feat(testing02): Init testing vm

.forgejo/workflows/eval-nodes.yaml

@@ -120,6 +120,17 @@ jobs:
         STORE_USER: admin
       name: Build and cache storage01
       run: nix-shell -A eval-nodes --run cache-node
+  testing02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: testing02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache testing02
+      run: nix-shell -A eval-nodes --run cache-node
   tower01:
     runs-on: nix
     steps:

REUSE.toml

@@ -20,7 +20,7 @@ precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
 SPDX-License-Identifier = "EUPL-1.2"
-path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
+path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
 precedence = "closest"
 
 [[annotations]]

default.nix

@@ -5,7 +5,9 @@
 
 {
   sources ? import ./npins,
-  pkgs ? import sources.nixpkgs { },
+  pkgs ? import sources.nixpkgs {
+    overlays = [ (import sources.proxmox-nixos).overlays.x86_64-linux ];
+  },
 }:
 
 let
@@ -92,6 +94,7 @@ let
           "machines/nixos/vault01/k-radius/packages/01-python_path.patch"
           "machines/nixos/web01/crabfit/*.patch"
           "machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
+          "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch"
           "patches/lix/01-disable-installChecks.patch"
           "patches/nixpkgs/03-crabfit-karla.patch"
           "patches/nixpkgs/05-netbird-relay.patch"
@@ -176,24 +179,30 @@ in
   devShell = pkgs.mkShell {
     name = "dgnum-infra";
 
-    packages = [
-      (pkgs.nixos-generators.overrideAttrs (_: {
-        version = "1.8.0-unstable";
-        src = sources.nixos-generators;
-      }))
-      pkgs.npins
+    packages =
+      [
+        (pkgs.nixos-generators.overrideAttrs (_: {
+          version = "1.8.0-unstable";
+          src = sources.nixos-generators;
+        }))
+        pkgs.npins
 
-      # SSO testing
-      pkgs.kanidm
-      pkgs.freeradius
-      pkgs.picocom # for serial access
+        # deploying on testing hypervisor
+        pkgs.nixmoxer
 
-      (pkgs.callPackage ./lib/colmena {
-        colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
-      })
-      (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
-      (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
-    ] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
+        # SSO testing
+        pkgs.kanidm
+        pkgs.freeradius
+        pkgs.picocom # for serial access
+
+        (pkgs.callPackage ./lib/colmena {
+          colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
+        })
+        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+        (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+      ]
+      ++ git-checks.enabledPackages
+      ++ (builtins.attrValues scripts);
 
     shellHook = builtins.concatStringsSep "\n" [
       git-checks.shellHook

keys/default.nix

@@ -34,6 +34,7 @@ rec {
     ];
     rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
     storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+    testing02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9ZLXDshhwRZs35oN3UYDtJXEBwMTP20nyWz453TvlY" ];
     tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
     vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
     web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];

machines/nixos/testing02/_configuration.nix

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, pkgs, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+    "dgn-web"
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "cas-eleves"
+  ];
+
+  extraConfig = {
+    # Disable monitoring
+    dgn-node-monitoring.enable = false;
+    dgn-records.enable = false;
+    dgn-notify.enable = false;
+
+    # Enable Postgres databases
+    services.postgresql = {
+      enable = true;
+
+      package = pkgs.postgresql_16;
+    };
+  };
+
+  root = ./.;
+}

machines/nixos/testing02/_hardware-configuration.nix

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, sources, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    (sources.disko + "/module.nix")
+    ./disko.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "ehci_pci"
+        "virtio_pci"
+        "sr_mod"
+        "virtio_blk"
+      ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+}

machines/nixos/testing02/cas-eleves/01-pytest-cas.patch

@@ -0,0 +1,98 @@
+diff --git a/setup.py b/setup.py
+index 7c7b02d..3f677ff 100644
+--- a/setup.py
++++ b/setup.py
+@@ -67,6 +67,4 @@ if __name__ == '__main__':
+         url="https://github.com/nitmir/django-cas-server",
+         download_url="https://github.com/nitmir/django-cas-server/releases/latest",
+         zip_safe=False,
+-        setup_requires=['pytest-runner'],
+-        tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
+     )
+index 2b389d3..dcdfafd 100644
+--- a/cas_server/tests/test_federate.py
++++ b/cas_server/tests/test_federate.py
+@@ -16,6 +16,7 @@ from cas_server.default_settings import settings
+ import django
+ from django.test import TestCase, Client
+ from django.test.utils import override_settings
++import pytest
+ 
+ from six.moves import reload_module
+ 
+@@ -64,6 +65,7 @@ class FederateAuthLoginLogoutTestCase(
+             ) in response.content.decode("utf-8"))
+         self.assertEqual(response.context['post_url'], '/federate')
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_login_post_provider(self, remember=False):
+         """test a successful login wrokflow"""
+         tickets = []
+@@ -159,6 +161,7 @@ class FederateAuthLoginLogoutTestCase(
+             self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service))
+         return tickets
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_login_twice(self):
+         """Test that user id db is used for the second login (cf coverage)"""
+         self.test_login_post_provider()
+@@ -253,6 +256,7 @@ class FederateAuthLoginLogoutTestCase(
+         self.assertEqual(response.status_code, 200)
+         self.assertIn(b"Invalid response from your identity provider CAS", response.content)
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_auth_federate_slo(self):
+         """test that SLO receive from backend CAS log out the users"""
+         # get tickets and connected clients
+@@ -301,6 +305,7 @@ class FederateAuthLoginLogoutTestCase(
+                     client, response, username=provider.build_username(settings.CAS_TEST_USER)
+                 )
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_federate_logout(self):
+         """
+             test the logout function: the user should be log out
+@@ -340,6 +345,7 @@ class FederateAuthLoginLogoutTestCase(
+                 response = client.get("/login")
+                 self.assert_login_failed(client, response)
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_remember_provider(self):
+         """
+             If the user check remember, next login should not offer the chose of the backend CAS
+@@ -355,6 +361,7 @@ class FederateAuthLoginLogoutTestCase(
+                 provider.suffix
+             ))
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_forget_provider(self):
+         """Test the logout option to forget remembered provider"""
+         tickets = self.test_login_post_provider(remember=True)
+@@ -365,6 +372,7 @@ class FederateAuthLoginLogoutTestCase(
+             client.get("/logout?forget_provider=1")
+             self.assertEqual(client.cookies["remember_provider"]["max-age"], 0)
+ 
++    @pytest.mark.skip(reason="Address already in use")
+     def test_renew(self):
+         """
+             Test authentication renewal with federation mode
+diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
+index d690724..73ee761 100644
+--- a/cas_server/tests/test_utils.py
++++ b/cas_server/tests/test_utils.py
+@@ -17,6 +17,7 @@ from django.db import connection
+ import six
+ import warnings
+ import datetime
++import pytest
+ 
+ from cas_server import utils
+ 
+@@ -61,6 +62,7 @@ class CheckPasswordCase(TestCase):
+             )
+         )
+ 
++    @pytest.mark.skip(reason="crypt is broken somehow")
+     def test_crypt(self):
+         """test the crypt auth method"""
+         salts = ["$6$UVVAQvrMyXMF3FF3", "aa"]

machines/nixos/testing02/cas-eleves/default.nix

@@ -0,0 +1,155 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  pkgs,
+  sources,
+  ...
+}:
+
+let
+  inherit (lib) mapAttrsToList;
+
+  host = "cas.eleves.ens.fr";
+
+  src = sources.cas-eleves;
+
+  port = 9889;
+
+  python3 =
+    let
+      nix-pkgs = import sources.nix-pkgs {
+        inherit pkgs;
+        python3 = pkgs.python312;
+      };
+    in
+    pkgs.python312.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs) django-browser-reload django-bulma-forms loadcredential;
+
+        django-cas-server = nix-pkgs.django-cas-server.overridePythonAttrs (_: {
+          patches = [ ./01-pytest-cas.patch ];
+        });
+      };
+    };
+
+  pythonEnv = python3.withPackages (ps: [
+    ps.django
+    ps.ldap3
+    ps.gunicorn
+    ps.psycopg
+
+    # Local packages
+    ps.django-browser-reload
+    ps.django-bulma-forms
+    ps.django-cas-server
+    ps.loadcredential
+  ]);
+
+  staticDrv = pkgs.stdenv.mkDerivation {
+    name = "cas_eleves-static";
+
+    inherit src;
+
+    nativeBuildInputs = [ pythonEnv ];
+
+    configurePhase = ''
+      export CE_STATIC_ROOT=$out/static
+      export CE_DEBUG=true
+      export CREDENTIALS_DIRECTORY=$(pwd)/.credentials
+    '';
+
+    doBuild = false;
+
+    installPhase = ''
+      mkdir -p $out/static
+      python3 manage.py collectstatic
+    '';
+  };
+in
+
+{
+  systemd.services = {
+    django-cas-eleves = {
+      description = "ENS CAS server";
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "network.target"
+        "postgresql.service"
+      ];
+
+      serviceConfig = {
+        DynamicUser = true;
+        LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
+          SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path;
+        };
+        StateDirectory = "django-cas-eleves";
+        User = "cas_server";
+        WorkingDirectory = src;
+      };
+
+      environment = {
+        CE_ALLOWED_HOSTS = builtins.toJSON [
+          host
+        ];
+        CE_STATIC_ROOT = staticDrv;
+      };
+
+      path = [ pythonEnv ];
+
+      script = ''
+        python3 manage.py migrate
+        python3 manage.py loaddata patterns
+        gunicorn app.wsgi --pythonpath ${sources.cas-eleves} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4
+      '';
+    };
+
+    cas-eleves-cleanup = {
+      description = "Periodic cleanup of cas_server database";
+
+      startAt = "daily";
+
+      serviceConfig = {
+        Type = "oneshot";
+
+        LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
+          SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path;
+        };
+        StateDirectory = "django-cas-eleves";
+        User = "cas_server";
+        WorkingDirectory = src;
+      };
+
+      path = [ pythonEnv ];
+
+      script = ''
+        python3 manage.py clearsessions
+        python3 manage.py cas_clean_sessions
+        python3 manage.py cas_clean_tickets
+      '';
+    };
+  };
+
+  dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
+
+  dgn-web.simpleProxies.cas-eleves = {
+    inherit host port;
+    vhostConfig.locations = {
+      "/static/".root = staticDrv;
+      "= /robots.txt".root = "${staticDrv}/static";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "cas_server" ];
+    ensureUsers = [
+      {
+        name = "cas_server";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}

machines/nixos/testing02/disko.nix

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+_: {
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

machines/nixos/testing02/secrets/cas_eleves-secret_key_file

@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA Y8DShtEMQgOntLe2D7DmyiBBk79lyqgnr+v2XU1wEUY
+0Ld753OZvmra3hu2ZhDTb+D6fmEDFHF3N1KXf576vFs
+-> ssh-ed25519 QlRB9Q UHxOhsZ4SVBxktiJZvdZWNoLTbDYwxgCxXH9kUOAHwc
+LHpldriHj6V7o3NBzRY5XCuKBVyt1TY8PwAV/Sw/II0
+-> ssh-ed25519 r+nK/Q Of86Jw9wbRO5FLqXBX9UBbgKvepsSs/RfoXA+WF5dEE
+RHUU7tJkLWGbwPbths8K1+RD3kAprtr+tcrutNIx4kw
+-> ssh-rsa krWCLQ
+leBDZeUh6g7VShLphqdbiSqbcWlWrWd2rsU5FJQRBp93ou81uTSx7YX0k+2T3j68
+oFwzYEAlCO+HS1pf4Xm+RU+v1Cek6v0GiKbOa0Qoq/quRACoz9XmYjuZymTywA9v
+1fsKI5lZf3Wrm+mo5kLjsN3r5sOzOwMJPDuyVToU85smnHEVLsyVHgk0NYOR3/FQ
+RfwCbIV8QDAQhO7wxeESbJc7uXV/Y3yW7R1beUqw10JjaP22+3XlBBirjJecfXbq
+3BjePWWXCbJiBfwusCYYFnNB+IH5Z+Iq5jjBPoC2Ds2qWF/u8Zkzm5kKFNe3FZAF
+irjyxq8Ig4mup8GbHJPhWQ
+-> ssh-ed25519 /vwQcQ I2XFpnON3doHt211OVV2jup8Gq45AnXxngl4buX11iU
+tETEki2X8DqWSobwkc3DIX5jRgEjIwEAkfwOgAn6XQQ
+-> ssh-ed25519 0R97PA 3SLLzYOFPJIMHPNv+nNRj0AVKVdjjzLwklNxTP22i3o
+SecCIijSQX9/trUkIcVZhkHkL0I91OoaVB0o7W7eQKY
+-> ssh-ed25519 JGx7Ng xgn+3vNx3+LFiCddKIm4Liw0dY1Tu9LbIv0IO7PsnTQ
+sBLQ5b+VfFna2NxRMiIKxPBS7ta25pB87g/w0dw5kBY
+-> ssh-ed25519 bUjjig Wy37MyZlHKZgAYoiZ51C1aKXk3ViEbsjywzEtirniWE
+xxO2NBD6XSRjD4V4LlrgFlgg6AfhDTXJeALjuSAMQ/E
+-> ssh-ed25519 4AXTDw olhRRCwy6pQKn3SoDoEOZX5O5UcG0OLU0tuWWRMXS1I
+EzE41m9GZSDUKa5YeE0yAboCqqPyA36/Y5jyrOuh1uY
+-> 0M'P-grease
+gY0
+--- AXjB6LAy1sz5hu44nz2pRCgvppwN+n2VDjUUtYwPGcY
+|¿&§Ð™·Ê*ê;ÕÌ<C395>C8qXå«.–Þ3³#
‘F˜ql„¬¯¨Þk?|•Œí¤¨t u7eÚ§ã­o¯"è±qad嶈Ü<ÑR

machines/nixos/testing02/secrets/secrets.nix

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../../keys).mkSecrets
+  [ "testing02" ]
+  [
+    # List of secrets for web02
+    "cas_eleves-secret_key_file"
+  ]

meta/dns.nix

@@ -115,6 +115,10 @@ let
           "status" # Uptime Kuma
         ];
 
+        testing02.dual = [
+          "*.testing"
+        ];
+
         vault01.dual = [
           "radius" # FreeRADIUS
         ];

meta/network.nix

@@ -189,6 +189,25 @@
     netbirdIp = "100.80.156.154";
   };
 
+  testing02 = {
+    interfaces = {
+      ens18 = {
+        ipv4 = [
+          {
+            address = "129.199.146.44";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.146.254" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "7bb28324";
+    netbirdIp = null; # testing02 is not to be connected on the VPN
+  };
+
   tower01 = {
     interfaces = {
       eno2 = {

meta/nodes/nixos.nix

@@ -182,6 +182,20 @@
     ];
   };
 
+  testing02 = {
+    site = "pav01";
+
+    hashedPassword = "$y$j9T$GMdDdUJFS3/.JruWdRjaJ1$7Or5QvWsYQ77swplkQdYAqdyVDmku0t6htBL0r5MT19";
+
+    stateVersion = "24.11";
+    vm-cluster = "Hyperviseur Lab-infra";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };
+
   tower01 = {
     site = "oik01";