From 6a0d07fddbecf71e9afdba3003ed9a19a45bc50b Mon Sep 17 00:00:00 2001
From: sinavir
Date: Sat, 4 Jan 2025 12:01:29 +0100
Subject: [PATCH] feat(testing02): Init testing vm
---
 .forgejo/workflows/eval-nodes.yaml | 11 ++
 REUSE.toml | 2 +-
 default.nix | 43 +++--
 keys/default.nix | 1 +
 machines/nixos/testing02/_configuration.nix | 33 ++++
 .../testing02/_hardware-configuration.nix | 33 ++++
 .../testing02/cas-eleves/01-pytest-cas.patch | 98 +++++++++++
 .../nixos/testing02/cas-eleves/default.nix | 155 ++++++++++++++++++
 machines/nixos/testing02/disko.nix | 37 +++++
 .../secrets/cas_eleves-secret_key_file | 28 ++++
 machines/nixos/testing02/secrets/secrets.nix | 10 ++
 meta/dns.nix | 4 +
 meta/network.nix | 19 +++
 meta/nodes/nixos.nix | 14 ++
 14 files changed, 470 insertions(+), 18 deletions(-)
 create mode 100644 machines/nixos/testing02/_configuration.nix
 create mode 100644 machines/nixos/testing02/_hardware-configuration.nix
 create mode 100644 machines/nixos/testing02/cas-eleves/01-pytest-cas.patch
 create mode 100644 machines/nixos/testing02/cas-eleves/default.nix
 create mode 100644 machines/nixos/testing02/disko.nix
 create mode 100644 machines/nixos/testing02/secrets/cas_eleves-secret_key_file
 create mode 100644 machines/nixos/testing02/secrets/secrets.nix
diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index 452517e..07b4912 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -120,6 +120,17 @@ jobs:
 STORE_USER: admin
 name: Build and cache storage01
 run: nix-shell -A eval-nodes --run cache-node
+ testing02:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: testing02
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache testing02
+ run: nix-shell -A eval-nodes --run cache-node
 tower01:
 runs-on: nix
 steps:
diff --git a/REUSE.toml b/REUSE.toml
index 1e6ae4c..226ea8e 100644
--- a/REUSE.toml +++ b/REUSE.toml @@ -20,7 +20,7 @@ precedence = "closest" [[annotations]] SPDX-FileCopyrightText = "2024 Tom Hubrecht " SPDX-License-Identifier = "EUPL-1.2" -path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"] +path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"] precedence = "closest" [[annotations]] diff --git a/default.nix b/default.nix index 7aa2701..8a51f0e 100644 --- a/default.nix +++ b/default.nix @@ -5,7 +5,9 @@ { sources ? import ./npins, - pkgs ? import sources.nixpkgs { }, + pkgs ? import sources.nixpkgs { + overlays = [ (import sources.proxmox-nixos).overlays.x86_64-linux ]; + }, }: let @@ -92,6 +94,7 @@ let "machines/nixos/vault01/k-radius/packages/01-python_path.patch" "machines/nixos/web01/crabfit/*.patch" "machines/nixos/web02/cas-eleves/01-pytest-cas.patch" + "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch" "patches/lix/01-disable-installChecks.patch" "patches/nixpkgs/03-crabfit-karla.patch" "patches/nixpkgs/05-netbird-relay.patch" 
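Review bot: The proxmox-nixos overlay is installed on the default `pkgs` in `overlays = [ (import sources.proxmox-nixos).overlays.x86_64-linux ];`, so it applies to every node evaluated from this file, not only testing02; any package that external source overrides is then pulled into all production builds and into the signed binary cache. If it is only needed for the hypervisor tooling in the dev shell, scoping the overlay to that package set (or to the testing02 node) would keep the other nodes' closures independent of it, with a comment such as `# proxmox-nixos overlay: only needed for the testing hypervisor tooling`. The diffstat contains no npins change, so `sources.proxmox-nixos` presumably was pinned in an earlier commit; worth confirming that pin went through the same review as the other inputs. The enclosing `let` block continues outside the hunk.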
@@ -176,24 +179,30 @@ in devShell = pkgs.mkShell { name = "dgnum-infra"; - packages = [ - (pkgs.nixos-generators.overrideAttrs (_: { - version = "1.8.0-unstable"; - src = sources.nixos-generators; - })) - pkgs.npins + packages = + [ + (pkgs.nixos-generators.overrideAttrs (_: { + version = "1.8.0-unstable"; + src = sources.nixos-generators; + })) + pkgs.npins - # SSO testing - pkgs.kanidm - pkgs.freeradius - pkgs.picocom # for serial access + # deploying on testing hypervisor + pkgs.nixmoxer - (pkgs.callPackage ./lib/colmena { - colmena = pkgs.callPackage "${sources.colmena}/package.nix" { }; - }) - (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) - (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) - ] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts); + # SSO testing + pkgs.kanidm + pkgs.freeradius + pkgs.picocom # for serial access + + (pkgs.callPackage ./lib/colmena { + colmena = pkgs.callPackage "${sources.colmena}/package.nix" { }; + }) + (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) + (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) + ] + ++ git-checks.enabledPackages + ++ (builtins.attrValues scripts); shellHook = builtins.concatStringsSep "\n" [ git-checks.shellHook diff --git a/keys/default.nix b/keys/default.nix index 1a38900..50f5856 100644 --- a/keys/default.nix +++ b/keys/default.nix @@ -34,6 +34,7 @@ rec { ]; rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ]; storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ]; + testing02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9ZLXDshhwRZs35oN3UYDtJXEBwMTP20nyWz453TvlY" ]; tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ]; vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ]; web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ]; 
diff --git a/machines/nixos/testing02/_configuration.nix b/machines/nixos/testing02/_configuration.nix
new file mode 100644
index 0000000..523ec5b
--- /dev/null
+++ b/machines/nixos/testing02/_configuration.nix
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, pkgs, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ # List of modules to enable
+ "dgn-web"
+ ];
+
+ enabledServices = [
+ # List of services to enable
+ "cas-eleves"
+ ];
+
+ extraConfig = {
+ # Disable monitoring
+ dgn-node-monitoring.enable = false;
+ dgn-records.enable = false;
+ dgn-notify.enable = false;
+
+ # Enable Postgres databases
+ services.postgresql = {
+ enable = true;
+
+ package = pkgs.postgresql_16;
+ };
+ };
+
+ root = ./.;
+}
diff --git a/machines/nixos/testing02/_hardware-configuration.nix b/machines/nixos/testing02/_hardware-configuration.nix
new file mode 100644
index 0000000..54e1ab1
--- /dev/null
+++ b/machines/nixos/testing02/_hardware-configuration.nix
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, sources, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (sources.disko + "/module.nix")
+ ./disko.nix
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "ehci_pci"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ kernelModules = [ ];
+ };
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ };
+}
diff --git a/machines/nixos/testing02/cas-eleves/01-pytest-cas.patch b/machines/nixos/testing02/cas-eleves/01-pytest-cas.patch
new file mode 100644
index 0000000..633a567
--- /dev/null
+++ b/machines/nixos/testing02/cas-eleves/01-pytest-cas.patch
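Review bot: The banner `# Do not modify this file! It was generated by ‘nixos-generate-config’` in the new `_hardware-configuration.nix` no longer holds, because the file hand-imports `(sources.disko + "/module.nix")` and `./disko.nix`; a future regeneration following that advice would silently drop the disk layout. Replace the banner with something like `# Derived from nixos-generate-config output; the disko imports below are hand-written and must be kept.` so the next maintainer does not overwrite it. The `_configuration.nix` hunk on the same line raises nothing.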
@@ -0,0 +1,98 @@ +diff --git a/setup.py b/setup.py +index 7c7b02d..3f677ff 100644 +--- a/setup.py ++++ b/setup.py +@@ -67,6 +67,4 @@ if __name__ == '__main__': + url="https://github.com/nitmir/django-cas-server", + download_url="https://github.com/nitmir/django-cas-server/releases/latest", + zip_safe=False, +- setup_requires=['pytest-runner'], +- tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'], + ) +index 2b389d3..dcdfafd 100644 +--- a/cas_server/tests/test_federate.py ++++ b/cas_server/tests/test_federate.py +@@ -16,6 +16,7 @@ from cas_server.default_settings import settings + import django + from django.test import TestCase, Client + from django.test.utils import override_settings ++import pytest + + from six.moves import reload_module + +@@ -64,6 +65,7 @@ class FederateAuthLoginLogoutTestCase( + ) in response.content.decode("utf-8")) + self.assertEqual(response.context['post_url'], '/federate') + ++ @pytest.mark.skip(reason="Address already in use") + def test_login_post_provider(self, remember=False): + """test a successful login wrokflow""" + tickets = [] +@@ -159,6 +161,7 @@ class FederateAuthLoginLogoutTestCase( + self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service)) + return tickets + ++ @pytest.mark.skip(reason="Address already in use") + def test_login_twice(self): + """Test that user id db is used for the second login (cf coverage)""" + self.test_login_post_provider() +@@ -253,6 +256,7 @@ class FederateAuthLoginLogoutTestCase( + self.assertEqual(response.status_code, 200) + self.assertIn(b"Invalid response from your identity provider CAS", response.content) + ++ @pytest.mark.skip(reason="Address already in use") + def test_auth_federate_slo(self): + """test that SLO receive from backend CAS log out the users""" + # get tickets and connected clients +@@ -301,6 +305,7 @@ class FederateAuthLoginLogoutTestCase( + client, response, username=provider.build_username(settings.CAS_TEST_USER) + ) 
+ ++ @pytest.mark.skip(reason="Address already in use") + def test_federate_logout(self): + """ + test the logout function: the user should be log out +@@ -340,6 +345,7 @@ class FederateAuthLoginLogoutTestCase( + response = client.get("/login") + self.assert_login_failed(client, response) + ++ @pytest.mark.skip(reason="Address already in use") + def test_remember_provider(self): + """ + If the user check remember, next login should not offer the chose of the backend CAS +@@ -355,6 +361,7 @@ class FederateAuthLoginLogoutTestCase( + provider.suffix + )) + ++ @pytest.mark.skip(reason="Address already in use") + def test_forget_provider(self): + """Test the logout option to forget remembered provider""" + tickets = self.test_login_post_provider(remember=True) +@@ -365,6 +372,7 @@ class FederateAuthLoginLogoutTestCase( + client.get("/logout?forget_provider=1") + self.assertEqual(client.cookies["remember_provider"]["max-age"], 0) + ++ @pytest.mark.skip(reason="Address already in use") + def test_renew(self): + """ + Test authentication renewal with federation mode +diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py +index d690724..73ee761 100644 +--- a/cas_server/tests/test_utils.py ++++ b/cas_server/tests/test_utils.py +@@ -17,6 +17,7 @@ from django.db import connection + import six + import warnings + import datetime ++import pytest + + from cas_server import utils + +@@ -61,6 +62,7 @@ class CheckPasswordCase(TestCase): + ) + ) + ++ @pytest.mark.skip(reason="crypt is broken somehow") + def test_crypt(self): + """test the crypt auth method""" + salts = ["$6$UVVAQvrMyXMF3FF3", "aa"] diff --git a/machines/nixos/testing02/cas-eleves/default.nix b/machines/nixos/testing02/cas-eleves/default.nix new file mode 100644 index 0000000..47a771e --- /dev/null +++ b/machines/nixos/testing02/cas-eleves/default.nix 
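Review bot: The new `01-pytest-cas.patch` is listed next to `machines/nixos/web02/cas-eleves/01-pytest-cas.patch` in both REUSE.toml and default.nix and looks like a copy of it, so the two files will drift; pointing the testing02 `default.nix` at the existing one with `patches = [ ../../web02/cas-eleves/01-pytest-cas.patch ];` would keep a single source. Note also that the patch marks `test_crypt`, the test of the crypt password-check method, as skipped with `reason="crypt is broken somehow"`, so that verification path is not exercised by the build; a short comment in default.nix recording whether this deployment relies on crypt-hashed passwords would make the skip reviewable.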
@@ -0,0 +1,155 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ config,
+ lib,
+ pkgs,
+ sources,
+ ...
+}:
+
+let
+ inherit (lib) mapAttrsToList;
+
+ host = "cas.eleves.ens.fr";
+
+ src = sources.cas-eleves;
+
+ port = 9889;
+
+ python3 =
+ let
+ nix-pkgs = import sources.nix-pkgs {
+ inherit pkgs;
+ python3 = pkgs.python312;
+ };
+ in
+ pkgs.python312.override {
+ packageOverrides = _: _: {
+ inherit (nix-pkgs) django-browser-reload django-bulma-forms loadcredential;
+
+ django-cas-server = nix-pkgs.django-cas-server.overridePythonAttrs (_: {
+ patches = [ ./01-pytest-cas.patch ];
+ });
+ };
+ };
+
+ pythonEnv = python3.withPackages (ps: [
+ ps.django
+ ps.ldap3
+ ps.gunicorn
+ ps.psycopg
+
+ # Local packages
+ ps.django-browser-reload
+ ps.django-bulma-forms
+ ps.django-cas-server
+ ps.loadcredential
+ ]);
+
+ staticDrv = pkgs.stdenv.mkDerivation {
+ name = "cas_eleves-static";
+
+ inherit src;
+
+ nativeBuildInputs = [ pythonEnv ];
+
+ configurePhase = ''
+ export CE_STATIC_ROOT=$out/static
+ export CE_DEBUG=true
+ export CREDENTIALS_DIRECTORY=$(pwd)/.credentials
+ '';
+
+ doBuild = false;
+
+ installPhase = ''
+ mkdir -p $out/static
+ python3 manage.py collectstatic
+ '';
+ };
+in
+
+{
+ systemd.services = {
+ django-cas-eleves = {
+ description = "ENS CAS server";
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "postgresql.service"
+ ];
+
+ serviceConfig = {
+ DynamicUser = true;
+ LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
+ SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path;
+ };
+ StateDirectory = "django-cas-eleves";
+ User = "cas_server";
+ WorkingDirectory = src;
+ };
+
+ environment = {
+ CE_ALLOWED_HOSTS = builtins.toJSON [
+ host
+ ];
+ CE_STATIC_ROOT = staticDrv;
+ };
+
+ path = [ pythonEnv ];
+
+ script = ''
+ python3 manage.py migrate
+ python3 manage.py loaddata patterns
+ gunicorn app.wsgi --pythonpath ${sources.cas-eleves} -b
127.0.0.1:${builtins.toString port} --workers=2 --threads=4 + ''; + }; + + cas-eleves-cleanup = { + description = "Periodic cleanup of cas_server database"; + + startAt = "daily"; + + serviceConfig = { + Type = "oneshot"; + + LoadCredential = mapAttrsToList (name: value: "${name}:${value}") { + SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path; + }; + StateDirectory = "django-cas-eleves"; + User = "cas_server"; + WorkingDirectory = src; + }; + + path = [ pythonEnv ]; + + script = '' + python3 manage.py clearsessions + python3 manage.py cas_clean_sessions + python3 manage.py cas_clean_tickets + ''; + }; + }; + + dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; + + dgn-web.simpleProxies.cas-eleves = { + inherit host port; + vhostConfig.locations = { + "/static/".root = staticDrv; + "= /robots.txt".root = "${staticDrv}/static"; + }; + }; + + services.postgresql = { + ensureDatabases = [ "cas_server" ]; + ensureUsers = [ + { + name = "cas_server"; + ensureDBOwnership = true; + } + ]; + }; +} diff --git a/machines/nixos/testing02/disko.nix b/machines/nixos/testing02/disko.nix new file mode 100644 index 0000000..e549442 --- /dev/null +++ b/machines/nixos/testing02/disko.nix @@ -0,0 +1,37 @@ +# SPDX-FileCopyrightText: 2024 Maurice Debray +# +# SPDX-License-Identifier: EUPL-1.2 + +_: { + disko.devices = { + disk = { + main = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/machines/nixos/testing02/secrets/cas_eleves-secret_key_file b/machines/nixos/testing02/secrets/cas_eleves-secret_key_file new file mode 100644 index 0000000..71e900c --- /dev/null 
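Review bot: `host = "cas.eleves.ens.fr"` and `dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";` in the new cas-eleves/default.nix are the production names, while meta/dns.nix only gives this node a `*.testing` record; the proxy on testing02 therefore serves a vhost whose name resolves elsewhere, and `CE_ALLOWED_HOSTS` (built from `host`) will reject requests that reach the VM under its own name. Use a name under the node's `*.testing` record for `host`, drop the redirection, and say so in a comment such as `# testing instance: must never claim the production hostname`. Separately, `django-cas-eleves` runs with `DynamicUser = true` while `cas-eleves-cleanup` only sets `User = "cas_server"`; unless that user exists statically the timer unit presumably cannot resolve it, and the two units share `StateDirectory = "django-cas-eleves"` under different ownership modes, so aligning the cleanup unit's serviceConfig with the main one is worth confirming. The disko.nix hunk on the same line raises nothing.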
+++ b/machines/nixos/testing02/secrets/cas_eleves-secret_key_file @@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA Y8DShtEMQgOntLe2D7DmyiBBk79lyqgnr+v2XU1wEUY +0Ld753OZvmra3hu2ZhDTb+D6fmEDFHF3N1KXf576vFs +-> ssh-ed25519 QlRB9Q UHxOhsZ4SVBxktiJZvdZWNoLTbDYwxgCxXH9kUOAHwc +LHpldriHj6V7o3NBzRY5XCuKBVyt1TY8PwAV/Sw/II0 +-> ssh-ed25519 r+nK/Q Of86Jw9wbRO5FLqXBX9UBbgKvepsSs/RfoXA+WF5dEE +RHUU7tJkLWGbwPbths8K1+RD3kAprtr+tcrutNIx4kw +-> ssh-rsa krWCLQ +leBDZeUh6g7VShLphqdbiSqbcWlWrWd2rsU5FJQRBp93ou81uTSx7YX0k+2T3j68 +oFwzYEAlCO+HS1pf4Xm+RU+v1Cek6v0GiKbOa0Qoq/quRACoz9XmYjuZymTywA9v +1fsKI5lZf3Wrm+mo5kLjsN3r5sOzOwMJPDuyVToU85smnHEVLsyVHgk0NYOR3/FQ +RfwCbIV8QDAQhO7wxeESbJc7uXV/Y3yW7R1beUqw10JjaP22+3XlBBirjJecfXbq +3BjePWWXCbJiBfwusCYYFnNB+IH5Z+Iq5jjBPoC2Ds2qWF/u8Zkzm5kKFNe3FZAF +irjyxq8Ig4mup8GbHJPhWQ +-> ssh-ed25519 /vwQcQ I2XFpnON3doHt211OVV2jup8Gq45AnXxngl4buX11iU +tETEki2X8DqWSobwkc3DIX5jRgEjIwEAkfwOgAn6XQQ +-> ssh-ed25519 0R97PA 3SLLzYOFPJIMHPNv+nNRj0AVKVdjjzLwklNxTP22i3o +SecCIijSQX9/trUkIcVZhkHkL0I91OoaVB0o7W7eQKY +-> ssh-ed25519 JGx7Ng xgn+3vNx3+LFiCddKIm4Liw0dY1Tu9LbIv0IO7PsnTQ +sBLQ5b+VfFna2NxRMiIKxPBS7ta25pB87g/w0dw5kBY +-> ssh-ed25519 bUjjig Wy37MyZlHKZgAYoiZ51C1aKXk3ViEbsjywzEtirniWE +xxO2NBD6XSRjD4V4LlrgFlgg6AfhDTXJeALjuSAMQ/E +-> ssh-ed25519 4AXTDw olhRRCwy6pQKn3SoDoEOZX5O5UcG0OLU0tuWWRMXS1I +EzE41m9GZSDUKa5YeE0yAboCqqPyA36/Y5jyrOuh1uY +-> 0M'P-grease +gY0 +--- AXjB6LAy1sz5hu44nz2pRCgvppwN+n2VDjUUtYwPGcY +|&Й*;̍C8qX.3#Fqlk?|tu7eڧo"qad嶈<R \ No newline at end of file diff --git a/machines/nixos/testing02/secrets/secrets.nix b/machines/nixos/testing02/secrets/secrets.nix new file mode 100644 index 0000000..8d15ad9 --- /dev/null +++ b/machines/nixos/testing02/secrets/secrets.nix @@ -0,0 +1,10 @@ +# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique +# +# SPDX-License-Identifier: EUPL-1.2 + +(import ../../../../keys).mkSecrets + [ "testing02" ] + [ + # List of secrets for web02 + "cas_eleves-secret_key_file" + ] 
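Review bot: The comment `# List of secrets for web02` in the new secrets.nix is stale for this node; change it to `# List of secrets for testing02`. It is also worth confirming that `cas_eleves-secret_key_file` was freshly generated for the test VM rather than re-encrypted from the web02 secret, since a Django SECRET_KEY shared between test and production would make sessions and signed values issued by the test instance acceptable to the production one.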
diff --git a/meta/dns.nix b/meta/dns.nix index 40a9000..b62ecc7 100644 --- a/meta/dns.nix +++ b/meta/dns.nix @@ -115,6 +115,10 @@ let "status" # Uptime Kuma ]; + testing02.dual = [ + "*.testing" + ]; + vault01.dual = [ "radius" # FreeRADIUS ]; diff --git a/meta/network.nix b/meta/network.nix index 6980e44..5b2ecfc 100644 --- a/meta/network.nix +++ b/meta/network.nix @@ -189,6 +189,25 @@ netbirdIp = "100.80.156.154"; }; + testing02 = { + interfaces = { + ens18 = { + ipv4 = [ + { + address = "129.199.146.44"; + prefixLength = 24; + } + ]; + + gateways = [ "129.199.146.254" ]; + enableDefaultDNS = true; + }; + }; + + hostId = "7bb28324"; + netbirdIp = null; # testing02 is not to be connected on the VPN + }; + tower01 = { interfaces = { eno2 = { diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix index dea4288..388d842 100644 --- a/meta/nodes/nixos.nix +++ b/meta/nodes/nixos.nix @@ -182,6 +182,20 @@ ]; }; + testing02 = { + site = "pav01"; + + hashedPassword = "$y$j9T$GMdDdUJFS3/.JruWdRjaJ1$7Or5QvWsYQ77swplkQdYAqdyVDmku0t6htBL0r5MT19"; + + stateVersion = "24.11"; + vm-cluster = "Hyperviseur Lab-infra"; + + nixpkgs = { + version = "24.11"; + system = "nixos"; + }; + }; + tower01 = { site = "oik01";