DGNum/infrastructure
13
6
Fork 3
Code Issues 20 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:npins-update
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
..
compare: DGNum:declarative-buckets
Branches Tags
DGNum:main
DGNum:npins-update
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix

3 commits
main ... declarativ

Author SHA1 Message Date
Ryan Lahfa
822b4f3b83
feat(infra): showcase the declarative bucket feature
All checks were successful
Check meta / check_meta (push) Successful in 15s
Details
Check meta / check_dns (push) Successful in 16s
Details
lint / check (push) Successful in 26s
Details
Check meta / check_meta (pull_request) Successful in 16s
Details
Check meta / check_dns (pull_request) Successful in 16s
Details
build configuration / build_and_cache_storage01 (pull_request) Successful in 1m17s
Details
build configuration / build_and_cache_compute01 (pull_request) Successful in 1m35s
Details
build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m11s
Details
build configuration / build_and_cache_geo01 (pull_request) Successful in 1m7s
Details
build configuration / build_and_cache_geo02 (pull_request) Successful in 1m6s
Details
build configuration / build_and_cache_vault01 (pull_request) Successful in 1m27s
Details
build configuration / build_and_cache_web02 (pull_request) Successful in 1m4s
Details
build configuration / build_and_cache_web01 (pull_request) Successful in 1m50s
Details
build configuration / build_and_cache_web03 (pull_request) Successful in 1m12s
Details
build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m2s
Details
lint / check (pull_request) Successful in 23s
Details 
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-22 13:32:02 +02:00
Ryan Lahfa
33f7a082ce
feat(infra): add S3 declarative buckets 
A very simple basic support for it, which requires a S3 admin token.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-22 13:32:02 +02:00
Ryan Lahfa
8706116ce4
feat(infra): introduce Terranix 
This requires the support for monorepo-terraform-state.s3.dgnum.eu being
available.

`.credentials/` is age-encrypted using only my key for now until we
figure out the right mechanism.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-22 13:32:02 +02:00
62 changed files with 1568 additions and 892 deletions
Show stats Expand all files Collapse all files

BIN
.credentials/admin-environment.age Normal file
View file

Binary file not shown.

6
.credentials/secrets.nix Normal file
View file

@ -0,0 +1,6 @@
let
keys = import ../keys;
in
{
"admin-environment.age".publicKeys = keys.rootKeys;
}

1
.envrc
View file

@ -1,2 +1 @@
watch_file workflows/*
use nix

34
.forgejo/workflows/check-meta.yaml
View file

@ -1,21 +1,25 @@
jobs:
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
on:
pull_request:
branches:
- main
- main
push:
paths:
- meta/*
- 'meta/*'
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link

16
.forgejo/workflows/check-workflows.yaml
View file

@ -1,16 +0,0 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:
branches:
- main
push:
paths:
- workflows/*

56
.forgejo/workflows/ds-fr.yaml Normal file
View file

@ -0,0 +1,56 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

119
.forgejo/workflows/eval-nodes.yaml
View file

@ -1,119 +0,0 @@
jobs:
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:
branches:
- main
push:
branches:
- main

200
.forgejo/workflows/eval.yaml Normal file
View file

@ -0,0 +1,200 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_and_cache_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "compute01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: paths.txt
build_and_cache_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "storage01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: paths.txt
build_and_cache_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "rescue01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: paths.txt
build_and_cache_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: paths.txt
build_and_cache_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: paths.txt
build_and_cache_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "vault01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: paths.txt
build_and_cache_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: paths.txt
build_and_cache_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web03"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "bridge01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt

11
.forgejo/workflows/lint.yaml Normal file
View file

@ -0,0 +1,11 @@
name: lint
on: [push, pull_request]
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

25
.forgejo/workflows/npins-update.yaml
View file

@ -1,25 +0,0 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 25 15 * * *

50
workflows/npins-update.nix → .forgejo/workflows/npins.yaml
View file

@ -1,24 +1,31 @@
{
name = "npins update";
on.schedule = [
name: npins update
on:
schedule:
# Run at 11 o'clock every wednesday
{ cron = "25 15 * * *"; }
];
- cron: "25 15 * * *"
jobs.npins_update = {
runs-on = "nix";
steps = [
{
uses = "actions/checkout@v3";
"with" = {
depth = 0;
token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
};
}
jobs:
npins_update:
runs-on: nix
steps:
# - name: Install applications
# run: apt-get update && apt-get install sudo
#
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
#
# - uses: https://github.com/cachix/install-nix-action@v22
# with:
# nix_path: nixpkgs=channel:nixos-unstable
{
name = "Update dependencies and open PR if necessary";
run = ''
# - name: Install tea
# run: |
# nix-env -f '<nixpkgs>' -i tea
- name: Update dependencies and open PR if necessary
run: |
npins update
if [ ! -z "$(git diff --name-only)" ]; then
@ -37,7 +44,7 @@
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
@ -49,8 +56,3 @@
--head npins-update
fi
fi
'';
}
];
};
}

12
.forgejo/workflows/pre-commit.yaml
View file

@ -1,12 +0,0 @@
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push
- pull_request

6
.gitignore vendored
View file

@ -9,3 +9,9 @@ result-*
*.qcow2
.gcroots
.pre-commit-config.yaml
# Ignore Terraform configuration file
config.tf.json
# Ignore Terraform stuff
.terraform

38
.terraform.lock.hcl Normal file
View file

@ -0,0 +1,38 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/numtide/secret" {
version = "1.2.1"
constraints = "~> 1.2.1"
hashes = [
"h1:t2z3CjxVsXjKb3g59WGkLtvDIR4NzLU7UFEcyAgF2C0=",
"zh:17cbc7f3b90ee2b3ae5adfc3bd9cb70166a5ffbd8e642e64afa7cb0e32a34bae",
"zh:5d66ce2aea25fc3c12cec6fc569b8ff314df6d773b9c3449983a4e9cde8347c7",
"zh:67d02e96bf0d07f2fcf16ce9427a7a26f53e695676405d0c2b815808f950411d",
"zh:77c3c05681ce199e6b0e2e5a2dfe418f61ae8863d527e7a7d47a9699d912683b",
"zh:7f37e633b4f94ba9f347cfe68d44f80fe066188feb954b13ee0f621caae4121d",
"zh:ea16bbe494c6ddd0af7bbea9554474c387517db4e7f0d15513bb29ff893871bc",
]
}
provider "registry.opentofu.org/raitobezarius/garage" {
version = "1.0.3"
constraints = "~> 1.0.3"
hashes = [
"h1:QKbZcU7u9OG1t/h4S3+pXS3sOUfVMmfLTiYh5L5j1rE=",
"zh:04f220a2baf4bd1bae07888a1c311cacd6076c209de83adbe573525fc50f2ea4",
"zh:078938d5fa07e024d779c664823427af28935bbeb77e0ff940bac3e7bc41f1e8",
"zh:2dd58a2d82094a1b07ff1b6de57e4a0d96e1f20abecd4f70a6469079b46b76d9",
"zh:325da7a74b1c84f934b38134d7c419253292aeed6f6836a2fb37f42d13a8ff67",
"zh:3ca9230ef87e70691b24fd83d40bb5b6a08f0b91ab26cbb2e692f92155b6d179",
"zh:45ef683a18a5053c93c691d08f3903fd4918467dfa056b1c274207de8a6aeb74",
"zh:4c9ee6c34b07c209c5daf1e9ff182f828667e54a90a683bc11cdcea86e4f8ef7",
"zh:5f0bb6524b2fffa606e0e3585af93dfc31b611c7abf55e4371ae5fc36e85972c",
"zh:7a3495dc211164c7d4042769c20d7111c767d0fd5908742e0766281c70d7d184",
"zh:7ce79867cdd4b1f7028da811cd5cb271a46820c79c0328a1221dd3bb6215c631",
"zh:93278861ee6bcb64e23bd1268f79b02035fba4fca0a98607a98f46abf8dfdf83",
"zh:937e681beea8b0dd899557f2a194c8128bd8810417ff04954bc9958ff826e980",
"zh:cae6e1598dd32f23f3900c41e50a6ece7d9456dbd033d855bb238ac21539d67b",
"zh:f6f7556ba7d5578604290170a709e00140be6d7f8a510a20bce49a9a23d75e5f",
]
}

105
default.nix
View file

@ -41,15 +41,7 @@
}:
let
inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
git-checks = (import sources.git-hooks).run {
git-checks = (import (builtins.storePath sources.git-hooks)).run {
src = ./.;
hooks = {
@ -76,24 +68,17 @@ let
};
};
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
terranixConfig = import "${sources.terranix}/core" {
inherit pkgs;
strip_nulls = true;
terranix_config.imports = [ ./terranix ];
};
scripts = import ./scripts { inherit pkgs; };
terranixConfigFile = (pkgs.formats.json { }).generate "config.tf.json" terranixConfig.config;
in
{
inherit terranixConfigFile terranixConfig;
nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes.nix);
@ -102,35 +87,63 @@ in
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
devShell = pkgs.mkShell {
name = "dgnum-infra";
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
packages = [
(pkgs.writeShellScriptBin "tf" ''
set -eo pipefail
ln -snf ${terranixConfigFile} config.tf.json
exec ${pkgs.lib.getExe pkgs.opentofu} "$@"
'')
(pkgs.writeShellScriptBin "decryptAndSourceEnvironment" ''
set -eo pipefail
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (builtins.attrValues scripts);
# TODO: don't hardcode me.
SECRET_FILE=".credentials/admin-environment.age"
IDENTITIES=()
for identity in [ "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa" ]; do
test -r "$identity" || continue
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
'';
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix-shell] WARNING: no readable identities found!"
preferLocalBuild = true;
test -f "$SECRET_FILE" || echo "[agenix-shell] WARNING: encrypted environment file $SECRET_FILE not found!"
export eval $(${pkgs.lib.getExe pkgs.rage} --decrypt "''${IDENTITIES[@]}" -o - $SECRET_FILE)
###
# Alternative shells
echo "[agenix-shell] Repository-wide secrets loaded in the environment."
'')
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
}))
pkgs.npins
pkgs.rage
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (import ./scripts { inherit pkgs; });
shellHook = ''
${git-checks.shellHook}
# If we want to export these environments, we need to source it, not call it.
source $(which decryptAndSourceEnvironment)
'';
preferLocalBuild = true;
};
pre-commit = pkgs.mkShell {
name = "pre-commit-shell";
shellHook = ''
${git-checks.shellHook}
'';
};
};
}

15
hive.nix
View file

@ -64,12 +64,23 @@ in
};
defaults =
{ name, nodeMeta, ... }:
{
pkgs,
name,
nodeMeta,
...
}:
{
# Import the default modules
imports = [
./modules
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
(import "${sources.lix-module}/module.nix" {
lix = pkgs.applyPatches {
name = "lix-2.90.patched";
src = sources.lix;
patches = [ ./patches/00-disable-installChecks-lix.patch ];
};
})
];
# Include default secrets

5
keys/default.nix
View file

@ -25,9 +25,6 @@ rec {
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
@ -47,10 +44,8 @@ rec {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"

7
lib/nix-lib/default.nix
View file

@ -190,11 +190,8 @@ rec {
recursiveFuse [
(enableModules enabledModules)
{
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
(removeAttrs extraConfig [ "imports" ])
extraConfig
];
}

21
machines/compute01/ds-fr/default.nix
View file

@ -1,14 +1,7 @@
{
config,
pkgs,
sources,
...
}:
{ config, ... }:
let
host = "demarches.dgnum.eu";
dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
in
{
imports = [ ./module.nix ];
@ -18,18 +11,6 @@ in
services.demarches-simplifiees = {
enable = true;
package =
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
initialDeploymentDate = "20230923";
}).overrideAttrs
(old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
};
});
secretFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923";

3
machines/compute01/kanidm/default.nix
View file

@ -2,6 +2,7 @@
config,
lib,
meta,
nixpkgs,
...
}:
@ -42,7 +43,7 @@ in
services.kanidm = {
enableServer = true;
# package = nixpkgs.unstable.kanidm;
package = nixpkgs.unstable.kanidm;
serverSettings = {
inherit domain;

2
machines/compute01/stirling-pdf/default.nix
View file

@ -10,7 +10,7 @@ let
# - push to a new branch dgn-v0.A.B where A.B is the new version
# - finally, update the commit hash of the customization patch
dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
port = 8084;
in

14
machines/storage01/forgejo-runners.nix
View file

@ -1,4 +1,10 @@
{ config, pkgs, ... }:
{
config,
pkgs,
nixpkgs,
sources,
...
}:
let
url = "https://git.dgnum.eu";
@ -24,6 +30,8 @@ let
options = "--cpus=4";
};
};
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.forgejo-nix-runners = {
@ -31,12 +39,14 @@ in
inherit url;
storePath = "/data/slow";
storePath = "/data/slow/nix";
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [
nix-pkgs.colmena
pkgs.npins
pkgs.tea
nixpkgs.unstable.nixfmt-rfc-style
];
containerOptions = [ "--cpus=4" ];

1
machines/storage01/forgejo.nix
View file

@ -61,7 +61,6 @@ in
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false;

3
machines/storage01/tvix-cache/default.nix
View file

@ -135,11 +135,10 @@ in
systemd.services."tvix-store" = {
wantedBy = [ "multi-user.target" ];
environment = {
RUST_LOG = "info";
RUST_LOG = "debug";
};
serviceConfig = {
UMask = "007";
LimitNOFILE = 1048576;
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
StateDirectory = "tvix-store";
RuntimeDirectory = "tvix-store";

17
machines/web01/metis/default.nix
View file

@ -6,35 +6,30 @@
}:
let
inherit (lib) mapAttrsToList match;
metis = import sources.metis { inherit pkgs; };
inherit (metis) providers;
in
{
services.nginx.virtualHosts."calendrier.dgnum.eu" = {
enableACME = true;
forceSSL = true;
root = metis.package;
root = metis.production;
locations = lib.mapAttrs' (
name: domain:
name: value:
lib.nameValuePair "/cal/${name}/" {
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://${domain}/remote.php/dav/public-calendars/;
proxy_pass ${value};
'';
}
) metis.providers;
) providers;
extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent;
'';
};
assertions = mapAttrsToList (name: domain: {
assertion = (match "[a-z-]+" name == [ ]) && (match "[a-z.-]+" domain == [ ]);
message = "The provider `${name}` associated to the domain `${domain}` seems to have an incorrect definition.";
}) metis.providers;
}

2
machines/web01/netbox.nix
View file

@ -13,7 +13,7 @@ in
services = {
netbox = {
enable = true;
package = nixpkgs.unstable.netbox_4_1;
package = nixpkgs.unstable.netbox_3_7;
secretKeyFile = "/dev/null";
listenAddress = "127.0.0.1";
plugins = p: [ p.netbox-qrcode ];

1
machines/web01/redirections.nix
View file

@ -29,6 +29,7 @@ in
"bds.wp.dgnum.eu" = "bds.ens.fr";
"www.tuteurs.ens.fr" = "tuteurs.ens.fr";
"www.interq.ens.fr" = "interq.ens.fr";
"www.lanuit.ens.fr" = "lanuit.ens.fr";
};
temporary = {

44
machines/web03/django-apps/bocal.nix
View file

@ -1,44 +0,0 @@
{ pkgs, sources, ... }:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.bocal = {
source = "https://git.dgnum.eu/DGNum/www-bocal";
branch = "main";
domain = "bocal.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) django-cas-ng django-solo loadcredential; };
};
dependencies = ps: [
ps.django
ps.django-cas-ng
ps.django-markdownx
ps.django-solo
ps.markdown
ps.pillow
ps.loadcredential
];
credentials = {
SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
};
environment = {
DJANGO_SETTINGS_MODULE = "app.settings";
BOCAL_ALLOWED_HOSTS = [ "bocal.webapps.dgnum.eu" ];
BOCAL_RHOSTS_PATH = "/var/lib/django-apps/bocal/.rhosts";
};
};
}

6
machines/web03/django-apps/default.nix
View file

@ -1,18 +1,14 @@
{
imports = [
./annuaire.nix
./bocal.nix
./gestiojeux.nix
./interludes.nix
./wikiens.nix
];
services.django-apps = {
enable = true;
webhook = {
domain = "apps-webhook.dgnum.eu";
domain = "hooks.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;

66
machines/web03/django-apps/interludes.nix
View file

@ -1,66 +0,0 @@
{
config,
pkgs,
sources,
...
}:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.webhook.extraArgs = [ "-debug" ];
services.django-apps.sites.interludes = {
source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
branch = "master";
domain = "interludes.ens.fr";
nginx = {
enableACME = true;
forceSSL = true;
serverAliases = [ "interludes.webapps.dgnum.eu" ];
};
webHookSecret = config.age.secrets."webhook-interludes_token".path;
application = {
type = "wsgi";
module = "interludes";
};
dbType = "sqlite";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
};
django = ps: ps.django_4;
dependencies = ps: [
ps.loadcredential
ps.python-ldap
ps.python-cas
];
credentials = {
SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
};
environment = {
INTERLUDES_ALLOWED_HOSTS = [
"interludes.ens.fr"
"interludes.webapps.dgnum.eu"
];
# E-mail configuration
INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
INTERLUDES_EMAIL_PORT = 465;
INTERLUDES_EMAIL_HOST_USER = "interludes";
INTERLUDES_DEBUG = false;
};
};
}

50
machines/web03/django-apps/wikiens.nix
View file

@ -1,50 +0,0 @@
{ pkgs, sources, ... }:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.wikiens = {
source = "https://git.dgnum.eu/DGNum/wiki-eleves";
branch = "main";
domain = "wiki.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
python = pkgs.python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-allauth
django-allauth-ens
django-wiki
loadcredential
;
};
};
dependencies =
ps:
[
ps.django
ps.django-allauth-ens
ps.django-wiki
ps.loadcredential
ps.tinycss2
]
++ ps.django-allauth.optional-dependencies.socialaccount;
credentials = {
SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
};
environment = {
WIKIENS_ALLOWED_HOSTS = [ "wiki.webapps.dgnum.eu" ];
};
};
}

29
machines/web03/secrets/dj_interludes-email_host_password_file
View file

@ -1,29 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
-> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
-> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
-> ssh-rsa krWCLQ
AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
+01dH0D/7kzRhEdNLO2NXA
-> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
-> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
-> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
-> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
-> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
-> (_o61>U-grease .P>ZRrj~ -=7S;N
6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
k+sGxA
--- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
è ™ñΗ´ä!î^ûØÖ8ÔzøÑaÒÓ ÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â

29
machines/web03/secrets/dj_interludes-secret_key_file
View file

@ -1,29 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
-> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
-> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
-> ssh-rsa krWCLQ
xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
fuPQDFKxMucAsPjv1H1iaQ
-> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
-> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
-> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
-> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
-> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
-> Tp-grease s03Py `u6"4 E|5 _
3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
--- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!@ìp­ö¸T«?£iÞ‰áèÚ>I^ül·o5”¯ë:{¬gJk£vø>€W8ði

3
machines/web03/secrets/secrets.nix
View file

@ -1,6 +1,3 @@
(import ../../../keys).mkSecrets [ "web03" ] [
# List of secrets for web03
"dj_interludes-email_host_password_file"
"dj_interludes-secret_key_file"
"webhook-interludes_token"
]

BIN
machines/web03/secrets/webhook-interludes_token
View file

Binary file not shown.

30
meta/dns.nix
View file

@ -1,7 +1,7 @@
{ lib, dns, ... }:
let
inherit (lib) mapAttrs' nameValuePair optional;
inherit (lib) mapAttrs' nameValuePair;
inherit (lib.extra) fuseAttrs mapSingleFuse;
inherit (dns.lib.combinators) mx spf ttl;
@ -138,9 +138,7 @@ let
];
web03.dual = [
# Django Apps
"*.webapps"
"apps-webhook"
"*.webapps" # Django apps
];
}
)
@ -217,19 +215,17 @@ in
subdomains = mapAttrs' (
host:
{ site, ... }:
let
net = meta.network.${host};
inherit (net.addresses) ipv4 ipv6;
in
nameValuePair "${host}.${site}" {
A = ipv4;
AAAA = ipv6;
subdomains = {
v4.A = ipv4;
v6.AAAA = ipv6;
private.A = optional (net.netbirdIp != null) net.netbirdIp;
};
}
nameValuePair "${host}.${site}" (
with meta.network.${host}.addresses;
{
A = ipv4;
AAAA = ipv6;
subdomains = {
v4.A = ipv4;
v6.AAAA = ipv6;
};
}
)
) meta.nodes;
};
};

2
meta/network.nix
View file

@ -171,7 +171,7 @@
};
hostId = "8afc7749";
netbirdIp = "100.80.157.46";
netbirdIp = null; # web03 is not yet connected to the VPN
};
rescue01 = {

2
meta/nodes.nix
View file

@ -135,7 +135,7 @@
nix-modules = [ "services/django-apps" ];
stateVersion = "24.05";
nixpkgs = "unstable";
nixpkgs = "24.05";
vm-cluster = "Hyperviseur NPS";
};
}

12
meta/organization.nix
View file

@ -5,11 +5,6 @@
{
members = {
agroudiev = {
name = "Antoine Groudiev";
email = "antoine.groudiev@dgnum.eu";
};
catvayor = {
name = "Lubin Bailly";
email = "catvayor@dgnum.eu";
@ -39,12 +34,6 @@
username = "jmalka";
};
mboyer = {
name = "Matthieu Boyer";
email = "matthieu.boyer@dgnum.eu";
username = "mboyer02";
};
mdebray = {
name = "Maurice Debray";
email = "maurice.debray@dgnum.eu";
@ -68,6 +57,7 @@
"thubrecht"
"raito"
"mdebray"
"luj"
];
# members of this group are root on the fai infrastructure

4
modules/dgn-netbox-agent/package.nix
View file

@ -16,8 +16,8 @@ python3.pkgs.buildPythonApplication {
src = fetchgit {
url = "https://git.dgnum.eu/DGNum/netbox-agent";
rev = "424283239658516feb34c0f68496775350b1bf22";
hash = "sha256-sp1QVy8AIezR2LRDDYS9G0g0GQRwGKGmEE7ykITPxtY=";
rev = "12ceea413cbb87280713de734b5e1b3e88c00178";
hash = "sha256-v6H8/yNUcpHERiyzytR2ZADLiDK2QpzSEmxTP5m9BLE=";
};
nativeBuildInputs = with python3.pkgs; [

93
npins/sources.json
View file

@ -59,10 +59,10 @@
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v1.9.0",
"revision": "49a4936cee640e27d74baee6fd1278285d29b100",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
"hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
"version": "v1.8.2",
"revision": "0a97c6683ecb8d92ab0ce4c3c39e896e4a3fe388",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.2",
"hash": "1xivgibk1fa07z4xqxpyha6yyb0pmahf52caf1kgh8zxr231ai1v"
},
"dns.nix": {
"type": "GitRelease",
@ -87,9 +87,9 @@
"repo": "git-hooks.nix"
},
"branch": "master",
"revision": "3308484d1a443fc5bc92012435d79e80458fe43c",
"url": "https://github.com/cachix/git-hooks.nix/archive/3308484d1a443fc5bc92012435d79e80458fe43c.tar.gz",
"hash": "0qdhcqisil8zhnf600y0vpa1mayrca8z2bja79p4j5vajy7dnx4s"
"revision": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
"url": "https://github.com/cachix/git-hooks.nix/archive/3c3e88f0f544d6bb54329832616af7eb971b6be6.tar.gz",
"hash": "04pwjz423iq2nkazkys905gvsm5j39722ngavrnx42b8msr5k555"
},
"kadenios": {
"type": "Git",
@ -144,9 +144,9 @@
"url": "https://git.lix.systems/lix-project/lix.git"
},
"branch": "main",
"revision": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
"revision": "0ff8f9132552e03497b07e1e5c068660a7a04515",
"url": null,
"hash": "10mfry8k0jab4ngnhvx9d7ia8m7qf4va4395ylwg3qlsxziqvc8z"
"hash": "0qdaiqp5q2nb0yffc03vhlbd55v1jk3jlxz26prhk0hxddz0xhyq"
},
"lix-module": {
"type": "Git",
@ -155,9 +155,9 @@
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
"branch": "main",
"revision": "aa2846680fa9a2032939d720487942567fd9eb63",
"revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
"url": null,
"hash": "0gb174800sgh6y6sir23nxsx85xrk478hbwqbzyd46ac34clz9wz"
"hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
},
"lon": {
"type": "Git",
@ -178,9 +178,9 @@
"url": "https://git.dgnum.eu/DGNum/metis"
},
"branch": "master",
"revision": "ed6fafda45d638b1bafd5deaee098b80156b41e8",
"revision": "f631751da44a330c41398356ce2295e17ed45b7b",
"url": null,
"hash": "086spyhn2x1x2h31b0y4an501fdhph1nk64riybqnh6mqjkzlq4m"
"hash": "1laclhq6jz9mni4vxsxk3c143c2x478z1lqj115mqyj0d62rz8mg"
},
"microvm.nix": {
"type": "Git",
@ -194,20 +194,6 @@
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
},
"nix-actions": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/nix-actions.git"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v0.2.2",
"revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
"url": null,
"hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
},
"nix-modules": {
"type": "Git",
"repository": {
@ -215,9 +201,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
},
"branch": "main",
"revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361",
"revision": "516225dc6958645284b11b74b9ce31e01993341c",
"url": null,
"hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn"
"hash": "1cxn1m1xf9p7p8a0y8r6iwp08d886k5rmgl947r9d0vg7ah31kmj"
},
"nix-patches": {
"type": "GitRelease",
@ -240,15 +226,15 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
},
"branch": "main",
"revision": "fe54340f49449f01c2ee489abf7016d97706eb59",
"revision": "0e80d4dcdd54a75556c0784de55dc139ad4fe797",
"url": null,
"hash": "1sv9nqhzcqn8anqfgf63i2j5qcqzyy4vl0a45rvllv7rhbhw9adq"
"hash": "1hlb0cczxq0jrzw4lhmkibnb8skcar0rmny594aqgyikknwzx2qf"
},
"nixos-24.05": {
"type": "Channel",
"name": "nixos-24.05",
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
"hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5809.4eb33fe664af/nixexprs.tar.xz",
"hash": "02hxkkrpf33s6nsqkla1292zw64dqfq9wpkda5hry3vr3fhxwwg4"
},
"nixos-generators": {
"type": "Git",
@ -258,21 +244,21 @@
"repo": "nixos-generators"
},
"branch": "master",
"revision": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
"url": "https://github.com/nix-community/nixos-generators/archive/3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c.tar.gz",
"hash": "12v6lxls3bfkj20rwxy62l8g6zlkhsp29m6wd7764j1wwfwjk274"
"revision": "dd28a0806e7124fe392c33c9ccaa12f21970401f",
"url": "https://github.com/nix-community/nixos-generators/archive/dd28a0806e7124fe392c33c9ccaa12f21970401f.tar.gz",
"hash": "09226kqddjg1m8m1q9n4l1hsln93hckhj238q0v851wxbwd0qq73"
},
"nixos-unstable": {
"type": "Channel",
"name": "nixos-unstable",
"url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta710087.23e89b7da85c/nixexprs.tar.xz",
"hash": "0b695yx17sarr7d3ypb9z6njd0qhiga1682wjxidl053lvx6g33b"
"url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre694395.4c2fcb090b1f/nixexprs.tar.xz",
"hash": "05fszj13lci5gdbn5grn92wd3mzj6f7gy11kqj78xcsg69m2wbrl"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
"hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
"hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
},
"proxmox-nixos": {
"type": "Git",
@ -282,9 +268,9 @@
"repo": "proxmox-nixos"
},
"branch": "main",
"revision": "c6a126238e8f8efc3660b523d314a0074e61fe44",
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/c6a126238e8f8efc3660b523d314a0074e61fe44.tar.gz",
"hash": "0apinc8iiqsjazlj3nh75m4w5f93fd53xs4nj1s06qay4nq1h49w"
"revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
"hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
},
"signal-irc-bridge": {
"type": "Git",
@ -308,6 +294,21 @@
"url": null,
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
},
"terranix": {
"type": "GitRelease",
"repository": {
"type": "GitHub",
"owner": "terranix",
"repo": "terranix"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "2.7.0",
"revision": "00710f39f38a0a654a2c4fd96cbb988b4f4cedfa",
"url": "https://api.github.com/repos/terranix/terranix/tarball/2.7.0",
"hash": "1wsyhsdsjw6xlhpkhaqvia3x0na3nx2vamcb2rbcbdmb7ra1y9f6"
},
"wp4nix": {
"type": "Git",
"repository": {
@ -316,9 +317,9 @@
"server": "https://git.helsinki.tools/"
},
"branch": "master",
"revision": "cce6f7961eb99fd56a039623c4d9e561d9a98928",
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=cce6f7961eb99fd56a039623c4d9e561d9a98928",
"hash": "0ggqc92mh4xbsrrdv8j0jl6f3cagwizd93sdl8p8mqpxv9445xrf"
"revision": "f72adfc39c18630b45f8c982910314246d4a8d92",
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=f72adfc39c18630b45f8c982910314246d4a8d92",
"hash": "08qfaav3vb832dr3r6f2n1ah6zyryvab0dxsaxwi6gk5p3zad3l8"
}
},
"version": 3

0
patches/lix/01-disable-installChecks.patch → patches/00-disable-installChecks-lix.patch
View file

808
patches/01-castopod.patch Normal file
View file

@ -0,0 +1,808 @@
From 3b656cbdf40c6056983e95ac5c87839a68571096 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov <alexoundos@gmail.com>
Date: Tue, 3 Oct 2023 22:20:59 +0400
Subject: [PATCH 1/8] castopod: 1.6.4 -> 1.6.5
---
pkgs/applications/audio/castopod/default.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/applications/audio/castopod/default.nix b/pkgs/applications/audio/castopod/default.nix
index 9d9f83e2ecce40..83c70f9b36646d 100644
--- a/pkgs/applications/audio/castopod/default.nix
+++ b/pkgs/applications/audio/castopod/default.nix
@@ -7,11 +7,11 @@
}:
stdenv.mkDerivation {
pname = "castopod";
- version = "1.6.4";
+ version = "1.6.5";
src = fetchurl {
- url = "https://code.castopod.org/adaures/castopod/uploads/ce56d4f149242f12bedd20f9a2b0916d/castopod-1.6.4.tar.gz";
- sha256 = "080jj91yxbn3xsbs0sywzwa2f5in9bp9qi2zwqcfqpaxlq9ga62v";
+ url = "https://code.castopod.org/adaures/castopod/uploads/5aaaa6cf2edaed25bd7253449e5f8584/castopod-1.6.5.tar.gz";
+ sha256 = "04gcq2vmfy5aa2fmsm1qqv1k8g024nikmysdrhy33wj460d529b5";
};
dontBuild = true;
From 4cd096c27c52ff9948bc7d9ebc05490147ca9675 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov <alexoundos@gmail.com>
Date: Tue, 3 Oct 2023 22:19:36 +0400
Subject: [PATCH 2/8] nixos/castopod: fix startup, displaying images, uploads
up to 500 MiB
- new maxUploadSize option
- new dataDir option (with ReadWritePaths systemd support)
- admin page reports correct free disk space (instead of /nix/store)
- fix example configuration in documentation
- now podcast creation and file upload are tested during NixOS test
- move castopod from audio to web-apps folder
- verbose logging from the browser test
---
nixos/modules/module-list.nix | 2 +-
.../services/{audio => web-apps}/castopod.md | 11 +-
.../services/{audio => web-apps}/castopod.nix | 60 ++--
nixos/tests/castopod.nix | 263 +++++++++++++-----
pkgs/applications/audio/castopod/default.nix | 13 +-
5 files changed, 256 insertions(+), 93 deletions(-)
rename nixos/modules/services/{audio => web-apps}/castopod.md (72%)
rename nixos/modules/services/{audio => web-apps}/castopod.nix (80%)
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 627427262da632..97043c965400c5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -337,7 +337,6 @@
./services/amqp/rabbitmq.nix
./services/audio/alsa.nix
./services/audio/botamusique.nix
- ./services/audio/castopod.nix
./services/audio/gmediarender.nix
./services/audio/gonic.nix
./services/audio/goxlr-utility.nix
@@ -1282,6 +1281,7 @@
./services/web-apps/bookstack.nix
./services/web-apps/c2fmzq-server.nix
./services/web-apps/calibre-web.nix
+ ./services/web-apps/castopod.nix
./services/web-apps/coder.nix
./services/web-apps/changedetection-io.nix
./services/web-apps/chatgpt-retrieval-plugin.nix
diff --git a/nixos/modules/services/audio/castopod.md b/nixos/modules/services/web-apps/castopod.md
similarity index 72%
rename from nixos/modules/services/audio/castopod.md
rename to nixos/modules/services/web-apps/castopod.md
index ee8590737a7c73..f61bf1166a4d24 100644
--- a/nixos/modules/services/audio/castopod.md
+++ b/nixos/modules/services/web-apps/castopod.md
@@ -4,6 +4,7 @@ Castopod is an open-source hosting platform made for podcasters who want to enga
## Quickstart {#module-services-castopod-quickstart}
+Configure ACME (https://nixos.org/manual/nixos/unstable/#module-security-acme).
Use the following configuration to start a public instance of Castopod on `castopod.example.com` domain:
```nix
@@ -11,11 +12,11 @@ networking.firewall.allowedTCPPorts = [ 80 443 ];
services.castopod = {
enable = true;
database.createLocally = true;
- nginx.virtualHost = {
- serverName = "castopod.example.com";
- enableACME = true;
- forceSSL = true;
- };
+ localDomain = "castopod.example.com";
+};
+services.nginx.virtualHosts."castopod.example.com" = {
+ enableACME = true;
+ forceSSL = true;
};
```
diff --git a/nixos/modules/services/audio/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
similarity index 80%
rename from nixos/modules/services/audio/castopod.nix
rename to nixos/modules/services/web-apps/castopod.nix
index b782b548914795..7c99551c83183f 100644
--- a/nixos/modules/services/audio/castopod.nix
+++ b/nixos/modules/services/web-apps/castopod.nix
@@ -4,7 +4,6 @@ let
fpm = config.services.phpfpm.pools.castopod;
user = "castopod";
- stateDirectory = "/var/lib/castopod";
# https://docs.castopod.org/getting-started/install.html#requirements
phpPackage = pkgs.php.withExtensions ({ enabled, all }: with all; [
@@ -29,6 +28,15 @@ in
defaultText = lib.literalMD "pkgs.castopod";
description = lib.mdDoc "Which Castopod package to use.";
};
+ dataDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/castopod";
+ description = lib.mdDoc ''
+ The path where castopod stores all data. This path must be in sync
+ with the castopod package (where it is hardcoded during the build in
+ accordance with its own `dataDir` argument).
+ '';
+ };
database = {
createLocally = lib.mkOption {
type = lib.types.bool;
@@ -111,6 +119,18 @@ in
Options for Castopod's PHP pool. See the documentation on `php-fpm.conf` for details on configuration directives.
'';
};
+ maxUploadSize = lib.mkOption {
+ type = lib.types.int;
+ default = 512;
+ description = lib.mdDoc ''
+ Maximum supported size for a file upload in MiB. Maximum HTTP body
+ size is set to this value for nginx and PHP (because castopod doesn't
+ support chunked uploads yet:
+ https://code.castopod.org/adaures/castopod/-/issues/330). Note, that
+ practical upload size limit is smaller. For example, with 512 MiB
+ setting - around 500 MiB is possible.
+ '';
+ };
};
};
@@ -120,13 +140,13 @@ in
sslEnabled = with config.services.nginx.virtualHosts.${cfg.localDomain}; addSSL || forceSSL || onlySSL || enableACME || useACMEHost != null;
baseURL = "http${lib.optionalString sslEnabled "s"}://${cfg.localDomain}";
in
- lib.mapAttrs (name: lib.mkDefault) {
+ lib.mapAttrs (_name: lib.mkDefault) {
"app.forceGlobalSecureRequests" = sslEnabled;
"app.baseURL" = baseURL;
- "media.baseURL" = "/";
+ "media.baseURL" = baseURL;
"media.root" = "media";
- "media.storage" = stateDirectory;
+ "media.storage" = cfg.dataDir;
"admin.gateway" = "admin";
"auth.gateway" = "auth";
@@ -142,13 +162,13 @@ in
services.phpfpm.pools.castopod = {
inherit user;
group = config.services.nginx.group;
- phpPackage = phpPackage;
+ inherit phpPackage;
phpOptions = ''
- # https://code.castopod.org/adaures/castopod/-/blob/main/docker/production/app/uploads.ini
+ # https://code.castopod.org/adaures/castopod/-/blob/develop/docker/production/common/uploads.template.ini
file_uploads = On
memory_limit = 512M
- upload_max_filesize = 500M
- post_max_size = 512M
+ upload_max_filesize = ${toString cfg.maxUploadSize}M
+ post_max_size = ${toString cfg.maxUploadSize}M
max_execution_time = 300
max_input_time = 300
'';
@@ -165,25 +185,25 @@ in
path = [ pkgs.openssl phpPackage ];
script =
let
- envFile = "${stateDirectory}/.env";
+ envFile = "${cfg.dataDir}/.env";
media = "${cfg.settings."media.storage"}/${cfg.settings."media.root"}";
in
''
- mkdir -p ${stateDirectory}/writable/{cache,logs,session,temp,uploads}
+ mkdir -p ${cfg.dataDir}/writable/{cache,logs,session,temp,uploads}
if [ ! -d ${lib.escapeShellArg media} ]; then
cp --no-preserve=mode,ownership -r ${cfg.package}/share/castopod/public/media ${lib.escapeShellArg media}
fi
- if [ ! -f ${stateDirectory}/salt ]; then
- openssl rand -base64 33 > ${stateDirectory}/salt
+ if [ ! -f ${cfg.dataDir}/salt ]; then
+ openssl rand -base64 33 > ${cfg.dataDir}/salt
fi
cat <<'EOF' > ${envFile}
${lib.generators.toKeyValue { } cfg.settings}
EOF
- echo "analytics.salt=$(cat ${stateDirectory}/salt)" >> ${envFile}
+ echo "analytics.salt=$(cat ${cfg.dataDir}/salt)" >> ${envFile}
${if (cfg.database.passwordFile != null) then ''
echo "database.default.password=$(cat ${lib.escapeShellArg cfg.database.passwordFile})" >> ${envFile}
@@ -192,10 +212,10 @@ in
''}
${lib.optionalString (cfg.environmentFile != null) ''
- cat ${lib.escapeShellArg cfg.environmentFile}) >> ${envFile}
+ cat ${lib.escapeShellArg cfg.environmentFile} >> ${envFile}
''}
- php spark castopod:database-update
+ php ${cfg.package}/share/castopod/spark castopod:database-update
'';
serviceConfig = {
StateDirectory = "castopod";
@@ -204,6 +224,7 @@ in
RemainAfterExit = true;
User = user;
Group = config.services.nginx.group;
+ ReadWritePaths = cfg.dataDir;
};
};
@@ -212,9 +233,7 @@ in
wantedBy = [ "multi-user.target" ];
path = [ phpPackage ];
script = ''
- php public/index.php scheduled-activities
- php public/index.php scheduled-websub-publish
- php public/index.php scheduled-video-clips
+ php ${cfg.package}/share/castopod/spark tasks:run
'';
serviceConfig = {
StateDirectory = "castopod";
@@ -222,6 +241,8 @@ in
Type = "oneshot";
User = user;
Group = config.services.nginx.group;
+ ReadWritePaths = cfg.dataDir;
+ LogLevelMax = "notice"; # otherwise periodic tasks flood the journal
};
};
@@ -251,6 +272,7 @@ in
extraConfig = ''
try_files $uri $uri/ /index.php?$args;
index index.php index.html;
+ client_max_body_size ${toString cfg.maxUploadSize}M;
'';
locations."^~ /${cfg.settings."media.root"}/" = {
@@ -278,7 +300,7 @@ in
};
};
- users.users.${user} = lib.mapAttrs (name: lib.mkDefault) {
+ users.users.${user} = lib.mapAttrs (_name: lib.mkDefault) {
description = "Castopod user";
isSystemUser = true;
group = config.services.nginx.group;
diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
index 4435ec617d4e67..2db7aa0bda6507 100644
--- a/nixos/tests/castopod.nix
+++ b/nixos/tests/castopod.nix
@@ -4,74 +4,211 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
meta = with lib.maintainers; {
maintainers = [ alexoundos misuzu ];
};
+
nodes.castopod = { nodes, ... }: {
+ # otherwise 500 MiB file upload fails!
+ virtualisation.diskSize = 512 + 3 * 512;
+
networking.firewall.allowedTCPPorts = [ 80 ];
- networking.extraHosts = ''
- 127.0.0.1 castopod.example.com
- '';
+ networking.extraHosts =
+ lib.strings.concatStringsSep "\n"
+ (lib.attrsets.mapAttrsToList
+ (name: _: "127.0.0.1 ${name}")
+ nodes.castopod.services.nginx.virtualHosts);
+
services.castopod = {
enable = true;
database.createLocally = true;
localDomain = "castopod.example.com";
+ maxUploadSize = 512;
};
- environment.systemPackages =
- let
- username = "admin";
- email = "admin@castood.example.com";
- password = "v82HmEp5";
- testRunner = pkgs.writers.writePython3Bin "test-runner"
- {
- libraries = [ pkgs.python3Packages.selenium ];
- flakeIgnore = [
- "E501"
- ];
- } ''
- from selenium.webdriver.common.by import By
- from selenium.webdriver import Firefox
- from selenium.webdriver.firefox.options import Options
- from selenium.webdriver.support.ui import WebDriverWait
- from selenium.webdriver.support import expected_conditions as EC
-
- options = Options()
- options.add_argument('--headless')
- driver = Firefox(options=options)
- try:
- driver.implicitly_wait(20)
- driver.get('http://castopod.example.com/cp-install')
-
- wait = WebDriverWait(driver, 10)
-
- wait.until(EC.title_contains("installer"))
-
- driver.find_element(By.CSS_SELECTOR, '#username').send_keys(
- '${username}'
- )
- driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
- '${email}'
- )
- driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
- '${password}'
- )
- driver.find_element(By.XPATH, "//button[contains(., 'Finish install')]").click()
-
- wait.until(EC.title_contains("Auth"))
-
- driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
- '${email}'
- )
- driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
- '${password}'
- )
- driver.find_element(By.XPATH, "//button[contains(., 'Login')]").click()
-
- wait.until(EC.title_contains("Admin dashboard"))
- finally:
- driver.close()
- driver.quit()
- '';
- in
- [ pkgs.firefox-unwrapped pkgs.geckodriver testRunner ];
};
+
+ nodes.client = { nodes, pkgs, lib, ... }:
+ let
+ domain = nodes.castopod.services.castopod.localDomain;
+
+ getIP = node:
+ (builtins.head node.networking.interfaces.eth1.ipv4.addresses).address;
+
+ targetPodcastSize = 500 * 1024 * 1024;
+ lameMp3Bitrate = 348300;
+ lameMp3FileAdjust = -800;
+ targetPodcastDuration = toString
+ ((targetPodcastSize + lameMp3FileAdjust) / (lameMp3Bitrate / 8));
+ mp3file = with pkgs;
+ runCommand "gen-castopod.mp3" { nativeBuildInputs = [ sox lame ]; } ''
+ sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
+ `| lame --noreplaygain -cbr -q 9 -b 320 - $out
+ FILESIZE="$(stat -c%s $out)"
+ [ "$FILESIZE" -gt 0 ]
+ [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
+ '';
+
+ bannerWidth = 3000;
+ banner = pkgs.runCommand "gen-castopod-cover.jpg" { } ''
+ ${pkgs.imagemagick}/bin/magick `
+ `-background green -bordercolor white -gravity northwest xc:black `
+ `-duplicate 99 `
+ `-seed 1 -resize "%[fx:rand()*72+24]" `
+ `-seed 0 -rotate "%[fx:rand()*360]" -border 6x6 -splice 16x36 `
+ `-seed 0 -rotate "%[fx:floor(rand()*4)*90]" -resize "150x50!" `
+ `+append -crop 10x1@ +repage -roll "+%[fx:(t%2)*72]+0" -append `
+ `-resize ${toString bannerWidth} -quality 1 $out
+ '';
+
+ coverWidth = toString 3000;
+ cover = pkgs.runCommand "gen-castopod-banner.jpg" { } ''
+ ${pkgs.imagemagick}/bin/magick `
+ `-background white -bordercolor white -gravity northwest xc:black `
+ `-duplicate 99 `
+ `-seed 1 -resize "%[fx:rand()*72+24]" `
+ `-seed 0 -rotate "%[fx:rand()*360]" -border 6x6 -splice 36x36 `
+ `-seed 0 -rotate "%[fx:floor(rand()*4)*90]" -resize "144x144!" `
+ `+append -crop 10x1@ +repage -roll "+%[fx:(t%2)*72]+0" -append `
+ `-resize ${coverWidth} -quality 1 $out
+ '';
+ in
+ {
+ networking.extraHosts =
+ lib.strings.concatStringsSep "\n"
+ (lib.attrsets.mapAttrsToList
+ (name: _: "${getIP nodes.castopod} ${name}")
+ nodes.castopod.services.nginx.virtualHosts);
+
+ environment.systemPackages =
+ let
+ username = "admin";
+ email = "admin@${domain}";
+ password = "Abcd1234";
+ podcastTitle = "Some Title";
+ episodeTitle = "Episode Title";
+ browser-test = pkgs.writers.writePython3Bin "browser-test"
+ {
+ libraries = [ pkgs.python3Packages.selenium ];
+ flakeIgnore = [ "E124" "E501" ];
+ } ''
+ from selenium.webdriver.common.by import By
+ from selenium.webdriver import Firefox
+ from selenium.webdriver.firefox.options import Options
+ from selenium.webdriver.firefox.service import Service
+ from selenium.webdriver.support.ui import WebDriverWait
+ from selenium.webdriver.support import expected_conditions as EC
+ from subprocess import STDOUT
+ import logging
+
+ selenium_logger = logging.getLogger("selenium")
+ selenium_logger.setLevel(logging.DEBUG)
+ selenium_logger.addHandler(logging.StreamHandler())
+
+ options = Options()
+ options.add_argument('--headless')
+ service = Service(log_output=STDOUT)
+ driver = Firefox(options=options, service=service)
+ driver = Firefox(options=options)
+ driver.implicitly_wait(20)
+
+ # install ##########################################################
+
+ driver.get('http://${domain}/cp-install')
+
+ wait = WebDriverWait(driver, 10)
+
+ wait.until(EC.title_contains("installer"))
+
+ driver.find_element(By.CSS_SELECTOR, '#username').send_keys(
+ '${username}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
+ '${email}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
+ '${password}'
+ )
+ driver.find_element(By.XPATH,
+ "//button[contains(., 'Finish install')]"
+ ).click()
+
+ wait.until(EC.title_contains("Auth"))
+
+ driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
+ '${email}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
+ '${password}'
+ )
+ driver.find_element(By.XPATH,
+ "//button[contains(., 'Login')]"
+ ).click()
+
+ wait.until(EC.title_contains("Admin dashboard"))
+
+ # create podcast ###################################################
+
+ driver.get('http://${domain}/admin/podcasts/new')
+
+ wait.until(EC.title_contains("Create podcast"))
+
+ driver.find_element(By.CSS_SELECTOR, '#cover').send_keys(
+ '${cover}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#banner').send_keys(
+ '${banner}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#title').send_keys(
+ '${podcastTitle}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#handle').send_keys(
+ 'some_handle'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#description').send_keys(
+ 'Some description'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#owner_name').send_keys(
+ 'Owner Name'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#owner_email').send_keys(
+ 'owner@email.xyz'
+ )
+ driver.find_element(By.XPATH,
+ "//button[contains(., 'Create podcast')]"
+ ).click()
+
+ wait.until(EC.title_contains("${podcastTitle}"))
+
+ driver.find_element(By.XPATH,
+ "//span[contains(., 'Add an episode')]"
+ ).click()
+
+ wait.until(EC.title_contains("Add an episode"))
+
+ # upload podcast ###################################################
+
+ driver.find_element(By.CSS_SELECTOR, '#audio_file').send_keys(
+ '${mp3file}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#cover').send_keys(
+ '${cover}'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#description').send_keys(
+ 'Episode description'
+ )
+ driver.find_element(By.CSS_SELECTOR, '#title').send_keys(
+ '${episodeTitle}'
+ )
+ driver.find_element(By.XPATH,
+ "//button[contains(., 'Create episode')]"
+ ).click()
+
+ wait.until(EC.title_contains("${episodeTitle}"))
+
+ driver.close()
+ driver.quit()
+ '';
+ in
+ [ pkgs.firefox-unwrapped pkgs.geckodriver browser-test ];
+ };
+
testScript = ''
start_all()
castopod.wait_for_unit("castopod-setup.service")
@@ -79,9 +216,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
castopod.wait_for_unit("nginx.service")
castopod.wait_for_open_port(80)
castopod.wait_until_succeeds("curl -sS -f http://castopod.example.com")
- castopod.succeed("curl -s http://localhost/cp-install | grep 'Create your Super Admin account' > /dev/null")
- with subtest("Create superadmin and log in"):
- castopod.succeed("PYTHONUNBUFFERED=1 systemd-cat -t test-runner test-runner")
+ with subtest("Create superadmin, log in, create and upload a podcast"):
+ client.succeed(\
+ "PYTHONUNBUFFERED=1 systemd-cat -t browser-test browser-test")
'';
})
diff --git a/pkgs/applications/audio/castopod/default.nix b/pkgs/applications/audio/castopod/default.nix
index 83c70f9b36646d..badace09587d2b 100644
--- a/pkgs/applications/audio/castopod/default.nix
+++ b/pkgs/applications/audio/castopod/default.nix
@@ -3,7 +3,7 @@
, ffmpeg-headless
, lib
, nixosTests
-, stateDirectory ? "/var/lib/castopod"
+, dataDir ? "/var/lib/castopod"
}:
stdenv.mkDerivation {
pname = "castopod";
@@ -20,13 +20,16 @@ stdenv.mkDerivation {
postPatch = ''
# not configurable at runtime unfortunately:
substituteInPlace app/Config/Paths.php \
- --replace "__DIR__ . '/../../writable'" "'${stateDirectory}/writable'"
+ --replace "__DIR__ . '/../../writable'" "'${dataDir}/writable'"
- # configuration file must be writable, place it to ${stateDirectory}
+ substituteInPlace modules/Admin/Controllers/DashboardController.php \
+ --replace "disk_total_space('./')" "disk_total_space('${dataDir}')"
+
+ # configuration file must be writable, place it to ${dataDir}
substituteInPlace modules/Install/Controllers/InstallController.php \
- --replace "ROOTPATH" "'${stateDirectory}/'"
+ --replace "ROOTPATH" "'${dataDir}/'"
substituteInPlace public/index.php spark \
- --replace "DotEnv(ROOTPATH)" "DotEnv('${stateDirectory}')"
+ --replace "DotEnv(ROOTPATH)" "DotEnv('${dataDir}')"
# ffmpeg is required for Video Clips feature
substituteInPlace modules/MediaClipper/VideoClipper.php \
From 45d43fe39fa3167d5cf7ba9a2cb9fcd6fbe2c5c3 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov <alexoundos@gmail.com>
Date: Mon, 11 Dec 2023 09:00:26 +0400
Subject: [PATCH 3/8] nixos/castopod: little documentation fix
---
nixos/modules/services/web-apps/castopod.nix | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/web-apps/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
index 7c99551c83183f..11cf4b36aeb385 100644
--- a/nixos/modules/services/web-apps/castopod.nix
+++ b/nixos/modules/services/web-apps/castopod.nix
@@ -126,9 +126,10 @@ in
Maximum supported size for a file upload in MiB. Maximum HTTP body
size is set to this value for nginx and PHP (because castopod doesn't
support chunked uploads yet:
- https://code.castopod.org/adaures/castopod/-/issues/330). Note, that
- practical upload size limit is smaller. For example, with 512 MiB
- setting - around 500 MiB is possible.
+ https://code.castopod.org/adaures/castopod/-/issues/330).
+
+ Note, that practical upload size limit is smaller. For example, with
+ 512 MiB setting - around 500 MiB is possible.
'';
};
};
From 4aafd48b7e76748eaf0ff7409b12b455d1db31ec Mon Sep 17 00:00:00 2001
From: sinavir <sinavir@sinavir.fr>
Date: Fri, 23 Feb 2024 22:02:10 +0100
Subject: [PATCH 4/8] castopod: 1.6.5 -> 1.10.3
---
pkgs/applications/audio/castopod/default.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/audio/castopod/default.nix b/pkgs/applications/audio/castopod/default.nix
index badace09587d2b..438f1d728f9624 100644
--- a/pkgs/applications/audio/castopod/default.nix
+++ b/pkgs/applications/audio/castopod/default.nix
@@ -10,8 +10,8 @@ stdenv.mkDerivation {
version = "1.6.5";
src = fetchurl {
- url = "https://code.castopod.org/adaures/castopod/uploads/5aaaa6cf2edaed25bd7253449e5f8584/castopod-1.6.5.tar.gz";
- sha256 = "04gcq2vmfy5aa2fmsm1qqv1k8g024nikmysdrhy33wj460d529b5";
+ url = "https://code.castopod.org/adaures/castopod/uploads/2bb52d4607a772ac8b397efa3559a3ae/castopod-1.10.3.tar.gz";
+ sha256 = "0w1yl14v3aajm089vwpq9wkiibv3w312y004ggdbf7xwzsrmjs51";
};
dontBuild = true;
From 6205595efbdcc2f3440022b4ff7258e2f50a6427 Mon Sep 17 00:00:00 2001
From: sinavir <sinavir@sinavir.fr>
Date: Fri, 23 Feb 2024 22:27:24 +0100
Subject: [PATCH 6/8] nixos/castopod: use LoadCredentials
---
nixos/modules/services/web-apps/castopod.nix | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/web-apps/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
index 11cf4b36aeb385..042fb3954d2b73 100644
--- a/nixos/modules/services/web-apps/castopod.nix
+++ b/nixos/modules/services/web-apps/castopod.nix
@@ -67,6 +67,8 @@ in
description = lib.mdDoc ''
A file containing the password corresponding to
[](#opt-services.castopod.database.user).
+
+ This file is loaded using systemd LoadCredentials.
'';
};
};
@@ -93,6 +95,8 @@ in
Environment file to inject e.g. secrets into the configuration.
See [](https://code.castopod.org/adaures/castopod/-/blob/main/.env.example)
for available environment variables.
+
+ This file is loaded using systemd LoadCredentials.
'';
};
configureNginx = lib.mkOption {
@@ -207,19 +211,23 @@ in
echo "analytics.salt=$(cat ${cfg.dataDir}/salt)" >> ${envFile}
${if (cfg.database.passwordFile != null) then ''
- echo "database.default.password=$(cat ${lib.escapeShellArg cfg.database.passwordFile})" >> ${envFile}
+ echo "database.default.password=$(cat "$CREDENTIALS_DIRECTORY/dbpasswordfile)" >> ${envFile}
'' else ''
echo "database.default.password=" >> ${envFile}
''}
${lib.optionalString (cfg.environmentFile != null) ''
- cat ${lib.escapeShellArg cfg.environmentFile} >> ${envFile}
+ cat "$CREDENTIALS_DIRECTORY/envfile" >> ${envFile}
''}
php ${cfg.package}/share/castopod/spark castopod:database-update
'';
serviceConfig = {
StateDirectory = "castopod";
+ LoadCredential = lib.optional (cfg.environmentFile != null)
+ "envfile:${cfg.environmentFile}"
+ ++ (lib.optional (cfg.database.passwordFile != null)
+ "dbpasswordfile:${cfg.database.passwordFile}");
WorkingDirectory = "${cfg.package}/share/castopod";
Type = "oneshot";
RemainAfterExit = true;
From 9b03fc35a30671e5d4146bbcbe6b5536fa9baacc Mon Sep 17 00:00:00 2001
From: sinavir <sinavir@sinavir.fr>
Date: Sat, 2 Mar 2024 18:01:54 +0100
Subject: [PATCH 7/8] nixos/castopod: build mp3 in the test
---
nixos/tests/castopod.nix | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
index 2db7aa0bda6507..2bdc6941c23815 100644
--- a/nixos/tests/castopod.nix
+++ b/nixos/tests/castopod.nix
@@ -37,14 +37,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
targetPodcastDuration = toString
((targetPodcastSize + lameMp3FileAdjust) / (lameMp3Bitrate / 8));
mp3file = with pkgs;
- runCommand "gen-castopod.mp3" { nativeBuildInputs = [ sox lame ]; } ''
- sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
- `| lame --noreplaygain -cbr -q 9 -b 320 - $out
- FILESIZE="$(stat -c%s $out)"
- [ "$FILESIZE" -gt 0 ]
- [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
- '';
-
+ runCommand ;
bannerWidth = 3000;
banner = pkgs.runCommand "gen-castopod-cover.jpg" { } ''
${pkgs.imagemagick}/bin/magick `
@@ -185,7 +178,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
# upload podcast ###################################################
driver.find_element(By.CSS_SELECTOR, '#audio_file').send_keys(
- '${mp3file}'
+ '/tmp/podcast.mp3'
)
driver.find_element(By.CSS_SELECTOR, '#cover').send_keys(
'${cover}'
@@ -206,7 +199,23 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
driver.quit()
'';
in
- [ pkgs.firefox-unwrapped pkgs.geckodriver browser-test ];
+ [
+ pkgs.firefox-unwrapped
+ pkgs.geckodriver
+ browser-test
+ (pkgs.writeShellApplication {
+ name = "build-mp3";
+ runtimeInputs = with pkgs; [ sox lame ];
+ text = ''
+ out=/tmp/podcast.mp3
+ sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
+ `| lame --noreplaygain -cbr -q 9 -b 320 - $out
+ FILESIZE="$(stat -c%s $out)"
+ [ "$FILESIZE" -gt 0 ]
+ [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
+ '';
+ })
+ ];
};
testScript = ''
@@ -217,6 +226,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
castopod.wait_for_open_port(80)
castopod.wait_until_succeeds("curl -sS -f http://castopod.example.com")
+ client.succeed("build-mp3")
+
with subtest("Create superadmin, log in, create and upload a podcast"):
client.succeed(\
"PYTHONUNBUFFERED=1 systemd-cat -t browser-test browser-test")
From 538281e8be427f820371f4005e991e0281872e12 Mon Sep 17 00:00:00 2001
From: sinavir <sinavir@sinavir.fr>
Date: Sat, 2 Mar 2024 18:04:35 +0100
Subject: [PATCH 8/8] nixos/castopod: Increase test timeouts
---
nixos/tests/castopod.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
index 2bdc6941c23815..2c5c745f7da0df 100644
--- a/nixos/tests/castopod.nix
+++ b/nixos/tests/castopod.nix
@@ -105,7 +105,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
driver.get('http://${domain}/cp-install')
- wait = WebDriverWait(driver, 10)
+ wait = WebDriverWait(driver, 20)
wait.until(EC.title_contains("installer"))

28
patches/03-nextcloud.patch Normal file
View file

@ -0,0 +1,28 @@
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -131,6 +131,7 @@
(mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] ''
Use services.nextcloud.enableImagemagick instead.
'')
+ (mkRenamedOptionModule [ "services" "nextcloud" "config" "objectstore" "s3" "autocreate" ] [ "services" "nextcloud" "config" "objectstore" "s3" "verify_bucket_exists" ])
];
options.services.nextcloud = {
@@ -487,7 +487,7 @@
The name of the S3 bucket.
'';
};
- autocreate = mkOption {
+ verify_bucket_exists = mkOption {
type = types.bool;
description = lib.mdDoc ''
Create the objectstore if it does not exist.
@@ -820,7 +820,7 @@
'class' => '\\OC\\Files\\ObjectStore\\S3',
'arguments' => [
'bucket' => '${s3.bucket}',
- 'autocreate' => ${boolToString s3.autocreate},
+ 'verify_bucket_exists' => ${boolToString s3.verify_bucket_exists},
'key' => '${s3.key}',
'secret' => nix_read_secret('${s3.secretFile}'),
${optionalString (s3.hostname != null) "'hostname' => '${s3.hostname}',"}

0
patches/nixpkgs/04-crabfit-karla.patch → patches/04-crabfit-karla.patch
View file

0
patches/nixpkgs/05-netbird-relay.patch → patches/05-netbird-relay.patch
View file

35
patches/default.nix
View file

@ -1,19 +1,12 @@
let
local = path: {
_type = "static";
inherit path;
};
in
{
lix = [
(local ./lix/01-disable-installChecks.patch)
];
"nixos-24.05" = [
(local ./nixpkgs/06-netbox-qrcode.patch)
# netbox qrcode plugin
{
_type = "commit";
sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
}
# nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
{
id = "275165";
hash = "sha256-9a26V3Pi8yLD3N9+mC1kvJoruxRTp/qOHapnt6VX7pw=";
@ -27,7 +20,10 @@ in
}
# Crabfit: don't depend on all google-fonts
(local ./nixpkgs/04-crabfit-karla.patch)
{
_type = "static";
path = ./04-crabfit-karla.patch;
}
# nixos/kanidm: add basic provisioning
{
@ -52,9 +48,16 @@ in
"nixos-unstable" = [
# netbox qrcode plugin
(local ./nixpkgs/06-netbox-qrcode.patch)
{
_type = "commit";
sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
}
# Build netbird-relay
(local ./nixpkgs/05-netbird-relay.patch)
{
_type = "static";
path = ./05-netbird-relay.patch;
}
];
}

70
patches/nixpkgs/06-netbox-qrcode.patch
View file

@ -1,70 +0,0 @@
diff --git a/pkgs/development/python-modules/netbox-qrcode/default.nix b/pkgs/development/python-modules/netbox-qrcode/default.nix
new file mode 100644
index 000000000000..b378b839a8dc
--- /dev/null
+++ b/pkgs/development/python-modules/netbox-qrcode/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, setuptools
+, wheel
+, pillow
+, qrcode
+, netbox
+}:
+
+buildPythonPackage rec {
+ pname = "netbox-qrcode";
+ version = "0.0.13";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "netbox-community";
+ repo = "netbox-qrcode";
+ rev = "v${version}";
+ hash = "sha256-/labSZyB1SkU/uemuL946RDk8IVEAgCYJY2vrJFney0=";
+ };
+
+ nativeBuildInputs = [
+ setuptools
+ wheel
+ ];
+
+ propagatedBuildInputs = [
+ qrcode
+ pillow
+ ];
+
+ checkInputs = [
+ netbox
+ ];
+
+ preFixup = ''
+ export PYTHONPATH=${netbox}/opt/netbox/netbox:$PYTHONPATH
+ '';
+
+ pythonImportsCheck = [
+ "netbox_qrcode"
+ ];
+
+ meta = with lib; {
+ description = "NetBox Plugin for generate QR Codes";
+ homepage = "https://github.com/netbox-community/netbox-qrcode";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ sinavir ];
+ };
+}
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 9999d745e3ac..b226e0063672 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -8989,6 +8989,8 @@ self: super: with self; {
netbox-reorder-rack = callPackage ../development/python-modules/netbox-reorder-rack { };
+ netbox-qrcode = callPackage ../development/python-modules/netbox-qrcode { };
+
netcdf4 = callPackage ../development/python-modules/netcdf4 { };
netdata = callPackage ../development/python-modules/netdata { };

7
scripts/cache-node.sh
View file

@ -1,9 +1,6 @@
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
set -eu -o pipefail
drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
drv=$("@colmena@/bin/colmena" eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
# Build the derivation and send it to the great beyond
nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt

79
scripts/check-deployment.sh
View file

@ -1,3 +1,7 @@
#!/usr/bin/env bash
#!@bash@/bin/bash
# shellcheck shell=bash
set -o errexit
set -o nounset
set -o pipefail
@ -16,7 +20,7 @@ Exemple:
while [[ $# -gt 0 ]]; do
case "$1" in
--help | -h)
--help|-h)
echo "$usage"
exit 0
;;
@ -47,13 +51,13 @@ GIT_TOP_LEVEL=$(git rev-parse --show-toplevel)
echo "Cloning local main..."
git clone -q --branch main --single-branch "$GIT_TOP_LEVEL" "$TMP"
pushd "$TMP" >/dev/null || exit 2
pushd "$TMP" > /dev/null || exit 2
####################
# Evaluate configs #
####################
colmena_failed() {
colmena_failed () {
>&2 echo "Colmena failed. Check your config. Logs:"
>&2 cat "$COLMENA_LOGS"
exit 3
@ -64,7 +68,7 @@ COLMENA_LOGS=$(mktemp)
echo "Evaluating configs..."
# Disable warning because of '${}'
# shellcheck disable=SC2016
RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2>"$COLMENA_LOGS" || colmena_failed)
RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2> "$COLMENA_LOGS" || colmena_failed)
rm "$COLMENA_LOGS"
echo "Evaluation finished"
@ -73,48 +77,49 @@ echo "Evaluation finished"
# retrieve and check current-system #
#####################################
retrieve_current_system() {
retrieve_current_system () {
# TODO implement a less invasive method
ssh -n "root@$1" "readlink -f /run/current-system"
}
return_status=0
echo "$RESULTS" | jq -c '.[]' |
while IFS=$'\n' read -r c; do
echo "$RESULTS" | @jq@/bin/jq -c '.[]' |
while IFS=$'\n' read -r c; do
machine=$(echo "$c" | jq -r '.machine')
if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
echo "Skipping ${machine}"
continue
fi
expected_path=$(echo "$c" | jq -r '.path')
domain=$(echo "$c" | jq -r '.domain')
drv_path=$(echo "$c" | jq -r '.drv')
machine=$(echo "$c" | @jq@/bin/jq -r '.machine')
if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
echo "Skipping ${machine}"
continue
fi
expected_path=$(echo "$c" | @jq@/bin/jq -r '.path')
domain=$(echo "$c" | @jq@/bin/jq -r '.domain')
drv_path=$(echo "$c" | @jq@/bin/jq -r '.drv')
err=0
current_path=$(retrieve_current_system "$domain") || err=1
if [[ "1" == "${err}" ]]; then
echo "❌ failed to contact $domain !"
continue
fi
err=0
current_path=$(retrieve_current_system "$domain") || err=1
if [[ "1" == "${err}" ]] ; then
echo "❌ failed to contact $domain !"
continue
fi
if [ "$expected_path" == "$current_path" ]; then
echo "$machine -> OK"
elif [[ -n ${diff-} ]]; then
nix-copy-closure --from "root@$domain" "$current_path"
nix-store -r "$drv_path"
echo "$machine -> error. nvd output:"
nvd diff "$expected_path" "$current_path"
return_status=1
else
echo "☠️ $machine -> error:"
echo " - Expected system: $expected_path"
echo " - Current system: $current_path"
return_status=1
fi
done
if [ "$expected_path" == "$current_path" ] ; then
echo "$machine -> OK"
elif [[ -n ${diff-} ]] ; then
nix-copy-closure --from "root@$domain" "$current_path"
nix-store -r "$drv_path"
echo "$machine -> error. nvd output:"
@nvd@/bin/nvd diff "$expected_path" "$current_path"
return_status=1
else
echo "☠️ $machine -> error:"
echo " - Expected system: $expected_path"
echo " - Current system: $current_path"
return_status=1
fi
done
popd >/dev/null || exit 2
popd > /dev/null || exit 2
rm -r "$TMP"
exit $return_status

57
scripts/default.nix
View file

@ -1,32 +1,39 @@
{ pkgs }:
{ pkgs, ... }:
let
inherit (pkgs.lib) mapAttrs;
inherit (pkgs)
writeShellApplication
colmena
jq
nvd
;
scripts = {
cache-node = [ colmena ];
check-deployment = [
substitutions = {
inherit (pkgs)
bash
colmena
jq
coreutils
nvd
];
launch-vm = [ colmena ];
list-nodes = [ jq ];
git
jq
;
};
mkShellScript =
name:
(pkgs.substituteAll (
{
inherit name;
src = ./. + "/${name}.sh";
dir = "/bin/";
isExecutable = true;
checkPhase = ''
${pkgs.stdenv.shellDryRun} "$target"
'';
}
// substitutions
));
scripts = [
"cache-node"
"check-deployment"
"launch-vm"
"list-nodes"
];
in
mapAttrs (
name: runtimeInputs:
writeShellApplication {
inherit name runtimeInputs;
text = builtins.readFile ./${name}.sh;
}
) scripts
builtins.map mkShellScript scripts

32
scripts/launch-vm.sh
View file

@ -1,35 +1,33 @@
#!@bash@/bin/bash
# shellcheck shell=bash
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
MACHINE=""
HOSTFWD=""
while getopts 'p:o:h' opt; do
case "$opt" in
p)
HOSTFWD=",hostfwd=tcp::$OPTARG$HOSTFWD"
;;
p)
HOSTFWD=",hostfwd=tcp::$OPTARG$HOSTFWD"
;;
o)
MACHINE="$OPTARG"
;;
o)
MACHINE="$OPTARG"
;;
h | ?)
echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
exit 1
;;
h|?)
echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
exit 1
;;
esac
done
shift "$((OPTIND - 1))"
shift "$((OPTIND -1))"
if [ -z "$MACHINE" ]; then
echo "-o option needed"
exit 1
fi
if [ -z "$MACHINE" ]; then echo "-o option needed"; exit 1; fi
DRV_PATH=$(colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
DRV_PATH=$(@colmena@/bin/colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
echo "Realising $DRV_PATH"
RESULT=$(nix-store -r "$DRV_PATH")

10
scripts/list-nodes.sh
View file

@ -1,8 +1,6 @@
set -o errexit
set -o nounset
set -o pipefail
shopt -s lastpipe
#!@bash@/bin/bash
# shellcheck shell=bash
cd "$(git rev-parse --show-toplevel)"
cd $(@git@/bin/git rev-parse --show-toplevel)
nix-instantiate --strict --eval --json -A nodes | jq .
nix-instantiate --strict --eval --json -A nodes | @jq@/bin/jq .

2
shell.nix
View file

@ -1 +1 @@
(import ./. { }).devShell
(import ./. { }).shells.default

7
terranix/common.nix Normal file
View file

@ -0,0 +1,7 @@
{
# Until we get some kind of KMS operational, store secrets in the state file.
terraform.required_providers.secret = {
version = "~> 1.2.1";
source = "numtide/secret";
};
}

7
terranix/default.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./common.nix
./state.nix
./s3.nix
];
}

54
terranix/s3.nix Normal file
View file

@ -0,0 +1,54 @@
{ lib, ... }:
let
inherit (lib) tf;
in
{
# FIXME: add a NixOS module to abstract bucket creation, etc.
config = {
terraform.required_providers.garage = {
version = "~> 1.0.3";
source = "registry.opentofu.org/RaitoBezarius/garage";
};
resource = {
secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;
garage_bucket = {
monorepo-terraform-state = { };
impress-raito-demo = { };
};
garage_bucket_global_alias = {
monorepo-terraform-state = {
bucket_id = tf.ref "resource.garage_bucket.monorepo-terraform-state.id";
alias = "monorepo-terraform-state";
};
impress-raito-demo = {
bucket_id = tf.ref "resource.garage_bucket.impress-raito-demo.id";
alias = "impress-raito-demo";
};
};
garage_key = {
raito-dinum-test = {
name = "raito-dinum-test";
permissions.create_bucket = false;
};
};
garage_bucket_key = {
raito-dinum-test = {
bucket_id = tf.ref "resource.garage_bucket.impress-raito-demo.id";
access_key_id = tf.ref "resource.garage_key.raito-dinum-test.access_key_id";
read = true;
write = true;
owner = true;
};
};
};
provider.garage = {
host = "s3-admin.dgnum.eu";
scheme = "https";
token = tf.ref "resource.secret_resource.admin-s3-token.value";
};
};
}

21
terranix/state.nix Normal file
View file

@ -0,0 +1,21 @@
{
# We use terraform.backend.s3 directly instead of the type-checked Terranix
# backend.s3 options. The latter does not support setting arbitrary s3
# endpoints.
#
# Note: currently requires the user to provide AWS_ACCESS_KEY_ID as well as
# AWS_SECRET_ACCESS_KEY in their environment variables.
terraform.backend.s3 = {
endpoints.s3 = "s3.dgnum.eu";
region = "garage";
bucket = "monorepo-terraform-state";
key = "state";
# It's just a dumb Garage server, don't try to be smart.
skip_credentials_validation = true;
skip_region_validation = true;
skip_requesting_account_id = true;
skip_metadata_api_check = true;
};
}

31
workflows/check-meta.nix
View file

@ -1,31 +0,0 @@
{
name = "Check meta";
on = {
pull_request.branches = [ "main" ];
push.paths = [ "meta/*" ];
};
jobs = {
check_meta = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check the validity of meta options";
run = "nix-build meta/verify.nix -A meta";
}
];
};
check_dns = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check the validity of the DNS configuration";
run = "nix-build meta/verify.nix -A dns";
}
];
};
};
}

20
workflows/check-workflows.nix
View file

@ -1,20 +0,0 @@
{
name = "Check workflows";
on = {
pull_request.branches = [ "main" ];
push.paths = [ "workflows/*" ];
};
jobs = {
check_workflows = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check that the workflows are up to date";
run = "nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) -eq 0 ]'";
}
];
};
};
}

32
workflows/eval-nodes.nix
View file

@ -1,32 +0,0 @@
{ lib }:
let
inherit (lib) attrNames genAttrs;
nodes = attrNames (builtins.readDir ../machines);
in
{
name = "Build all the nodes";
on = {
pull_request.branches = [ "main" ];
push.branches = [ "main" ];
};
jobs = genAttrs nodes (node: {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Build and cache ${node}";
run = "nix-shell -A eval-nodes --run cache-node";
env = {
STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
STORE_USER = "admin";
STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
BUILD_NODE = node;
};
}
];
});
}

18
workflows/pre-commit.nix
View file

@ -1,18 +0,0 @@
{
name = "Run pre-commit on all files";
on = [
"push"
"pull_request"
];
jobs.check = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Run pre-commit on all files";
run = "nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'";
}
];
};
}