From 8ba6cedc1b25086002c253ef48c594ec9d590396 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Mon, 20 Jan 2025 00:56:14 +0100
Subject: [PATCH] feat(compute01): Deploy pretalx
---
 REUSE.toml | 2 +-
 default.nix | 1 +
 machines/nixos/compute01/_configuration.nix | 1 +
 machines/nixos/compute01/pretalx.nix | 52 +++++++++++++++++++
 .../secrets/pretalx-environment_file | 30 +++++++++++
 machines/nixos/compute01/secrets/secrets.nix | 1 +
 patches/default.nix | 3 ++
 .../nixpkgs/01-pretalx-environment-file.patch | 33 ++++++++++++
 8 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 machines/nixos/compute01/pretalx.nix
 create mode 100644 machines/nixos/compute01/secrets/pretalx-environment_file
 create mode 100644 patches/nixpkgs/01-pretalx-environment-file.patch
diff --git a/REUSE.toml b/REUSE.toml
index 076efb7..388cc61 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -20,7 +20,7 @@ precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = "2024 Tom Hubrecht "
 SPDX-License-Identifier = "EUPL-1.2"
-path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
+path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
 precedence = "closest"
 
 [[annotations]]
diff --git a/default.nix b/default.nix
index 3d44b03..f12d53a 100644
--- a/default.nix
+++ b/default.nix
@@ -95,6 +95,7 @@ let
 "machines/nixos/web01/crabfit/*.patch"
 "machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
 "patches/lix/01-disable-installChecks.patch"
+ "patches/nixpkgs/01-pretalx-environment-file.patch"
 "patches/nixpkgs/03-crabfit-karla.patch"
 "patches/nixpkgs/05-netbird-relay.patch"
 ];
diff --git a/machines/nixos/compute01/_configuration.nix b/machines/nixos/compute01/_configuration.nix
index e36bee4..c252089 100644
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@@ -30,6 +30,7 @@ lib.extra.mkConfig {
 "outline"
 "plausible"
 "postgresql"
+ "pretalx"
 "pretix"
 "rstudio-server"
 # "satosa"
diff --git a/machines/nixos/compute01/pretalx.nix b/machines/nixos/compute01/pretalx.nix
new file mode 100644
index 0000000..342be12
--- /dev/null
+++ b/machines/nixos/compute01/pretalx.nix
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+
+{
+ services.nginx.virtualHosts.${config.services.pretalx.nginx.domain} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ services.pretalx = {
+ enable = true;
+
+ plugins = with config.services.pretalx.package.plugins; [
+ pages
+ venueless
+ ];
+
+ nginx = {
+ enable = true;
+ domain = "pretalx.dgnum.eu";
+ };
+
+ environmentFile = config.age.secrets."pretalx-environment_file".path;
+
+ settings = {
+ files.upload_limit = 50;
+
+ mail = {
+ from = "pretalx@infra.dgnum.eu";
+ host = "kurisu.lahfa.xyz";
+ port = 465;
+ ssl = true;
+ user = "web-services@infra.dgnum.eu";
+ };
+
+ logging.email = "admins+pretalx@dgnum.eu";
+
+ locale = {
+ language_code = "fr";
+ time_zone = "Europe/Paris";
+ };
+ };
+ };
+
+ dgn-backups = {
+ postgresDatabases = [ "pretalx" ];
+ jobs.pretix.settings.paths = [ "/var/lib/pretalx" ];
+ };
+}
diff --git a/machines/nixos/compute01/secrets/pretalx-environment_file b/machines/nixos/compute01/secrets/pretalx-environment_file
new file mode 100644
index 0000000..9c0bfd7
--- /dev/null
+++ b/machines/nixos/compute01/secrets/pretalx-environment_file
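Review bot: The backup job is keyed `pretix` while the path it covers belongs to pretalx (`jobs.pretix.settings.paths = [ "/var/lib/pretalx" ];`, second-to-last line of the hunk), which reads like a copy-paste from the pretix host module. If a `jobs.pretix` entry already exists for the pretix service, the pretalx state directory is silently merged into that job; if it does not, a job with a misleading name is created — either way anyone restoring pretalx has to know to look under pretix, and a later cleanup of the pretix job would drop the pretalx media directory with it. What `dgn-backups.jobs` does with the key is defined outside this hunk, so the exact effect is inferred. Suggest `jobs.pretalx.settings.paths = [ "/var/lib/pretalx" ];`, mirroring the `postgresDatabases = [ "pretalx" ]` entry directly above it.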
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA nxmUrwL0YLjmyml8KcWZ6dWwV5O6w2Dlg7uqb+eSYBY +BgVWB3Z3wJ9E68kmDbf4/NrmsZGR/goS2Kfx/nc49Vs +-> ssh-ed25519 QlRB9Q VB75tVIpYDO9Ta0MRsfuP24TAjbyT6OWEN0SjVkGVnA +oDn5Yal9NY2ce0p4jf0+ceBM14aF9+62J3Ich00bn60 +-> ssh-ed25519 r+nK/Q ejM5Jc8o01aaFO55KL8O2IBf6XSb84zvirAUWyWI0Ck +UXPxGsxI+vZHPsSWirv9GTa/Etwh3GXlOxAHrBMiRZQ +-> ssh-rsa krWCLQ +noF/XAAr5oXO3yxHgoKlPuFSiexCG508JCHrvUK0Pkw71KASEcEAfEHb+rZTi6yA +vtRIoU6MnAG4RaDkilp2Cz4LDfx8JvT3ucmy///0UhwUwC8keeR7r/EIGPdB3Fyc +FyyhC0KflA0kmWsOR9EZi2YYAHRTPUMzXYdSdIGc/82WMVGEizTck8CH10GV2Bxl +SyiaJFk//q4fZZwyYUyaSVFjMwrjU1bbAipmB24SLLCLp1J+Xxq/OX83Mctjqutl +LlNC10GdvM1JoPFFxy9Chk63WHZXp745D5JppWKJ8FuUs89WpCspzYNgqRgyBoQA +wNlUgSD1p815tuCDs1+wlg +-> ssh-ed25519 /vwQcQ StDx98vbjAGhJu1o74uVBC6DhuqaZZjxIEPyyCS44Wo +CxNrC8Pdi9HMF0atPNQutowQG60DSyWhXA3n/vOS+HA +-> ssh-ed25519 0R97PA BfmW5ljTVp+tUs32lAMnSBz2q5jMSgwgza3pfS3L404 +GibEScHuYz0b7kt+EQRXhiY01IfZzBhmMMJ7JxstWNo +-> ssh-ed25519 JGx7Ng hCbmKD+QH6SlFmFMM61Xv2Y8TjNZJyCYhhtFmjYQUEM +J8CLfOvhJeSdN2W8NQsIbfA1li6V4IzZc43Rq+yNuHc +-> ssh-ed25519 bUjjig jFfhHzfqTzuuN4IszblOGe7WFMxfFa5GvUbQ5TgWNmI +FU6hJSW0AT5FG49oQzN7c0dDsmgbhOYLAEz4YeAus6o +-> ssh-ed25519 tDqJRg 8DMYhpgIDvTQ+IshJCKvgFiY8J4qdVVA7nGRRc+clSA +EfRYOKCE6zv6BqbDyN4p6QdfN5Y+2GPie2tLqISbsSQ +-> {7;qZH-grease b'% +/q1kVYwytu14uIpZOi643OuIU7M3xNYoe2IPCVeH7A7lsAfhEuCbUOSwVGb1yvvP +Zuz3ZUD4ubs7a4By3LmbfYgTak2iHUMd7YCMOcWgwRJb +--- GrGJW7DhRg2lMfi+2fs81QGOIwUVuJkLuCzynlGtvUc +̩ۼ].r@+utb)^ɽ*;/S->dƙYuk{s/Vʊ +Ho. \ No newline at end of file diff --git a/machines/nixos/compute01/secrets/secrets.nix b/machines/nixos/compute01/secrets/secrets.nix index be0bbf5..d575bbf 100644 --- a/machines/nixos/compute01/secrets/secrets.nix +++ b/machines/nixos/compute01/secrets/secrets.nix 
@@ -30,6 +30,7 @@
 "plausible-admin_user_password_file"
 "plausible-secret_key_base_file"
 "plausible-smtp_password_file"
+ "pretalx-environment_file"
 "pretix-environment_file"
 "satosa-env_file"
 "signal-irc-bridge-config"
diff --git a/patches/default.nix b/patches/default.nix
index ee43201..0c15679 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -27,6 +27,9 @@ in
 
 # Fix pretix tests
 (npr 374822 "sha256-vM6l8Pb6F5HoZrpG4Ay3DdwwHBbv8MQy2Bo4gfiQ5zM=")
+
+ # pretalx env file option
+ (local ./nixpkgs/01-pretalx-environment-file.patch)
 ];
 
 "nixos-unstable" = [
diff --git a/patches/nixpkgs/01-pretalx-environment-file.patch b/patches/nixpkgs/01-pretalx-environment-file.patch
new file mode 100644
index 0000000..e78ae4b
--- /dev/null
+++ b/patches/nixpkgs/01-pretalx-environment-file.patch
@@ -0,0 +1,33 @@
+diff --git a/nixos/modules/services/web-apps/pretalx.nix b/nixos/modules/services/web-apps/pretalx.nix
+index c7d35d029963..5a6ab7fbe083 100644
+--- a/nixos/modules/services/web-apps/pretalx.nix
++++ b/nixos/modules/services/web-apps/pretalx.nix
+@@ -53,6 +53,17 @@ in
+ description = "User under which pretalx should run.";
+ };
+
++ environmentFile = lib.mkOption {
++ type = lib.types.nullOr lib.types.path;
++ default = null;
++ example = "/run/keys/pretalx-secrets.env";
++ description = ''
++ Environment file to pass secret configuration values.
++
++ Each line must follow the `PRETALX_SECTION_KEY=value` pattern.
++ '';
++ };
++
+ plugins = lib.mkOption {
+ type = with lib.types; listOf package;
+ default = [ ];
+@@ -381,6 +392,9 @@ in
+ serviceConfig = {
+ User = "pretalx";
+ Group = "pretalx";
++ EnvironmentFile = lib.optionals (cfg.environmentFile != null) [
++ cfg.environmentFile
++ ];
+ StateDirectory = [
+ "pretalx"
+ "pretalx/media"
+
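Review bot: The `EnvironmentFile` entry in the second hunk of the patch file is added to a single `serviceConfig` block whose enclosing unit definition starts outside the hunk, so it is not visible whether that block is the one shared by every pretalx unit (web, worker, periodic jobs) or belongs to just one of them. If only one unit reads the file, the others start with the `PRETALX_*` secrets unset and behave according to whatever the generated config contains, a split that tends to surface as intermittent mail or database failures rather than at build time; worth confirming the block is the common one before the host config relies on `environmentFile`. The option description could also state who reads the file, since that is what decides the secret's required permissions: e.g. `The file is read by systemd before the service drops privileges, so it may be owned by root with mode 0400 and does not need to be readable by the pretalx user.`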