chore: pre-commit hooks are supposed to be run....

This commit is contained in:
sinavir 2024-03-10 01:03:30 +01:00
parent d946894d8f
commit 581fa6b560
21 changed files with 348 additions and 382 deletions


@ -1,36 +1,37 @@
/* Copyright : /*
- Maurice Debray <maurice.debray@dgnum.eu> 2023 Copyright :
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023 - Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
Ce logiciel est un programme informatique servant à déployer des Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS. configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info". sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie, En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons, offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs. titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement, sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité. à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes. termes.
*/ */
let let
@ -59,9 +60,9 @@ let
in in
{ {
nodes = builtins.mapAttrs (host: { site, ... }: "${host}.${site}.infra.dgnum.eu") ( nodes = builtins.mapAttrs (
import ./meta/nodes.nix host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
); ) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix; dns = import ./meta/dns.nix;


@ -33,7 +33,7 @@ in
openssh.enable = true; openssh.enable = true;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys") m: dgn-lib.mkRel ../keys "${m}.keys"
dgn-members; ) dgn-members;
} }


@ -20,10 +20,9 @@ lib.extra
getNodeKeys = getNodeKeys =
node: node:
let let
names = names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
(meta.nodes.${node}.admins ++ [ "/machines/${node}" ]) ) meta.nodes.${node}.adminGroups;
meta.nodes.${node}.adminGroups;
in in
rootKeys ++ (getAllKeys names); rootKeys ++ (getAllKeys names);


@ -10,13 +10,11 @@
(import sources.nixos-unstable { (import sources.nixos-unstable {
overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ]; overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
}).python3.withPackages }).python3.withPackages
( (ps: [
ps: [ ps.arkheon
ps.arkheon ps.daphne
ps.daphne ps.psycopg2
ps.psycopg2 ]);
]
);
domain = "arkheon.dgnum.eu"; domain = "arkheon.dgnum.eu";


@ -29,11 +29,9 @@ in
freeradius = mkOption { freeradius = mkOption {
type = types.package; type = types.package;
default = pkgs.freeradius.overrideAttrs ( default = pkgs.freeradius.overrideAttrs (old: {
old: { buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ]; });
}
);
}; };
configDir = mkOption { configDir = mkOption {
@ -126,21 +124,19 @@ in
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" ( ${builtins.concatStringsSep "\n" (
builtins.attrValues ( builtins.attrValues (
builtins.mapAttrs builtins.mapAttrs (
( name:
name: { secret, ipaddr }:
{ secret, ipaddr }: ''
'' cat <<EOF >> ${cfg.configDir}/clients.conf
cat <<EOF >> ${cfg.configDir}/clients.conf client ${name} {
client ${name} { ipaddr = ${ipaddr}
ipaddr = ${ipaddr} secret = $(cat "${secret}")
secret = $(cat "${secret}") proto = *
proto = * }
} EOF
EOF ''
'' ) cfg.radiusClients
)
cfg.radiusClients
) )
)} )}


@ -31,7 +31,9 @@ python3.pkgs.buildPythonPackage {
aiohttp aiohttp
pydantic pydantic
toml toml
(authlib.overridePythonAttrs (_: { doCheck = false; })) (authlib.overridePythonAttrs (_: {
doCheck = false;
}))
]; ];
doCheck = false; doCheck = false;


@ -12,12 +12,10 @@ in
package = package =
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs (pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
( (old: {
old: { patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ]; vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI="; });
}
);
hostname = host; hostname = host;


@ -198,13 +198,11 @@ in
poolConfig = mkOption { poolConfig = mkOption {
type = type =
with types; with types;
attrsOf ( attrsOf (oneOf [
oneOf [ str
str int
int bool
bool ]);
]
);
default = { default = {
"pm" = "dynamic"; "pm" = "dynamic";
"pm.max_children" = 32; "pm.max_children" = 32;
@ -221,9 +219,9 @@ in
nginx = mkOption { nginx = mkOption {
type = types.submodule ( type = types.submodule (
recursiveUpdate recursiveUpdate (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" {
(import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" { inherit config lib; }) inherit config lib;
{ } }) { }
); );
default = { }; default = { };
example = literalExpression '' example = literalExpression ''
@ -392,9 +390,9 @@ in
} }
// (lib.optionalAttrs cfg.distributedPoller.enable { // (lib.optionalAttrs cfg.distributedPoller.enable {
"distributed_poller" = true; "distributed_poller" = true;
"distributed_poller_name" = "distributed_poller_name" = lib.mkIf (
lib.mkIf (cfg.distributedPoller.name != null) cfg.distributedPoller.name != null
cfg.distributedPoller.name; ) cfg.distributedPoller.name;
"distributed_poller_group" = cfg.distributedPoller.group; "distributed_poller_group" = cfg.distributedPoller.group;
"distributed_billing" = cfg.distributedPoller.distributedBilling; "distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost; "distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;


@ -23,12 +23,10 @@ let
mkYamlFiles = mkYamlFiles =
files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files); files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files);
pyEnv = cfg.package.python.withPackages ( pyEnv = cfg.package.python.withPackages (ps: [
ps: [ cfg.package
cfg.package ps.gunicorn
ps.gunicorn ]);
]
);
in in
{ {
options.services.satosa = { options.services.satosa = {


@ -30,9 +30,9 @@ let
managementFormat = pkgs.formats.json { }; managementFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "setup.env" ( settingsFile = settingsFormat.generate "setup.env" (
builtins.mapAttrs builtins.mapAttrs (
(_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val) _: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
settings ) settings
); );
managementFile = managementFormat.generate "config.json" cfg.managementConfig; managementFile = managementFormat.generate "config.json" cfg.managementConfig;
@ -106,9 +106,9 @@ let
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = ""; NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ]; NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS = NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
builtins.map (p: "http://localhost:${p}") p: "http://localhost:${p}"
cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS; ) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
} }
// (optionalAttrs cfg.setupAutoOidc { // (optionalAttrs cfg.setupAutoOidc {
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT"; NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
@ -138,15 +138,13 @@ in
type = type =
with types; with types;
attrsOf ( attrsOf (
nullOr ( nullOr (oneOf [
oneOf [ (listOf str)
(listOf str) bool
bool int
int float
float str
str ])
]
)
); );
defaultText = lib.literalExpression '' defaultText = lib.literalExpression ''
{ {
@ -493,8 +491,9 @@ in
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY" export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID" export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
${optionalString (cfg.secretFiles.AUTH_CLIENT_SECRET == null) ${optionalString (
''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''} cfg.secretFiles.AUTH_CLIENT_SECRET == null
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE" export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI" export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI" export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"


@ -11,105 +11,103 @@
frontend_url ? "crab.fit", frontend_url ? "crab.fit",
}: }:
stdenv.mkDerivation ( stdenv.mkDerivation (finalAttrs: {
finalAttrs: { pname = "crabfit-frontend";
pname = "crabfit-frontend"; version = "unstable-2023-08-02";
version = "unstable-2023-08-02";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "GRA0007"; owner = "GRA0007";
repo = "crab.fit"; repo = "crab.fit";
rev = "628f9eefc300bf1ed3d6cc3323332c2ed9b8a350"; rev = "628f9eefc300bf1ed3d6cc3323332c2ed9b8a350";
hash = "sha256-jy8BrJSHukRenPbZHw4nPx3cSi7E2GSg//WOXDh90mY="; hash = "sha256-jy8BrJSHukRenPbZHw4nPx3cSi7E2GSg//WOXDh90mY=";
}; };
sourceRoot = "source/frontend"; sourceRoot = "source/frontend";
patches = [ patches = [
./01-privacy.patch ./01-privacy.patch
./02-karla.patch ./02-karla.patch
./03-standalone.patch ./03-standalone.patch
./04-frontend_url.patch ./04-frontend_url.patch
./05-dgnum.patch ./05-dgnum.patch
./06-download.patch ./06-download.patch
./07-colormap.patch ./07-colormap.patch
]; ];
offlineCache = fetchYarnDeps { offlineCache = fetchYarnDeps {
yarnLock = "${finalAttrs.src}/frontend/yarn.lock"; yarnLock = "${finalAttrs.src}/frontend/yarn.lock";
hash = "sha256-jkyQygwHdLlEZ1tlSQOh72nANp2F29rZbTXvKQStvGc="; hash = "sha256-jkyQygwHdLlEZ1tlSQOh72nANp2F29rZbTXvKQStvGc=";
}; };
nativeBuildInputs = [ nativeBuildInputs = [
nodejs nodejs
yarn yarn
fixup_yarn_lock fixup_yarn_lock
]; ];
postPatch = '' postPatch = ''
substituteInPlace \ substituteInPlace \
public/robots.txt \ public/robots.txt \
public/sitemap.xml \ public/sitemap.xml \
src/app/\[id\]/page.tsx \ src/app/\[id\]/page.tsx \
src/app/layout.tsx \ src/app/layout.tsx \
src/components/CreateForm/components/EventInfo/EventInfo.tsx \ src/components/CreateForm/components/EventInfo/EventInfo.tsx \
src/i18n/locales/de/help.json \ src/i18n/locales/de/help.json \
src/i18n/locales/en-GB/help.json \ src/i18n/locales/en-GB/help.json \
src/i18n/locales/en/help.json \ src/i18n/locales/en/help.json \
src/i18n/locales/es/help.json \ src/i18n/locales/es/help.json \
src/i18n/locales/fr/help.json \ src/i18n/locales/fr/help.json \
src/i18n/locales/hi/help.json \ src/i18n/locales/hi/help.json \
src/i18n/locales/id/help.json \ src/i18n/locales/id/help.json \
src/i18n/locales/it/help.json \ src/i18n/locales/it/help.json \
src/i18n/locales/ko/help.json \ src/i18n/locales/ko/help.json \
src/i18n/locales/pt-BR/help.json \ src/i18n/locales/pt-BR/help.json \
src/i18n/locales/pt-PT/help.json \ src/i18n/locales/pt-PT/help.json \
src/i18n/locales/ru/help.json \ src/i18n/locales/ru/help.json \
--replace "@FRONTEND_URL@" "${frontend_url}" --replace "@FRONTEND_URL@" "${frontend_url}"
''; '';
configurePhase = '' configurePhase = ''
runHook preConfigure runHook preConfigure
export HOME="$PWD" export HOME="$PWD"
echo 'NEXT_PUBLIC_API_URL="${api_url}"' > .env.local echo 'NEXT_PUBLIC_API_URL="${api_url}"' > .env.local
fixup_yarn_lock yarn.lock fixup_yarn_lock yarn.lock
yarn config --offline set yarn-offline-mirror ${finalAttrs.offlineCache} yarn config --offline set yarn-offline-mirror ${finalAttrs.offlineCache}
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules patchShebangs node_modules
mkdir -p src/app/fonts mkdir -p src/app/fonts
cp "${ cp "${
google-fonts.override { fonts = [ "Karla" ]; } google-fonts.override { fonts = [ "Karla" ]; }
}/share/fonts/truetype/Karla[wght].ttf" src/app/fonts/karla.ttf }/share/fonts/truetype/Karla[wght].ttf" src/app/fonts/karla.ttf
runHook postConfigure runHook postConfigure
''; '';
buildPhase = '' buildPhase = ''
runHook preBuild runHook preBuild
NODE_ENV=production yarn build NODE_ENV=production yarn build
runHook postBuild runHook postBuild
''; '';
installPhase = '' installPhase = ''
mkdir $out mkdir $out
cp -R .next/* $out cp -R .next/* $out
cp -R public $out/standalone/ cp -R public $out/standalone/
cp -R .next/static $out/standalone/.next cp -R .next/static $out/standalone/.next
ln -s /var/cache/crabfit $out/standalone/.next/cache ln -s /var/cache/crabfit $out/standalone/.next/cache
''; '';
meta = with lib; { meta = with lib; {
description = "Enter your availability to find a time that works for everyone"; description = "Enter your availability to find a time that works for everyone";
homepage = "https://github.com/GRA0007/crab.fit"; homepage = "https://github.com/GRA0007/crab.fit";
license = licenses.gpl3; license = licenses.gpl3;
maintainers = with maintainers; [ thubrecht ]; maintainers = with maintainers; [ thubrecht ];
}; };
} })
)


@ -28,7 +28,9 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = package.overrideAttrs (_: { buildInputs = [ ]; }); default = package.overrideAttrs (_: {
buildInputs = [ ];
});
}; };
domain = mkOption { type = types.str; }; domain = mkOption { type = types.str; };
@ -38,36 +40,31 @@ in
let let
inherit (types) attrsOf port submodule; inherit (types) attrsOf port submodule;
in in
attrsOf ( attrsOf (submodule {
submodule { options = {
options = { port = mkOption { type = port; };
port = mkOption { type = port; }; calendars = mkOption { inherit (jsonFormat) type; };
calendars = mkOption { inherit (jsonFormat) type; }; };
}; });
}
);
default = { }; default = { };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services = systemd.services = mapAttrs' (
mapAttrs' name:
( { port, calendars }:
name: nameValuePair "linkal-${name}" {
{ port, calendars }: description = "Linkal - ${name}";
nameValuePair "linkal-${name}" { wantedBy = [ "multi-user.target" ];
description = "Linkal - ${name}"; serviceConfig = {
wantedBy = [ "multi-user.target" ]; Type = "simple";
serviceConfig = { ExecStart = "${cfg.package}/bin/linkal --port ${builtins.toString port} --calendar-file ${
Type = "simple"; jsonFormat.generate "linkal-${name}.json" { inherit calendars; }
ExecStart = "${cfg.package}/bin/linkal --port ${builtins.toString port} --calendar-file ${ }";
jsonFormat.generate "linkal-${name}.json" { inherit calendars; } };
}"; }
}; ) cfg.calendarGroups;
}
)
cfg.calendarGroups;
# Configure bind for DNS certificate validation on *.cal.dgnum.eu. # Configure bind for DNS certificate validation on *.cal.dgnum.eu.
# services.bind = { # services.bind = {
@ -107,20 +104,17 @@ in
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = virtualHosts = mapAttrs' (
mapAttrs' name:
( { port, ... }:
name: nameValuePair "${name}.${cfg.domain}" {
{ port, ... }: enableACME = true;
nameValuePair "${name}.${cfg.domain}" { # acmeRoot = null; # Use DNS-01 validation
enableACME = true; forceSSL = true;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/"; locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
} }
) ) cfg.calendarGroups;
cfg.calendarGroups;
}; };
}; };
} }


@ -16,20 +16,17 @@ in
forceSSL = true; forceSSL = true;
root = metis.production; root = metis.production;
locations = locations = lib.mapAttrs' (
lib.mapAttrs' name: value:
( lib.nameValuePair "/cal/${name}/" {
name: value: extraConfig = ''
lib.nameValuePair "/cal/${name}/" { proxy_set_header X-Forwarded-Host $host;
extraConfig = '' proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Server $host; proxy_pass ${value};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; '';
proxy_pass ${value}; }
''; ) providers;
}
)
providers;
extraConfig = '' extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent; rewrite ^/calendrier(.*)$ $1 permanent;


@ -6,16 +6,14 @@ let
mkRetired = mkRetired =
hosts: hosts:
builtins.listToAttrs ( builtins.listToAttrs (
builtins.map builtins.map (name: {
(name: { inherit name;
inherit name; value = {
value = { enableACME = true;
enableACME = true; forceSSL = true;
forceSSL = true; locations."/".return = "301 https://${retired_host}/${name}";
locations."/".return = "301 https://${retired_host}/${name}"; };
}; }) hosts
})
hosts
); );
mkSub = domain: builtins.map (s: "${s}.${domain}"); mkSub = domain: builtins.map (s: "${s}.${domain}");


@ -150,20 +150,17 @@ in
DMARC = [ { p = "none"; } ]; DMARC = [ { p = "none"; } ];
DKIM = kurisuDKIM; DKIM = kurisuDKIM;
subdomains = subdomains = mapAttrs' (
mapAttrs' host:
( { site, ... }:
host: nameValuePair "${host}.${site}" (
{ site, ... }: with meta.network.${host}.addresses;
nameValuePair "${host}.${site}" ( {
with meta.network.${host}.addresses; A = ipv4;
{ AAAA = ipv6;
A = ipv4; }
AAAA = ipv6; )
} ) meta.nodes;
)
)
meta.nodes;
}; };
}; };
} }


@ -10,11 +10,12 @@
# nixpkgs = "unstable" or "22.11"; # nixpkgs version # nixpkgs = "unstable" or "22.11"; # nixpkgs version
# } # }
/* Liste des différents sites : /*
- dmi01 -> VM du NPSPI Liste des différents sites :
- par01 -> Salle serveur sous le pavillon Pasteur - dmi01 -> VM du NPSPI
- par02 -> Local DGNum Jourdan - par01 -> Salle serveur sous le pavillon Pasteur
- par03 -> VM de Luj - par02 -> Local DGNum Jourdan
- par03 -> VM de Luj
*/ */
{ {


@ -38,25 +38,23 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf ( type = attrsOf (submodule {
submodule { options = {
options = { name = mkOption {
name = mkOption { type = str;
type = str; description = ''
description = '' Name of the member.
Name of the member. '';
'';
};
email = mkOption {
type = str;
description = ''
Main e-mail address of the member.
'';
};
}; };
}
); email = mkOption {
type = str;
description = ''
Main e-mail address of the member.
'';
};
};
});
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.


@ -1,5 +1,6 @@
/* To add a new member add an attribute to `members` /*
Then add the key to the required groups. To add a new member add an attribute to `members`
Then add the key to the required groups.
*/ */
{ {


@ -83,8 +83,8 @@ in
# Admins have root access to the node # Admins have root access to the node
dgn-access-control.users.root = mkDefault admins; dgn-access-control.users.root = mkDefault admins;
users.users = users.users = builtins.mapAttrs (_: members: {
builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; }) openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
cfg.users; }) cfg.users;
}; };
} }


@ -37,9 +37,9 @@ let
{ {
startAt = starts.${name}; startAt = starts.${name};
key = config.age.secrets."bupstash-put_key".path; key = config.age.secrets."bupstash-put_key".path;
repositoryCommands = repositoryCommands = lib.extra.mapSingleFuse (
lib.extra.mapSingleFuse (host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum") host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum"
to; ) to;
} }
// settings // settings
); );
@ -58,46 +58,41 @@ in
}; };
jobs = mkOption { jobs = mkOption {
type = attrsOf ( type = attrsOf (submodule {
submodule { options = {
options = { to = mkOption {
to = mkOption { type = listOf str;
type = listOf str; default = remove name [
default = remove name [ "compute01"
"compute01" "geo01"
"geo01" "geo02"
"geo02" "storage01"
"storage01" ];
]; description = "Hosts to send the backups to.";
description = "Hosts to send the backups to.";
};
settings = mkOption {
type = attrs;
default = { };
description = "Base bupstash job config.";
};
}; };
}
); settings = mkOption {
type = attrs;
default = { };
description = "Base bupstash job config.";
};
};
});
default = { }; default = { };
description = "List of bupstash jobs."; description = "List of bupstash jobs.";
}; };
}; };
config = { config = {
dgn-backups.jobs = dgn-backups.jobs = lib.extra.mapFuse (db: {
lib.extra.mapFuse "${db}-db".settings = {
(db: { user = "postgres";
"${db}-db".settings = { command = [
user = "postgres"; "${lib.getExe' config.services.postgresql.package "pg_dump"}"
command = [ db
"${lib.getExe' config.services.postgresql.package "pg_dump"}" ];
db };
]; }) cfg.postgresDatabases;
};
})
cfg.postgresDatabases;
services.bupstash = { services.bupstash = {
repositories = { repositories = {


@ -41,56 +41,54 @@ in
}; };
}; };
config = mkIf cfg.enable ( config = mkIf cfg.enable (mkMerge [
mkMerge [ {
{ hardware.enableRedistributableFirmware = true;
hardware.enableRedistributableFirmware = true; hardware.cpu.intel.updateMicrocode = true;
hardware.cpu.intel.updateMicrocode = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot = { boot = {
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"ata_piix" "ata_piix"
"uhci_hcd" "uhci_hcd"
"ehci_pci" "ehci_pci"
"virtio_pci" "virtio_pci"
"ahci" "ahci"
"virtio_blk" "virtio_blk"
]; ];
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
kernelParams = [ kernelParams = [
"cgroup_enable=cpu" "cgroup_enable=cpu"
"cgroup_enable=cpuset" "cgroup_enable=cpuset"
"cgroup_enable=memory" "cgroup_enable=memory"
"cgroup_memory=1" "cgroup_memory=1"
]; ];
};
}
(mkIf cfg.useSystemd {
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
})
(mkIf cfg.useBcachefs {
boot.supportedFilesystems = [ "bcachefs" ];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7;
})
(mkIf cfg.useZfs {
boot = {
supportedFilesystems = [ "zfs" ];
zfs = {
forceImportRoot = false;
extraPools = cfg.zfsPools;
package = pkgs.zfs_2_1;
}; };
} };
})
(mkIf cfg.useSystemd { ]);
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
})
(mkIf cfg.useBcachefs {
boot.supportedFilesystems = [ "bcachefs" ];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_7;
})
(mkIf cfg.useZfs {
boot = {
supportedFilesystems = [ "zfs" ];
zfs = {
forceImportRoot = false;
extraPools = cfg.zfsPools;
package = pkgs.zfs_2_1;
};
};
})
]
);
} }