feat(compute01): Deploy dgsi
Some checks failed
build configuration / build_geo02 (push) Successful in 1m4s
build configuration / build_geo01 (push) Successful in 1m6s
build configuration / build_rescue01 (push) Successful in 1m10s
build configuration / build_bridge01 (push) Successful in 1m2s
lint / check (push) Failing after 24s
build configuration / build_storage01 (push) Successful in 4m45s
build configuration / build_compute01 (push) Successful in 5m9s
build configuration / push_to_cache_web02 (push) Successful in 1m19s
build configuration / push_to_cache_geo02 (push) Successful in 1m16s
build configuration / push_to_cache_geo01 (push) Successful in 1m18s
build configuration / push_to_cache_web01 (push) Successful in 1m59s
build configuration / push_to_cache_rescue01 (push) Successful in 1m24s
build configuration / push_to_cache_bridge01 (push) Successful in 1m8s
build configuration / push_to_cache_storage01 (push) Successful in 1m24s
build configuration / push_to_cache_compute01 (push) Failing after 1m59s
Check meta / check_meta (push) Successful in 17s
Check meta / check_dns (push) Successful in 21s
build configuration / build_vault01 (push) Successful in 2m58s
build configuration / build_web02 (push) Successful in 2m38s
build configuration / build_web01 (push) Successful in 3m11s
parent
dd5c0c79f7
commit
2b75890752
7 changed files with 266 additions and 8 deletions
|
@ -1,18 +1,19 @@
|
|||
{ lib, ... }:
|
||||
|
||||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
enabledModules = [
|
||||
# INFO: This list needs to stay sorted alphabetically
|
||||
"dgn-backups"
|
||||
"dgn-web"
|
||||
"dgn-chatops"
|
||||
"dgn-web"
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
# List of services to enable
|
||||
enabledServices = [
|
||||
# INFO: This list needs to stay sorted alphabetically
|
||||
"arkheon"
|
||||
"takumi"
|
||||
"signal-irc-bridge"
|
||||
"dgsi"
|
||||
"ds-fr"
|
||||
"grafana"
|
||||
"hedgedoc"
|
||||
|
@ -25,8 +26,10 @@ lib.extra.mkConfig {
|
|||
"postgresql"
|
||||
"rstudio-server"
|
||||
"satosa"
|
||||
"signal-irc-bridge"
|
||||
"signald"
|
||||
"stirling-pdf"
|
||||
"takumi"
|
||||
"telegraf"
|
||||
"vaultwarden"
|
||||
"zammad"
|
||||
|
|
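--- a/machines/compute01/dgsi/default.nix
+++ b/machines/compute01/dgsi/default.nix
@@ -0,0 +1,180 @@
+{
+config,
+lib,
+pkgs,
+sources,
+...
+}:
+
+let
+inherit (lib) mapAttrsToList;
+
+python =
+let
+python3 = pkgs.python312;
+nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
+in
+python3.override {
+packageOverrides = _: _: {
+inherit (nix-pkgs)
+django-allauth
+django-allauth-cas
+django-browser-reload
+django-bulma-forms
+django-sass-processor
+django-sass-processor-dart-sass
+django-unfold
+pykanidm
+python-cas
+loadcredential
+;
+};
+};
+
+pythonEnv = python.withPackages (ps: [
+ps.django
+ps.gunicorn
+ps.psycopg
+ps.django-compressor
+
+# Local packages
+ps.django-allauth
+ps.django-allauth-cas
+ps.django-bulma-forms
+ps.django-sass-processor
+ps.django-sass-processor-dart-sass
+ps.django-unfold
+ps.loadcredential
+ps.pykanidm
+ps.python-cas
+]);
+
+staticDrv = pkgs.stdenv.mkDerivation {
+name = "dgsi-static";
+
+src = sources.dgsi;
+sourceRoot = "source/src";
+
+nativeBuildInputs = [
+pkgs.dart-sass
+pythonEnv
+];
+
+configurePhase = ''
+export DGSI_STATIC_ROOT=$out/static
+export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
+export DGSI_KANIDM_CLIENT="dgsi_test";
+export DGSI_KANIDM_AUTH_TOKEN="fake.token";
+'';
+
+doBuild = false;
+
+installPhase = ''
+mkdir -p $out/static
+python3 manage.py compilescss
+python3 manage.py collectstatic
+'';
+};
+in
+
+{
+users = {
+users.nginx.extraGroups = [ "django-apps" ];
+groups.django-apps = { };
+};
+
+systemd = {
+services = {
+dj-dgsi = {
+description = "DGSI web app";
+
+requires = [ "dj-dgsi.socket" ];
+wantedBy = [ "multi-user.target" ];
+after = [
+"network.target"
+"postgresql.service"
+];
+
+serviceConfig = {
+DynamicUser = true;
+LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
+SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path;
+KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path;
+KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path;
+};
+RuntimeDirectory = "django-apps/dgsi";
+StateDirectory = "django-dgsi";
+UMask = "0027";
+User = "dj-dgsi";
+WorkingDirectory = "${sources.dgsi}/src";
+};
+
+environment = {
+DGSI_ALLOWED_HOSTS = builtins.toJSON [
+"profil.dgnum.eu"
+"dgsi.dgnum.eu"
+];
+DGSI_STATIC_ROOT = staticDrv;
+DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
+};
+
+path = [ pythonEnv ];
+
+script = ''
+python3 manage.py migrate
+gunicorn --pythonpath ${sources.dgsi}/src --bind unix:/run/django-apps/dgsi.sock --workers=4 app.wsgi
+'';
+};
+};
+
+sockets."dj-dgsi" = {
+description = "Socket for the DGSI Django Application";
+wantedBy = [ "sockets.target" ];
+
+socketConfig = {
+ListenStream = "/run/django-apps/dgsi.sock";
+SocketMode = "600";
+SocketUser = config.services.nginx.user;
+};
+};
+
+mounts = [
+{
+where = "/run/django-apps/dgsi/media";
+what = "/var/lib/django-apps/dgsi/media";
+options = "bind";
+
+after = [ "dj-dgsi.service" ];
+partOf = [ "dj-dgsi.service" ];
+upheldBy = [ "dj-dgsi.service" ];
+}
+];
+};
+
+dgn-redirections.redirections."dgsi.dgnum.eu" = "profil.dgnum.eu";
+
+services = {
+postgresql = {
+ensureDatabases = [ "dgsi" ];
+ensureUsers = [
+{
+name = "dgsi";
+ensureDBOwnership = true;
+}
+];
+};
+
+nginx.virtualHosts."profil.dgnum.eu" = {
+enableACME = true;
+forceSSL = true;
+
+serverAliases = [ "dgsi.dgnum.eu" ];
+
+locations = {
+"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
+"/static/".root = staticDrv;
+"/media/".root = "/run/django-apps/dgsi";
+};
+};
+};
+}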
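Review bot: `DGSI_MEDIA_ROOT` and the bind mount's `what` both point at `/var/lib/django-apps/dgsi/media`, but `serviceConfig` sets `StateDirectory = "django-dgsi"`, so systemd creates `/var/lib/django-dgsi` and nothing in this file creates the media path. With `DynamicUser = true` the unit can normally write only to its own state, runtime, cache and log directories, so uploads to the media root would presumably fail and the mount unit may find no source. `StateDirectory = "django-apps/dgsi";` would line the three paths up. Separately, nginx is added to the `django-apps` group but `serviceConfig` sets no `Group` or `SupplementaryGroups`, so with `UMask = "0027"` that membership probably grants nginx nothing on the media files. It is worth stating in a comment which identity is meant to read `/media/`, and confirming that the `600` socket owned by the nginx user is the only intended access path to the application.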
BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file
Normal file
Binary file not shown.
30
machines/compute01/secrets/dgsi-kanidm_secret_file
Normal file
|
@ -0,0 +1,30 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA 7Nd4K/ivG8LyRcT+XhfN8K8OmoGKUPiUacgd5H/YyCY
|
||||
qHdajtgWM/ON3VHB76DhkDF0BCOhA5UtDTTiOM8Woy8
|
||||
-> ssh-ed25519 QlRB9Q 25AYqzBKePKEH4Ml+9xB+YxSvIIMY/M7Qo+LomdivHM
|
||||
SQN/1T/Judvtk8TjhUxhCsJVS73bLqaih6Gn8weVjvs
|
||||
-> ssh-ed25519 r+nK/Q iHlAURzupmiysH9XtEqhg+wbgYlsdLHvVyRzMsWsVmg
|
||||
R6yA3bt+5E5vhIVEHxu8h3sB9FjLiUH0tp5SKzHM8Kk
|
||||
-> ssh-rsa krWCLQ
|
||||
BxDfl3xriUdWiihr0RtfSpJ0UtDnF1oTa3n/1w4AMPNowh+kIVRKuaWFa+sVIJMB
|
||||
RZc+vdymNoUg/i3lAzlX2mo17LGEnX1jGSHtsMY7j1psS4b72i3hCvBLQ9n+kir7
|
||||
ub1CVvrsgn6SMzjQWrSNP6IsIPmYcgfJ2pG0J7oD8T6s0hnemm9ywtCmdpiVjh+O
|
||||
C2DB10qgVACLWOd/Gqd7ILiqeTOlaDHjuFJ3xRoUd7jzeOnG4BZOV8mfT443MoIa
|
||||
Kg/prr+MN9uf42a6iLb5avf8ZZLnrzoIyT5vJ3BFt1aUz3FX4DyZUrZmhm9pmYR9
|
||||
4YTArDtTP6X3+Rimd5rlbA
|
||||
-> ssh-ed25519 /vwQcQ NkudSMrSLIE0WOE3ScJSMBKwVnuz9p3UwKGg9SPDGiY
|
||||
w2rE2oO1bs0eoySeS0tT0Ic6Hji9qD7iNn0qYiwc2kU
|
||||
-> ssh-ed25519 0R97PA YH3uoQ/zJR/lrvC0TuWTSig/AJYsxI7sVrEhS173i1E
|
||||
DOdCOmorgGsg4hAXV0nYg9JeDmon2JY02iKq614jxUA
|
||||
-> ssh-ed25519 JGx7Ng YV6RIaM6oIoajPXVDrOuLRy2897e8LUEibyLiS/gf0o
|
||||
xz+guHt2N+tfIX5kvpxGDNqaez2VA8dD+QTu7fK7Pf4
|
||||
-> ssh-ed25519 5SY7Kg 4DhAsi0gqOunzEzlFFKeP3qYWos9Mc1UpVCDVQIBEws
|
||||
4/duAufrk/GHSbj5tEXdL+C+2AO+Es375as+/R+6PgY
|
||||
-> ssh-ed25519 p/Mg4Q +5WtmMV6ruLgQoTZpmBztrH+FS2aCKFcwuLKcweLr3s
|
||||
xRIVcBt4wV2PtEhO68sJ8/FB177QAq6zoZ1Dwfg1kPo
|
||||
-> ssh-ed25519 tDqJRg wWaBzLqsoPa8/0hjl4eu07dQvGFMLI3R6IrNNZzquBU
|
||||
ppzkds/p5BF2dIRZERhDD3rtQNxKhlIaoxCSIf20yJQ
|
||||
-> T9':1EB-grease / #'BD[s
|
||||
lZHA3xsgAESG
|
||||
--- uk+H++45TIOcuW3Qj4/D1S65Kw8OEb5ZHqWWIlYlSIg
|
||||
u=J¾f£‹ÏtüÉíãQ²]¶Epfž ÍêOëeëd<Í…ã6<C3A3> G'Æ¡a.ήշ^H¾´ñú|Lß*QN5öìþMGatʶ±§
|
31
machines/compute01/secrets/dgsi-secret_key_file
Normal file
|
@ -0,0 +1,31 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
|
||||
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
|
||||
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
|
||||
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
|
||||
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
|
||||
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
|
||||
-> ssh-rsa krWCLQ
|
||||
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
|
||||
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
|
||||
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
|
||||
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
|
||||
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
|
||||
gU32t9qy5EvTbzliWpAvxw
|
||||
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
|
||||
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
|
||||
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
|
||||
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
|
||||
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
|
||||
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
|
||||
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
|
||||
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
|
||||
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
|
||||
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
|
||||
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
|
||||
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
|
||||
-> `--grease N]PH
|
||||
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
|
||||
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
|
||||
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
|
||||
:È/Àn ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5۶Û
|
|
@ -6,9 +6,12 @@ in
|
|||
lib.setDefault { inherit publicKeys; } [
|
||||
"arkheon-env_file"
|
||||
"bupstash-put_key"
|
||||
"dgsi-kanidm_auth_token_file"
|
||||
"dgsi-kanidm_secret_file"
|
||||
"dgsi-secret_key_file"
|
||||
"ds-fr-secret_file"
|
||||
"grafana-smtp_password_file"
|
||||
"grafana-oauth_client_secret_file"
|
||||
"grafana-smtp_password_file"
|
||||
"hedgedoc-environment_file"
|
||||
"librenms-database_password_file"
|
||||
"librenms-environment_file"
|
||||
|
|
|
@ -50,6 +50,17 @@
|
|||
"url": null,
|
||||
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
|
||||
},
|
||||
"dgsi": {
|
||||
"type": "Git",
|
||||
"repository": {
|
||||
"type": "Git",
|
||||
"url": "https://git.dgnum.eu/DGNum/dgsi.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "8a46e4ddb522a145046d9a5bfc729a8e46d99f44",
|
||||
"url": null,
|
||||
"hash": "1blyh1xcppcb6qjaww8aw00c4nh1dl50i64bf6ampj0idx0y93qh"
|
||||
},
|
||||
"disko": {
|
||||
"type": "GitRelease",
|
||||
"repository": {
|
||||
|
@ -229,9 +240,9 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "c3257569375903f94ad1af9fe8b77186bd824332",
|
||||
"revision": "d1af0a922edc1ef82b023ebe1158b5c1e02b4f2d",
|
||||
"url": null,
|
||||
"hash": "01kmivbk0ji5n7fifydq0wvlv34v1ima66r6icxrfykshh635w4p"
|
||||
"hash": "1vbhprwnjn6r0wd70ymv78yry6cbz6ip06q7bl3jwp6v0lqgwmf4"
|
||||
},
|
||||
"nixos-23.11": {
|
||||
"type": "Channel",
|
||||
|
|