refactor: centralize production environment configuration

- Add network/dns.nix, network/time.nix, network/proxy.nix, network/smtp.nix
- Update network/default.nix to import new files
- Update dns01, dns02, rp01 to use centralized DNS parameters
- Update gaia workstation to use centralized time parameters
- Servers use en_US.UTF-8 (set in host configs), workstations use fr_FR.UTF-8

This centralizes environment-specific settings while keeping host-type-specific
settings (like locale) in the host configurations.

nixos-infra/environments/production/hosts/servers/dns01/configuration.nix

@@ -8,6 +8,8 @@ let
     url = "ssh://git@gitea.prod.lagraula.fr:2222/xavier/nixos-infra-framework.git";
     rev = frameworkRev;
   };
+  # Import environment-specific network parameters
+  env = import ../../../network { };
 in {
   imports = [
     # Module for LXC containers
@@ -21,17 +23,22 @@ in {
 
   # Host identity (IP address 10.40.128.10/16 assigned via DHCP reservation)
   networking.hostName = "dns01";
-  networking.domain = "prod.lagraula.fr";
+  networking.domain = env.dns.domain;
   networking.useDHCP = true;
 
   # Technitium DNS Server — primary DNS server
   services.dns = {
     enable = true;
-    recursion = "AllowOnlyForPrivateNetworks";
-    forwarders = [ "1.1.1.1" "8.8.8.8" ];
+    recursion = env.dns.recursion;
+    forwarders = env.dns.forwarders;
     # Uncomment and configure with agenix secret:
     # adminPasswordFile = config.age.secrets.dns-admin-password.path;
-    allowZoneTransfer = [ "10.40.128.11" ]; # Allow secondary to dns02
+    allowZoneTransfer = env.dns.allowZoneTransfer; # Allow secondary to dns02
     listenAddresses = [ "10.40.128.10" "127.0.0.1" "::1" ];
   };
-}
+
+  # Caddy-specific configuration (optional)
+  services.caddy = {
+    email = env.dns.letsEncryptEmail;  # Email for Let's Encrypt
+  };
+}

nixos-infra/environments/production/hosts/servers/dns02/configuration.nix

@@ -6,6 +6,8 @@ let
     url = "ssh://git@gitea.prod.lagraula.fr:2222/xavier/nixos-infra-framework.git";
     rev = frameworkRev;
   };
+  # Import environment-specific network parameters
+  env = import ../../../network { };
 in {
   imports = [
     # Module for LXC containers
@@ -19,16 +21,16 @@ in {
 
   # Host identity (IP address 10.40.128.11/16 assigned via DHCP reservation)
   networking.hostName = "dns02";
-  networking.domain = "prod.lagraula.fr";
+  networking.domain = env.dns.domain;
   networking.useDHCP = true;
 
   # Technitium DNS Server — secondary (replica) DNS server
   services.dns = {
     enable = true;
-    recursion = "AllowOnlyForPrivateNetworks";
-    forwarders = [ "1.1.1.1" "8.8.8.8" ];
+    recursion = env.dns.recursion;
+    forwarders = env.dns.forwarders;
     # Uncomment and configure with agenix secret:
     # adminPasswordFile = config.age.secrets.dns-admin-password.path;
     listenAddresses = [ "10.40.128.11" "127.0.0.1" "::1" ];
   };
-}
+}

nixos-infra/environments/production/hosts/servers/rp01/configuration.nix

@@ -6,6 +6,8 @@ let
     url = "ssh://git@gitea.prod.lagraula.fr:2222/xavier/nixos-infra-framework.git";
     rev = frameworkRev;
   };
+  # Import environment-specific network parameters
+  env = import ../../../network { };
 in {
   imports = [
     # Module for LXC containers
@@ -16,7 +18,7 @@ in {
 
   # Host identity (IP address assigned via DHCP reservation)
   networking.hostName = "rp01";
-  networking.domain = "prod.lagraula.fr";
+  networking.domain = env.dns.domain;
   networking.useDHCP = true;
 
   # Services to expose via the reverse proxy
@@ -28,6 +30,6 @@ in {
 
   # Caddy-specific configuration (optional)
   services.caddy = {
-    email = "xavier@lagraula.fr";  # Email for Let's Encrypt
+    email = env.dns.letsEncryptEmail;  # Email for Let's Encrypt
   };
-}
+}

nixos-infra/environments/production/hosts/workstations/gaia/configuration.nix

@@ -1,8 +1,21 @@
 { config, pkgs, lib, ... }:
 
-{
+let
+  # Import environment-specific network parameters
+  env = import ../../../network { };
+in {
   # Workstation configuration for gaia
   # TODO: Fill in workstation-specific settings
   networking.hostName = "gaia";
-  networking.domain = "prod.lagraula.fr";
-}
+  networking.domain = env.dns.domain;
+
+  # Time settings
+  time.timeZone = env.time.timeZone;
+  time.hardwareClock = env.time.hardwareClock;
+
+  # NTP settings
+  services.ntp.servers = env.time.ntpServers;
+
+  # Locale for workstations (French)
+  i18n.defaultLocale = "fr_FR.UTF-8";
+}

nixos-infra/environments/production/network/default.nix

@@ -11,4 +11,8 @@
   vlans = (import ./vlans.nix).vlans;
   subnets = (import ./subnets.nix).subnets;
   hosts = (import ./hosts.nix).hosts;
-}
+  dns = import ./dns.nix;
+  time = import ./time.nix;
+  proxy = import ./proxy.nix;
+  smtp = import ./smtp.nix;
+}

nixos-infra/environments/production/network/dns.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Environment-specific DNS domain
+  domain = "prod.lagraula.fr";
+
+  # Default DNS servers for this environment
+  defaultNameServers = [ "10.40.128.10" "10.40.128.11" ];
+
+  # Forwarders for this environment (e.g., upstream DNS)
+  forwarders = [ "1.1.1.1" "8.8.8.8" ];
+
+  # Allow zone transfers only to secondary DNS servers in this environment
+  allowZoneTransfer = [ "10.40.128.11" ];
+
+  # Recursion policy for this environment
+  recursion = "AllowOnlyForPrivateNetworks";
+
+  # Email for Let's Encrypt (Caddy) — can be environment-specific
+  letsEncryptEmail = "xavier@lagraula.fr";
+}

nixos-infra/environments/production/network/proxy.nix

@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # Proxy configuration for this environment
+  # Currently no proxy is used — direct access for all hosts
+
+  # Workstations: no proxy
+  workstations = {
+    httpProxy = "";
+    httpsProxy = "";
+    noProxy = "";
+  };
+
+  # Servers: no proxy
+  servers = {
+    httpProxy = "";
+    httpsProxy = "";
+    noProxy = "";
+  };
+
+  # To enable a proxy later, uncomment and set the proxy URLs:
+  # workstations = {
+  #   httpProxy = "http://proxy.prod.lagraula.fr:3128";
+  #   httpsProxy = "http://proxy.prod.lagraula.fr:3128";
+  #   noProxy = "localhost,127.0.0.1,::1,10.0.0.0/8";
+  # };
+}

nixos-infra/environments/production/network/smtp.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # SMTP relay configuration for this environment
+  # Used by services that need to send email (e.g., monitoring alerts)
+
+  # SMTP relay host — can be an internal relay or external service
+  relayHost = "smtp.lagraula.fr";
+  relayPort = 587;
+
+  # TLS settings
+  useTLS = true;
+  useSTARTTLS = true;
+
+  # Authentication — currently none (open relay for internal use)
+  # To add authentication later:
+  # username = "noreply@prod.lagraula.fr";
+  # passwordFile = config.age.secrets.smtp-password.path;
+
+  # Default "From" address for system emails
+  fromAddress = "noreply@prod.lagraula.fr";
+}

nixos-infra/environments/production/network/time.nix

@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # NTP servers for this environment
+  # The gateway acts as the NTP server (IPv4 .1, IPv6 ::1)
+  ntpServers = [
+    "10.10.128.1"    # IPv4 gateway
+    "fd00::1"        # IPv6 gateway
+  ];
+
+  # Time zone for this environment
+  timeZone = "Europe/Paris";
+
+  # Hardware clock setting
+  hardwareClock = "UTC";
+}