Factorise networking configurations #19

Closed
Niols wants to merge 0 commits from factorise-networking-config into main
Owner

This PR merges all networking-related configurations from VMs in infra/ into a infra/common/networking.nix module. More factorisation will come in subsequent PRs.

While merging these networking configurations, I have come across some variations:

In the nameservers:

  • some have 95.215.185.6, some don't; and
  • some have 2a00:51c0::5fd7:b906, some don't.

In nftables.ruleset, in the section define ssh_allow:

  • some have 95.215.185.181/32, # ansible.procolix.com, some don't; and
  • some have 95.215.185.235/32, # ansible-hq while some have 95.215.185.235, # ansible-hq.

Only one machine has services.openssh.settings.PasswordAuthentication = false.

It is possible for me to add options to produce these differences in configuration, but it feels like we could just unify those configurations instead. For now, I have taken the superset of those things, so now all machines have:

  • both 95.215.185.6 and 2a00:51c0::5fd7:b906 as nameservers, and
  • both 95.215.185.181/32, # ansible.procolix.com and 95.215.185.235/32, # ansible-hq in their ssh_allow section; and
  • services.openssh.settings.PasswordAuthentication = false.

I am however not entirely sure that this is what we want. I think it is reasonable, but I would want an OK from either @koen or @kevin. (or both!)

Niols added 7 commits 2024-11-20 17:37:14 +01:00
fricklerhandwerk approved these changes 2024-11-20 23:01:34 +01:00
fricklerhandwerk left a comment
Owner

factoring LGTM

Owner

The different nameservers are a bit odd; I guess that has to do with iterations made to our default config. There are differences; the nameservers that should be there are:

- 95.215.185.6
- 95.215.185.7
- 2a00:51c0::5fd7:b906
- 2a00:51c0::5fd7:b907

The ansible rule differences in the nftables probably have to do with the same reason: ansible.procolix.com is an older machine that has been phased out and can be removed.

services.openssh.settings.PasswordAuthentication = false is something I added due to a recommendation from Valentin when I granted him access to the forgejo and wiki VMs, but it hasn't been implemented on the others.

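To make the unified configuration concrete, here is an added example (not the PR's own code, nor the Fediversity repository's actual module) of what a factored infra/common/networking.nix could look like once the points raised in the description and in the comment above are applied: the four nameservers listed above, only ansible-hq in ssh_allow (since ansible.procolix.com is described as phased out), and password authentication disabled for SSH everywhere. The nftables table and chain structure, the interface handling and the comment contents are assumptions made for illustration; only the option names, the module path and the addresses come from the thread. Note that in nftables a bare address such as 95.215.185.235 and the prefixed 95.215.185.235/32 denote the same single host, so that variation between machines was cosmetic rather than a real policy difference.

```nix
# infra/common/networking.nix -- illustrative example, not the PR's actual module
{ config, lib, pkgs, ... }:

{
  # Nameservers recommended in the review comment (two IPv4, two IPv6).
  networking.nameservers = [
    "95.215.185.6"
    "95.215.185.7"
    "2a00:51c0::5fd7:b906"
    "2a00:51c0::5fd7:b907"
  ];

  networking.nftables.enable = true;
  networking.nftables.ruleset = ''
    # Hosts allowed to reach SSH. ansible.procolix.com is omitted because the
    # review describes it as phased out; /32 is explicit but equivalent to a
    # bare address.
    define ssh_allow = {
      95.215.185.235/32, # ansible-hq
    }

    # Minimal input policy assumed for the example: keep established flows,
    # allow loopback and restrict SSH to the allow-list; everything else drops.
    table inet filter {
      chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iifname "lo" accept
        ip saddr $ssh_allow tcp dport 22 accept
      }
    }
  '';

  services.openssh.enable = true;
  # Applied uniformly instead of on a single machine, as the thread suggests.
  services.openssh.settings.PasswordAuthentication = false;
}
```

A host-specific module can then import this file and only add what genuinely differs (addresses, hostnames), which keeps the SSH allow-list and the password-authentication setting from drifting apart again between VMs.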
Niols added 1 commit 2024-11-21 11:33:07 +01:00
Follow @kevin's recommendations
All checks were successful
/ check-pre-commit (pull_request) Successful in 23s
60ec9aab2a
Author
Owner

Merged with 9c7b370447ca7c460fd64997520bd0e0552fd330.
Niols closed this pull request 2024-11-21 11:34:32 +01:00
Author
Owner

Thanks @kevin!


Pull request closed

Reference: Fediversity/Fediversity#19