From ee34d4465e157ac884c5456bd192dbb28436642d Mon Sep 17 00:00:00 2001 From: sinavir Date: Sat, 4 Jan 2025 12:01:29 +0100 Subject: [PATCH] feat(testing02): Init testing vm --- .forgejo/workflows/eval-nodes.yaml | 11 ++ REUSE.toml | 2 +- default.nix | 43 +++-- machines/nixos/testing02/_configuration.nix | 47 ++++++ .../testing02/_hardware-configuration.nix | 33 ++++ .../testing02/cas-eleves/01-pytest-cas.patch | 98 +++++++++++ .../nixos/testing02/cas-eleves/default.nix | 156 ++++++++++++++++++ machines/nixos/testing02/disko.nix | 37 +++++ .../secrets/cas_eleves-secret_key_file | Bin 0 -> 1443 bytes machines/nixos/testing02/secrets/secrets.nix | 10 ++ meta/dns.nix | 4 + meta/network.nix | 19 +++ meta/nodes/nixos.nix | 14 ++ modules/nixos/default.nix | 1 + 14 files changed, 457 insertions(+), 18 deletions(-) create mode 100644 machines/nixos/testing02/_configuration.nix create mode 100644 machines/nixos/testing02/_hardware-configuration.nix create mode 100644 machines/nixos/testing02/cas-eleves/01-pytest-cas.patch create mode 100644 machines/nixos/testing02/cas-eleves/default.nix create mode 100644 machines/nixos/testing02/disko.nix create mode 100644 machines/nixos/testing02/secrets/cas_eleves-secret_key_file create mode 100644 machines/nixos/testing02/secrets/secrets.nix diff --git a/.forgejo/workflows/eval-nodes.yaml b/.forgejo/workflows/eval-nodes.yaml index 452517e..07b4912 100644 --- a/.forgejo/workflows/eval-nodes.yaml +++ b/.forgejo/workflows/eval-nodes.yaml @@ -120,6 +120,17 @@ jobs: STORE_USER: admin name: Build and cache storage01 run: nix-shell -A eval-nodes --run cache-node + testing02: + runs-on: nix + steps: + - uses: actions/checkout@v3 + - env: + BUILD_NODE: testing02 + STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/ + STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }} + STORE_USER: admin + name: Build and cache testing02 + run: nix-shell -A eval-nodes --run cache-node tower01: runs-on: nix steps: 
diff --git a/REUSE.toml b/REUSE.toml index 1e6ae4c..226ea8e 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -20,7 +20,7 @@ precedence = "closest" [[annotations]] SPDX-FileCopyrightText = "2024 Tom Hubrecht " SPDX-License-Identifier = "EUPL-1.2" -path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"] +path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"] precedence = "closest" [[annotations]] diff --git a/default.nix b/default.nix index 653c978..746d8ce 100644 --- a/default.nix +++ b/default.nix @@ -5,7 +5,9 @@ { sources ? import ./npins, - pkgs ? import sources.nixpkgs { }, + pkgs ? import sources.nixpkgs { + overlays = [ (import sources.proxmox-nixos).overlays.x86_64-linux ]; + }, }: let @@ -93,6 +95,7 @@ let "machines/nixos/vault01/k-radius/packages/01-python_path.patch" "machines/nixos/web01/crabfit/*.patch" "machines/nixos/web02/cas-eleves/01-pytest-cas.patch" + "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch" "patches/lix/01-disable-installChecks.patch" "patches/nixpkgs/03-crabfit-karla.patch" "patches/nixpkgs/05-netbird-relay.patch" 
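Review bot: The overlay added to the default `pkgs` in the `@@ -5,7 +5,9 @@` hunk of default.nix is selected with a hard-coded `.overlays.x86_64-linux`, so evaluating this file on any other host system would apply an overlay built for the wrong platform, or fail if that attribute is absent. If the overlay set is keyed by system, `overlays = [ (import sources.proxmox-nixos).overlays.${builtins.currentSystem} ];` would follow the evaluating host instead. This also makes the devShell in the following hunk depend on the overlay being present, since `pkgs.nixmoxer` is only provided through it; a caller passing its own `pkgs` would lose that package, which is worth a short comment next to the `pkgs ?` default.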
@@ -177,24 +180,30 @@ in devShell = pkgs.mkShell { name = "dgnum-infra"; - packages = [ - (pkgs.nixos-generators.overrideAttrs (_: { - version = "1.8.0-unstable"; - src = sources.nixos-generators; - })) - pkgs.npins + packages = + [ + (pkgs.nixos-generators.overrideAttrs (_: { + version = "1.8.0-unstable"; + src = sources.nixos-generators; + })) + pkgs.npins - # SSO testing - pkgs.kanidm - pkgs.freeradius - pkgs.picocom # for serial access + # deploying on testing hypervisor + pkgs.nixmoxer - (pkgs.callPackage ./lib/colmena { - colmena = pkgs.callPackage "${sources.colmena}/package.nix" { }; - }) - (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) - (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) - ] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts); + # SSO testing + pkgs.kanidm + pkgs.freeradius + pkgs.picocom # for serial access + + (pkgs.callPackage ./lib/colmena { + colmena = pkgs.callPackage "${sources.colmena}/package.nix" { }; + }) + (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) + (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) + ] + ++ git-checks.enabledPackages + ++ (builtins.attrValues scripts); shellHook = builtins.concatStringsSep "\n" [ git-checks.shellHook diff --git a/machines/nixos/testing02/_configuration.nix b/machines/nixos/testing02/_configuration.nix new file mode 100644 index 0000000..ced77fe --- /dev/null +++ b/machines/nixos/testing02/_configuration.nix 
@@ -0,0 +1,47 @@ +# SPDX-FileCopyrightText: 2024 Tom Hubrecht +# +# SPDX-License-Identifier: EUPL-1.2 + +{ lib, pkgs, ... }: + +lib.extra.mkConfig { + enabledModules = [ + # List of modules to enable + "dgn-web" + ]; + + enabledServices = [ + # List of services to enable + "cas-eleves" + ]; + + extraConfig = { + # Disable monitoring + dgn-node-monitoring.enable = false; + + # Enable Postgres databases + services.postgresql = { + enable = true; + + package = pkgs.postgresql_16; + }; + + virtualisation.proxmox = { + node = "krz01"; + autoInstall = true; + vmid = 106; + bios = "ovmf"; + memory = 4096; + cores = 2; + net = [ + { + model = "virtio"; + bridge = "vmbr0"; + } + ]; + scsi = [ { file = "zfs-noraid:16"; } ]; # This will create a 16GB volume in 'local' + }; + }; + + root = ./.; +} diff --git a/machines/nixos/testing02/_hardware-configuration.nix b/machines/nixos/testing02/_hardware-configuration.nix new file mode 100644 index 0000000..54e1ab1 --- /dev/null +++ b/machines/nixos/testing02/_hardware-configuration.nix @@ -0,0 +1,33 @@ +# SPDX-FileCopyrightText: 2024 Tom Hubrecht +# +# SPDX-License-Identifier: EUPL-1.2 + +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ modulesPath, sources, ... }: + +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + (sources.disko + "/module.nix") + ./disko.nix + ]; + + boot = { + initrd = { + availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "ehci_pci" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + kernelModules = [ ]; + }; + + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + }; +} diff --git a/machines/nixos/testing02/cas-eleves/01-pytest-cas.patch b/machines/nixos/testing02/cas-eleves/01-pytest-cas.patch new file mode 100644 index 0000000..633a567 --- /dev/null +++ b/machines/nixos/testing02/cas-eleves/01-pytest-cas.patch 
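Review bot: The trailing comment on the `scsi` entry says the volume is created in 'local', but the value `zfs-noraid:16` names the `zfs-noraid` storage, so the comment and the setting disagree; `scsi = [ { file = "zfs-noraid:16"; } ]; # 16GB volume on the 'zfs-noraid' storage`. Monitoring is also switched off with `dgn-node-monitoring.enable = false` while the node is given a public address in meta/network.nix and serves the CAS application, so a one-line comment stating why this test VM is deliberately unmonitored would help the next reader. The SPDX header credits a 2024 author although the file is introduced by this 2025 commit, which suggests it was copied from another machine directory and may need its REUSE metadata checked.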
@@ -0,0 +1,98 @@ +diff --git a/setup.py b/setup.py +index 7c7b02d..3f677ff 100644 +--- a/setup.py ++++ b/setup.py +@@ -67,6 +67,4 @@ if __name__ == '__main__': + url="https://github.com/nitmir/django-cas-server", + download_url="https://github.com/nitmir/django-cas-server/releases/latest", + zip_safe=False, +- setup_requires=['pytest-runner'], +- tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'], + ) +index 2b389d3..dcdfafd 100644 +--- a/cas_server/tests/test_federate.py ++++ b/cas_server/tests/test_federate.py +@@ -16,6 +16,7 @@ from cas_server.default_settings import settings + import django + from django.test import TestCase, Client + from django.test.utils import override_settings ++import pytest + + from six.moves import reload_module + +@@ -64,6 +65,7 @@ class FederateAuthLoginLogoutTestCase( + ) in response.content.decode("utf-8")) + self.assertEqual(response.context['post_url'], '/federate') + ++ @pytest.mark.skip(reason="Address already in use") + def test_login_post_provider(self, remember=False): + """test a successful login wrokflow""" + tickets = [] +@@ -159,6 +161,7 @@ class FederateAuthLoginLogoutTestCase( + self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service)) + return tickets + ++ @pytest.mark.skip(reason="Address already in use") + def test_login_twice(self): + """Test that user id db is used for the second login (cf coverage)""" + self.test_login_post_provider() +@@ -253,6 +256,7 @@ class FederateAuthLoginLogoutTestCase( + self.assertEqual(response.status_code, 200) + self.assertIn(b"Invalid response from your identity provider CAS", response.content) + ++ @pytest.mark.skip(reason="Address already in use") + def test_auth_federate_slo(self): + """test that SLO receive from backend CAS log out the users""" + # get tickets and connected clients +@@ -301,6 +305,7 @@ class FederateAuthLoginLogoutTestCase( + client, response, username=provider.build_username(settings.CAS_TEST_USER) + ) 
+ ++ @pytest.mark.skip(reason="Address already in use") + def test_federate_logout(self): + """ + test the logout function: the user should be log out +@@ -340,6 +345,7 @@ class FederateAuthLoginLogoutTestCase( + response = client.get("/login") + self.assert_login_failed(client, response) + ++ @pytest.mark.skip(reason="Address already in use") + def test_remember_provider(self): + """ + If the user check remember, next login should not offer the chose of the backend CAS +@@ -355,6 +361,7 @@ class FederateAuthLoginLogoutTestCase( + provider.suffix + )) + ++ @pytest.mark.skip(reason="Address already in use") + def test_forget_provider(self): + """Test the logout option to forget remembered provider""" + tickets = self.test_login_post_provider(remember=True) +@@ -365,6 +372,7 @@ class FederateAuthLoginLogoutTestCase( + client.get("/logout?forget_provider=1") + self.assertEqual(client.cookies["remember_provider"]["max-age"], 0) + ++ @pytest.mark.skip(reason="Address already in use") + def test_renew(self): + """ + Test authentication renewal with federation mode +diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py +index d690724..73ee761 100644 +--- a/cas_server/tests/test_utils.py ++++ b/cas_server/tests/test_utils.py +@@ -17,6 +17,7 @@ from django.db import connection + import six + import warnings + import datetime ++import pytest + + from cas_server import utils + +@@ -61,6 +62,7 @@ class CheckPasswordCase(TestCase): + ) + ) + ++ @pytest.mark.skip(reason="crypt is broken somehow") + def test_crypt(self): + """test the crypt auth method""" + salts = ["$6$UVVAQvrMyXMF3FF3", "aa"] diff --git a/machines/nixos/testing02/cas-eleves/default.nix b/machines/nixos/testing02/cas-eleves/default.nix new file mode 100644 index 0000000..cc28c09 --- /dev/null +++ b/machines/nixos/testing02/cas-eleves/default.nix 
@@ -0,0 +1,156 @@ +# SPDX-FileCopyrightText: 2024 Tom Hubrecht +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + config, + lib, + pkgs, + sources, + ... +}: + +let + inherit (lib) mapAttrsToList; + + host = "cas.eleves.ens.fr"; + port = 9889; + + python3 = + let + nix-pkgs = import sources.nix-pkgs { + inherit pkgs; + python3 = pkgs.python312; + }; + self = pkgs.python312.override { + inherit self; + openssl = pkgs.openssl_3; + packageOverrides = _: _: { + inherit (nix-pkgs) django-browser-reload django-bulma-forms loadcredential; + + django-cas-server = nix-pkgs.django-cas-server.overridePythonAttrs (_: { + patches = [ ./01-pytest-cas.patch ]; + }); + }; + }; + in + self; + + pythonEnv = python3.withPackages (ps: [ + ps.django + ps.ldap3 + ps.gunicorn + ps.psycopg + + # Local packages + ps.django-browser-reload + ps.django-bulma-forms + ps.django-cas-server + ps.loadcredential + ]); + + staticDrv = pkgs.stdenv.mkDerivation { + name = "cas_eleves-static"; + + src = sources.cas-eleves; + + nativeBuildInputs = [ pythonEnv ]; + + configurePhase = '' + export CE_STATIC_ROOT=$out/static + export CE_DEBUG=true + export CREDENTIALS_DIRECTORY=$(pwd)/.credentials + ''; + + doBuild = false; + + installPhase = '' + mkdir -p $out/static + python3 manage.py collectstatic + ''; + }; +in + +{ + systemd.services = { + django-cas-eleves = { + description = "ENS CAS server"; + wantedBy = [ "multi-user.target" ]; + after = [ + "network.target" + "postgresql.service" + ]; + + serviceConfig = { + DynamicUser = true; + LoadCredential = mapAttrsToList (name: value: "${name}:${value}") { + SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path; + }; + StateDirectory = "django-cas-eleves"; + User = "cas_server"; + WorkingDirectory = sources.cas-eleves; + }; + + environment = { + CE_ALLOWED_HOSTS = builtins.toJSON [ + "cas-eleves.dgnum.eu" + "cas.eleves.ens.fr" + ]; + CE_STATIC_ROOT = staticDrv; + }; + + path = [ pythonEnv ]; + + script = '' + python3 manage.py loaddata patterns + 
python3 manage.py migrate + gunicorn app.wsgi --pythonpath ${sources.cas-eleves} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4 + ''; + }; + + cas-eleves-cleanup = { + description = "Periodic cleanup of cas_server database"; + + startAt = "daily"; + + serviceConfig = { + Type = "oneshot"; + + LoadCredential = mapAttrsToList (name: value: "${name}:${value}") { + SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path; + }; + StateDirectory = "django-cas-eleves"; + User = "cas_server"; + WorkingDirectory = sources.cas-eleves; + }; + + path = [ pythonEnv ]; + + script = '' + python3 manage.py clearsessions + python3 manage.py cas_clean_sessions + python3 manage.py cas_clean_tickets + ''; + }; + }; + + dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; + + dgn-web.simpleProxies.cas-eleves = { + inherit host port; + vhostConfig.locations = { + "/static/".root = staticDrv; + "= /robots.txt".root = "${staticDrv}/static"; + }; + }; + + services.postgresql = { + ensureDatabases = [ "cas_server" ]; + ensureUsers = [ + { + name = "cas_server"; + ensureDBOwnership = true; + } + ]; + }; +} diff --git a/machines/nixos/testing02/disko.nix b/machines/nixos/testing02/disko.nix new file mode 100644 index 0000000..e549442 --- /dev/null +++ b/machines/nixos/testing02/disko.nix @@ -0,0 +1,37 @@ +# SPDX-FileCopyrightText: 2024 Maurice Debray +# +# SPDX-License-Identifier: EUPL-1.2 + +_: { + disko.devices = { + disk = { + main = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + type = "EF00"; + size = "1G"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} 
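Review bot: The service on this test VM carries the production identity: `host = "cas.eleves.ens.fr"`, `CE_ALLOWED_HOSTS` listing only `cas-eleves.dgnum.eu` and `cas.eleves.ens.fr`, and `dgn-redirections.permanent."cas-eleves.dgnum.eu"`, so if `dgn-web.simpleProxies` requests a certificate for `host`, testing02 would try to obtain one for the production name, and requests reaching it under the `*.testing` name added in meta/dns.nix would presumably be rejected by Django's host check. Pointing `host` and `CE_ALLOWED_HOSTS` at a dedicated test name (e.g. `host = "<testing02 hostname>";`) and dropping the permanent redirection here would keep the two instances apart. Separately, `django-cas-eleves` sets `DynamicUser = true` next to `User = "cas_server"` while `cas-eleves-cleanup` sets only `User = "cas_server"`; if no static `cas_server` account exists, the cleanup unit may fail to start, which is worth confirming. The module appears to duplicate `machines/nixos/web02/cas-eleves` (the REUSE entries list both patch files), so importing the shared parts from there would avoid the two copies drifting.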
diff --git a/machines/nixos/testing02/secrets/cas_eleves-secret_key_file b/machines/nixos/testing02/secrets/cas_eleves-secret_key_file new file mode 100644 index 0000000000000000000000000000000000000000..940bb60147da35803b38ee257f9d8f2eb8f6f816 GIT binary patch literal 1443 zcmZY8yQ|~`7zJ?cB!!(I77`F`hP%mRGBb(b>g4^HOx{lxG?~1UNis<$kHJOMdW$Uu zg~he7vk|lwtZlZlu(A-bwAe~7!Zz2x;CBw^`}`!jiK=5eH+@!D_v$u*h9z)wAMCpH zCJK@DdWnNM@5IUu)VP9}Talzx&GLim#--$baqv1E3dS}<65n&TZPVw+u>+*b;e?oS zm9%2`d~CXL@CpRx8kVHMP_TTm_+?Id5ZCVJ!6MD=IJV$gaXH zi-MprG_b&^%1c+68A;Iqv4_i%bv6($u2QNwcJ6pJ9DFrXEfri0DLJ#NoPnfsxVx*h zi%Nu4a3S&a+44->!DQ5eoy~Z)N^ZTsAX=RH1vF2ULD$^QwIyJivH1!0Nv|(0MwG5o z08`>Ld9g!^uL73Z^a4sXeyz0qO5agXaCO?@aGTA5 zH80Rz>EO?u85P;aUSuxIEj4#>D6bU7D0@W&TG5H2SkB5sbx)pr#NBJ#k*VKWZQj^j zRw#DP%8r4>ctcd8+9cM+XqZ%|<7rrtBtR9FCGgl`#8S)m6?e7nx^t`c5E2&}<1;&G zzAQxRAy^WYSns z<(d zIq@{HHcD)(GkjIL+ai^O8RS~0gO!w;K(F8%zrBS1Ra%WHC!!7>VNc*9bep``_QjXL8h%TFP1<@5bjV}*xG&Z*OOx*L04eabyv?->EX=dQNn!rxmLjr0ZY|CCAFO5XhL`fyq z>^4#tR}VhLBB2oDj54uh;lm?+}b*z04Buw%JT9JX7gI<|906rk{i?_+739E5YJ z!47wBFgq3`mCS^+%Fm7&7Lj8pXUM(Vjd$0Ku7b4$nRF22#|bJsuUCCO8>6}obsIj$ z;?UDt<8JvQvzuXH87b##syL6*_i4na_MFtqgXJlsoFuRzFIAb&D{NMW|FpLr+$3$} zcM*7hxOcu1AAvWVMzHt5*kv?u`{5E_0?w(7_;^Vbw|8}O1DZ_kPm^nKV%$3vs&kox zY94p3$a=sthT(`EVJ-Awh+*Ja^w%rDls`QA_{qcY@mH^+KY#tX`ubDz)BKNsdhp{r zUlz~57uL3S_&^>1dGz@B-pgU5F4_|xu^zA>t`Sr7Z E0T27$9smFU literal 0 HcmV?d00001 diff --git a/machines/nixos/testing02/secrets/secrets.nix b/machines/nixos/testing02/secrets/secrets.nix new file mode 100644 index 0000000..8f5c982 --- /dev/null +++ b/machines/nixos/testing02/secrets/secrets.nix @@ -0,0 +1,10 @@ +# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique +# +# SPDX-License-Identifier: EUPL-1.2 + +(import ../../../../keys).mkSecrets + [ "web02" ] + [ + # List of secrets for web02 + "cas_eleves-secret_key_file" + ] diff --git a/meta/dns.nix b/meta/dns.nix index 40a9000..b62ecc7 100644 --- a/meta/dns.nix +++ b/meta/dns.nix 
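Review bot: `secrets.nix` under `machines/nixos/testing02/secrets/` calls `mkSecrets [ "web02" ]` with the comment `# List of secrets for web02`, so the secret is declared for web02's recipient rather than testing02's; unless `mkSecrets` is meant to be keyed by the original host, testing02 will not be able to decrypt `cas_eleves-secret_key_file` at activation. The call should read `mkSecrets [ "testing02" ]` with the comment updated to `# List of secrets for testing02`, and the encrypted file in this directory re-keyed accordingly. If the file was instead copied from web02's secrets directory, the test VM would also share the production Django `SECRET_KEY`; a key generated specifically for the test instance avoids that.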
@@ -115,6 +115,10 @@ let "status" # Uptime Kuma ]; + testing02.dual = [ + "*.testing" + ]; + vault01.dual = [ "radius" # FreeRADIUS ]; diff --git a/meta/network.nix b/meta/network.nix index 6980e44..fb2cd49 100644 --- a/meta/network.nix +++ b/meta/network.nix @@ -189,6 +189,25 @@ netbirdIp = "100.80.156.154"; }; + testing02 = { + interfaces = { + ens18 = { + ipv4 = [ + { + address = "129.199.146.235"; + prefixLength = 24; + } + ]; + + gateways = [ "129.199.146.254" ]; + enableDefaultDNS = true; + }; + }; + + hostId = "7bb28324"; + netbirdIp = null; # testing02 is not to be connected on the VPN + }; + tower01 = { interfaces = { eno2 = { diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix index 40428ff..349196c 100644 --- a/meta/nodes/nixos.nix +++ b/meta/nodes/nixos.nix @@ -182,6 +182,20 @@ ]; }; + testing02 = { + site = "pav01"; + + hashedPassword = "$y$j9T$GMdDdUJFS3/.JruWdRjaJ1$7Or5QvWsYQ77swplkQdYAqdyVDmku0t6htBL0r5MT19"; + + stateVersion = "24.11"; + vm-cluster = "Hyperviseur Lab-infra"; + + nixpkgs = { + version = "24.11"; + system = "nixos"; + }; + }; + tower01 = { site = "oik01"; diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index cc1e316..bddbc41 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -38,6 +38,7 @@ "${sources.agenix}/modules/age.nix" "${sources.arkheon}/module.nix" "${sources."microvm.nix"}/nixos-modules/host" + (import sources.proxmox-nixos).nixosModules.declarative-vms ] ++ ((import sources.nix-modules { inherit lib; }).importModules ( [