chore: pre-commit hooks are supposed to be run....
This commit is contained in:
parent
d946894d8f
commit
581fa6b560
21 changed files with 348 additions and 382 deletions
|
@ -1,4 +1,5 @@
|
|||
/* Copyright :
|
||||
/*
|
||||
Copyright :
|
||||
- Maurice Debray <maurice.debray@dgnum.eu> 2023
|
||||
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
|
||||
|
||||
|
@ -59,9 +60,9 @@ let
|
|||
in
|
||||
|
||||
{
|
||||
nodes = builtins.mapAttrs (host: { site, ... }: "${host}.${site}.infra.dgnum.eu") (
|
||||
import ./meta/nodes.nix
|
||||
);
|
||||
nodes = builtins.mapAttrs (
|
||||
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
|
||||
) (import ./meta/nodes.nix);
|
||||
|
||||
dns = import ./meta/dns.nix;
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ in
|
|||
openssh.enable = true;
|
||||
};
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keyFiles =
|
||||
builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys")
|
||||
dgn-members;
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
|
||||
m: dgn-lib.mkRel ../keys "${m}.keys"
|
||||
) dgn-members;
|
||||
}
|
||||
|
|
|
@ -20,10 +20,9 @@ lib.extra
|
|||
getNodeKeys =
|
||||
node:
|
||||
let
|
||||
names =
|
||||
builtins.foldl' (names: group: names ++ meta.organization.groups.${group})
|
||||
(meta.nodes.${node}.admins ++ [ "/machines/${node}" ])
|
||||
meta.nodes.${node}.adminGroups;
|
||||
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
||||
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
|
||||
) meta.nodes.${node}.adminGroups;
|
||||
in
|
||||
rootKeys ++ (getAllKeys names);
|
||||
|
||||
|
|
|
@ -10,13 +10,11 @@
|
|||
(import sources.nixos-unstable {
|
||||
overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
|
||||
}).python3.withPackages
|
||||
(
|
||||
ps: [
|
||||
(ps: [
|
||||
ps.arkheon
|
||||
ps.daphne
|
||||
ps.psycopg2
|
||||
]
|
||||
);
|
||||
]);
|
||||
|
||||
domain = "arkheon.dgnum.eu";
|
||||
|
||||
|
|
|
@ -29,11 +29,9 @@ in
|
|||
|
||||
freeradius = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.freeradius.overrideAttrs (
|
||||
old: {
|
||||
default = pkgs.freeradius.overrideAttrs (old: {
|
||||
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
|
||||
}
|
||||
);
|
||||
});
|
||||
};
|
||||
|
||||
configDir = mkOption {
|
||||
|
@ -126,8 +124,7 @@ in
|
|||
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs
|
||||
(
|
||||
builtins.mapAttrs (
|
||||
name:
|
||||
{ secret, ipaddr }:
|
||||
''
|
||||
|
@ -139,8 +136,7 @@ in
|
|||
}
|
||||
EOF
|
||||
''
|
||||
)
|
||||
cfg.radiusClients
|
||||
) cfg.radiusClients
|
||||
)
|
||||
)}
|
||||
|
||||
|
|
|
@ -31,7 +31,9 @@ python3.pkgs.buildPythonPackage {
|
|||
aiohttp
|
||||
pydantic
|
||||
toml
|
||||
(authlib.overridePythonAttrs (_: { doCheck = false; }))
|
||||
(authlib.overridePythonAttrs (_: {
|
||||
doCheck = false;
|
||||
}))
|
||||
];
|
||||
|
||||
doCheck = false;
|
||||
|
|
|
@ -12,12 +12,10 @@ in
|
|||
|
||||
package =
|
||||
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
|
||||
(
|
||||
old: {
|
||||
(old: {
|
||||
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
|
||||
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
hostname = host;
|
||||
|
||||
|
|
|
@ -198,13 +198,11 @@ in
|
|||
poolConfig = mkOption {
|
||||
type =
|
||||
with types;
|
||||
attrsOf (
|
||||
oneOf [
|
||||
attrsOf (oneOf [
|
||||
str
|
||||
int
|
||||
bool
|
||||
]
|
||||
);
|
||||
]);
|
||||
default = {
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 32;
|
||||
|
@ -221,9 +219,9 @@ in
|
|||
|
||||
nginx = mkOption {
|
||||
type = types.submodule (
|
||||
recursiveUpdate
|
||||
(import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" { inherit config lib; })
|
||||
{ }
|
||||
recursiveUpdate (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" {
|
||||
inherit config lib;
|
||||
}) { }
|
||||
);
|
||||
default = { };
|
||||
example = literalExpression ''
|
||||
|
@ -392,9 +390,9 @@ in
|
|||
}
|
||||
// (lib.optionalAttrs cfg.distributedPoller.enable {
|
||||
"distributed_poller" = true;
|
||||
"distributed_poller_name" =
|
||||
lib.mkIf (cfg.distributedPoller.name != null)
|
||||
cfg.distributedPoller.name;
|
||||
"distributed_poller_name" = lib.mkIf (
|
||||
cfg.distributedPoller.name != null
|
||||
) cfg.distributedPoller.name;
|
||||
"distributed_poller_group" = cfg.distributedPoller.group;
|
||||
"distributed_billing" = cfg.distributedPoller.distributedBilling;
|
||||
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;
|
||||
|
|
|
@ -23,12 +23,10 @@ let
|
|||
mkYamlFiles =
|
||||
files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files);
|
||||
|
||||
pyEnv = cfg.package.python.withPackages (
|
||||
ps: [
|
||||
pyEnv = cfg.package.python.withPackages (ps: [
|
||||
cfg.package
|
||||
ps.gunicorn
|
||||
]
|
||||
);
|
||||
]);
|
||||
in
|
||||
{
|
||||
options.services.satosa = {
|
||||
|
|
|
@ -30,9 +30,9 @@ let
|
|||
managementFormat = pkgs.formats.json { };
|
||||
|
||||
settingsFile = settingsFormat.generate "setup.env" (
|
||||
builtins.mapAttrs
|
||||
(_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val)
|
||||
settings
|
||||
builtins.mapAttrs (
|
||||
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
|
||||
) settings
|
||||
);
|
||||
|
||||
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
|
||||
|
@ -106,9 +106,9 @@ let
|
|||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
||||
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS =
|
||||
builtins.map (p: "http://localhost:${p}")
|
||||
cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
|
||||
p: "http://localhost:${p}"
|
||||
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
||||
}
|
||||
// (optionalAttrs cfg.setupAutoOidc {
|
||||
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
|
||||
|
@ -138,15 +138,13 @@ in
|
|||
type =
|
||||
with types;
|
||||
attrsOf (
|
||||
nullOr (
|
||||
oneOf [
|
||||
nullOr (oneOf [
|
||||
(listOf str)
|
||||
bool
|
||||
int
|
||||
float
|
||||
str
|
||||
]
|
||||
)
|
||||
])
|
||||
);
|
||||
defaultText = lib.literalExpression ''
|
||||
{
|
||||
|
@ -493,8 +491,9 @@ in
|
|||
|
||||
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
|
||||
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
|
||||
${optionalString (cfg.secretFiles.AUTH_CLIENT_SECRET == null)
|
||||
''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
|
||||
${optionalString (
|
||||
cfg.secretFiles.AUTH_CLIENT_SECRET == null
|
||||
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
|
||||
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
|
||||
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
|
||||
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
|
||||
|
|
|
@ -11,8 +11,7 @@
|
|||
frontend_url ? "crab.fit",
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation (
|
||||
finalAttrs: {
|
||||
stdenv.mkDerivation (finalAttrs: {
|
||||
pname = "crabfit-frontend";
|
||||
version = "unstable-2023-08-02";
|
||||
|
||||
|
@ -111,5 +110,4 @@ stdenv.mkDerivation (
|
|||
license = licenses.gpl3;
|
||||
maintainers = with maintainers; [ thubrecht ];
|
||||
};
|
||||
}
|
||||
)
|
||||
})
|
||||
|
|
|
@ -28,7 +28,9 @@ in
|
|||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = package.overrideAttrs (_: { buildInputs = [ ]; });
|
||||
default = package.overrideAttrs (_: {
|
||||
buildInputs = [ ];
|
||||
});
|
||||
};
|
||||
|
||||
domain = mkOption { type = types.str; };
|
||||
|
@ -38,22 +40,18 @@ in
|
|||
let
|
||||
inherit (types) attrsOf port submodule;
|
||||
in
|
||||
attrsOf (
|
||||
submodule {
|
||||
attrsOf (submodule {
|
||||
options = {
|
||||
port = mkOption { type = port; };
|
||||
calendars = mkOption { inherit (jsonFormat) type; };
|
||||
};
|
||||
}
|
||||
);
|
||||
});
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services =
|
||||
mapAttrs'
|
||||
(
|
||||
systemd.services = mapAttrs' (
|
||||
name:
|
||||
{ port, calendars }:
|
||||
nameValuePair "linkal-${name}" {
|
||||
|
@ -66,8 +64,7 @@ in
|
|||
}";
|
||||
};
|
||||
}
|
||||
)
|
||||
cfg.calendarGroups;
|
||||
) cfg.calendarGroups;
|
||||
|
||||
# Configure bind for DNS certificate validation on *.cal.dgnum.eu.
|
||||
# services.bind = {
|
||||
|
@ -107,9 +104,7 @@ in
|
|||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts =
|
||||
mapAttrs'
|
||||
(
|
||||
virtualHosts = mapAttrs' (
|
||||
name:
|
||||
{ port, ... }:
|
||||
nameValuePair "${name}.${cfg.domain}" {
|
||||
|
@ -119,8 +114,7 @@ in
|
|||
|
||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
|
||||
}
|
||||
)
|
||||
cfg.calendarGroups;
|
||||
) cfg.calendarGroups;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -16,9 +16,7 @@ in
|
|||
forceSSL = true;
|
||||
root = metis.production;
|
||||
|
||||
locations =
|
||||
lib.mapAttrs'
|
||||
(
|
||||
locations = lib.mapAttrs' (
|
||||
name: value:
|
||||
lib.nameValuePair "/cal/${name}/" {
|
||||
extraConfig = ''
|
||||
|
@ -28,8 +26,7 @@ in
|
|||
proxy_pass ${value};
|
||||
'';
|
||||
}
|
||||
)
|
||||
providers;
|
||||
) providers;
|
||||
|
||||
extraConfig = ''
|
||||
rewrite ^/calendrier(.*)$ $1 permanent;
|
||||
|
|
|
@ -6,16 +6,14 @@ let
|
|||
mkRetired =
|
||||
hosts:
|
||||
builtins.listToAttrs (
|
||||
builtins.map
|
||||
(name: {
|
||||
builtins.map (name: {
|
||||
inherit name;
|
||||
value = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".return = "301 https://${retired_host}/${name}";
|
||||
};
|
||||
})
|
||||
hosts
|
||||
}) hosts
|
||||
);
|
||||
|
||||
mkSub = domain: builtins.map (s: "${s}.${domain}");
|
||||
|
|
|
@ -150,9 +150,7 @@ in
|
|||
DMARC = [ { p = "none"; } ];
|
||||
DKIM = kurisuDKIM;
|
||||
|
||||
subdomains =
|
||||
mapAttrs'
|
||||
(
|
||||
subdomains = mapAttrs' (
|
||||
host:
|
||||
{ site, ... }:
|
||||
nameValuePair "${host}.${site}" (
|
||||
|
@ -162,8 +160,7 @@ in
|
|||
AAAA = ipv6;
|
||||
}
|
||||
)
|
||||
)
|
||||
meta.nodes;
|
||||
) meta.nodes;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -10,7 +10,8 @@
|
|||
# nixpkgs = "unstable" or "22.11"; # nixpkgs version
|
||||
# }
|
||||
|
||||
/* Liste des différents sites :
|
||||
/*
|
||||
Liste des différents sites :
|
||||
- dmi01 -> VM du NPSPI
|
||||
- par01 -> Salle serveur sous le pavillon Pasteur
|
||||
- par02 -> Local DGNum Jourdan
|
||||
|
|
|
@ -38,8 +38,7 @@ in
|
|||
options = {
|
||||
organization = {
|
||||
members = mkOption {
|
||||
type = attrsOf (
|
||||
submodule {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = str;
|
||||
|
@ -55,8 +54,7 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
description = ''
|
||||
Members of the DGNum organization.
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
/* To add a new member add an attribute to `members`
|
||||
/*
|
||||
To add a new member add an attribute to `members`
|
||||
Then add the key to the required groups.
|
||||
*/
|
||||
|
||||
|
|
|
@ -83,8 +83,8 @@ in
|
|||
# Admins have root access to the node
|
||||
dgn-access-control.users.root = mkDefault admins;
|
||||
|
||||
users.users =
|
||||
builtins.mapAttrs (_: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
|
||||
cfg.users;
|
||||
users.users = builtins.mapAttrs (_: members: {
|
||||
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
|
||||
}) cfg.users;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -37,9 +37,9 @@ let
|
|||
{
|
||||
startAt = starts.${name};
|
||||
key = config.age.secrets."bupstash-put_key".path;
|
||||
repositoryCommands =
|
||||
lib.extra.mapSingleFuse (host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum")
|
||||
to;
|
||||
repositoryCommands = lib.extra.mapSingleFuse (
|
||||
host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum"
|
||||
) to;
|
||||
}
|
||||
// settings
|
||||
);
|
||||
|
@ -58,8 +58,7 @@ in
|
|||
};
|
||||
|
||||
jobs = mkOption {
|
||||
type = attrsOf (
|
||||
submodule {
|
||||
type = attrsOf (submodule {
|
||||
options = {
|
||||
to = mkOption {
|
||||
type = listOf str;
|
||||
|
@ -78,17 +77,14 @@ in
|
|||
description = "Base bupstash job config.";
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
});
|
||||
default = { };
|
||||
description = "List of bupstash jobs.";
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
dgn-backups.jobs =
|
||||
lib.extra.mapFuse
|
||||
(db: {
|
||||
dgn-backups.jobs = lib.extra.mapFuse (db: {
|
||||
"${db}-db".settings = {
|
||||
user = "postgres";
|
||||
command = [
|
||||
|
@ -96,8 +92,7 @@ in
|
|||
db
|
||||
];
|
||||
};
|
||||
})
|
||||
cfg.postgresDatabases;
|
||||
}) cfg.postgresDatabases;
|
||||
|
||||
services.bupstash = {
|
||||
repositories = {
|
||||
|
|
|
@ -41,8 +41,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (
|
||||
mkMerge [
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
hardware.cpu.intel.updateMicrocode = true;
|
||||
|
@ -91,6 +90,5 @@ in
|
|||
};
|
||||
};
|
||||
})
|
||||
]
|
||||
);
|
||||
]);
|
||||
}
|
||||
|
|