diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml
index 358cf8c..a6289b4 100644
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@@ -34,6 +34,17 @@ jobs:
 STORE_USER: admin
 name: Build and cache build01
 run: nix-shell -A eval-nodes --run cache-node
+ cof02:
+ runs-on: nix
+ steps:
+ - uses: actions/checkout@v3
+ - env:
+ BUILD_NODE: cof02
+ STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+ STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+ STORE_USER: admin
+ name: Build and cache cof02
+ run: nix-shell -A eval-nodes --run cache-node
 compute01:
 runs-on: nix
 steps:
diff --git a/machines/nixos/cof02/_configuration.nix b/machines/nixos/cof02/_configuration.nix
new file mode 100644
index 0000000..1e5e011
--- /dev/null
+++ b/machines/nixos/cof02/_configuration.nix
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+ enabledModules = [
+ # List of modules to enable
+ "dgn-web"
+ ];
+
+ enabledServices = [
+ # List of services to enable
+ "staging-gestiocofs"
+ ];
+
+ extraConfig = {
+ dgn-records.enable = false;
+ dgn-monitoring.enable = false;
+ dgn-notify.enable = false;
+ };
+
+ root = ./.;
+}
diff --git a/machines/nixos/cof02/_hardware-configuration.nix b/machines/nixos/cof02/_hardware-configuration.nix
new file mode 100644
index 0000000..74179dc
--- /dev/null
+++ b/machines/nixos/cof02/_hardware-configuration.nix
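Review bot: The new `cof02` job is a line-for-line copy of the `build01` job directly above it, differing only in `BUILD_NODE`, the job key and the step `name`, so any future change to the checkout step, the store endpoint or the `nix-shell` invocation has to be repeated once per node. If the Forgejo runner in use supports `strategy.matrix`, one job iterating over the node names with `BUILD_NODE: ${{ matrix.node }}` would replace these copies; the rest of the workflow is outside the hunk, so I cannot tell whether that has already been tried. At minimum a `# keep in sync with the other eval-nodes jobs` comment on the job would flag the coupling.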
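Review bot: The `extraConfig` block switches off `dgn-records`, `dgn-monitoring` and `dgn-notify` for this host without recording why, and since the commit also gives this machine public ACME-backed HTTPS names, a reader later on will have to guess whether the missing monitoring is deliberate or an oversight that hides outages and abuse on an exposed box. A short comment above the three lines would settle it, e.g. `# staging VM: intentionally left out of DNS records, monitoring and notifications (<reason>)`, with the placeholder filled in by the author. What these three modules do by default is not visible in this hunk, so the wording should come from whoever knows the `dgn-*` modules.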
@@ -0,0 +1,45 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ kernelModules = [ ];
+ };
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/c6aac187-c594-4af7-8efa-a2cbd8281b8c";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/3D06-7719";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ swapDevices = [ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/nixos/cof02/secrets/secrets.nix b/machines/nixos/cof02/secrets/secrets.nix
new file mode 100644
index 0000000..4ece318
--- /dev/null
+++ b/machines/nixos/cof02/secrets/secrets.nix
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys.nix).mkSecrets
+ [ "cof02" ]
+ [
+ "webhook-gestiocof_token"
+ ]
diff --git a/machines/nixos/cof02/secrets/webhook-gestiocof_token b/machines/nixos/cof02/secrets/webhook-gestiocof_token
new file mode 100644
index 0000000..5b7e1cc
Binary files /dev/null and b/machines/nixos/cof02/secrets/webhook-gestiocof_token differ
diff --git a/machines/nixos/cof02/staging-gestiocofs.nix b/machines/nixos/cof02/staging-gestiocofs.nix
new file mode 100644
index 0000000..becc029
--- /dev/null
+++ b/machines/nixos/cof02/staging-gestiocofs.nix
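Review bot: The licence tag in the new `secrets/secrets.nix` is misspelled: `# SPDX-License-Identifer: EUPL-1.2` drops the second `i` of `Identifier`, so SPDX/REUSE tooling will not match the tag and the file will be reported as having no licence, unlike the other new files in this commit which spell it correctly. Change the line to `# SPDX-License-Identifier: EUPL-1.2`.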
@@ -0,0 +1,200 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, config, ... }:
+let
+ inherit (lib)
+ mkMerge
+ listToAttrs
+ nameValuePair
+ ;
+ branches = [
+ "master"
+ "gestion-clubs"
+ "status-change-2024-nov-13"
+ ];
+ mainDomain = "cof-stage.dgnum.eu";
+in
+mkMerge (
+ [
+ {
+ services.django-apps = {
+ enable = true;
+
+ webhook = {
+ domain = mainDomain;
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+ };
+ }
+ ]
+ ++ map (branch: {
+ services.django-apps.sites.${branch} = {
+ inherit branch;
+ source = "https://git.dgnum.eu/DGNum/gestioCOF";
+ domain = "${branch}.${mainDomain}";
+ doBackups = false;
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations =
+ {
+ "/ws/" = {
+ proxyPass = "http://unix:/run/django-apps/${branch}/socket";
+ proxyWebsockets = true;
+ };
+ }
+ // (listToAttrs (
+ builtins.map
+ (
+ folder:
+ nameValuePair "~ ^/${folder}/" {
+ extraConfig = ''
+ # we don't have the mount
+ return 501;
+ '';
+ }
+ )
+ [
+ "arcanoid"
+ "cirque"
+ "pompom"
+ "trouveres"
+ ]
+ ));
+
+ extraConfig = ''
+ rewrite ^/$ /news;
+ '';
+ };
+
+ webHookSecret = config.age.secrets."webhook-gestiocof_token".path;
+
+ overlays = {
+ kat-pkgs = [
+ "django-djconfig"
+ "django-hCaptcha"
+ "wagtail-modeltranslation"
+ "wagtailmenus"
+ "django-cogwheels"
+ ];
+
+ nix-pkgs = [
+ # Required packages
+ "authens"
+ "django-bootstrap-form"
+ "django-cas-ng"
+ "loadcredential"
+
+ # Dependencies
+ "python-cas"
+ ];
+ };
+
+ dependencies = ps: [
+ ps.authens
+ ps.channels
+ ps.channels-redis
+ ps.configparser
+ ps.django
+ ps.django-autocomplete-light
+ ps.django-bootstrap-form
+ ps.django-cas-ng
+ ps.django-cors-headers
+ ps.django-djconfig
+ ps.django-hCaptcha
+ ps.django-js-reverse
+ ps.django-widget-tweaks
+ ps.icalendar
+ ps.loadcredential
+ ps.pillow
+ ps.python-dateutil
+ ps.redis
+ ps.statistics
+ ps.wagtail
+ ps.wagtail-modeltranslation
+ ps.wagtailmenus
+ ];
+
+ application = {
+ module = "gestioasso";
+ type = "daphne";
+ settingsModule = "gestioasso.settings_cof";
+ };
+
+ environment = {
+ GESTIOCOF_CHANNEL_LAYERS.default = {
+ BACKEND = "shared.channels.ChannelLayer";
+ CONFIG.hosts = [ "unix://${config.services.redis.servers.${branch}.unixSocket}" ];
+ };
+ GESTIOCOF_CACHES.default = {
+ BACKEND = "django.core.cache.backends.redis.RedisCache";
+ LOCATION = "unix://${config.services.redis.servers.${branch}.unixSocket}";
+ };
+ GESTIOCOF_CORS_ALLOWED_ORIGINS = [
+ "https://${config.services.django-apps.sites.${branch}.domain}"
+ ];
+ GESTIOCOF_SERVER_EMAIL = "gestion@cof.ens.fr";
+
+ # fake credentials
+ GESTIOCOF_SECRET_KEY = "insecure-key";
+ GESTIOCOF_HCAPTCHA_SECRET = "0x0000000000000000000000000000000000000000";
+ GESTIOCOF_HCAPTCHA_SITEKEY = "10000000-ffff-ffff-ffff-000000000001";
+ GESTIOCOF_KFETOPEN_TOKEN = "k-feste_token";
+ GESTIOCOF_SYMPA_PASSWORD = "toto";
+ GESTIOCOF_SYMPA_USERNAME = "sympa";
+ GESTIOCOF_EMAIL_HOST = "localhost";
+ };
+ env_prefix = "GESTIOCOF";
+
+ extraInit = ''
+ python manage.py sync_page_translation_fields
+ python manage.py update_translation_fields
+ python manage.py loaddata gestion sites articles
+ python manage.py loaddevdata
+ '';
+
+ extraServices.worker = {
+ script = "python3 manage.py runworker default";
+
+ serviceConfig = {
+ WorkingDirectory = "/var/lib/django-apps/${branch}/source";
+ SupplementaryGroups = [ "redis-${branch}" ];
+ };
+ };
+ timers = {
+ rappel-negatifs = {
+ script = ''
+ python3 manage.py sendrappelsnegatifs
+ '';
+ startAt = "*-*-* 1,13:17:19";
+ };
+ rappel-bda = {
+ script = ''
+ python3 manage.py sendrappels
+ '';
+ startAt = "*-*-* 2,14:17:19";
+ };
+ manage-reventes = {
+ script = ''
+ python3 manage.py manage_reventes
+ '';
+ startAt = "*-*-* *:01..56/5:29";
+ };
+ };
+ };
+
+ services.redis.servers.${branch} = {
+ enable = true;
+ };
+
+ systemd.services."dj-${branch}".serviceConfig.SupplementaryGroups = [ "redis-${branch}" ];
+ }) branches
+)
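Review bot: `GESTIOCOF_SECRET_KEY = "insecure-key"` under the `# fake credentials` comment is a fixed value committed to the repository and baked into the world-readable Nix store, for Django sites that this same file publishes under `${branch}.cof-stage.dgnum.eu` with `enableACME`/`forceSSL`; Django derives its session, CSRF and password-reset signing from `SECRET_KEY`, so anyone who can read the repo can forge those tokens for every staging branch, and `loaddevdata` in `extraInit` presumably seeds accounts worth reaching. The hCaptcha test keys and the Sympa/SMTP placeholders are reasonable for a staging host, but the secret key should use the same age-secret route the hunk already takes for `webHookSecret = config.age.secrets."webhook-gestiocof_token".path`, or at least a per-branch generated value, with a comment recording the decision if it is left as is. How the `django-apps` module lets a file-backed secret feed `environment` (beyond `webHookSecret`) is not visible in this hunk, so the exact plumbing may differ.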
diff --git a/meta/dns.nix b/meta/dns.nix index 3161e18..f30f942 100644 --- a/meta/dns.nix +++ b/meta/dns.nix @@ -61,6 +61,11 @@ let hosted = fuseAttrs ( builtins.attrValues ( builtins.mapAttrs mkHosted { + cof02.dual = [ + "*.cof-stage" + "cof-stage" + ]; + compute01.dual = [ "analytics" # Plausible Analytics "arkheon" # Arkheon diff --git a/meta/network.nix b/meta/network.nix index f0d904a..740f694 100644 --- a/meta/network.nix +++ b/meta/network.nix @@ -33,6 +33,25 @@ netbirdIp = "100.80.31.249"; }; + cof02 = { + interfaces = { + ens18 = { + ipv4 = [ + { + address = "129.199.146.54"; + prefixLength = 24; + } + ]; + + gateways = [ "129.199.146.254" ]; + enableDefaultDNS = true; + }; + }; + + hostId = "4492d4ce"; + netbirdIp = null; + }; + compute01 = { interfaces = { eno1 = { diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix index 553f100..919c192 100644 --- a/meta/nodes/nixos.nix +++ b/meta/nodes/nixos.nix @@ -73,6 +73,27 @@ }; }; + cof02 = { + site = "pav01"; + + hashedPassword = "$y$j9T$7NuClEAftCG0O7AA0KLK10$/ZLXV73tiZVMXFdgKfa4yVeYk.Qdea6uIgQTrtWHIbA"; + + sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfYSj2V0jmricxbH/ZumcLXZuMqj5/AS9BvRoU1zejg" ]; + + stateVersion = "24.11"; + + nixpkgs = { + version = "24.11"; + system = "nixos"; + }; + + admins = [ "catvayor" ]; + + deployment = { + targetHost = "129.199.146.54"; + }; + }; + compute01 = { site = "pav01"; sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
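Review bot: The new `cof02` entry in `meta/nodes/nixos.nix` commits a `hashedPassword` into the repository, whereas the neighbouring `compute01` entry visible in the hunk authenticates with `sshKeys` alone; a password hash in git history is subject to offline guessing for as long as the history exists and cannot be rotated without another commit. If interactive password login is genuinely needed on this VM (console access, perhaps), the secrets flow the commit already sets up under `machines/nixos/cof02/secrets/` is the better home — for instance a file-backed hashed password resolved from `config.age.secrets` if the node schema supports it — and otherwise the line could be dropped in favour of the SSH key. I cannot see the node schema or how `hashedPassword` is consumed from here, so if a file-based option does not exist yet, a comment on the line explaining why this node differs would at least make the choice deliberate.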