diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix index 0797105..11546d8 100644 --- a/machines/compute01/_configuration.nix +++ b/machines/compute01/_configuration.nix @@ -1,18 +1,19 @@ { lib, ... }: lib.extra.mkConfig { + # List of modules to enable enabledModules = [ - # List of modules to enable + # INFO: This list needs to stay sorted alphabetically "dgn-backups" - "dgn-web" "dgn-chatops" + "dgn-web" ]; + # List of services to enable enabledServices = [ - # List of services to enable + # INFO: This list needs to stay sorted alphabetically "arkheon" - "takumi" - "signal-irc-bridge" + "dgsi" "ds-fr" "grafana" "hedgedoc" @@ -25,8 +26,10 @@ lib.extra.mkConfig { "postgresql" "rstudio-server" "satosa" + "signal-irc-bridge" "signald" "stirling-pdf" + "takumi" "telegraf" "vaultwarden" "zammad" diff --git a/machines/compute01/dgsi/default.nix b/machines/compute01/dgsi/default.nix new file mode 100644 index 0000000..9afc74e --- /dev/null +++ b/machines/compute01/dgsi/default.nix @@ -0,0 +1,180 @@ +{ + config, + lib, + pkgs, + sources, + ... +}: + +let + inherit (lib) mapAttrsToList; + + python = + let + python3 = pkgs.python312; + nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; }; + in + python3.override { + packageOverrides = _: _: { + inherit (nix-pkgs) + django-allauth + django-allauth-cas + django-browser-reload + django-bulma-forms + django-sass-processor + django-sass-processor-dart-sass + django-unfold + pykanidm + python-cas + loadcredential + ; + }; + }; + + pythonEnv = python.withPackages (ps: [ + ps.django + ps.gunicorn + ps.psycopg + ps.django-compressor + + # Local packages + ps.django-allauth + ps.django-allauth-cas + ps.django-bulma-forms + ps.django-sass-processor + ps.django-sass-processor-dart-sass + ps.django-unfold + ps.loadcredential + ps.pykanidm + ps.python-cas + ]); + + staticDrv = pkgs.stdenv.mkDerivation { + name = "dgsi-static"; + + src = sources.dgsi; + sourceRoot = "source/src"; + + nativeBuildInputs = [ + pkgs.dart-sass + pythonEnv + ]; + + configurePhase = '' + export DGSI_STATIC_ROOT=$out/static + export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials + export DGSI_KANIDM_CLIENT="dgsi_test"; + export DGSI_KANIDM_AUTH_TOKEN="fake.token"; + ''; + + doBuild = false; + + installPhase = '' + mkdir -p $out/static + python3 manage.py compilescss + python3 manage.py collectstatic + ''; + }; +in + +{ + users = { + users.nginx.extraGroups = [ "django-apps" ]; + groups.django-apps = { }; + }; + + systemd = { + services = { + dj-dgsi = { + description = "DGSI web app"; + + requires = [ "dj-dgsi.socket" ]; + wantedBy = [ "multi-user.target" ]; + after = [ + "network.target" + "postgresql.service" + ]; + + serviceConfig = { + DynamicUser = true; + LoadCredential = mapAttrsToList (name: value: "${name}:${value}") { + SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path; + KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path; + KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path; + }; + RuntimeDirectory = "django-apps/dgsi"; + StateDirectory = "django-dgsi"; + UMask = "0027"; + User = "dj-dgsi"; + WorkingDirectory = "${sources.dgsi}/src"; + }; + + environment = { + DGSI_ALLOWED_HOSTS = builtins.toJSON [ + "profil.dgnum.eu" + "dgsi.dgnum.eu" + ]; + DGSI_STATIC_ROOT = staticDrv; + DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media"; + }; + + path = [ pythonEnv ]; + + script = '' + python3 manage.py migrate + gunicorn --pythonpath ${sources.dgsi}/src --bind unix:/run/django-apps/dgsi.sock --workers=4 app.wsgi + ''; + }; + }; + + sockets."dj-dgsi" = { + description = "Socket for the DGSI Django Application"; + wantedBy = [ "sockets.target" ]; + + socketConfig = { + ListenStream = "/run/django-apps/dgsi.sock"; + SocketMode = "600"; + SocketUser = config.services.nginx.user; + }; + }; + + mounts = [ + { + where = "/run/django-apps/dgsi/media"; + what = "/var/lib/django-apps/dgsi/media"; + options = "bind"; + + after = [ "dj-dgsi.service" ]; + partOf = [ "dj-dgsi.service" ]; + upheldBy = [ "dj-dgsi.service" ]; + } + ]; + }; + + dgn-redirections.redirections."dgsi.dgnum.eu" = "profil.dgnum.eu"; + + services = { + postgresql = { + ensureDatabases = [ "dgsi" ]; + ensureUsers = [ + { + name = "dgsi"; + ensureDBOwnership = true; + } + ]; + }; + + nginx.virtualHosts."profil.dgnum.eu" = { + enableACME = true; + forceSSL = true; + + serverAliases = [ "dgsi.dgnum.eu" ]; + + locations = { + "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock"; + "/static/".root = staticDrv; + "/media/".root = "/run/django-apps/dgsi"; + }; + }; + }; +} diff --git a/machines/compute01/secrets/dgsi-kanidm_auth_token_file b/machines/compute01/secrets/dgsi-kanidm_auth_token_file new file mode 100644 index 0000000..638c006 Binary files /dev/null and b/machines/compute01/secrets/dgsi-kanidm_auth_token_file differ diff --git a/machines/compute01/secrets/dgsi-kanidm_secret_file b/machines/compute01/secrets/dgsi-kanidm_secret_file new file mode 100644 index 0000000..f47a017 --- /dev/null +++ b/machines/compute01/secrets/dgsi-kanidm_secret_file @@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA 7Nd4K/ivG8LyRcT+XhfN8K8OmoGKUPiUacgd5H/YyCY +qHdajtgWM/ON3VHB76DhkDF0BCOhA5UtDTTiOM8Woy8 +-> ssh-ed25519 QlRB9Q 25AYqzBKePKEH4Ml+9xB+YxSvIIMY/M7Qo+LomdivHM +SQN/1T/Judvtk8TjhUxhCsJVS73bLqaih6Gn8weVjvs +-> ssh-ed25519 r+nK/Q iHlAURzupmiysH9XtEqhg+wbgYlsdLHvVyRzMsWsVmg +R6yA3bt+5E5vhIVEHxu8h3sB9FjLiUH0tp5SKzHM8Kk +-> ssh-rsa krWCLQ +BxDfl3xriUdWiihr0RtfSpJ0UtDnF1oTa3n/1w4AMPNowh+kIVRKuaWFa+sVIJMB +RZc+vdymNoUg/i3lAzlX2mo17LGEnX1jGSHtsMY7j1psS4b72i3hCvBLQ9n+kir7 +ub1CVvrsgn6SMzjQWrSNP6IsIPmYcgfJ2pG0J7oD8T6s0hnemm9ywtCmdpiVjh+O +C2DB10qgVACLWOd/Gqd7ILiqeTOlaDHjuFJ3xRoUd7jzeOnG4BZOV8mfT443MoIa +Kg/prr+MN9uf42a6iLb5avf8ZZLnrzoIyT5vJ3BFt1aUz3FX4DyZUrZmhm9pmYR9 +4YTArDtTP6X3+Rimd5rlbA +-> ssh-ed25519 /vwQcQ NkudSMrSLIE0WOE3ScJSMBKwVnuz9p3UwKGg9SPDGiY +w2rE2oO1bs0eoySeS0tT0Ic6Hji9qD7iNn0qYiwc2kU +-> ssh-ed25519 0R97PA YH3uoQ/zJR/lrvC0TuWTSig/AJYsxI7sVrEhS173i1E +DOdCOmorgGsg4hAXV0nYg9JeDmon2JY02iKq614jxUA +-> ssh-ed25519 JGx7Ng YV6RIaM6oIoajPXVDrOuLRy2897e8LUEibyLiS/gf0o +xz+guHt2N+tfIX5kvpxGDNqaez2VA8dD+QTu7fK7Pf4 +-> ssh-ed25519 5SY7Kg 4DhAsi0gqOunzEzlFFKeP3qYWos9Mc1UpVCDVQIBEws +4/duAufrk/GHSbj5tEXdL+C+2AO+Es375as+/R+6PgY +-> ssh-ed25519 p/Mg4Q +5WtmMV6ruLgQoTZpmBztrH+FS2aCKFcwuLKcweLr3s +xRIVcBt4wV2PtEhO68sJ8/FB177QAq6zoZ1Dwfg1kPo +-> ssh-ed25519 tDqJRg wWaBzLqsoPa8/0hjl4eu07dQvGFMLI3R6IrNNZzquBU +ppzkds/p5BF2dIRZERhDD3rtQNxKhlIaoxCSIf20yJQ +-> T9':1EB-grease / #'BD[s +lZHA3xsgAESG +--- uk+H++45TIOcuW3Qj4/D1S65Kw8OEb5ZHqWWIlYlSIg +u=J¾f£‹ÏtüÉíãQ²]¶Epfž ÍêOëeëd<Í…ã6 G'Æ¡a.ήշ^H¾´ñú|Lß*QN5öìþMGatʶ±§ \ No newline at end of file diff --git a/machines/compute01/secrets/dgsi-secret_key_file b/machines/compute01/secrets/dgsi-secret_key_file new file mode 100644 index 0000000..bd6e682 --- /dev/null +++ b/machines/compute01/secrets/dgsi-secret_key_file @@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY +7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k +-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI +BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4 +-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc +WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo +-> ssh-rsa krWCLQ +GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e +fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7 +j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf +MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN +tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn +gU32t9qy5EvTbzliWpAvxw +-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY +mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g +-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik +QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w +-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI +E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo +-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8 +x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s +-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA +TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE +-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM +SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU +-> `--grease N]PH +fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K +7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A +--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk +:È/ Àn ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.uŸ‰’…m3Ü&g¤(ö5 ۶Û \ No newline at end of file diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index 2ff76e4..5f7da8d 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix @@ -6,9 +6,12 @@ in lib.setDefault { inherit publicKeys; } [ "arkheon-env_file" "bupstash-put_key" + "dgsi-kanidm_auth_token_file" + "dgsi-kanidm_secret_file" + "dgsi-secret_key_file" "ds-fr-secret_file" - "grafana-smtp_password_file" "grafana-oauth_client_secret_file" + "grafana-smtp_password_file" "hedgedoc-environment_file" "librenms-database_password_file" "librenms-environment_file" diff --git a/npins/sources.json b/npins/sources.json index 644b8cb..31dafa4 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -50,6 +50,17 @@ "url": null, "hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna" }, + "dgsi": { + "type": "Git", + "repository": { + "type": "Git", + "url": "https://git.dgnum.eu/DGNum/dgsi.git" + }, + "branch": "main", + "revision": "8a46e4ddb522a145046d9a5bfc729a8e46d99f44", + "url": null, + "hash": "1blyh1xcppcb6qjaww8aw00c4nh1dl50i64bf6ampj0idx0y93qh" + }, "disko": { "type": "GitRelease", "repository": { @@ -229,9 +240,9 @@ "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" }, "branch": "main", - "revision": "c3257569375903f94ad1af9fe8b77186bd824332", + "revision": "d1af0a922edc1ef82b023ebe1158b5c1e02b4f2d", "url": null, - "hash": "01kmivbk0ji5n7fifydq0wvlv34v1ima66r6icxrfykshh635w4p" + "hash": "1vbhprwnjn6r0wd70ymv78yry6cbz6ip06q7bl3jwp6v0lqgwmf4" }, "nixos-23.11": { "type": "Channel",