DGNum/infrastructure
13
6
Fork 3
Code Issues 20 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:npins-update
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
cst1:add_cst1_ssh
cst1:init-dgnum-page
cst1:takumi-can-do-ollama
cst1:declarative-buckets
cst1:main
cst1:move-ollama
cst1:prepare-for-terranix
cst1:ollama-api
cst1:npins-update
cst1:internal-lib
cst1:ds-update
cst1:ds-fr
cst1:colmena-liminix
cst1:tvix-store
cst1:nixpkgs
cst1:liminix-v1
..
compare: cst1:ds-update
Branches Tags
cst1:add_cst1_ssh
cst1:init-dgnum-page
cst1:takumi-can-do-ollama
cst1:declarative-buckets
cst1:main
cst1:move-ollama
cst1:prepare-for-terranix
cst1:ollama-api
cst1:npins-update
cst1:internal-lib
cst1:ds-update
cst1:ds-fr
cst1:colmena-liminix
cst1:tvix-store
cst1:nixpkgs
cst1:liminix-v1
DGNum:main
DGNum:npins-update
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix

1 commit
main ... ds-update

Author SHA1 Message Date
DGNum Chores
a0f14ad58d chore(ds-fr): Update
Some checks failed
Check meta / check_meta (push) Successful in 17s
Details
Check meta / check_dns (push) Successful in 18s
Details
lint / check (push) Successful in 26s
Details
Check meta / check_meta (pull_request) Successful in 19s
Details
Check meta / check_dns (pull_request) Successful in 17s
Details
build configuration / build_storage01 (pull_request) Successful in 1m10s
Details
build configuration / build_vault01 (pull_request) Successful in 1m13s
Details
build configuration / build_web01 (pull_request) Successful in 1m39s
Details
build configuration / build_web02 (pull_request) Successful in 1m3s
Details
build configuration / build_geo01 (pull_request) Successful in 1m12s
Details
build configuration / build_geo02 (pull_request) Successful in 1m6s
Details
build configuration / build_rescue01 (pull_request) Successful in 1m15s
Details
lint / check (pull_request) Successful in 31s
Details
build configuration / build_bridge01 (pull_request) Successful in 1m8s
Details
build configuration / build_compute01 (pull_request) Failing after 3m45s
Details
build configuration / push_to_cache_compute01 (pull_request) Has been skipped
Details
build configuration / push_to_cache_storage01 (pull_request) Successful in 1m24s
Details
build configuration / push_to_cache_vault01 (pull_request) Successful in 1m32s
Details
build configuration / push_to_cache_web02 (pull_request) Successful in 1m24s
Details
build configuration / push_to_cache_geo01 (pull_request) Successful in 1m18s
Details
build configuration / push_to_cache_web01 (pull_request) Successful in 2m2s
Details
build configuration / push_to_cache_geo02 (pull_request) Successful in 1m12s
Details
build configuration / push_to_cache_bridge01 (pull_request) Successful in 1m10s
Details
build configuration / push_to_cache_rescue01 (pull_request) Successful in 1m24s
Details
2024-10-02 16:28:20 +00:00
155 changed files with 2492 additions and 3491 deletions
Show stats Expand all files Collapse all files

1
.envrc
View file

@ -1,2 +1 @@
watch_file workflows/*
use nix

34
.forgejo/workflows/check-meta.yaml
View file

@ -1,21 +1,25 @@
jobs:
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
on:
pull_request:
branches:
- main
- main
push:
paths:
- meta/*
- 'meta/*'
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link

16
.forgejo/workflows/check-workflows.yaml
View file

@ -1,16 +0,0 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:
branches:
- main
push:
paths:
- workflows/*

56
.forgejo/workflows/ds-fr.yaml Normal file
View file

@ -0,0 +1,56 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

119
.forgejo/workflows/eval-nodes.yaml
View file

@ -1,119 +0,0 @@
jobs:
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:
branches:
- main
push:
branches:
- main

289
.forgejo/workflows/eval.yaml Normal file
View file

@ -0,0 +1,289 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build compute01
run: |
# Enter the shell
nix-shell --run 'colmena build --on compute01'
build_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build storage01
run: |
# Enter the shell
nix-shell --run 'colmena build --on storage01'
build_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build vault01
run: |
# Enter the shell
nix-shell --run 'colmena build --on vault01'
build_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web01
run: |
# Enter the shell
nix-shell --run 'colmena build --on web01'
build_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web02
run: |
# Enter the shell
nix-shell --run 'colmena build --on web02'
build_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build rescue01
run: |
# Enter the shell
nix-shell --run 'colmena build --on rescue01'
build_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo01
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo01'
build_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo02
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo02'
build_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build bridge01
run: |
# Enter the shell
nix-shell --run 'colmena build --on bridge01'
push_to_cache_compute01:
runs-on: nix
needs:
- build_compute01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "compute01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: uploaded.txt
push_to_cache_storage01:
runs-on: nix
needs:
- build_storage01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "storage01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: uploaded.txt
push_to_cache_rescue01:
runs-on: nix
needs:
- build_rescue01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "rescue01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: uploaded.txt
push_to_cache_geo01:
runs-on: nix
needs:
- build_geo01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: uploaded.txt
push_to_cache_geo02:
runs-on: nix
needs:
- build_geo02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: uploaded.txt
push_to_cache_vault01:
runs-on: nix
needs:
- build_vault01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "vault01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: uploaded.txt
push_to_cache_web01:
runs-on: nix
needs:
- build_web01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: uploaded.txt
push_to_cache_web02:
runs-on: nix
needs:
- build_web02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt
push_to_cache_bridge01:
runs-on: nix
needs:
- build_bridge01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "bridge01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt

11
.forgejo/workflows/lint.yaml Normal file
View file

@ -0,0 +1,11 @@
name: lint
on: [push, pull_request]
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

25
.forgejo/workflows/npins-update.yaml
View file

@ -1,25 +0,0 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 25 15 * * *

50
workflows/npins-update.nix → .forgejo/workflows/npins.yaml
View file

@ -1,24 +1,31 @@
{
name = "npins update";
on.schedule = [
name: npins update
on:
schedule:
# Run at 11 o'clock every wednesday
{ cron = "25 15 * * *"; }
];
- cron: "25 15 * * *"
jobs.npins_update = {
runs-on = "nix";
steps = [
{
uses = "actions/checkout@v3";
"with" = {
depth = 0;
token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
};
}
jobs:
npins_update:
runs-on: nix
steps:
# - name: Install applications
# run: apt-get update && apt-get install sudo
#
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
#
# - uses: https://github.com/cachix/install-nix-action@v22
# with:
# nix_path: nixpkgs=channel:nixos-unstable
{
name = "Update dependencies and open PR if necessary";
run = ''
# - name: Install tea
# run: |
# nix-env -f '<nixpkgs>' -i tea
- name: Update dependencies and open PR if necessary
run: |
npins update
if [ ! -z "$(git diff --name-only)" ]; then
@ -37,7 +44,7 @@
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
@ -49,8 +56,3 @@
--head npins-update
fi
fi
'';
}
];
};
}

12
.forgejo/workflows/pre-commit.yaml
View file

@ -1,12 +0,0 @@
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push
- pull_request

25
README.md
View file

@ -9,21 +9,6 @@ You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Using the binary cache
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
```
{ lib, ... }:
let
dgnum-infra = PINNED_PATH_TO_INFRA;
in {
nix.settings = (import dgnum-infra { }).mkCacheSettings {
caches = [ "infra" ];
};
}
```
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
@ -34,7 +19,7 @@ The second step is to find a name for this host, it must be unique from the othe
## Download the keys
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
@ -91,9 +76,11 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
(import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02
]
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
```
This will be used for future secret management.

74
default.nix
View file

@ -41,15 +41,7 @@
}:
let
inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
git-checks = (import sources.git-hooks).run {
git-checks = (import (builtins.storePath sources.git-hooks)).run {
src = ./.;
hooks = {
@ -75,22 +67,6 @@ let
commitizen.enable = true;
};
};
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
scripts = import ./scripts { inherit pkgs; };
in
{
@ -100,37 +76,37 @@ in
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
}))
pkgs.attic-client
pkgs.npins
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (builtins.attrValues scripts);
] ++ (import ./scripts { inherit pkgs; });
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
'';
shellHook = ''
${git-checks.shellHook}
'';
preferLocalBuild = true;
preferLocalBuild = true;
};
###
# Alternative shells
pre-commit = pkgs.mkShell {
name = "pre-commit-shell";
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
shellHook = ''
${git-checks.shellHook}
'';
};
};
}

40
hive.nix
View file

@ -1,25 +1,24 @@
let
sources' = import ./npins;
sources = import ./npins;
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
lib = import (sources.nix-lib + "/src/trivial.nix");
nix-lib = import ./lib/nix-lib;
patch = import ./lib/nix-patches { patchFile = ./patches; };
patch = import sources.nix-patches { patchFile = ./patches; };
nodes' = import ./meta/nodes.nix;
nodes = builtins.attrNames nodes';
mkNode = node: {
# Import the base configuration for each node
imports = [ ./machines/${node}/_configuration.nix ];
imports = builtins.map (lib.mkRel (./machines/${node})) [
"_configuration.nix"
"_hardware-configuration.nix"
];
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
@ -28,9 +27,12 @@ let
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
let
version = "nixos-${v}";
in
patch.mkNixpkgsSrc {
src = sources.${version};
inherit version;
};
# Instanciates the required nixpkgs version
@ -40,8 +42,10 @@ let
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = nixpkgs.${version node}.lib // {
extra = nix-lib;
lib = import sources.nix-lib {
inherit (nixpkgs.${version node}) lib;
keysRoot = ./keys;
};
meta = (import ./meta) lib;
@ -52,15 +56,13 @@ in
{
meta = {
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
specialArgs = {
inherit nixpkgs sources;
dgn-keys = import ./keys;
};
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
};
defaults =
@ -110,4 +112,4 @@ in
};
};
}
// (nix-lib.mapSingleFuse mkNode nodes)
// (lib.mapSingleFuse mkNode nodes)

6
iso/configuration.nix
View file

@ -1,7 +1,7 @@
{ lib, pkgs, ... }:
let
dgn-keys = import ../keys;
dgn-lib = import ../lib { };
dgn-members = (import ../meta lib).organization.groups.root;
in
@ -34,5 +34,7 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
}

1
keys/catvayor.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor

88
keys/default.nix
View file

@ -1,88 +0,0 @@
let
_sources = import ../npins;
meta = import ../meta (import _sources.nixpkgs { }).lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}

1
keys/ecoppens.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA

2
keys/gdd.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

2
keys/jemagius.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=

2
keys/luj.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

1
keys/machines/bridge01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7

1
keys/machines/compute01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu

1
keys/machines/geo01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4

1
keys/machines/geo02.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket

1
keys/machines/rescue01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf

1
keys/machines/storage01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ

1
keys/machines/vault01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW

1
keys/machines/web01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5

1
keys/machines/web02.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX

1
keys/mdebray.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris

3
keys/raito.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

3
keys/thubrecht.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn

33
lib/default.nix Normal file
View file

@ -0,0 +1,33 @@
_:
let
sources = import ../npins;
lib = import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
keysRoot = ../keys;
};
meta = import ../meta lib;
inherit (lib.extra) getAllKeys;
in
lib.extra
// rec {
# Get publickeys associated to a node
getNodeKeys =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (getAllKeys names);
rootKeys = getAllKeys meta.organization.groups.root;
machineKeys =
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
}

200
lib/nix-lib/default.nix
View file

@ -1,200 +0,0 @@
# Copyright Tom Hubrecht, (2023)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
let
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec {
inherit (import ./nixpkgs.nix)
flip
hasPrefix
recursiveUpdate
splitString
unique
;
/*
Fuses a list of attribute sets into a single attribute set.
Type: [attrs] -> attrs
Example:
x = [ { a = 1; } { b = 2; } ]
fuseAttrs x
=> { a = 1; b = 2; }
*/
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
/*
Applies a function to `attrsList` before fusing the resulting list
of attribute sets.
Type: ('a -> attrs) -> ['a] -> attrs
Example:
x = [ "to" "ta" "ti" ]
f = s: { ${s} = s + s; }
mapFuse f x
=> { to = "toto"; ta = "tata"; ti = "titi"; }
*/
mapFuse =
# 'a -> attrs
f:
# ['a]
attrsList:
fuseAttrs (builtins.map f attrsList);
/*
Equivalent of lib.singleton but for an attribute set.
Type: str -> 'a -> attrs
Example:
singleAttr "a" 1
=> { a = 1; }
*/
singleAttr = name: value: { ${name} = value; };
# Enables a list of modules.
enableAttrs' =
enable:
mapFuse (m: {
${m}.${enable} = true;
});
enableModules = enableAttrs' "enable";
/*
Create an attribute set from a list of values, mapping those
values through the function `f`.
Example:
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
=> { a = "val-a"; b = "val-b" }
*/
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
/*
Creates a relative path as a string
Type: path -> str -> path
Example:
mkRel /home/test/ "file.txt"
=> "/home/test/file.txt"
*/
mkRel = path: file: path + "/${file}";
setDefault =
default:
mapFuse (name: {
${name} = default;
});
mkBaseSecrets =
root:
mapFuse (secret: {
${secret}.file = mkRel root secret;
});
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
subAttr = attrs: name: attrs.${name};
subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together.
Type: [attrs] -> attrs
*/
recursiveFuse = builtins.foldl' recursiveUpdate { };
mkImport =
root: file:
let
path = mkRel root file;
in
path + (optionalString (!(builtins.pathExists path)) ".nix");
mkImports = root: builtins.map (mkImport root);
/*
Creates a confugiration by merging enabled modules,
services and extraConfig.
Example:
mkConfig {
enabledModules = [ "ht-defaults" ];
enabledServices = [ "toto" ];
extraConfig = { services.nginx.enable = true; };
root = ./.;
}
=>
{
imports = [ ./toto ];
ht-defaults.enable = true;
services.nginx.enable = true;
}
*/
mkConfig =
{
# List of modules to enable with `enableModules`
enabledModules,
# List of services to import
enabledServices,
# Extra configuration, defaults to `{ }`
extraConfig ? { },
# Path relative to which the enabled services will be imported
root,
}:
recursiveFuse [
(enableModules enabledModules)
{
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
(removeAttrs extraConfig [ "imports" ])
];
}

416
lib/nix-lib/nixpkgs.nix
View file

@ -1,416 +0,0 @@
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
}

110
lib/nix-patches/default.nix
View file

@ -1,110 +0,0 @@
# Copyright Tom Hubrecht, (2023-2024)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
patchFile,
excludeGitHubManual ? true,
fetchers ? { },
}:
rec {
base =
{ pkgs }:
rec {
mkUrlPatch =
attrs:
pkgs.fetchpatch (
{
hash = pkgs.lib.fakeHash;
}
// attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
})
);
mkGitHubPatch =
{ id, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "id" ])
// {
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
}
);
mkCommitPatch =
{ sha, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "sha" ])
// {
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
}
);
patchFunctions = {
commit = mkCommitPatch;
github = mkGitHubPatch;
remote = pkgs.fetchpatch;
static = attrs: attrs.path;
url = mkUrlPatch;
} // fetchers;
mkPatch =
{
_type ? "github",
...
}@attrs:
if builtins.hasAttr _type patchFunctions then
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
else
throw "Unknown patch type: ${builtins.toString _type}.";
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
applyPatches =
{
src,
name,
patches ? mkPatches name,
}:
if patches == [ ] then
src
else
pkgs.applyPatches {
inherit patches src;
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
}

8
machines/bridge01/secrets/secrets.nix
View file

@ -1,3 +1,5 @@
(import ../../../keys).mkSecrets [ "bridg01" ] [
# List of secrets for bridge01
]
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]

1
machines/compute01/_configuration.nix
View file

@ -21,7 +21,6 @@ lib.extra.mkConfig {
"librenms"
"mastodon"
"nextcloud"
"ollama-proxy"
"outline"
"plausible"
"postgresql"

62
machines/compute01/dgsi/default.nix
View file

@ -8,7 +8,7 @@
}:
let
inherit (lib) toLower;
inherit (lib) mapAttrsToList;
python =
let
@ -33,29 +33,25 @@ let
};
};
pythonEnv = python.withPackages (
ps:
[
ps.django
ps.gunicorn
ps.psycopg
ps.django-compressor
ps.django-import-export
pythonEnv = python.withPackages (ps: [
ps.django
ps.gunicorn
ps.psycopg
ps.django-compressor
ps.django-import-export
# Local packages
ps.django-allauth
ps.django-allauth-cas
ps.django-browser-reload
ps.django-bulma-forms
ps.django-sass-processor
ps.django-sass-processor-dart-sass
ps.django-unfold
ps.loadcredential
ps.pykanidm
ps.python-cas
]
++ ps.django-allauth.optional-dependencies.saml
);
# Local packages
ps.django-allauth
ps.django-allauth-cas
ps.django-browser-reload
ps.django-bulma-forms
ps.django-sass-processor
ps.django-sass-processor-dart-sass
ps.django-unfold
ps.loadcredential
ps.pykanidm
ps.python-cas
]);
staticDrv = pkgs.stdenv.mkDerivation {
name = "dgsi-static";
@ -71,10 +67,8 @@ let
configurePhase = ''
export DGSI_STATIC_ROOT=$out/static
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
export DGSI_KANIDM_CLIENT="dgsi_test"
export DGSI_KANIDM_AUTH_TOKEN="fake.token"
export DGSI_X509_KEY=""
export DGSI_X509_CERT=""
export DGSI_KANIDM_CLIENT="dgsi_test";
export DGSI_KANIDM_AUTH_TOKEN="fake.token";
'';
doBuild = false;
@ -107,14 +101,12 @@ in
serviceConfig = {
DynamicUser = true;
LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
"EMAIL_HOST_PASSWORD"
"KANIDM_AUTH_TOKEN"
"KANIDM_SECRET"
"SECRET_KEY"
"X509_CERT"
"X509_KEY"
];
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path;
KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path;
KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."dgsi-email_host_password_file".path;
};
RuntimeDirectory = "django-apps/dgsi";
StateDirectory = "django-apps/dgsi";
UMask = "0027";

23
machines/compute01/ds-fr/default.nix
View file

@ -1,35 +1,14 @@
{
config,
pkgs,
sources,
...
}:
{ config, ... }:
let
host = "demarches.dgnum.eu";
dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = {
enable = true;
package =
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
initialDeploymentDate = "20230923";
}).overrideAttrs
(old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
};
});
secretFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923";

6
machines/compute01/ds-fr/package/meta.nix
View file

@ -1,5 +1,5 @@
{
version = "2024-04-24-01";
src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg=";
deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8=";
version = "2024-09-30-02";
src-hash = "sha256-WnrU2vH/ElKjpRLgDsxjo33hAIPGIRQR/o9RcAde4Pc=";
deps-hash = "sha256-i0qNvr2wDLdGbFp5wcqDi3aFTvA9P7aS+BaOvU5cnUM=";
}

11
machines/compute01/ds-fr/package/rubyEnv/Gemfile
View file

@ -1,3 +1,5 @@
# frozen_string_literal: true
source 'https://rubygems.org'
gem 'rails', '~> 7.0.8' # allows update to security fixes at any time
@ -17,6 +19,7 @@ gem 'anchored'
gem 'bcrypt'
gem 'bootsnap', '>= 1.4.4', require: false # Reduces boot times through caching; required in config/boot.rb
gem 'browser'
gem 'capybara-playwright-driver'
gem 'charlock_holmes'
gem 'chartkick'
gem 'chunky_png'
@ -37,6 +40,7 @@ gem 'flipper'
gem 'flipper-active_record'
gem 'flipper-active_support_cache_store'
gem 'flipper-ui'
gem 'front_matter_parser'
gem 'fugit'
gem 'geocoder'
gem 'geo_coord', require: "geo/coord"
@ -94,6 +98,7 @@ gem 'sidekiq'
gem 'sidekiq-cron'
gem 'skylight'
gem 'spreadsheet_architect'
gem 'string-similarity'
gem 'strong_migrations' # lint database migrations
gem 'sys-proctable'
gem 'turbo-rails'
@ -103,13 +108,10 @@ gem 'view_component'
gem 'vite_rails'
gem 'warden'
gem 'webrick', require: false
gem 'yabeda-graphql'
gem 'yabeda-prometheus'
gem 'yabeda-puma-plugin'
gem 'yabeda-rails'
gem 'yabeda-sidekiq'
gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn'
gem 'zxcvbn'
group :test do
gem 'axe-core-rspec' # accessibility rspec matchers
@ -127,6 +129,7 @@ group :test do
gem 'shoulda-matchers', require: false
gem 'simplecov', require: false
gem 'simplecov-cobertura', require: false
gem "test-prof"
gem 'timecop'
gem 'vcr'
gem 'webmock'

210
machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock
View file

@ -12,47 +12,47 @@ GEM
aasm (5.5.0)
concurrent-ruby (~> 1.0)
acsv (0.0.1)
actioncable (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
actioncable (7.0.8.4)
actionpack (= 7.0.8.4)
activesupport (= 7.0.8.4)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
actionmailbox (7.0.8.4)
actionpack (= 7.0.8.4)
activejob (= 7.0.8.4)
activerecord (= 7.0.8.4)
activestorage (= 7.0.8.4)
activesupport (= 7.0.8.4)
mail (>= 2.7.1)
net-imap
net-pop
net-smtp
actionmailer (7.0.8.1)
actionpack (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activesupport (= 7.0.8.1)
actionmailer (7.0.8.4)
actionpack (= 7.0.8.4)
actionview (= 7.0.8.4)
activejob (= 7.0.8.4)
activesupport (= 7.0.8.4)
mail (~> 2.5, >= 2.5.4)
net-imap
net-pop
net-smtp
rails-dom-testing (~> 2.0)
actionpack (7.0.8.1)
actionview (= 7.0.8.1)
activesupport (= 7.0.8.1)
actionpack (7.0.8.4)
actionview (= 7.0.8.4)
activesupport (= 7.0.8.4)
rack (~> 2.0, >= 2.2.4)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (7.0.8.1)
actionpack (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
actiontext (7.0.8.4)
actionpack (= 7.0.8.4)
activerecord (= 7.0.8.4)
activestorage (= 7.0.8.4)
activesupport (= 7.0.8.4)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.0.8.1)
activesupport (= 7.0.8.1)
actionview (7.0.8.4)
activesupport (= 7.0.8.4)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
@ -67,26 +67,26 @@ GEM
activemodel (>= 5.2.0)
activestorage (>= 5.2.0)
activesupport (>= 5.2.0)
activejob (7.0.8.1)
activesupport (= 7.0.8.1)
activejob (7.0.8.4)
activesupport (= 7.0.8.4)
globalid (>= 0.3.6)
activemodel (7.0.8.1)
activesupport (= 7.0.8.1)
activerecord (7.0.8.1)
activemodel (= 7.0.8.1)
activesupport (= 7.0.8.1)
activestorage (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activesupport (= 7.0.8.1)
activemodel (7.0.8.4)
activesupport (= 7.0.8.4)
activerecord (7.0.8.4)
activemodel (= 7.0.8.4)
activesupport (= 7.0.8.4)
activestorage (7.0.8.4)
actionpack (= 7.0.8.4)
activejob (= 7.0.8.4)
activerecord (= 7.0.8.4)
activesupport (= 7.0.8.4)
marcel (~> 1.0)
mini_mime (>= 1.1.0)
activestorage-openstack (1.6.0)
fog-openstack (>= 1.0.9)
marcel
rails (>= 5.2.2)
activesupport (7.0.8.1)
activesupport (7.0.8.4)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
@ -144,7 +144,7 @@ GEM
brakeman (6.1.2)
racc
browser (5.3.1)
builder (3.2.4)
builder (3.3.0)
capybara (3.40.0)
addressable
matrix
@ -157,6 +157,10 @@ GEM
capybara-email (3.0.2)
capybara (>= 2.4, < 4.0)
mail
capybara-playwright-driver (0.5.2)
addressable
capybara
playwright-ruby-client (>= 1.16.0)
capybara-screenshot (1.0.26)
capybara (>= 1.0, < 4)
launchy
@ -174,7 +178,7 @@ GEM
clamav-client (3.2.0)
coercible (1.0.0)
descendants_tracker (~> 0.0.1)
concurrent-ruby (1.2.3)
concurrent-ruby (1.3.4)
connection_pool (2.4.1)
content_disposition (1.0.0)
crack (1.0.0)
@ -209,7 +213,7 @@ GEM
warden (~> 1.2.3)
devise-i18n (1.12.0)
devise (>= 4.9.0)
devise-two-factor (5.0.0)
devise-two-factor (6.0.0)
activesupport (~> 7.0)
devise (~> 4.0)
railties (~> 7.0)
@ -234,7 +238,7 @@ GEM
dumb_delegator (1.0.0)
email_validator (2.2.4)
activemodel
erubi (1.12.0)
erubi (1.13.0)
et-orbi (1.2.11)
tzinfo
ethon (0.16.0)
@ -252,19 +256,20 @@ GEM
faraday-net_http (3.1.0)
net-http
ffi (1.16.3)
flipper (1.2.2)
flipper (1.3.0)
concurrent-ruby (< 2)
flipper-active_record (1.2.2)
flipper-active_record (1.3.0)
activerecord (>= 4.2, < 8)
flipper (~> 1.2.2)
flipper-active_support_cache_store (1.2.2)
flipper (~> 1.3.0)
flipper-active_support_cache_store (1.3.0)
activesupport (>= 4.2, < 8)
flipper (~> 1.2.2)
flipper-ui (1.2.2)
flipper (~> 1.3.0)
flipper-ui (1.3.0)
erubi (>= 1.0.0, < 2.0.0)
flipper (~> 1.2.2)
flipper (~> 1.3.0)
rack (>= 1.4, < 4)
rack-protection (>= 1.5.3, <= 4.0.0)
rack-protection (>= 1.5.3, < 5.0.0)
rack-session (>= 1.0.2, < 3.0.0)
sanitize (< 7)
fog-core (2.4.0)
builder
@ -278,8 +283,9 @@ GEM
fog-core (~> 2.1)
fog-json (>= 1.0)
formatador (1.1.0)
fugit (1.10.1)
et-orbi (~> 1, >= 1.2.7)
front_matter_parser (1.0.1)
fugit (1.11.1)
et-orbi (~> 1, >= 1.2.11)
raabro (~> 1.4)
geo_coord (0.2.0)
geocoder (1.8.2)
@ -328,7 +334,7 @@ GEM
highline (3.0.1)
htmlentities (4.3.4)
http_accept_language (2.1.1)
i18n (1.14.4)
i18n (1.14.6)
concurrent-ruby (~> 1.0)
i18n-tasks (1.0.13)
activesupport (>= 4.0.2)
@ -405,6 +411,7 @@ GEM
listen (3.9.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
logger (1.6.0)
lograge (0.14.0)
actionpack (>= 4)
activesupport (>= 4)
@ -426,7 +433,7 @@ GEM
job-iteration (>= 1.3.6)
railties (>= 6.0)
zeitwerk (>= 2.6.2)
marcel (1.0.2)
marcel (1.0.4)
matrix (0.4.2)
memory_profiler (1.0.1)
method_source (1.1.0)
@ -437,25 +444,25 @@ GEM
rake
mini_magick (4.12.0)
mini_mime (1.1.5)
mini_portile2 (2.8.6)
minitest (5.22.3)
mini_portile2 (2.8.7)
minitest (5.25.1)
msgpack (1.7.2)
multi_json (1.15.0)
mustermann (3.0.0)
ruby2_keywords (~> 0.0.1)
net-http (0.4.1)
uri
net-imap (0.4.10)
net-imap (0.4.12)
date
net-protocol
net-pop (0.1.2)
net-protocol
net-protocol (0.2.2)
timeout
net-smtp (0.4.0.1)
net-smtp (0.5.0)
net-protocol
nio4r (2.7.1)
nokogiri (1.16.4)
nio4r (2.7.3)
nokogiri (1.16.7)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
openid_connect (2.3.0)
@ -480,6 +487,9 @@ GEM
pdf-core (0.9.0)
pg (1.5.6)
phonelib (0.8.8)
playwright-ruby-client (1.46.0)
concurrent-ruby (>= 1.1.6)
mime-types (>= 3.0)
prawn (2.4.0)
pdf-core (~> 0.9.0)
ttfunk (~> 1.7)
@ -502,12 +512,12 @@ GEM
psych (5.1.2)
stringio
public_suffix (5.0.5)
puma (6.4.2)
puma (6.4.3)
nio4r (~> 2.0)
pundit (2.3.1)
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.7.3)
racc (1.8.1)
rack (2.2.9)
rack-attack (6.7.0)
rack (>= 1.0, < 4)
@ -525,25 +535,27 @@ GEM
rack (~> 2.2, >= 2.2.4)
rack-proxy (0.7.7)
rack
rack-session (1.0.2)
rack (< 3)
rack-test (2.1.0)
rack (>= 1.3)
rack_session_access (0.2.0)
builder (>= 2.0.0)
rack (>= 1.0.0)
rails (7.0.8.1)
actioncable (= 7.0.8.1)
actionmailbox (= 7.0.8.1)
actionmailer (= 7.0.8.1)
actionpack (= 7.0.8.1)
actiontext (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activemodel (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
rails (7.0.8.4)
actioncable (= 7.0.8.4)
actionmailbox (= 7.0.8.4)
actionmailer (= 7.0.8.4)
actionpack (= 7.0.8.4)
actiontext (= 7.0.8.4)
actionview (= 7.0.8.4)
activejob (= 7.0.8.4)
activemodel (= 7.0.8.4)
activerecord (= 7.0.8.4)
activestorage (= 7.0.8.4)
activesupport (= 7.0.8.4)
bundler (>= 1.15.0)
railties (= 7.0.8.1)
railties (= 7.0.8.4)
rails-controller-testing (1.0.5)
actionpack (>= 5.0.1.rc1)
actionview (>= 5.0.1.rc1)
@ -566,9 +578,9 @@ GEM
rails-pg-extras (5.3.1)
rails
ruby-pg-extras (= 5.3.1)
railties (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
railties (7.0.8.4)
actionpack (= 7.0.8.4)
activesupport (= 7.0.8.4)
method_source
rake (>= 12.2)
thor (~> 1.0)
@ -594,7 +606,8 @@ GEM
responders (3.1.1)
actionpack (>= 5.2)
railties (>= 5.2)
rexml (3.2.6)
rexml (3.3.6)
strscan
rodf (1.2.0)
builder (>= 3.0)
rubyzip (>= 1.0)
@ -674,7 +687,7 @@ GEM
nokogiri (>= 1.6.2)
rexml
xmlenc (>= 0.7.1)
sanitize (6.1.0)
sanitize (6.1.2)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
sass (3.7.4)
@ -693,10 +706,11 @@ GEM
scss_lint (0.60.0)
sass (~> 3.5, >= 3.5.5)
selectize-rails (0.12.6)
selenium-devtools (0.123.0)
selenium-devtools (0.126.0)
selenium-webdriver (~> 4.2)
selenium-webdriver (4.19.0)
selenium-webdriver (4.22.0)
base64 (~> 0.2)
logger (~> 1.4)
rexml (~> 3.2, >= 3.2.5)
rubyzip (>= 1.2.2, < 3.0)
websocket (~> 1.0)
@ -718,7 +732,7 @@ GEM
addressable (~> 2.3, >= 2.3.0)
json (~> 2.1, >= 2.1.0)
typhoeus (~> 1.0, >= 1.0.1)
sidekiq (7.2.2)
sidekiq (7.2.4)
concurrent-ruby (< 2)
connection_pool (>= 2.3.0)
rack (>= 2.2.4)
@ -763,9 +777,11 @@ GEM
activesupport (>= 5.2)
sprockets (>= 3.0.0)
stackprof (0.2.26)
string-similarity (2.1.0)
stringio (3.1.0)
strong_migrations (1.8.0)
activerecord (>= 5.2)
strscan (3.1.0)
swd (2.0.3)
activesupport (>= 3)
attr_required (>= 0.0.5)
@ -777,7 +793,8 @@ GEM
temple (0.8.2)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
thor (1.3.1)
test-prof (1.3.3)
thor (1.3.2)
thread_safe (0.3.6)
tilt (2.3.0)
timecop (0.9.8)
@ -831,7 +848,7 @@ GEM
addressable (>= 2.8.0)
crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0)
webrick (1.8.1)
webrick (1.8.2)
websocket (1.2.10)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
@ -849,33 +866,21 @@ GEM
anyway_config (>= 1.0, < 3)
concurrent-ruby
dry-initializer
yabeda-graphql (0.2.3)
graphql (>= 1.9, < 3)
yabeda (~> 0.2)
yabeda-prometheus (0.9.1)
prometheus-client (>= 3.0, < 5.0)
rack
yabeda (~> 0.10)
yabeda-puma-plugin (0.7.1)
json
puma
yabeda (~> 0.5)
yabeda-rails (0.9.0)
activesupport
anyway_config (>= 1.3, < 3)
railties
yabeda (~> 0.8)
yabeda-sidekiq (0.12.0)
anyway_config (>= 1.3, < 3)
sidekiq
yabeda (~> 0.6)
zeitwerk (2.6.13)
zeitwerk (2.6.18)
zip_tricks (5.6.0)
zipline (1.5.0)
actionpack (>= 6.0, < 8.0)
content_disposition (~> 1.0)
zip_tricks (>= 4.2.1, < 6.0)
zxcvbn-ruby (1.2.0)
zxcvbn (0.1.11)
PLATFORMS
ruby
@ -901,6 +906,7 @@ DEPENDENCIES
browser
capybara
capybara-email
capybara-playwright-driver
capybara-screenshot
charlock_holmes
chartkick
@ -923,6 +929,7 @@ DEPENDENCIES
flipper-active_record
flipper-active_support_cache_store
flipper-ui
front_matter_parser
fugit
geo_coord
geocoder
@ -1009,8 +1016,10 @@ DEPENDENCIES
spring
spring-commands-rspec
stackprof
string-similarity
strong_migrations
sys-proctable
test-prof
timecop
turbo-rails
typhoeus
@ -1022,13 +1031,10 @@ DEPENDENCIES
web-console
webmock
webrick
yabeda-graphql
yabeda-prometheus
yabeda-puma-plugin
yabeda-rails
yabeda-sidekiq
zipline
zxcvbn-ruby
zxcvbn
BUNDLED WITH
2.5.9

311
machines/compute01/ds-fr/package/rubyEnv/gemset.nix
View file

@ -31,10 +31,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0j86qjs1zw34p0p7d5napa1vvwqlvm9nmv7ckxxhcba1qv4dspmw";
sha256 = "1c46q4ykf8cqcpzad7zhkrxjhvf92sil0185zvxwzhj95p1zp5vr";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
actionmailbox = {
dependencies = [
@ -52,10 +52,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1f68h8cl6dqbz7mq3x43s0s82291nani3bz1hrxkk2qpgda23mw9";
sha256 = "0x100vq4rf2c5ndz8ai00hb5gsb9ax2xqc89dsfzzhxbpa9gs9ik";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
actionmailer = {
dependencies = [
@ -76,10 +76,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "077j47jsg0wqwx5b13n4h0g3g409b6kfrlazpzgjpa3pal74f7sc";
sha256 = "1hds7b6n7vsa64fmma7wl7x9mxscr89myfb13vxni5fcns1agwzr";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
actionpack = {
dependencies = [
@ -98,10 +98,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0jh83rqd6glys1b2wsihzsln8yk6zdwgiyn9xncyiav9rcwjpkax";
sha256 = "18k05a55i0xgyv60lx0m1psnyncn935j76ivbp9hssqpij00jj1f";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
actiontext = {
dependencies = [
@ -116,10 +116,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "044qi3zhzxlfq7slc2pb9ky9mdivp1m1sjyhjvnsi64ggq7cvr22";
sha256 = "1g54g1kjyrwv9g592gxfz7z6ksmj916l1cgkxk54zhywxf6gpn0y";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
actionview = {
dependencies = [
@ -137,10 +137,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1ygpg75f3ffdcbxvf7s14xw3hcjin1nnx1nk3mg9mj2xc1nb60aa";
sha256 = "03rfynhj40270dqhkm4cyaphzb37b4fdiaqh9grvcfq760vx7ha5";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
active_model_serializers = {
dependencies = [
@ -186,10 +186,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yql9v4cd1xbqgnzlf3cv4a6sm26v2y4gsgcbbfgvfc0hhlfjklg";
sha256 = "1b54didwsg5p8wn30qjwspzh97w7g07hrsdzr7wdrdly4zii7sr1";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
activemodel = {
dependencies = [ "activesupport" ];
@ -200,10 +200,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0grdpvglh0cj96qhlxjj9bcfqkh13c1pfpcwc9ld3aw0yzvsw5a1";
sha256 = "1mi5cppdmkzgr2z135ibs0bq71qndbnip0vfflz1n4j4hqnhjkpg";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
activerecord = {
dependencies = [
@ -217,10 +217,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0rlky1cr5kcdl0jad3nk5jpim6vjzbgkfhxnk7y492b3j2nznpcf";
sha256 = "1pkv0jvvjc3grr0rvxni9b3j3hb22jaj0h70g476h9w54p0aljcb";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
activestorage = {
dependencies = [
@ -235,10 +235,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0f4g3589i5ii4gdfazv6d9rjinr16aarh6g12v8378ck7jll3mhz";
sha256 = "1qdqx20dqkg7iwzb8q5148x5sl9mr2063hxzy4i7i94af2d2vz6b";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
activestorage-openstack = {
dependencies = [
@ -270,10 +270,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0ff3x7q400flzhml131ix8zfwmh13h70rs6yzbzf513g781gbbxh";
sha256 = "15z11983ws5svibg6rky9k2mgd4d4chnvddyxfpgn81b81q70139";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
addressable = {
dependencies = [ "public_suffix" ];
@ -587,10 +587,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "045wzckxpwcqzrjr353cxnyaxgf0qg22jh00dcx7z38cys5g1jlr";
sha256 = "0pw3r2lyagsxkm71bf44v5b74f7l9r7di22brbyji9fwz791hya9";
type = "gem";
};
version = "3.2.4";
version = "3.3.0";
};
capybara = {
dependencies = [
@ -626,6 +626,21 @@
};
version = "3.0.2";
};
capybara-playwright-driver = {
dependencies = [
"addressable"
"capybara"
"playwright-ruby-client"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0a0pzvajqhzhi8nmj5w7s5izndd52vbc55ml26p2wk9ddjd8zlb5";
type = "gem";
};
version = "0.5.2";
};
capybara-screenshot = {
dependencies = [
"capybara"
@ -743,10 +758,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1qh1b14jwbbj242klkyz5fc7npd4j0mvndz62gajhvl1l3wd7zc2";
sha256 = "0chwfdq2a6kbj6xz9l6zrdfnyghnh32si82la1dnpa5h75ir5anl";
type = "gem";
};
version = "1.2.3";
version = "1.3.4";
};
connection_pool = {
groups = [ "default" ];
@ -950,10 +965,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1hh0yc85ixnan90hibz3nba6pamhscxfr1zaymxgv3vw5icv50ya";
sha256 = "1yx6ym8a9szwnq9yziljidqjn6gf99blvz1yib9qdd0qcg5x5hp8";
type = "gem";
};
version = "5.0.0";
version = "6.0.0";
};
diff-lcs = {
groups = [
@ -1099,10 +1114,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "08s75vs9cxlc4r1q2bjg4br8g9wc5lc5x5vl0vv4zq5ivxsdpgi7";
sha256 = "0qnd6ff4az22ysnmni3730c41b979xinilahzg86bn7gv93ip9pw";
type = "gem";
};
version = "1.12.0";
version = "1.13.0";
};
et-orbi = {
dependencies = [ "tzinfo" ];
@ -1213,10 +1228,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1rf5jgb6wv1zqf79arj94z67z7l7nw4xb9rlwm3cwvizs33gq0p0";
sha256 = "12vj0ilxykfc2hwi9b5hz441qni1wx7agvkys5v8avkp4dgzlfww";
type = "gem";
};
version = "1.2.2";
version = "1.3.0";
};
flipper-active_record = {
dependencies = [
@ -1227,10 +1242,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1qb6vwdjppivba0dbqyfkfhbvg3d5klx5zparz5n14gchmmk9k2k";
sha256 = "0zslli5da0x0nw4xs1h6fbnjahhs84nb2pn1wq6pgmq3c50wjlcr";
type = "gem";
};
version = "1.2.2";
version = "1.3.0";
};
flipper-active_support_cache_store = {
dependencies = [
@ -1241,10 +1256,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1brm8q793ywcchp4wa7mmkmmy5903z212kr9ck4v0fz502kc64xl";
sha256 = "1zra7lh8yzc45d4p6wyvfv4m53pnb6vna2gc3xisss10ldgh1abr";
type = "gem";
};
version = "1.2.2";
version = "1.3.0";
};
flipper-ui = {
dependencies = [
@ -1252,16 +1267,17 @@
"flipper"
"rack"
"rack-protection"
"rack-session"
"sanitize"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "15c1j07661rgmmv61kviis5y997hmq8b0w5829x2gchvha6hdmlv";
sha256 = "1khq1fmixahizhiysqdnm3zlyfy84na0g2vyncd2xyskqp7l3szs";
type = "gem";
};
version = "1.2.2";
version = "1.3.0";
};
fog-core = {
dependencies = [
@ -1317,6 +1333,16 @@
};
version = "1.1.0";
};
front_matter_parser = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yvvxcym75csvckkg3bcf739ild3f0b2yifnlj45gf8xl2yriqms";
type = "gem";
};
version = "1.0.1";
};
fugit = {
dependencies = [
"et-orbi"
@ -1326,10 +1352,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "10m9b2gvwfvmm61000mq7n8q7pk2xkxmizgfydpis66n2ybrhwh5";
sha256 = "0s4qhq3mjl0gak5wl20w9d5jhq069mk1393dkj76s8i2pvkqb578";
type = "gem";
};
version = "1.10.1";
version = "1.11.1";
};
geo_coord = {
groups = [ "default" ];
@ -1607,10 +1633,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0lbm33fpb3w06wd2231sg58dwlwgjsvym93m548ajvl6s3mfvpn7";
sha256 = "0k31wcgnvcvd14snz0pfqj976zv6drfsnq6x8acz10fiyms9l8nw";
type = "gem";
};
version = "1.14.4";
version = "1.14.6";
};
i18n-tasks = {
dependencies = [
@ -1959,6 +1985,19 @@
};
version = "3.9.0";
};
logger = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0gpg8gzi0xwymw4aaq2iafcbx31i3xzkg3fb30mdxn1d4qhc3dqa";
type = "gem";
};
version = "1.6.0";
};
lograge = {
dependencies = [
"actionpack"
@ -2046,10 +2085,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0kky3yiwagsk8gfbzn3mvl2fxlh3b39v6nawzm4wpjs6xxvvc4x0";
sha256 = "190n2mk8m1l708kr88fh6mip9sdsh339d2s6sgrik3sbnvz4jmhd";
type = "gem";
};
version = "1.0.2";
version = "1.0.4";
};
matrix = {
groups = [
@ -2156,10 +2195,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "149r94xi6b3jbp6bv72f8383b95ndn0p5sxnq11gs1j9jadv0ajf";
sha256 = "1q1f2sdw3y3y9mnym9dhjgsjr72sq975cfg5c4yx7gwv8nmzbvhk";
type = "gem";
};
version = "2.8.6";
version = "2.8.7";
};
minitest = {
groups = [
@ -2170,10 +2209,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "07lq26b86giy3ha3fhrywk9r1ajhc2pm2mzj657jnpnbj1i6g17a";
sha256 = "1n1akmc6bibkbxkzm1p1wmfb4n9vv397knkgz0ffykb3h1d7kdix";
type = "gem";
};
version = "5.22.3";
version = "5.25.1";
};
msgpack = {
groups = [ "default" ];
@ -2230,10 +2269,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0zn7j2w0hc622ig0rslk4iy6yp3937dy9ibhyr1mwwx39n7paxaj";
sha256 = "18yclv06n0cy8jqmi11sd1dl8nasc5n5r1mhan2v51j7jd3z58v3";
type = "gem";
};
version = "0.4.10";
version = "0.4.12";
};
net-pop = {
dependencies = [ "net-protocol" ];
@ -2275,20 +2314,20 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0csspzqrg7s2v2wdp6vqqs1rra6w5ilpgnps5h52ig6rp7x2i389";
sha256 = "0amlhz8fhnjfmsiqcjajip57ici2xhw089x7zqyhpk51drg43h2z";
type = "gem";
};
version = "0.4.0.1";
version = "0.5.0";
};
nio4r = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "15iwbiij52x6jhdbl0rkcldnhfndmsy0sbnsygkr9vhskfqrp72m";
sha256 = "017nbw87dpr4wyk81cgj8kxkxqgsgblrkxnmmadc77cg9gflrfal";
type = "gem";
};
version = "2.7.1";
version = "2.7.3";
};
nokogiri = {
dependencies = [
@ -2303,10 +2342,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0i8g0i370jhn2sclml0bg9qlrgf4csi6sy7czbhx8kjbl71idhb2";
sha256 = "15gysw8rassqgdq3kwgl4mhqmrgh7nk2qvrcqp4ijyqazgywn6gq";
type = "gem";
};
version = "1.16.4";
version = "1.16.7";
};
openid_connect = {
dependencies = [
@ -2412,6 +2451,20 @@
};
version = "0.8.8";
};
playwright-ruby-client = {
dependencies = [
"concurrent-ruby"
"mime-types"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1ak52v8nih2n7jhgi4j74ybs7kp3yp2fkcxppgxa59n5hibxvfcz";
type = "gem";
};
version = "1.46.0";
};
prawn = {
dependencies = [
"pdf-core"
@ -2537,10 +2590,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0i2vaww6qcazj0ywva1plmjnj6rk23b01szswc5jhcq7s2cikd1y";
sha256 = "0gml1rixrfb0naciq3mrnqkpcvm9ahgps1c04hzxh4b801f69914";
type = "gem";
};
version = "6.4.2";
version = "6.4.3";
};
pundit = {
dependencies = [ "activesupport" ];
@ -2572,10 +2625,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "01b9662zd2x9bp4rdjfid07h09zxj7kvn7f5fghbqhzc625ap1dp";
sha256 = "0byn0c9nkahsl93y9ln5bysq4j31q8xkf2ws42swighxd4lnjzsa";
type = "gem";
};
version = "1.7.3";
version = "1.8.1";
};
rack = {
groups = [
@ -2656,6 +2709,17 @@
};
version = "0.7.7";
};
rack-session = {
dependencies = [ "rack" ];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0xhxhlsz6shh8nm44jsmd9276zcnyzii364vhcvf0k8b8bjia8d0";
type = "gem";
};
version = "1.0.2";
};
rack-test = {
dependencies = [ "rack" ];
groups = [
@ -2704,10 +2768,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1v9dp9sgh8kk32r23mj66zjni7w1dv2h7mbaxgmazsf59a43gsvx";
sha256 = "1sv5jzd3varqzcqm8zxllwiqzgbgcymszw12ci3f9zbzlliq8hby";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
rails-controller-testing = {
dependencies = [
@ -2822,10 +2886,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "08ga56kz6a37dnlmi7y45r19fcc7jzb62mrc3ifavbzggmhy7r62";
sha256 = "02z7lqx0y60bzpkd4v67i9sbdh7djs0mm89h343kidx0gmq0kbh0";
type = "gem";
};
version = "7.0.8.1";
version = "7.0.8.4";
};
rainbow = {
groups = [
@ -2993,6 +3057,7 @@
version = "3.1.1";
};
rexml = {
dependencies = [ "strscan" ];
groups = [
"default"
"development"
@ -3001,10 +3066,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "05i8518ay14kjbma550mv0jm8a6di8yp5phzrd8rj44z9qnrlrp0";
sha256 = "1ik3in0957l9s6iwdm3nsk4za072cj27riiqgpx6zzcd22flbw3s";
type = "gem";
};
version = "3.2.6";
version = "3.3.6";
};
rodf = {
dependencies = [
@ -3409,10 +3474,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0wsw05y0h1ln3x2kvcw26fs9ivryb4xbjrb4hsk2pishkhydkz4j";
sha256 = "1c9j1rwdp87k7b7mawf8agpdycdr2dsl2wvjipmcy1c55kllp2qp";
type = "gem";
};
version = "6.1.0";
version = "6.1.2";
};
sass = {
dependencies = [ "sass-listen" ];
@ -3500,14 +3565,15 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0fxhkxpczqg4f7gxdyvc6ccxy9hppnwl3ih03p42f6hbfy5q1x64";
sha256 = "0ph7b947h5cgqyhb5a4jk467bggx48xy619ggh6p38ys8bjszp1l";
type = "gem";
};
version = "0.123.0";
version = "0.126.0";
};
selenium-webdriver = {
dependencies = [
"base64"
"logger"
"rexml"
"rubyzip"
"websocket"
@ -3516,10 +3582,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0rjh9s5x7jqaxjfcz2m3hphhlajk9nxs6wdsnia62iba07bd32sc";
sha256 = "0rjxlivsh32xvjq78p1m1sr366aa04wms4hwb2r187ygrnmp0hv4";
type = "gem";
};
version = "4.19.0";
version = "4.22.0";
};
sentry-delayed_job = {
dependencies = [
@ -3614,10 +3680,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "18ykb35ab3fsg6jj8h7kb3kbba41sls4nvwn6vxb731iyh10v4h9";
sha256 = "0y079baadqgm73n44jdp24g7jfgq9fds2wbbpqni0pnfhvs043l1";
type = "gem";
};
version = "7.2.2";
version = "7.2.4";
};
sidekiq-cron = {
dependencies = [
@ -3834,6 +3900,16 @@
};
version = "0.2.26";
};
string-similarity = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1gx30368nj7wpcnhydyvdg9sj6b4aishm9669zvfvvpx77frp55b";
type = "gem";
};
version = "2.1.0";
};
stringio = {
groups = [
"default"
@ -3859,6 +3935,20 @@
};
version = "1.8.0";
};
strscan = {
groups = [
"default"
"development"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0mamrl7pxacbc79ny5hzmakc9grbjysm3yy6119ppgsg44fsif01";
type = "gem";
};
version = "3.1.0";
};
swd = {
dependencies = [
"activesupport"
@ -3923,6 +4013,16 @@
};
version = "3.0.2";
};
test-prof = {
groups = [ "test" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0rwnq67qm2ngz066sncvg0dv65bsk29qz3xarbv8qan2hi7yw0qg";
type = "gem";
};
version = "1.3.3";
};
thor = {
groups = [
"default"
@ -3932,10 +4032,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1vq1fjp45az9hfp6fxljhdrkv75cvbab1jfrwcw738pnsiqk8zps";
sha256 = "1nmymd86a0vb39pzj2cwv57avdrl6pl3lf5bsz58q594kqxjkw7f";
type = "gem";
};
version = "1.3.1";
version = "1.3.2";
};
thread_safe = {
groups = [
@ -4240,10 +4340,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "13qm7s0gr2pmfcl7dxrmq38asaza4w0i2n9my4yzs499j731wh8r";
sha256 = "089gy5494j560b242vi173wnbj2913hwlwnjkpzld58r96ilc5s3";
type = "gem";
};
version = "1.8.1";
version = "1.8.2";
};
websocket = {
groups = [
@ -4335,20 +4435,6 @@
};
version = "0.12.0";
};
yabeda-graphql = {
dependencies = [
"graphql"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0y422499vbs4m1555yvqrdjyk7bdg16rnj224zaw1b77d8irmrks";
type = "gem";
};
version = "0.2.3";
};
yabeda-prometheus = {
dependencies = [
"prometheus-client"
@ -4364,37 +4450,6 @@
};
version = "0.9.1";
};
yabeda-puma-plugin = {
dependencies = [
"json"
"puma"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yxifgq9m11n73qz9jgxsapqp67ijm5gp6y5jbdvkdcf7c2p47d4";
type = "gem";
};
version = "0.7.1";
};
yabeda-rails = {
dependencies = [
"activesupport"
"anyway_config"
"railties"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1nl2jpx561mpwdxf63db9yshhwfmg8k72r8d9yxnsic2wahvy4b0";
type = "gem";
};
version = "0.9.0";
};
yabeda-sidekiq = {
dependencies = [
"anyway_config"
@ -4419,10 +4474,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1m67qmsak3x8ixs8rb971azl3l7wapri65pmbf5z886h46q63f1d";
sha256 = "10cpfdswql21vildiin0q7drg5zfzf2sahnk9hv3nyzzjqwj2bdx";
type = "gem";
};
version = "2.6.13";
version = "2.6.18";
};
zip_tricks = {
groups = [ "default" ];
@ -4449,14 +4504,14 @@
};
version = "1.5.0";
};
zxcvbn-ruby = {
zxcvbn = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0afxvi4hy49civms434l6ndm5wcfq0gf5pkgmw7bjxhwfl5jg0c1";
sha256 = "10pf2nkinn3n2kyyfjck5bzjxayp8rp6dffi17kybaz381gqrbwg";
type = "gem";
};
version = "1.2.0";
version = "0.1.11";
};
}

14
machines/compute01/grafana.nix
View file

@ -69,11 +69,17 @@ in
}
];
};
};
dgn-web.simpleProxies.grafana = {
inherit host port;
proxyWebsockets = true;
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
age-secrets.autoMatch = [ "grafana" ];

15
machines/compute01/hedgedoc.nix
View file

@ -29,6 +29,16 @@ in
};
};
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = {
enable = true;
@ -43,11 +53,6 @@ in
};
};
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc"
"hedgedoc/uploads"

120
machines/compute01/kanidm/default.nix
View file

@ -1,23 +1,14 @@
{
config,
lib,
meta,
nixpkgs,
...
}:
let
inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu";
port = 8443;
cert = config.security.acme.certs.${domain};
@ -36,8 +27,6 @@ let
"netbird-beta.hubrecht.ovh"
]
);
usernameFor = member: meta.organization.members.${member}.username;
in
{
services.kanidm = {
@ -50,7 +39,7 @@ in
origin = "https://${domain}";
bindaddress = "127.0.0.1:${builtins.toString port}";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
@ -58,113 +47,10 @@ in
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};
users.users.kanidm.extraGroups = [ cert.group ];
dgn-web.internalPorts.kanidm = port;
services.nginx = {
enable = true;
@ -172,7 +58,7 @@ in
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:${builtins.toString port}";
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {

7
machines/compute01/kanidm/secrets/secrets.nix
View file

@ -1,4 +1,9 @@
(import ../../../../keys).mkSecrets [ "compute01" ] [
let
lib = import ../../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

18
machines/compute01/nextcloud.nix
View file

@ -3,8 +3,6 @@
let
host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in
{
services.nextcloud = {
@ -106,7 +104,7 @@ in
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
};
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
ports = [ "9980:9980" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
@ -121,8 +119,6 @@ in
};
};
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
@ -140,25 +136,25 @@ in
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
@ -167,13 +163,13 @@ in
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;

15
machines/compute01/ollama-proxy.nix
View file

@ -1,15 +0,0 @@
{ pkgs, ... }:
{
services.nginx = {
virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.80.103.206:11434";
basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
'';
};
};
};
}

18
machines/compute01/outline.nix
View file

@ -2,7 +2,6 @@
let
host = "docs.dgnum.eu";
port = 3003;
in
{
services.outline = {
@ -36,12 +35,21 @@ in
defaultLanguage = "fr_FR";
forceHttps = false;
inherit port;
port = 3003;
};
dgn-web.simpleProxies.outline = {
inherit host port;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
};
age-secrets.autoMatch = [ "outline" ];

13
machines/compute01/plausible.nix
View file

@ -38,7 +38,16 @@ in
};
};
dgn-web.simpleProxies.plausible = {
inherit host port;
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
};
}

10
machines/compute01/satosa/default.nix
View file

@ -2,15 +2,16 @@
let
host = "saml-idp.dgnum.eu";
port = 8090;
in
{
imports = [ ./module.nix ];
services.satosa = {
enable = true;
inherit host port;
inherit host;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path;
@ -147,8 +148,9 @@ in
};
};
dgn-web.simpleProxies.satosa = {
inherit host port;
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
};
age-secrets.autoMatch = [ "satosa" ];

8
machines/compute01/satosa/module.nix
View file

@ -190,6 +190,14 @@ in
};
};
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = {
isSystemUser = true;
group = "satosa";

BIN
machines/compute01/secrets/dgsi-x509_cert_file
View file

Binary file not shown.

BIN
machines/compute01/secrets/dgsi-x509_key_file
View file

Binary file not shown.

10
machines/compute01/secrets/secrets.nix
View file

@ -1,13 +1,15 @@
(import ../../../keys).mkSecrets [ "compute01" ] [
# List of secrets for compute01
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"arkheon-env_file"
"bupstash-put_key"
"dgsi-email_host_password_file"
"dgsi-kanidm_auth_token_file"
"dgsi-kanidm_secret_file"
"dgsi-secret_key_file"
"dgsi-x509_cert_file"
"dgsi-x509_key_file"
"ds-fr-secret_file"
"grafana-oauth_client_secret_file"
"grafana-smtp_password_file"

16
machines/compute01/stirling-pdf/default.nix
View file

@ -1,22 +1,10 @@
{ nixpkgs, ... }:
let
###
# How to update:
# - clone https://git.dgnum.eu/DGNum/Stirling-PDF
# - switch to the branch dgn-v0.X.Y where X.Y is the version in production
# - fetch upstream changes up to the tagged release in nixos-unstable
# - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
# - push to a new branch dgn-v0.A.B where A.B is the new version
# - finally, update the commit hash of the customization patch
dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
port = 8084;
dgn-id = "f756a0f47e704db815a7af6786f6eb0aec628d6b";
in
{
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = {
enable = true;
@ -27,7 +15,7 @@ in
});
domain = "pdf.dgnum.eu";
inherit port;
port = 8084;
nginx = {
enableACME = true;

59
machines/compute01/vaultwarden.nix
View file

@ -2,8 +2,6 @@
let
host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in
{
services.vaultwarden = {
@ -12,9 +10,9 @@ in
config = {
DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = wsPort;
WEBSOCKET_PORT = 10500;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = port;
ROCKET_PORT = 10501;
ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true;
USE_SYSLOG = true;
@ -33,38 +31,45 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
};
dgn-web = {
internalPorts.vaultwarden-websockets = wsPort;
services = {
nginx = {
enable = true;
simpleProxies.vaultwarden = {
inherit host port;
proxyWebsockets = true;
virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
vhostConfig.locations = {
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
locations = {
"/" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
proxyWebsockets = true;
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:10500";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
};
};
};
};
services.postgresql = {
enable = true;
postgresql = {
enable = true;
ensureDatabases = [ "vaultwarden" ];
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
};
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];

8
machines/geo01/secrets/secrets.nix
View file

@ -1,3 +1,5 @@
(import ../../../keys).mkSecrets [ "geo01" ] [
# List of secrets for geo01
]
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo01";
in
lib.setDefault { inherit publicKeys; } [ ]

8
machines/geo02/secrets/secrets.nix
View file

@ -1,3 +1,5 @@
(import ../../../keys).mkSecrets [ "geo02" ] [
# List of secrets for geo02
]
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo02";
in
lib.setDefault { inherit publicKeys; } [ ]

1
machines/rescue01/_configuration.nix
View file

@ -3,7 +3,6 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-web"
];
enabledServices = [

9
machines/rescue01/secrets/secrets.nix
View file

@ -1,4 +1,5 @@
(import ../../../keys).mkSecrets [ "rescue01" ] [
# List of secrets for rescue01
"stateless-uptime-kuma-password"
]
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "rescue01";
in
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]

29
machines/rescue01/uptime-kuma.nix
View file

@ -46,16 +46,6 @@ let
accepted_statuscodes = [ "401" ];
};
"ollama01.beta.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "401" ];
};
"s3-admin.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "400" ];
};
"api.meet.dgnum.eu" = {
keyword = "Crab Fit API";
};
@ -132,11 +122,24 @@ in
services.uptime-kuma.enable = true;
dgn-web.simpleProxies.uptime-kuma = {
inherit host port;
proxyWebsockets = true;
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes

2
machines/storage01/_configuration.nix
View file

@ -9,6 +9,7 @@ lib.extra.mkConfig {
enabledServices = [
# List of services to enable
"atticd"
"tvix-cache"
"forgejo"
"forgejo-runners"
@ -18,7 +19,6 @@ lib.extra.mkConfig {
"peertube"
"prometheus"
"redirections"
"victoria-metrics"
];
extraConfig = {

82
machines/storage01/atticd.nix Normal file
View file

@ -0,0 +1,82 @@
{ config, nixpkgs, ... }:
let
host = "cachix.dgnum.eu";
in
{
services = {
atticd = {
enable = true;
credentialsFile = config.age.secrets."atticd-credentials_file".path;
settings = {
listen = "127.0.0.1:9099";
api-endpoint = "https://${host}/";
allowed-hosts = [ host ];
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 0; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
database.url = "postgresql://atticd?host=/run/postgresql";
storage = {
type = "s3";
region = "garage";
bucket = "attic-dgnum";
endpoint = "https://s3.dgnum.eu";
};
};
useFlakeCompatOverlay = false;
package = nixpkgs.unstable.attic-server;
};
nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9099";
extraConfig = ''
client_max_body_size 10G;
'';
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
};
systemd.services.atticd.environment.RUST_LOG = "warn";
}

12
machines/storage01/forgejo-runners.nix
View file

@ -1,4 +1,10 @@
{ config, pkgs, ... }:
{
config,
pkgs,
nixpkgs,
sources,
...
}:
let
url = "https://git.dgnum.eu";
@ -24,6 +30,8 @@ let
options = "--cpus=4";
};
};
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.forgejo-nix-runners = {
@ -35,8 +43,10 @@ in
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [
nix-pkgs.colmena
pkgs.npins
pkgs.tea
nixpkgs.unstable.nixfmt-rfc-style
];
containerOptions = [ "--cpus=4" ];

21
machines/storage01/forgejo.nix
View file

@ -31,7 +31,6 @@ in
admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
};
log.LEVEL = "Warn";
@ -45,11 +44,6 @@ in
USER = "web-services@infra.dgnum.eu";
};
session = {
SESSION_LIFE_TIME = 24 * 3600 * 7;
GC_INTERVAL_TIME = 24 * 3600 * 7;
};
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
@ -61,7 +55,6 @@ in
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false;
@ -78,10 +71,18 @@ in
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
};
};
dgn-web.simpleProxies.forgejo = {
inherit host port;
nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
};
};
};
users.users.git = {

54
machines/storage01/garage.nix
View file

@ -1,13 +1,6 @@
{
config,
lib,
pkgs,
...
}:
{ config, pkgs, ... }:
let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu";
@ -22,8 +15,6 @@ let
];
buckets = [
"monorepo-terraform-state"
"banda-website"
"castopod-dgnum"
"hackens-website"
@ -32,49 +23,39 @@ let
] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}");
ports = {
admin_api = 3903;
k2v_api = 3904;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
in
{
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = {
enable = true;
package = pkgs.garage_1_0_1;
package = pkgs.garage_0_9;
settings = {
inherit data_dir metadata_dir;
db_engine = "lmdb";
replication_mode = "none"; # TODO: deprecated
replication_mode = "none";
compression_level = 7;
rpc_bind_addr = "[::]:${toString ports.rpc}";
rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
rpc_bind_addr = "[::]:3901";
rpc_public_addr = "127.0.0.1:3901";
s3_api = {
s3_region = "garage";
api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
api_bind_addr = "127.0.0.1:3900";
root_domain = ".${host}";
};
s3_web = {
bind_addr = "127.0.0.1:${toString ports.s3_web}";
bind_addr = "127.0.0.1:3902";
root_domain = ".${webHost}";
index = "index.html";
};
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
k2v_api.api_bind_addr = "[::]:3904";
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
admin.api_bind_addr = "127.0.0.1:3903";
};
environmentFile = config.age.secrets."garage-environment_file".path;
@ -86,7 +67,7 @@ in
data_dir
metadata_dir
];
TimeoutSec = 600;
TimeoutSec = 3000;
};
users.users.garage = {
@ -96,17 +77,6 @@ in
users.groups.garage = { };
services.nginx.virtualHosts = {
"s3-admin.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.admin_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
${host} = {
enableACME = true;
forceSSL = true;
@ -114,7 +84,7 @@ in
serverAliases = mkHosted host buckets;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.s3_api};
proxy_pass http://127.0.0.1:3900;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
# Disable buffering to a temporary file.
@ -130,7 +100,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.s3_web};
proxy_pass http://127.0.0.1:3902;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';

10
machines/storage01/influxdb.nix
View file

@ -5,7 +5,6 @@ let
token = user: secret "${user}_token_file";
host = "influx.dgnum.eu";
port = 8086;
in
{
@ -42,8 +41,13 @@ in
};
};
dgn-web.simpleProxies.influxdb = {
inherit host port;
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8086";
};
};
age-secrets.autoMatch = [ "influxdb2" ];

82
machines/storage01/netbird.nix
View file

@ -1,82 +0,0 @@
{
config,
lib,
nixpkgs,
...
}:
let
domain = "netbird.dgnum.eu";
s = name: config.age.secrets.${name}.path;
in
{
services = {
netbird.server = {
enable = true;
package = nixpkgs.unstable.netbird;
inherit domain;
enableNginx = true;
coturn.enable = lib.mkForce false;
relay = {
environmentFile = s "netbird-relay_environment_file";
metricsPort = 9094;
};
dashboard = {
settings = {
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
AUTH_AUDIENCE = "dgn_netbird";
AUTH_CLIENT_ID = "dgn_netbird";
};
};
management = {
oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
dnsDomain = "dgnum";
metricsPort = 9092;
settings = {
DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
PKCEAuthorizationFlow.ProviderConfig = {
Audience = "dgn_netbird";
ClientID = "dgn_netbird";
AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
};
IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
DeviceAuthorizationFlow = {
Provider = "none";
ProviderConfig = {
Audience = "dgn_netbird";
ClientID = "dgn_netbird";
};
};
Relay = {
Addresses = [ "rels://${domain}:443" ];
CredentialsTTL = "24h";
Secret._secret = s "netbird-relay_secret_file";
};
};
};
};
nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
};
};
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
}

47
machines/storage01/netbird/default.nix Normal file
View file

@ -0,0 +1,47 @@
{ config, ... }:
let
domain = "netbird.dgnum.eu";
in
{
imports = [ ./module.nix ];
services.netbird-server = {
enable = true;
logLevel = "DEBUG";
enableDeviceAuthorizationFlow = false;
enableNginx = true;
enableCoturn = true;
setupAutoOidc = true;
management.dnsDomain = "dgnum";
secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
settings = {
NETBIRD_DOMAIN = domain;
TURN_PASSWORD = "tototest1234";
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
NETBIRD_TOKEN_SOURCE = "idToken";
# NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
# "53000"
# "54000"
# ];
NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
};
};
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
}

643
machines/storage01/netbird/module.nix Normal file
View file

@ -0,0 +1,643 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
filterAttrs
literalExpression
maintainers
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
optionalAttrs
optionalString
optionals
types
;
inherit ((import ./package { inherit pkgs; })) dashboard;
cfg = config.services.netbird-server;
stateDir = "/var/lib/netbird-mgmt";
settingsFormat = pkgs.formats.keyValue { };
managementFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "setup.env" (
builtins.mapAttrs (
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
) settings
);
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
settings =
rec {
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
TURN_PORT = 3478;
TURN_USER = "netbird";
TURN_MIN_PORT = 49152;
TURN_MAX_PORT = 65535;
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
STUN_USERNAME = "";
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443";
NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT
}";
NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT
}";
NETBIRD_SIGNAL_PROTOCOL = "https";
NETBIRD_SIGNAL_PORT = 443;
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
NETBIRD_AUTH_CLIENT_SECRET =
if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
NETBIRD_AUTH_SUPPORTED_SCOPES = [
"openid"
"profile"
"email"
"offline_access"
"api"
];
NETBIRD_AUTH_REDIRECT_URI = "";
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [
"openid"
"profile"
"email"
"offline_access"
"api"
];
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
NETBIRD_MGMT_API_PORT = 443;
NETBIRD_MGMT_IDP = "none";
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_IDP_MGMT_CLIENT_SECRET =
if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then
"$IDP_MGMT_CLIENT_SECRET"
else
cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
NETBIRD_TOKEN_SOURCE = "accessToken";
NETBIRD_DRAG_QUERY_PARAMS = false;
NETBIRD_USE_AUTH0 = false;
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
p: "http://localhost:${p}"
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
}
// (optionalAttrs cfg.setupAutoOidc {
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS";
NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY";
})
// cfg.settings;
in
{
meta = {
maintainers = with maintainers; [ thubrecht ];
};
options.services.netbird-server = {
enable = mkEnableOption (lib.mdDoc "netbird management service.");
package = mkOption {
type = types.package;
default = pkgs.netbird;
defaultText = literalExpression "pkgs.netbird";
description = lib.mdDoc "The package to use for netbird";
};
settings = mkOption {
type =
with types;
attrsOf (
nullOr (oneOf [
(listOf str)
bool
int
float
str
])
);
defaultText = lib.literalExpression ''
{
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
TURN_PORT = 3478;
TURN_USER = "netbird";
TURN_MIN_PORT = 49152;
TURN_MAX_PORT = 65535;
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
STUN_USERNAME = "";
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443";
NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}";
NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}";
NETBIRD_SIGNAL_PROTOCOL = "https";
NETBIRD_SIGNAL_PORT = 443;
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ];
NETBIRD_AUTH_REDIRECT_URI = "";
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ];
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
NETBIRD_MGMT_API_PORT = 443;
NETBIRD_MGMT_IDP = "none";
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
NETBIRD_TOKEN_SOURCE = "accessToken";
NETBIRD_DRAG_QUERY_PARAMS = false;
NETBIRD_USE_AUTH0 = false;
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
}
'';
description = lib.mdDoc ''
Configuration settings for netbird.
Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example)
List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes.
'';
};
managementConfig = mkOption {
inherit (managementFormat) type;
description = lib.mdDoc "Configuration of the netbird management server.";
};
idpManagerExtraConfig = mkOption {
type = types.attrsOf types.str;
default = { };
description = lib.mdDoc "Extra options passed to the IdpManagerConfig.";
};
ports.management = mkOption {
type = types.port;
default = 8011;
description = lib.mdDoc "Internal port of the management server.";
};
ports.signal = mkOption {
type = types.port;
default = 8012;
description = lib.mdDoc "Internal port of the signal server.";
};
logLevel = mkOption {
type = types.enum [
"ERROR"
"WARN"
"INFO"
"DEBUG"
];
default = "INFO";
description = lib.mdDoc "Log level of the netbird services.";
};
enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." // {
default = true;
};
enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server.";
enableCoturn = mkEnableOption "a Coturn server used for Netbird.";
setupAutoOidc = mkEnableOption "the automatic setup of the OIDC.";
management = {
dnsDomain = mkOption {
type = types.str;
default = "netbird.selfhosted";
description = lib.mdDoc "Domain used for peer resolution.";
};
singleAccountModeDomain = mkOption {
type = types.str;
default = "netbird.selfhosted";
description = lib.mdDoc ''
Enables single account mode.
This means that all the users will be under the same account grouped by the specified domain.
If the installation has more than one account, the property is ineffective.
'';
};
disableAnonymousMetrics = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird.";
};
disableSingleAccountMode = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set to true, disables single account mode.
The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account.
'';
};
};
secretFiles = {
TURN_PASSWORD = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD.";
};
TURN_SECRET = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret TURN_SECRET.";
};
STUN_PASSWORD = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD.";
};
AUTH_CLIENT_SECRET = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET.";
};
IDP_MGMT_CLIENT_SECRET = mkOption {
type = with types; nullOr path;
default = cfg.secretFiles.AUTH_CLIENT_SECRET;
defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;";
description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET.";
};
};
};
config = mkMerge [
(mkIf cfg.enable {
services.netbird-server.managementConfig = with settings; {
Stuns = mkDefault [
{
Proto = "udp";
URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
Username = STUN_USERNAME;
Password = STUN_PASSWORD;
}
];
TURNConfig = {
Turns = [
{
Proto = "udp";
URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
Username = TURN_USER;
Password = TURN_PASSWORD;
}
];
CredentialsTTL = "12h";
Secret = TURN_SECRET;
TimeBasedCredentials = false;
};
Signal = {
Proto = NETBIRD_SIGNAL_PROTOCOL;
URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}";
Username = "";
Password = null;
};
Datadir = "${stateDir}/data";
HttpConfig = {
Address = "127.0.0.1:${builtins.toString cfg.ports.management}";
AuthIssuer = NETBIRD_AUTH_AUTHORITY;
AuthAudience = NETBIRD_AUTH_AUDIENCE;
AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS;
AuthUserIDClaim = NETBIRD_AUTH_USER_ID_CLAIM;
OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT;
};
IdpManagerConfig = {
ManagerType = NETBIRD_MGMT_IDP;
ClientConfig = {
Issuer = NETBIRD_AUTH_AUTHORITY;
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
ClientID = NETBIRD_IDP_MGMT_CLIENT_ID;
ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET;
GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE;
};
ExtraConfig = cfg.idpManagerExtraConfig;
};
DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow {
Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER;
ProviderConfig = {
Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE;
Domain = NETBIRD_AUTH_AUTHORITY;
ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID;
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT;
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE;
UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN;
};
};
PKCEAuthorizationFlow = {
ProviderConfig = {
Audience = NETBIRD_AUTH_AUDIENCE;
ClientID = NETBIRD_AUTH_CLIENT_ID;
ClientSecret = NETBIRD_AUTH_CLIENT_SECRET;
AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT;
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES;
RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS;
UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN;
};
};
};
services.nginx.virtualHosts = mkIf cfg.enableNginx {
${cfg.settings.NETBIRD_DOMAIN} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
root = "${stateDir}/web-ui/";
tryFiles = "$uri /index.html";
};
"/signalexchange.SignalExchange/".extraConfig = ''
grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal};
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
'';
"/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}";
"/management.ManagementService/".extraConfig = ''
grpc_pass grpc://localhost:${builtins.toString cfg.ports.management};
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
'';
};
};
};
systemd.services = {
netbird-setup = {
wantedBy = [
"netbird-management.service"
"netbird-signal.service"
"multi-user.target"
];
serviceConfig = {
Type = "oneshot";
RuntimeDirectory = "netbird-mgmt";
StateDirectory = "netbird-mgmt";
WorkingDirectory = stateDir;
EnvironmentFile = [ settingsFile ];
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
path =
(with pkgs; [
coreutils
findutils
gettext
gnused
])
++ (optionals cfg.setupAutoOidc (
with pkgs;
[
curl
jq
]
));
script =
''
cp ${managementFile} ${stateDir}/management.json.copy
''
+ (optionalString cfg.setupAutoOidc ''
mv ${stateDir}/management.json.copy ${stateDir}/management.json
echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file"
curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json
export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json)
envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy
'')
+ ''
# Update secrets in management.json
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") (
filterAttrs (_: p: p != null) cfg.secretFiles
)
)
)}
envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json
rm -rf ${stateDir}/web-ui
mkdir -p ${stateDir}/web-ui
cp -R ${dashboard}/* ${stateDir}/web-ui
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
${optionalString (
cfg.secretFiles.AUTH_CLIENT_SECRET == null
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
export USE_AUTH0="$NETBIRD_USE_AUTH0"
export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g')
export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js)
OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js
mv "$MAIN_JS" "$MAIN_JS".copy
envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS"
envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
'';
};
netbird-signal = {
after = [ "network.target" ];
wantedBy = [ "netbird-management.service" ];
restartTriggers = [
settingsFile
managementFile
];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/netbird-signal run \
--port ${builtins.toString cfg.ports.signal} \
--log-file console \
--log-level ${cfg.logLevel}
'';
Restart = "always";
RuntimeDirectory = "netbird-mgmt";
StateDirectory = "netbird-mgmt";
WorkingDirectory = stateDir;
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
stopIfChanged = false;
};
netbird-management = {
description = "The management server for Netbird, a wireguard VPN";
documentation = [ "https://netbird.io/docs/" ];
after = [
"network.target"
"netbird-setup.service"
];
wantedBy = [ "multi-user.target" ];
wants = [
"netbird-signal.service"
"netbird-setup.service"
];
restartTriggers = [
settingsFile
managementFile
];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/netbird-mgmt management \
--config ${stateDir}/management.json \
--datadir ${stateDir}/data \
${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \
${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \
--dns-domain ${cfg.management.dnsDomain} \
--single-account-mode-domain ${cfg.management.singleAccountModeDomain} \
--idp-sign-key-refresh-enabled \
--port ${builtins.toString cfg.ports.management} \
--log-file console \
--log-level ${cfg.logLevel}
'';
Restart = "always";
RuntimeDirectory = "netbird-mgmt";
StateDirectory = [
"netbird-mgmt"
"netbird-mgmt/data"
];
WorkingDirectory = stateDir;
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
stopIfChanged = false;
};
};
})
(mkIf cfg.enableCoturn {
services.coturn = {
enable = true;
realm = settings.NETBIRD_DOMAIN;
lt-cred-mech = true;
no-cli = true;
extraConfig = ''
fingerprint
user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD}
no-software-attribute
'';
};
networking.firewall = {
allowedUDPPorts = with settings; [
TURN_PORT
(TURN_PORT + 1)
5349
5350
];
allowedTCPPorts = with settings; [
TURN_PORT
(TURN_PORT + 1)
];
allowedUDPPortRanges = [
{
from = settings.TURN_MIN_PORT;
to = settings.TURN_MAX_PORT;
}
];
};
})
(mkIf (cfg.enableNginx && cfg.enableCoturn) {
services.coturn =
let
cert = config.security.acme.certs.${settings.TURN_DOMAIN};
in
{
cert = "${cert.directory}/fullchain.pem";
pkey = "${cert.directory}/key.pem";
};
users.users.nginx.extraGroups = [ "turnserver" ];
# share certs with coturn and restart on renewal
security.acme.certs.${settings.TURN_DOMAIN} = {
group = "turnserver";
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
};
})
];
}

31
machines/storage01/netbird/package/dashboard.nix Normal file
View file

@ -0,0 +1,31 @@
{
lib,
buildNpmPackage,
fetchFromGitHub,
}:
buildNpmPackage rec {
pname = "netbird-dashboard";
version = "1.17.6";
src = fetchFromGitHub {
owner = "netbirdio";
repo = "dashboard";
rev = "v${version}";
hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40=";
};
npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w=";
npmFlags = [ "--legacy-peer-deps" ];
installPhase = ''
cp -R build $out
'';
meta = with lib; {
description = "NetBird Management Service Web UI Panel";
homepage = "https://github.com/netbirdio/dashboard";
license = licenses.bsd3;
maintainers = with maintainers; [ thubrecht ];
};
}

7
machines/storage01/netbird/package/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
pkgs ? import <nixpkgs> { },
}:
{
dashboard = pkgs.callPackage ./dashboard.nix { };
}

2
machines/storage01/peertube.nix
View file

@ -4,8 +4,6 @@ let
host = "videos.dgnum.eu";
in
{
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
services.peertube = {
enable = true;

12
machines/storage01/prometheus.nix
View file

@ -77,9 +77,15 @@ in
];
};
dgn-web.simpleProxies.prometheus = {
inherit host port;
proxyWebsockets = true;
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
age-secrets.autoMatch = [ "prometheus" ];

30
machines/storage01/secrets/atticd-credentials_file Normal file
View file

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
-> ssh-rsa krWCLQ
hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
vBGnX9w0unyR//LLqrOPWA
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
uÂ;.ÿñË>pÔïÑ<C391>òh¸<68>2ÎŒ}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$ 1»!z<E28093>jlA‡[@;òs®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—hòà ù@%ˆŠä´›|×{ ¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZDËÇÃ)}HŠü˜¦×ál}Sƒ˜ëFrn
øL¦-wÉÑ—¼j)ê â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
¾¸y8óÃkñbÔy×ËäÏ臃¹·k¤¨ÉÍ™ê°n/-'ÃZ<C383>ÅŸ ¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d

BIN
machines/storage01/secrets/netbird-auth_client_secret_file Normal file
View file

Binary file not shown.

30
machines/storage01/secrets/netbird-data_store_encryption_key_file
View file

@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo
hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8
-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA
VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8
-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0
Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0
-> ssh-rsa krWCLQ
OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ
8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2
H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees
D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl
P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN
Gy5MiJasx3nWCUYJZUL1Fw
-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8
wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog
-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU
+LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg
-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ
7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo
-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk
kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I
-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0
zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg
-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4
jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg
-> @K'k$-grease x>ie }CH4sS h|s
bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg
--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs
1Ò¨Rq¢<>nýµ{”ý5?HXH1¢ Ê%)Í01RGr׿fÖNT4å2B(í);ìíÿ‰íÁœ

BIN
machines/storage01/secrets/netbird-relay_environment_file
View file

Binary file not shown.

31
machines/storage01/secrets/netbird-relay_secret_file
View file

@ -1,31 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA lI9DxAFp/gbF+77Sofv9KIrs3kMTYTLEm8C6AsZBPyI
8RFGt1aJnZbd7Lpr4iy1VlMr3yzpPf6sI79cik5X77c
-> ssh-ed25519 QlRB9Q eMENLAMY+eNXJhduTnJoyPimbThM7VA+4m6BrnZa8RE
NpwcJhh0U8pMU1hnXFz2bfwSmCQra1CI5Tr2cbXGMT0
-> ssh-ed25519 r+nK/Q eyuD/hYyYmG96AcPEZVNsohXgK9WD+g+ZyMpIyaiYjY
Ef+R/eXkqvOmYJvjz4muTjGamkXzgHzD31vXDXsgo3M
-> ssh-rsa krWCLQ
BuBMUp5uijNV71OYvMGS9NhBBplfFugJy14EOHclJ2TKjQ19RVKHPj0wX0AxuPCT
iV6j6Po/oKSsGuoKy6JMTLKjYtROPF70Ld8PlC4tFI5i0xQagEFhKONfk1Rd/mF0
2qGriQhSUMvkMirbkhE3CxrAzSqcjuoGji+ZWwpz2LYUVsF89nnoLsTRri+Sg5ZW
4qhoo23UTU+IlrVtqjB7W1rNAwHKhWPZnjc08x1x/qnLATemmDMsFmTEGljJNGMR
kEg+oUdwdvLjDsnGBWkE+Ck/mrEGwjcsDTmZmCYcH/Q11EMdj5hnCfG68PRhLF9K
b28fHveM3i5/jHrrTxWbrA
-> ssh-ed25519 /vwQcQ 1xQWlLW6xCrheirHSKcGEu+KM644y8NP1KYvwOganQc
IFVYj83X1uLvgIRlnDvnLiaoZNM9viLT7X11vIHdLxY
-> ssh-ed25519 0R97PA I8K03IKgC59zmHqVr8h8TaxuuTSbmYsyap830JyhIhw
AGxW9sq7PQNgs9WFcbINI2CnE3lJJ0rDmseN83YSeT0
-> ssh-ed25519 JGx7Ng syz/pzdj3Lg1VwulZhT8UQncgXjOH1nlbtqHgASLAws
IKaU32zbjFc319PctmGPtHt4RXjgzun0K+9HeuGS3FU
-> ssh-ed25519 5SY7Kg 06EjOyKw1zIWcdZGC7EfNt9mFix+fVcy1iS+SBhPgCQ
ZxcNbC1QmTPJkWlwBnD9YjuzekGZtSDeI7RYxq0uwgw
-> ssh-ed25519 p/Mg4Q uCbjjN5S0ZoZtsj5jva9mTrlZ2UE02A3DysxV1PZ/lM
7jWWiWp4ei5VjftKZz29osbaFxfpId+X3GLzgWZ9Wgo
-> ssh-ed25519 rHotTw Q1/zZpGbUCbXiEELad5710uNkllrFuQlhonSLfIoQVo
h6iW26rADPn1MRqNoD33ZVVDRDr2DBoNK+BjrDxwZik
-> ss-grease
A3WDPMHgipAaXF0MStKGx8CAbFTqks74CRTKButwwJYvgnMFp2Yglx3D2NOWTdJm
yde7gp5XInweYf2TjvQK88l0MD0VYlG9Lu7+wbWGFElCpQ
--- 0d/8UVX6ubUZpKG3LzJsFKbsZNRKUwQq7LuWMiyezKo
P?j@¦Hˆ´ßš¥¼ówgêìÚ©L¥_ã+ì|ζãÙ¦Ö#“fu#c涯„IæS†|¨À²å 

12
machines/storage01/secrets/secrets.nix
View file

@ -1,5 +1,9 @@
(import ../../../keys).mkSecrets [ "storage01" ] [
# List of secrets for storage01
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "storage01";
in
lib.setDefault { inherit publicKeys; } [
"atticd-credentials_file"
"bupstash-put_key"
"forgejo-mailer_password_file"
"forgejo_runners-token_file"
@ -8,9 +12,7 @@
"influxdb2-initial_password_file"
"influxdb2-initial_token_file"
"influxdb2-telegraf_token_file"
"netbird-data_store_encryption_key_file"
"netbird-relay_environment_file"
"netbird-relay_secret_file"
"netbird-auth_client_secret_file"
"nginx-tvix-store-password"
"nginx-tvix-store-password-ci"
"peertube-secrets_file"

14
machines/storage01/tvix-cache/cache-settings.nix
View file

@ -1,14 +0,0 @@
let
cache-info = {
infra = {
public-key = "infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
url = "https://tvix-store.dgnum.eu/infra";
};
};
in
{ caches }:
{
trusted-substituters = builtins.map (cache: cache-info.${cache}.url) caches;
trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches;
}

30
machines/storage01/tvix-cache/default.nix
View file

@ -1,13 +1,9 @@
{ pkgs, config, ... }:
let
settingsFormat = pkgs.formats.toml { };
dataDir = "/data/slow/tvix-store";
# How to add a cache:
# - Add the relevant services (likely only a pathinfoservice) to the
# composition config (store-config.composition).
# - Add an endpoint (store-config.endpoints).
# - Append a proxy configuration to nginx in order to make the store
# accessible.
# - Update cache-info.nix so users can add the cache to their configuration
store-config = {
composition = {
blobservices.default = {
@ -58,13 +54,6 @@ let
};
};
};
settingsFormat = pkgs.formats.toml { };
webHost = "tvix-store.dgnum.eu";
dataDir = "/data/slow/tvix-store";
systemdHardening = {
PrivateDevices = true;
PrivateTmp = true;
@ -81,12 +70,10 @@ let
RuntimeDirectoryMode = "0750";
StateDirectoryMode = "0750";
};
toml = {
composition = settingsFormat.generate "composition.toml" store-config.composition;
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
};
package = pkgs.callPackage ./package { };
in
{
@ -96,7 +83,7 @@ in
"nginx"
];
services.nginx.virtualHosts.${webHost} = {
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
@ -118,12 +105,14 @@ in
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
'';
};
"/.well-known/nix-signing-keys/" = {
alias = "${./pubkeys}/";
extraConfig = "autoindex on;";
};
};
};
# TODO add tvix-store cli here
# environment.systemPackages = [ ];
users.users.tvix-store = {
isSystemUser = true;
group = "tvix-store";
@ -135,11 +124,10 @@ in
systemd.services."tvix-store" = {
wantedBy = [ "multi-user.target" ];
environment = {
RUST_LOG = "info";
RUST_LOG = "debug";
};
serviceConfig = {
UMask = "007";
LimitNOFILE = 1048576;
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
StateDirectory = "tvix-store";
RuntimeDirectory = "tvix-store";

1
machines/storage01/tvix-cache/pubkeys/infra Normal file
View file

@ -0,0 +1 @@
infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=

16
machines/storage01/victoria-metrics.nix
View file

@ -1,16 +0,0 @@
let
host = "victoria-metrics.dgnum.eu";
port = 9099;
in
{
services.victoriametrics = {
enable = true;
listenAddress = "127.0.0.1:${builtins.toString port}";
};
dgn-web.simpleProxies.victoria-metrics = {
inherit host port;
};
}

6
machines/vault01/networking.nix
View file

@ -238,11 +238,7 @@ in
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
ip saddr 10.0.0.0/16 ether saddr 5c:64:8e:f4:09:06 snat ip to 129.199.195.130-129.199.195.158
}
'';
};

7
machines/vault01/secrets/secrets.nix
View file

@ -1,5 +1,8 @@
(import ../../../keys).mkSecrets [ "vault01" ] [
# List of secrets for vault01
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "vault01";
in
lib.setDefault { inherit publicKeys; } [
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"

27
machines/web01/crabfit/default.nix
View file

@ -12,12 +12,25 @@
dgn-backups.postgresDatabases = [ "crabfit" ];
dgn-web.simpleProxies = {
crabfit-api = {
inherit (config.services.crabfit.api) host port;
services.nginx =
let
cfg = config.services.crabfit;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
};
virtualHosts.${cfg.api.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
};
};
crabfit-frontend = {
inherit (config.services.crabfit.frontend) host port;
};
};
}

23
machines/web01/linkal/module.nix
View file

@ -101,13 +101,20 @@ in
# };
# };
dgn-web.simpleProxies = mapAttrs' (
name:
{ port, ... }:
nameValuePair "linkal-${name}" {
inherit port;
host = "${name}.${cfg.domain}";
}
) cfg.calendarGroups;
services.nginx = {
enable = true;
virtualHosts = mapAttrs' (
name:
{ port, ... }:
nameValuePair "${name}.${cfg.domain}" {
enableACME = true;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}
) cfg.calendarGroups;
};
};
}

17
machines/web01/metis/default.nix
View file

@ -6,35 +6,30 @@
}:
let
inherit (lib) mapAttrsToList match;
metis = import sources.metis { inherit pkgs; };
inherit (metis) providers;
in
{
services.nginx.virtualHosts."calendrier.dgnum.eu" = {
enableACME = true;
forceSSL = true;
root = metis.package;
root = metis.production;
locations = lib.mapAttrs' (
name: domain:
name: value:
lib.nameValuePair "/cal/${name}/" {
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://${domain}/remote.php/dav/public-calendars/;
proxy_pass ${value};
'';
}
) metis.providers;
) providers;
extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent;
'';
};
assertions = mapAttrsToList (name: domain: {
assertion = (match "[a-z-]+" name == [ ]) && (match "[a-z.-]+" domain == [ ]);
message = "The provider `${name}` associated to the domain `${domain}` seems to have an incorrect definition.";
}) metis.providers;
}

23
machines/web01/netbox.nix
View file

@ -13,7 +13,7 @@ in
services = {
netbox = {
enable = true;
package = nixpkgs.unstable.netbox_4_1;
package = nixpkgs.unstable.netbox_3_7;
secretKeyFile = "/dev/null";
listenAddress = "127.0.0.1";
plugins = p: [ p.netbox-qrcode ];
@ -39,6 +39,17 @@ in
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
'';
};
nginx = {
enable = true;
virtualHosts."netbox.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
};
};
systemd.services = {
@ -58,12 +69,10 @@ in
};
users.users.nginx.extraGroups = [ "netbox" ];
dgn-web.simpleProxies.netbox = {
inherit (config.services.netbox) port;
host = "netbox.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
networking.firewall.allowedTCPPorts = [
443
80
];
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
dgn-backups.postgresDatabases = [ "netbox" ];

12
machines/web01/ntfy-sh.nix
View file

@ -2,7 +2,6 @@
let
host = "push.dgnum.eu";
port = 2586;
in
{
services.ntfy-sh = {
@ -18,9 +17,14 @@ in
};
};
dgn-web.simpleProxies.ntfy-sh = {
inherit host port;
proxyWebsockets = true;
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2586";
proxyWebsockets = true;
};
};
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [

1
machines/web01/redirections.nix
View file

@ -29,6 +29,7 @@ in
"bds.wp.dgnum.eu" = "bds.ens.fr";
"www.tuteurs.ens.fr" = "tuteurs.ens.fr";
"www.interq.ens.fr" = "interq.ens.fr";
"www.lanuit.ens.fr" = "lanuit.ens.fr";
};
temporary = {

7
machines/web01/secrets/secrets.nix
View file

@ -1,5 +1,8 @@
(import ../../../keys).mkSecrets [ "web01" ] [
# List of secrets for web01
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "web01";
in
lib.setDefault { inherit publicKeys; } [
"acme-certs_secret"
"bupstash-put_key"
"matterbridge-config_file"

12
machines/web02/cas-eleves/01-pytest-cas.patch
View file

@ -1,14 +1,4 @@
diff --git a/setup.py b/setup.py
index 7c7b02d..3f677ff 100644
--- a/setup.py
+++ b/setup.py
@@ -67,6 +67,4 @@ if __name__ == '__main__':
url="https://github.com/nitmir/django-cas-server",
download_url="https://github.com/nitmir/django-cas-server/releases/latest",
zip_safe=False,
- setup_requires=['pytest-runner'],
- tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
)
diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index 2b389d3..dcdfafd 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py

31
machines/web02/cas-eleves/default.nix
View file

@ -9,7 +9,6 @@
let
inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
port = 9889;
python3 =
@ -129,24 +128,28 @@ in
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
dgn-web.simpleProxies.cas-eleves = {
inherit host port;
vhostConfig = {
services = {
postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."cas.eleves.ens.fr" = {
enableACME = true;
forceSSL = true;
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
services.postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
}

32
machines/web02/kadenios/default.nix
View file

@ -9,7 +9,6 @@
let
inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888;
python3 =
@ -169,18 +168,25 @@ in
};
};
dgn-web.simpleProxies.kadenios = {
inherit host port;
vhostConfig.locations."/static/".root = staticDrv;
};
services = {
postgresql = {
ensureDatabases = [ "kadenios" ];
ensureUsers = [
{
name = "kadenios";
ensureDBOwnership = true;
}
];
};
services.postgresql = {
ensureDatabases = [ "kadenios" ];
ensureUsers = [
{
name = "kadenios";
ensureDBOwnership = true;
}
];
nginx.virtualHosts."vote.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
};
};
};
}

6
machines/web02/secrets/secrets.nix
View file

@ -1,5 +1,7 @@
(import ../../../keys).mkSecrets [ "web02" ] [
# List of secrets for web02
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "web02"; } [
"cas_eleves-secret_key_file"
"kadenios-secret_key_file"
"kadenios-email_password_file"

Some files were not shown because too many files have changed in this diff Show more