From 7c6c753c67cf6702fc80b66f8dbe3fdfb78ab4f3 Mon Sep 17 00:00:00 2001 From: sinavir Date: Thu, 19 Dec 2024 20:35:17 +0100 Subject: [PATCH] feat(django-apps): Init ernestophone website --- machines/nixos/web03/django-apps/default.nix | 1 + .../nixos/web03/django-apps/ernestophone.nix | 65 +++++++++++++++++++ .../web03/secrets/dj_ernestophone-admins_file | 31 +++++++++ .../secrets/dj_ernestophone-password_file | 28 ++++++++ .../secrets/dj_ernestophone-secret_key_file | 29 +++++++++ machines/nixos/web03/secrets/secrets.nix | 4 ++ .../web03/secrets/webhook-ernestophone_token | 30 +++++++++ modules/nixos/django-apps/default.nix | 16 ++++- npins/sources.json | 4 +- 9 files changed, 204 insertions(+), 4 deletions(-) create mode 100644 machines/nixos/web03/django-apps/ernestophone.nix create mode 100644 machines/nixos/web03/secrets/dj_ernestophone-admins_file create mode 100644 machines/nixos/web03/secrets/dj_ernestophone-password_file create mode 100644 machines/nixos/web03/secrets/dj_ernestophone-secret_key_file create mode 100644 machines/nixos/web03/secrets/webhook-ernestophone_token diff --git a/machines/nixos/web03/django-apps/default.nix b/machines/nixos/web03/django-apps/default.nix index e91f8a7..55be1b0 100644 --- a/machines/nixos/web03/django-apps/default.nix +++ b/machines/nixos/web03/django-apps/default.nix @@ -6,6 +6,7 @@ imports = [ ./annuaire.nix ./bocal.nix + ./ernestophone.nix ./gestiojeux.nix ./interludes.nix ./wikiens.nix diff --git a/machines/nixos/web03/django-apps/ernestophone.nix b/machines/nixos/web03/django-apps/ernestophone.nix new file mode 100644 index 0000000..44aea80 --- /dev/null +++ b/machines/nixos/web03/django-apps/ernestophone.nix 
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+ pkgs,
+ sources,
+ config,
+ ...
+}:
+
+let
+ nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
+{
+ services.django-apps.sites.ernestophone = {
+ source = "https://git.dgnum.eu/DGNum/ernestophone.ens.fr";
+ branch = "update";
+ domain = "beta.ernestophone.fr";
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/media/trombonoscope/".root = "/run/django-apps/ernestophone/";
+ };
+ };
+
+ serveMedia = false;
+
+ webHookSecret = config.age.secrets."webhook-ernestophone_token".path;
+
+ python = pkgs.python3.override {
+ packageOverrides = _: _: {
+ inherit (nix-pkgs)
+ django-avatar
+ django-cas-ng
+ django-solo
+ loadcredential
+ ;
+ };
+ };
+
+ dependencies = ps: [
+ ps.django
+ ps.django-avatar
+ ps.django-colorful
+ ps.gunicorn
+ ps.pillow
+ ps.loadcredential
+ ];
+
+ application.module = "Ernestophone";
+
+ credentials = {
+ SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
+ };
+
+ environment = {
+ DJANGO_SETTINGS_MODULE = "Ernestophone.settings";
+ ERNESTOPHONE_ALLOWED_HOSTS = [ "beta.ernestophone.fr" ];
+ };
+ };
+}
diff --git a/machines/nixos/web03/secrets/dj_ernestophone-admins_file b/machines/nixos/web03/secrets/dj_ernestophone-admins_file
new file mode 100644
index 0000000..eb3dc7a
--- /dev/null
+++ b/machines/nixos/web03/secrets/dj_ernestophone-admins_file
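Review bot: The `credentials` block in `ernestophone.nix` wires only `SECRET_KEY`, yet this commit also adds the encrypted `dj_ernestophone-password_file` and `dj_ernestophone-admins_file` and lists them in `secrets.nix`; nothing in this file reads either of them. If the application needs them, they are presumably missing from `credentials` (the key names depend on the app's settings, which are not visible here). If it does not, committing them only adds ciphertext that every listed recipient can decrypt and that has to be tracked and rotated with the rest. Until they are wired, a comment such as `# dj_ernestophone-password_file and dj_ernestophone-admins_file are provisioned but not loaded yet` above `credentials` would make the gap explicit.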
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA 9RRZxLF9tCD5U+9qMdPjANj+uL/8klzK3MV+YW6fhEc +gd8gQtbKWfOmN1mDRszw7vEnSg8pPHpHU5JDo9bM/ek +-> ssh-ed25519 QlRB9Q hArXwJSPPrZySgU8/YBJwsVfXMhgMy7N72jFcslb1xo +H3ifulIpmYpllXTsXh5TYit6JTxZwUs33Rey1qtvQnM +-> ssh-ed25519 r+nK/Q jh3gdHmJMBCQbMQdYdko4Igwt0y62eIZaTlNsO/nw1Y +NgflhTMQOIbyl1udyCuvRsIDxIkOK+QZbVRHLNThDJs +-> ssh-rsa krWCLQ +kOodyo51tOrDsqKSyN/WyJXq7Kot54eb66WBfHVVuYqAafQZnaUvSgXInc4Ba8M9 ++pdwX37zff47gGr/obadKkAGf42xnu7nB8c6T68u/TNwKlQoIUuebEFEdqqp+dFe +KY3DlM9LPyMMLO+Tk0t3djE9lp1FkbUeeDOk06rEgQyCs0HATKoa2k/c6/pim6vZ +wvu/YxkJAdIIOdkunkKs1kiuCIbeqIQfb2vz/hpBUNI8e8T4S2W7zIVMocRDfYoq +dPYj4kHRbnqeyWcobymCuXNdtGnhsT50oS3UGEvr4flaRpREQ+babp1g9uApnU6s +oPbmlrwTB50FJA9mxp9rSw +-> ssh-ed25519 /vwQcQ SVB+hkmtVwrsNShWD7agmjuZs64+pah596YIFZH/Eww +SyRzjAkoKTfNcOMf5OiIVU/wHiPi+rDuXQ0qns9vhf0 +-> ssh-ed25519 0R97PA mrJuOmOhgGEbRMC/VYvJ++e1RGTTAZl7dzAJPT+6jUo +Rn4+0P0spe1Xjn+3twu/cCdKBmsj5y327bESx8FkqJk +-> ssh-ed25519 JGx7Ng VXVauDsi3WOxQ2G90ElTdGMueEtVxlQsbUHsceFJTB0 +AZNRGSyxTZn+L9e9eggyGlINvDSg5hQowBtv0hX954Q +-> ssh-ed25519 bUjjig OBwPeegYOacrZxLrlxdVpOkshBCUIYOOgyF6LdOVTjw +MJAv6ieAneoAe3//A6b3dBvJCze9uxFVRqlQnkm+rAY +-> ssh-ed25519 VQSaNw ldI3O8GyoxhxvrE3okoVvPTrFYnUKNA0See4buKO7GA +wcpmfgUNs0MyVcm/VGmwBpkZ++UGkTNDCiqqpYL2XXw +-> n>[M-grease _ D--b ? [8U|"=~ +YZ1c1yZ4273rUu4v+APm/eBy8HQyish8t2zkTvjYFd8/pdA9uRkHogQGIBnlAi3h +tq6/02nnT/QgZPcccQCD3SlwzkU0U2qdXIAdGtgzCo0FZsIYdkeU+VyoJDfcVt1o +qXc +--- lzSSWa0AAP8vhy6RfNChbM71Apmn7b6pLT1CtYFVrpQ +\/ߣ*i"a/[Rr +O)u^,"%Kmzkݰ3)١)bS{^!yL ER QuEE;V-?[u`Fv%+$ڧ{xŦgQiy#.^_*=1C ~ \ No newline at end of file diff --git a/machines/nixos/web03/secrets/dj_ernestophone-password_file b/machines/nixos/web03/secrets/dj_ernestophone-password_file new file mode 100644 index 0000000..ef1a308 --- /dev/null +++ b/machines/nixos/web03/secrets/dj_ernestophone-password_file 
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M +TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI +-> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE +nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ +-> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE +AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY +-> ssh-rsa krWCLQ +AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH +TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC +i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl +Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4 +h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev +1O7xqUhcRXgFUbDYRjTsLw +-> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY +zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA +-> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g +z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54 +-> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0 +yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k +-> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20 +FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg +-> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM +EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg +-> /Wa)P ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc +hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI +-> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw +S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA +-> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8 +5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM +-> ssh-rsa krWCLQ +HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz +BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL +CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5 +rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS +x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ 
+/pcg11dUQpXJdaIiPEowlg +-> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM +hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk +-> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI +32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA +-> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs +i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE +-> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw +nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4 +-> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc +jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8 +-> $5-grease (y&6%5f< +YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd +G+fhmUbFuDj8ZtXg6yk +--- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg +.Zsn} ,mRe)bOնm8zRyT/@CWF5?<.[ֆr \ No newline at end of file diff --git a/machines/nixos/web03/secrets/secrets.nix b/machines/nixos/web03/secrets/secrets.nix index 60bdf60..76fa329 100644 --- a/machines/nixos/web03/secrets/secrets.nix +++ b/machines/nixos/web03/secrets/secrets.nix @@ -6,12 +6,16 @@ # List of secrets for web03 "dj_annuaire-secret_key_file" "dj_bocal-secret_key_file" + "dj_ernestophone-secret_key_file" + "dj_ernestophone-password_file" + "dj_ernestophone-admins_file" "dj_gestiojeux-secret_key_file" "dj_interludes-email_host_password_file" "dj_interludes-secret_key_file" "dj_wikiens-secret_key_file" "webhook-annuaire_token" "webhook-bocal_token" + "webhook-ernestophone_token" "webhook-gestiojeux_token" "webhook-interludes_token" "webhook-wikiens_token" diff --git a/machines/nixos/web03/secrets/webhook-ernestophone_token b/machines/nixos/web03/secrets/webhook-ernestophone_token new file mode 100644 index 0000000..0c10b48 --- /dev/null +++ b/machines/nixos/web03/secrets/webhook-ernestophone_token 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA Ifc4K8jusXCbeMSYeAL+3jdvmDK1ojYiSzHJO/uefzk +h5ewdTYV3o8+tPCzVWvLtqEM3WxVjtOqTRnrFAwKnes +-> ssh-ed25519 QlRB9Q djvVFcR5y+WI5+rED8ztIQZuLfCj2z8wHx3WIutlfjk +nsTUZEQRJAAZfNXw2YbzwV+RUJEx6Dmi0ujswMBqIro +-> ssh-ed25519 r+nK/Q Ryx2iuVCefSFFMEyRjVbKFxTqaX6D+Ty4B1+6mRLSCg +s7YjJa6NESaNZ9wzurlrsovu5ecJNnWLOhD80RnFqV4 +-> ssh-rsa krWCLQ +utXBcdyAmbl463xcacn1+K9UyG78vKG9LW1vJ/q40ltqEsuxktP2C5YgBL2Whcld +UYTsNFa3b02HP1wp0fPP4eVyk0NNKqO1rairMAvLJmQk15s0OVCk7LvjZe+Q31m1 +gYxBSuN4oy7gljtOlIfrHtcRqDMC5IToYSt91pwt/0wgkHDH1OcLap8jaQIuPdc1 +pQqd6iUTF96kvvp1P6XbvOHH3nVLNw/bITR5BUSqm/YBocJBrDNIL2wXcq27bBMs +YqF2nykztoSss+YM40XnHx14wNU0WeocbSYuPKabKvtgV0ry62w+EW5t453TfMng +y0dYmBdXVTKgCyL2v/onlA +-> ssh-ed25519 /vwQcQ tax06kUoYtjoUZ8k0+2L0cBr9CTpZpWd5Ev1qRh4dWM +x2RYQ+53UJnBXz8plzYrpga9JCWgm+WvkjpGg+CpG8M +-> ssh-ed25519 0R97PA DoPbx9NVAHTe6NRxT50nwdStoUJRnATQDEKgIyq2hhA +6DUg7uQ9L80KzaMJi6h/Nm5EgtLlAI+R01Mke9GpyzQ +-> ssh-ed25519 JGx7Ng AG1PM5MB2TlfZoiF29gu01LqhcQ+rEQRQZHFVxdHYG8 +ePz8kT+axuMZe8MKi1Yj+ZOCITIYjVAuRE2iTScgpyY +-> ssh-ed25519 bUjjig SgZgUi5qfE8wK54Mj8P/FJ4QPNs4HUV5qPc9jJTskmY +n/fedObFehvhLwd3uhkhfBamFpjZDVK7M1J67BucoPI +-> ssh-ed25519 VQSaNw a+SLVFR9PqKgyHfAPTjH4SGkp4XXjz6xz6uMjZgYOg0 +hv5F5ENsfpU27opx8OT4mvL0waGO+AieG/VXvHNi2hg +-> g**u4-grease Fb|HQ E +FcQESlzpmCxDtrbCZhddPdNjVROYKj2XsOppqa2GPZsWqQH8cFfKzxjwlNlE7WNF +Q3xupVqn8H1Cg98i +--- lYBZVJ4DEtBmKhenHOOkQpuPT7TrGGgN1OmTrfCTtY4 +y[h{`ZNx/SyF ++r:  cJLbMwn+"|wk* \ No newline at end of file diff --git a/modules/nixos/django-apps/default.nix b/modules/nixos/django-apps/default.nix index 0aa9ec3..60f6eda 100644 --- a/modules/nixos/django-apps/default.nix +++ b/modules/nixos/django-apps/default.nix @@ -38,6 +38,7 @@ let inherit (lib.types) attrs attrsOf + bool enum functionTo ints 
@@ -129,6 +130,12 @@ in ''; }; + serveMedia = mkOption { + type = bool; + default = true; + description = "Wther to serve the MEDIA_ROOT directory with nginx."; + }; + env_prefix = mkOption { type = str; default = toUpper name; @@ -473,13 +480,18 @@ in { virtualHosts = mapAttrs' ( name: - { domain, nginx, ... }: + { + domain, + nginx, + serveMedia, + ... + }: nameValuePair domain ( recursiveUpdate { locations = { "/".proxyPass = "http://unix:/run/django-apps/${name}.sock"; "/static/".root = "/run/django-apps/${name}"; - "/media/".root = "/run/django-apps/${name}"; + "/media/".root = mkIf serveMedia "/run/django-apps/${name}"; }; } nginx ) diff --git a/npins/sources.json b/npins/sources.json index 89eb1ea..7804669 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -262,9 +262,9 @@ "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" }, "branch": "main", - "revision": "476e657d9c285d91638b2a7c2bbbd9e6f9d0cfd4", + "revision": "cc01e1c2a6ecb1e38fde35ee54995a6a639fb057", "url": null, - "hash": "1i1a46q2v465zfa8rcfk1xisb7ywd4as18q6n2842ncnm69fxqns" + "hash": "17a9vlwrk9365ccyl7a5xspqsn9wizcpwdpvr3qdimvq4fpwhjal" }, "nix-reuse": { "type": "GitRelease",
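Review bot: The `description` of the new `serveMedia` option has a typo (`Wther`) and does not say what the switch means for access control. With the default `true`, the `/media/` location is served by nginx from `/run/django-apps/${name}` (see the `locations` block later in this file), so no Django view or permission check is involved for those files. Suggested wording: `description = "Whether to serve the MEDIA_ROOT directory directly with nginx, bypassing any access control in the application.";`.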
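Review bot: In the `virtualHosts` hunk, `mkIf serveMedia` is applied to `root` only, so the `"/media/"` attribute itself is still present in `locations` when `serveMedia = false`. As far as I can tell from the module-system semantics, that leaves an nginx `location /media/` with neither `root` nor `proxyPass`, so requests under `/media/` that do not match a more specific location are answered by nginx itself and never reach the application. If the intent is to drop the location entirely, build it conditionally, e.g. `locations = { … } // lib.optionalAttrs serveMedia { "/media/".root = "/run/django-apps/${name}"; };`; otherwise a comment stating that the empty location is deliberate would help. The `virtualHosts` expression starts and ends outside this hunk.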