feat(cof02): init cof staging vm

The purpose of cof02 is to allow presenting under development features on gestiocof, or check that the next update of gestiocof works in production-like environment, by placing it in a near perfect copy of this environment
2025-03-08 23:17:33 +01:00 · 2025-03-08 23:17:33 +01:00 · bd4c64db02
commit bd4c64db02
parent 4229835ec4
9 changed files with 335 additions and 0 deletions
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -34,6 +34,17 @@ jobs:
        STORE_USER: admin
      name: Build and cache build01
      run: nix-shell -A eval-nodes --run cache-node
+  cof02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: cof02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache cof02
+      run: nix-shell -A eval-nodes --run cache-node
  compute01:
    runs-on: nix
    steps:
--- a/machines/nixos/cof02/_configuration.nix
+++ b/machines/nixos/cof02/_configuration.nix
@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+    "dgn-web"
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "staging-gestiocofs"
+  ];
+
+  extraConfig = {
+    dgn-records.enable = false;
+    dgn-monitoring.enable = false;
+    dgn-notify.enable = false;
+  };
+
+  root = ./.;
+}
--- a/machines/nixos/cof02/_hardware-configuration.nix
+++ b/machines/nixos/cof02/_hardware-configuration.nix
@ -0,0 +1,45 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "virtio_pci"
+        "virtio_scsi"
+        "sd_mod"
+        "sr_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/c6aac187-c594-4af7-8efa-a2cbd8281b8c";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/3D06-7719";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/machines/nixos/cof02/secrets/secrets.nix
+++ b/machines/nixos/cof02/secrets/secrets.nix
@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys.nix).mkSecrets
+  [ "cof02" ]
+  [
+    "webhook-gestiocof_token"
+  ]
--- a/machines/nixos/cof02/secrets/webhook-gestiocof_token
+++ b/machines/nixos/cof02/secrets/webhook-gestiocof_token
--- a/machines/nixos/cof02/staging-gestiocofs.nix
+++ b/machines/nixos/cof02/staging-gestiocofs.nix
@ -0,0 +1,200 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, config, ... }:
+let
+  inherit (lib)
+    mkMerge
+    listToAttrs
+    nameValuePair
+    ;
+  branches = [
+    "master"
+    "gestion-clubs"
+    "status-change-2024-nov-13"
+  ];
+  mainDomain = "cof-stage.dgnum.eu";
+in
+mkMerge (
+  [
+    {
+      services.django-apps = {
+        enable = true;
+
+        webhook = {
+          domain = mainDomain;
+
+          nginx = {
+            enableACME = true;
+            forceSSL = true;
+          };
+        };
+      };
+    }
+  ]
+  ++ map (branch: {
+    services.django-apps.sites.${branch} = {
+      inherit branch;
+      source = "https://git.dgnum.eu/DGNum/gestioCOF";
+      domain = "${branch}.${mainDomain}";
+      doBackups = false;
+
+      nginx = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations =
+          {
+            "/ws/" = {
+              proxyPass = "http://unix:/run/django-apps/${branch}/socket";
+              proxyWebsockets = true;
+            };
+          }
+          // (listToAttrs (
+            builtins.map
+              (
+                folder:
+                nameValuePair "~ ^/${folder}/" {
+                  extraConfig = ''
+                    # we don't have the mount
+                    return 501;
+                  '';
+                }
+              )
+              [
+                "arcanoid"
+                "cirque"
+                "pompom"
+                "trouveres"
+              ]
+          ));
+
+        extraConfig = ''
+          rewrite ^/$ /news;
+        '';
+      };
+
+      webHookSecret = config.age.secrets."webhook-gestiocof_token".path;
+
+      overlays = {
+        kat-pkgs = [
+          "django-djconfig"
+          "django-hCaptcha"
+          "wagtail-modeltranslation"
+          "wagtailmenus"
+          "django-cogwheels"
+        ];
+
+        nix-pkgs = [
+          # Required packages
+          "authens"
+          "django-bootstrap-form"
+          "django-cas-ng"
+          "loadcredential"
+
+          # Dependencies
+          "python-cas"
+        ];
+      };
+
+      dependencies = ps: [
+        ps.authens
+        ps.channels
+        ps.channels-redis
+        ps.configparser
+        ps.django
+        ps.django-autocomplete-light
+        ps.django-bootstrap-form
+        ps.django-cas-ng
+        ps.django-cors-headers
+        ps.django-djconfig
+        ps.django-hCaptcha
+        ps.django-js-reverse
+        ps.django-widget-tweaks
+        ps.icalendar
+        ps.loadcredential
+        ps.pillow
+        ps.python-dateutil
+        ps.redis
+        ps.statistics
+        ps.wagtail
+        ps.wagtail-modeltranslation
+        ps.wagtailmenus
+      ];
+
+      application = {
+        module = "gestioasso";
+        type = "daphne";
+        settingsModule = "gestioasso.settings_cof";
+      };
+
+      environment = {
+        GESTIOCOF_CHANNEL_LAYERS.default = {
+          BACKEND = "shared.channels.ChannelLayer";
+          CONFIG.hosts = [ "unix://${config.services.redis.servers.${branch}.unixSocket}" ];
+        };
+        GESTIOCOF_CACHES.default = {
+          BACKEND = "django.core.cache.backends.redis.RedisCache";
+          LOCATION = "unix://${config.services.redis.servers.${branch}.unixSocket}";
+        };
+        GESTIOCOF_CORS_ALLOWED_ORIGINS = [
+          "https://${config.services.django-apps.sites.${branch}.domain}"
+        ];
+        GESTIOCOF_SERVER_EMAIL = "gestion@cof.ens.fr";
+
+        # fake credentials
+        GESTIOCOF_SECRET_KEY = "insecure-key";
+        GESTIOCOF_HCAPTCHA_SECRET = "0x0000000000000000000000000000000000000000";
+        GESTIOCOF_HCAPTCHA_SITEKEY = "10000000-ffff-ffff-ffff-000000000001";
+        GESTIOCOF_KFETOPEN_TOKEN = "k-feste_token";
+        GESTIOCOF_SYMPA_PASSWORD = "toto";
+        GESTIOCOF_SYMPA_USERNAME = "sympa";
+        GESTIOCOF_EMAIL_HOST = "localhost";
+      };
+      env_prefix = "GESTIOCOF";
+
+      extraInit = ''
+        python manage.py sync_page_translation_fields
+        python manage.py update_translation_fields
+        python manage.py loaddata gestion sites articles
+        python manage.py loaddevdata
+      '';
+
+      extraServices.worker = {
+        script = "python3 manage.py runworker default";
+
+        serviceConfig = {
+          WorkingDirectory = "/var/lib/django-apps/${branch}/source";
+          SupplementaryGroups = [ "redis-${branch}" ];
+        };
+      };
+      timers = {
+        rappel-negatifs = {
+          script = ''
+            python3 manage.py sendrappelsnegatifs
+          '';
+          startAt = "*-*-* 1,13:17:19";
+        };
+        rappel-bda = {
+          script = ''
+            python3 manage.py sendrappels
+          '';
+          startAt = "*-*-* 2,14:17:19";
+        };
+        manage-reventes = {
+          script = ''
+            python3 manage.py manage_reventes
+          '';
+          startAt = "*-*-* *:01..56/5:29";
+        };
+      };
+    };
+
+    services.redis.servers.${branch} = {
+      enable = true;
+    };
+
+    systemd.services."dj-${branch}".serviceConfig.SupplementaryGroups = [ "redis-${branch}" ];
+  }) branches
+)
--- a/meta/dns.nix
+++ b/meta/dns.nix
@ -61,6 +61,11 @@ let
  hosted = fuseAttrs (
    builtins.attrValues (
      builtins.mapAttrs mkHosted {
+        cof02.dual = [
+          "*.cof-stage"
+          "cof-stage"
+        ];
+
        compute01.dual = [
          "analytics" # Plausible Analytics
          "arkheon" # Arkheon
--- a/meta/network.nix
+++ b/meta/network.nix
@ -33,6 +33,25 @@
      netbirdIp = "100.80.31.249";
    };

+    cof02 = {
+      interfaces = {
+        ens18 = {
+          ipv4 = [
+            {
+              address = "129.199.146.54";
+              prefixLength = 24;
+            }
+          ];
+
+          gateways = [ "129.199.146.254" ];
+          enableDefaultDNS = true;
+        };
+      };
+
+      hostId = "4492d4ce";
+      netbirdIp = null;
+    };
+
    compute01 = {
      interfaces = {
        eno1 = {
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@ -73,6 +73,27 @@
      };
    };

+    cof02 = {
+      site = "pav01";
+
+      hashedPassword = "$y$j9T$7NuClEAftCG0O7AA0KLK10$/ZLXV73tiZVMXFdgKfa4yVeYk.Qdea6uIgQTrtWHIbA";
+
+      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfYSj2V0jmricxbH/ZumcLXZuMqj5/AS9BvRoU1zejg" ];
+
+      stateVersion = "24.11";
+
+      nixpkgs = {
+        version = "24.11";
+        system = "nixos";
+      };
+
+      admins = [ "catvayor" ];
+
+      deployment = {
+        targetHost = "129.199.146.54";
+      };
+    };
+
    compute01 = {
      site = "pav01";
      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];