feat(django-apps): Init ernestophone website

machines/nixos/web03/django-apps/default.nix

@@ -6,6 +6,7 @@
   imports = [
     ./annuaire.nix
     ./bocal.nix
+    ./ernestophone.nix
     ./gestiojeux.nix
     ./interludes.nix
     ./wikiens.nix

machines/nixos/web03/django-apps/ernestophone.nix

@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  sources,
+  config,
+  ...
+}:
+
+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
+{
+  services.django-apps.sites.ernestophone = {
+    source = "https://git.dgnum.eu/DGNum/ernestophone.ens.fr";
+    branch = "update";
+    domain = "beta.ernestophone.fr";
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/media/trombonoscope/".root = "/run/django-apps/ernestophone/";
+      };
+    };
+
+    serveMedia = false;
+
+    webHookSecret = config.age.secrets."webhook-ernestophone_token".path;
+
+    python = pkgs.python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-avatar
+          django-cas-ng
+          django-solo
+          loadcredential
+          ;
+      };
+    };
+
+    dependencies = ps: [
+      ps.django
+      ps.django-avatar
+      ps.django-colorful
+      ps.gunicorn
+      ps.pillow
+      ps.loadcredential
+    ];
+
+    application.module = "Ernestophone";
+
+    credentials = {
+      SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
+    };
+
+    environment = {
+      DJANGO_SETTINGS_MODULE = "Ernestophone.settings";
+      ERNESTOPHONE_ALLOWED_HOSTS = [ "beta.ernestophone.fr" ];
+    };
+  };
+}

machines/nixos/web03/secrets/dj_ernestophone-admins_file

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA 9RRZxLF9tCD5U+9qMdPjANj+uL/8klzK3MV+YW6fhEc
+gd8gQtbKWfOmN1mDRszw7vEnSg8pPHpHU5JDo9bM/ek
+-> ssh-ed25519 QlRB9Q hArXwJSPPrZySgU8/YBJwsVfXMhgMy7N72jFcslb1xo
+H3ifulIpmYpllXTsXh5TYit6JTxZwUs33Rey1qtvQnM
+-> ssh-ed25519 r+nK/Q jh3gdHmJMBCQbMQdYdko4Igwt0y62eIZaTlNsO/nw1Y
+NgflhTMQOIbyl1udyCuvRsIDxIkOK+QZbVRHLNThDJs
+-> ssh-rsa krWCLQ
+kOodyo51tOrDsqKSyN/WyJXq7Kot54eb66WBfHVVuYqAafQZnaUvSgXInc4Ba8M9
++pdwX37zff47gGr/obadKkAGf42xnu7nB8c6T68u/TNwKlQoIUuebEFEdqqp+dFe
+KY3DlM9LPyMMLO+Tk0t3djE9lp1FkbUeeDOk06rEgQyCs0HATKoa2k/c6/pim6vZ
+wvu/YxkJAdIIOdkunkKs1kiuCIbeqIQfb2vz/hpBUNI8e8T4S2W7zIVMocRDfYoq
+dPYj4kHRbnqeyWcobymCuXNdtGnhsT50oS3UGEvr4flaRpREQ+babp1g9uApnU6s
+oPbmlrwTB50FJA9mxp9rSw
+-> ssh-ed25519 /vwQcQ SVB+hkmtVwrsNShWD7agmjuZs64+pah596YIFZH/Eww
+SyRzjAkoKTfNcOMf5OiIVU/wHiPi+rDuXQ0qns9vhf0
+-> ssh-ed25519 0R97PA mrJuOmOhgGEbRMC/VYvJ++e1RGTTAZl7dzAJPT+6jUo
+Rn4+0P0spe1Xjn+3twu/cCdKBmsj5y327bESx8FkqJk
+-> ssh-ed25519 JGx7Ng VXVauDsi3WOxQ2G90ElTdGMueEtVxlQsbUHsceFJTB0
+AZNRGSyxTZn+L9e9eggyGlINvDSg5hQowBtv0hX954Q
+-> ssh-ed25519 bUjjig OBwPeegYOacrZxLrlxdVpOkshBCUIYOOgyF6LdOVTjw
+MJAv6ieAneoAe3//A6b3dBvJCze9uxFVRqlQnkm+rAY
+-> ssh-ed25519 VQSaNw ldI3O8GyoxhxvrE3okoVvPTrFYnUKNA0See4buKO7GA
+wcpmfgUNs0MyVcm/VGmwBpkZ++UGkTNDCiqqpYL2XXw
+-> n>[M-grease _ D--b ? [8U|"=~
+YZ1c1yZ4273rUu4v+APm/eBy8HQyish8t2zkTvjYFd8/pdA9uRkHogQGIBnlAi3h
+tq6/02nnT/QgZPcccQCD3SlwzkU0U2qdXIAdGtgzCo0FZsIYdkeU+VyoJDfcVt1o
+qXc
+--- lzSSWa0AAP8vhy6RfNChbM71Apmn7b6pLT1CtYFVrpQ
+<04>Ôï\÷/Áºß£íÄ*‰ŒÿÙi"ºÅåÝa/[Rr
+O)u^½Ÿ,Ù"%Km£¥<C2A3>zµkÝ°3)›Ù¡‰ø)ÌbS{^§<13>!y°ÅLÉERñ˜Ç
‚Q»uÅE‹EË;Êä´¤VÐ-¶?[ù<>uÑñÏ`Fvè%+$Ú§{¯xŦüg–Qºëiôy°<79>»#.^ìŒÓÎùÈ_*¤=íò×1êîÜCõ	ê
~¸

machines/nixos/web03/secrets/dj_ernestophone-password_file

@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M
+TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI
+-> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE
+nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ
+-> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE
+AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY
+-> ssh-rsa krWCLQ
+AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH
+TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC
+i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl
+Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4
+h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev
+1O7xqUhcRXgFUbDYRjTsLw
+-> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY
+zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA
+-> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g
+z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54
+-> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0
+yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k
+-> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20
+FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg
+-> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM
+EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg
+-> /Wa)P<iw-grease (;ag_e g#LM+oA Y n(M-1K+.
+lWfOmA
+--- k01yU9ZR8KIyG0JEfcYoP4iBlvqq7J676oPfDLpbvfs
+ÎD—èŒ<C3A8>Ptáçø4Õ•?6”N|ÐïZƒ³åM/œqo¨[ÄNä

machines/nixos/web03/secrets/dj_ernestophone-secret_key_file

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc
+hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI
+-> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw
+S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA
+-> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8
+5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM
+-> ssh-rsa krWCLQ
+HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz
+BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL
+CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5
+rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS
+x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ
+/pcg11dUQpXJdaIiPEowlg
+-> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM
+hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk
+-> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI
+32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA
+-> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs
+i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE
+-> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw
+nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4
+-> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc
+jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8
+-> $5-grease (y&6%5f<
+YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd
+G+fhmUbFuDj8ZtXg6yk
+--- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg
+.¼Zs‡…n}®ì,èémõR€ÏêeÞ)¾bOª¶<C2AA>îնܷ†m8¼z£RyúìT/¦@¿CÜÝôW™¨F5ˆ?<ð.[Ö†r¡Ó[°M

machines/nixos/web03/secrets/secrets.nix

@@ -6,12 +6,16 @@
   # List of secrets for web03
   "dj_annuaire-secret_key_file"
   "dj_bocal-secret_key_file"
+  "dj_ernestophone-secret_key_file"
+  "dj_ernestophone-password_file"
+  "dj_ernestophone-admins_file"
   "dj_gestiojeux-secret_key_file"
   "dj_interludes-email_host_password_file"
   "dj_interludes-secret_key_file"
   "dj_wikiens-secret_key_file"
   "webhook-annuaire_token"
   "webhook-bocal_token"
+  "webhook-ernestophone_token"
   "webhook-gestiojeux_token"
   "webhook-interludes_token"
   "webhook-wikiens_token"

machines/nixos/web03/secrets/webhook-ernestophone_token

@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA Ifc4K8jusXCbeMSYeAL+3jdvmDK1ojYiSzHJO/uefzk
+h5ewdTYV3o8+tPCzVWvLtqEM3WxVjtOqTRnrFAwKnes
+-> ssh-ed25519 QlRB9Q djvVFcR5y+WI5+rED8ztIQZuLfCj2z8wHx3WIutlfjk
+nsTUZEQRJAAZfNXw2YbzwV+RUJEx6Dmi0ujswMBqIro
+-> ssh-ed25519 r+nK/Q Ryx2iuVCefSFFMEyRjVbKFxTqaX6D+Ty4B1+6mRLSCg
+s7YjJa6NESaNZ9wzurlrsovu5ecJNnWLOhD80RnFqV4
+-> ssh-rsa krWCLQ
+utXBcdyAmbl463xcacn1+K9UyG78vKG9LW1vJ/q40ltqEsuxktP2C5YgBL2Whcld
+UYTsNFa3b02HP1wp0fPP4eVyk0NNKqO1rairMAvLJmQk15s0OVCk7LvjZe+Q31m1
+gYxBSuN4oy7gljtOlIfrHtcRqDMC5IToYSt91pwt/0wgkHDH1OcLap8jaQIuPdc1
+pQqd6iUTF96kvvp1P6XbvOHH3nVLNw/bITR5BUSqm/YBocJBrDNIL2wXcq27bBMs
+YqF2nykztoSss+YM40XnHx14wNU0WeocbSYuPKabKvtgV0ry62w+EW5t453TfMng
+y0dYmBdXVTKgCyL2v/onlA
+-> ssh-ed25519 /vwQcQ tax06kUoYtjoUZ8k0+2L0cBr9CTpZpWd5Ev1qRh4dWM
+x2RYQ+53UJnBXz8plzYrpga9JCWgm+WvkjpGg+CpG8M
+-> ssh-ed25519 0R97PA DoPbx9NVAHTe6NRxT50nwdStoUJRnATQDEKgIyq2hhA
+6DUg7uQ9L80KzaMJi6h/Nm5EgtLlAI+R01Mke9GpyzQ
+-> ssh-ed25519 JGx7Ng AG1PM5MB2TlfZoiF29gu01LqhcQ+rEQRQZHFVxdHYG8
+ePz8kT+axuMZe8MKi1Yj+ZOCITIYjVAuRE2iTScgpyY
+-> ssh-ed25519 bUjjig SgZgUi5qfE8wK54Mj8P/FJ4QPNs4HUV5qPc9jJTskmY
+n/fedObFehvhLwd3uhkhfBamFpjZDVK7M1J67BucoPI
+-> ssh-ed25519 VQSaNw a+SLVFR9PqKgyHfAPTjH4SGkp4XXjz6xz6uMjZgYOg0
+hv5F5ENsfpU27opx8OT4mvL0waGO+AieG/VXvHNi2hg
+-> g**u4-grease Fb|HQ E
+FcQESlzpmCxDtrbCZhddPdNjVROYKj2XsOppqa2GPZsWqQH8cFfKzxjwlNlE7WNF
+Q3xupVqn8H1Cg98i
+--- lYBZVJ4DEtBmKhenHOOkQpuPT7TrGGgN1OmTrfCTtY4
+Žy[§—‘ÀÒh{`Z³öNŠx/ùºóSyFú£–ç
++‚¨Õr:¶úÀcJ¸L˜b¿M‹ô™w<E284A2>n+™õœ"§¢—|w¼¯¬kµ*

modules/nixos/django-apps/default.nix

@@ -38,6 +38,7 @@ let
   inherit (lib.types)
     attrs
     attrsOf
+    bool
     enum
     functionTo
     ints
@@ -129,6 +130,12 @@ in
                 '';
               };
 
+              serveMedia = mkOption {
+                type = bool;
+                default = true;
+                description = "Wther to serve the MEDIA_ROOT directory with nginx.";
+              };
+
               env_prefix = mkOption {
                 type = str;
                 default = toUpper name;
@@ -473,13 +480,18 @@ in
         {
           virtualHosts = mapAttrs' (
             name:
-            { domain, nginx, ... }:
+            {
+              domain,
+              nginx,
+              serveMedia,
+              ...
+            }:
             nameValuePair domain (
               recursiveUpdate {
                 locations = {
                   "/".proxyPass = "http://unix:/run/django-apps/${name}.sock";
                   "/static/".root = "/run/django-apps/${name}";
-                  "/media/".root = "/run/django-apps/${name}";
+                  "/media/".root = mkIf serveMedia "/run/django-apps/${name}";
                 };
               } nginx
             )

npins/sources.json

@@ -262,9 +262,9 @@
         "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
       },
       "branch": "main",
-      "revision": "476e657d9c285d91638b2a7c2bbbd9e6f9d0cfd4",
+      "revision": "cc01e1c2a6ecb1e38fde35ee54995a6a639fb057",
       "url": null,
-      "hash": "1i1a46q2v465zfa8rcfk1xisb7ywd4as18q6n2842ncnm69fxqns"
+      "hash": "17a9vlwrk9365ccyl7a5xspqsn9wizcpwdpvr3qdimvq4fpwhjal"
     },
     "nix-reuse": {
       "type": "GitRelease",