Factorise networking configurations #19
Reference: Fediversity/Fediversity#19
This PR merges all networking-related configurations from VMs in `infra/` into an `infra/common/networking.nix` module. More factorisation will come in subsequent PRs.

While merging these networking configurations, I have come across some variations:

- In the `nameservers`: some have `95.215.185.6`, some don't; and some have `2a00:51c0::5fd7:b906`, some don't.
- In `nftables.ruleset`, in the section `define ssh_allow`: some have `95.215.185.181/32, # ansible.procolix.com`, some don't; and some have `95.215.185.235/32, # ansible-hq` while some have `95.215.185.235, # ansible-hq`.
- Only one machine has `services.openssh.settings.PasswordAuthentication = false`.

It is possible for me to add options to produce these differences of configurations, but it feels like we could just unify those configurations instead. For now, I have taken the superset of those things, so now all machines have:

- `95.215.185.6` and `2a00:51c0::5fd7:b906` as nameservers, and
- `95.215.185.181/32, # ansible.procolix.com` and `95.215.185.235/32, # ansible-hq` in their `ssh_allow` section.
- `services.openssh.settings.PasswordAuthentication = false`

I am however not entirely sure that this is what we want. I think it is reasonable, but I would want an OK from either @koen or @kevin. (or both!)
factoring LGTM
The different nameservers are a bit odd, but I guess that has to do with iterations made to our default config. There are differences; the nameservers that should be there are

The ansible rule differences in the nftables probably have to do with the same reason. ansible.procolix.com is an older machine that has been phased out and can be removed.

`services.openssh.settings.PasswordAuthentication = false` is something I added due to a recommendation from valetin when I granted him access to the forgejo and wiki VMs, but it hasn't been implemented on the others.

Merged with 9c7b370447. Thanks @kevin!
Pull request closed
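
As an added illustration (not the PR's actual module, whose contents are not shown on this page), the unified settings discussed in this thread could be expressed in a shared NixOS module like the one below. Only the nameserver addresses, the two `ssh_allow` entries and the `PasswordAuthentication` setting come from the discussion; the `enable` flags and the table and chain layout are assumptions.

```nix
# Added sketch of a shared networking module; not the project's own file.
{ ... }:

{
  # Superset of the resolvers found across the VMs (from the PR description).
  networking.nameservers = [
    "95.215.185.6"
    "2a00:51c0::5fd7:b906"
  ];

  # Key-only SSH on every machine instead of on a single one.
  services.openssh = {
    enable = true; # assumption: sshd is managed by this module
    settings.PasswordAuthentication = false;
  };

  networking.nftables = {
    enable = true; # assumption
    # Only the ssh_allow entries come from the PR. Both use the /32 form,
    # so the "95.215.185.235" vs "95.215.185.235/32" variation disappears.
    # The review notes ansible.procolix.com has been phased out and its
    # entry can be removed.
    ruleset = ''
      define ssh_allow = {
        95.215.185.181/32, # ansible.procolix.com
        95.215.185.235/32, # ansible-hq
      }

      # Assumed minimal filter table, for illustration only.
      table inet filter {
        chain input {
          type filter hook input priority 0; policy drop;
          iifname "lo" accept
          ct state established,related accept
          meta l4proto { icmp, ipv6-icmp } accept
          ip saddr $ssh_allow tcp dport 22 accept
        }
      }
    '';
  };
}
```

Importing one such module from every VM keeps the SSH allow-list and password policy in a single reviewable place, so a per-host divergence becomes a visible diff rather than silent drift.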