DGNum/infrastructure
10
6
Fork 3
Code Issues 24 Pull requests 26 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:chore-npins
DGNum:npins-updates/nix-pkgs
DGNum:npins-updates/lix-module
DGNum:npins-updates/lon
DGNum:npins-updates/nixos-24.11
DGNum:npins-updates/nixos-generators
DGNum:npins-updates/wp4nix
DGNum:npins-updates/lix
DGNum:npins-updates/nixos-unstable
DGNum:npins-updates/git-hooks
DGNum:snix_module
DGNum:move_krz_and_router_back_to_infra
DGNum:multiuser_runners
DGNum:openwrt-exporter
DGNum:freeradius
DGNum:dgsi-vlan
DGNum:extranix
DGNum:vault01-isp
DGNum:django-apps-cycle
DGNum:tower02
DGNum:age-keys
DGNum:ban_git_scrappers
DGNum:asn-ban
DGNum:meta-isp
DGNum:mdebray/ap-dev
DGNum:ap-poc-v01
DGNum:ap01-prepare-poc
DGNum:netconf-profiles
DGNum:vault01-mtu
DGNum:meta_rework_bis
DGNum:meta_rework
DGNum:reuse
DGNum:mdebray/overlay
DGNum:django-apps-overlays
DGNum:testing02
DGNum:hypervisor
DGNum:ap01-vlan
DGNum:colmena-liminx-ng
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:colmena-liminix
DGNum:poc-v1.0
..
compare: DGNum:ap01-vlan
Branches Tags
DGNum:chore-npins
DGNum:npins-updates/nix-pkgs
DGNum:npins-updates/lix-module
DGNum:npins-updates/lon
DGNum:npins-updates/nixos-24.11
DGNum:npins-updates/nixos-generators
DGNum:npins-updates/wp4nix
DGNum:npins-updates/lix
DGNum:main
DGNum:npins-updates/nixos-unstable
DGNum:npins-updates/git-hooks
DGNum:snix_module
DGNum:move_krz_and_router_back_to_infra
DGNum:multiuser_runners
DGNum:openwrt-exporter
DGNum:freeradius
DGNum:dgsi-vlan
DGNum:extranix
DGNum:vault01-isp
DGNum:django-apps-cycle
DGNum:tower02
DGNum:age-keys
DGNum:ban_git_scrappers
DGNum:asn-ban
DGNum:meta-isp
DGNum:mdebray/ap-dev
DGNum:ap-poc-v01
DGNum:ap01-prepare-poc
DGNum:netconf-profiles
DGNum:vault01-mtu
DGNum:meta_rework_bis
DGNum:meta_rework
DGNum:reuse
DGNum:mdebray/overlay
DGNum:django-apps-overlays
DGNum:testing02
DGNum:hypervisor
DGNum:ap01-vlan
DGNum:colmena-liminx-ng
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:colmena-liminix
DGNum:poc-v1.0

7 commits
main ... ap01-vlan

Author SHA1 Message Date
Ryan Lahfa
9d5d75a427 chore(machines/ap01/recovery): better scope for pkgs and add zyxel-bootconfig to levitation
All checks were successful
Check meta / check_dns (pull_request) Successful in 18s
Details
Run pre-commit on all files / check (push) Successful in 25s
Details
Check meta / check_meta (pull_request) Successful in 17s
Details
Check workflows / check_workflows (pull_request) Successful in 21s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m26s
Details
Build all the nodes / ap01 (pull_request) Successful in 2m54s
Details
Build all the nodes / compute01 (pull_request) Successful in 1m51s
Details
Build all the nodes / geo01 (pull_request) Successful in 1m24s
Details
Build all the nodes / geo02 (pull_request) Successful in 1m24s
Details
Build all the nodes / rescue01 (pull_request) Successful in 1m51s
Details
Build all the nodes / storage01 (pull_request) Successful in 1m47s
Details
Build all the nodes / vault01 (pull_request) Successful in 1m40s
Details
Build all the nodes / web01 (pull_request) Successful in 2m13s
Details
Build all the nodes / web02 (pull_request) Successful in 1m30s
Details
Run pre-commit on all files / check (pull_request) Successful in 25s
Details
Build all the nodes / web03 (pull_request) Successful in 1m38s
Details 
This is useful to reconfigure A/B in memory.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
Ryan Lahfa
eb87c9b359 feat(devshell): add tufted, a Fennel TFTP server 
This is useful for in-memory testing of APs connected over a simple
network.

In the future, we may use a TFTP server for field recovery by
configuring all our APs to use a certain known IPv4 address for the TFTP
server and ensuring that we always have a router on the untagged area
answering TFTP requests to reboot an AP in a known configuration,
without any serial console attached.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
Ryan Lahfa
f3cc7bda86 feat(scripts/liminix): add a basic liminix rebuild 
This script requires manual efforts on the operator end not to fuck up
too hard.

This adds min-copy-closure and min-garbage-collect to the development
shell.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
Ryan Lahfa
d915875a25 feat(scripts/liminix): make it easy to extract the firmware part of the Zyxel NWA FIT image 
This is useful when reflashing the system from scratch in the levitation
mode.

Note that doing this will reset the UBI counter to zero, this is bad for
wear leveling.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
Ryan Lahfa
7e159cf466 feat(machines/ap01/recovery): pass the parent hostname with live indicator 
This makes the experience nicer.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
Ryan Lahfa
054cbee74a feat(machines/ap01/recovery): fix levitation dependencies 
We should use the right DHCPv4.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
Ryan Lahfa
e5f31469ee feat(machines/ap01): add default VLAN and admin VLAN 
Put DHCPv4 on the default VLAN now.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-12-09 01:29:45 +01:00
379 changed files with 9551 additions and 24980 deletions
Show stats Expand all files Collapse all files

2
.forgejo/workflows/check-meta.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs:
check_dns:
runs-on: nix

2
.forgejo/workflows/check-workflows.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs:
check_workflows:
runs-on: nix

112
.forgejo/workflows/eval-nodes.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs:
ap01:
runs-on: nix
@ -23,28 +21,6 @@ jobs:
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
build01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: build01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache build01
run: nix-shell -A eval-nodes --run cache-node
cof02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: cof02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache cof02
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
@ -78,83 +54,6 @@ jobs:
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
hypervisor01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
hypervisor02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
hypervisor03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netaccess01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netaccess01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netaccess01
run: nix-shell -A eval-nodes --run cache-node
netcore00:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore00
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore00
run: nix-shell -A eval-nodes --run cache-node
netcore01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore01
run: nix-shell -A eval-nodes --run cache-node
netcore02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
@ -177,17 +76,6 @@ jobs:
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
tower01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: tower01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache tower01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:

21
.forgejo/workflows/eval-shell.yaml
View file

@ -1,21 +0,0 @@
###
# This file was automatically generated with nix-actions.
jobs:
build-shell:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache shell
run: nix-shell -A eval-shell --run 'nix-build-and-cache -A devShell'
name: Build the shell
on:
pull_request:
branches:
- main
push:
branches:
- main

961
.forgejo/workflows/npins-update.yaml
View file

@ -1,952 +1,25 @@
###
# This file was automatically generated with nix-actions.
env:
GIT_AUTHOR_EMAIL: chores@mail.hubrecht.ovh
GIT_AUTHOR_NAME: HT Chores
GIT_COMMITTER_EMAIL: chores@mail.hubrecht.ovh
GIT_COMMITTER_NAME: HT Chores
jobs:
agenix:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/agenix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update agenix'
GIT_UPDATE_BRANCH: npins-updates/agenix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update agenix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
arkheon:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/arkheon
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update arkheon'
GIT_UPDATE_BRANCH: npins-updates/arkheon
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update arkheon'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
cas-eleves:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/cas-eleves
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update cas-eleves'
GIT_UPDATE_BRANCH: npins-updates/cas-eleves
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update cas-eleves'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
cgroup-exporter:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update cgroup-exporter'
GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update cgroup-exporter'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
colmena:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/colmena
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update colmena'
GIT_UPDATE_BRANCH: npins-updates/colmena
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update colmena'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
dgsi:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/dgsi
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update dgsi'
GIT_UPDATE_BRANCH: npins-updates/dgsi
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update dgsi'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
disko:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/disko
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update disko'
GIT_UPDATE_BRANCH: npins-updates/disko
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update disko'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
dns_nix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/dns.nix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update dns.nix'
GIT_UPDATE_BRANCH: npins-updates/dns.nix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update dns.nix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
git-hooks:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/git-hooks
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update git-hooks'
GIT_UPDATE_BRANCH: npins-updates/git-hooks
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update git-hooks'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
kadenios:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kadenios
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kadenios'
GIT_UPDATE_BRANCH: npins-updates/kadenios
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update kadenios'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
kahulm:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kahulm
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kahulm'
GIT_UPDATE_BRANCH: npins-updates/kahulm
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update kahulm'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
kat-pkgs:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kat-pkgs'
GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update kat-pkgs'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
liminix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/liminix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update liminix'
GIT_UPDATE_BRANCH: npins-updates/liminix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update liminix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
linkal:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/linkal
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update linkal'
GIT_UPDATE_BRANCH: npins-updates/linkal
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update linkal'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
lix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/lix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update lix'
GIT_UPDATE_BRANCH: npins-updates/lix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update lix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
lix-module:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/lix-module
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update lix-module'
GIT_UPDATE_BRANCH: npins-updates/lix-module
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update lix-module'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
lon:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/lon
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update lon'
GIT_UPDATE_BRANCH: npins-updates/lon
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update lon'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
metis:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/metis
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update metis'
GIT_UPDATE_BRANCH: npins-updates/metis
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update metis'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
microvm_nix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/microvm.nix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update microvm.nix'
GIT_UPDATE_BRANCH: npins-updates/microvm.nix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update microvm.nix'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nix-actions:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-actions
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-actions'
GIT_UPDATE_BRANCH: npins-updates/nix-actions
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-actions'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nix-modules:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-modules
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-modules'
GIT_UPDATE_BRANCH: npins-updates/nix-modules
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-modules'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nix-pkgs:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-pkgs'
GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-pkgs'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
nix-reuse:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-reuse
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-reuse'
GIT_UPDATE_BRANCH: npins-updates/nix-reuse
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nix-reuse'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
nixos-24_05:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-24.05'
GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-24.05'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nixos-24_11:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-24.11'
GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-24.11'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nixos-generators:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-generators
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-generators'
GIT_UPDATE_BRANCH: npins-updates/nixos-generators
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-generators'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
nixos-unstable:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixos-unstable'
GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update nixos-unstable'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
signal-irc-bridge:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update signal-irc-bridge'
GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update signal-irc-bridge'\n\n# FIXME:
???????????\n# HACK: this correct the behavior of the following test\n# \
\ for some un-understandable reason\ngit help > /dev/null\nif [ ! -z \"\
$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
stateless-uptime-kuma:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update stateless-uptime-kuma'
GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update stateless-uptime-kuma'\n\n
# FIXME: ???????????\n# HACK: this correct the behavior of the following test\n\
# for some un-understandable reason\ngit help > /dev/null\nif [ ! -z
\"$(git diff --name-only)\" ]; then\n echo \"[+] Changes detected, pushing
updates.\"\n\n git add npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n\
\ git commit --amend --no-edit\n git push --force\n else\n git commit
--message \"$COMMIT_MESSAGE\"\n git push -u origin \"$GIT_UPDATE_BRANCH\"\
\n fi\n\n # Connect to the server with the cli\n tea login add -n dgnum-chores
-t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" -u https://git.dgnum.eu\n\n \
\ # Create a pull request if needed\n # i.e. no PR with the same title exists\n\
\ if [ -z $(tea pr ls -f='head' -o simple | grep \"$GIT_UPDATE_BRANCH\")
]; then\n tea pr create --description \"Automatic npins update\" --title
\"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n fi\nelif [ -n \"$EXISTING_BRANCH\"\
\ ]; then\n git push --force\nfi\n"
wp4nix:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/wp4nix
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update wp4nix'
GIT_UPDATE_BRANCH: npins-updates/wp4nix
name: Open a PR if updates are present
run: "nix-shell -A npins-shell --run 'npins update wp4nix'\n\n# FIXME: ???????????\n
# HACK: this correct the behavior of the following test\n# for some
un-understandable reason\ngit help > /dev/null\nif [ ! -z \"$(git diff --name-only)\"\
\ ]; then\n echo \"[+] Changes detected, pushing updates.\"\n\n git add
npins\n\n if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='head' -o simple
| grep \"$GIT_UPDATE_BRANCH\") ]; then\n tea pr create --description \"\
Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\
\n fi\nelif [ -n \"$EXISTING_BRANCH\" ]; then\n git push --force\nfi\n"
name: Update dependencies
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 15 12 * * *
- cron: 25 15 * * *

9
.forgejo/workflows/pre-commit.yaml
View file

@ -1,14 +1,9 @@
###
# This file was automatically generated with nix-actions.
jobs:
pre-commit:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check stage pre-commit
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-commit --show-diff-on-failure'
- name: Check stage pre-push
- name: Run pre-commit on all files
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files

6
CONTRIBUTE.md
View file

@ -1,9 +1,3 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# Contribuer
Quelques éléments à savoir:

547
LICENSE Normal file
View file

@ -0,0 +1,547 @@
CONTRAT DE LICENCE DE LOGICIEL LIBRE CeCILL
Version 2.1 du 2013-06-21
Avertissement
Ce contrat est une licence de logiciel libre issue d'une concertation
entre ses auteurs afin que le respect de deux grands principes préside à
sa rédaction:
* d'une part, le respect des principes de diffusion des logiciels
libres: accès au code source, droits étendus conférés aux utilisateurs,
* d'autre part, la désignation d'un droit applicable, le droit
français, auquel elle est conforme, tant au regard du droit de la
responsabilité civile que du droit de la propriété intellectuelle et
de la protection qu'il offre aux auteurs et titulaires des droits
patrimoniaux sur un logiciel.
Les auteurs de la licence CeCILL (Ce[a] C[nrs] I[nria] L[ogiciel] L[ibre])
sont:
Commissariat à l'énergie atomique et aux énergies alternatives - CEA,
établissement public de recherche à caractère scientifique, technique et
industriel, dont le siège est situé 25 rue Leblanc, immeuble Le Ponant
D, 75015 Paris.
Centre National de la Recherche Scientifique - CNRS, établissement
public à caractère scientifique et technologique, dont le siège est
situé 3 rue Michel-Ange, 75794 Paris cedex 16.
Institut National de Recherche en Informatique et en Automatique -
Inria, établissement public à caractère scientifique et technologique,
dont le siège est situé Domaine de Voluceau, Rocquencourt, BP 105, 78153
Le Chesnay cedex.
Préambule
Ce contrat est une licence de logiciel libre dont l'objectif est de
conférer aux utilisateurs la liberté de modification et de
redistribution du logiciel régi par cette licence dans le cadre d'un
modèle de diffusion en logiciel libre.
L'exercice de ces libertés est assorti de certains devoirs à la charge
des utilisateurs afin de préserver ce statut au cours des
redistributions ultérieures.
L'accessibilité au code source et les droits de copie, de modification
et de redistribution qui en découlent ont pour contrepartie de n'offrir
aux utilisateurs qu'une garantie limitée et de ne faire peser sur
l'auteur du logiciel, le titulaire des droits patrimoniaux et les
concédants successifs qu'une responsabilité restreinte.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs ou des
professionnels avertis possédant des connaissances informatiques
approfondies. Les utilisateurs sont donc invités à charger et tester
l'adéquation du logiciel à leurs besoins dans des conditions permettant
d'assurer la sécurité de leurs systèmes et/ou de leurs données et, plus
généralement, à l'utiliser et l'exploiter dans les mêmes conditions de
sécurité. Ce contrat peut être reproduit et diffusé librement, sous
réserve de le conserver en l'état, sans ajout ni suppression de clauses.
Ce contrat est susceptible de s'appliquer à tout logiciel dont le
titulaire des droits patrimoniaux décide de soumettre l'exploitation aux
dispositions qu'il contient.
Une liste de questions fréquemment posées se trouve sur le site web
officiel de la famille des licences CeCILL
(http://www.cecill.info/index.fr.html) pour toute clarification qui
serait nécessaire.
Article 1 - DEFINITIONS
Dans ce contrat, les termes suivants, lorsqu'ils seront écrits avec une
lettre capitale, auront la signification suivante:
Contrat: désigne le présent contrat de licence, ses éventuelles versions
postérieures et annexes.
Logiciel: désigne le logiciel sous sa forme de Code Objet et/ou de Code
Source et le cas échéant sa documentation, dans leur état au moment de
l'acceptation du Contrat par le Licencié.
Logiciel Initial: désigne le Logiciel sous sa forme de Code Source et
éventuellement de Code Objet et le cas échéant sa documentation, dans
leur état au moment de leur première diffusion sous les termes du Contrat.
Logiciel Modifié: désigne le Logiciel modifié par au moins une
Contribution.
Code Source: désigne l'ensemble des instructions et des lignes de
programme du Logiciel et auquel l'accès est nécessaire en vue de
modifier le Logiciel.
Code Objet: désigne les fichiers binaires issus de la compilation du
Code Source.
Titulaire: désigne le ou les détenteurs des droits patrimoniaux d'auteur
sur le Logiciel Initial.
Licencié: désigne le ou les utilisateurs du Logiciel ayant accepté le
Contrat.
Contributeur: désigne le Licencié auteur d'au moins une Contribution.
Concédant: désigne le Titulaire ou toute personne physique ou morale
distribuant le Logiciel sous le Contrat.
Contribution: désigne l'ensemble des modifications, corrections,
traductions, adaptations et/ou nouvelles fonctionnalités intégrées dans
le Logiciel par tout Contributeur, ainsi que tout Module Interne.
Module: désigne un ensemble de fichiers sources y compris leur
documentation qui permet de réaliser des fonctionnalités ou services
supplémentaires à ceux fournis par le Logiciel.
Module Externe: désigne tout Module, non dérivé du Logiciel, tel que ce
Module et le Logiciel s'exécutent dans des espaces d'adressage
différents, l'un appelant l'autre au moment de leur exécution.
Module Interne: désigne tout Module lié au Logiciel de telle sorte
qu'ils s'exécutent dans le même espace d'adressage.
GNU GPL: désigne la GNU General Public License dans sa version 2 ou
toute version ultérieure, telle que publiée par Free Software Foundation
Inc.
GNU Affero GPL: désigne la GNU Affero General Public License dans sa
version 3 ou toute version ultérieure, telle que publiée par Free
Software Foundation Inc.
EUPL: désigne la Licence Publique de l'Union européenne dans sa version
1.1 ou toute version ultérieure, telle que publiée par la Commission
Européenne.
Parties: désigne collectivement le Licencié et le Concédant.
Ces termes s'entendent au singulier comme au pluriel.
Article 2 - OBJET
Le Contrat a pour objet la concession par le Concédant au Licencié d'une
licence non exclusive, cessible et mondiale du Logiciel telle que
définie ci-après à l'article 5 <#etendue> pour toute la durée de
protection des droits portant sur ce Logiciel.
Article 3 - ACCEPTATION
3.1 L'acceptation par le Licencié des termes du Contrat est réputée
acquise du fait du premier des faits suivants:
* (i) le chargement du Logiciel par tout moyen notamment par
téléchargement à partir d'un serveur distant ou par chargement à
partir d'un support physique;
* (ii) le premier exercice par le Licencié de l'un quelconque des
droits concédés par le Contrat.
3.2 Un exemplaire du Contrat, contenant notamment un avertissement
relatif aux spécificités du Logiciel, à la restriction de garantie et à
la limitation à un usage par des utilisateurs expérimentés a été mis à
disposition du Licencié préalablement à son acceptation telle que
définie à l'article 3.1 <#acceptation-acquise> ci dessus et le Licencié
reconnaît en avoir pris connaissance.
Article 4 - ENTREE EN VIGUEUR ET DUREE
4.1 ENTREE EN VIGUEUR
Le Contrat entre en vigueur à la date de son acceptation par le Licencié
telle que définie en 3.1 <#acceptation-acquise>.
4.2 DUREE
Le Contrat produira ses effets pendant toute la durée légale de
protection des droits patrimoniaux portant sur le Logiciel.
Article 5 - ETENDUE DES DROITS CONCEDES
Le Concédant concède au Licencié, qui accepte, les droits suivants sur
le Logiciel pour toutes destinations et pour la durée du Contrat dans
les conditions ci-après détaillées.
Par ailleurs, si le Concédant détient ou venait à détenir un ou
plusieurs brevets d'invention protégeant tout ou partie des
fonctionnalités du Logiciel ou de ses composants, il s'engage à ne pas
opposer les éventuels droits conférés par ces brevets aux Licenciés
successifs qui utiliseraient, exploiteraient ou modifieraient le
Logiciel. En cas de cession de ces brevets, le Concédant s'engage à
faire reprendre les obligations du présent alinéa aux cessionnaires.
5.1 DROIT D'UTILISATION
Le Licencié est autorisé à utiliser le Logiciel, sans restriction quant
aux domaines d'application, étant ci-après précisé que cela comporte:
1.
la reproduction permanente ou provisoire du Logiciel en tout ou
partie par tout moyen et sous toute forme.
2.
le chargement, l'affichage, l'exécution, ou le stockage du Logiciel
sur tout support.
3.
la possibilité d'en observer, d'en étudier, ou d'en tester le
fonctionnement afin de déterminer les idées et principes qui sont à
la base de n'importe quel élément de ce Logiciel; et ceci, lorsque
le Licencié effectue toute opération de chargement, d'affichage,
d'exécution, de transmission ou de stockage du Logiciel qu'il est en
droit d'effectuer en vertu du Contrat.
5.2 DROIT D'APPORTER DES CONTRIBUTIONS
Le droit d'apporter des Contributions comporte le droit de traduire,
d'adapter, d'arranger ou d'apporter toute autre modification au Logiciel
et le droit de reproduire le logiciel en résultant.
Le Licencié est autorisé à apporter toute Contribution au Logiciel sous
réserve de mentionner, de façon explicite, son nom en tant qu'auteur de
cette Contribution et la date de création de celle-ci.
5.3 DROIT DE DISTRIBUTION
Le droit de distribution comporte notamment le droit de diffuser, de
transmettre et de communiquer le Logiciel au public sur tout support et
par tout moyen ainsi que le droit de mettre sur le marché à titre
onéreux ou gratuit, un ou des exemplaires du Logiciel par tout procédé.
Le Licencié est autorisé à distribuer des copies du Logiciel, modifié ou
non, à des tiers dans les conditions ci-après détaillées.
5.3.1 DISTRIBUTION DU LOGICIEL SANS MODIFICATION
Le Licencié est autorisé à distribuer des copies conformes du Logiciel,
sous forme de Code Source ou de Code Objet, à condition que cette
distribution respecte les dispositions du Contrat dans leur totalité et
soit accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et que, dans le cas où seul le Code Objet du Logiciel est redistribué,
le Licencié permette un accès effectif au Code Source complet du
Logiciel pour une durée d'au moins 3 ans à compter de la distribution du
logiciel, étant entendu que le coût additionnel d'acquisition du Code
Source ne devra pas excéder le simple coût de transfert des données.
5.3.2 DISTRIBUTION DU LOGICIEL MODIFIE
Lorsque le Licencié apporte une Contribution au Logiciel, les conditions
de distribution du Logiciel Modifié en résultant sont alors soumises à
l'intégralité des dispositions du Contrat.
Le Licencié est autorisé à distribuer le Logiciel Modifié, sous forme de
code source ou de code objet, à condition que cette distribution
respecte les dispositions du Contrat dans leur totalité et soit
accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et, dans le cas où seul le code objet du Logiciel Modifié est redistribué,
3.
d'une note précisant les conditions d'accès effectif au code source
complet du Logiciel Modifié, pendant une période d'au moins 3 ans à
compter de la distribution du Logiciel Modifié, étant entendu que le
coût additionnel d'acquisition du code source ne devra pas excéder
le simple coût de transfert des données.
5.3.3 DISTRIBUTION DES MODULES EXTERNES
Lorsque le Licencié a développé un Module Externe les conditions du
Contrat ne s'appliquent pas à ce Module Externe, qui peut être distribué
sous un contrat de licence différent.
5.3.4 COMPATIBILITE AVEC D'AUTRES LICENCES
Le Licencié peut inclure un code soumis aux dispositions d'une des
versions de la licence GNU GPL, GNU Affero GPL et/ou EUPL dans le
Logiciel modifié ou non et distribuer l'ensemble sous les conditions de
la même version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Le Licencié peut inclure le Logiciel modifié ou non dans un code soumis
aux dispositions d'une des versions de la licence GNU GPL, GNU Affero
GPL et/ou EUPL et distribuer l'ensemble sous les conditions de la même
version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Article 6 - PROPRIETE INTELLECTUELLE
6.1 SUR LE LOGICIEL INITIAL
Le Titulaire est détenteur des droits patrimoniaux sur le Logiciel
Initial. Toute utilisation du Logiciel Initial est soumise au respect
des conditions dans lesquelles le Titulaire a choisi de diffuser son
oeuvre et nul autre n'a la faculté de modifier les conditions de
diffusion de ce Logiciel Initial.
Le Titulaire s'engage à ce que le Logiciel Initial reste au moins régi
par le Contrat et ce, pour la durée visée à l'article 4.2 <#duree>.
6.2 SUR LES CONTRIBUTIONS
Le Licencié qui a développé une Contribution est titulaire sur celle-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable.
6.3 SUR LES MODULES EXTERNES
Le Licencié qui a développé un Module Externe est titulaire sur celui-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable et reste libre du choix du contrat régissant
sa diffusion.
6.4 DISPOSITIONS COMMUNES
Le Licencié s'engage expressément:
1.
à ne pas supprimer ou modifier de quelque manière que ce soit les
mentions de propriété intellectuelle apposées sur le Logiciel;
2.
à reproduire à l'identique lesdites mentions de propriété
intellectuelle sur les copies du Logiciel modifié ou non.
Le Licencié s'engage à ne pas porter atteinte, directement ou
indirectement, aux droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs sur le Logiciel et à prendre, le cas échéant, à
l'égard de son personnel toutes les mesures nécessaires pour assurer le
respect des dits droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs.
Article 7 - SERVICES ASSOCIES
7.1 Le Contrat n'oblige en aucun cas le Concédant à la réalisation de
prestations d'assistance technique ou de maintenance du Logiciel.
Cependant le Concédant reste libre de proposer ce type de services. Les
termes et conditions d'une telle assistance technique et/ou d'une telle
maintenance seront alors déterminés dans un acte séparé. Ces actes de
maintenance et/ou assistance technique n'engageront que la seule
responsabilité du Concédant qui les propose.
7.2 De même, tout Concédant est libre de proposer, sous sa seule
responsabilité, à ses licenciés une garantie, qui n'engagera que lui,
lors de la redistribution du Logiciel et/ou du Logiciel Modifié et ce,
dans les conditions qu'il souhaite. Cette garantie et les modalités
financières de son application feront l'objet d'un acte séparé entre le
Concédant et le Licencié.
Article 8 - RESPONSABILITE
8.1 Sous réserve des dispositions de l'article 8.2
<#limite-responsabilite>, le Licencié a la faculté, sous réserve de
prouver la faute du Concédant concerné, de solliciter la réparation du
préjudice direct qu'il subirait du fait du Logiciel et dont il apportera
la preuve.
8.2 La responsabilité du Concédant est limitée aux engagements pris en
application du Contrat et ne saurait être engagée en raison notamment:
(i) des dommages dus à l'inexécution, totale ou partielle, de ses
obligations par le Licencié, (ii) des dommages directs ou indirects
découlant de l'utilisation ou des performances du Logiciel subis par le
Licencié et (iii) plus généralement d'un quelconque dommage indirect. En
particulier, les Parties conviennent expressément que tout préjudice
financier ou commercial (par exemple perte de données, perte de
bénéfices, perte d'exploitation, perte de clientèle ou de commandes,
manque à gagner, trouble commercial quelconque) ou toute action dirigée
contre le Licencié par un tiers, constitue un dommage indirect et
n'ouvre pas droit à réparation par le Concédant.
Article 9 - GARANTIE
9.1 Le Licencié reconnaît que l'état actuel des connaissances
scientifiques et techniques au moment de la mise en circulation du
Logiciel ne permet pas d'en tester et d'en vérifier toutes les
utilisations ni de détecter l'existence d'éventuels défauts. L'attention
du Licencié a été attirée sur ce point sur les risques associés au
chargement, à l'utilisation, la modification et/ou au développement et à
la reproduction du Logiciel qui sont réservés à des utilisateurs avertis.
Il relève de la responsabilité du Licencié de contrôler, par tous
moyens, l'adéquation du produit à ses besoins, son bon fonctionnement et
de s'assurer qu'il ne causera pas de dommages aux personnes et aux biens.
9.2 Le Concédant déclare de bonne foi être en droit de concéder
l'ensemble des droits attachés au Logiciel (comprenant notamment les
droits visés à l'article 5 <#etendue>).
9.3 Le Licencié reconnaît que le Logiciel est fourni "en l'état" par le
Concédant sans autre garantie, expresse ou tacite, que celle prévue à
l'article 9.2 <#bonne-foi> et notamment sans aucune garantie sur sa
valeur commerciale, son caractère sécurisé, innovant ou pertinent.
En particulier, le Concédant ne garantit pas que le Logiciel est exempt
d'erreur, qu'il fonctionnera sans interruption, qu'il sera compatible
avec l'équipement du Licencié et sa configuration logicielle ni qu'il
remplira les besoins du Licencié.
9.4 Le Concédant ne garantit pas, de manière expresse ou tacite, que le
Logiciel ne porte pas atteinte à un quelconque droit de propriété
intellectuelle d'un tiers portant sur un brevet, un logiciel ou sur tout
autre droit de propriété. Ainsi, le Concédant exclut toute garantie au
profit du Licencié contre les actions en contrefaçon qui pourraient être
diligentées au titre de l'utilisation, de la modification, et de la
redistribution du Logiciel. Néanmoins, si de telles actions sont
exercées contre le Licencié, le Concédant lui apportera son expertise
technique et juridique pour sa défense. Cette expertise technique et
juridique est déterminée au cas par cas entre le Concédant concerné et
le Licencié dans le cadre d'un protocole d'accord. Le Concédant dégage
toute responsabilité quant à l'utilisation de la dénomination du
Logiciel par le Licencié. Aucune garantie n'est apportée quant à
l'existence de droits antérieurs sur le nom du Logiciel et sur
l'existence d'une marque.
Article 10 - RESILIATION
10.1 En cas de manquement par le Licencié aux obligations mises à sa
charge par le Contrat, le Concédant pourra résilier de plein droit le
Contrat trente (30) jours après notification adressée au Licencié et
restée sans effet.
10.2 Le Licencié dont le Contrat est résilié n'est plus autorisé à
utiliser, modifier ou distribuer le Logiciel. Cependant, toutes les
licences qu'il aura concédées antérieurement à la résiliation du Contrat
resteront valides sous réserve qu'elles aient été effectuées en
conformité avec le Contrat.
Article 11 - DISPOSITIONS DIVERSES
11.1 CAUSE EXTERIEURE
Aucune des Parties ne sera responsable d'un retard ou d'une défaillance
d'exécution du Contrat qui serait dû à un cas de force majeure, un cas
fortuit ou une cause extérieure, telle que, notamment, le mauvais
fonctionnement ou les interruptions du réseau électrique ou de
télécommunication, la paralysie du réseau liée à une attaque
informatique, l'intervention des autorités gouvernementales, les
catastrophes naturelles, les dégâts des eaux, les tremblements de terre,
le feu, les explosions, les grèves et les conflits sociaux, l'état de
guerre...
11.2 Le fait, par l'une ou l'autre des Parties, d'omettre en une ou
plusieurs occasions de se prévaloir d'une ou plusieurs dispositions du
Contrat, ne pourra en aucun cas impliquer renonciation par la Partie
intéressée à s'en prévaloir ultérieurement.
11.3 Le Contrat annule et remplace toute convention antérieure, écrite
ou orale, entre les Parties sur le même objet et constitue l'accord
entier entre les Parties sur cet objet. Aucune addition ou modification
aux termes du Contrat n'aura d'effet à l'égard des Parties à moins
d'être faite par écrit et signée par leurs représentants dûment habilités.
11.4 Dans l'hypothèse où une ou plusieurs des dispositions du Contrat
s'avèrerait contraire à une loi ou à un texte applicable, existants ou
futurs, cette loi ou ce texte prévaudrait, et les Parties feraient les
amendements nécessaires pour se conformer à cette loi ou à ce texte.
Toutes les autres dispositions resteront en vigueur. De même, la
nullité, pour quelque raison que ce soit, d'une des dispositions du
Contrat ne saurait entraîner la nullité de l'ensemble du Contrat.
11.5 LANGUE
Le Contrat est rédigé en langue française et en langue anglaise, ces
deux versions faisant également foi.
Article 12 - NOUVELLES VERSIONS DU CONTRAT
12.1 Toute personne est autorisée à copier et distribuer des copies de
ce Contrat.
12.2 Afin d'en préserver la cohérence, le texte du Contrat est protégé
et ne peut être modifié que par les auteurs de la licence, lesquels se
réservent le droit de publier périodiquement des mises à jour ou de
nouvelles versions du Contrat, qui posséderont chacune un numéro
distinct. Ces versions ultérieures seront susceptibles de prendre en
compte de nouvelles problématiques rencontrées par les logiciels libres.
12.3 Tout Logiciel diffusé sous une version donnée du Contrat ne pourra
faire l'objet d'une diffusion ultérieure que sous la même version du
Contrat ou une version postérieure, sous réserve des dispositions de
l'article 5.3.4 <#compatibilite>.
Article 13 - LOI APPLICABLE ET COMPETENCE TERRITORIALE
13.1 Le Contrat est régi par la loi française. Les Parties conviennent
de tenter de régler à l'amiable les différends ou litiges qui
viendraient à se produire par suite ou à l'occasion du Contrat.
13.2 A défaut d'accord amiable dans un délai de deux (2) mois à compter
de leur survenance et sauf situation relevant d'une procédure d'urgence,
les différends ou litiges seront portés par la Partie la plus diligente
devant les Tribunaux compétents de Paris.

155
LICENSES/CC-BY-NC-ND-4.0.txt
View file

@ -1,155 +0,0 @@
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensors permission is not necessary for any reasonfor example, because of any applicable exception or limitation to copyrightthen that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
Section 1 Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
k. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
Section 2 Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.
A. Offer from the Licensor Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
Section 3 License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Section 4 Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
Section 8 Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at creativecommons.org.

121
LICENSES/CC0-1.0.txt
View file

@ -1,121 +0,0 @@
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.

190
LICENSES/EUPL-1.2.txt
View file

@ -1,190 +0,0 @@
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the EUPL) applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
The Licence:this Licence.
The Original Work:the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
Derivative Works:the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
The Work:the Original Work or its Derivative Works.
The Source Code:the human-readable form of the Work which is the most convenient for people to study and
modify.
The Executable Code:any code which has generally been compiled and which is meant to be interpreted by
a computer as a program.
The Licensor:the natural or legal person that distributes or communicates the Work under the Licence.
Contributor(s):any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
The Licensee or You:any natural or legal person who makes any usage of the Work under the terms of the
Licence.
Distribution or Communication:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating
EUPL v. 1.2 only. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, Compatible Licence refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or bugs inherent to this type of development.
For the above reason, the Work is provided under the Licence on an as is basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon I agree placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
and the way it may be accessible, concluded, stored and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office,
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
a European Union Member State.
Appendix
Compatible Licences according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

9
LICENSES/MIT.txt
View file

@ -1,9 +0,0 @@
MIT License
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

9
README.md
View file

@ -1,10 +1,3 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# ❄️ infrastructure
The dgnum infrastructure.
@ -98,7 +91,7 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
(import ../../../keys.nix).mkSecrets [ "host02" ] [
(import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02
]
```

72
REUSE.toml
View file

@ -1,72 +0,0 @@
version = 1
[[annotations]]
SPDX-FileCopyrightText = "NONE"
SPDX-License-Identifier = "CC0-1.0"
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "pkgs/by-name/docuseal/rubyEnv/*", "pkgs/by-name/docuseal/deps.json", "pkgs/by-name/docuseal/yarn.lock"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = [".forgejo/workflows/*"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch", "patches/cas-eleves/01-ldap-settings.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2024 Maurice Debray <maurice.debray@dgnum.eu>"]
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/06-netbox-qrcode.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"]
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "MIT"
path = "lib/colmena/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
SPDX-License-Identifier = "EUPL-1.2"
path = "**/npins/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [forgejo](https://codeberg.org/forgejo/forgejo) contributors"
SPDX-License-Identifier = "GPL-3.0-or-later"
path = "machines/nixos/compute01/extranix/static-data/images/forgejo.png"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "LicenseRef-Reserved"
path = ["machines/nixos/compute01/extranix/static-data/images/dgnum.png", "machines/nixos/compute01/extranix/static-data/images/favicon.ico", "machines/nixos/compute01/extranix/static-data/images/favicon.png"]
precedence = "closest"

35
bootstrap.nix
View file

@ -1,35 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
unpatchedSources = import ./npins;
pkgs = import unpatchedSources.nixos-unstable { overlays = [ ]; };
patch = (import ./lib/nix-patches { patchFile = ./patches; }).base {
inherit pkgs;
};
sources = builtins.mapAttrs (
k: src:
patch.applyPatches {
inherit src;
name = k;
}
) unpatchedSources;
overlays.lib = _: lib: { extra = import ./lib/nix-lib { inherit lib; }; };
in
{
inherit overlays sources unpatchedSources;
root = ./.;
pkgs = pkgs // {
lib = pkgs.lib.extend overlays.lib;
};
}

243
default.nix
View file

@ -1,19 +1,42 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
/*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
let
bootstrap = import ./bootstrap.nix;
in
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
*/
{
sources ? bootstrap.sources,
pkgs ? import sources.nixos-unstable {
overlays = [
(_: super: { lib = super.lib.extend bootstrap.overlays.lib; })
];
},
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
}:
let
@ -25,9 +48,6 @@ let
removeSuffix
;
nix-reuse = import sources.nix-reuse { inherit pkgs; };
nix-actions = import sources.nix-actions { inherit pkgs; };
git-checks = (import sources.git-hooks).run {
src = ./.;
@ -49,139 +69,13 @@ let
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
package = pkgs.nixfmt-rfc-style;
};
reuse = nix-reuse.hook {
enable = true;
stages = [ "pre-push" ];
package = pkgs.reuse; # git-hooks.nix is lagging on nixpkgs update
};
commitizen.enable = true;
};
};
reuse = nix-reuse.install {
defaultLicense = "EUPL-1.2";
defaultCopyright = "La Délégation Générale Numérique <contact@dgnum.eu>";
downloadLicenses = true;
generatedPaths = [
"**/.envrc"
"**/Cargo.lock"
"**/_hardware-configuration.nix"
".gitignore"
"REUSE.toml"
"shell.nix"
# Docuseal
"pkgs/by-name/docuseal/rubyEnv/*"
"pkgs/by-name/docuseal/deps.json"
"pkgs/by-name/docuseal/yarn.lock"
];
annotations = [
# Auto-generated workflow files using nix-actions
{ path = [ ".forgejo/workflows/*" ]; }
# Secrets
{
path = [
"machines/**/secrets/*"
"modules/nixos/dgn-backups/keys/*"
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-records/__arkheon-token_file"
"modules/nixos/dgn-s3/garage-*_file"
];
license = "CC-BY-NC-ND-4.0";
}
# Patches
{
path = [
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/nixpkgs/01-pretalx-environment-file.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
"patches/cas-eleves/01-ldap-settings.patch"
];
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
}
{
path = [
"patches/nixpkgs/07-kanidm-groups-module.patch"
"patches/nixpkgs/08-kanidm-groups-pkgs.patch"
];
copyright = [
"2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
"2024 Maurice Debray <maurice.debray@dgnum.eu>"
];
}
{
path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
}
{
path = [
"modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch"
"modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch"
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
"patches/nixpkgs/02-action-validator.patch"
];
copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
}
{
path = [
"patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"
];
copyright = [
"2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
"2025 Lubin Bailly <lubin.bailly@dgnum.eu>"
];
}
# colmena wrapper
{
path = "lib/colmena/*";
license = "MIT";
}
# npins generated files
{
path = "**/npins/*";
license = "EUPL-1.2";
copyright = "The [npins](https://github.com/andir/npins) contributors";
}
# images
{
path = "machines/nixos/compute01/extranix/static-data/images/forgejo.png";
license = "GPL-3.0-or-later";
copyright = "The [forgejo](https://codeberg.org/forgejo/forgejo) contributors";
}
{
path = [
"machines/nixos/compute01/extranix/static-data/images/dgnum.png"
"machines/nixos/compute01/extranix/static-data/images/favicon.ico"
"machines/nixos/compute01/extranix/static-data/images/favicon.png"
];
license = "LicenseRef-Reserved";
}
];
};
workflows = nix-actions.install {
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
@ -189,12 +83,8 @@ let
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
args = {
inherit nix-actions;
inherit (pkgs) lib;
};
in
if (isFunction w) then (w args) else w
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
@ -205,42 +95,45 @@ in
{
nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes/nixos.nix).nodes;
) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages =
[
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
]
++ git-checks.enabledPackages
++ (builtins.attrValues scripts);
# Daemon-less copy closure for Liminix systems.
(pkgs.callPackage (sources.liminix + "/pkgs/min-copy-closure") { nix = pkgs.lix; })
# Daemon-less garbage collection for Liminix systems.
(pkgs.callPackage (sources.liminix + "/pkgs/min-collect-garbage") { nix = pkgs.lix; })
# TFTP server, friendly for Nix builds.
(pkgs.callPackage (sources.liminix + "/pkgs/tufted") { })
shellHook = builtins.concatStringsSep "\n" [
git-checks.shellHook
reuse.shellHook
workflows.shellHook
];
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (builtins.attrValues scripts);
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
'';
preferLocalBuild = true;
@ -251,8 +144,6 @@ in
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
eval-shell.packages = [ scripts.nix-build-and-cache ];
npins-shell.packages = [ pkgs.npins ];
};
};
}

138
hive.nix
View file

@ -1,29 +1,41 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
# TODO: change comments to ### \n # [text] \n #
let
### Init some tooling
sources' = import ./npins;
bootstrap = import ./bootstrap.nix;
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
inherit (bootstrap.pkgs) lib;
inherit (lib.extra) mapSingleFuse;
nix-lib = import ./lib/nix-lib;
inherit (nix-lib) mapSingleFuse;
inherit (bootstrap) sources;
patch = import ./lib/nix-patches { patchFile = ./patches; };
### Let's build meta
metadata = (import ./meta) lib;
nodes' = import ./meta/nodes.nix;
nodes = builtins.attrNames nodes';
nodes = builtins.attrNames metadata.nodes;
### Nixpkgs instanciation
mkNode = node: {
deployment.systemType = system node;
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions × systems, instanciated
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs.version;
system = node: nodes'.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
};
# Build up the nixpkgs configuration for Liminix embedded systems
mkLiminixConfig =
@ -43,47 +55,28 @@ let
mkNixpkgsConfig =
system:
{
nixos = _: { }; # TODO: add nix-pkgs overlay here
nixos = _: { };
zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { };
}
.${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
# Instanciates the required nixpkgs version
mkSystemNixpkgs =
system: version: import sources."nixos-${version}" (mkNixpkgsConfig system version);
mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
# All supported nixpkgs versions × systems, instanciated
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: metadata.nodes.${node}.nixpkgs.version;
system = node: metadata.nodes.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
##########
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = sourcePkgs.lib.extend bootstrap.overlays.lib;
lib = sourcePkgs.lib // {
extra = nix-lib;
};
sourcePkgs = nodePkgs node;
meta = metadata;
meta = (import ./meta) lib;
nodeMeta = metadata.nodes.${node};
nodeMeta = meta.nodes.${node};
nodePath = "machines/${category node}/${node}";
};
##########
# Module for each node (quite empty since almost everything is in the default module)
#
mkNode = node: {
deployment.systemType = system node;
};
in
{
@ -92,12 +85,9 @@ in
nodeNixpkgs = mapSingleFuse nodePkgs nodes;
specialArgs = {
inherit bootstrap nixpkgs sources;
inherit nixpkgs sources;
dgn-keys = import ./lib/keys {
meta = metadata;
inherit lib;
};
dgn-keys = import ./keys;
};
nodeSpecialArgs = mapSingleFuse mkArgs nodes;
@ -128,46 +118,13 @@ in
};
};
netconf = {
evalConfig = nixpkgs.nixos.unstable.lib.evalModules;
defaults =
{
name,
nodeMeta,
nodePath,
...
}:
{
_module.args = {
pkgs = nixpkgs.nixos.unstable;
};
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}.nix
./modules/netconf
./lib/netconf-junos
"${sources.nixos-unstable}/nixos/modules/misc/assertions.nix"
];
system.host-name = name;
inherit (nodeMeta) deployment;
};
};
nixos = {
evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args;
defaults =
{
lib,
name,
nodes,
nodeMeta,
nodePath,
meta,
sourcePkgs,
...
}:
@ -181,10 +138,6 @@ in
./modules/${category name}
];
_module.args.serverNodes = lib.filterAttrs (
name: _: meta.nodes.${name}.nixpkgs.system == "nixos"
) nodes;
# Include default secrets
age-secrets.sources = [ ./${nodePath}/secrets ];
@ -193,7 +146,7 @@ in
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${builtins.storePath sourcePkgs.path}" ];
nixPath = [ "nixpkgs=${sourcePkgs.path}" ];
optimise.automatic = true;
gc = {
@ -201,14 +154,6 @@ in
dates = "weekly";
options = "--delete-older-than 7d";
};
settings =
{
substituters = [ "https://tvix-store.dgnum.eu/infra" ];
}
// (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
caches = [ "infra" ];
});
};
# Allow unfree packages
@ -221,6 +166,5 @@ in
};
};
};
}
// (mapSingleFuse mkNode nodes)

4
iso/build-iso.sh Normal file → Executable file
View file

@ -1,9 +1,5 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

8
iso/configuration.nix
View file

@ -1,13 +1,9 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
let
dgn-keys = import ../keys.nix;
dgn-keys = import ../keys;
dgn-members = (import ../meta lib).config.organization.groups.root;
dgn-members = (import ../meta lib).organization.groups.root;
in
{

6
iso/dgn-install/README.md
View file

@ -1,7 +1 @@
<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Script pour installer automatiquement NixOS sur les machines de la DGNum

4
iso/dgn-install/default.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let

4
iso/dgn-install/dgn-install.sh
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
bootDevice=
rootDevice=

4
iso/nixpkgs.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";

13
keys.nix
View file

@ -1,13 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
bootstrap = import ./bootstrap.nix;
inherit (bootstrap.pkgs) lib;
meta = import ./meta lib;
in
import ./lib/keys { inherit meta lib; }

88
keys/default.nix Normal file
View file

@ -0,0 +1,88 @@
let
_sources = import ../npins;
meta = import ../meta (import _sources.nixpkgs { }).lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}

2
lib/colmena/wrapper.sh.in
View file

@ -28,4 +28,4 @@ if [[ $1 == 'apply' ]]; then
doChecks
fi
exec @colmena@ --nix-option nix-path "" "$@"
exec @colmena@ "$@"

51
lib/keys/default.nix
View file

@ -1,51 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ meta, lib }:
let
inherit (lib.extra) setDefault;
getAttr = lib.flip builtins.getAttr;
in
rec {
_memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
_builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
_nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
# Get keys of the users
getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
# Get builder keys of the users
getBuilderKeys = getAttr _builderKeys;
# Get keys of the ssh server
getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);
# List of keys for the root group
rootKeys = getMemberKeys meta.organization.groups.root;
# All admins for a node
getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
# All keys needed for secret encryption
getSecretKeys = node: lib.unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
# List of keys for all machines wide secrets
machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
mkSecrets = nodes: setDefault { publicKeys = lib.unique (builtins.concatMap getSecretKeys nodes); };
mkRootSecrets = setDefault { publicKeys = lib.unique rootKeys; };
machineKeysBySystem =
system:
rootKeys
++ (getNodeKeys (
builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
));
}

120
lib/netconf-junos/default.nix
View file

@ -1,120 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
name,
...
}:
let
inherit (lib) mapAttrs mkOption;
inherit (lib.types)
attrs
attrsOf
bool
str
submodule
package
;
mandatory.options = {
supportPoE = mkOption {
type = bool;
example = true;
description = ''
Whether this interface supports PoE.
'';
};
};
in
{
imports = [
./interfaces.nix
./poe.nix
./protocols.nix
./system.nix
./vlans.nix
];
options = {
# Hack because of this https://git.dgnum.eu/DGNum/colmena/src/commit/71b1b660f2cda2e34e134d0028cafbd56bb22008/src/nix/hive/eval.nix#L166 which defines nixpkgs option but we don't have it here. What about liminix ?
nixpkgs = mkOption {
type = attrs;
default = { };
visible = false;
};
netconf = {
xmls.configuration = mkOption {
type = str;
readOnly = true;
description = ''
The full configuration to send to a JunOS.
'';
};
mandatoryInterfaces = mkOption {
type = attrsOf (submodule mandatory);
example = {
"ge-0/0/0" = {
supportPoE = true;
};
"ge-0/0/1" = {
supportPoE = true;
};
"xe-0/0/0" = {
supportPoE = false;
};
};
description = ''
JunOS require some interfaces to always be configured (even if they are disabled),
which correspond to physical interfaces of the switch. They have to be declared here
with some information about it (only if it supports PoE for now).
'';
};
rpc = mkOption {
type = package;
readOnly = true;
description = ''
The final rpc xml to send via netconf.
'';
};
};
};
config = {
interfaces =
let
mkIntf = _: _: { };
in
mapAttrs mkIntf config.netconf.mandatoryInterfaces;
netconf = {
xmls.configuration = with config.netconf.xmls; ''
<configuration>
${system}
${interfaces}
${protocols}
${vlans}
${poe}
</configuration>
'';
rpc = pkgs.writeText "${name}.rpc" ''
<rpc>
<edit-config>
<config>
${config.netconf.xmls.configuration}
</config>
<target>
<candidate/>
</target>
</edit-config>
</rpc>
<rpc>
<commit/>
</rpc>
'';
};
};
}

172
lib/netconf-junos/interfaces.nix
View file

@ -1,172 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
enum
ints
listOf
str
submodule
;
interface =
{ name, config, ... }:
let
unit =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "this logical interface" // {
default = true;
example = false;
};
family = {
ethernet-switching = {
enable = mkEnableOption "the ethernet switching on this logical interface";
interface-mode = mkOption {
type = enum [
"trunk"
"access"
];
description = ''
Mode of operation for vlan addressing of this interface.
"trunk" means that the traffic is tagged, "access" means the
traffic is tagged by the switch.
'';
};
vlans = mkOption {
type = listOf (either str ints.unsigned);
default = [ ];
description = ''
Vlans that can be used on this interface.
Only one ID should be here for "access" mode of operation.
'';
};
};
#TODO : DHCP
inet = {
enable = mkEnableOption "the IPv4 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv4 addresses of this interface.
'';
};
};
inet6 = {
enable = mkEnableOption "the IPv6 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv6 addresses of this interface.
'';
};
};
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
members = map (
vlan: "<members>${builtins.toString vlan}</members>"
) config.family.ethernet-switching.vlans;
eth = optionalString config.family.ethernet-switching.enable ''
<ethernet-switching>
<interface-mode>${config.family.ethernet-switching.interface-mode}</interface-mode>
<vlan>${builtins.concatStringsSep "" members}</vlan>
<storm-control><profile-name>default</profile-name></storm-control>
</ethernet-switching>
'';
addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
inet = optionalString config.family.inet.enable ''
<inet>
<address>${builtins.concatStringsSep "" addr4}</address>
</inet>
'';
addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
inet6 = optionalString config.family.inet6.enable ''
<inet6>
<address>${builtins.concatStringsSep "" addr6}</address>
</inet6>
'';
in
''
<unit>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
<family>
${eth}${inet}${inet6}
</family>
</unit>'';
};
in
{
options = {
enable = mkEnableOption "this physical interface";
unit = mkOption {
type = attrsOf (submodule unit);
default = { };
description = ''
Configuration of the logical interfaces on this physical interface.
'';
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
units = mapAttrsToList (_: unit: unit.xml) config.unit;
in
''
<interface>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
${builtins.concatStringsSep "" units}
</interface>
'';
};
in
{
options = {
interfaces = mkOption {
type = attrsOf (submodule interface);
description = ''
The interfaces configuration.
'';
};
netconf.xmls.interfaces = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.interfaces = ''
<interfaces operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.interfaces)}
</interfaces>
'';
}

53
lib/netconf-junos/poe.nix
View file

@ -1,53 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types) attrsOf str submodule;
interface-module =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "the PoE for this interface";
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml = ''
<interface><name>${name}</name>${optionalString (!config.enable) "<disable/>"}</interface>
'';
};
in
{
options = {
poe.interfaces = mkOption {
type = attrsOf (submodule interface-module);
default = { };
description = ''
PoE configuration of interfaces.
'';
};
netconf.xmls.poe = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.poe = ''
<poe operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.poe.interfaces)}
</poe>
'';
}

37
lib/netconf-junos/protocols.nix
View file

@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib) concatMapStringsSep mkOption;
inherit (lib.types) listOf str;
in
{
options = {
protocols.rstp = mkOption {
type = listOf str;
description = ''
List of interfaces on which Rapid Spanning Tree Protocol should be enabled.
'';
};
netconf.xmls.protocols = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.protocols = ''
<protocols>
<rstp operation="replace">
${concatMapStringsSep "" (
intf: "<interface><name>${intf}</name></interface>"
) config.protocols.rstp}
</rstp>
</protocols>
'';
}

95
lib/netconf-junos/system.nix
View file

@ -1,95 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatStrings
concatStringsSep
filter
hasPrefix
length
mkOption
splitString
;
inherit (lib.types)
enum
listOf
port
str
;
in
{
options = {
system = {
host-name = mkOption {
type = str;
description = "The hostname of the switch.";
};
root-authentication = {
hashedPasswd = mkOption {
type = str;
description = "Hashed password for root.";
};
ssh-keys = mkOption {
type = listOf str;
description = "ssh keys for root user.";
default = [ ];
};
};
services = {
ssh.root-login = mkOption {
type = enum [
"allow"
"deny"
"deny-password"
];
description = "Login policy to use for root.";
};
netconf.port = mkOption {
type = port;
description = "Port to use for netconf.";
default = 830;
};
};
};
netconf.xmls.system = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.system =
let
ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys;
ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1;
ssh-keys = map (concatStringsSep " ") ssh-keys2;
edsca = map (key: "<ssh-edsca><name>${key}</name></ssh-edsca>") (
filter (hasPrefix "ssh-edsca ") ssh-keys
);
rsa = map (key: "<ssh-rsa><name>${key}</name></ssh-rsa>") (filter (hasPrefix "ssh-rsa ") ssh-keys);
ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
filter (hasPrefix "ssh-ed25519 ") ssh-keys
);
in
''
<system>
<host-name operation="replace">${config.system.host-name}</host-name>
<root-authentication operation="replace">
<encrypted-password>${config.system.root-authentication.hashedPasswd}</encrypted-password>
${concatStrings (edsca ++ rsa ++ ed25519)}
</root-authentication>
<services operation="replace">
<ssh><root-login>${config.system.services.ssh.root-login}</root-login></ssh>
<netconf>
<ssh><port>${toString config.system.services.netconf.port}</port></ssh>
<rfc-compliant/><yang-compliant/>
</netconf>
</services>
</system>
'';
}

135
lib/netconf-junos/vlans.nix
View file

@ -1,135 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
assertMsg
concatStringsSep
mapAttrsToList
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
ints
listOf
nullOr
str
submodule
unspecified
;
vlan =
{ name, config, ... }:
{
options = {
id = mkOption {
type = nullOr ints.unsigned;
default = null;
description = ''
The ID of this vlan, `null` means no ID.
Incompatible with vlans.${name}.id-list.
'';
};
id-list = mkOption {
type =
let
range_type =
{ config, ... }:
{
config.__toString = _: "${toString config.begin}-${toString config.end}";
options = {
begin = mkOption {
type = ints.unsigned;
visible = false;
};
end = mkOption {
type = ints.unsigned;
visible = false;
};
__toString = mkOption {
visible = false;
internal = true;
readOnly = true;
type = unspecified;
};
};
};
in
listOf (either ints.unsigned (submodule range_type));
default = [ ];
example = [
42
{
begin = 100;
end = 200;
}
];
description = ''
List of IDs or IDs range to classify as this vlan.
Incompatible with vlans.${name}.id.
'';
};
l3-interface = mkOption {
type = nullOr str;
default = null;
example = "irb.0";
description = ''
Switch's logical interface to connect directly to this vlan.
This allows to communicate with the switch from a vlan without
having a cable looping back on it's management interface.
'';
};
xml = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.xml =
let
id = optionalString (config.id != null) "<vlan-id>${toString config.id}</vlan-id>";
id-list = concatStringsSep "" (
map (vlan: "<vlan-id-list>${toString vlan}</vlan-id-list>") config.id-list
);
l3-intf = optionalString (
config.l3-interface != null
) "<l3-interface>${config.l3-interface}</l3-interface>";
in
assert assertMsg (
config.id == null || config.id-list == [ ]
) "vlans.${name}.id and vlans.${name}.id-list are incompatible.";
''
<vlan>
<name>${name}</name>
${id}${id-list}${l3-intf}
</vlan>
'';
};
in
{
options = {
vlans = mkOption {
type = attrsOf (submodule vlan);
description = ''
Named vlans configuration. Allows to name vlans inside interface configuration,
instead of just using their IDs.
'';
};
netconf.xmls.vlans = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.vlans = ''
<vlans operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: vlan: vlan.xml) config.vlans)}
</vlans>
'';
}

78
lib/nix-lib/default.nix
View file

@ -1,20 +1,50 @@
# Copyright Tom Hubrecht, (2023)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib }:
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
let
inherit (lib)
optionals
optionalString
listToAttrs
nameValuePair
recursiveUpdate
;
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec {
inherit (import ./nixpkgs.nix)
flip
hasPrefix
recursiveUpdate
splitString
unique
warn
;
/*
Fuses a list of attribute sets into a single attribute set.
@ -48,24 +78,6 @@ rec {
attrsList:
fuseAttrs (builtins.map f attrsList);
/*
Generate an `attrsList` of given size with the generator before fusing
the resulting list of attribute sets.
Type: (Int -> attrs) -> Int -> attrs
Example:
f = s: { "a${toString s}" = s + s; }
genFuse f 3
=> { a0 = 0; a1 = 2; a2 = 4; }
*/
genFuse =
# Int -> attrs
f:
# Int
size:
fuseAttrs (builtins.genList f size);
/*
Equivalent of lib.singleton but for an attribute set.
@ -96,11 +108,6 @@ rec {
*/
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
# Like genAttrs but allows configuring the name
genAttrs' =
names: f: g:
listToAttrs (map (n: nameValuePair (f n) (g n)) names);
/*
Creates a relative path as a string
@ -130,8 +137,11 @@ rec {
subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = optionals;
optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together.

462
lib/nix-lib/nixpkgs.nix Normal file
View file

@ -0,0 +1,462 @@
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
/**
`warn` *`message`* *`value`*
Print a warning before returning the second argument.
See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
# Inputs
*`message`* (String)
: Warning message to print before evaluating *`value`*.
*`value`* (any value)
: Value to return as-is.
# Type
```
String -> a -> a
```
*/
warn =
# Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
builtins.warn or (
let
mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
"1"
"true"
"yes"
];
in
# Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
msg: v:
# `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
assert builtins.isString msg;
if mustAbort then
builtins.trace "evaluation warning: ${msg}" (
abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
)
else
builtins.trace "evaluation warning: ${msg}" v
);
}

38
lib/nix-patches/default.nix
View file

@ -1,7 +1,32 @@
# Copyright Tom Hubrecht, (2023-2024)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
patchFile,
@ -14,15 +39,12 @@ rec {
{ pkgs }:
rec {
mkUrlPatch =
{
hash ? null,
...
}@attrs:
attrs:
pkgs.fetchpatch (
{
hash = if hash == null then pkgs.lib.fakeHash else hash;
hash = pkgs.lib.fakeHash;
}
// (builtins.removeAttrs attrs [ "hash" ])
// attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
})

4
machines/liminix/ap01/_configuration.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
modulesPath,
sourcePkgs,

14
machines/liminix/ap01/addresses.nix
View file

@ -1,22 +1,20 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
services.dhcpv4 = svc.network.dhcp.client.build {
services.init-dhcpv4 = svc.network.dhcp.client.build {
interface = config.services.int;
dependencies = [
config.services.bridge.components.lan
];
};
services.defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
services.init-defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.init-dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
dependencies = [ config.services.init-dhcpv4 ];
};
# TODO: ensure SLAAC for admin-vlan.
}

9
machines/liminix/ap01/dns.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
inherit (pkgs.liminix.services) oneshot;
@ -12,17 +8,18 @@ in
# TODO: support dynamic reconfiguration once we are in the target VLAN?
services.resolvconf = oneshot rec {
name = "resolvconf";
# TODO: imho, DNS should be static and provided by the router?
up = ''
. ${serviceFns}
( in_outputs ${name}
for i in $(output ${config.services.dhcpv4} dns); do
for i in $(output ${config.services.init-dhcpv4} dns); do
echo "nameserver $i" >> resolv.conf
done
)
'';
dependencies = [
config.services.dhcpv4
config.services.init-dhcpv4
];
};

4
machines/liminix/ap01/ipc.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;

66
machines/liminix/ap01/lan.nix
View file

@ -1,43 +1,43 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
services.int = svc.bridge.primary.build {
ifname = "int";
macAddressFromInterface = config.hardware.networkInterfaces.lan;
};
# Our bridging is a bit complicated, therefore, we need iproute2.
programs.iproute2.enable = true;
services.bridge = svc.bridge.members.build {
primary = config.services.int;
members = {
lan.member = config.hardware.networkInterfaces.lan;
wlan0 = {
member = config.hardware.networkInterfaces.wlan0;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-1-ready ];
};
wlan1 = {
member = config.hardware.networkInterfaces.wlan1;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-2-ready ];
services = {
int = svc.bridge.primary.build {
ifname = "int";
macAddressFromInterface = config.hardware.networkInterfaces.lan;
untagged = {
enable = true;
pvid = 1;
default-pvid = 1;
};
};
bridge = svc.bridge.members.build {
primary = config.services.int;
members = {
lan.member = config.hardware.networkInterfaces.lan;
wlan0 = {
member = config.hardware.networkInterfaces.wlan0;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-1-ready ];
};
wlan1 = {
member = config.hardware.networkInterfaces.wlan1;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-2-ready ];
};
};
};
admin-vlan = svc.vlan.build {
ifname = "admin";
primary = config.services.int;
vid = "3001";
};
};
# Default VLAN
# services.vlan-apro = svc.vlan.build {
# vlanId = 0;
# interface = config.services.int;
# };
# # Administration VLAN
# services.vlan-admin = svc.vlan.build {
# vlan = 3001;
# interface = config.services.int;
# };
}

4
machines/liminix/ap01/management.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;

4
machines/liminix/ap01/metadata.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let
inherit (pkgs.pseudofile) dir;

48
machines/liminix/ap01/recovery.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
@ -10,11 +6,12 @@
}:
let
svc = config.system.service;
parentConfig = config;
in
{
defaultProfile.packages = with pkgs; [
defaultProfile.packages = [
# Levitate enable us to mass-reinstall the system on the fly.
(levitate.override {
(pkgs.levitate.override {
config = {
imports = [
"${modulesPath}/network"
@ -23,24 +20,33 @@ in
"${modulesPath}/kernel"
"${modulesPath}/outputs/tftpboot.nix"
"${modulesPath}/outputs.nix"
(
{ config, ... }:
{
services = {
# In this situation, we fallback to the appro VLAN.
# TODO: add support for the admin VLAN.
# Simplest DHCPv4 we can find.
dhcpv4 = svc.network.dhcp.client.build {
interface = parentConfig.hardware.networkInterfaces.lan;
};
inherit (parentConfig.services) sshd;
defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
};
}
)
];
hostname = "${parentConfig.hostname}-live";
nixpkgs.buildPlatform = builtins.currentSystem;
services = {
# In this situation, we fallback to the appro VLAN.
# TODO: add support for the admin VLAN.
# Simplest DHCPv4 we can find.
dhcpv4 = svc.network.dhcp.client.build {
interface = config.hardware.networkInterfaces.lan;
};
inherit (config.services) sshd;
defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
};
defaultProfile.packages = [ mtdutils ];
defaultProfile.packages = with pkgs; [
mtdutils
zyxel-bootconfig
];
# Only keep root, which should inherit from DGN access control's root permissions.
users.root = config.users.root;
};

4
machines/liminix/ap01/system.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, config, ... }:
let
svc = config.system.service;

6
machines/liminix/ap01/wlan.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
svc = config.system.service;
@ -89,7 +85,7 @@ in
hostap-2 = mkWifiSta (
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2;
# Oneshot that waits until the hostapd has set the interface in operational state.
# Oneshot that waits until the hostapd has set the interface in operational state.
hostap-2-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan1;
};

29
machines/netconf/netaccess01.nix
View file

@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
AP = [
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
];
admin-ip = "fd26:baf9:d250:8000::2001/64";
};
dgn-interfaces = {
# netcore02
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
}

28
machines/netconf/netcore00.nix
View file

@ -1,28 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware = {
model = "EX4400-24X";
extensions = [ "EX4400-EM-4Y" ];
};
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::1010/64";
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
"xe-0/0/23".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.2.3/24" ];
};
}

52
machines/netconf/netcore01.nix
View file

@ -1,52 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware.model = "EX4100-F-48P";
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::100f/64";
};
dgn-profiles = {
"hypervisor" = {
interfaces = [
"ge-0/0/1"
"ge-0/0/3"
"ge-0/0/5"
"ge-0/0/7"
"ge-0/0/9"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
"idrac" = {
interfaces = [
"ge-0/0/0"
"ge-0/0/2"
"ge-0/0/4"
"ge-0/0/6"
"ge-0/0/8"
# PDU and PSU
"ge-0/0/46"
"ge-0/0/47"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
};
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.2.2/24" ];
};
}

77
machines/netconf/netcore02.nix
View file

@ -1,77 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
AP = [
# H1-00
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
# H1-01
"ge-0/0/6"
"ge-0/0/7"
"ge-0/0/8"
"ge-0/0/9"
"ge-0/0/10"
"ge-0/0/11"
# H1-02
"ge-0/0/12"
"ge-0/0/13"
"ge-0/0/14"
"ge-0/0/15"
"ge-0/0/16"
"ge-0/0/17"
];
admin-ip = "fd26:baf9:d250:8000::1001/64";
};
dgn-interfaces = {
# oob
"ge-0/0/42".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# netcore01 (Potos)
"xe-0/1/2".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"all"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
}

4
machines/nixos/bridge01/_configuration.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
lib.extra.mkConfig {

148
machines/nixos/bridge01/network.nix
View file

@ -1,19 +1,5 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_:
{
pkgs,
utils,
lib,
...
}:
let
inherit (lib)
getExe'
;
in
{
networking = {
useNetworkd = true;
@ -23,84 +9,70 @@ in
firewall.allowedUDPPorts = [ 67 ];
};
systemd = {
services."arp-resolve-router" = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "systemd-networkd-wait-online.service" ];
bindsTo = [ "systemd-networkd-wait-online.service" ];
serviceConfig.ExecStart = utils.escapeSystemdExecArgs [
(getExe' pkgs.iputils "ping")
"-c"
1
"10.120.33.245"
];
};
network = {
wait-online.anyInterface = true;
networks = {
"10-enp1s0f0" = {
name = "enp1s0f0";
# description = "To the switch";
networkConfig = {
VLAN = [
"vlan-admin"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"10-eno1" = {
name = "eno1";
# description = "Uplink cri";
address = [
"10.120.33.246/30"
"129.199.195.158/32"
];
routes = [
{
PreferredSource = "129.199.195.158";
Gateway = "10.120.33.245";
}
];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};

12
machines/nixos/bridge01/secrets/secrets.nix
View file

@ -1,9 +1,3 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets
[ "bridge01" ]
[
# List of secrets for bridge01
]
(import ../../../../keys).mkSecrets [ "bridge01" ] [
# List of secrets for bridge01
]

26
machines/nixos/build01/_configuration.nix
View file

@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
"dgn-forgejo-runners"
];
enabledServices = [
"nix-builder"
];
extraConfig = {
dgn-forgejo-runners = {
nbRunners = 16;
dataDirectory = "/data";
};
services.netbird.enable = true;
};
root = ./.;
}

59
machines/nixos/build01/_hardware-configuration.nix
View file

@ -1,59 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"nvme"
"megaraid_sas"
"ehci_pci"
"ahci"
"usbhid"
"sd_mod"
];
kernelModules = [ "dm-snapshot" ];
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
fsType = "xfs";
};
"/data" = {
device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/1372-46EA";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

77
machines/nixos/build01/nix-builder.nix
View file

@ -1,77 +0,0 @@
# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
lib,
dgn-keys,
meta,
...
}:
{
config = {
dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
# FIXME(Raito): this should really go into `dgn-access-control` but I don't
# know what is the desired architecture for it. Leaving it for the people with opinions™.
users.groups.nix-builders = { };
users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
extraGroups = [ "nix-builders" ];
openssh.authorizedKeys.keys = dgn-keys.getBuilderKeys u;
});
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = "20480";
}
];
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "450G";
MemoryHigh = "440G";
MemorySwapMax = "2G";
ManagedOOMSwap = "kill";
ManagedOOMMemoryPressure = "kill";
MemoryPressureWatch = "on";
};
nix = {
gc = {
automatic = true;
dates = lib.mkForce "*:45";
options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
randomizedDelaySec = "1800";
};
nrBuildUsers = 128;
settings = {
trusted-users = [
"@wheel"
"@nix-builders"
];
keep-outputs = false;
keep-derivations = false;
use-cgroups = true;
http-connections = 0;
auto-allocate-uids = true;
cores = 0;
max-jobs = 8;
fsync-metadata = true;
experimental-features = [
"auto-allocate-uids"
# "ca-derivations" this feature is really extremely broken.
"cgroups"
"fetch-closure"
"impure-derivations"
];
};
};
};
}

31
machines/nixos/build01/secrets/forgejo_runners-token_file
View file

@ -1,31 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
-> ssh-rsa krWCLQ
X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
ejR3mZyP5SU2+Pr6navc0w
-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
-> Tqc#'yq%-grease b
X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
8TkORCQQUYZIlNqu2Psfbi0
--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
“˜?l÷6r] úfBžo<ŸŒ9lj5M+Ší7íNõϹäô% Ñ.èœELĘâÂÒw§¾snÑáã¬nšN -×Ø̯pñûëËŠÓ

9
machines/nixos/build01/secrets/secrets.nix
View file

@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets
[ "build01" ]
[
"forgejo_runners-token_file"
]

25
machines/nixos/cof02/_configuration.nix
View file

@ -1,25 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-web"
];
enabledServices = [
# List of services to enable
"staging-gestiocofs"
];
extraConfig = {
dgn-records.enable = false;
dgn-monitoring.enable = false;
dgn-notify.enable = false;
};
root = ./.;
}

45
machines/nixos/cof02/_hardware-configuration.nix
View file

@ -1,45 +0,0 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c6aac187-c594-4af7-8efa-a2cbd8281b8c";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/3D06-7719";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

9
machines/nixos/cof02/secrets/secrets.nix
View file

@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys.nix).mkSecrets
[ "cof02" ]
[
"webhook-gestiocof_token"
]

BIN
machines/nixos/cof02/secrets/webhook-gestiocof_token
View file

Binary file not shown.

207
machines/nixos/cof02/staging-gestiocofs.nix
View file

@ -1,207 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, config, ... }:
let
inherit (lib)
mkMerge
listToAttrs
nameValuePair
;
branches = [
"master"
"staging"
"gestion-clubs"
"status-change-2024-nov-13"
];
mainDomain = "cof-stage.dgnum.eu";
in
mkMerge (
[
{
services.django-apps = {
enable = true;
webhook = {
domain = mainDomain;
nginx = {
enableACME = true;
forceSSL = true;
};
};
};
}
]
++ map (branch: {
services.django-apps.sites.${branch} = {
inherit branch;
source = "https://git.dgnum.eu/DGNum/gestioCOF";
domain = "${branch}.${mainDomain}";
doBackups = false;
nginx = {
enableACME = true;
forceSSL = true;
locations =
{
"/ws/" = {
proxyPass = "http://unix:/run/django-apps/${branch}/socket";
proxyWebsockets = true;
};
}
// (listToAttrs (
builtins.map
(
folder:
nameValuePair "~ ^/${folder}/" {
extraConfig = ''
# we don't have the mount
return 501;
'';
}
)
[
"arcanoid"
"cirque"
"pompom"
"trouveres"
]
));
extraConfig = ''
rewrite ^/$ /news;
'';
};
webHookSecret = config.age.secrets."webhook-gestiocof_token".path;
overlays = {
kat-pkgs = [
"django-cogwheels"
"django-djconfig"
"django-hCaptcha"
"wagtail-modeltranslation"
"wagtailmenus"
];
nix-pkgs = [
# Required packages
"authens"
"django-bootstrap-form"
"django-bulma-forms"
"django-cas-ng"
"loadcredential"
# Dependencies
"python-cas"
];
};
dependencies = ps: [
ps.authens
ps.channels
ps.channels-redis
ps.configparser
ps.django
ps.django-autocomplete-light
ps.django-bootstrap-form
ps.django-bulma-forms
ps.django-cas-ng
ps.django-cors-headers
ps.django-djconfig
ps.django-hCaptcha
ps.django-js-reverse
ps.django-widget-tweaks
ps.icalendar
ps.loadcredential
ps.pillow
ps.python-dateutil
ps.redis
ps.statistics
ps.wagtail
ps.wagtail-modeltranslation
ps.wagtailmenus
ps.django-debug-toolbar
];
application = {
module = "gestioasso";
type = "daphne";
settingsModule = "gestioasso.settings_cof";
};
environment = {
GESTIOCOF_CHANNEL_LAYERS.default = {
BACKEND = "shared.channels.ChannelLayer";
CONFIG.hosts = [ "unix://${config.services.redis.servers.${branch}.unixSocket}" ];
};
GESTIOCOF_CACHES.default = {
BACKEND = "django.core.cache.backends.redis.RedisCache";
LOCATION = "unix://${config.services.redis.servers.${branch}.unixSocket}";
};
GESTIOCOF_CORS_ALLOWED_ORIGINS = [
"https://${config.services.django-apps.sites.${branch}.domain}"
];
GESTIOCOF_SERVER_EMAIL = "gestion@cof.ens.fr";
GESTIOCOF_DEBUG = true;
# fake credentials
GESTIOCOF_SECRET_KEY = "insecure-key";
GESTIOCOF_HCAPTCHA_SECRET = "0x0000000000000000000000000000000000000000";
GESTIOCOF_HCAPTCHA_SITEKEY = "10000000-ffff-ffff-ffff-000000000001";
GESTIOCOF_KFETOPEN_TOKEN = "k-feste_token";
GESTIOCOF_SYMPA_PASSWORD = "toto";
GESTIOCOF_SYMPA_USERNAME = "sympa";
GESTIOCOF_EMAIL_HOST = "localhost";
};
env_prefix = "GESTIOCOF";
extraInit = ''
python manage.py sync_page_translation_fields
python manage.py update_translation_fields
python manage.py loaddata gestion sites articles
python manage.py loaddevdata
'';
extraServices.worker = {
script = "python3 manage.py runworker default";
serviceConfig = {
WorkingDirectory = "/var/lib/django-apps/${branch}/source";
SupplementaryGroups = [ "redis-${branch}" ];
};
};
timers = {
rappel-negatifs = {
script = ''
python3 manage.py sendrappelsnegatifs
'';
startAt = "*-*-* 1,13:17:19";
};
rappel-bda = {
script = ''
python3 manage.py sendrappels
'';
startAt = "*-*-* 2,14:17:19";
};
manage-reventes = {
script = ''
python3 manage.py manage_reventes
'';
startAt = "*-*-* *:01..56/5:29";
};
};
};
services.redis.servers.${branch} = {
enable = true;
};
systemd.services."dj-${branch}".serviceConfig.SupplementaryGroups = [ "redis-${branch}" ];
}) branches
)

11
machines/nixos/compute01/_configuration.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
@ -18,24 +14,19 @@ lib.extra.mkConfig {
# INFO: This list needs to stay sorted alphabetically
"arkheon"
"dgsi"
"docuseal"
"ds-fr"
"extranix"
"grafana"
"hedgedoc"
"kanidm"
"librenms"
"mastodon"
# "netbox"
"nextcloud"
"ollama-proxy"
"outline"
"plausible"
"postgresql"
"pretalx"
"pretix"
"rstudio-server"
# "satosa"
"satosa"
"signal-irc-bridge"
"signald"
"stirling-pdf"

2
machines/nixos/compute01/_hardware-configuration.nix
View file

@ -29,5 +29,5 @@
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/edbb5acc-84fc-4a2f-9f1b-086eb137d6dc"; } ];
swapDevices = [ { device = "/dev/disk/by-uuid/30547280-00e9-4ee1-8a07-d116590d9fbf"; } ];
}

14
machines/nixos/compute01/arkheon.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, sources, ... }:
{
@ -10,6 +6,16 @@
services.arkheon = {
enable = true;
pythonEnv =
(import sources.nixos-unstable {
overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
}).python3.withPackages
(ps: [
ps.arkheon
ps.daphne
ps.psycopg2
]);
domain = "arkheon.dgnum.eu";
nginx = {

87
machines/nixos/compute01/dgsi/default.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
@ -14,38 +10,40 @@
let
inherit (lib) toLower;
python = pkgs.python312.override {
packageOverrides = (import "${sources.nix-pkgs}/overlay.nix").mkOverlay {
folder = "python-modules";
plist = [
"django-allauth-cas"
"django-browser-reload"
"django-bulma-forms"
"django-sass-processor"
"django-sass-processor-dart-sass"
"django-unfold"
"loadcredential"
"pykanidm"
"python-cas"
"xlwt"
];
python =
let
python3 = pkgs.python312;
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
in
python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-allauth
django-allauth-cas
django-browser-reload
django-bulma-forms
django-sass-processor
django-sass-processor-dart-sass
django-unfold
pykanidm
python-cas
loadcredential
xlwt
;
};
};
};
pythonEnv = python.withPackages (
ps:
[
ps.django
ps.django-allauth
ps.django-compressor
ps.django-htmx
ps.django-import-export
ps.djangorestframework
ps.drf-spectacular
ps.gunicorn
ps.psycopg
ps.django-compressor
ps.django-import-export
# Local packages
ps.django-allauth
ps.django-allauth-cas
ps.django-browser-reload
ps.django-bulma-forms
@ -56,29 +54,14 @@ let
ps.pykanidm
ps.python-cas
]
++ (
# On unstable, it is ps.django-allauth.optional-dependencies.socialaccount
# but it does not exist on 24.11
# FIXME: Use the correct optional-dependencies when available
[
ps.requests
ps.requests-oauthlib
ps.pyjwt
]
++ ps.pyjwt.optional-dependencies.crypto
)
++ ps.django-allauth.optional-dependencies.saml
++ ps.drf-spectacular.optional-dependencies.sidecar
);
staticDrv = pkgs.stdenv.mkDerivation {
name = "dgsi-static";
src = sources.dgsi;
# sources main dir has a silly name
setSourceRoot = ''
sourceRoot=$(echo */src)
'';
sourceRoot = "source/src";
nativeBuildInputs = [
pkgs.dart-sass
@ -92,7 +75,6 @@ let
export DGSI_KANIDM_AUTH_TOKEN="fake.token"
export DGSI_X509_KEY=""
export DGSI_X509_CERT=""
export DGSI_ARCHIVES_ROOT=""
'';
doBuild = false;
@ -171,10 +153,6 @@ in
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
DGSI_STATIC_ROOT = "${staticDrv}/static";
DGSI_ARCHIVES_ROOT = "/var/lib/django-apps/dgsi/archives";
DGSI_ARCHIVES_INTERNAL = "_archives";
DGSI_STAFF_GROUP = "grp_bureau@sso.dgnum.eu";
DGSI_DATABASES = builtins.toJSON {
default = {
@ -205,19 +183,10 @@ in
};
mounts = [
{
where = "/run/django-apps/dgsi/archives";
what = "/var/lib/django-apps/dgsi/archives";
options = "bind,nofail";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
upheldBy = [ "dj-dgsi.service" ];
}
{
where = "/run/django-apps/dgsi/media";
what = "/var/lib/django-apps/dgsi/media";
options = "bind,nofail";
options = "bind";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
@ -247,10 +216,6 @@ in
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
"/static/".root = staticDrv;
"/media/".root = "/run/django-apps/dgsi";
"/_archives/".extraConfig = ''
internal;
alias /run/django-apps/dgsi/archives/;
'';
};
};
};

34
machines/nixos/compute01/docuseal/default.nix
View file

@ -1,34 +0,0 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ bootstrap, ... }:
let
host = "docuseal.dgnum.eu";
port = 2500;
in
{
imports = [ ./module.nix ];
nixpkgs.overlays = [
(self: _: {
docuseal = self.callPackage (bootstrap.root + "/pkgs/by-name/docuseal") { };
})
];
services.docuseal = {
enable = true;
inherit host port;
};
dgn-web.simpleProxies.docuseal = {
inherit host port;
};
services.extranix.modules."DGNum Infrastructure".paths = [
./module.nix
];
}

229
machines/nixos/compute01/docuseal/module.nix
View file

@ -1,229 +0,0 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe'
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
optionalAttrs
;
inherit (lib.types)
attrsOf
bool
nullOr
oneOf
package
path
port
str
;
inherit (utils) escapeSystemdExecArgs;
cfg = config.services.docuseal;
in
{
options.services.docuseal = {
enable = mkEnableOption "docuseal, an open source DocuSign alternative";
package = mkPackageOption pkgs "docuseal" { };
host = mkOption {
type = str;
description = ''
Hostname of the web server.
'';
};
port = mkOption {
type = port;
default = 3000;
description = ''
Listening port for the web server.
'';
};
environment = mkOption {
type = attrsOf (
nullOr (oneOf [
package
path
str
])
);
description = ''
Evironment variables available to Docuseal.
'';
};
environmentFile = mkOption {
type = nullOr path;
default = null;
description = ''
Path to a file containing environment variables.
'';
};
redis = {
createLocally = mkOption {
type = bool;
default = true;
description = ''
Whether to create a local redis automatically.
'';
};
};
interactScript = mkOption {
type = package;
default = pkgs.writeShellApplication {
name = "docuseal";
runtimeInputs = [
cfg.package
config.systemd.package
pkgs.util-linux
];
text = ''
MainPID=$(systemctl show -p MainPID --value docuseal.service)
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
'';
};
description = ''
Script to run docuseal tasks.
'';
};
};
config = mkIf cfg.enable {
services = {
docuseal.environment =
{
RAILS_ENV = "production";
WORKDIR = "/var/lib/docuseal";
DATABASE_URL = "postgresql:///docuseal?host=/run/postgresql";
HOST = cfg.host;
PORT = builtins.toString cfg.port;
}
// (optionalAttrs cfg.redis.createLocally {
REDIS_URL = "unix://${config.services.redis.servers.docuseal.unixSocket}";
});
postgresql = {
enable = true;
ensureDatabases = [ "docuseal" ];
ensureUsers = [
{
name = "docuseal";
ensureDBOwnership = true;
}
];
};
redis.servers.docuseal = mkIf cfg.redis.createLocally {
enable = true;
};
};
environment.systemPackages = [ cfg.interactScript ];
systemd.services.docuseal = {
description = "Docuseal";
after = [
"network.target"
"postgresql.target"
] ++ (optional cfg.redis.createLocally "redis.service");
wantedBy = [ "multi-user.target" ];
inherit (cfg) environment;
path = [ cfg.package ];
serviceConfig =
{
CacheDirectory = "docuseal";
CacheDirectoryMode = "0700";
DynamicUser = true;
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.package "bundle")
"exec"
"puma"
"-C"
"${cfg.package}/config/puma.rb"
"--dir"
cfg.package
];
LogsDirectory = "docuseal";
LogsDirectoryMode = "0700";
StateDirectory = "docuseal";
StateDirectoryMode = "0700";
SupplementaryGroups = optional cfg.redis.createLocally "redis-docuseal";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
User = "docuseal";
UMask = "0077";
WorkingDirectory = "/var/lib/docuseal";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = cfg.port >= 1024;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
}
// optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
};
};
}

63
machines/nixos/compute01/ds-fr/01-smtp-tls.patch
View file

@ -1,63 +0,0 @@
From de5e8237e4bd8f3e325473c789fb542d01557f27 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Fri, 22 Sep 2023 17:26:27 +0200
Subject: [PATCH 1/2] fix(smtp): Allow specifying SSL settings
---
config/environments/production.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index cf942cd6c70..39692890213 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -105,7 +105,8 @@
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
+ ssl: ENV.fetch("SMTP_SSL").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail
From a406428ee761231c3e82dd5c8f5154d04474a238 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Mon, 25 Sep 2023 10:17:37 +0200
Subject: [PATCH 2/2] fix(smtp): Disambiguate configuration options for SMTP
---
config/env.example.optional | 3 ++-
config/environments/production.rb | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/env.example.optional b/config/env.example.optional
index 050e5d49bec..25bea8328fb 100644
--- a/config/env.example.optional
+++ b/config/env.example.optional
@@ -206,7 +206,8 @@ SMTP_HOST=""
SMTP_PORT=""
SMTP_USER=""
SMTP_PASS=""
-SMTP_TLS=""
+SMTP_STARTTLS="enabled" # Use any non-blank value to enable starttls
+SMTP_TLS="" # Use any non-blank value to enable TLS
SMTP_AUTHENTICATION="plain"
# Sendmail
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 39692890213..bc203bbbaab 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -105,8 +105,8 @@
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
- ssl: ENV.fetch("SMTP_SSL").present?
+ enable_starttls_auto: ENV.fetch("SMTP_STARTTLS", "enabled").present?,
+ tls: ENV.fetch("SMTP_TLS", "").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail

72
machines/nixos/compute01/ds-fr/default.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
@ -11,49 +7,41 @@
let
host = "demarches.dgnum.eu";
port = 3000;
dgn-id = "8dfdc60d1aa66e7206461ed7a49199f624a66b4e";
patch = pkgs.fetchurl {
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
hash = "sha256-6JdbUf2fc79E5F1wtYFnP1JLGJffhGbjaxysRFr8xN4=";
};
dgn-id = "1fbe81d211b18dae7b9c1727362997c62636f24a";
in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = port;
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = {
enable = true;
package = (import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.overrideAttrs (old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
};
package =
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
initialDeploymentDate = "20230923";
}).overrideAttrs
(old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${
pkgs.fetchurl {
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
hash = "sha256-aCq/WkV4+PUSIzXgznwm2sAcaz12Y1zmUbh7QoXoMsM=";
}
}
'';
};
});
patches = (old.patches or [ ]) ++ [ ./01-smtp-tls.patch ];
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
postPatch = ''
rm -f lib/tasks/deployment/20240830192553_backfill_hide_instructeurs_email.rake
rm -f lib/tasks/deployment/20240912151317_clean_virtual_column_from_procedure_presentation.rake
rm -f lib/tasks/deployment/20240920130741_migrate_procedure_presentation_to_columns.rake
'';
});
inherit host port;
environmentFile = config.age.secrets."ds-fr-secret_file".path;
secretFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923";
environment = {
settings = {
APP_HOST = host;
# Disable France Connect and Agent Connect
FRANCE_CONNECT_ENABLED = "disabled";
AGENT_CONNECT_ENABLED = "disabled";
@ -73,8 +61,8 @@ in
SMTP_HOST = "kurisu.lahfa.xyz";
SMTP_PORT = "465";
SMTP_USER = "web-services@infra.dgnum.eu";
SMTP_STARTTLS = "";
SMTP_TLS = "true";
SMTP_TLS = "";
SMTP_SSL = "true";
SMTP_AUTHENTICATION = "plain";
SUPER_ADMIN_OTP_ENABLED = "disabled";
@ -95,10 +83,18 @@ in
RUBY_YJIT_ENABLE = "1";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-12-18";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-23";
WEASYPRINT_URL = "http://127.0.0.1:5000/pdf";
# Customization
# HEADER_LOGO_SRC = "logo_ens_psl_couleur.png";
# HEADER_LOGO_ALT = "Par la Recherche, pour la Recherche";
# PROCEDURE_DEFAULT_LOGO_SRC = "logo_ens_psl_couleur.png";
};
};
# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];
age-secrets.autoMatch = [ "ds-fr" ];
dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/ds-fr" ];
dgn-backups.postgresDatabases = [ "ds-fr" ];
}

456
machines/nixos/compute01/ds-fr/module.nix
View file

@ -1,295 +1,227 @@
# SPDX-FileCopyrightText: 2023-2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# Copyright Tom Hubrecht, (2023)
#
# SPDX-License-Identifier: EUPL-1.2
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is a computer program whose purpose is to configure
# machines and servers with NixOS.
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe
getExe'
mapAttrs
mdDoc
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
;
optionalString
inherit (lib.types)
attrsOf
nullOr
oneOf
package
path
port
str
types
;
inherit (utils) escapeSystemdExecArgs;
cfg = config.services.demarches-simplifiees;
weasyprintEnv = pkgs.python3.withPackages (ps: [
ps.flask
ps.sentry-sdk
ps.weasyprint
]);
settingsFormat = pkgs.formats.keyValue { };
env = settingsFormat.generate "ds-fr-env" cfg.settings;
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
set -a
cd ${cfg.package}
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
source ${env}
BIN="$1"
shift
SUDO="exec"
if [[ $USER != ${cfg.user} ]]; then
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
fi
$SUDO ${cfg.package}/bin/$BIN "$@"
'';
in
{
options.services.demarches-simplifiees = {
enable = mkEnableOption "Démarches Simplifiées";
enable = mkEnableOption "demarches-simplifiees.";
package = mkPackageOption pkgs "demarches-simplifiees" { };
finalPackage = mkOption {
type = package;
default = cfg.package.override { inherit (cfg) initialDeploymentDate; };
package = mkOption {
type = types.package;
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
};
host = mkOption {
type = str;
description = ''
Hostname of the web server.
'';
user = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "User account under which DS runs.";
};
port = mkOption {
type = port;
default = 3000;
description = ''
Listening port for the web server.
'';
group = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "Group account under which DS runs.";
};
weasyprintPort = mkOption {
type = port;
default = 5000;
description = ''
Port of the weasyprint server.
'';
dataDir = mkOption {
type = types.str;
default = "/var/lib/ds-fr";
};
environment = mkOption {
type = attrsOf (
nullOr (oneOf [
package
path
str
])
);
description = ''
Evironment variables available to Démarches Simplifiées.
'';
logDir = mkOption {
type = types.str;
default = "/var/log/ds-fr";
};
environmentFile = mkOption {
type = nullOr path;
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a file containing environment variables.
Required secrets are `SECRET_KEY_BASE` and `OTP_SECRET_KEY`,
which can be generated using `rails secret`.
'';
};
settings = mkOption { inherit (settingsFormat) type; };
initialDeploymentDate = mkOption {
type = nullOr str;
type = types.nullOr types.str;
default = null;
description = ''
Initial deployment date, used to ignore some migrations,
which are known to be buggy and are supposed to change old production data.
'';
};
interactScript = mkOption {
type = package;
default = pkgs.writeShellApplication {
name = "ds-fr";
runtimeInputs = [
cfg.finalPackage
config.systemd.package
pkgs.util-linux
];
text = ''
MainPID=$(systemctl show -p MainPID --value demarches-simplifiees.service)
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
'';
};
description = ''
Script to run ds-fr tasks.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.interactScript ];
environment.systemPackages = [ ds-fr ];
systemd.tmpfiles.rules = [
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
];
systemd.services = {
ds-fr-setup = {
description = "Demarches Simplifiees setup";
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
ds-fr
];
after = [ "postgresql.service" ];
systemd.services =
let
serviceConfig = {
User = "ds-fr";
DynamicUser = true;
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
CacheDirectory = "demarches-simplifiees";
LogsDirectory = "demarches-simplifiees";
RuntimeDirectory = "demarches-simplifiees";
StateDirectory = "demarches-simplifiees";
WorkingDirectory = cfg.finalPackage;
};
in
{
demarches-simplifiees = {
description = "Démarches Simplifiées";
inherit (cfg) environment;
path = [
cfg.finalPackage
pkgs.imagemagick
];
after = [
"network.target"
"postgresql.target"
];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "$STATE_DIRECTORY/storage"
if [[ ! -f "$STATE_DIRECTORY/.version" ]]; then
# Run initial setup
rails db:environment:set
rails db:schema:load
rails db:seed
rails jobs:schedule
touch "$STATE_DIRECTORY/.version"
fi
if [[ $(cat "$STATE_DIRECTORY/.version") != "$__DS_VERSION" ]]; then
# Run migrations on version change
rake db:migrate
rake after_party:run
echo "$__DS_VERSION" > "$STATE_DIRECTORY/.version"
fi
'';
serviceConfig = serviceConfig // {
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.finalPackage "rails")
"server"
"-b"
"127.0.0.1"
"-p"
cfg.port
];
};
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
demarches-simplifiees-work = {
description = "Démarches Simplifiées work service";
script = ''
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
&& ds-fr rails db:environment:set \
&& ds-fr rails db:schema:load \
&& ds-fr rails db:seed \
&& touch ${cfg.dataDir}/.initial-migration
inherit (cfg) environment;
ds-fr rake db:migrate
ds-fr rake after_party:run
'';
};
after = [ "demarches-simplifiees.service" ];
wantedBy = [ "multi-user.target" ];
bindsTo = [ "demarches-simplifiees.service" ];
partOf = [ "demarches-simplifiees.service" ];
ds-fr-work = {
description = "Demarches Simplifiees work service";
serviceConfig = serviceConfig // {
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.finalPackage "rails")
"jobs:work"
];
};
};
wantedBy = [
"multi-user.target"
"ds-fr.service"
];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
weasyprint-server = {
description = "Weasyprint server";
wantedBy = [ "multi-user.target" ];
environment = {
BASE_URL = "https://${cfg.host}";
LOG_DIR = "/var/log/weasyprint";
UWSGI_PYTHONPATH = weasyprintEnv;
UWSGI_MODULE = "wgsi:app";
};
serviceConfig = {
DynamicUser = true;
Type = "notify";
WorkingDirectory = cfg.finalPackage.weasyprint_server;
LogsDirectory = "weasyprint";
ExecStart = escapeSystemdExecArgs [
(getExe (pkgs.uwsgi.override { plugins = [ "python3" ]; }))
"--http-socket"
"127.0.0.1:${builtins.toString cfg.weasyprintPort}"
"--processes=4"
"--enable-threads"
];
NotifyAccess = "all";
KillSignal = "SIGQUIT";
ExecReload = "${getExe' pkgs.coreutils "kill"} -HUP $MainPID";
ExecStop = "${getExe' pkgs.coreutils "kill"} -INT $MainPID";
ProtectSystem = "full";
ProtectHome = true;
NoNewPrivileges = true;
PrivateDevices = true;
};
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
ds-fr = {
description = "Demarches Simplifiees web service";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
path = [ pkgs.imagemagick ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails server";
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
};
services = {
demarches-simplifiees.environment =
# Hardcoded values
{
demarches-simplifiees.settings =
(builtins.mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.package;
# Application host name
#
# Examples:
# * For local development: localhost:3000
# * For preproduction: staging.ds.example.org
# * For production: ds.example.org
APP_HOST = cfg.host;
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = "ds-fr";
DB_HOST = "/run/postgresql";
DB_PORT = "5432";
# The variables must be present even if empty...
DB_PASSWORD = "";
DB_POOL = "";
# Jobs configuration
RAILS_QUEUE_ADAPTER = "delayed_job";
# Log on stdout
RAILS_LOG_TO_STDOUT = "true";
# Package version
__DS_VERSION = cfg.finalPackage.version;
# Weasyprint endpoint generating attestations v2
# See https://github.com/demarches-simplifiees/weasyprint_server
WEASYPRINT_URL = "http://127.0.0.1:${builtins.toString cfg.weasyprintPort}/pdf";
}
// (mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.finalPackage;
APP_HOST = "localhost:3000";
# Rails key for signing sensitive data
# See https://guides.rubyonrails.org/security.html
@ -324,6 +256,18 @@ in
# SAML
SAML_IDP_ENABLED = "disabled";
# External service: authentication through France Connect
FC_PARTICULIER_ID = "";
FC_PARTICULIER_SECRET = "";
FC_PARTICULIER_BASE_URL = "";
# External service: authentication through Agent Connect
AGENT_CONNECT_ID = "";
AGENT_CONNECT_SECRET = "";
AGENT_CONNECT_BASE_URL = "";
AGENT_CONNECT_JWKS = "";
AGENT_CONNECT_REDIRECT = "";
# External service: integration with HelpScout (optional)
HELPSCOUT_MAILBOX_ID = "";
HELPSCOUT_CLIENT_ID = "";
@ -373,6 +317,9 @@ in
# https://api.gouv.fr/api/api-entreprise.html
API_ENTREPRISE_KEY = "";
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
PIPEDRIVE_KEY = "";
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
TRUSTED_NETWORKS = "";
@ -381,7 +328,7 @@ in
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
# Enable or disable Lograge logs
LOGRAGE_ENABLED = "enabled";
LOGRAGE_ENABLED = "disabled";
# Logs source for Lograge
#
@ -418,42 +365,57 @@ in
# Siret number used for API Entreprise, by default we use SIRET from dinum
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
})
// {
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = cfg.user;
DB_PASSWORD = "";
DB_HOST = "/run/postgresql";
DB_POOL = "";
# Date from which email validation requires a TLD in email adresses.
# This change had been introduced by : cc53946d221d6f64c365ad6c6c4c544802eb94b4
# Records (users, …) created before this date won't be affected. See #9978
# To set a date, we recommend using *the day after* you have deployed this commit,
# so existing records won't be invalid.
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-19";
});
# Log on stdout
RAILS_LOG_TO_STDOUT = true;
};
postgresql = {
enable = true;
ensureDatabases = [ "ds-fr" ];
ensureUsers = [
{
name = "ds-fr";
ensureDBOwnership = true;
}
];
ensureUsers = optional (cfg.user == "ds-fr") {
name = "ds-fr";
ensureDBOwnership = true;
};
extensions = [ config.services.postgresql.package.pkgs.postgis ];
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
};
nginx = {
enable = true;
virtualHosts.${cfg.host} = {
virtualHosts.${cfg.settings.APP_HOST} = {
enableACME = true;
forceSSL = true;
root = "${cfg.finalPackage}/public/";
root = "${cfg.package}/public/";
locations."/".tryFiles = "$uri @proxy";
locations."@proxy".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
locations."@proxy" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
};
users.users = mkIf (cfg.user == "ds-fr") {
ds-fr = {
inherit (cfg) group;
isSystemUser = true;
home = cfg.package;
};
};
users.groups.${cfg.group} = { };
};
}

126
machines/nixos/compute01/extranix/default.nix
View file

@ -1,126 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
pkgs,
meta,
bootstrap,
sources,
dgn-keys,
...
}:
let
inherit (lib.extra) mkImports;
host = "search.infra.dgnum.eu";
in
{
services = {
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
};
extranix = {
enable = true;
theme = pkgs.fetchFromGitea {
domain = "git.dgnum.eu";
owner = "DGNum";
repo = "extranix-theme";
rev = "99e14ca818fb1f664a2221e1cc8394325426b446";
hash = "sha256-mDa03Y3Lf/piBzxTyiNj/8OI2rYEW5Pn99lXVL9EQmg=";
};
modules = {
"netconf" = {
paths = mkImports bootstrap.root [
"modules/netconf"
"modules/generic"
"lib/netconf-junos"
];
path-translations = [
{
base = bootstrap.root;
url = "https://git.dgnum.eu/DGNum/infrastructure/src/branch/main/";
}
];
};
"DGNum Infrastructure" =
let
# prefer a non-patched nixpkgs
infra-nixpkgs = bootstrap.pkgs;
infra-modulesPath = "${infra-nixpkgs.path}/nixos/modules/";
in
{
paths = mkImports bootstrap.root [
"modules/generic"
"modules/nixos"
];
ignored-modules = (import "${infra-modulesPath}/module-list.nix") ++ [
"${sources.agenix}/modules/age.nix"
"${sources.arkheon}/module.nix"
"${sources."microvm.nix"}/nixos-modules/host"
"${sources.cgroup-exporter}/nix/module.nix"
{ system.stateVersion = "25.05"; }
];
specialArgs = {
inherit meta sources;
modulesPath = builtins.storePath infra-modulesPath;
pkgs = infra-nixpkgs;
inherit (infra-nixpkgs) lib;
name = "nodeName";
nodeMeta = {
nix-modules = [ ];
admins = [ ];
adminGroups = [ ];
};
dgn-keys = dgn-keys // {
getNodeAdmins = _: [ ];
};
};
path-translations = [
{
base = bootstrap.root;
url = "https://git.dgnum.eu/DGNum/infrastructure/src/branch/main/";
}
{
base = sources.nix-modules;
url = "https://git.hubrecht.ovh/hubrecht/nix-modules/src/branch/main/";
}
{
base = infra-modulesPath;
url = "https://github.com/NixOS/nixpkgs/tree/master/nixos/modules";
}
];
};
};
inherit host;
index = "DGNum Infrastructure";
settings = {
baseUrl = "https://dgnum.eu/";
title = "DGNum module documentation";
languageCode = "en-us";
params = {
logo = "images/dgnum.png";
release_switch_title = "Category";
footer_credits_line = ''
Based on <a href="https://github.com/mipmip/home-manager-option-search">Home Manager Option Search</a>
'';
footer_copyright_line = ''
Made by catvayor for the <a href="https://dgnum.eu">DGNum</a>.
'';
main_menu = [
{
name = ''<img src="images/forgejo.png" /> Source'';
url = "https://git.dgnum.eu/DGNum/infrastructure/";
}
];
};
};
};
};
}

36
machines/nixos/compute01/grafana/default.nix → machines/nixos/compute01/grafana.nix
View file

@ -1,13 +1,4 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
meta,
...
}:
{ config, ... }:
let
host = "grafana.dgnum.eu";
@ -23,9 +14,9 @@ in
settings = {
"auth.generic_oauth" = {
api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo";
api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
auth_url = "https://sso.dgnum.eu/ui/oauth2";
client_id = "dgn_grafana";
client_id = "grafana_dgn";
client_secret = file "oauth_client_secret";
enabled = true;
id_token_attribute_name = "sub";
@ -67,27 +58,6 @@ in
auto_assign_org_role = "Admin";
};
};
declarativePlugins = import ./plugins.nix { inherit pkgs; };
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "VictoriaLogs";
type = "victoriametrics-logs-datasource";
access = "proxy";
url = "http://${meta.network.storage01.netbirdIp}:9428";
}
{
name = "VictoriaMetrics";
type = "victoriametrics-metrics-datasource";
access = "proxy";
url = "http://${meta.network.storage01.netbirdIp}:8428";
}
];
};
};
postgresql = {

19
machines/nixos/compute01/grafana/plugins.nix
View file

@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
builtins.map pkgs.grafanaPlugins.grafanaPlugin [
{
pname = "victoriametrics-logs-datasource";
version = "0.14.3";
zipHash = "sha256-g/ntmNyWJ9h/eYpZ0gqiESvVfm2fU6/Ci8R7FHIV7AQ=";
}
{
pname = "victoriametrics-metrics-datasource";
version = "0.13.1";
zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
}
]

4
machines/nixos/compute01/hedgedoc.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let

64
machines/nixos/compute01/kanidm/default.nix
View file

@ -1,11 +1,6 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
meta,
...
}:
@ -47,7 +42,7 @@ in
services.kanidm = {
enableServer = true;
package = pkgs.kanidm_1_5;
# package = nixpkgs.unstable.kanidm;
serverSettings = {
inherit domain;
@ -81,17 +76,12 @@ in
) meta.organization.members;
groups =
(lib.extra.genFuse (id: { "vlan_${builtins.toString (4094 - id)}".memberless = true; }) 850)
// {
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
grp-ext_cri.memberless = true;
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups)
// (mapAttrs' (
name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
) meta.organization.services);
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
@ -99,7 +89,7 @@ in
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/login/generic_oauth";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
@ -114,7 +104,7 @@ in
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/auth/kanidm/callback";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
@ -128,7 +118,7 @@ in
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/index";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
@ -144,10 +134,7 @@ in
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = [
"https://netbox.dgnum.eu/oauth/complete/oidc/"
"https://netbox-v2.dgnum.eu/oauth/complete/oidc/"
];
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
@ -155,48 +142,13 @@ in
"profile"
"email"
];
scopeMaps.grp-ext_cri = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_docs = {
displayName = "SuiteNumérique Docs [Docs]";
originUrl = "https://docs.lab.dgnum.eu/api/v1.0/callback/";
originLanding = "https://docs.lab.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_visio = {
displayName = "SuiteNumérique Visio [Visio]";
originUrl = "https://visio.lab.dgnum.eu/api/v1.0/callback/";
originLanding = "https://visio.lab.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"

14
machines/nixos/compute01/kanidm/secrets/secrets.nix
View file

@ -1,10 +1,4 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../../keys.nix).mkSecrets
[ "compute01" ]
[
"kanidm-password_admin"
"kanidm-password_idm_admin"
]
(import ../../../../../keys).mkSecrets [ "compute01" ] [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

6
machines/nixos/compute01/librenms/default.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
@ -18,7 +14,7 @@ in
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
(old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-J/whSL1keEZKkfOtHpkJ2vSrN/s+DpUGb6RBXpQZQXg=";
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
});
hostname = host;

55
machines/nixos/compute01/librenms/kanidm.patch
View file

@ -1,50 +1,63 @@
diff --git a/composer.json b/composer.json
index af8168f4c..1775f150e 100644
index 13571c07c..dbe810a57 100644
--- a/composer.json
+++ b/composer.json
@@ -54,6 +54,7 @@
@@ -11,6 +11,12 @@
"snmp",
"distributed"
],
+ "repositories": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/Tom-Hubrecht/Kanidm"
+ }
+ ],
"homepage": "https://www.librenms.org/",
"license": "GPL-3.0-or-later",
"require": {
@@ -49,6 +55,7 @@
"phpmailer/phpmailer": "~6.0",
"predis/predis": "^2.0",
"silber/bouncer": "^1.0",
+ "socialiteproviders/kanidm": "^5.0",
+ "socialiteproviders/kanidm": "^0.1.4",
"socialiteproviders/manager": "^4.3",
"spatie/laravel-ignition": "^2.0",
"symfony/yaml": "^6.2",
diff --git a/composer.lock b/composer.lock
index 3d89a1530..a00c5f307 100644
index b26090101..aa1fd3cef 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "fee5d24447dced4397e26066f8c9ee59",
+ "content-hash": "b9316a47587c8e6f6b0adbe3d54777f3",
- "content-hash": "21dbcfec63eafb1ae9172473314a57f8",
+ "content-hash": "16c250180b65a1f71acd5653914d7037",
"packages": [
{
"name": "amenadiel/jpgraph",
@@ -5906,6 +5906,56 @@
@@ -5244,6 +5244,55 @@
},
"time": "2023-02-10T16:47:25+00:00"
},
+ {
+ "name": "socialiteproviders/kanidm",
+ "version": "5.0.0",
+ "version": "v0.1.4",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/SocialiteProviders/Kanidm.git",
+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd"
+ "url": "https://github.com/Tom-Hubrecht/Kanidm.git",
+ "reference": "b87d75b8342e00c46ef1c29c42e92b629bb206b1"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/SocialiteProviders/Kanidm/zipball/111ad45941e7150e3219ddfdeb8159f758bde2fd",
+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd",
+ "url": "https://api.github.com/repos/Tom-Hubrecht/Kanidm/zipball/b87d75b8342e00c46ef1c29c42e92b629bb206b1",
+ "reference": "b87d75b8342e00c46ef1c29c42e92b629bb206b1",
+ "shasum": ""
+ },
+ "require": {
+ "ext-json": "*",
+ "php": "^8.0",
+ "socialiteproviders/manager": "^4.4"
+ "socialiteproviders/manager": "^4.3"
+ },
+ "type": "library",
+ "autoload": {
@ -52,7 +65,6 @@ index 3d89a1530..a00c5f307 100644
+ "SocialiteProviders\\Kanidm\\": ""
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
@ -71,12 +83,19 @@ index 3d89a1530..a00c5f307 100644
+ "socialite"
+ ],
+ "support": {
+ "docs": "https://socialiteproviders.com/kanidm",
+ "issues": "https://github.com/socialiteproviders/providers/issues",
+ "source": "https://github.com/socialiteproviders/providers"
+ "source": "https://github.com/socialiteproviders/providers",
+ "docs": "https://socialiteproviders.com/kanidm"
+ },
+ "time": "2024-02-19T19:49:21+00:00"
+ "time": "2024-02-18T14:12:08+00:00"
+ },
{
"name": "socialiteproviders/manager",
"version": "v4.6.0",
"version": "v4.3.0",
@@ -13357,5 +13406,5 @@
"ext-zlib": "*"
},
"platform-dev": [],
- "plugin-api-version": "2.3.0"
+ "plugin-api-version": "2.6.0"
}

7
machines/nixos/compute01/librenms/module.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
@ -401,8 +397,7 @@ in
"distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;
"distributed_poller_memcached_port" = cfg.distributedPoller.memcachedPort;
"rrdcached" =
"${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
"rrdcached" = "${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
})
// (lib.optionalAttrs cfg.useDistributedPollers {
"distributed_poller" = true;

5
machines/nixos/compute01/mastodon.nix
View file

@ -1,8 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let

74
machines/nixos/compute01/netbox.nix
View file

@ -1,74 +0,0 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
...
}:
let
EnvironmentFile = [ config.age.secrets."netbox-environment_file".path ];
in
{
services = {
netbox = {
enable = true;
package = pkgs.netbox_4_1;
secretKeyFile = "/dev/null";
listenAddress = "127.0.0.1";
plugins = p: [ p.netbox-qrcode ];
settings = {
ALLOWED_HOSTS = [ "netbox-v2.dgnum.eu" ];
REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
PLUGINS = [ "netbox_qrcode" ];
PLUGINS_CONFIG = {
netbox_qrcode = {
custom_text = "DGNum. contact@dgnum.eu";
font = "Tahoma";
};
};
};
extraConfig = lib.mkForce ''
from os import environ as env
SECRET_KEY = env["SECRET_KEY"]
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
'';
};
};
systemd.services = {
netbox.serviceConfig = {
inherit EnvironmentFile;
TimeoutStartSec = 600;
};
netbox-housekeeping.serviceConfig = {
inherit EnvironmentFile;
};
netbox-rq.serviceConfig = {
inherit EnvironmentFile;
};
};
users.users.nginx.extraGroups = [ "netbox" ];
dgn-web.simpleProxies.netbox = {
inherit (config.services.netbox) port;
host = "netbox-v2.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
# dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
# dgn-backups.postgresDatabases = [ "netbox" ];
}

307
machines/nixos/compute01/nextcloud.nix
View file

@ -1,12 +1,4 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
...
}:
{ config, pkgs, ... }:
let
host = "cloud.dgnum.eu";
@ -15,172 +7,182 @@ let
port = 9980;
in
{
services.nextcloud = {
enable = true;
hostName = host;
services = {
nextcloud = {
enable = true;
hostName = host;
package = pkgs.nextcloud29;
package = pkgs.nextcloud30;
https = true;
https = true;
config = {
dbtype = "pgsql";
config = {
dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
objectstore.s3 = {
enable = true;
objectstore.s3 = {
enable = true;
hostname = "s3.dgnum.eu";
region = "garage";
usePathStyle = true;
port = 443;
hostname = "s3.dgnum.eu";
region = "garage";
usePathStyle = true;
port = 443;
bucket = "nextcloud-dgnum";
key = "GKda5367c73ca607c349d83c35";
verify_bucket_exists = false;
secretFile = config.age.secrets."nextcloud-s3_secret_file".path;
};
};
maxUploadSize = "4G";
poolSettings = {
pm = "dynamic";
"pm.max_children" = 64;
"pm.max_requests" = "500";
"pm.max_spare_servers" = "8";
"pm.min_spare_servers" = "4";
"pm.start_servers" = "6";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
database.createLocally = true;
configureRedis = true;
autoUpdateApps.enable = false;
settings = {
overwriteprotocol = "https";
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
default_phone_region = "FR";
trusted_proxies = [ "::1" ];
allow_local_remote_servers = true;
maintenance_window_start = 1;
"memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}";
"memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
bucket = "nextcloud-dgnum";
key = "GKda5367c73ca607c349d83c35";
verify_bucket_exists = false;
secretFile = config.age.secrets."nextcloud-s3_secret_file".path;
};
};
collabora-online = {
enable = true;
maxUploadSize = "4G";
inherit port;
settings = {
server_name = "code.dgnum.eu";
ssl = {
enable = false;
termination = true;
};
remote_font_config.url = "https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
net.proto = "IPv4";
};
aliasGroups = [ { host = "https://cloud.dgnum.eu"; } ];
poolSettings = {
pm = "dynamic";
"pm.max_children" = 64;
"pm.max_requests" = "500";
"pm.max_spare_servers" = "8";
"pm.min_spare_servers" = "4";
"pm.start_servers" = "6";
};
nginx.virtualHosts = {
${host} = {
enableACME = true;
forceSSL = true;
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
extraConfig = ''
proxy_max_temp_file_size 4096m;
'';
};
database.createLocally = true;
configureRedis = true;
"code.dgnum.eu" = {
forceSSL = true;
enableACME = true;
autoUpdateApps.enable = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
settings = {
overwriteprotocol = "https";
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
default_phone_region = "FR";
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
trusted_proxies = [ "::1" ];
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
allow_local_remote_servers = true;
maintenance_window_start = 1;
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
"memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}";
"memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
};
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
};
virtualisation.oci-containers = {
containers.collabora = {
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
};
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
};
extraOptions = [
"--network=host"
"--cap-add"
"MKNOD"
"--cap-add"
"SYS_ADMIN"
];
};
};
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_max_temp_file_size 4096m;
'';
};
"code.dgnum.eu" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
};
};
systemd.services = {
nextcloud-preview = {
description = "Generate preview for nextcloud media.";
@ -194,19 +196,10 @@ in
nextcloud-cron.path = [ pkgs.perl ];
};
users.users.cool = {
home = "/var/lib/cool/home";
createHome = true;
};
environment.systemPackages = [ pkgs.ffmpeg_6-headless ];
networking.hosts = {
"129.199.146.148" = [ "s3.dgnum.eu" ];
"129.199.146.147" = [
"code.dgnum.eu"
"cloud.dgnum.eu"
];
};
age-secrets.autoMatch = [ "nextcloud" ];

5
machines/nixos/compute01/ollama-proxy.nix
View file

@ -1,8 +1,3 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
{
services.nginx = {

12
machines/nixos/compute01/outline.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
@ -28,10 +24,10 @@ in
publicUrl = "https://${host}";
oidcAuthentication = {
clientId = "dgn_outline";
clientId = "outline_dgn";
authUrl = "https://sso.dgnum.eu/ui/oauth2";
tokenUrl = "https://sso.dgnum.eu/oauth2/token";
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/dgn_outline/userinfo";
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
displayName = "DGNum SSO";
clientSecretFile = config.age.secrets."outline-oidc_client_secret_file".path;
@ -45,9 +41,7 @@ in
dgn-web.simpleProxies.outline = {
inherit host port;
vhostConfig.locations."/robots.txt".return =
''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
proxyWebsockets = true;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
age-secrets.autoMatch = [ "outline" ];

4
machines/nixos/compute01/plausible.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let

4
machines/nixos/compute01/postgresql.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
{

59
machines/nixos/compute01/pretalx.nix
View file

@ -1,59 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
{
services.nginx.virtualHosts.${config.services.pretalx.nginx.domain} = {
enableACME = true;
forceSSL = true;
};
services.pretalx = {
enable = true;
package = pkgs.pretalx.overrideAttrs (old: {
disabledTests = old.disabledTests ++ [
# Does not work in CI !?
"test_documentation_includes_config_options"
];
});
plugins = with config.services.pretalx.package.plugins; [
pages
venueless
];
nginx = {
enable = true;
domain = "pretalx.dgnum.eu";
};
environmentFile = config.age.secrets."pretalx-environment_file".path;
settings = {
files.upload_limit = 50;
mail = {
from = "pretalx@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
ssl = true;
user = "web-services@infra.dgnum.eu";
};
logging.email = "admins+pretalx@dgnum.eu";
locale = {
language_code = "fr";
time_zone = "Europe/Paris";
};
};
};
dgn-backups = {
postgresDatabases = [ "pretalx" ];
jobs.pretix.settings.paths = [ "/var/lib/pretalx" ];
};
}

55
machines/nixos/compute01/pretix.nix
View file

@ -1,55 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{
services.nginx.virtualHosts.${config.services.pretix.nginx.domain} = {
enableACME = true;
forceSSL = true;
};
services.pretix = {
enable = true;
plugins = with config.services.pretix.package.plugins; [
pages
passbook
];
nginx = {
enable = true;
domain = "pretix.dgnum.eu";
};
environmentFile = config.age.secrets."pretix-environment_file".path;
settings = {
pretix = {
instance_name = "pretix.dgnum.eu";
url = "https://${config.services.pretix.nginx.domain}";
};
mail = {
admins = "admins+pretix@dgnum.eu";
from = "pretix@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
ssl = "on";
user = "web-services@infra.dgnum.eu";
};
locale = {
default = "fr";
timezone = "Europe/Paris";
};
};
};
dgn-backups = {
postgresDatabases = [ "pretix" ];
jobs.pretix.settings.paths = [ "/var/lib/pretix" ];
};
}

4
machines/nixos/compute01/rstudio-server.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let

4
machines/nixos/compute01/satosa/default.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let

4
machines/nixos/compute01/satosa/module.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,

4
machines/nixos/compute01/satosa/package/cookies-samesite-compat.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

4
machines/nixos/compute01/satosa/package/default.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs }:
let

4
machines/nixos/compute01/satosa/package/oic.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

4
machines/nixos/compute01/satosa/package/pydantic-core.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

4
machines/nixos/compute01/satosa/package/pydantic-settings.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

4
machines/nixos/compute01/satosa/package/pydantic.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

4
machines/nixos/compute01/satosa/package/pyop.nix
View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

Some files were not shown because too many files have changed in this diff Show more