Repository for AFNix-managed infrastructure https://hydra.afnix.fr/project/infra

Nix 84.1%
Python 5.1%
Rust 3.3%
JavaScript 3.3%
Go 2.2%
Other 2%

Find a file

Yureka f663a92d17 /builders.nix: integrate into hosts/floral/part.nix This file in the root which only affects floral was a remnant of pre multi-tenant infra repo Change-Id: `I130721e2f6cacae6201dc392facfbc9b0c230c5a`		2026-02-01 21:58:53 +01:00
arcana	microvm: wire Arcana microvm server	2026-01-20 16:38:51 +01:00
common	ams01: renumber ids/ips to match bmc	2026-01-30 15:50:08 +01:00
dashboards	feat(grafana): plug jsonnet-based dashboards in provisioning	2024-08-24 16:32:21 +02:00
dnscontrol	ams01: renumber ids/ips to match bmc	2026-01-30 15:50:08 +01:00
hosts	/builders.nix: integrate into hosts/floral/part.nix	2026-02-01 21:58:53 +01:00
lib	microvm: wire Arcana microvm server	2026-01-20 16:38:51 +01:00
macos/mdm-scripts	macos/infect-with-nix: avoid keeping the bootstrap Lix around in $PATH	2026-01-20 07:52:21 +01:00
netboot/arm64	feat: introduce ARM64 baremetal nodes	2025-02-12 22:30:45 +01:00
overlays	arcana/microvm-server: init at 0.6.0	2026-01-20 15:28:31 +01:00
pki	feat(systems): trust our infra chain on all systems	2025-01-01 03:43:13 +01:00
secrets	git.afnix.fr: migrate from yuki.par01 -> new afnix-forgejo01.sbg01	2026-01-27 18:52:59 +01:00
services	build-nix-daemon: Always make cfg.user allowed- & trusted-user	2026-02-01 21:58:32 +01:00
terraform	terraform/keycloak: add `groups` claim to Hydra client	2026-01-28 00:10:17 +01:00
vm	git.afnix.fr: migrate from yuki.par01 -> new afnix-forgejo01.sbg01	2026-01-27 18:52:59 +01:00
.editorconfig	editorconfig: set indentation	2025-11-22 11:20:36 -05:00
.envrc	chore: add lorri to prevent direnv from blocking, closes #147	2024-10-27 09:42:11 +00:00
.gitattributes	feat(secrets): flag `.age` secret blobs as binary	2025-02-25 17:30:56 +01:00
.gitignore	terraform/afnix_hydra: activate jobsets, fix flake_uri	2026-01-25 21:23:08 +01:00
baremetal-nodes.nix	hosts/floral: wob01 → ams01	2025-11-01 20:01:30 +01:00
default.nix	feat: sign the ICA1 CSR	2024-12-31 17:50:23 +01:00
flake.lock	hosts/build-coord-ams01: reactivate Hydra setup	2026-01-25 16:55:43 +00:00
flake.nix	/builders.nix: integrate into hosts/floral/part.nix	2026-02-01 21:58:53 +01:00
LICENSE	Initial commit	2024-06-23 06:41:53 +02:00
README.md	deployment: move to Arcana	2025-11-10 02:49:57 +01:00
renovate.json	renovate: enable lock file maintenance settings	2025-09-08 08:22:16 +02:00
secrets.nix	git.afnix.fr: migrate from yuki.par01 -> new afnix-forgejo01.sbg01	2026-01-27 18:52:59 +01:00
tasks.py	wob01 -> ams01 in more places	2026-01-30 15:48:20 +01:00

README.md

Infrastructure for the donut shaped thing that is absolutely not a donut.

Quick start

Enter our dev-shell for things like our arcana wrapper, secrets helper and required binaries:

$ nix develop

Build the infrastructure

$ arcana build --on @localboot

Notice that @localboot is load-bearing as we have some machines that cannot be deployed with vanilla arcana. Fixing this is welcome.

Recommended deploy process

$ arcana apply dry-activate $machine # Verify that the nvd log is reasonable.
$ arcana apply $machine

Recommended upgrade process

$ nix flake update
$ arcana apply dry-activate --on @localboot # Verify that the nvd log is reasonable. Run it twice to get only NVD logs shown.
$ arcana apply --on @localboot

Deploy the Terraform infrastructure

$ vault-login
$ eval "$(get-secrets)"
$ nix run .#tf -- plan # Vanilla Terraform from there.
$ nix run .#tf -- apply

Make changes to DNS via dnscontrol

$ vault-login
$ eval "$(get-secrets)"
$ cd dnscontrol
$ dnscontrol preview # preview the changes without applying them
$ dnscontrol push # apply changes

Troubleshooting

I failed to deploy `gerrit01`

Our Gerrit source build is known to have some hiccups sometimes, we are always interested in build logs, feel free to attach information in a new issue so we can make it more reliable.

`get-secrets` fails

Are you a floral-admin ? If not, please get in touch with one of the superadmins.