Compare commits
28 commits
main
...
colmena-li
Author | SHA1 | Date | |
---|---|---|---|
ed285ba79d | |||
d29deeae56 | |||
4ed0c435ba | |||
c08d6c464f | |||
46d07da404 | |||
99902d2bb8 | |||
c0ec57ef22 | |||
337a71a169 | |||
9bf83a60fe | |||
994e593d3b | |||
adb843dd8b | |||
45b106190f | |||
0b94fb5ba7 | |||
4fb39070bb | |||
47231417cc | |||
afd92ab203 | |||
270eb4b106 | |||
04cb0a9f04 | |||
c4d9d6d000 | |||
be1673c6aa | |||
8b66b2b7c3 | |||
3ed6ecba31 | |||
5a8fe24dce | |||
0a948e6148 | |||
41ca207b41 | |||
aa6b082b81 | |||
17b2345a02 | |||
fde8f66ea7 |
218 changed files with 3069 additions and 10418 deletions
1
.envrc
1
.envrc
|
@ -1,2 +1 @@
|
|||
watch_file workflows/*
|
||||
use nix
|
||||
|
|
|
@ -1,16 +1,3 @@
|
|||
jobs:
|
||||
check_dns:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check the validity of the DNS configuration
|
||||
run: nix-build meta/verify.nix -A dns
|
||||
check_meta:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check the validity of meta options
|
||||
run: nix-build meta/verify.nix -A meta
|
||||
name: Check meta
|
||||
on:
|
||||
pull_request:
|
||||
|
@ -18,4 +5,21 @@ on:
|
|||
- main
|
||||
push:
|
||||
paths:
|
||||
- meta/*
|
||||
- 'meta/*'
|
||||
|
||||
jobs:
|
||||
check_meta:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Check the validity of meta options
|
||||
run: nix-build meta/verify.nix -A meta
|
||||
|
||||
check_dns:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Check the validity of the DNS configuration
|
||||
run: nix-build meta/verify.nix -A dns --no-out-link
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
jobs:
|
||||
check_workflows:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check that the workflows are up to date
|
||||
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
|
||||
-eq 0 ]'
|
||||
name: Check workflows
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
paths:
|
||||
- workflows/*
|
56
.forgejo/workflows/ds-fr.yaml
Normal file
56
.forgejo/workflows/ds-fr.yaml
Normal file
|
@ -0,0 +1,56 @@
|
|||
name: ds-fr update
|
||||
on:
|
||||
schedule:
|
||||
- cron: "26 18 * * wed"
|
||||
|
||||
jobs:
|
||||
npins_update:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||
|
||||
- name: Update DS and open PR if necessary
|
||||
run: |
|
||||
# Fetch the latest release tag
|
||||
VERSION=$(curl -L \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
|
||||
| jq -r '.tag_name')
|
||||
|
||||
# Move to the ds-fr directory
|
||||
cd machines/compute01/ds-fr/package
|
||||
|
||||
# Run the update script
|
||||
./update.sh -v "$VERSION"
|
||||
|
||||
if [ ! -z "$(git diff --name-only)" ]; then
|
||||
echo "[+] Changes detected, pushing updates."
|
||||
|
||||
git switch -C ds-update
|
||||
|
||||
git add .
|
||||
|
||||
git config user.name "DGNum Chores"
|
||||
git config user.email "tech@dgnum.eu"
|
||||
|
||||
git commit --message "chore(ds-fr): Update"
|
||||
git push --set-upstream origin ds-update --force
|
||||
|
||||
# Connect to the server with the cli
|
||||
tea login add \
|
||||
-n dgnum-chores \
|
||||
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
|
||||
-u https://git.dgnum.eu
|
||||
|
||||
# Create a pull request if needed
|
||||
# i.e. no PR with the same title exists
|
||||
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
|
||||
tea pr create \
|
||||
--description "Automatic ds-fr update" \
|
||||
--title "chore(ds-fr): Update" \
|
||||
--head ds-update
|
||||
fi
|
||||
fi
|
|
@ -1,119 +0,0 @@
|
|||
jobs:
|
||||
bridge01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: bridge01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache bridge01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
compute01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: compute01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache compute01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
geo01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: geo01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache geo01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
geo02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: geo02
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache geo02
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
rescue01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: rescue01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache rescue01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
storage01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: storage01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache storage01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
vault01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: vault01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache vault01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
web01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: web01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache web01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
web02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: web02
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache web02
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
web03:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: web03
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache web03
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
name: Build all the nodes
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
branches:
|
||||
- main
|
88
.forgejo/workflows/eval.yaml
Normal file
88
.forgejo/workflows/eval.yaml
Normal file
|
@ -0,0 +1,88 @@
|
|||
name: build configuration
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize, edited, reopened]
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
build_compute01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build compute01
|
||||
run: |
|
||||
# Enter the shell
|
||||
nix-shell --run 'colmena build --on compute01'
|
||||
|
||||
build_storage01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build storage01
|
||||
run: |
|
||||
# Enter the shell
|
||||
nix-shell --run 'colmena build --on storage01'
|
||||
|
||||
build_vault01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build vault01
|
||||
run: |
|
||||
# Enter the shell
|
||||
nix-shell --run 'colmena build --on vault01'
|
||||
|
||||
build_web01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build web01
|
||||
run: |
|
||||
# Enter the shell
|
||||
nix-shell --run 'colmena build --on web01'
|
||||
|
||||
build_web02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build web02
|
||||
run: |
|
||||
# Enter the shell
|
||||
nix-shell --run 'colmena build --on web02'
|
||||
|
||||
build_rescue01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Build rescue01
|
||||
run: |
|
||||
# Enter the shell
|
||||
nix-shell --run 'colmena build --on rescue01'
|
||||
|
||||
push_to_cache:
|
||||
runs-on: nix
|
||||
needs:
|
||||
- build_compute01
|
||||
- build_storage01
|
||||
- build_vault01
|
||||
- build_web01
|
||||
- build_web02
|
||||
- build_rescue01
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Push to cache
|
||||
run: nix-shell --run push-to-cache
|
||||
env:
|
||||
ATTIC_ENDPOINT: "https://cachix.dgnum.eu"
|
||||
ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
|
11
.forgejo/workflows/lint.yaml
Normal file
11
.forgejo/workflows/lint.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
name: lint
|
||||
on: push
|
||||
|
||||
jobs:
|
||||
check:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Run pre-commit on all files
|
||||
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
|
|
@ -1,25 +0,0 @@
|
|||
jobs:
|
||||
npins_update:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
depth: 0
|
||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||
- name: Update dependencies and open PR if necessary
|
||||
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
|
||||
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
|
||||
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
|
||||
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
|
||||
\n git push --set-upstream origin npins-update --force\n\n # Connect to
|
||||
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
|
||||
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
|
||||
\n # Create a pull request if needed\n # i.e. no PR with the same title
|
||||
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
|
||||
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
|
||||
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
|
||||
\ --head npins-update\n fi\nfi\n"
|
||||
name: npins update
|
||||
on:
|
||||
schedule:
|
||||
- cron: 25 15 * * *
|
|
@ -1,24 +1,31 @@
|
|||
{
|
||||
name = "npins update";
|
||||
on.schedule = [
|
||||
name: npins update
|
||||
on:
|
||||
schedule:
|
||||
# Run at 11 o'clock every wednesday
|
||||
{ cron = "25 15 * * *"; }
|
||||
];
|
||||
- cron: "25 15 * * *"
|
||||
|
||||
jobs.npins_update = {
|
||||
runs-on = "nix";
|
||||
steps = [
|
||||
{
|
||||
uses = "actions/checkout@v3";
|
||||
"with" = {
|
||||
depth = 0;
|
||||
token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
|
||||
};
|
||||
}
|
||||
jobs:
|
||||
npins_update:
|
||||
runs-on: nix
|
||||
steps:
|
||||
# - name: Install applications
|
||||
# run: apt-get update && apt-get install sudo
|
||||
#
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
depth: 0
|
||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||
#
|
||||
# - uses: https://github.com/cachix/install-nix-action@v22
|
||||
# with:
|
||||
# nix_path: nixpkgs=channel:nixos-unstable
|
||||
|
||||
{
|
||||
name = "Update dependencies and open PR if necessary";
|
||||
run = ''
|
||||
# - name: Install tea
|
||||
# run: |
|
||||
# nix-env -f '<nixpkgs>' -i tea
|
||||
|
||||
- name: Update dependencies and open PR if necessary
|
||||
run: |
|
||||
npins update
|
||||
|
||||
if [ ! -z "$(git diff --name-only)" ]; then
|
||||
|
@ -37,7 +44,7 @@
|
|||
# Connect to the server with the cli
|
||||
tea login add \
|
||||
-n dgnum-chores \
|
||||
-t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
|
||||
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
|
||||
-u https://git.dgnum.eu
|
||||
|
||||
# Create a pull request if needed
|
||||
|
@ -49,8 +56,3 @@
|
|||
--head npins-update
|
||||
fi
|
||||
fi
|
||||
'';
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
jobs:
|
||||
check:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Run pre-commit on all files
|
||||
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
|
||||
pre-push --show-diff-on-failure'
|
||||
name: Run pre-commit on all files
|
||||
on:
|
||||
- push
|
||||
- pull_request
|
107
README.md
107
README.md
|
@ -8,110 +8,3 @@ Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.
|
|||
You're expected to read this document before commiting to the repo.
|
||||
|
||||
Some documentation for the development tools are provided in the aforementioned file.
|
||||
|
||||
# Using the binary cache
|
||||
|
||||
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
|
||||
```
|
||||
{ lib, ... }:
|
||||
let
|
||||
dgnum-infra = PINNED_PATH_TO_INFRA;
|
||||
in {
|
||||
nix.settings = (import dgnum-infra { }).mkCacheSettings {
|
||||
caches = [ "infra" ];
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
# Adding a new machine
|
||||
|
||||
The first step is to create a minimal viable NixOS host, using tha means necessary.
|
||||
The second step is to find a name for this host, it must be unique from the other hosts.
|
||||
|
||||
> [!TIP]
|
||||
> For the rest of this part, we assume that the host is named `host02`
|
||||
|
||||
## Download the keys
|
||||
|
||||
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
|
||||
|
||||
It can be retreived with :
|
||||
|
||||
```bash
|
||||
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
|
||||
```
|
||||
|
||||
## Initialize the machine folder and configuration
|
||||
|
||||
- Create a folder `host02` under `machines/`
|
||||
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
|
||||
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
|
||||
|
||||
```nix
|
||||
{ lib, ... }:
|
||||
|
||||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
# List of services to enable
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
services.netbird.enable = true;
|
||||
};
|
||||
|
||||
root = ./.;
|
||||
}
|
||||
```
|
||||
|
||||
## Fill in the metadata
|
||||
|
||||
### Network configuration
|
||||
|
||||
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
|
||||
|
||||
```bash
|
||||
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
|
||||
```
|
||||
|
||||
### Other details
|
||||
|
||||
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
|
||||
|
||||
- `site`, where the node is physically located
|
||||
- `stateVersion`
|
||||
- `nixpkgs`, the nixpkgs version to use
|
||||
|
||||
## Initialize secrets
|
||||
|
||||
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
|
||||
|
||||
```nix
|
||||
(import ../../../keys).mkSecrets [ "host02" ] [
|
||||
# List of secrets for host02
|
||||
]
|
||||
```
|
||||
|
||||
This will be used for future secret management.
|
||||
|
||||
## Update encrypted files
|
||||
|
||||
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
|
||||
|
||||
```bash
|
||||
agenix -r
|
||||
```
|
||||
|
||||
## Commit and create a PR
|
||||
|
||||
Once all of this is done, check that the configuration builds correctly :
|
||||
|
||||
```bash
|
||||
colmena build --on host02
|
||||
```
|
||||
|
||||
Apply it, and create a Pull Request.
|
||||
|
|
105
default.nix
105
default.nix
|
@ -34,63 +34,28 @@
|
|||
termes.
|
||||
*/
|
||||
|
||||
{
|
||||
sources ? import ./npins,
|
||||
pkgs ? import sources.nixpkgs { },
|
||||
nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (pkgs.lib)
|
||||
isFunction
|
||||
mapAttrs
|
||||
mapAttrs'
|
||||
nameValuePair
|
||||
removeSuffix
|
||||
;
|
||||
|
||||
git-checks = (import sources.git-hooks).run {
|
||||
sources = import ./npins;
|
||||
pkgs = import sources.nixpkgs { };
|
||||
pre-commit-check = (import sources.pre-commit-hooks).run {
|
||||
src = ./.;
|
||||
|
||||
hooks = {
|
||||
statix = {
|
||||
# Nix Hooks
|
||||
statix.enable = true;
|
||||
deadnix.enable = true;
|
||||
rfc101 = {
|
||||
enable = true;
|
||||
stages = [ "pre-push" ];
|
||||
settings.ignore = [
|
||||
"**/lon.nix"
|
||||
"**/npins"
|
||||
];
|
||||
};
|
||||
|
||||
deadnix = {
|
||||
enable = true;
|
||||
stages = [ "pre-push" ];
|
||||
};
|
||||
|
||||
nixfmt-rfc-style = {
|
||||
enable = true;
|
||||
stages = [ "pre-push" ];
|
||||
|
||||
name = "RFC-101 formatting";
|
||||
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
|
||||
files = "\\.nix$";
|
||||
};
|
||||
|
||||
# Misc Hooks
|
||||
commitizen.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
workflows = (import sources.nix-actions { inherit pkgs; }).install {
|
||||
src = ./.;
|
||||
|
||||
workflows = mapAttrs' (
|
||||
name: _:
|
||||
nameValuePair (removeSuffix ".nix" name) (
|
||||
let
|
||||
w = import ./workflows/${name};
|
||||
in
|
||||
if isFunction w then w { inherit (pkgs) lib; } else w
|
||||
)
|
||||
) (builtins.readDir ./workflows);
|
||||
};
|
||||
|
||||
scripts = import ./scripts { inherit pkgs; };
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -100,37 +65,39 @@ in
|
|||
|
||||
dns = import ./meta/dns.nix;
|
||||
|
||||
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
|
||||
|
||||
devShell = pkgs.mkShell {
|
||||
shells = {
|
||||
default = pkgs.mkShell {
|
||||
name = "dgnum-infra";
|
||||
|
||||
packages = [
|
||||
(pkgs.nixos-generators.overrideAttrs (_: {
|
||||
version = "1.8.0-unstable";
|
||||
src = sources.nixos-generators;
|
||||
}))
|
||||
pkgs.npins
|
||||
|
||||
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
|
||||
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
||||
] ++ (builtins.attrValues scripts);
|
||||
packages =
|
||||
(with pkgs; [
|
||||
npins
|
||||
nixos-generators
|
||||
attic-client
|
||||
picocom
|
||||
kanidm # for remote SSO operations
|
||||
freeradius # for radtest
|
||||
(callPackage (sources.liminix + "/pkgs/min-copy-closure") { nix = pkgs.lix; })
|
||||
(callPackage (sources.liminix + "/pkgs/min-collect-garbage") { nix = pkgs.lix; })
|
||||
(callPackage (sources.liminix + "/pkgs/tufted") { })
|
||||
(callPackage (sources.disko + "/package.nix") { })
|
||||
(callPackage ./lib/colmena { colmena = import sources.colmena; })
|
||||
])
|
||||
++ (import ./scripts { inherit pkgs; });
|
||||
|
||||
shellHook = ''
|
||||
${git-checks.shellHook}
|
||||
${workflows.shellHook}
|
||||
${pre-commit-check.shellHook}
|
||||
'';
|
||||
|
||||
preferLocalBuild = true;
|
||||
};
|
||||
|
||||
###
|
||||
# Alternative shells
|
||||
pre-commit = pkgs.mkShell {
|
||||
name = "pre-commit-shell";
|
||||
|
||||
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
|
||||
pre-commit.shellHook = git-checks.shellHook;
|
||||
check-workflows.shellHook = workflows.shellHook;
|
||||
eval-nodes.packages = [ scripts.cache-node ];
|
||||
shellHook = ''
|
||||
${pre-commit-check.shellHook}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
136
hive.nix
136
hive.nix
|
@ -1,47 +1,90 @@
|
|||
let
|
||||
sources' = import ./npins;
|
||||
sources = import ./npins;
|
||||
|
||||
# Patch sources directly
|
||||
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
|
||||
.applyPatches' sources';
|
||||
lib = import (sources.nix-lib + "/src/trivial.nix");
|
||||
lib' = (import sources.nixos-unstable { }).lib;
|
||||
|
||||
nix-lib = import ./lib/nix-lib;
|
||||
|
||||
patch = import ./lib/nix-patches { patchFile = ./patches; };
|
||||
patch = import sources.nix-patches { patchFile = ./patches; };
|
||||
|
||||
nodes' = import ./meta/nodes.nix;
|
||||
nodes = builtins.attrNames nodes';
|
||||
|
||||
mkNode = node: {
|
||||
# Import the base configuration for each node
|
||||
imports = [ ./machines/${node}/_configuration.nix ];
|
||||
imports = builtins.map (lib.mkRel (./machines/${node})) [
|
||||
"_configuration.nix"
|
||||
"_hardware-configuration.nix"
|
||||
];
|
||||
|
||||
deployment.systemType = systemType node;
|
||||
};
|
||||
|
||||
nixpkgs' = import ./meta/nixpkgs.nix;
|
||||
|
||||
# All supported nixpkgs versions, instanciated
|
||||
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
|
||||
nixpkgs = lib.mapSingleFuse (
|
||||
s: lib.mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions.supported
|
||||
) nixpkgs'.systems.supported;
|
||||
|
||||
# Get the configured nixos version for the node,
|
||||
# defaulting to the one defined in meta/nixpkgs
|
||||
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
|
||||
version = node: nodes'.${node}.nixpkgs or nixpkgs'.versions.default;
|
||||
system = node: nodes'.${node}.system or nixpkgs'.systems.default;
|
||||
systemType =
|
||||
node:
|
||||
nodes'.${node}.system
|
||||
or (lib'.warn "Not specifying the `deployment.systemType` is deprecated!" "nixos");
|
||||
|
||||
# Builds a patched version of nixpkgs, only as the source
|
||||
mkNixpkgs' =
|
||||
v:
|
||||
patch.mkNixpkgsSrc rec {
|
||||
src = sources'.${name};
|
||||
name = "nixos-${v}";
|
||||
let
|
||||
version = "nixos-${v}";
|
||||
in
|
||||
patch.mkNixpkgsSrc {
|
||||
src = sources.${version};
|
||||
inherit version;
|
||||
};
|
||||
|
||||
# Instanciates the required nixpkgs version
|
||||
mkNixpkgs = version: import (mkNixpkgs' version) { };
|
||||
mkNixpkgsConfigPerSystem =
|
||||
system: _:
|
||||
if system == "nixos" then
|
||||
{ }
|
||||
else
|
||||
(import "${sources.liminix}/devices/${system}").system
|
||||
// {
|
||||
overlays = [ (import "${sources.liminix}/overlay.nix") ];
|
||||
config = {
|
||||
allowUnsupportedSystem = true; # mipsel
|
||||
permittedInsecurePackages = [
|
||||
"python-2.7.18.8" # Python < 3 is needed for kernel backports.
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Instanciate a specialized version of nixpkgs
|
||||
mkSystemNixpkgs =
|
||||
system: version:
|
||||
let
|
||||
args = mkNixpkgsConfigPerSystem system version;
|
||||
in
|
||||
import (mkNixpkgs' version) args;
|
||||
|
||||
###
|
||||
# Function to create arguments based on the node
|
||||
#
|
||||
mkArgs = node: rec {
|
||||
lib = nixpkgs.${version node}.lib // {
|
||||
extra = nix-lib;
|
||||
mkArgs =
|
||||
node:
|
||||
let
|
||||
pkgs = nixpkgs.${system node};
|
||||
in
|
||||
rec {
|
||||
lib = import sources.nix-lib {
|
||||
inherit (pkgs.${version node}) lib;
|
||||
|
||||
nixpkgs = pkgs;
|
||||
|
||||
keysRoot = ./keys;
|
||||
};
|
||||
|
||||
meta = (import ./meta) lib;
|
||||
|
@ -51,26 +94,43 @@ let
|
|||
in
|
||||
|
||||
{
|
||||
meta = {
|
||||
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
|
||||
|
||||
specialArgs = {
|
||||
inherit nixpkgs sources;
|
||||
|
||||
dgn-keys = import ./keys;
|
||||
registry = {
|
||||
zyxel-nwa50ax = {
|
||||
evalConfig = import "${sources.liminix}/lib/eval-config.nix" {
|
||||
nixpkgs = sources.nixos-unstable;
|
||||
};
|
||||
|
||||
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
|
||||
defaults = _: {
|
||||
nixpkgs = {
|
||||
source = sources.nixos-unstable;
|
||||
config = {
|
||||
allowUnsupportedSystem = true; # mipsel
|
||||
permittedInsecurePackages = [
|
||||
"python-2.7.18.8" # Python < 3 is needed for kernel backports.
|
||||
];
|
||||
};
|
||||
hostPlatform = {
|
||||
config = "mipsel-unknown-linux-musl";
|
||||
gcc = {
|
||||
abi = "32";
|
||||
arch = "mips32"; # mips32r2?
|
||||
};
|
||||
};
|
||||
|
||||
# It's impure, but who cares?
|
||||
# Can Flakes do that?
|
||||
buildPlatform = builtins.currentSystem;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nixos = {
|
||||
evalConfig = import "${sources.nixos-unstable}/nixos/lib/eval-config.nix";
|
||||
defaults =
|
||||
{ name, nodeMeta, ... }:
|
||||
{ nodeMeta, name, ... }:
|
||||
{
|
||||
# Import the default modules
|
||||
imports = [
|
||||
./modules
|
||||
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
|
||||
];
|
||||
imports = [ ./modules ];
|
||||
|
||||
# Include default secrets
|
||||
age-secrets.sources = [ ./machines/${name}/secrets ];
|
||||
|
@ -98,5 +158,17 @@ in
|
|||
inherit (nodeMeta) stateVersion;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta = {
|
||||
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${system n}.${version n}) nodes;
|
||||
|
||||
specialArgs = {
|
||||
inherit sources;
|
||||
};
|
||||
|
||||
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
|
||||
};
|
||||
}
|
||||
// (nix-lib.mapSingleFuse mkNode nodes)
|
||||
// (lib.mapSingleFuse mkNode nodes)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
|
||||
NIXPKGS=$(nix-build nixpkgs.nix)
|
||||
|
||||
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{ lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
dgn-keys = import ../keys;
|
||||
dgn-lib = import ../lib { };
|
||||
|
||||
dgn-members = (import ../meta lib).organization.groups.root;
|
||||
dgn-members = (import ../meta lib).members.groups.root;
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -11,7 +11,7 @@ in
|
|||
|
||||
boot = {
|
||||
blacklistedKernelModules = [ "snd_pcsp" ];
|
||||
kernelPackages = pkgs.linuxPackages_latest;
|
||||
kernelPackages = pkgs.linuxPackages_6_1;
|
||||
tmp.cleanOnBoot = true;
|
||||
|
||||
loader = {
|
||||
|
@ -22,7 +22,6 @@ in
|
|||
supportedFilesystems = [
|
||||
"exfat"
|
||||
"zfs"
|
||||
"bcachefs"
|
||||
];
|
||||
|
||||
swraid.enable = lib.mkForce false;
|
||||
|
@ -34,5 +33,7 @@ in
|
|||
openssh.enable = true;
|
||||
};
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
|
||||
m: dgn-lib.mkRel ../keys "${m}.keys"
|
||||
) dgn-members;
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
let
|
||||
version = (import ../meta/nixpkgs.nix).default;
|
||||
nixpkgs = (import ../npins)."nixos-${version}";
|
||||
inherit (import ../npins) nixpkgs;
|
||||
in
|
||||
|
||||
(import nixpkgs { }).srcOnly {
|
||||
|
|
1
keys/catvayor.keys
Normal file
1
keys/catvayor.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
|
18
keys/certs/dgnum-ap-server.crt
Normal file
18
keys/certs/dgnum-ap-server.crt
Normal file
|
@ -0,0 +1,18 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIC6TCCAdECFEbjeqNNzKWyfs2GJekipWK+yO4uMA0GCSqGSIb3DQEBCwUAMHMx
|
||||
NDAyBgNVBAMMK0RHTnVtIFRlc3QgQVAgQ0EgLS0gRE8gTk9UIFVTRSBPUiBHRVQg
|
||||
RklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwGA1UEBwwFUGFy
|
||||
aXMxDjAMBgNVBAoMBURHTnVtMB4XDTI0MDgyNjE5MDQxMFoXDTI2MDgyNjE5MDQx
|
||||
MFowdzE4MDYGA1UEAwwvREdOdW0gVGVzdCBBUCBzZXJ2ZXIgLS0gRE8gTk9UIFVT
|
||||
RSBPUiBHRVQgRklSRUQxCzAJBgNVBAYTAkZSMQ4wDAYDVQQIDAVQYXJpczEOMAwG
|
||||
A1UEBwwFUGFyaXMxDjAMBgNVBAoMBURHTnVtMIGbMBAGByqGSM49AgEGBSuBBAAj
|
||||
A4GGAAQBDrTf0SH/YOkOfvOSnB3BbICb80jSsxwQH50y4jylbXcrUZnegLYjW/lF
|
||||
QknuMBzzE5fnE9lAeOxqsn0ec+sL3zEBrV0LSG2LgxhAkahZS9U4Spt9Qc84U7cG
|
||||
AFQ3GXDMTEb/COHJSu7sIfV4gFRVesFez30gb94lMxckkq/6nkXXaEUwDQYJKoZI
|
||||
hvcNAQELBQADggEBAEfPHMAXwftYQ0lDYPlr9b+GZDl7/JAavEfBXKzj1U8O0sJz
|
||||
daNOHEX3a5ZOaQoean2zmBLROgQpDlwsjAFNA9dg0ef2f4RgJvr/l2fspHwG0Uaq
|
||||
4JEOKTj3htd8aZX2i6AR02UC2oxCtf7ZVa+a6NOeeKl53QPzjduPO60ruz8tD2Xr
|
||||
YnQwVinQX0fJo7TmyQKDIxwld/Q5pMoDMfVlS71M/vISFfQ/Rx1PqYvBQyG1dvIA
|
||||
qn9cNNVnjEGrk7zXjCfehMYiCtDZ+D3VyXeZ6A7YZNpc6RUj8rbWcOtKLayRFlwf
|
||||
DTjV3/nPqV0M2nU6jXFBMfQ47VSfB7ibINt94xo=
|
||||
-----END CERTIFICATE-----
|
23
keys/certs/dgnum-test-ap-ca.crt
Normal file
23
keys/certs/dgnum-test-ap-ca.crt
Normal file
|
@ -0,0 +1,23 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDxzCCAq+gAwIBAgIUPuHEZeZoCidp+w5ME2CrkZEn3T8wDQYJKoZIhvcNAQEL
|
||||
BQAwczE0MDIGA1UEAwwrREdOdW0gVGVzdCBBUCBDQSAtLSBETyBOT1QgVVNFIE9S
|
||||
IEdFVCBGSVJFRDELMAkGA1UEBhMCRlIxDjAMBgNVBAgMBVBhcmlzMQ4wDAYDVQQH
|
||||
DAVQYXJpczEOMAwGA1UECgwFREdOdW0wHhcNMjQwODI2MTg1ODQ4WhcNMjkwODI2
|
||||
MTg1ODQ4WjBzMTQwMgYDVQQDDCtER051bSBUZXN0IEFQIENBIC0tIERPIE5PVCBV
|
||||
U0UgT1IgR0VUIEZJUkVEMQswCQYDVQQGEwJGUjEOMAwGA1UECAwFUGFyaXMxDjAM
|
||||
BgNVBAcMBVBhcmlzMQ4wDAYDVQQKDAVER051bTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBAKLgCNXLI6FQWJY5JQDqZcO1hmZpp0upT59/JvJXmEl4St1O
|
||||
FF3frSAoFcgn2Bv3kYQQ6wEhD3S7JBxRmoDtx/7sqsXthNpBaymVdphb9XhnVOC2
|
||||
NDBKV4WH06Hr06oKVfDSBhIldPJr1vfQLehOnz6uqK7walqPvid3tMv0lwt7mHZ9
|
||||
qQpgC2C/tkHwD1kh1RszoIZKIQWDnSNXPhYnB3X/DMCUWIKiz6P/0rVANEDDZER6
|
||||
b6eJRjv2l8jPlOt7CUTAOrsoJGCnSg2SV4lgr1u3mE/2AvmLdO0l5Dz0qCuQNbb3
|
||||
uWqYUonooR8rox171On/Rd0zvtihycSDxofVJ+MCAwEAAaNTMFEwHQYDVR0OBBYE
|
||||
FIPUT3v8AoeBS6VbcEvgVc1dC38hMB8GA1UdIwQYMBaAFIPUT3v8AoeBS6VbcEvg
|
||||
Vc1dC38hMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACX1aqYU
|
||||
9PIwZ/dBS7cpsBsCm9M0ueInTlQpvv6xioKuPhIet40YgawTRakxniAr0WXHTBV5
|
||||
a8ZQ4ff4uI+sdaxN7Ueufr4ltWVLuSc9DfIxjLVZ+41G6Ehy9Xc2zoDBfYURrXjd
|
||||
ISvPSXIKjM0yuS/249C77HOdzwbliS65Io2zubQStGfSaZ3sLAfPJoig+QiVyOtG
|
||||
sPoYzzrjXDBym+plfGTWqHv+gwo6DZarXrK4yaMn4hYkkf95NsY2ywwHzcy/4hsu
|
||||
+bMm4IeCrB9uNOZtQrqW81/+4oxjGiKLbhnFPNQOg2pzb+iOJTPKVicAqKDSCnou
|
||||
WXG5pjBKzojPvxU=
|
||||
-----END CERTIFICATE-----
|
|
@ -1,88 +0,0 @@
|
|||
let
|
||||
_sources = import ../npins;
|
||||
|
||||
meta = import ../meta (import _sources.nixpkgs { }).lib;
|
||||
|
||||
getAttr = flip builtins.getAttr;
|
||||
|
||||
inherit (import ../lib/nix-lib) flip setDefault unique;
|
||||
in
|
||||
|
||||
rec {
|
||||
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
|
||||
# If not, you will face an angry maintainer
|
||||
_keys = {
|
||||
# SSH keys of the nodes
|
||||
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
|
||||
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
|
||||
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
|
||||
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
|
||||
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
|
||||
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
|
||||
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
|
||||
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
|
||||
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
|
||||
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
|
||||
|
||||
# SSH keys of the DGNum members
|
||||
agroudiev = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
|
||||
];
|
||||
catvayor = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
|
||||
];
|
||||
cst1 = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
|
||||
];
|
||||
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
|
||||
gdd = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
|
||||
];
|
||||
jemagius = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
|
||||
];
|
||||
luj = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
|
||||
];
|
||||
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
|
||||
mdebray = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
|
||||
];
|
||||
raito = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||
];
|
||||
thubrecht = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
|
||||
];
|
||||
};
|
||||
|
||||
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
|
||||
|
||||
mkSecrets =
|
||||
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
|
||||
|
||||
getNodeKeys' =
|
||||
node:
|
||||
let
|
||||
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
||||
meta.nodes.${node}.admins ++ [ node ]
|
||||
) meta.nodes.${node}.adminGroups;
|
||||
in
|
||||
unique (getKeys names);
|
||||
|
||||
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
|
||||
|
||||
# List of keys for the root group
|
||||
rootKeys = getKeys meta.organization.groups.root;
|
||||
|
||||
# List of 'machine' keys
|
||||
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
|
||||
}
|
1
keys/ecoppens.keys
Normal file
1
keys/ecoppens.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA
|
2
keys/gdd.keys
Normal file
2
keys/gdd.keys
Normal file
|
@ -0,0 +1,2 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
|
2
keys/jemagius.keys
Normal file
2
keys/jemagius.keys
Normal file
|
@ -0,0 +1,2 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
|
2
keys/luj.keys
Normal file
2
keys/luj.keys
Normal file
|
@ -0,0 +1,2 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
|
1
keys/machines/compute01.keys
Normal file
1
keys/machines/compute01.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
|
1
keys/machines/geo01.keys
Normal file
1
keys/machines/geo01.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
|
1
keys/machines/geo02.keys
Normal file
1
keys/machines/geo02.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
|
1
keys/machines/rescue01.keys
Normal file
1
keys/machines/rescue01.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
|
1
keys/machines/storage01.keys
Normal file
1
keys/machines/storage01.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
|
1
keys/machines/vault01.keys
Normal file
1
keys/machines/vault01.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
|
1
keys/machines/web01.keys
Normal file
1
keys/machines/web01.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
|
1
keys/machines/web02.keys
Normal file
1
keys/machines/web02.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm
|
1
keys/mdebray.keys
Normal file
1
keys/mdebray.keys
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
|
3
keys/raito.keys
Normal file
3
keys/raito.keys
Normal file
|
@ -0,0 +1,3 @@
|
|||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
|
3
keys/thubrecht.keys
Normal file
3
keys/thubrecht.keys
Normal file
|
@ -0,0 +1,3 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
|
33
lib/default.nix
Normal file
33
lib/default.nix
Normal file
|
@ -0,0 +1,33 @@
|
|||
_:
|
||||
|
||||
let
|
||||
sources = import ../npins;
|
||||
|
||||
lib = import sources.nix-lib {
|
||||
inherit ((import sources.nixpkgs { })) lib;
|
||||
|
||||
keysRoot = ../keys;
|
||||
};
|
||||
|
||||
meta = import ../meta lib;
|
||||
|
||||
inherit (lib.extra) getAllKeys;
|
||||
in
|
||||
|
||||
lib.extra
|
||||
// rec {
|
||||
# Get publickeys associated to a node
|
||||
getNodeKeys =
|
||||
node:
|
||||
let
|
||||
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
||||
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
|
||||
) meta.nodes.${node}.adminGroups;
|
||||
in
|
||||
rootKeys ++ (getAllKeys names);
|
||||
|
||||
rootKeys = getAllKeys meta.organization.groups.root;
|
||||
|
||||
machineKeys =
|
||||
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
|
||||
}
|
|
@ -1,200 +0,0 @@
|
|||
# Copyright Tom Hubrecht, (2023)
|
||||
#
|
||||
# Tom Hubrecht <tom@hubrecht.ovh>
|
||||
#
|
||||
# This software is governed by the CeCILL license under French law and
|
||||
# abiding by the rules of distribution of free software. You can use,
|
||||
# modify and/ or redistribute the software under the terms of the CeCILL
|
||||
# license as circulated by CEA, CNRS and INRIA at the following URL
|
||||
# "http://www.cecill.info".
|
||||
#
|
||||
# As a counterpart to the access to the source code and rights to copy,
|
||||
# modify and redistribute granted by the license, users are provided only
|
||||
# with a limited warranty and the software's author, the holder of the
|
||||
# economic rights, and the successive licensors have only limited
|
||||
# liability.
|
||||
#
|
||||
# In this respect, the user's attention is drawn to the risks associated
|
||||
# with loading, using, modifying and/or developing or reproducing the
|
||||
# software by the user in light of its specific status of free software,
|
||||
# that may mean that it is complicated to manipulate, and that also
|
||||
# therefore means that it is reserved for developers and experienced
|
||||
# professionals having in-depth computer knowledge. Users are therefore
|
||||
# encouraged to load and test the software's suitability as regards their
|
||||
# requirements in conditions enabling the security of their systems and/or
|
||||
# data to be ensured and, more generally, to use and operate it in the
|
||||
# same conditions as regards security.
|
||||
#
|
||||
# The fact that you are presently reading this means that you have had
|
||||
# knowledge of the CeCILL license and that you accept its terms.
|
||||
|
||||
let
|
||||
# Reimplement optional functions
|
||||
_optional =
|
||||
default: b: value:
|
||||
if b then value else default;
|
||||
in
|
||||
|
||||
rec {
|
||||
inherit (import ./nixpkgs.nix)
|
||||
flip
|
||||
hasPrefix
|
||||
recursiveUpdate
|
||||
splitString
|
||||
unique
|
||||
;
|
||||
|
||||
/*
|
||||
Fuses a list of attribute sets into a single attribute set.
|
||||
|
||||
Type: [attrs] -> attrs
|
||||
|
||||
Example:
|
||||
x = [ { a = 1; } { b = 2; } ]
|
||||
fuseAttrs x
|
||||
=> { a = 1; b = 2; }
|
||||
*/
|
||||
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
|
||||
|
||||
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
|
||||
|
||||
/*
|
||||
Applies a function to `attrsList` before fusing the resulting list
|
||||
of attribute sets.
|
||||
|
||||
Type: ('a -> attrs) -> ['a] -> attrs
|
||||
|
||||
Example:
|
||||
x = [ "to" "ta" "ti" ]
|
||||
f = s: { ${s} = s + s; }
|
||||
mapFuse f x
|
||||
=> { to = "toto"; ta = "tata"; ti = "titi"; }
|
||||
*/
|
||||
mapFuse =
|
||||
# 'a -> attrs
|
||||
f:
|
||||
# ['a]
|
||||
attrsList:
|
||||
fuseAttrs (builtins.map f attrsList);
|
||||
|
||||
/*
|
||||
Equivalent of lib.singleton but for an attribute set.
|
||||
|
||||
Type: str -> 'a -> attrs
|
||||
|
||||
Example:
|
||||
singleAttr "a" 1
|
||||
=> { a = 1; }
|
||||
*/
|
||||
singleAttr = name: value: { ${name} = value; };
|
||||
|
||||
# Enables a list of modules.
|
||||
enableAttrs' =
|
||||
enable:
|
||||
mapFuse (m: {
|
||||
${m}.${enable} = true;
|
||||
});
|
||||
|
||||
enableModules = enableAttrs' "enable";
|
||||
|
||||
/*
|
||||
Create an attribute set from a list of values, mapping those
|
||||
values through the function `f`.
|
||||
|
||||
Example:
|
||||
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
|
||||
=> { a = "val-a"; b = "val-b" }
|
||||
*/
|
||||
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
|
||||
|
||||
/*
|
||||
Creates a relative path as a string
|
||||
|
||||
Type: path -> str -> path
|
||||
|
||||
Example:
|
||||
mkRel /home/test/ "file.txt"
|
||||
=> "/home/test/file.txt"
|
||||
*/
|
||||
mkRel = path: file: path + "/${file}";
|
||||
|
||||
setDefault =
|
||||
default:
|
||||
mapFuse (name: {
|
||||
${name} = default;
|
||||
});
|
||||
|
||||
mkBaseSecrets =
|
||||
root:
|
||||
mapFuse (secret: {
|
||||
${secret}.file = mkRel root secret;
|
||||
});
|
||||
|
||||
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
|
||||
|
||||
subAttr = attrs: name: attrs.${name};
|
||||
|
||||
subAttrs = attrs: builtins.map (subAttr attrs);
|
||||
|
||||
optionalList = _optional [ ];
|
||||
|
||||
optionalAttrs = _optional { };
|
||||
|
||||
optionalString = _optional "";
|
||||
/*
|
||||
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
|
||||
sets together.
|
||||
|
||||
Type: [attrs] -> attrs
|
||||
*/
|
||||
recursiveFuse = builtins.foldl' recursiveUpdate { };
|
||||
|
||||
mkImport =
|
||||
root: file:
|
||||
let
|
||||
path = mkRel root file;
|
||||
in
|
||||
path + (optionalString (!(builtins.pathExists path)) ".nix");
|
||||
|
||||
mkImports = root: builtins.map (mkImport root);
|
||||
|
||||
/*
|
||||
Creates a confugiration by merging enabled modules,
|
||||
services and extraConfig.
|
||||
|
||||
Example:
|
||||
mkConfig {
|
||||
enabledModules = [ "ht-defaults" ];
|
||||
enabledServices = [ "toto" ];
|
||||
extraConfig = { services.nginx.enable = true; };
|
||||
root = ./.;
|
||||
}
|
||||
=>
|
||||
{
|
||||
imports = [ ./toto ];
|
||||
ht-defaults.enable = true;
|
||||
services.nginx.enable = true;
|
||||
}
|
||||
*/
|
||||
mkConfig =
|
||||
{
|
||||
# List of modules to enable with `enableModules`
|
||||
enabledModules,
|
||||
# List of services to import
|
||||
enabledServices,
|
||||
# Extra configuration, defaults to `{ }`
|
||||
extraConfig ? { },
|
||||
# Path relative to which the enabled services will be imported
|
||||
root,
|
||||
}:
|
||||
recursiveFuse [
|
||||
(enableModules enabledModules)
|
||||
|
||||
{
|
||||
imports =
|
||||
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
|
||||
}
|
||||
|
||||
(removeAttrs extraConfig [ "imports" ])
|
||||
];
|
||||
}
|
|
@ -1,416 +0,0 @@
|
|||
###
|
||||
# Collection of nixpkgs library functions, those are necessary for defining our own lib
|
||||
#
|
||||
# They have been simplified and builtins are used in some places, instead of lib shims.
|
||||
|
||||
rec {
|
||||
/**
|
||||
Does the same as the update operator '//' except that attributes are
|
||||
merged until the given predicate is verified. The predicate should
|
||||
accept 3 arguments which are the path to reach the attribute, a part of
|
||||
the first attribute set and a part of the second attribute set. When
|
||||
the predicate is satisfied, the value of the first attribute set is
|
||||
replaced by the value of the second attribute set.
|
||||
|
||||
# Inputs
|
||||
|
||||
`pred`
|
||||
|
||||
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
|
||||
|
||||
`lhs`
|
||||
|
||||
: Left attribute set of the merge.
|
||||
|
||||
`rhs`
|
||||
|
||||
: Right attribute set of the merge.
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.attrsets.recursiveUpdateUntil` usage example
|
||||
|
||||
```nix
|
||||
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
|
||||
# first attribute set
|
||||
foo.bar = 1;
|
||||
foo.baz = 2;
|
||||
bar = 3;
|
||||
} {
|
||||
#second attribute set
|
||||
foo.bar = 1;
|
||||
foo.quz = 2;
|
||||
baz = 4;
|
||||
}
|
||||
|
||||
=> {
|
||||
foo.bar = 1; # 'foo.*' from the second set
|
||||
foo.quz = 2; #
|
||||
bar = 3; # 'bar' from the first set
|
||||
baz = 4; # 'baz' from the second set
|
||||
}
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
recursiveUpdateUntil =
|
||||
pred: lhs: rhs:
|
||||
let
|
||||
f =
|
||||
attrPath:
|
||||
builtins.zipAttrsWith (
|
||||
n: values:
|
||||
let
|
||||
here = attrPath ++ [ n ];
|
||||
in
|
||||
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
|
||||
builtins.head values
|
||||
else
|
||||
f here values
|
||||
);
|
||||
in
|
||||
f [ ] [
|
||||
rhs
|
||||
lhs
|
||||
];
|
||||
|
||||
/**
|
||||
A recursive variant of the update operator ‘//’. The recursion
|
||||
stops when one of the attribute values is not an attribute set,
|
||||
in which case the right hand side value takes precedence over the
|
||||
left hand side value.
|
||||
|
||||
# Inputs
|
||||
|
||||
`lhs`
|
||||
|
||||
: Left attribute set of the merge.
|
||||
|
||||
`rhs`
|
||||
|
||||
: Right attribute set of the merge.
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.attrsets.recursiveUpdate` usage example
|
||||
|
||||
```nix
|
||||
recursiveUpdate {
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.device = "/dev/hda";
|
||||
} {
|
||||
boot.loader.grub.device = "";
|
||||
}
|
||||
|
||||
returns: {
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.device = "";
|
||||
}
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
recursiveUpdate =
|
||||
lhs: rhs:
|
||||
recursiveUpdateUntil (
|
||||
_: lhs: rhs:
|
||||
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
|
||||
) lhs rhs;
|
||||
|
||||
/**
|
||||
Determine whether a string has given prefix.
|
||||
|
||||
# Inputs
|
||||
|
||||
`pref`
|
||||
: Prefix to check for
|
||||
|
||||
`str`
|
||||
: Input string
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
hasPrefix :: string -> string -> bool
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.strings.hasPrefix` usage example
|
||||
|
||||
```nix
|
||||
hasPrefix "foo" "foobar"
|
||||
=> true
|
||||
hasPrefix "foo" "barfoo"
|
||||
=> false
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
|
||||
|
||||
/**
|
||||
Escape occurrence of the elements of `list` in `string` by
|
||||
prefixing it with a backslash.
|
||||
|
||||
# Inputs
|
||||
|
||||
`list`
|
||||
: 1\. Function argument
|
||||
|
||||
`string`
|
||||
: 2\. Function argument
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
escape :: [string] -> string -> string
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.strings.escape` usage example
|
||||
|
||||
```nix
|
||||
escape ["(" ")"] "(foo)"
|
||||
=> "\\(foo\\)"
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
|
||||
|
||||
/**
|
||||
Convert a string `s` to a list of characters (i.e. singleton strings).
|
||||
This allows you to, e.g., map a function over each character. However,
|
||||
note that this will likely be horribly inefficient; Nix is not a
|
||||
general purpose programming language. Complex string manipulations
|
||||
should, if appropriate, be done in a derivation.
|
||||
Also note that Nix treats strings as a list of bytes and thus doesn't
|
||||
handle unicode.
|
||||
|
||||
# Inputs
|
||||
|
||||
`s`
|
||||
: 1\. Function argument
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
stringToCharacters :: string -> [string]
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.strings.stringToCharacters` usage example
|
||||
|
||||
```nix
|
||||
stringToCharacters ""
|
||||
=> [ ]
|
||||
stringToCharacters "abc"
|
||||
=> [ "a" "b" "c" ]
|
||||
stringToCharacters "🦄"
|
||||
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
|
||||
|
||||
/**
|
||||
Turn a string `s` into an exact regular expression
|
||||
|
||||
# Inputs
|
||||
|
||||
`s`
|
||||
: 1\. Function argument
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
escapeRegex :: string -> string
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.strings.escapeRegex` usage example
|
||||
|
||||
```nix
|
||||
escapeRegex "[^a-z]*"
|
||||
=> "\\[\\^a-z]\\*"
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
|
||||
|
||||
/**
|
||||
Appends string context from string like object `src` to `target`.
|
||||
|
||||
:::{.warning}
|
||||
This is an implementation
|
||||
detail of Nix and should be used carefully.
|
||||
:::
|
||||
|
||||
Strings in Nix carry an invisible `context` which is a list of strings
|
||||
representing store paths. If the string is later used in a derivation
|
||||
attribute, the derivation will properly populate the inputDrvs and
|
||||
inputSrcs.
|
||||
|
||||
# Inputs
|
||||
|
||||
`src`
|
||||
: The string to take the context from. If the argument is not a string,
|
||||
it will be implicitly converted to a string.
|
||||
|
||||
`target`
|
||||
: The string to append the context to. If the argument is not a string,
|
||||
it will be implicitly converted to a string.
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
addContextFrom :: string -> string -> string
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.strings.addContextFrom` usage example
|
||||
|
||||
```nix
|
||||
pkgs = import <nixpkgs> { };
|
||||
addContextFrom pkgs.coreutils "bar"
|
||||
=> "bar"
|
||||
```
|
||||
|
||||
The context can be displayed using the `toString` function:
|
||||
|
||||
```nix
|
||||
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
|
||||
{
|
||||
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
|
||||
}
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
addContextFrom = src: target: builtins.substring 0 0 src + target;
|
||||
|
||||
/**
|
||||
Cut a string with a separator and produces a list of strings which
|
||||
were separated by this separator.
|
||||
|
||||
# Inputs
|
||||
|
||||
`sep`
|
||||
: 1\. Function argument
|
||||
|
||||
`s`
|
||||
: 2\. Function argument
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
splitString :: string -> string -> [string]
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.strings.splitString` usage example
|
||||
|
||||
```nix
|
||||
splitString "." "foo.bar.baz"
|
||||
=> [ "foo" "bar" "baz" ]
|
||||
splitString "/" "/usr/local/bin"
|
||||
=> [ "" "usr" "local" "bin" ]
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
splitString =
|
||||
sep: s:
|
||||
let
|
||||
splits = builtins.filter builtins.isString (
|
||||
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
|
||||
);
|
||||
in
|
||||
builtins.map (addContextFrom s) splits;
|
||||
|
||||
/**
|
||||
Remove duplicate elements from the `list`. O(n^2) complexity.
|
||||
|
||||
# Inputs
|
||||
|
||||
`list`
|
||||
|
||||
: Input list
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
unique :: [a] -> [a]
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.lists.unique` usage example
|
||||
|
||||
```nix
|
||||
unique [ 3 2 3 4 ]
|
||||
=> [ 3 2 4 ]
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
|
||||
|
||||
/**
|
||||
Flip the order of the arguments of a binary function.
|
||||
|
||||
# Inputs
|
||||
|
||||
`f`
|
||||
|
||||
: 1\. Function argument
|
||||
|
||||
`a`
|
||||
|
||||
: 2\. Function argument
|
||||
|
||||
`b`
|
||||
|
||||
: 3\. Function argument
|
||||
|
||||
# Type
|
||||
|
||||
```
|
||||
flip :: (a -> b -> c) -> (b -> a -> c)
|
||||
```
|
||||
|
||||
# Examples
|
||||
:::{.example}
|
||||
## `lib.trivial.flip` usage example
|
||||
|
||||
```nix
|
||||
flip concat [1] [2]
|
||||
=> [ 2 1 ]
|
||||
```
|
||||
|
||||
:::
|
||||
*/
|
||||
flip =
|
||||
f: a: b:
|
||||
f b a;
|
||||
}
|
|
@ -1,110 +0,0 @@
|
|||
# Copyright Tom Hubrecht, (2023-2024)
|
||||
#
|
||||
# Tom Hubrecht <tom@hubrecht.ovh>
|
||||
#
|
||||
# This software is governed by the CeCILL license under French law and
|
||||
# abiding by the rules of distribution of free software. You can use,
|
||||
# modify and/ or redistribute the software under the terms of the CeCILL
|
||||
# license as circulated by CEA, CNRS and INRIA at the following URL
|
||||
# "http://www.cecill.info".
|
||||
#
|
||||
# As a counterpart to the access to the source code and rights to copy,
|
||||
# modify and redistribute granted by the license, users are provided only
|
||||
# with a limited warranty and the software's author, the holder of the
|
||||
# economic rights, and the successive licensors have only limited
|
||||
# liability.
|
||||
#
|
||||
# In this respect, the user's attention is drawn to the risks associated
|
||||
# with loading, using, modifying and/or developing or reproducing the
|
||||
# software by the user in light of its specific status of free software,
|
||||
# that may mean that it is complicated to manipulate, and that also
|
||||
# therefore means that it is reserved for developers and experienced
|
||||
# professionals having in-depth computer knowledge. Users are therefore
|
||||
# encouraged to load and test the software's suitability as regards their
|
||||
# requirements in conditions enabling the security of their systems and/or
|
||||
# data to be ensured and, more generally, to use and operate it in the
|
||||
# same conditions as regards security.
|
||||
#
|
||||
# The fact that you are presently reading this means that you have had
|
||||
# knowledge of the CeCILL license and that you accept its terms.
|
||||
|
||||
{
|
||||
patchFile,
|
||||
excludeGitHubManual ? true,
|
||||
fetchers ? { },
|
||||
}:
|
||||
|
||||
rec {
|
||||
base =
|
||||
{ pkgs }:
|
||||
rec {
|
||||
mkUrlPatch =
|
||||
attrs:
|
||||
pkgs.fetchpatch (
|
||||
{
|
||||
hash = pkgs.lib.fakeHash;
|
||||
}
|
||||
// attrs
|
||||
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
|
||||
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
|
||||
})
|
||||
);
|
||||
|
||||
mkGitHubPatch =
|
||||
{ id, ... }@attrs:
|
||||
mkUrlPatch (
|
||||
(builtins.removeAttrs attrs [ "id" ])
|
||||
// {
|
||||
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
|
||||
}
|
||||
);
|
||||
|
||||
mkCommitPatch =
|
||||
{ sha, ... }@attrs:
|
||||
mkUrlPatch (
|
||||
(builtins.removeAttrs attrs [ "sha" ])
|
||||
// {
|
||||
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
|
||||
}
|
||||
);
|
||||
|
||||
patchFunctions = {
|
||||
commit = mkCommitPatch;
|
||||
github = mkGitHubPatch;
|
||||
remote = pkgs.fetchpatch;
|
||||
static = attrs: attrs.path;
|
||||
url = mkUrlPatch;
|
||||
} // fetchers;
|
||||
|
||||
mkPatch =
|
||||
{
|
||||
_type ? "github",
|
||||
...
|
||||
}@attrs:
|
||||
if builtins.hasAttr _type patchFunctions then
|
||||
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
|
||||
else
|
||||
throw "Unknown patch type: ${builtins.toString _type}.";
|
||||
|
||||
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
|
||||
|
||||
applyPatches =
|
||||
{
|
||||
src,
|
||||
name,
|
||||
patches ? mkPatches name,
|
||||
}:
|
||||
if patches == [ ] then
|
||||
src
|
||||
else
|
||||
pkgs.applyPatches {
|
||||
inherit patches src;
|
||||
|
||||
name = "${name}-patched";
|
||||
};
|
||||
|
||||
applyPatches' = name: src: applyPatches { inherit name src; };
|
||||
};
|
||||
|
||||
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
|
||||
}
|
1
liminix-rebuild.nix
Normal file
1
liminix-rebuild.nix
Normal file
|
@ -0,0 +1 @@
|
|||
{ liminix-system }: (import ./liminix-hive.nix { }).${liminix-system}.primary
|
259
machines/ap01/_configuration.nix
Normal file
259
machines/ap01/_configuration.nix
Normal file
|
@ -0,0 +1,259 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (pkgs.liminix.services) oneshot;
|
||||
inherit (pkgs.pseudofile) symlink dir;
|
||||
inherit (pkgs) serviceFns;
|
||||
svc = config.system.service;
|
||||
secrets-1 = {
|
||||
ssid = "DGNum 2G prototype (N)";
|
||||
};
|
||||
secrets-2 = {
|
||||
ssid = "DGNum 5G prototype (AX)";
|
||||
};
|
||||
baseParams = {
|
||||
country_code = "FR";
|
||||
hw_mode = "g";
|
||||
channel = 6;
|
||||
wmm_enabled = 1;
|
||||
ieee80211n = 1;
|
||||
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
|
||||
auth_algs = 1;
|
||||
wpa = 2;
|
||||
wpa_pairwise = "TKIP CCMP";
|
||||
rsn_pairwise = "CCMP";
|
||||
};
|
||||
|
||||
radiusKeyMgmt = {
|
||||
wpa_key_mgmt = "WPA-EAP";
|
||||
};
|
||||
|
||||
modernParams = {
|
||||
hw_mode = "a";
|
||||
he_su_beamformer = 1;
|
||||
he_su_beamformee = 1;
|
||||
he_mu_beamformer = 1;
|
||||
preamble = 1;
|
||||
# Allow radar detection.
|
||||
ieee80211d = 1;
|
||||
ieee80211h = 1;
|
||||
ieee80211ac = 1;
|
||||
ieee80211ax = 1;
|
||||
vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
|
||||
vht_oper_chwidth = 1;
|
||||
he_oper_chwidth = 1;
|
||||
channel = 36;
|
||||
vht_oper_centr_freq_seg0_idx = 42;
|
||||
he_oper_centr_freq_seg0_idx = 42;
|
||||
require_vht = 1;
|
||||
};
|
||||
|
||||
clientRadius = {
|
||||
ieee8021x = 1;
|
||||
eapol_version = 2;
|
||||
use_pae_group_addr = 1;
|
||||
dynamic_vlan = 0;
|
||||
vlan_tagged_interface = "lan";
|
||||
};
|
||||
|
||||
externalRadius = {
|
||||
# TODO: when we have proper IPAM, set the right value here.
|
||||
own_ip_addr = "127.0.0.1";
|
||||
nas_identifier = "ap01.dgnum.eu";
|
||||
|
||||
# No DNS here, hostapd do not support this mode.
|
||||
auth_server_addr = "129.199.195.129";
|
||||
auth_server_port = 1812;
|
||||
auth_server_shared_secret = "read it online";
|
||||
};
|
||||
|
||||
mkWifiSta =
|
||||
params: interface: secrets:
|
||||
svc.hostapd.build {
|
||||
inherit interface;
|
||||
package = pkgs.hostapd-radius;
|
||||
params = params // secrets;
|
||||
dependencies = [ config.services.jitter ];
|
||||
};
|
||||
in
|
||||
rec {
|
||||
imports = [
|
||||
"${modulesPath}/wlan.nix"
|
||||
"${modulesPath}/network"
|
||||
"${modulesPath}/dhcp6c"
|
||||
"${modulesPath}/hostapd"
|
||||
"${modulesPath}/ssh"
|
||||
"${modulesPath}/ntp"
|
||||
"${modulesPath}/vlan"
|
||||
"${modulesPath}/bridge"
|
||||
"${modulesPath}/jitter-rng"
|
||||
"${modulesPath}/pki"
|
||||
"${modulesPath}/ubus"
|
||||
../../modules/dgn-access-control.nix
|
||||
# TODO: god that's so a fucking hack.
|
||||
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
|
||||
];
|
||||
|
||||
hostname = "ap01-prototype";
|
||||
|
||||
# Get moar random please
|
||||
services.jitter = svc.jitter-rng.build { };
|
||||
services.ubus = svc.ubus.build { };
|
||||
|
||||
# SSH keys are handled by the access control module.
|
||||
dgn-access-control.enable = true;
|
||||
users.root = {
|
||||
passwd = "$6$jVXFFOp8HBYmgINR$lutB4kvw.W1jlXRby9ZYAgBitQ32RxQdYAGN.s2x4ris8J07vM6tzlRBQoeLELOIEMClDzbciQV0itfHQnTqd1";
|
||||
};
|
||||
|
||||
services.int = svc.bridge.primary.build {
|
||||
ifname = "int";
|
||||
macAddressFromInterface = config.hardware.networkInterfaces.lan;
|
||||
};
|
||||
|
||||
services.bridge = svc.bridge.members.build {
|
||||
primary = services.int;
|
||||
members = {
|
||||
lan.member = config.hardware.networkInterfaces.lan;
|
||||
wlan0 = {
|
||||
member = config.hardware.networkInterfaces.wlan0;
|
||||
# Bridge only once hostapd is ready.
|
||||
dependencies = [ config.services.hostap-1-ready ];
|
||||
};
|
||||
wlan1 = {
|
||||
member = config.hardware.networkInterfaces.wlan1;
|
||||
# Bridge only once hostapd is ready.
|
||||
dependencies = [ config.services.hostap-2-ready ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.resolvconf = oneshot rec {
|
||||
name = "resolvconf";
|
||||
up = ''
|
||||
. ${serviceFns}
|
||||
( in_outputs ${name}
|
||||
for i in $(output ${services.dhcpv4} dns); do
|
||||
echo "nameserver $i" >> resolv.conf
|
||||
done
|
||||
)
|
||||
'';
|
||||
|
||||
dependencies = [
|
||||
config.services.dhcpv4
|
||||
];
|
||||
};
|
||||
|
||||
filesystem = dir {
|
||||
etc = dir {
|
||||
"resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
|
||||
"nixpkgs.version" = {
|
||||
type = "f";
|
||||
file = "${pkgs.lib.version}";
|
||||
mode = "0444";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.dhcpv4 = svc.network.dhcp.client.build {
|
||||
interface = config.services.int;
|
||||
dependencies = [
|
||||
config.services.hostname
|
||||
config.services.bridge.components.lan
|
||||
];
|
||||
};
|
||||
|
||||
# TODO(raito): these won't work with RAs
|
||||
# fix them in Liminix directly and re-enable.
|
||||
# services.dhcpv6 = svc.dhcp6c.client.build {
|
||||
# interface = config.services.int;
|
||||
# dependencies = [
|
||||
# config.services.hostname
|
||||
# config.services.bridge
|
||||
# ];
|
||||
# };
|
||||
|
||||
# services.ipv6 = svc.dhcp6c.address.build {
|
||||
# interface = config.services.int;
|
||||
# client = config.services.dhcpv6;
|
||||
# dependencies = [ config.services.hostname ];
|
||||
# };
|
||||
|
||||
services.defaultroute4 = svc.network.route.build {
|
||||
via = "$(output ${services.dhcpv4} router)";
|
||||
target = "default";
|
||||
dependencies = [ services.dhcpv4 ];
|
||||
};
|
||||
|
||||
services.packet_forwarding = svc.network.forward.build { };
|
||||
services.sshd = svc.ssh.build { allowRoot = true; };
|
||||
|
||||
services.ntp = config.system.service.ntp.build {
|
||||
pools = {
|
||||
"pool.ntp.org" = [ "iburst" ];
|
||||
};
|
||||
|
||||
dependencies = [ config.services.jitter ];
|
||||
};
|
||||
|
||||
boot.tftp = {
|
||||
serverip = "192.0.2.10";
|
||||
ipaddr = "192.0.2.12";
|
||||
};
|
||||
|
||||
# wlan0 is the 2.4GHz interface.
|
||||
services.hostap-1 = mkWifiSta (
|
||||
baseParams // radiusKeyMgmt
|
||||
) config.hardware.networkInterfaces.wlan0 secrets-1;
|
||||
services.hostap-1-ready = svc.hostapd-ready.build {
|
||||
interface = config.hardware.networkInterfaces.wlan0;
|
||||
};
|
||||
# wlan1 is the 5GHz interface, e.g. AX capable.
|
||||
services.hostap-2 = mkWifiSta (
|
||||
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
|
||||
) config.hardware.networkInterfaces.wlan1 secrets-2;
|
||||
# Oneshot that waits until the hostapd has set the interface in operational state.
|
||||
services.hostap-2-ready = svc.hostapd-ready.build {
|
||||
interface = config.hardware.networkInterfaces.wlan1;
|
||||
};
|
||||
|
||||
defaultProfile.packages = with pkgs; [
|
||||
zyxel-bootconfig
|
||||
min-collect-garbage
|
||||
iwinfo
|
||||
ifwait
|
||||
# Levitate enable us to mass-reinstall the system on the fly.
|
||||
(levitate.override {
|
||||
config = {
|
||||
imports = [
|
||||
"${modulesPath}/network"
|
||||
"${modulesPath}/ssh"
|
||||
"${modulesPath}/hardware.nix"
|
||||
"${modulesPath}/kernel"
|
||||
"${modulesPath}/outputs/tftpboot.nix"
|
||||
"${modulesPath}/outputs.nix"
|
||||
];
|
||||
services = {
|
||||
# Simplest DHCPv4 we can find.
|
||||
dhcpv4 = svc.network.dhcp.client.build {
|
||||
interface = config.hardware.networkInterfaces.lan;
|
||||
};
|
||||
inherit (config.services) sshd;
|
||||
defaultroute4 = svc.network.route.build {
|
||||
via = "$(output ${services.dhcpv4} router)";
|
||||
target = "default";
|
||||
dependencies = [ config.services.dhcpv4 ];
|
||||
};
|
||||
};
|
||||
|
||||
defaultProfile.packages = [ mtdutils ];
|
||||
# Only keep root, which should inherit from DGN access control's root permissions.
|
||||
users.root = config.users.root;
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
1
machines/ap01/_hardware-configuration.nix
Normal file
1
machines/ap01/_hardware-configuration.nix
Normal file
|
@ -0,0 +1 @@
|
|||
{ }
|
|
@ -1,20 +0,0 @@
|
|||
{ lib, pkgs, ... }:
|
||||
|
||||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
# List of services to enable
|
||||
"network"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
services.netbird.enable = true;
|
||||
|
||||
environment.systemPackages = [ pkgs.bcachefs-tools ];
|
||||
};
|
||||
|
||||
root = ./.;
|
||||
}
|
|
@ -1,53 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ modulesPath, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||
|
||||
boot = {
|
||||
initrd = {
|
||||
availableKernelModules = [
|
||||
"xhci_pci"
|
||||
"ehci_pci"
|
||||
"ahci"
|
||||
"sd_mod"
|
||||
"sr_mod"
|
||||
];
|
||||
};
|
||||
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
kernelPackages = pkgs.linuxPackages_latest;
|
||||
|
||||
supportedFilesystems.bcachefs = true;
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
|
||||
fsType = "bcachefs";
|
||||
options = [ "compression=zstd" ];
|
||||
};
|
||||
|
||||
"/boot" = {
|
||||
device = "/dev/disk/by-uuid/4D0A-AF11";
|
||||
fsType = "vfat";
|
||||
options = [
|
||||
"fmask=0022"
|
||||
"dmask=0022"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = true;
|
||||
}
|
|
@ -1,79 +0,0 @@
|
|||
_:
|
||||
|
||||
{
|
||||
networking = {
|
||||
useNetworkd = true;
|
||||
useDHCP = false;
|
||||
|
||||
nftables.enable = true;
|
||||
firewall.allowedUDPPorts = [ 67 ];
|
||||
};
|
||||
|
||||
systemd.network = {
|
||||
networks = {
|
||||
"10-eno1" = {
|
||||
name = "eno1";
|
||||
networkConfig = {
|
||||
VLAN = [
|
||||
"vlan-admin"
|
||||
"vlan-uplink-oob"
|
||||
];
|
||||
|
||||
LinkLocalAddressing = false;
|
||||
LLDP = false;
|
||||
EmitLLDP = false;
|
||||
IPv6AcceptRA = false;
|
||||
IPv6SendRA = false;
|
||||
};
|
||||
# address = [ "192.168.222.1/24" ];
|
||||
};
|
||||
|
||||
"10-vlan-admin" = {
|
||||
name = "vlan-admin";
|
||||
# DHCP for the BMC
|
||||
networkConfig.DHCPServer = "yes";
|
||||
|
||||
dhcpServerConfig = {
|
||||
PoolOffset = 128;
|
||||
EmitDNS = false;
|
||||
EmitNTP = false;
|
||||
EmitSIP = false;
|
||||
EmitPOP3 = false;
|
||||
EmitSMTP = false;
|
||||
EmitLPR = false;
|
||||
UplinkInterface = ":none";
|
||||
};
|
||||
|
||||
address = [
|
||||
"fd26:baf9:d250:8000::ffff/64"
|
||||
"192.168.222.1/24"
|
||||
];
|
||||
};
|
||||
|
||||
"10-vlan-uplink-oob" = {
|
||||
name = "vlan-uplink-oob";
|
||||
networkConfig.DHCP = "ipv4";
|
||||
};
|
||||
};
|
||||
|
||||
netdevs = {
|
||||
"10-vlan-admin" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-admin";
|
||||
Kind = "vlan";
|
||||
};
|
||||
|
||||
vlanConfig.Id = 3000;
|
||||
};
|
||||
|
||||
"10-vlan-uplink-oob" = {
|
||||
netdevConfig = {
|
||||
Name = "vlan-uplink-oob";
|
||||
Kind = "vlan";
|
||||
};
|
||||
|
||||
vlanConfig.Id = 500;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
(import ../../../keys).mkSecrets [ "bridg01" ] [
|
||||
# List of secrets for bridge01
|
||||
]
|
|
@ -1,19 +1,17 @@
|
|||
{ lib, ... }:
|
||||
|
||||
lib.extra.mkConfig {
|
||||
# List of modules to enable
|
||||
enabledModules = [
|
||||
# INFO: This list needs to stay sorted alphabetically
|
||||
# List of modules to enable
|
||||
"dgn-backups"
|
||||
"dgn-chatops"
|
||||
"dgn-fail2ban"
|
||||
"dgn-web"
|
||||
];
|
||||
|
||||
# List of services to enable
|
||||
enabledServices = [
|
||||
# INFO: This list needs to stay sorted alphabetically
|
||||
# List of services to enable
|
||||
"arkheon"
|
||||
"dgsi"
|
||||
"signal-irc-bridge"
|
||||
"ds-fr"
|
||||
"grafana"
|
||||
"hedgedoc"
|
||||
|
@ -21,22 +19,24 @@ lib.extra.mkConfig {
|
|||
"librenms"
|
||||
"mastodon"
|
||||
"nextcloud"
|
||||
"ollama-proxy"
|
||||
"outline"
|
||||
"plausible"
|
||||
"postgresql"
|
||||
"rstudio-server"
|
||||
"satosa"
|
||||
"signal-irc-bridge"
|
||||
"signald"
|
||||
"stirling-pdf"
|
||||
"takumi"
|
||||
"telegraf"
|
||||
"vaultwarden"
|
||||
"zammad"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
|
||||
"sshd-bruteforce"
|
||||
"sshd-timeout"
|
||||
];
|
||||
|
||||
dgn-hardware.useZfs = true;
|
||||
|
||||
services.netbird.enable = true;
|
||||
|
|
|
@ -1,222 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
utils,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib) toLower;
|
||||
|
||||
python =
|
||||
let
|
||||
python3 = pkgs.python312;
|
||||
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
|
||||
in
|
||||
python3.override {
|
||||
packageOverrides = _: _: {
|
||||
inherit (nix-pkgs)
|
||||
django-allauth
|
||||
django-allauth-cas
|
||||
django-browser-reload
|
||||
django-bulma-forms
|
||||
django-sass-processor
|
||||
django-sass-processor-dart-sass
|
||||
django-unfold
|
||||
pykanidm
|
||||
python-cas
|
||||
loadcredential
|
||||
xlwt
|
||||
;
|
||||
};
|
||||
};
|
||||
|
||||
pythonEnv = python.withPackages (
|
||||
ps:
|
||||
[
|
||||
ps.django
|
||||
ps.gunicorn
|
||||
ps.psycopg
|
||||
ps.django-compressor
|
||||
ps.django-import-export
|
||||
|
||||
# Local packages
|
||||
ps.django-allauth
|
||||
ps.django-allauth-cas
|
||||
ps.django-browser-reload
|
||||
ps.django-bulma-forms
|
||||
ps.django-sass-processor
|
||||
ps.django-sass-processor-dart-sass
|
||||
ps.django-unfold
|
||||
ps.loadcredential
|
||||
ps.pykanidm
|
||||
ps.python-cas
|
||||
]
|
||||
++ ps.django-allauth.optional-dependencies.saml
|
||||
);
|
||||
|
||||
staticDrv = pkgs.stdenv.mkDerivation {
|
||||
name = "dgsi-static";
|
||||
|
||||
src = sources.dgsi;
|
||||
sourceRoot = "source/src";
|
||||
|
||||
nativeBuildInputs = [
|
||||
pkgs.dart-sass
|
||||
pythonEnv
|
||||
];
|
||||
|
||||
configurePhase = ''
|
||||
export DGSI_STATIC_ROOT=$out/static
|
||||
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
|
||||
export DGSI_KANIDM_CLIENT="dgsi_test"
|
||||
export DGSI_KANIDM_AUTH_TOKEN="fake.token"
|
||||
export DGSI_X509_KEY=""
|
||||
export DGSI_X509_CERT=""
|
||||
'';
|
||||
|
||||
doBuild = false;
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/static
|
||||
python3 manage.py compilescss
|
||||
python3 manage.py collectstatic
|
||||
'';
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
users = {
|
||||
users.nginx.extraGroups = [ "django-apps" ];
|
||||
groups.django-apps = { };
|
||||
};
|
||||
|
||||
systemd = {
|
||||
services = {
|
||||
dj-dgsi = {
|
||||
description = "DGSI web app";
|
||||
|
||||
requires = [ "dj-dgsi.socket" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [
|
||||
"network.target"
|
||||
"postgresql.service"
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
|
||||
"EMAIL_HOST_PASSWORD"
|
||||
"KANIDM_AUTH_TOKEN"
|
||||
"KANIDM_SECRET"
|
||||
"SECRET_KEY"
|
||||
"X509_CERT"
|
||||
"X509_KEY"
|
||||
];
|
||||
RuntimeDirectory = "django-apps/dgsi";
|
||||
StateDirectory = "django-apps/dgsi";
|
||||
UMask = "0027";
|
||||
User = "dj-dgsi";
|
||||
Group = "django-apps";
|
||||
WorkingDirectory = sources.dgsi;
|
||||
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
|
||||
KillMode = "mixed";
|
||||
Type = "notify";
|
||||
ExecStart = utils.escapeSystemdExecArgs [
|
||||
(lib.getExe' pythonEnv "gunicorn")
|
||||
"--workers"
|
||||
4
|
||||
"--bind"
|
||||
"unix:/run/django-apps/dgsi.sock"
|
||||
"--pythonpath"
|
||||
"src"
|
||||
"app.wsgi"
|
||||
];
|
||||
};
|
||||
|
||||
environment = {
|
||||
DGSI_ALLOWED_HOSTS = builtins.toJSON [
|
||||
"profil.dgnum.eu"
|
||||
"dgsi.dgnum.eu"
|
||||
];
|
||||
|
||||
DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
|
||||
DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
|
||||
DGSI_EMAIL_USE_SSL = builtins.toJSON true;
|
||||
DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
|
||||
DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
|
||||
|
||||
DGSI_KANIDM_CLIENT = "dgsi";
|
||||
DGSI_KANIDM_URI = "https://sso.dgnum.eu";
|
||||
|
||||
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
|
||||
DGSI_STATIC_ROOT = "${staticDrv}/static";
|
||||
|
||||
DGSI_DATABASES = builtins.toJSON {
|
||||
default = {
|
||||
ENGINE = "django.db.backends.postgresql";
|
||||
NAME = "dj-dgsi";
|
||||
};
|
||||
};
|
||||
DJANGO_SETTINGS_MODULE = "app.settings";
|
||||
};
|
||||
|
||||
path = [ pythonEnv ];
|
||||
|
||||
preStart = ''
|
||||
python3 src/manage.py migrate --no-input
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
sockets."dj-dgsi" = {
|
||||
description = "Socket for the DGSI Django Application";
|
||||
wantedBy = [ "sockets.target" ];
|
||||
|
||||
socketConfig = {
|
||||
ListenStream = "/run/django-apps/dgsi.sock";
|
||||
SocketMode = "600";
|
||||
SocketUser = config.services.nginx.user;
|
||||
};
|
||||
};
|
||||
|
||||
mounts = [
|
||||
{
|
||||
where = "/run/django-apps/dgsi/media";
|
||||
what = "/var/lib/django-apps/dgsi/media";
|
||||
options = "bind";
|
||||
|
||||
after = [ "dj-dgsi.service" ];
|
||||
partOf = [ "dj-dgsi.service" ];
|
||||
upheldBy = [ "dj-dgsi.service" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
|
||||
|
||||
services = {
|
||||
postgresql = {
|
||||
ensureDatabases = [ "dj-dgsi" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "dj-dgsi";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
nginx.virtualHosts."profil.dgnum.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations = {
|
||||
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
|
||||
"/static/".root = staticDrv;
|
||||
"/media/".root = "/run/django-apps/dgsi";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,35 +1,14 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
sources,
|
||||
...
|
||||
}:
|
||||
{ config, ... }:
|
||||
|
||||
let
|
||||
host = "demarches.dgnum.eu";
|
||||
|
||||
dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
|
||||
in
|
||||
{
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
dgn-web.internalPorts.ds-fr = 3000;
|
||||
|
||||
services.demarches-simplifiees = {
|
||||
enable = true;
|
||||
|
||||
package =
|
||||
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
|
||||
initialDeploymentDate = "20230923";
|
||||
}).overrideAttrs
|
||||
(old: {
|
||||
dsModules = old.dsModules.overrideAttrs {
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
|
||||
'';
|
||||
};
|
||||
});
|
||||
|
||||
secretFile = config.age.secrets."ds-fr-secret_file".path;
|
||||
|
||||
initialDeploymentDate = "20230923";
|
||||
|
|
|
@ -69,11 +69,17 @@ in
|
|||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.grafana = {
|
||||
inherit host port;
|
||||
nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
recommendedProxySettings = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "grafana" ];
|
||||
|
|
|
@ -29,6 +29,16 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${host} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
||||
|
@ -43,11 +53,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.hedgedoc = {
|
||||
inherit host port;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
|
||||
"hedgedoc"
|
||||
"hedgedoc/uploads"
|
||||
|
|
|
@ -1,22 +1,14 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
meta,
|
||||
nixpkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
attrValues
|
||||
catAttrs
|
||||
escapeRegex
|
||||
concatStringsSep
|
||||
mapAttrs'
|
||||
nameValuePair
|
||||
;
|
||||
inherit (lib) escapeRegex concatStringsSep;
|
||||
|
||||
domain = "sso.dgnum.eu";
|
||||
port = 8443;
|
||||
|
||||
cert = config.security.acme.certs.${domain};
|
||||
|
||||
|
@ -35,21 +27,19 @@ let
|
|||
"netbird-beta.hubrecht.ovh"
|
||||
]
|
||||
);
|
||||
|
||||
usernameFor = member: meta.organization.members.${member}.username;
|
||||
in
|
||||
{
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
|
||||
# package = nixpkgs.unstable.kanidm;
|
||||
package = nixpkgs.unstable.kanidm;
|
||||
|
||||
serverSettings = {
|
||||
inherit domain;
|
||||
|
||||
origin = "https://${domain}";
|
||||
|
||||
bindaddress = "127.0.0.1:${builtins.toString port}";
|
||||
bindaddress = "127.0.0.1:8443";
|
||||
ldapbindaddress = "0.0.0.0:636";
|
||||
|
||||
trust_x_forward_for = true;
|
||||
|
@ -57,113 +47,10 @@ in
|
|||
tls_chain = "${cert.directory}/fullchain.pem";
|
||||
tls_key = "${cert.directory}/key.pem";
|
||||
};
|
||||
|
||||
provision = {
|
||||
enable = true;
|
||||
|
||||
persons = mapAttrs' (
|
||||
_:
|
||||
{
|
||||
email,
|
||||
name,
|
||||
username,
|
||||
...
|
||||
}:
|
||||
nameValuePair username {
|
||||
displayName = name;
|
||||
mailAddresses = [ email ];
|
||||
}
|
||||
) meta.organization.members;
|
||||
|
||||
groups =
|
||||
{
|
||||
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
|
||||
}
|
||||
// (mapAttrs' (
|
||||
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
|
||||
) meta.organization.groups);
|
||||
|
||||
# INFO: The authentication resources declared here can only be for internal services,
|
||||
# as regular members cannot be statically known.
|
||||
systems.oauth2 = {
|
||||
dgn_grafana = {
|
||||
displayName = "Grafana [Analysis]";
|
||||
originLanding = "https://grafana.dgnum.eu";
|
||||
originUrl = "https://grafana.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_librenms = {
|
||||
allowInsecureClientDisablePkce = true;
|
||||
displayName = "LibreNMS [Network]";
|
||||
enableLegacyCrypto = true;
|
||||
originLanding = "https://nms.dgnum.eu";
|
||||
originUrl = "https://nms.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_netbird = {
|
||||
displayName = "Netbird [VPN]";
|
||||
enableLocalhostRedirects = true;
|
||||
originLanding = "https://netbird.dgnum.eu";
|
||||
originUrl = "https://netbird.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
public = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_netbox = {
|
||||
allowInsecureClientDisablePkce = true;
|
||||
displayName = "Netbox [Inventory]";
|
||||
enableLegacyCrypto = true;
|
||||
originLanding = "https://netbox.dgnum.eu";
|
||||
originUrl = "https://netbox.dgnum.eu/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
|
||||
dgn_outline = {
|
||||
displayName = "Outline [Docs]";
|
||||
originUrl = "https://docs.dgnum.eu/";
|
||||
originLanding = "https://docs.dgnum.eu";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.kanidm.extraGroups = [ cert.group ];
|
||||
|
||||
dgn-web.internalPorts.kanidm = port;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
|
@ -171,7 +58,7 @@ in
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "https://127.0.0.1:${builtins.toString port}";
|
||||
proxyPass = "https://127.0.0.1:8443";
|
||||
|
||||
extraConfig = ''
|
||||
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
(import ../../../../keys).mkSecrets [ "compute01" ] [
|
||||
let
|
||||
lib = import ../../../../lib { };
|
||||
publicKeys = lib.getNodeKeys "compute01";
|
||||
in
|
||||
|
||||
lib.setDefault { inherit publicKeys; } [
|
||||
"kanidm-password_admin"
|
||||
"kanidm-password_idm_admin"
|
||||
]
|
||||
|
|
|
@ -3,24 +3,28 @@
|
|||
let
|
||||
host = "cloud.dgnum.eu";
|
||||
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
||||
|
||||
port = 9980;
|
||||
in
|
||||
{
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
hostName = host;
|
||||
|
||||
package = pkgs.nextcloud29;
|
||||
package = pkgs.nextcloud28;
|
||||
|
||||
https = true;
|
||||
|
||||
config = {
|
||||
overwriteProtocol = "https";
|
||||
|
||||
dbtype = "pgsql";
|
||||
|
||||
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
|
||||
adminuser = "thubrecht";
|
||||
|
||||
defaultPhoneRegion = "FR";
|
||||
|
||||
trustedProxies = [ "::1" ];
|
||||
|
||||
objectstore.s3 = {
|
||||
enable = true;
|
||||
|
||||
|
@ -57,7 +61,7 @@ in
|
|||
"opcache.max_accelerated_files" = "10000";
|
||||
"opcache.memory_consumption" = "128";
|
||||
"opcache.revalidate_freq" = "1";
|
||||
"opcache.fast_shutdown" = "0";
|
||||
"opcache.fast_shutdown" = "1";
|
||||
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
||||
catch_workers_output = "yes";
|
||||
};
|
||||
|
@ -67,17 +71,11 @@ in
|
|||
|
||||
autoUpdateApps.enable = true;
|
||||
|
||||
settings = {
|
||||
overwriteprotocol = "https";
|
||||
|
||||
extraOptions = {
|
||||
overwritehost = host;
|
||||
"overwrite.cli.url" = "https://${host}";
|
||||
updatechecker = false;
|
||||
|
||||
default_phone_region = "FR";
|
||||
|
||||
trusted_proxies = [ "::1" ];
|
||||
|
||||
allow_local_remote_servers = true;
|
||||
maintenance_window_start = 1;
|
||||
|
||||
|
@ -99,20 +97,22 @@ in
|
|||
};
|
||||
|
||||
virtualisation.oci-containers = {
|
||||
# # Since 22.05, the default driver is podman but it doesn't work
|
||||
# # with podman. It would however be nice to switch to podman.
|
||||
# backend = "docker";
|
||||
containers.collabora = {
|
||||
image = "collabora/code";
|
||||
imageFile = pkgs.dockerTools.pullImage {
|
||||
imageName = "collabora/code";
|
||||
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
|
||||
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
|
||||
imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
|
||||
sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
|
||||
};
|
||||
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
|
||||
ports = [ "9980:9980" ];
|
||||
environment = {
|
||||
domain = "cloud.dgnum.eu";
|
||||
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
|
||||
};
|
||||
extraOptions = [
|
||||
"--network=host"
|
||||
"--cap-add"
|
||||
"MKNOD"
|
||||
"--cap-add"
|
||||
|
@ -121,8 +121,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.internalPorts.collabora = port;
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
${host} = {
|
||||
enableACME = true;
|
||||
|
@ -140,25 +138,25 @@ in
|
|||
extraConfig = ''
|
||||
# static files
|
||||
location ^~ /browser {
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# WOPI discovery URL
|
||||
location ^~ /hosting/discovery {
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# Capabilities
|
||||
location ^~ /hosting/capabilities {
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# main websocket
|
||||
location ~ ^/cool/(.*)/ws$ {
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
|
@ -167,13 +165,13 @@ in
|
|||
|
||||
# download, presentation and image upload
|
||||
location ~ ^/(c|l)ool {
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# Admin Console websocket
|
||||
location ^~ /cool/adminws {
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
services.nginx = {
|
||||
virtualHosts."ollama01.beta.dgnum.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://100.80.103.206:11434";
|
||||
basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
|
||||
raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
let
|
||||
host = "docs.dgnum.eu";
|
||||
port = 3003;
|
||||
in
|
||||
{
|
||||
services.outline = {
|
||||
|
@ -36,12 +35,21 @@ in
|
|||
defaultLanguage = "fr_FR";
|
||||
|
||||
forceHttps = false;
|
||||
inherit port;
|
||||
port = 3003;
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.outline = {
|
||||
inherit host port;
|
||||
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:3003";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
locations."/robots.txt" = {
|
||||
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
|
||||
};
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "outline" ];
|
||||
|
|
|
@ -38,7 +38,16 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.plausible = {
|
||||
inherit host port;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,15 +2,16 @@
|
|||
|
||||
let
|
||||
host = "saml-idp.dgnum.eu";
|
||||
port = 8090;
|
||||
in
|
||||
{
|
||||
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
services.satosa = {
|
||||
enable = true;
|
||||
|
||||
inherit host port;
|
||||
inherit host;
|
||||
port = 8090;
|
||||
|
||||
envFile = config.age.secrets."satosa-env_file".path;
|
||||
|
||||
|
@ -147,8 +148,9 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.satosa = {
|
||||
inherit host port;
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "satosa" ];
|
||||
|
|
|
@ -190,6 +190,14 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx = mkIf cfg.configureNginx {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${cfg.host} = {
|
||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.satosa = {
|
||||
isSystemUser = true;
|
||||
group = "satosa";
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
|
||||
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
|
||||
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
|
||||
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
|
||||
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
|
||||
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
|
||||
-> ssh-rsa krWCLQ
|
||||
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
|
||||
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
|
||||
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
|
||||
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
|
||||
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
|
||||
DdkJAqSrNkHianC5MEGgpA
|
||||
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
|
||||
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
|
||||
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
|
||||
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
|
||||
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
|
||||
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
|
||||
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
|
||||
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
|
||||
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
|
||||
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
|
||||
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
|
||||
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
|
||||
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
|
||||
サ<EFBFBD>虎 <20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ
|
Binary file not shown.
|
@ -1,30 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
|
||||
YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
|
||||
-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
|
||||
W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
|
||||
-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
|
||||
mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
|
||||
-> ssh-rsa krWCLQ
|
||||
QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
|
||||
UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
|
||||
1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
|
||||
oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
|
||||
8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
|
||||
cS3kE9LfNst2zBKHBGBOHQ
|
||||
-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
|
||||
ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
|
||||
-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
|
||||
SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
|
||||
-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
|
||||
HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
|
||||
-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
|
||||
n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
|
||||
-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
|
||||
Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
|
||||
-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
|
||||
zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
|
||||
-> l$R6Y:c1-grease
|
||||
MY0HS+ErZAtAhg
|
||||
--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
|
||||
7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H‹R¥˜Èî¼¼2'k4Ž¥zÿqȦì'ÍNò!{‹@qx΋,ƒ+iTû
|
|
@ -1,31 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
|
||||
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
|
||||
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
|
||||
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
|
||||
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
|
||||
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
|
||||
-> ssh-rsa krWCLQ
|
||||
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
|
||||
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
|
||||
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
|
||||
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
|
||||
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
|
||||
gU32t9qy5EvTbzliWpAvxw
|
||||
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
|
||||
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
|
||||
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
|
||||
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
|
||||
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
|
||||
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
|
||||
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
|
||||
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
|
||||
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
|
||||
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
|
||||
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
|
||||
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
|
||||
-> `--grease N]PH
|
||||
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
|
||||
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
|
||||
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
|
||||
:È/Àn ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5۶Û
|
Binary file not shown.
Binary file not shown.
|
@ -1,16 +1,14 @@
|
|||
(import ../../../keys).mkSecrets [ "compute01" ] [
|
||||
# List of secrets for compute01
|
||||
let
|
||||
lib = import ../../../lib { };
|
||||
publicKeys = lib.getNodeKeys "compute01";
|
||||
in
|
||||
|
||||
lib.setDefault { inherit publicKeys; } [
|
||||
"arkheon-env_file"
|
||||
"bupstash-put_key"
|
||||
"dgsi-email_host_password_file"
|
||||
"dgsi-kanidm_auth_token_file"
|
||||
"dgsi-kanidm_secret_file"
|
||||
"dgsi-secret_key_file"
|
||||
"dgsi-x509_cert_file"
|
||||
"dgsi-x509_key_file"
|
||||
"ds-fr-secret_file"
|
||||
"grafana-oauth_client_secret_file"
|
||||
"grafana-smtp_password_file"
|
||||
"grafana-oauth_client_secret_file"
|
||||
"hedgedoc-environment_file"
|
||||
"librenms-database_password_file"
|
||||
"librenms-environment_file"
|
||||
|
|
|
@ -1,29 +1,29 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA Io/zqmrxU05V3yhgyGySW5f2hlQdBOqzXzv2I5x+nVs
|
||||
O5szAc5hiv4Kw+Xo90mhst3vGLqhtqSuaKxPTkCQCJw
|
||||
-> ssh-ed25519 QlRB9Q 9gQ+5aCcW+gi30S20om5+Zign9zXfgKlG9/59a2rdl4
|
||||
nXyckLZ6zNdG096GAPlK/gyold3XxOqeKB1Kiy/BCmI
|
||||
-> ssh-ed25519 r+nK/Q nctFMke6IvbEII3/Mq7wq9Cb30GO1yBqePJXdOFjExs
|
||||
fMEbZoSsvMiFS2wHD0RCcSqbigmFHCnhEagXDTYBIW8
|
||||
-> ssh-ed25519 jIXfPA amum6RbXOklYVgw9LbePC/FlJPJHLRT1peBvcD7+3xE
|
||||
xB0z2R0gERJNMQnuuWlMZBvwBLD/0Cb70rFrnYg7Xm0
|
||||
-> ssh-ed25519 QlRB9Q 3+JuXBQQWcQbC2HsfO5FY+MQrSIpXJ1DBOpp9vHH7GY
|
||||
7IcedTCLy1clAfhlhfkkMcLLq1FNM1kugRgdnAkXeCY
|
||||
-> ssh-ed25519 r+nK/Q fS289K4zpwTlcXaI1TrfmUTdatunytf3I/Yjh33PHQQ
|
||||
4n05isyZbYWQyyASL3FRiaL4IrliW+l5uxorfKgs1Es
|
||||
-> ssh-rsa krWCLQ
|
||||
i7lgxs2DFU6OYdR0wC9NBJAUrYOarTpIBu8JiQKKTymkGauTtpCkOgakEF7N/TLd
|
||||
1KFX6ww2lhmGwgi/4qYK5R21geqbLaogm5LsSrWgwI+nAqzAasD30i4MYWSfd1PS
|
||||
kewXfRmMOUc2feMN/FiLDlyxxdg3DQImEwwAUq3k4F7W7/ggi4qPKzqzGhlOG1kB
|
||||
Ma05hLsOhTVwbyRQzf9MFDUypYJ8KRsV5/rdxnGzTaJLlYbNoQpIG3lQZelggGpS
|
||||
N6f5kz0fHRkTqCrINJpmLVkvQDbNNDslsDcr86O0LEI7NPrBry5fUSxI+YOzCJCu
|
||||
3xnkIiYlcua2WGEXNd6vPQ
|
||||
-> ssh-ed25519 /vwQcQ L9OynFtsmYWQBB/PKHsJ4B2mdUFk8wkuPzaKBmvKERc
|
||||
LPHLANWrv90EFdF+cXEOFnOf1XaLWeyEDij+DYVrDJM
|
||||
-> ssh-ed25519 0R97PA 49YuJOzGjfLe8RixCtw8Z/EEngEGyNRQjb6sDXESQyM
|
||||
ICCw8XFpzJjZpOayDR6uoHqdv0vuEVg1uQyNrNONj8s
|
||||
-> ssh-ed25519 JGx7Ng fESc17fhVuC9dfNvDZKLq5EheYw+ufw0hpJqeDffxSE
|
||||
CWRV2wnZYh/bK5xgCDUASUmYMWSLbTXqnD1TFcbEHUU
|
||||
-> ssh-ed25519 5SY7Kg DgOrBwnV6Uxc5dMcNSR57HSgTW5DsG9Y9kcNYNevMGw
|
||||
W0HtwhGJ2jiU9jrfvGoEXthZ3ewxAL8ERNOUYSgWI1A
|
||||
-> ssh-ed25519 p/Mg4Q doo+f6eD3s2uoMwekzHcUFCsls8gNZjiI0Nyyd1sClA
|
||||
NZnBQy9PJeabIwp6N7D85sI/UbCIcC7FzQALoNOD5h0
|
||||
-> ssh-ed25519 tDqJRg tVVtvHVf/l4k+vr5A81tKTff49Rn1L1lrONq1DaGxDk
|
||||
vskCx+/l45iAtB8Mn6S9T7I0rKEGgesDfqBrrT0wewU
|
||||
--- HQzVXwtwdHyjKCBSbBOTiytzpLVc1eBCZZgW7sIgFEI
|
||||
9˜†%}‹/JÞ„U»cMä8É<38>ç™`®=%¿ÝîN}
è9tñœÇ§‰¡‹¨‰rŒ}ˆ½KÿøžqøëO5GlùÑct’#" Ò[Yw½e‰<65>_ûtˆ)f3Çòª´ÕGÊ2›¹j„Wý^ìr¹ôYa=ESÓ ýØ,<2C>“‘²Ú“rÐ_„£
ý8E ªª
Ž¬1çî•íŇ“sÂ<73>ü–¼<”µŸ‚£0QMU"Œ±Ú’Åõõˆ¬wSúœ4º=ï‰G(ˆ’º<<3C>?iZSW]Œ.pP93±zžl¸OSd·êS¯šçI8Äeײ·Ú7ÃUMù¯< ªº<C2AA>Ýžóì<>?îOc2Z¬Uº Ä•èc²Ã Ô—×7@ÄýôóŠò=¨Zæ™ihC“žXß”QŸcɹ[èo=kÏòñËÞL"ZÍ/uê´q
ÛGä›–çó
Ú[<5B>–ú,£«i×Ãäs<C3A4>Jÿ•=GBç~^€Ù'Aý´èÕ±©¹í*giÝ|Ý*ù’N·ÿŠË‘a]º˜áäši|áÔŽP'_(½±ÂQLŽØl„O 0ŠÈÛ´
|
||||
P94ϨäÛF½]³¡È{Öºeç4ý[McQu‚ÎÞî«¥Jwȃ¼Ê“÷•ÁÛX@RÙÑÛŒú‰5M•Ý£‹V<E280B9>rjÇ—ó<E28094>„—½¢Ÿó7<C3B3>[¨8qÐb
|
||||
dk+PWx2abIh09/6BNshqi6X7P4uqdlO8ofsBebYlQW8j7hwFTJ89ivERMq35h/6A
|
||||
6JT8R2QRpqT8HLYK21Wi3kDaiHF0H7KhHdXotTqCi4zFAqUFRKHs96dZsSgOePoL
|
||||
iJA7a/YHofpgjzZmNvc1ewLdmDD6+SnHXIzHfdHrFINUu2iRVDPwlyidOvRzJuGu
|
||||
OJv+KChAZ0l2RhQCH+dw5uzJZP6WKfoNhsupTtxLRlfb/gEWSUfahA85rWc5JvT4
|
||||
udw/oW3C7/hjiwKa8sd5XmxWz8BYut7OwTAFEXZCDSVuABjfUOKCF9IduTO3C8hP
|
||||
9fxCaztbhnCicDbTseP3rQ
|
||||
-> ssh-ed25519 /vwQcQ 3NrE1YovFZCAdBv2jjGLkj07Auqyt1gBxP5zn0vXNkc
|
||||
hYIWVsJNiKIbMl7zg7Qlf/HqwZ49eQsFs/3pFH809K8
|
||||
-> ssh-ed25519 0R97PA aw0rnvI6F3l/XA9SmK6I/mxDuVU7SD3jVcliix4u91Y
|
||||
TR+cZbyrengvbKF2jjhF42N+Iq7F3PMO71tc8e/Dy6s
|
||||
-> ssh-ed25519 JGx7Ng k+FsCk0FCgwsIOICmyOwJhrbTgleVoiqopv4cY5fmHQ
|
||||
ZNCkfdStH2LqTiDTZ4VZIomsPw+S8PeSZpz/r088iAM
|
||||
-> ssh-ed25519 5SY7Kg bN3Yr4E+74hi46Zn6eLknIxbhW7E+XGPGuF1I07h7EU
|
||||
UgX/w4B5iyJKXPcG4DCcM+vsZS/iGM8NFRS3F5qbif8
|
||||
-> ssh-ed25519 p/Mg4Q U1UZZaCOZ/gpLC0wc+ltv6Gx0GsYucydBmlHwnZT00k
|
||||
Dod7IsbtLnX89ekJGoRevH5OLd/ztLD4bsz3mUiuoHU
|
||||
-> ssh-ed25519 tDqJRg ydfBlrMl0PiStKGgxM48S2SFOQ+TdCU7WVkKoEne6W0
|
||||
WNRZAx3aKOq+/Cz7TGI6Eu1QN+hqZlPuscGBNkOJBhg
|
||||
--- E6Fp2JAT9jd8jYWOtMWkH0BNqrafOxBzyRLdK5H1/CI
|
||||
,Ò|®<Û([Û‡ÐUå¥-ÙŽ‘`/ú:z õÀ§aØ2çu<C3A7>d"òB íÀ•°<E280A2> Gž»ŒžJÈô$ë¼=ÿ£Eé&Î4tè<74>€¶§<C2B6>â¶÷v?g-º¦0!PCé¹S¹ból½nWf‹|:›ørm^麕:¹ÎÊ\nOƒEc<45>Zé?‹°
4ŒÎ+W©X;
û=7j6!Å@«Ãœ)oœ¸Ì<C2B8>4Ø+ÞÑ÷/¯3òʤ-…;$aeµ‘Ûˆ¶jß¹²:=åféت§ÀcŽJnžèÁû4Eø/_¬L€9³`Úò<C39A>Æðä³Ë:^:O<>ìp
H(Ð÷ <20>Ä邃àÄ ¢~ÔÛû×,iùºÎk~&çùpм0ìÜçÖèòG¢e`Å<>Ï•Õq"šè!™r‹<72>Ͳs
|
||||
þô*«ý‘Ö®þ5
‰P¿ºB¥.Ï\{wW<_E•)Rh
|
|
@ -7,16 +7,12 @@
|
|||
{
|
||||
imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
|
||||
|
||||
systemd.services.signal-irc-bridge.serviceConfig = {
|
||||
Group = "nginx";
|
||||
};
|
||||
services.signal-irc-bridge = {
|
||||
enable = true;
|
||||
package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
|
||||
configFile = config.age.secrets."signal-irc-bridge-config".path;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."bridge.dgnum.eu" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
|
||||
};
|
||||
users.users.nginx.extraGroups = [ "signal-irc" ];
|
||||
}
|
||||
|
|
30
machines/compute01/stirling-pdf.nix
Normal file
30
machines/compute01/stirling-pdf.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{ nixpkgs, ... }:
|
||||
|
||||
let
|
||||
dgn-id = "57ac2e06a00384772bf63f055874ce2fefe4eb0a";
|
||||
in
|
||||
|
||||
{
|
||||
services.stirling-pdf = {
|
||||
enable = true;
|
||||
|
||||
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
|
||||
patches = (old.patches or [ ]) ++ [
|
||||
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
|
||||
];
|
||||
});
|
||||
|
||||
domain = "pdf.dgnum.eu";
|
||||
port = 8084;
|
||||
|
||||
nginx = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
environment = {
|
||||
UI_APP_NAME = "DGNum PDF";
|
||||
SYSTEM_DEFAULT_LOCALE = "fr-FR";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,35 +0,0 @@
|
|||
diff --git a/build.gradle b/build.gradle
|
||||
index 78901d8e..3a14ceee 100644
|
||||
--- a/build.gradle
|
||||
+++ b/build.gradle
|
||||
@@ -70,20 +70,6 @@ launch4j {
|
||||
messagesInstanceAlreadyExists="Stirling-PDF is already running."
|
||||
}
|
||||
|
||||
-spotless {
|
||||
- java {
|
||||
- target project.fileTree('src/main/java')
|
||||
-
|
||||
- googleJavaFormat('1.19.1').aosp().reorderImports(false)
|
||||
-
|
||||
- importOrder('java', 'javax', 'org', 'com', 'net', 'io')
|
||||
- toggleOffOn()
|
||||
- trimTrailingWhitespace()
|
||||
- indentWithSpaces()
|
||||
- endWithNewline()
|
||||
- }
|
||||
-}
|
||||
-
|
||||
dependencies {
|
||||
//security updates
|
||||
implementation 'ch.qos.logback:logback-classic:1.5.3'
|
||||
@@ -171,9 +157,6 @@ dependencies {
|
||||
annotationProcessor 'org.projectlombok:lombok:1.18.32'
|
||||
}
|
||||
|
||||
-tasks.withType(JavaCompile).configureEach {
|
||||
- dependsOn 'spotlessApply'
|
||||
-}
|
||||
compileJava {
|
||||
options.compilerArgs << '-parameters'
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
diff --git a/build.gradle b/build.gradle
|
||||
index 78901d8e..2e7ff96b 100644
|
||||
--- a/build.gradle
|
||||
+++ b/build.gradle
|
||||
@@ -166,6 +166,7 @@ task writeVersion {
|
||||
def props = new Properties()
|
||||
props.setProperty('version', version)
|
||||
props.store(propsFile.newWriter(), null)
|
||||
+ propsFile.text = propsFile.readLines().tail().join('\n')
|
||||
}
|
||||
|
||||
swaggerhubUpload {
|
|
@ -1,16 +0,0 @@
|
|||
diff --git a/build.gradle b/build.gradle
|
||||
index 2e7ff96b..f3a4a15c 100644
|
||||
--- a/build.gradle
|
||||
+++ b/build.gradle
|
||||
@@ -21,6 +21,11 @@ repositories {
|
||||
mavenCentral()
|
||||
}
|
||||
|
||||
+tasks.withType(AbstractArchiveTask) {
|
||||
+ preserveFileTimestamps = false
|
||||
+ reproducibleFileOrder = true
|
||||
+}
|
||||
+
|
||||
licenseReport {
|
||||
renderers = [new JsonReportRenderer()]
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
diff --git a/build.gradle b/build.gradle
|
||||
index f3a4a15c..61fbd74e 100644
|
||||
--- a/build.gradle
|
||||
+++ b/build.gradle
|
||||
@@ -18,7 +18,7 @@ version = '0.26.1'
|
||||
sourceCompatibility = '17'
|
||||
|
||||
repositories {
|
||||
- mavenCentral()
|
||||
+ maven { url '@deps@' }
|
||||
}
|
||||
|
||||
tasks.withType(AbstractArchiveTask) {
|
||||
diff --git a/settings.gradle b/settings.gradle
|
||||
index f8139930..2c87f3cc 100644
|
||||
--- a/settings.gradle
|
||||
+++ b/settings.gradle
|
||||
@@ -1 +1,7 @@
|
||||
+pluginManagement {
|
||||
+ repositories {
|
||||
+ maven { url '@deps@' }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
rootProject.name = 'Stirling-PDF'
|
|
@ -1,22 +0,0 @@
|
|||
diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
|
||||
index cab78313..192922f3 100644
|
||||
--- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
|
||||
+++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
|
||||
@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
|
||||
processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
|
||||
}
|
||||
|
||||
- @Test
|
||||
+ /* @Test
|
||||
public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
|
||||
// Mock the command to execute
|
||||
List<String> command = new ArrayList<>();
|
||||
@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
|
||||
// Check the exit code and output messages
|
||||
assertEquals(0, result.getRc());
|
||||
assertNotNull(result.getMessages()); // Check if messages are not null
|
||||
- }
|
||||
+ } */
|
||||
|
||||
@Test
|
||||
public void testRunCommandWithOutputHandling_Error() {
|
|
@ -1,42 +0,0 @@
|
|||
{ nixpkgs, ... }:
|
||||
|
||||
let
|
||||
###
|
||||
# How to update:
|
||||
# - clone https://git.dgnum.eu/DGNum/Stirling-PDF
|
||||
# - switch to the branch dgn-v0.X.Y where X.Y is the version in production
|
||||
# - fetch upstream changes up to the tagged release in nixos-unstable
|
||||
# - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
|
||||
# - push to a new branch dgn-v0.A.B where A.B is the new version
|
||||
# - finally, update the commit hash of the customization patch
|
||||
|
||||
dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
|
||||
port = 8084;
|
||||
in
|
||||
|
||||
{
|
||||
dgn-web.internalPorts.stirling-pdf = port;
|
||||
|
||||
services.stirling-pdf = {
|
||||
enable = true;
|
||||
|
||||
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
|
||||
patches = (old.patches or [ ]) ++ [
|
||||
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
|
||||
];
|
||||
});
|
||||
|
||||
domain = "pdf.dgnum.eu";
|
||||
inherit port;
|
||||
|
||||
nginx = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
environment = {
|
||||
UI_APP_NAME = "DGNum PDF";
|
||||
SYSTEM_DEFAULT_LOCALE = "fr-FR";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
_: { dgn-chatops.enable = true; }
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
let
|
||||
host = "pass.dgnum.eu";
|
||||
port = 10501;
|
||||
wsPort = 10500;
|
||||
in
|
||||
{
|
||||
services.vaultwarden = {
|
||||
|
@ -12,9 +10,9 @@ in
|
|||
config = {
|
||||
DOMAIN = "https://${host}";
|
||||
WEBSOCKET_ENABLED = true;
|
||||
WEBSOCKET_PORT = wsPort;
|
||||
WEBSOCKET_PORT = 10500;
|
||||
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
|
||||
ROCKET_PORT = port;
|
||||
ROCKET_PORT = 10501;
|
||||
ROCKET_ADDRESS = "127.0.0.1";
|
||||
SIGNUPS_VERIFY = true;
|
||||
USE_SYSLOG = true;
|
||||
|
@ -33,28 +31,34 @@ in
|
|||
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
|
||||
};
|
||||
|
||||
dgn-web = {
|
||||
internalPorts.vaultwarden-websockets = wsPort;
|
||||
services = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
||||
simpleProxies.vaultwarden = {
|
||||
inherit host port;
|
||||
virtualHosts.${host} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:10501";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
vhostConfig.locations = {
|
||||
"/notifications/hub" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyPass = "http://127.0.0.1:10500";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
"/notifications/hub/negotiate" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
|
||||
proxyPass = "http://127.0.0.1:10501";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases = [ "vaultwarden" ];
|
||||
|
@ -66,6 +70,7 @@ in
|
|||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
|
||||
dgn-backups.postgresDatabases = [ "vaultwarden" ];
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
(import ../../../keys).mkSecrets [ "geo01" ] [
|
||||
# List of secrets for geo01
|
||||
]
|
||||
let
|
||||
lib = import ../../../lib { };
|
||||
publicKeys = lib.getNodeKeys "geo01";
|
||||
in
|
||||
lib.setDefault { inherit publicKeys; } [ ]
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
(import ../../../keys).mkSecrets [ "geo02" ] [
|
||||
# List of secrets for geo02
|
||||
]
|
||||
let
|
||||
lib = import ../../../lib { };
|
||||
publicKeys = lib.getNodeKeys "geo02";
|
||||
in
|
||||
lib.setDefault { inherit publicKeys; } [ ]
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
"dgn-web"
|
||||
"dgn-fail2ban"
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
|
@ -12,6 +12,11 @@ lib.extra.mkConfig {
|
|||
];
|
||||
|
||||
extraConfig = {
|
||||
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
|
||||
"sshd-bruteforce"
|
||||
"sshd-timeout"
|
||||
];
|
||||
|
||||
services.netbird.enable = true;
|
||||
};
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
(import ../../../keys).mkSecrets [ "rescue01" ] [
|
||||
# List of secrets for rescue01
|
||||
"stateless-uptime-kuma-password"
|
||||
]
|
||||
let
|
||||
lib = import ../../../lib { };
|
||||
publicKeys = lib.getNodeKeys "rescue01";
|
||||
in
|
||||
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]
|
||||
|
|
|
@ -36,7 +36,6 @@ let
|
|||
"cdn.dgnum.eu"
|
||||
"saml-idp.dgnum.eu"
|
||||
"status.dgnum.eu"
|
||||
"radius.dgnum.eu"
|
||||
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
|
||||
|
||||
extraProbes = {
|
||||
|
@ -46,16 +45,6 @@ let
|
|||
accepted_statuscodes = [ "401" ];
|
||||
};
|
||||
|
||||
"ollama01.beta.dgnum.eu" = {
|
||||
type = mkForce "http";
|
||||
accepted_statuscodes = [ "401" ];
|
||||
};
|
||||
|
||||
"s3-admin.dgnum.eu" = {
|
||||
type = mkForce "http";
|
||||
accepted_statuscodes = [ "400" ];
|
||||
};
|
||||
|
||||
"api.meet.dgnum.eu" = {
|
||||
keyword = "Crab Fit API";
|
||||
};
|
||||
|
@ -132,10 +121,23 @@ in
|
|||
|
||||
services.uptime-kuma.enable = true;
|
||||
|
||||
dgn-web.simpleProxies.uptime-kuma = {
|
||||
inherit host port;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
statelessUptimeKuma = {
|
||||
probesConfig = mkMerge [
|
||||
|
|
|
@ -4,12 +4,13 @@ lib.extra.mkConfig {
|
|||
enabledModules = [
|
||||
# List of modules to enable
|
||||
"dgn-backups"
|
||||
"dgn-fail2ban"
|
||||
"dgn-web"
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
# List of services to enable
|
||||
"tvix-cache"
|
||||
"atticd"
|
||||
"forgejo"
|
||||
"forgejo-runners"
|
||||
"garage"
|
||||
|
@ -17,11 +18,11 @@ lib.extra.mkConfig {
|
|||
"netbird"
|
||||
"peertube"
|
||||
"prometheus"
|
||||
"redirections"
|
||||
"victoria-metrics"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
dgn-fail2ban.jails.sshd-preauth.enabled = true;
|
||||
|
||||
dgn-hardware.useZfs = true;
|
||||
|
||||
services.netbird.enable = true;
|
||||
|
|
82
machines/storage01/atticd.nix
Normal file
82
machines/storage01/atticd.nix
Normal file
|
@ -0,0 +1,82 @@
|
|||
{ config, nixpkgs, ... }:
|
||||
|
||||
let
|
||||
host = "cachix.dgnum.eu";
|
||||
in
|
||||
{
|
||||
services = {
|
||||
atticd = {
|
||||
enable = true;
|
||||
|
||||
credentialsFile = config.age.secrets."atticd-credentials_file".path;
|
||||
|
||||
settings = {
|
||||
listen = "127.0.0.1:9090";
|
||||
api-endpoint = "https://${host}/";
|
||||
|
||||
allowed-hosts = [ host ];
|
||||
|
||||
chunking = {
|
||||
# The minimum NAR size to trigger chunking
|
||||
#
|
||||
# If 0, chunking is disabled entirely for newly-uploaded NARs.
|
||||
# If 1, all NARs are chunked.
|
||||
nar-size-threshold = 0; # 64 KiB
|
||||
|
||||
# The preferred minimum size of a chunk, in bytes
|
||||
min-size = 16 * 1024; # 16 KiB
|
||||
|
||||
# The preferred average size of a chunk, in bytes
|
||||
avg-size = 64 * 1024; # 64 KiB
|
||||
|
||||
# The preferred maximum size of a chunk, in bytes
|
||||
max-size = 256 * 1024; # 256 KiB
|
||||
};
|
||||
|
||||
database.url = "postgresql://atticd?host=/run/postgresql";
|
||||
|
||||
storage = {
|
||||
type = "s3";
|
||||
region = "garage";
|
||||
bucket = "attic-dgnum";
|
||||
endpoint = "https://s3.dgnum.eu";
|
||||
};
|
||||
};
|
||||
|
||||
useFlakeCompatOverlay = false;
|
||||
package = nixpkgs.unstable.attic-server;
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:9090";
|
||||
|
||||
extraConfig = ''
|
||||
client_max_body_size 10G;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases = [ "atticd" ];
|
||||
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "atticd";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.atticd.environment.RUST_LOG = "warn";
|
||||
}
|
|
@ -1,4 +1,9 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
nixpkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
url = "https://git.dgnum.eu";
|
||||
|
@ -31,12 +36,14 @@ in
|
|||
|
||||
inherit url;
|
||||
|
||||
storePath = "/data/slow";
|
||||
storePath = "/data/slow/nix";
|
||||
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
|
||||
|
||||
dependencies = [
|
||||
pkgs.colmena
|
||||
pkgs.npins
|
||||
pkgs.tea
|
||||
nixpkgs.unstable.nixfmt-rfc-style
|
||||
];
|
||||
|
||||
containerOptions = [ "--cpus=4" ];
|
||||
|
|
|
@ -31,7 +31,6 @@ in
|
|||
|
||||
admin = {
|
||||
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
|
||||
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
|
||||
};
|
||||
|
||||
log.LEVEL = "Warn";
|
||||
|
@ -45,23 +44,16 @@ in
|
|||
USER = "web-services@infra.dgnum.eu";
|
||||
};
|
||||
|
||||
session = {
|
||||
SESSION_LIFE_TIME = 24 * 3600 * 7;
|
||||
GC_INTERVAL_TIME = 24 * 3600 * 7;
|
||||
};
|
||||
|
||||
server = {
|
||||
ROOT_URL = "https://${host}/";
|
||||
DOMAIN = host;
|
||||
HTTP_ADDRESS = "127.0.0.1";
|
||||
HTTP_PORT = port;
|
||||
APP_DATA_PATH = "/var/lib/git/data";
|
||||
OFFLINE_MODE = false;
|
||||
};
|
||||
|
||||
service = {
|
||||
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
|
||||
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
|
||||
ENABLE_NOTIFY_MAIL = true;
|
||||
|
||||
DISABLE_REGISTRATION = false;
|
||||
|
@ -69,19 +61,22 @@ in
|
|||
};
|
||||
|
||||
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
|
||||
|
||||
"cron.cleanup_actions".ENABLED = true;
|
||||
"cron.delete_old_actions".ENABLED = true;
|
||||
"cron.git_gc_repos".ENABLED = true;
|
||||
"cron.update_checker".ENABLED = false;
|
||||
};
|
||||
|
||||
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
|
||||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.forgejo = {
|
||||
inherit host port;
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.git = {
|
||||
|
|
|
@ -1,13 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mapAttrs' nameValuePair;
|
||||
|
||||
host = "s3.dgnum.eu";
|
||||
webHost = "cdn.dgnum.eu";
|
||||
|
||||
|
@ -15,66 +8,50 @@ let
|
|||
metadata_dir = "/data/fast/garage/meta";
|
||||
|
||||
domains = [
|
||||
"bandarretdurgence.ens.fr"
|
||||
"boussole-sante.normalesup.eu"
|
||||
"lanuit.ens.fr"
|
||||
"simi.normalesup.eu"
|
||||
];
|
||||
|
||||
buckets = [
|
||||
"monorepo-terraform-state"
|
||||
|
||||
"banda-website"
|
||||
"castopod-dgnum"
|
||||
"hackens-website"
|
||||
"nuit-website"
|
||||
"peertube-videos-dgnum"
|
||||
"banda-website"
|
||||
] ++ domains;
|
||||
|
||||
mkHosted = host: builtins.map (b: "${b}.${host}");
|
||||
|
||||
ports = {
|
||||
admin_api = 3903;
|
||||
k2v_api = 3904;
|
||||
rpc = 3901;
|
||||
s3_api = 3900;
|
||||
s3_web = 3902;
|
||||
};
|
||||
in
|
||||
{
|
||||
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
|
||||
|
||||
services.garage = {
|
||||
enable = true;
|
||||
|
||||
package = pkgs.garage_1_0_1;
|
||||
package = pkgs.garage_0_9;
|
||||
|
||||
settings = {
|
||||
inherit data_dir metadata_dir;
|
||||
|
||||
db_engine = "lmdb";
|
||||
|
||||
replication_mode = "none"; # TODO: deprecated
|
||||
replication_mode = "none";
|
||||
compression_level = 7;
|
||||
|
||||
rpc_bind_addr = "[::]:${toString ports.rpc}";
|
||||
rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
|
||||
rpc_bind_addr = "[::]:3901";
|
||||
rpc_public_addr = "127.0.0.1:3901";
|
||||
|
||||
s3_api = {
|
||||
s3_region = "garage";
|
||||
api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
|
||||
api_bind_addr = "127.0.0.1:3900";
|
||||
root_domain = ".${host}";
|
||||
};
|
||||
|
||||
s3_web = {
|
||||
bind_addr = "127.0.0.1:${toString ports.s3_web}";
|
||||
bind_addr = "127.0.0.1:3902";
|
||||
root_domain = ".${webHost}";
|
||||
index = "index.html";
|
||||
};
|
||||
|
||||
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
|
||||
k2v_api.api_bind_addr = "[::]:3904";
|
||||
|
||||
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
|
||||
admin.api_bind_addr = "127.0.0.1:3903";
|
||||
};
|
||||
|
||||
environmentFile = config.age.secrets."garage-environment_file".path;
|
||||
|
@ -86,7 +63,7 @@ in
|
|||
data_dir
|
||||
metadata_dir
|
||||
];
|
||||
TimeoutSec = 600;
|
||||
TimeoutSec = 3000;
|
||||
};
|
||||
|
||||
users.users.garage = {
|
||||
|
@ -96,17 +73,6 @@ in
|
|||
users.groups.garage = { };
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"s3-admin.dgnum.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:${toString ports.admin_api};
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
};
|
||||
|
||||
${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -114,7 +80,7 @@ in
|
|||
serverAliases = mkHosted host buckets;
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:${toString ports.s3_api};
|
||||
proxy_pass http://127.0.0.1:3900;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
# Disable buffering to a temporary file.
|
||||
|
@ -130,7 +96,7 @@ in
|
|||
serverAliases = domains ++ (mkHosted webHost buckets);
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:${toString ports.s3_web};
|
||||
proxy_pass http://127.0.0.1:3902;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
|
|
|
@ -5,7 +5,6 @@ let
|
|||
token = user: secret "${user}_token_file";
|
||||
|
||||
host = "influx.dgnum.eu";
|
||||
port = 8086;
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -42,8 +41,13 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.influxdb = {
|
||||
inherit host port;
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8086";
|
||||
};
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "influxdb2" ];
|
||||
|
|
|
@ -1,82 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nixpkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
domain = "netbird.dgnum.eu";
|
||||
|
||||
s = name: config.age.secrets.${name}.path;
|
||||
in
|
||||
{
|
||||
services = {
|
||||
netbird.server = {
|
||||
enable = true;
|
||||
|
||||
package = nixpkgs.unstable.netbird;
|
||||
|
||||
inherit domain;
|
||||
|
||||
enableNginx = true;
|
||||
|
||||
coturn.enable = lib.mkForce false;
|
||||
|
||||
relay = {
|
||||
environmentFile = s "netbird-relay_environment_file";
|
||||
metricsPort = 9094;
|
||||
};
|
||||
|
||||
dashboard = {
|
||||
settings = {
|
||||
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
|
||||
AUTH_AUDIENCE = "dgn_netbird";
|
||||
AUTH_CLIENT_ID = "dgn_netbird";
|
||||
};
|
||||
};
|
||||
|
||||
management = {
|
||||
oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
|
||||
|
||||
dnsDomain = "dgnum";
|
||||
|
||||
metricsPort = 9092;
|
||||
|
||||
settings = {
|
||||
DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
|
||||
|
||||
PKCEAuthorizationFlow.ProviderConfig = {
|
||||
Audience = "dgn_netbird";
|
||||
ClientID = "dgn_netbird";
|
||||
AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
|
||||
TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
|
||||
};
|
||||
|
||||
IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
|
||||
|
||||
DeviceAuthorizationFlow = {
|
||||
Provider = "none";
|
||||
ProviderConfig = {
|
||||
Audience = "dgn_netbird";
|
||||
ClientID = "dgn_netbird";
|
||||
};
|
||||
};
|
||||
|
||||
Relay = {
|
||||
Addresses = [ "rels://${domain}:443" ];
|
||||
CredentialsTTL = "24h";
|
||||
Secret._secret = s "netbird-relay_secret_file";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
|
||||
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
|
||||
}
|
47
machines/storage01/netbird/default.nix
Normal file
47
machines/storage01/netbird/default.nix
Normal file
|
@ -0,0 +1,47 @@
|
|||
{ config, ... }:
|
||||
|
||||
let
|
||||
domain = "netbird.dgnum.eu";
|
||||
in
|
||||
{
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
services.netbird-server = {
|
||||
enable = true;
|
||||
|
||||
logLevel = "DEBUG";
|
||||
enableDeviceAuthorizationFlow = false;
|
||||
enableNginx = true;
|
||||
enableCoturn = true;
|
||||
setupAutoOidc = true;
|
||||
|
||||
management.dnsDomain = "dgnum";
|
||||
|
||||
secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
|
||||
|
||||
settings = {
|
||||
NETBIRD_DOMAIN = domain;
|
||||
|
||||
TURN_PASSWORD = "tototest1234";
|
||||
|
||||
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
|
||||
NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
|
||||
|
||||
NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
|
||||
NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
|
||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
||||
# Updates the preference to use id tokens instead of access token on dashboard
|
||||
# Okta and Gitlab IDPs can benefit from this
|
||||
NETBIRD_TOKEN_SOURCE = "idToken";
|
||||
|
||||
# NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
|
||||
# "53000"
|
||||
# "54000"
|
||||
# ];
|
||||
|
||||
NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
|
||||
};
|
||||
};
|
||||
|
||||
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
|
||||
}
|
643
machines/storage01/netbird/module.nix
Normal file
643
machines/storage01/netbird/module.nix
Normal file
|
@ -0,0 +1,643 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
filterAttrs
|
||||
literalExpression
|
||||
maintainers
|
||||
mkDefault
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkMerge
|
||||
mkOption
|
||||
optionalAttrs
|
||||
optionalString
|
||||
optionals
|
||||
types
|
||||
;
|
||||
|
||||
inherit ((import ./package { inherit pkgs; })) dashboard;
|
||||
|
||||
cfg = config.services.netbird-server;
|
||||
|
||||
stateDir = "/var/lib/netbird-mgmt";
|
||||
|
||||
settingsFormat = pkgs.formats.keyValue { };
|
||||
managementFormat = pkgs.formats.json { };
|
||||
|
||||
settingsFile = settingsFormat.generate "setup.env" (
|
||||
builtins.mapAttrs (
|
||||
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
|
||||
) settings
|
||||
);
|
||||
|
||||
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
|
||||
|
||||
settings =
|
||||
rec {
|
||||
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
|
||||
TURN_PORT = 3478;
|
||||
TURN_USER = "netbird";
|
||||
TURN_MIN_PORT = 49152;
|
||||
TURN_MAX_PORT = 65535;
|
||||
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
|
||||
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
|
||||
|
||||
STUN_USERNAME = "";
|
||||
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
|
||||
|
||||
NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443";
|
||||
NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
|
||||
builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT
|
||||
}";
|
||||
NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
|
||||
builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT
|
||||
}";
|
||||
|
||||
NETBIRD_SIGNAL_PROTOCOL = "https";
|
||||
NETBIRD_SIGNAL_PORT = 443;
|
||||
|
||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
||||
NETBIRD_AUTH_CLIENT_SECRET =
|
||||
if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
|
||||
NETBIRD_AUTH_SUPPORTED_SCOPES = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
"offline_access"
|
||||
"api"
|
||||
];
|
||||
|
||||
NETBIRD_AUTH_REDIRECT_URI = "";
|
||||
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
|
||||
|
||||
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
|
||||
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
||||
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
|
||||
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [
|
||||
"openid"
|
||||
"profile"
|
||||
"email"
|
||||
"offline_access"
|
||||
"api"
|
||||
];
|
||||
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
|
||||
|
||||
NETBIRD_MGMT_API_PORT = 443;
|
||||
|
||||
NETBIRD_MGMT_IDP = "none";
|
||||
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
||||
NETBIRD_IDP_MGMT_CLIENT_SECRET =
|
||||
if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then
|
||||
"$IDP_MGMT_CLIENT_SECRET"
|
||||
else
|
||||
cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
|
||||
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
|
||||
|
||||
NETBIRD_TOKEN_SOURCE = "accessToken";
|
||||
NETBIRD_DRAG_QUERY_PARAMS = false;
|
||||
|
||||
NETBIRD_USE_AUTH0 = false;
|
||||
|
||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
||||
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
|
||||
p: "http://localhost:${p}"
|
||||
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
||||
}
|
||||
// (optionalAttrs cfg.setupAutoOidc {
|
||||
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
|
||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
|
||||
NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
|
||||
NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS";
|
||||
NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY";
|
||||
})
|
||||
// cfg.settings;
|
||||
in
|
||||
{
|
||||
meta = {
|
||||
maintainers = with maintainers; [ thubrecht ];
|
||||
};
|
||||
|
||||
options.services.netbird-server = {
|
||||
enable = mkEnableOption (lib.mdDoc "netbird management service.");
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.netbird;
|
||||
defaultText = literalExpression "pkgs.netbird";
|
||||
description = lib.mdDoc "The package to use for netbird";
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type =
|
||||
with types;
|
||||
attrsOf (
|
||||
nullOr (oneOf [
|
||||
(listOf str)
|
||||
bool
|
||||
int
|
||||
float
|
||||
str
|
||||
])
|
||||
);
|
||||
defaultText = lib.literalExpression ''
|
||||
{
|
||||
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
|
||||
TURN_PORT = 3478;
|
||||
TURN_USER = "netbird";
|
||||
TURN_MIN_PORT = 49152;
|
||||
TURN_MAX_PORT = 65535;
|
||||
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
|
||||
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
|
||||
|
||||
STUN_USERNAME = "";
|
||||
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
|
||||
|
||||
NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443";
|
||||
NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}";
|
||||
NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}";
|
||||
|
||||
NETBIRD_SIGNAL_PROTOCOL = "https";
|
||||
NETBIRD_SIGNAL_PORT = 443;
|
||||
|
||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
||||
NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
|
||||
NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ];
|
||||
|
||||
NETBIRD_AUTH_REDIRECT_URI = "";
|
||||
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
|
||||
|
||||
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
|
||||
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
||||
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
|
||||
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ];
|
||||
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
|
||||
|
||||
NETBIRD_MGMT_API_PORT = 443;
|
||||
|
||||
NETBIRD_MGMT_IDP = "none";
|
||||
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
||||
NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
|
||||
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
|
||||
|
||||
NETBIRD_TOKEN_SOURCE = "accessToken";
|
||||
NETBIRD_DRAG_QUERY_PARAMS = false;
|
||||
|
||||
NETBIRD_USE_AUTH0 = false;
|
||||
|
||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
||||
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
||||
}
|
||||
'';
|
||||
description = lib.mdDoc ''
|
||||
Configuration settings for netbird.
|
||||
Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example)
|
||||
List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes.
|
||||
'';
|
||||
};
|
||||
|
||||
managementConfig = mkOption {
|
||||
inherit (managementFormat) type;
|
||||
description = lib.mdDoc "Configuration of the netbird management server.";
|
||||
};
|
||||
|
||||
idpManagerExtraConfig = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = { };
|
||||
description = lib.mdDoc "Extra options passed to the IdpManagerConfig.";
|
||||
};
|
||||
|
||||
ports.management = mkOption {
|
||||
type = types.port;
|
||||
default = 8011;
|
||||
description = lib.mdDoc "Internal port of the management server.";
|
||||
};
|
||||
|
||||
ports.signal = mkOption {
|
||||
type = types.port;
|
||||
default = 8012;
|
||||
description = lib.mdDoc "Internal port of the signal server.";
|
||||
};
|
||||
|
||||
logLevel = mkOption {
|
||||
type = types.enum [
|
||||
"ERROR"
|
||||
"WARN"
|
||||
"INFO"
|
||||
"DEBUG"
|
||||
];
|
||||
default = "INFO";
|
||||
description = lib.mdDoc "Log level of the netbird services.";
|
||||
};
|
||||
|
||||
enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." // {
|
||||
default = true;
|
||||
};
|
||||
|
||||
enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server.";
|
||||
|
||||
enableCoturn = mkEnableOption "a Coturn server used for Netbird.";
|
||||
|
||||
setupAutoOidc = mkEnableOption "the automatic setup of the OIDC.";
|
||||
|
||||
management = {
|
||||
|
||||
dnsDomain = mkOption {
|
||||
type = types.str;
|
||||
default = "netbird.selfhosted";
|
||||
description = lib.mdDoc "Domain used for peer resolution.";
|
||||
};
|
||||
|
||||
singleAccountModeDomain = mkOption {
|
||||
type = types.str;
|
||||
default = "netbird.selfhosted";
|
||||
description = lib.mdDoc ''
|
||||
Enables single account mode.
|
||||
This means that all the users will be under the same account grouped by the specified domain.
|
||||
If the installation has more than one account, the property is ineffective.
|
||||
'';
|
||||
};
|
||||
|
||||
disableAnonymousMetrics = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird.";
|
||||
};
|
||||
|
||||
disableSingleAccountMode = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = lib.mdDoc ''
|
||||
If set to true, disables single account mode.
|
||||
The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
secretFiles = {
|
||||
TURN_PASSWORD = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD.";
|
||||
};
|
||||
|
||||
TURN_SECRET = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
description = lib.mdDoc "Path to a file containing the secret TURN_SECRET.";
|
||||
};
|
||||
|
||||
STUN_PASSWORD = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD.";
|
||||
};
|
||||
|
||||
AUTH_CLIENT_SECRET = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET.";
|
||||
};
|
||||
|
||||
IDP_MGMT_CLIENT_SECRET = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = cfg.secretFiles.AUTH_CLIENT_SECRET;
|
||||
defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;";
|
||||
description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf cfg.enable {
|
||||
services.netbird-server.managementConfig = with settings; {
|
||||
Stuns = mkDefault [
|
||||
{
|
||||
Proto = "udp";
|
||||
URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
|
||||
Username = STUN_USERNAME;
|
||||
Password = STUN_PASSWORD;
|
||||
}
|
||||
];
|
||||
TURNConfig = {
|
||||
Turns = [
|
||||
{
|
||||
Proto = "udp";
|
||||
URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
|
||||
Username = TURN_USER;
|
||||
Password = TURN_PASSWORD;
|
||||
}
|
||||
];
|
||||
CredentialsTTL = "12h";
|
||||
Secret = TURN_SECRET;
|
||||
TimeBasedCredentials = false;
|
||||
};
|
||||
Signal = {
|
||||
Proto = NETBIRD_SIGNAL_PROTOCOL;
|
||||
URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}";
|
||||
Username = "";
|
||||
Password = null;
|
||||
};
|
||||
Datadir = "${stateDir}/data";
|
||||
HttpConfig = {
|
||||
Address = "127.0.0.1:${builtins.toString cfg.ports.management}";
|
||||
AuthIssuer = NETBIRD_AUTH_AUTHORITY;
|
||||
AuthAudience = NETBIRD_AUTH_AUDIENCE;
|
||||
AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS;
|
||||
AuthUserIDClaim = NETBIRD_AUTH_USER_ID_CLAIM;
|
||||
OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT;
|
||||
};
|
||||
IdpManagerConfig = {
|
||||
ManagerType = NETBIRD_MGMT_IDP;
|
||||
ClientConfig = {
|
||||
Issuer = NETBIRD_AUTH_AUTHORITY;
|
||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
||||
ClientID = NETBIRD_IDP_MGMT_CLIENT_ID;
|
||||
ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET;
|
||||
GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE;
|
||||
};
|
||||
ExtraConfig = cfg.idpManagerExtraConfig;
|
||||
};
|
||||
DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow {
|
||||
Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER;
|
||||
ProviderConfig = {
|
||||
Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE;
|
||||
Domain = NETBIRD_AUTH_AUTHORITY;
|
||||
ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID;
|
||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
||||
DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT;
|
||||
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE;
|
||||
UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN;
|
||||
};
|
||||
};
|
||||
PKCEAuthorizationFlow = {
|
||||
ProviderConfig = {
|
||||
Audience = NETBIRD_AUTH_AUDIENCE;
|
||||
ClientID = NETBIRD_AUTH_CLIENT_ID;
|
||||
ClientSecret = NETBIRD_AUTH_CLIENT_SECRET;
|
||||
AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT;
|
||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
||||
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES;
|
||||
RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS;
|
||||
UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = mkIf cfg.enableNginx {
|
||||
${cfg.settings.NETBIRD_DOMAIN} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations = {
|
||||
"/" = {
|
||||
root = "${stateDir}/web-ui/";
|
||||
tryFiles = "$uri /index.html";
|
||||
};
|
||||
|
||||
"/signalexchange.SignalExchange/".extraConfig = ''
|
||||
grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal};
|
||||
grpc_read_timeout 1d;
|
||||
grpc_send_timeout 1d;
|
||||
grpc_socket_keepalive on;
|
||||
'';
|
||||
|
||||
"/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}";
|
||||
|
||||
"/management.ManagementService/".extraConfig = ''
|
||||
grpc_pass grpc://localhost:${builtins.toString cfg.ports.management};
|
||||
grpc_read_timeout 1d;
|
||||
grpc_send_timeout 1d;
|
||||
grpc_socket_keepalive on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
netbird-setup = {
|
||||
wantedBy = [
|
||||
"netbird-management.service"
|
||||
"netbird-signal.service"
|
||||
"multi-user.target"
|
||||
];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RuntimeDirectory = "netbird-mgmt";
|
||||
StateDirectory = "netbird-mgmt";
|
||||
WorkingDirectory = stateDir;
|
||||
EnvironmentFile = [ settingsFile ];
|
||||
};
|
||||
unitConfig = {
|
||||
StartLimitInterval = 5;
|
||||
StartLimitBurst = 10;
|
||||
};
|
||||
|
||||
path =
|
||||
(with pkgs; [
|
||||
coreutils
|
||||
findutils
|
||||
gettext
|
||||
gnused
|
||||
])
|
||||
++ (optionals cfg.setupAutoOidc (
|
||||
with pkgs;
|
||||
[
|
||||
curl
|
||||
jq
|
||||
]
|
||||
));
|
||||
|
||||
script =
|
||||
''
|
||||
cp ${managementFile} ${stateDir}/management.json.copy
|
||||
''
|
||||
+ (optionalString cfg.setupAutoOidc ''
|
||||
mv ${stateDir}/management.json.copy ${stateDir}/management.json
|
||||
echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file"
|
||||
curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json
|
||||
|
||||
export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json)
|
||||
export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json)
|
||||
export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json)
|
||||
export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json)
|
||||
export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json)
|
||||
|
||||
envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy
|
||||
'')
|
||||
+ ''
|
||||
# Update secrets in management.json
|
||||
${builtins.concatStringsSep "\n" (
|
||||
builtins.attrValues (
|
||||
builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") (
|
||||
filterAttrs (_: p: p != null) cfg.secretFiles
|
||||
)
|
||||
)
|
||||
)}
|
||||
|
||||
envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json
|
||||
|
||||
rm -rf ${stateDir}/web-ui
|
||||
mkdir -p ${stateDir}/web-ui
|
||||
cp -R ${dashboard}/* ${stateDir}/web-ui
|
||||
|
||||
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
|
||||
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
|
||||
${optionalString (
|
||||
cfg.secretFiles.AUTH_CLIENT_SECRET == null
|
||||
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
|
||||
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
|
||||
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
|
||||
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
|
||||
export USE_AUTH0="$NETBIRD_USE_AUTH0"
|
||||
export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g')
|
||||
|
||||
export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
|
||||
|
||||
MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js)
|
||||
OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js
|
||||
mv "$MAIN_JS" "$MAIN_JS".copy
|
||||
envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS"
|
||||
envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
|
||||
'';
|
||||
};
|
||||
|
||||
netbird-signal = {
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "netbird-management.service" ];
|
||||
restartTriggers = [
|
||||
settingsFile
|
||||
managementFile
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${cfg.package}/bin/netbird-signal run \
|
||||
--port ${builtins.toString cfg.ports.signal} \
|
||||
--log-file console \
|
||||
--log-level ${cfg.logLevel}
|
||||
'';
|
||||
Restart = "always";
|
||||
RuntimeDirectory = "netbird-mgmt";
|
||||
StateDirectory = "netbird-mgmt";
|
||||
WorkingDirectory = stateDir;
|
||||
};
|
||||
unitConfig = {
|
||||
StartLimitInterval = 5;
|
||||
StartLimitBurst = 10;
|
||||
};
|
||||
stopIfChanged = false;
|
||||
};
|
||||
|
||||
netbird-management = {
|
||||
description = "The management server for Netbird, a wireguard VPN";
|
||||
documentation = [ "https://netbird.io/docs/" ];
|
||||
after = [
|
||||
"network.target"
|
||||
"netbird-setup.service"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [
|
||||
"netbird-signal.service"
|
||||
"netbird-setup.service"
|
||||
];
|
||||
restartTriggers = [
|
||||
settingsFile
|
||||
managementFile
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${cfg.package}/bin/netbird-mgmt management \
|
||||
--config ${stateDir}/management.json \
|
||||
--datadir ${stateDir}/data \
|
||||
${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \
|
||||
${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \
|
||||
--dns-domain ${cfg.management.dnsDomain} \
|
||||
--single-account-mode-domain ${cfg.management.singleAccountModeDomain} \
|
||||
--idp-sign-key-refresh-enabled \
|
||||
--port ${builtins.toString cfg.ports.management} \
|
||||
--log-file console \
|
||||
--log-level ${cfg.logLevel}
|
||||
'';
|
||||
Restart = "always";
|
||||
RuntimeDirectory = "netbird-mgmt";
|
||||
StateDirectory = [
|
||||
"netbird-mgmt"
|
||||
"netbird-mgmt/data"
|
||||
];
|
||||
WorkingDirectory = stateDir;
|
||||
};
|
||||
unitConfig = {
|
||||
StartLimitInterval = 5;
|
||||
StartLimitBurst = 10;
|
||||
};
|
||||
stopIfChanged = false;
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf cfg.enableCoturn {
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
|
||||
realm = settings.NETBIRD_DOMAIN;
|
||||
lt-cred-mech = true;
|
||||
no-cli = true;
|
||||
|
||||
extraConfig = ''
|
||||
fingerprint
|
||||
|
||||
user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD}
|
||||
no-software-attribute
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = with settings; [
|
||||
TURN_PORT
|
||||
(TURN_PORT + 1)
|
||||
5349
|
||||
5350
|
||||
];
|
||||
allowedTCPPorts = with settings; [
|
||||
TURN_PORT
|
||||
(TURN_PORT + 1)
|
||||
];
|
||||
allowedUDPPortRanges = [
|
||||
{
|
||||
from = settings.TURN_MIN_PORT;
|
||||
to = settings.TURN_MAX_PORT;
|
||||
}
|
||||
];
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf (cfg.enableNginx && cfg.enableCoturn) {
|
||||
services.coturn =
|
||||
let
|
||||
cert = config.security.acme.certs.${settings.TURN_DOMAIN};
|
||||
in
|
||||
{
|
||||
cert = "${cert.directory}/fullchain.pem";
|
||||
pkey = "${cert.directory}/key.pem";
|
||||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "turnserver" ];
|
||||
|
||||
# share certs with coturn and restart on renewal
|
||||
security.acme.certs.${settings.TURN_DOMAIN} = {
|
||||
group = "turnserver";
|
||||
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
31
machines/storage01/netbird/package/dashboard.nix
Normal file
31
machines/storage01/netbird/package/dashboard.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
{
|
||||
lib,
|
||||
buildNpmPackage,
|
||||
fetchFromGitHub,
|
||||
}:
|
||||
|
||||
buildNpmPackage rec {
|
||||
pname = "netbird-dashboard";
|
||||
version = "1.17.6";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "netbirdio";
|
||||
repo = "dashboard";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40=";
|
||||
};
|
||||
|
||||
npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w=";
|
||||
npmFlags = [ "--legacy-peer-deps" ];
|
||||
|
||||
installPhase = ''
|
||||
cp -R build $out
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "NetBird Management Service Web UI Panel";
|
||||
homepage = "https://github.com/netbirdio/dashboard";
|
||||
license = licenses.bsd3;
|
||||
maintainers = with maintainers; [ thubrecht ];
|
||||
};
|
||||
}
|
7
machines/storage01/netbird/package/default.nix
Normal file
7
machines/storage01/netbird/package/default.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{
|
||||
pkgs ? import <nixpkgs> { },
|
||||
}:
|
||||
|
||||
{
|
||||
dashboard = pkgs.callPackage ./dashboard.nix { };
|
||||
}
|
|
@ -4,8 +4,6 @@ let
|
|||
host = "videos.dgnum.eu";
|
||||
in
|
||||
{
|
||||
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
|
||||
|
||||
services.peertube = {
|
||||
enable = true;
|
||||
|
||||
|
|
|
@ -77,9 +77,15 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.prometheus = {
|
||||
inherit host port;
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
recommendedProxySettings = true;
|
||||
};
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "prometheus" ];
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
{
|
||||
dgn-redirections = {
|
||||
permanent = {
|
||||
"www.lanuit.ens.fr" = "lanuit.ens.fr";
|
||||
"lanuit.ens.psl.eu" = "lanuit.ens.fr";
|
||||
"www.lanuit.ens.psl.eu" = "lanuit.ens.fr";
|
||||
};
|
||||
};
|
||||
}
|
30
machines/storage01/secrets/atticd-credentials_file
Normal file
30
machines/storage01/secrets/atticd-credentials_file
Normal file
|
@ -0,0 +1,30 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
|
||||
mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
|
||||
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
|
||||
jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
|
||||
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
|
||||
WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
|
||||
-> ssh-rsa krWCLQ
|
||||
hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
|
||||
hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
|
||||
P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
|
||||
B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
|
||||
6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
|
||||
vBGnX9w0unyR//LLqrOPWA
|
||||
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
|
||||
lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
|
||||
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
|
||||
C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
|
||||
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
|
||||
+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
|
||||
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
|
||||
N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
|
||||
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
|
||||
0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
|
||||
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
|
||||
eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
|
||||
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
|
||||
uÂ;.ÿñË>pÔïÑ–<C391>òh¸<68>2ÎŒ›}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$1»!–z<E28093>jlA‡[@;ò‚s®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—h›ò–à ù@%ˆŠä´›|×{ ¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZD’ËÇÃ)}HŠü˜¦×ál}Sƒ‘˜ëFrn
|
||||
øL¦-wÉÑ—¼j)ê â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
|
||||
¾¸y8óÃkñbÔy×ËäÏ臃‹¹·k’¤¨ÉÍ™ê°n/-’'ÃZ<C383>ÅŸ
¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d
|
BIN
machines/storage01/secrets/netbird-auth_client_secret_file
Normal file
BIN
machines/storage01/secrets/netbird-auth_client_secret_file
Normal file
Binary file not shown.
|
@ -1,30 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo
|
||||
hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8
|
||||
-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA
|
||||
VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8
|
||||
-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0
|
||||
Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0
|
||||
-> ssh-rsa krWCLQ
|
||||
OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ
|
||||
8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2
|
||||
H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees
|
||||
D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl
|
||||
P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN
|
||||
Gy5MiJasx3nWCUYJZUL1Fw
|
||||
-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8
|
||||
wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog
|
||||
-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU
|
||||
+LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg
|
||||
-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ
|
||||
7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo
|
||||
-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk
|
||||
kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I
|
||||
-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0
|
||||
zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg
|
||||
-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4
|
||||
jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg
|
||||
-> @K'k$-grease x>ie }CH4sS h|s
|
||||
bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg
|
||||
--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs
|
||||
1Ò¨Rq¢<>nýµ{”ýT°5?HXH1¢ Ê%‘)Í01’RGr׿fÖNT4å2B(í);ìíÿ‰íÁœ
|
Binary file not shown.
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue