feat(web01): Update web01 to 23.11

machines/web01/castopod-head-proxy.nix

@@ -0,0 +1,33 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.castopod;
+  fpm = config.services.phpfpm.pools.castopod;
+in
+  {
+  services.nginx = {
+      resolver.addresses = [ "127.0.0.53" ];
+      virtualHosts."${cfg.localDomain}" = {
+
+        locations."@force_get" = {
+          extraConfig = lib.mkForce ''
+            recursive_error_pages on;
+            proxy_method GET;
+            proxy_pass https://podcasts.dgnum.eu/$request_uri;
+          '';
+        };
+
+        locations."~ \.php$" = {
+          extraConfig = lib.mkForce ''
+            error_page 550 = @force_get;
+            if ($request_method = HEAD) { return 550; }
+            fastcgi_intercept_errors on;
+            fastcgi_index index.php;
+            fastcgi_pass unix:${fpm.socket};
+            try_files $uri =404;
+            fastcgi_read_timeout 3600;
+            fastcgi_send_timeout 3600;
+          '';
+        };
+      };
+    };
+  }

machines/web01/castopod.nix

@@ -3,12 +3,14 @@ let
   host = "podcasts.dgnum.eu";
 in
 {
-  # Notes:
-  # le paramètre analytics.salt est créé par le service
+  imports = [
+    ./castopod-head-proxy.nix
+  ];
   services.castopod = {
     enable = true;
     localDomain = host;
     environmentFile = config.age.secrets.castopod-environment_file.path;
+    maxUploadSize = 512;
     settings = {
       "email.fromEmail"="noreply@infra.dgnum.eu";
       "email.SMTPHost"="kurisu.lahfa.xyz";

machines/web01/plausible.nix

@@ -30,8 +30,6 @@ in
       secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
     };
 
-    releaseCookiePath = config.age.secrets."plausible_release-cookie-file".path;
-
     adminUser = {
       passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
       email = "tom.hubrecht@dgnum.eu";

meta/nodes.nix

@@ -23,11 +23,8 @@ in
 
 builtins.mapAttrs mkNode {
   web01 = {
-    deployment = {
-      tags = [ "web" ];
-    };
+    deployment.tags = [ "web" ];
 
-    nixpkgs = "23.05";
     stateVersion = "23.05";
   };
 

npins/sources.json

@@ -102,12 +102,6 @@
       "url": null,
       "hash": "14w7w327m8rf7yrjflqvbnmwx04l36n7j0nca5ilpvzrr8f2gg6l"
     },
-    "nixos-23.05": {
-      "type": "Channel",
-      "name": "nixos-23.05",
-      "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.4981.5b528f99f73c/nixexprs.tar.xz",
-      "hash": "1psdfcl5rjid66dhc8c0dfdrgqk5x76drwcads149pa45vbnri8k"
-    },
     "nixos-23.11": {
       "type": "Channel",
       "name": "nixos-23.11",

patches/default.nix

@@ -1,138 +1,13 @@
 {
   "nixos-23.11" = [
     # [Backport release-23.11] zfs_2_1: init at 2.1.13
-    { id = 270117; hash = "sha256-ot80XDtxDvPM0kW2gEeAs/z22jjkGOHog4Ue/JQEnZ8="; }
-  ];
+    { id = 270117; hash = "sha256-In3sogw/8TGYQQFCeBvdljANR0ZLng4magQ/4uyVy1A="; }
+    { id = 241542; revert = true; hash = "sha256-uiRokmJewTLURuQkPWRfb3jgxjaDwfkXntj8PWk6pi8="; }
 
-  "nixos-23.05" = [
-    # plausible: fix admin user password seed and SMTP passwords
-    {
-      id = 241126;
-      hash = "sha256-TcGuB3k8SeA8PRb/OdZ8ESw9/7yYKPftR96boK7Hmvc=";
-    }
-
-    # fetchMixDeps: sha256 -> hash
-    {
-      id = 235733;
-      hash = "sha256-oHGZFXwOJ9ngZNJBTd93abgI+eNPsCBJPgFxt41728o=";
-      includes = [
-        "pkgs/development/beam-modules/fetch-mix-deps.nix"
-        "pkgs/servers/web-apps/plausible/default.nix"
-      ];
-    }
-
-    # python3Packages.nix-prefetch-github: 6.0.1 -> 7.0.0
-    # Only keep the files related to plausible
-    {
-      id = 243018;
-      hash = "sha256-/7jid8tKo2JbVyEmeVxt+9VRqc/2YWkUeagyrMqqb70=";
-      includes = [ "pkgs/servers/web-apps/plausible/*" ];
-    }
-
-    # plausible: 1.4.4 -> 1.5.1
-    {
-      id = 229201;
-      hash = "sha256-wJ3qQbX5Yn7PZ5gpJYAeCIkblPaaVgUGg3XJb5C8ccY=";
-    }
-
-    # plausible: 1.5.1 -> 2.0.0
-    {
-      id = 253687;
-      hash = "sha256-Of3YXCJcevr5Ab6S/TMDR1M6PhffN/osLPAlfo60LAk=";
-    }
-
-    # dbip-country-lite: init at 2023-06
-    {
-      id = 235774;
-      hash = "sha256-M0oktrBKxezhBQh3gKHKXrWF7UjACX3PcpSzoq8HkW0=";
-    }
-
-    # kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13
-    {
-      id = 246564;
-      hash = "sha256-Q/G6w4iXthhC6JI/erOx0HBJ25aLQLtZSusAOdT6dYc=";
-    }
-
-    # Forgejo v1.19.4-0 -> v1.20.4-1
-    {
-      _type = "static";
-      path = ./forgejo.patch;
-    }
-
-    # nixos/forgejo: fork from nixos/gitea
-    {
-      id = 248310;
-      hash = "sha256-6cLMDbzYRKZrFulkS48dPznAap4bVCLsb1APaud9nV8=";
-    }
-
-    # garage: add environmentFile
-    {
-      id = 257043;
-      hash = "sha256-Z+WmDPuDoV1Ex+XzvUhvMPn8U+aw0tCRH3O5oR2qQrM=";
-    }
-
-    # outline: 0.68.1 -> 0.69.2
-    {
-      id = 232235;
-      hash = "sha256-f+upHsuuYyLqd9Wv+9JHhB3HnP+mXWer6L/xi5eFpwE=";
-    }
-
-    # outline: 0.69.2 -> 0.70.2
-    {
-      id = 241667;
-      excludes = [ "nixos/doc/manual/*" ];
-      hash = "sha256-9bOjwaXN/4/ASpNfyhaby+nuIz23gDLDIqgTdApdj1U=";
-    }
-
-    # outline 0.70.2 -> 0.71.0
-    {
-      id = 252126;
-      hash = "sha256-lH8xp5zG2fAaXS2gLF7UxqvuPlAigJ297hvlks0CG/U=";
-    }
-
-    # outline: use fetchYarnDeps
-    {
-      id = 253567;
-      hash = "sha256-aR62vOuTfmJ7MIr3plDcBonQQH2+o2F6z/LAAgcKVHU=";
-    }
-
-    # outline: 0.71.0 -> 0.72.0
-    {
-      id = 259246;
-      hash = "sha256-gRGsmqFjtQWWCCTRr9QHZDM3NxIbj5G9bFaFaTYTEYY=";
-    }
-
-    # nixos/outline: Add the possibility of using local storage instead of S3
-    {
-      id = 259254;
-      excludes = [ "nixos/doc/manual/*" ];
-      hash = "sha256-Hd3bRYncjnfHzEx+g6rb9cU3YmhF6W3QOtQUuDzw78U=";
-    }
-
-    # outline: 0.72.2 -> 0.73.1
-    {
-      id = 267752;
-      hash = "sha256-7bydFe7uOK9JxjFgwO0ZjZmKe3uo9GYZiMy0NG7+qkQ=";
-    }
-
-    # nixos/ntfy.sh: use dynamic user + add defaults
-    {
-      id = 234811;
-      hash = "sha256-Yz007dCmGl5OxRDMSHv63Ww+LzoQISm9Ttiw0p/6spY=";
-    }
-
-    # castopod: init
-    # Ne pas mettre à jour sans savoir ce qu'on fait (patch un peu customisé par rapport à upstream)
+    # castopod: 1.6.4 -> 1.7.0 + ajout du support de loadcredentials
     {
       _type = "static";
       path = ./castopod.patch;
     }
-
-    # nixos/fail2ban: RFC42-ize
-    {
-      id = 201907;
-      hash = "sha256-bkf37QTFgbnSz3s8QPm5Z+6rWVVOlDtISTR7FACEwMM=";
-      excludes = [ "nixos/doc/manual/" ];
-    }
   ];
 }

patches/forgejo.patch

@@ -1,33 +0,0 @@
-diff --git a/pkgs/applications/version-management/forgejo/default.nix b/pkgs/applications/version-management/forgejo/default.nix
-index d21097df07b..2ee652d8785 100644
---- a/pkgs/applications/version-management/forgejo/default.nix
-+++ b/pkgs/applications/version-management/forgejo/default.nix
-@@ -23,7 +23,7 @@ let
-     pname = "forgejo-frontend";
-     inherit (forgejo) src version;
- 
--    npmDepsHash = "sha256-dB/uBuS0kgaTwsPYnqklT450ejLHcPAqBdDs3JT8Uxg=";
-+    npmDepsHash = "sha256-YZzVw+WWqTmJafqnZ5vrzb7P6V4DTMNQwW1/+wvZEM8=";
- 
-     patches = [
-       ./package-json-npm-build-frontend.patch
-@@ -38,17 +38,17 @@ let
- in
- buildGoModule rec {
-   pname = "forgejo";
--  version = "1.19.4-0";
-+  version = "1.20.5-0";
- 
-   src = fetchFromGitea {
-     domain = "codeberg.org";
-     owner = "forgejo";
-     repo = "forgejo";
-     rev = "v${version}";
--    hash = "sha256-pTcnST8A4gADPBkNago9uwRFEmTx8vNONL/Emer4xLI=";
-+    hash = "sha256-tuwMvSWaMUc/GghmrbGLtyjixwOwiapWEOMD9QmMLic=";
-   };
- 
--  vendorHash = "sha256-LKxhNbSIRaP4EGWX6mE26G9CWfoFTrPRjrL4ShpRHWo=";
-+  vendorHash = "sha256-dgtZjsLBwblhdge3BvdbK/mN/TeZKps9K5dJbqomtjo=";
- 
-   subPackages = [ "." ];