = mkOption {
|
|
type = listOf str;
|
|
default = [ ];
|
|
description = ''
|
|
List of public ipv6 addresses of the node.
|
|
'';
|
|
};
|
|
};
|
|
|
|
hostId = mkOption {
|
|
type = str;
|
|
description = ''
|
|
Network Id of the node.
|
|
'';
|
|
};
|
|
|
|
netbirdIp = mkOption {
|
|
type = nullOr str;
|
|
description = ''
|
|
IP address of the node in the netbird network.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
getAddresses =
|
|
version: builtins.concatMap (int: builtins.map (builtins.getAttr "address") int.${version});
|
|
in
|
|
{
|
|
addresses = {
|
|
ipv4 = builtins.filter (ip: builtins.substring 0 7 ip != "192.168") (
|
|
getAddresses "ipv4" (builtins.attrValues config.interfaces)
|
|
);
|
|
ipv6 = builtins.filter (_: true) ((getAddresses "ipv6") (builtins.attrValues config.interfaces));
|
|
};
|
|
};
|
|
}
|
|
)
|
|
);
|
|
description = ''
|
|
Network configuration for the different machines.
|
|
'';
|
|
};
|
|
|
|
assertions = mkOption {
|
|
type = listOf unspecified;
|
|
internal = true;
|
|
default = [ ];
|
|
description = ''
|
|
This option allows modules to express conditions that must
|
|
hold for the evaluation of the system configuration to
|
|
succeed, along with associated error messages for the user.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
members = builtins.attrNames org.members;
|
|
groups = builtins.attrNames org.groups;
|
|
|
|
nameExists =
|
|
list: f: groups:
|
|
builtins.attrValues (
|
|
builtins.mapAttrs (name: members: {
|
|
assertion = builtins.all (x: builtins.elem x list) members;
|
|
message = f name;
|
|
}) groups
|
|
);
|
|
|
|
membersExists = nameExists members;
|
|
groupsExists = nameExists groups;
|
|
|
|
extract = name: builtins.mapAttrs (_: builtins.getAttr name);
|
|
in
|
|
{
|
|
assertions = builtins.concatLists [
|
|
# Check that all group members exist
|
|
(membersExists (
|
|
name: "A member of the ${name} group was not found in the members list."
|
|
) org.groups)
|
|
|
|
# Check that all node admins exist
|
|
(membersExists (name: "A member of the node ${name} admins was not found in the members list.") (
|
|
extract "admins" config.nodes
|
|
))
|
|
|
|
# Check that all node adminGroups exist
|
|
(groupsExists (name: "A member of the node ${name} adminGroups was not found in the groups list.") (
|
|
extract "adminGroups" config.nodes
|
|
))
|
|
|
|
# Check that all services admins exist
|
|
(membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
|
|
extract "admins" org.services
|
|
))
|
|
|
|
# Check that all services adminGroups exist
|
|
(groupsExists (
|
|
name: "A member of the service ${name} adminGroups was not found in the groups list."
|
|
) (extract "adminGroups" org.services))
|
|
|
|
# Check that all external services admins exist
|
|
(membersExists (
|
|
name: "A member of the external service ${name} admins was not found in the members list."
|
|
) org.external)
|
|
|
|
# Check that all members have ssh keys
|
|
(builtins.map (name: {
|
|
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
|
|
message = "No ssh keys found for ${name}.";
|
|
}) members)
|
|
];
|
|
};
|
|
}
|