From a00c981ecdef749f2e91432c3f6d626555170884 Mon Sep 17 00:00:00 2001
From: Xavier Lagraula
Date: Mon, 11 May 2026 11:47:24 +0200
Subject: [PATCH] refactor: centralize production environment configuration

- Add network/dns.nix, network/time.nix, network/proxy.nix, network/smtp.nix
- Update network/default.nix to import new files
- Update dns01, dns02, rp01 to use centralized DNS parameters
- Update gaia workstation to use centralized time parameters
- Servers use en_US.UTF-8 (set in host configs), workstations use fr_FR.UTF-8

This centralizes environment-specific settings while keeping host-type-specific settings (like locale) in the host configurations.
---
 .../hosts/servers/dns01/configuration.nix | 17 ++++++++----
 .../hosts/servers/dns02/configuration.nix | 10 ++++---
 .../hosts/servers/rp01/configuration.nix | 8 +++---
 .../hosts/workstations/gaia/configuration.nix | 19 ++++++++++---
 .../production/network/default.nix | 6 ++++-
 .../environments/production/network/dns.nix | 21 +++++++++++++++
 .../environments/production/network/proxy.nix | 27 +++++++++++++++++++
 .../environments/production/network/smtp.nix | 22 +++++++++++++++
 .../environments/production/network/time.nix | 16 +++++++++++
 9 files changed, 130 insertions(+), 16 deletions(-)
 create mode 100644 nixos-infra/environments/production/network/dns.nix
 create mode 100644 nixos-infra/environments/production/network/proxy.nix
 create mode 100644 nixos-infra/environments/production/network/smtp.nix
 create mode 100644 nixos-infra/environments/production/network/time.nix

diff --git a/nixos-infra/environments/production/hosts/servers/dns01/configuration.nix b/nixos-infra/environments/production/hosts/servers/dns01/configuration.nix
index b4b5787..df1cc48 100644
--- a/nixos-infra/environments/production/hosts/servers/dns01/configuration.nix
+++ b/nixos-infra/environments/production/hosts/servers/dns01/configuration.nix
@@ -8,6 +8,8 @@ let
 url = "ssh://git@gitea.prod.lagraula.fr:2222/xavier/nixos-infra-framework.git";
 rev = frameworkRev;
 };
+ # Import environment-specific network parameters
+ env = import ../../../network { };
 in {
 imports = [
 # Module for LXC containers
@@ -21,17 +23,22 @@ in {
 # Host identity (IP address 10.40.128.10/16 assigned via DHCP reservation)
 networking.hostName = "dns01";
- networking.domain = "prod.lagraula.fr";
+ networking.domain = env.dns.domain;
 networking.useDHCP = true;
 # Technitium DNS Server — primary DNS server
 services.dns = {
 enable = true;
- recursion = "AllowOnlyForPrivateNetworks";
- forwarders = [ "1.1.1.1" "8.8.8.8" ];
+ recursion = env.dns.recursion;
+ forwarders = env.dns.forwarders;
 # Uncomment and configure with agenix secret:
 # adminPasswordFile = config.age.secrets.dns-admin-password.path;
- allowZoneTransfer = [ "10.40.128.11" ]; # Allow secondary to dns02
+ allowZoneTransfer = env.dns.allowZoneTransfer; # Allow secondary to dns02
 listenAddresses = [ "10.40.128.10" "127.0.0.1" "::1" ];
 };
-}
\ No newline at end of file
+
+ # Caddy-specific configuration (optional)
+ services.caddy = {
+ email = env.dns.letsEncryptEmail; # Email for Let's Encrypt
+ };
+}
diff --git a/nixos-infra/environments/production/hosts/servers/dns02/configuration.nix b/nixos-infra/environments/production/hosts/servers/dns02/configuration.nix
index 29775de..5099000 100644
--- a/nixos-infra/environments/production/hosts/servers/dns02/configuration.nix
+++ b/nixos-infra/environments/production/hosts/servers/dns02/configuration.nix
@@ -6,6 +6,8 @@ let
 url = "ssh://git@gitea.prod.lagraula.fr:2222/xavier/nixos-infra-framework.git";
 rev = frameworkRev;
 };
+ # Import environment-specific network parameters
+ env = import ../../../network { };
 in {
 imports = [
 # Module for LXC containers
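Review bot: The `services.caddy` block added at the bottom of dns01's configuration puts an ACME contact on the primary DNS host although nothing in this file enables Caddy, so it is inert now but mirrors the rp01 block and would turn into a live, certificate-requesting web server on the DNS host the moment any shared module sets `services.caddy.enable`. If dns01 is not meant to run Caddy, remove the added `services.caddy = { … };` lines; if it is, the comment should say so rather than `# Caddy-specific configuration (optional)`, e.g. `# Caddy is enabled by a shared module on this host; email only seeds the ACME account`. The first dns01 hunk and the dns02 hunk on this line only introduce the `env` import and raise nothing on their own.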
@@ -19,16 +21,16 @@ in {
 # Host identity (IP address 10.40.128.11/16 assigned via DHCP reservation)
 networking.hostName = "dns02";
- networking.domain = "prod.lagraula.fr";
+ networking.domain = env.dns.domain;
 networking.useDHCP = true;
 # Technitium DNS Server — secondary (replica) DNS server
 services.dns = {
 enable = true;
- recursion = "AllowOnlyForPrivateNetworks";
- forwarders = [ "1.1.1.1" "8.8.8.8" ];
+ recursion = env.dns.recursion;
+ forwarders = env.dns.forwarders;
 # Uncomment and configure with agenix secret:
 # adminPasswordFile = config.age.secrets.dns-admin-password.path;
 listenAddresses = [ "10.40.128.11" "127.0.0.1" "::1" ];
 };
-}
\ No newline at end of file
+}
diff --git a/nixos-infra/environments/production/hosts/servers/rp01/configuration.nix b/nixos-infra/environments/production/hosts/servers/rp01/configuration.nix
index a691891..f1df42a 100644
--- a/nixos-infra/environments/production/hosts/servers/rp01/configuration.nix
+++ b/nixos-infra/environments/production/hosts/servers/rp01/configuration.nix
@@ -6,6 +6,8 @@ let
 url = "ssh://git@gitea.prod.lagraula.fr:2222/xavier/nixos-infra-framework.git";
 rev = frameworkRev;
 };
+ # Import environment-specific network parameters
+ env = import ../../../network { };
 in {
 imports = [
 # Module for LXC containers
@@ -16,7 +18,7 @@ in {
 # Host identity (IP address assigned via DHCP reservation)
 networking.hostName = "rp01";
- networking.domain = "prod.lagraula.fr";
+ networking.domain = env.dns.domain;
 networking.useDHCP = true;
 # Services to expose via the reverse proxy
@@ -28,6 +30,6 @@ in {
 # Caddy-specific configuration (optional)
 services.caddy = {
- email = "xavier@lagraula.fr"; # Email for Let's Encrypt
+ email = env.dns.letsEncryptEmail; # Email for Let's Encrypt
 };
-}
\ No newline at end of file
+}
diff --git a/nixos-infra/environments/production/hosts/workstations/gaia/configuration.nix b/nixos-infra/environments/production/hosts/workstations/gaia/configuration.nix
index fc30829..3d9f726 100644
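Review bot: `email = env.dns.letsEncryptEmail;` in rp01's last hunk reads an ACME account contact out of the `dns` section, so a reader of this file has to look in dns.nix for a Caddy/Let's Encrypt setting that has nothing to do with name resolution. A dedicated attribute reads better and keeps the DNS data about DNS, e.g. `email = env.acme.email; # ACME contact shared by every Caddy host` backed by an `acme = { email = "xavier@lagraula.fr"; };` set exported from network/default.nix (a constructed name, pick what fits the repo). The value is identical to what rp01 had before, so this is a naming point only; the dns02 hunk and the other rp01 hunks on this line only re-plumb the same DNS values.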
--- a/nixos-infra/environments/production/hosts/workstations/gaia/configuration.nix
+++ b/nixos-infra/environments/production/hosts/workstations/gaia/configuration.nix
@@ -1,8 +1,21 @@
 { config, pkgs, lib, ... }:
-{
+let
+ # Import environment-specific network parameters
+ env = import ../../../network { };
+in {
 # Workstation configuration for gaia
 # TODO: Fill in workstation-specific settings
 networking.hostName = "gaia";
- networking.domain = "prod.lagraula.fr";
-}
\ No newline at end of file
+ networking.domain = env.dns.domain;
+
+ # Time settings
+ time.timeZone = env.time.timeZone;
+ time.hardwareClock = env.time.hardwareClock;
+
+ # NTP settings
+ services.ntp.servers = env.time.ntpServers;
+
+ # Locale for workstations (French)
+ i18n.defaultLocale = "fr_FR.UTF-8";
+}
diff --git a/nixos-infra/environments/production/network/default.nix b/nixos-infra/environments/production/network/default.nix
index 816eabc..2b3103a 100644
--- a/nixos-infra/environments/production/network/default.nix
+++ b/nixos-infra/environments/production/network/default.nix
@@ -11,4 +11,8 @@
 vlans = (import ./vlans.nix).vlans;
 subnets = (import ./subnets.nix).subnets;
 hosts = (import ./hosts.nix).hosts;
-}
\ No newline at end of file
+ dns = import ./dns.nix;
+ time = import ./time.nix;
+ proxy = import ./proxy.nix;
+ smtp = import ./smtp.nix;
+}
diff --git a/nixos-infra/environments/production/network/dns.nix b/nixos-infra/environments/production/network/dns.nix
new file mode 100644
index 0000000..3d05daf
--- /dev/null
+++ b/nixos-infra/environments/production/network/dns.nix
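Review bot: `time.hardwareClock = env.time.hardwareClock;` in gaia's hunk sets an option I do not find in NixOS; the option that governs the RTC is the boolean `time.hardwareClockInLocalTime` (default false, meaning the RTC is kept in UTC), so evaluating gaia should stop with an undefined-option error — please confirm against the nixpkgs revision the flake pins. If the intent is "RTC in UTC" the line can simply be dropped, or written `time.hardwareClockInLocalTime = false;`, and the string `hardwareClock = "UTC"` that time.nix exports in the last hunk then has no consumer and should follow suit. `services.ntp.servers = env.time.ntpServers;` on its own does not start an NTP client; unless a workstation module not shown here sets `services.ntp.enable = true`, gaia keeps whatever time daemon its defaults provide and never reads this list.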
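Review bot: `dns = import ./dns.nix;` and the three lines after it in default.nix bind the unapplied function `{ config, pkgs, lib, ... }: { … }` that each new file begins with, not an attribute set, so `env.dns.domain` in dns01, dns02, rp01 and gaia (the `env = import ../../../network { };` consumers) should fail at evaluation with a value-is-a-function error; the same header appears in the dns.nix, proxy.nix, smtp.nix and time.nix hunks that follow. Applying them here would not help either, because `config`, `pkgs` and `lib` are declared without defaults and none of the four files uses them. The minimal fix is to delete the first line `{ config, pkgs, lib, ... }:` (and the blank after it) from each of the four new files so they are plain data like vlans.nix, subnets.nix and hosts.nix, which this same hunk already imports unapplied. This is read from the patch alone; if the repo's default.nix header differs from what the hunk context shows, re-check before changing.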
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # Environment-specific DNS domain
+ domain = "prod.lagraula.fr";
+
+ # Default DNS servers for this environment
+ defaultNameServers = [ "10.40.128.10" "10.40.128.11" ];
+
+ # Forwarders for this environment (e.g., upstream DNS)
+ forwarders = [ "1.1.1.1" "8.8.8.8" ];
+
+ # Allow zone transfers only to secondary DNS servers in this environment
+ allowZoneTransfer = [ "10.40.128.11" ];
+
+ # Recursion policy for this environment
+ recursion = "AllowOnlyForPrivateNetworks";
+
+ # Email for Let's Encrypt (Caddy) — can be environment-specific
+ letsEncryptEmail = "xavier@lagraula.fr";
+}
\ No newline at end of file
diff --git a/nixos-infra/environments/production/network/proxy.nix b/nixos-infra/environments/production/network/proxy.nix
new file mode 100644
index 0000000..0ba7e6c
--- /dev/null
+++ b/nixos-infra/environments/production/network/proxy.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # Proxy configuration for this environment
+ # Currently no proxy is used — direct access for all hosts
+
+ # Workstations: no proxy
+ workstations = {
+ httpProxy = "";
+ httpsProxy = "";
+ noProxy = "";
+ };
+
+ # Servers: no proxy
+ servers = {
+ httpProxy = "";
+ httpsProxy = "";
+ noProxy = "";
+ };
+
+ # To enable a proxy later, uncomment and set the proxy URLs:
+ # workstations = {
+ # httpProxy = "http://proxy.prod.lagraula.fr:3128";
+ # httpsProxy = "http://proxy.prod.lagraula.fr:3128";
+ # noProxy = "localhost,127.0.0.1,::1,10.0.0.0/8";
+ # };
+}
\ No newline at end of file
diff --git a/nixos-infra/environments/production/network/smtp.nix b/nixos-infra/environments/production/network/smtp.nix
new file mode 100644
index 0000000..8261ac0
--- /dev/null
+++ b/nixos-infra/environments/production/network/smtp.nix
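Review bot: `letsEncryptEmail` and `defaultNameServers` in dns.nix do not belong with the resolver settings: the first is an ACME account contact consumed only by Caddy, and the second is read by no host in this patch (every host keeps `networking.useDHCP = true`), so it is dead data that can silently diverge from what DHCP actually hands out. Move the ACME contact to its own attribute (e.g. an `acme = { email = …; }` set exported by default.nix — a constructed name) and either wire `defaultNameServers` into a consumer or drop it. The `forwarders` list carries addresses only, so whether upstream lookups to 1.1.1.1 and 8.8.8.8 leave the network in cleartext or over an encrypted transport is decided by the consuming DNS module, not here; a comment stating the expected transport, e.g. `# reached over plain DNS (port 53) unless the DNS module configures an encrypted transport — confirm`, would make that visible to whoever audits this file.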
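Review bot: Representing "no proxy" as empty strings (`httpProxy = "";` and its five siblings in proxy.nix) pushes a special-case check onto every consumer: mapped straight onto `networking.proxy.httpProxy`, `httpsProxy` or `noProxy`, whose type is `nullOr str` with a `null` default, `""` counts as a set value and results in exported-but-empty `http_proxy`/`https_proxy` variables instead of none at all. Use `null` for the six values, e.g. `httpProxy = null; httpsProxy = null; noProxy = null;`, so an unconfigured proxy is genuinely absent. In the commented template, `10.0.0.0/8` inside `noProxy` is only honoured by clients that understand CIDR in `no_proxy` (many do not), so when that block is enabled, the hosts or domain suffixes that must bypass the proxy should be listed explicitly as well.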
@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # SMTP relay configuration for this environment
+ # Used by services that need to send email (e.g., monitoring alerts)
+
+ # SMTP relay host — can be an internal relay or external service
+ relayHost = "smtp.lagraula.fr";
+ relayPort = 587;
+
+ # TLS settings
+ useTLS = true;
+ useSTARTTLS = true;
+
+ # Authentication — currently none (open relay for internal use)
+ # To add authentication later:
+ # username = "noreply@prod.lagraula.fr";
+ # passwordFile = config.age.secrets.smtp-password.path;
+
+ # Default "From" address for system emails
+ fromAddress = "noreply@prod.lagraula.fr";
+}
\ No newline at end of file
diff --git a/nixos-infra/environments/production/network/time.nix b/nixos-infra/environments/production/network/time.nix
new file mode 100644
index 0000000..8321cd5
--- /dev/null
+++ b/nixos-infra/environments/production/network/time.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # NTP servers for this environment
+ # The gateway acts as the NTP server (IPv4 .1, IPv6 ::1)
+ ntpServers = [
+ "10.10.128.1" # IPv4 gateway
+ "fd00::1" # IPv6 gateway
+ ];
+
+ # Time zone for this environment
+ timeZone = "Europe/Paris";
+
+ # Hardware clock setting
+ hardwareClock = "UTC";
+}
\ No newline at end of file
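Review bot: `useTLS = true;` and `useSTARTTLS = true;` in smtp.nix are both set although the two are mutually exclusive on one port — 587 is the submission port, where STARTTLS applies and implicit TLS does not — so a consumer that honours `useTLS` first will fail to connect, and a consumer that treats that failure as a cue to retry without TLS will send the mail in the clear. Encode a single choice, e.g. `useTLS = false; # implicit TLS belongs to port 465; 587 uses STARTTLS`, or collapse the pair into one mode value. The comment `# Authentication — currently none (open relay for internal use)` records that anything on the internal network can submit mail as `noreply@prod.lagraula.fr` via `smtp.lagraula.fr`; if that is intended, the file should also state what restricts submission on the relay side (presumably a source-network allow-list — confirm) and that the relay's certificate is expected to be verified, since nothing here names a CA or pins anything. The `config.age.secrets.smtp-password.path` example in the comment also presumes this file receives `config`, which the `import ./smtp.nix` in default.nix does not pass.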
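Review bot: `"10.10.128.1" # IPv4 gateway` in time.nix sits in 10.10.0.0/16 while every other address in this patch — dns01 at 10.40.128.10/16, dns02 at 10.40.128.11/16, the `defaultNameServers` list — is in 10.40.0.0/16, so this is either a routed gateway on another VLAN or a typo for `10.40.128.1`; the comment "The gateway acts as the NTP server" reads like the latter, and it is worth checking against hosts.nix/vlans.nix before merging. Whichever it is, this address is the single unauthenticated (plain UDP/123) time source the workstation hunk hands to `services.ntp.servers`, so a comment naming the device, e.g. `# <gateway/VLAN name> — sole time source for workstations`, would help the next reader judge the trust placed in it. `fd00::1` as the IPv6 counterpart is consistent with a ULA gateway and raises nothing.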