Repository for AFNix-managed infrastructure

Find a file

Pierre Bourdon 4fbc575030 flake.lock: Update Flake lock file updates: • Updated input 'afnix-docs': 'git+https://git.afnix.fr/afnix/docs.git?ref=refs/heads/main&rev=541f10d1ad94b57262de1796b5e4d23d01fc2786' (2025-08-28) → 'git+https://git.afnix.fr/afnix/docs.git?ref=refs/heads/main&rev=249e44ad4f7717f29ad164f8c23cf4992ec0a9d4' (2025-08-31)		2025-08-31 23:00:40 +02:00
common	common/base-server: disable microvm host by default	2025-08-31 18:19:46 +02:00
dashboards	feat(grafana): plug jsonnet-based dashboards in provisioning	2024-08-24 16:32:21 +02:00
dnscontrol	dns/afnix: add docs.afnix.fr	2025-08-31 22:55:56 +02:00
hosts	hosts/afnix/yuki: deploy docs.afnix.fr	2025-08-31 22:55:59 +02:00
lib	flake: use flake-parts and simplify(?)	2025-02-17 22:02:12 +01:00
netboot/arm64	feat: introduce ARM64 baremetal nodes	2025-02-12 22:30:45 +01:00
overlays	pkgs/besadii: support regexes for target branches	2025-07-25 00:40:03 +00:00
pki	feat(systems): trust our infra chain on all systems	2025-01-01 03:43:13 +01:00
secrets	afnix/forgejo: Add smtp setup	2025-08-31 20:53:19 +00:00
services	flake: refine which node makes use of DNS64/NAT64	2025-08-30 13:07:36 +00:00
terraform	tf/hydra: fix provider URL post-migration	2025-08-28 22:45:34 +02:00
vm	vm/afnix-ovh-lim-hv01/lix-zulip01: fix tenancy	2025-08-27 20:56:05 +02:00
.editorconfig	editorconfig: init	2024-07-13 01:10:18 +00:00
.envrc	chore: add lorri to prevent direnv from blocking, closes #147	2024-10-27 09:42:11 +00:00
.gitattributes	feat(secrets): flag `.age` secret blobs as binary	2025-02-25 17:30:56 +01:00
.gitignore	gitignore: fix exclusion pattern for per-tenant secrets	2025-07-30 14:03:47 +02:00
baremetal-nodes.nix	flake: use flake-parts and simplify(?)	2025-02-17 22:02:12 +01:00
builders.nix	hydra: configure machines via /etc	2025-03-23 00:48:10 +01:00
colmena.nix	flake: use flake-parts and simplify(?)	2025-02-17 22:02:12 +01:00
default.nix	feat: sign the ICA1 CSR	2024-12-31 17:50:23 +01:00
flake.lock	flake.lock: Update	2025-08-31 23:00:40 +02:00
flake.nix	flake: add afnix-docs input	2025-08-31 22:55:59 +02:00
LICENSE	Initial commit	2024-06-23 06:41:53 +02:00
README.md	docs(dns): add small section to README	2025-05-09 10:26:00 +02:00
secrets.nix	afnix/forgejo: Add smtp setup	2025-08-31 20:53:19 +00:00

README.md

Infrastructure for the donut shaped thing that is absolutely not a donut.

Quick start

Enter our dev-shell for things like our colmena wrapper, secrets helper and required binaries:

$ nix develop

Build the infrastructure

$ colmena build --on @localboot

Notice that @localboot is load-bearing as we have some machines that cannot be deployed with vanilla Colmena. Fixing this is welcome.

Recommended deploy process

$ colmena apply dry-activate $machine # Verify that the nvd log is reasonable.
$ colmena apply $machine

Recommended upgrade process

$ nix flake update
$ colmena apply dry-activate --on @localboot # Verify that the nvd log is reasonable. Run it twice to get only NVD logs shown.
$ colmena apply --on @localboot

Deploy the Terraform infrastructure

$ vault-login
$ eval "$(get-secrets)"
$ nix run .#tf -- plan # Vanilla Terraform from there.
$ nix run .#tf -- apply

Make changes to DNS via dnscontrol

$ vault-login
$ eval "$(get-secrets)"
$ cd dnscontrol
$ dnscontrol preview # preview the changes without applying them
$ dnscontrol push # apply changes

Troubleshooting

I failed to deploy `gerrit01`

Our Gerrit source build is known to have some hiccups sometimes, we are always interested in build logs, feel free to attach information in a new issue so we can make it more reliable.

`get-secrets` fails

Are you a floral-admin ? If not, please get in touch with one of the superadmins.