Compare commits
No commits in common. "main" and "hypervisors" have entirely different histories.
main
...
hypervisor
24 changed files with 232 additions and 621 deletions
|
@ -20,7 +20,7 @@ precedence = "closest"
|
|||
[[annotations]]
|
||||
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
|
||||
SPDX-License-Identifier = "EUPL-1.2"
|
||||
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
|
||||
path = ["machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
|
||||
precedence = "closest"
|
||||
|
||||
[[annotations]]
|
||||
|
|
|
@ -85,7 +85,6 @@ let
|
|||
# Patches
|
||||
{
|
||||
path = [
|
||||
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
|
||||
"machines/nixos/compute01/librenms/kanidm.patch"
|
||||
"machines/nixos/compute01/stirling-pdf/*.patch"
|
||||
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
|
||||
|
|
|
@ -1,63 +0,0 @@
|
|||
From de5e8237e4bd8f3e325473c789fb542d01557f27 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Hubrecht <tom@hubrecht.ovh>
|
||||
Date: Fri, 22 Sep 2023 17:26:27 +0200
|
||||
Subject: [PATCH 1/2] fix(smtp): Allow specifying SSL settings
|
||||
|
||||
---
|
||||
config/environments/production.rb | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/config/environments/production.rb b/config/environments/production.rb
|
||||
index cf942cd6c70..39692890213 100644
|
||||
--- a/config/environments/production.rb
|
||||
+++ b/config/environments/production.rb
|
||||
@@ -105,7 +105,8 @@
|
||||
user_name: ENV.fetch("SMTP_USER"),
|
||||
password: ENV.fetch("SMTP_PASS"),
|
||||
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
|
||||
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
|
||||
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
|
||||
+ ssl: ENV.fetch("SMTP_SSL").present?
|
||||
}
|
||||
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
|
||||
config.action_mailer.delivery_method = :sendmail
|
||||
|
||||
From a406428ee761231c3e82dd5c8f5154d04474a238 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Hubrecht <tom@hubrecht.ovh>
|
||||
Date: Mon, 25 Sep 2023 10:17:37 +0200
|
||||
Subject: [PATCH 2/2] fix(smtp): Disambiguate configuration options for SMTP
|
||||
|
||||
---
|
||||
config/env.example.optional | 3 ++-
|
||||
config/environments/production.rb | 4 ++--
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/config/env.example.optional b/config/env.example.optional
|
||||
index 050e5d49bec..25bea8328fb 100644
|
||||
--- a/config/env.example.optional
|
||||
+++ b/config/env.example.optional
|
||||
@@ -206,7 +206,8 @@ SMTP_HOST=""
|
||||
SMTP_PORT=""
|
||||
SMTP_USER=""
|
||||
SMTP_PASS=""
|
||||
-SMTP_TLS=""
|
||||
+SMTP_STARTTLS="enabled" # Use any non-blank value to enable starttls
|
||||
+SMTP_TLS="" # Use any non-blank value to enable TLS
|
||||
SMTP_AUTHENTICATION="plain"
|
||||
|
||||
# Sendmail
|
||||
diff --git a/config/environments/production.rb b/config/environments/production.rb
|
||||
index 39692890213..bc203bbbaab 100644
|
||||
--- a/config/environments/production.rb
|
||||
+++ b/config/environments/production.rb
|
||||
@@ -105,8 +105,8 @@
|
||||
user_name: ENV.fetch("SMTP_USER"),
|
||||
password: ENV.fetch("SMTP_PASS"),
|
||||
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
|
||||
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
|
||||
- ssl: ENV.fetch("SMTP_SSL").present?
|
||||
+ enable_starttls_auto: ENV.fetch("SMTP_STARTTLS", "enabled").present?,
|
||||
+ tls: ENV.fetch("SMTP_TLS", "").present?
|
||||
}
|
||||
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
|
||||
config.action_mailer.delivery_method = :sendmail
|
|
@ -11,49 +11,41 @@
|
|||
|
||||
let
|
||||
host = "demarches.dgnum.eu";
|
||||
port = 3000;
|
||||
|
||||
dgn-id = "8dfdc60d1aa66e7206461ed7a49199f624a66b4e";
|
||||
patch = pkgs.fetchurl {
|
||||
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
|
||||
hash = "sha256-6JdbUf2fc79E5F1wtYFnP1JLGJffhGbjaxysRFr8xN4=";
|
||||
};
|
||||
dgn-id = "1fbe81d211b18dae7b9c1727362997c62636f24a";
|
||||
in
|
||||
{
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
dgn-web.internalPorts.ds-fr = port;
|
||||
dgn-web.internalPorts.ds-fr = 3000;
|
||||
|
||||
services.demarches-simplifiees = {
|
||||
enable = true;
|
||||
|
||||
package = (import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.overrideAttrs (old: {
|
||||
dsModules = old.dsModules.overrideAttrs {
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
|
||||
'';
|
||||
};
|
||||
package =
|
||||
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
|
||||
initialDeploymentDate = "20230923";
|
||||
}).overrideAttrs
|
||||
(old: {
|
||||
dsModules = old.dsModules.overrideAttrs {
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${
|
||||
pkgs.fetchurl {
|
||||
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
|
||||
hash = "sha256-aCq/WkV4+PUSIzXgznwm2sAcaz12Y1zmUbh7QoXoMsM=";
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
});
|
||||
|
||||
patches = (old.patches or [ ]) ++ [ ./01-smtp-tls.patch ];
|
||||
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
|
||||
'';
|
||||
|
||||
postPatch = ''
|
||||
rm -f lib/tasks/deployment/20240830192553_backfill_hide_instructeurs_email.rake
|
||||
rm -f lib/tasks/deployment/20240912151317_clean_virtual_column_from_procedure_presentation.rake
|
||||
rm -f lib/tasks/deployment/20240920130741_migrate_procedure_presentation_to_columns.rake
|
||||
'';
|
||||
});
|
||||
|
||||
inherit host port;
|
||||
|
||||
environmentFile = config.age.secrets."ds-fr-secret_file".path;
|
||||
secretFile = config.age.secrets."ds-fr-secret_file".path;
|
||||
|
||||
initialDeploymentDate = "20230923";
|
||||
|
||||
environment = {
|
||||
settings = {
|
||||
APP_HOST = host;
|
||||
|
||||
# Disable France Connect and Agent Connect
|
||||
FRANCE_CONNECT_ENABLED = "disabled";
|
||||
AGENT_CONNECT_ENABLED = "disabled";
|
||||
|
@ -73,8 +65,8 @@ in
|
|||
SMTP_HOST = "kurisu.lahfa.xyz";
|
||||
SMTP_PORT = "465";
|
||||
SMTP_USER = "web-services@infra.dgnum.eu";
|
||||
SMTP_STARTTLS = "";
|
||||
SMTP_TLS = "true";
|
||||
SMTP_TLS = "";
|
||||
SMTP_SSL = "true";
|
||||
SMTP_AUTHENTICATION = "plain";
|
||||
|
||||
SUPER_ADMIN_OTP_ENABLED = "disabled";
|
||||
|
@ -95,10 +87,18 @@ in
|
|||
|
||||
RUBY_YJIT_ENABLE = "1";
|
||||
|
||||
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-12-18";
|
||||
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-23";
|
||||
WEASYPRINT_URL = "http://127.0.0.1:5000/pdf";
|
||||
|
||||
# Customization
|
||||
# HEADER_LOGO_SRC = "logo_ens_psl_couleur.png";
|
||||
# HEADER_LOGO_ALT = "Par la Recherche, pour la Recherche";
|
||||
# PROCEDURE_DEFAULT_LOGO_SRC = "logo_ens_psl_couleur.png";
|
||||
};
|
||||
};
|
||||
|
||||
# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];
|
||||
age-secrets.autoMatch = [ "ds-fr" ];
|
||||
|
||||
dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/ds-fr" ];
|
||||
dgn-backups.postgresDatabases = [ "ds-fr" ];
|
||||
}
|
||||
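Review bot: In the SMTP settings hunk, the variant that sets `SMTP_TLS = "";` and `SMTP_SSL = "true";` leaves implicit TLS on port 465 as the only transport protection for the `plain` login, and that only holds if the packaged application actually reads `SMTP_SSL`. The local `01-smtp-tls.patch` shown earlier on this page ends with the app reading `SMTP_STARTTLS` and `SMTP_TLS`, not `SMTP_SSL`, and the content of the fetched commit patch that appears to replace it is not visible here. Please confirm that the fetched patch wires `SMTP_SSL` into the mailer settings, and record it next to the values with a comment such as `# Port 465 is implicit TLS; SMTP_SSL is only honoured with the smtp patch applied`. The +/- markers are lost on this page, so which pair is the new side is inferred from the hunk counts and the deleted patch file.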
|
|
|
@ -1,4 +1,5 @@
|
|||
# SPDX-FileCopyrightText: 2023-2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
||||
# Copyright Tom Hubrecht, (2023)
|
||||
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
|
@ -6,290 +7,192 @@
|
|||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
utils,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
getExe
|
||||
getExe'
|
||||
mapAttrs
|
||||
mkDefault
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
mkPackageOption
|
||||
|
||||
optional
|
||||
;
|
||||
optionalString
|
||||
|
||||
inherit (lib.types)
|
||||
attrsOf
|
||||
nullOr
|
||||
oneOf
|
||||
package
|
||||
path
|
||||
port
|
||||
str
|
||||
types
|
||||
;
|
||||
|
||||
inherit (utils) escapeSystemdExecArgs;
|
||||
|
||||
cfg = config.services.demarches-simplifiees;
|
||||
|
||||
weasyprintEnv = pkgs.python3.withPackages (ps: [
|
||||
ps.flask
|
||||
ps.sentry-sdk
|
||||
ps.weasyprint
|
||||
]);
|
||||
settingsFormat = pkgs.formats.keyValue { };
|
||||
|
||||
env = settingsFormat.generate "ds-fr-env" cfg.settings;
|
||||
|
||||
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
|
||||
set -a
|
||||
cd ${cfg.package}
|
||||
|
||||
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
|
||||
source ${env}
|
||||
|
||||
BIN="$1"
|
||||
shift
|
||||
|
||||
SUDO="exec"
|
||||
if [[ $USER != ${cfg.user} ]]; then
|
||||
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
|
||||
fi
|
||||
|
||||
$SUDO ${cfg.package}/bin/$BIN "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
options.services.demarches-simplifiees = {
|
||||
enable = mkEnableOption "Démarches Simplifiées";
|
||||
enable = mkEnableOption "demarches-simplifiees.";
|
||||
|
||||
package = mkPackageOption pkgs "demarches-simplifiees" { };
|
||||
|
||||
finalPackage = mkOption {
|
||||
type = package;
|
||||
default = cfg.package.override { inherit (cfg) initialDeploymentDate; };
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Hostname of the web server.
|
||||
'';
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "ds-fr";
|
||||
description = "User account under which DS runs.";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = port;
|
||||
default = 3000;
|
||||
description = ''
|
||||
Listening port for the web server.
|
||||
'';
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "ds-fr";
|
||||
description = "Group account under which DS runs.";
|
||||
};
|
||||
|
||||
weasyprintPort = mkOption {
|
||||
type = port;
|
||||
default = 5000;
|
||||
description = ''
|
||||
Port of the weasyprint server.
|
||||
'';
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/ds-fr";
|
||||
};
|
||||
|
||||
environment = mkOption {
|
||||
type = attrsOf (
|
||||
nullOr (oneOf [
|
||||
package
|
||||
path
|
||||
str
|
||||
])
|
||||
);
|
||||
description = ''
|
||||
Evironment variables available to Démarches Simplifiées.
|
||||
'';
|
||||
logDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/log/ds-fr";
|
||||
};
|
||||
|
||||
environmentFile = mkOption {
|
||||
type = nullOr path;
|
||||
secretFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing environment variables.
|
||||
Required secrets are `SECRET_KEY_BASE` and `OTP_SECRET_KEY`,
|
||||
which can be generated using `rails secret`.
|
||||
'';
|
||||
};
|
||||
|
||||
settings = mkOption { inherit (settingsFormat) type; };
|
||||
|
||||
initialDeploymentDate = mkOption {
|
||||
type = nullOr str;
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Initial deployment date, used to ignore some migrations,
|
||||
which are known to be buggy and are supposed to change old production data.
|
||||
'';
|
||||
};
|
||||
|
||||
interactScript = mkOption {
|
||||
type = package;
|
||||
default = pkgs.writeShellApplication {
|
||||
name = "ds-fr";
|
||||
|
||||
runtimeInputs = [
|
||||
cfg.finalPackage
|
||||
config.systemd.package
|
||||
pkgs.util-linux
|
||||
];
|
||||
text = ''
|
||||
MainPID=$(systemctl show -p MainPID --value demarches-simplifiees.service)
|
||||
|
||||
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
|
||||
'';
|
||||
};
|
||||
description = ''
|
||||
Script to run ds-fr tasks.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
environment.systemPackages = [ cfg.interactScript ];
|
||||
environment.systemPackages = [ ds-fr ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
|
||||
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
|
||||
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
|
||||
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
systemd.services = {
|
||||
ds-fr-setup = {
|
||||
description = "Demarches Simplifiees setup";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [
|
||||
pkgs.bash
|
||||
ds-fr
|
||||
];
|
||||
after = [ "postgresql.service" ];
|
||||
|
||||
systemd.services =
|
||||
let
|
||||
serviceConfig = {
|
||||
User = "ds-fr";
|
||||
DynamicUser = true;
|
||||
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
|
||||
CacheDirectory = "demarches-simplifiees";
|
||||
LogsDirectory = "demarches-simplifiees";
|
||||
RuntimeDirectory = "demarches-simplifiees";
|
||||
StateDirectory = "demarches-simplifiees";
|
||||
WorkingDirectory = cfg.finalPackage;
|
||||
};
|
||||
in
|
||||
{
|
||||
demarches-simplifiees = {
|
||||
description = "Démarches Simplifiées";
|
||||
|
||||
inherit (cfg) environment;
|
||||
|
||||
path = [
|
||||
cfg.finalPackage
|
||||
pkgs.imagemagick
|
||||
];
|
||||
|
||||
after = [
|
||||
"network.target"
|
||||
"postgresql.target"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -p "$STATE_DIRECTORY/storage"
|
||||
|
||||
if [[ ! -f "$STATE_DIRECTORY/.version" ]]; then
|
||||
# Run initial setup
|
||||
rails db:environment:set
|
||||
rails db:schema:load
|
||||
rails db:seed
|
||||
rails jobs:schedule
|
||||
touch "$STATE_DIRECTORY/.version"
|
||||
fi
|
||||
|
||||
if [[ $(cat "$STATE_DIRECTORY/.version") != "$__DS_VERSION" ]]; then
|
||||
# Run migrations on version change
|
||||
rake db:migrate
|
||||
rake after_party:run
|
||||
echo "$__DS_VERSION" > "$STATE_DIRECTORY/.version"
|
||||
fi
|
||||
'';
|
||||
|
||||
serviceConfig = serviceConfig // {
|
||||
ExecStart = escapeSystemdExecArgs [
|
||||
(getExe' cfg.finalPackage "rails")
|
||||
"server"
|
||||
"-b"
|
||||
"127.0.0.1"
|
||||
"-p"
|
||||
cfg.port
|
||||
];
|
||||
};
|
||||
Type = "oneshot";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
|
||||
};
|
||||
|
||||
demarches-simplifiees-work = {
|
||||
description = "Démarches Simplifiées work service";
|
||||
script = ''
|
||||
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
|
||||
&& ds-fr rails db:environment:set \
|
||||
&& ds-fr rails db:schema:load \
|
||||
&& ds-fr rails db:seed \
|
||||
&& touch ${cfg.dataDir}/.initial-migration
|
||||
|
||||
inherit (cfg) environment;
|
||||
ds-fr rake db:migrate
|
||||
ds-fr rake after_party:run
|
||||
'';
|
||||
};
|
||||
|
||||
after = [ "demarches-simplifiees.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
bindsTo = [ "demarches-simplifiees.service" ];
|
||||
partOf = [ "demarches-simplifiees.service" ];
|
||||
ds-fr-work = {
|
||||
description = "Demarches Simplifiees work service";
|
||||
|
||||
serviceConfig = serviceConfig // {
|
||||
ExecStart = escapeSystemdExecArgs [
|
||||
(getExe' cfg.finalPackage "rails")
|
||||
"jobs:work"
|
||||
];
|
||||
};
|
||||
};
|
||||
wantedBy = [
|
||||
"multi-user.target"
|
||||
"ds-fr.service"
|
||||
];
|
||||
after = [
|
||||
"network.target"
|
||||
"ds-fr-setup.service"
|
||||
];
|
||||
requires = [ "ds-fr-setup.service" ];
|
||||
|
||||
weasyprint-server = {
|
||||
description = "Weasyprint server";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
environment = {
|
||||
BASE_URL = "https://${cfg.host}";
|
||||
LOG_DIR = "/var/log/weasyprint";
|
||||
UWSGI_PYTHONPATH = weasyprintEnv;
|
||||
UWSGI_MODULE = "wgsi:app";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Type = "notify";
|
||||
WorkingDirectory = cfg.finalPackage.weasyprint_server;
|
||||
LogsDirectory = "weasyprint";
|
||||
ExecStart = escapeSystemdExecArgs [
|
||||
(getExe (pkgs.uwsgi.override { plugins = [ "python3" ]; }))
|
||||
"--http-socket"
|
||||
"127.0.0.1:${builtins.toString cfg.weasyprintPort}"
|
||||
"--processes=4"
|
||||
"--enable-threads"
|
||||
];
|
||||
NotifyAccess = "all";
|
||||
KillSignal = "SIGQUIT";
|
||||
ExecReload = "${getExe' pkgs.coreutils "kill"} -HUP $MainPID";
|
||||
ExecStop = "${getExe' pkgs.coreutils "kill"} -INT $MainPID";
|
||||
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
|
||||
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
|
||||
};
|
||||
};
|
||||
|
||||
ds-fr = {
|
||||
description = "Demarches Simplifiees web service";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [
|
||||
"network.target"
|
||||
"ds-fr-setup.service"
|
||||
];
|
||||
requires = [ "ds-fr-setup.service" ];
|
||||
path = [ pkgs.imagemagick ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${ds-fr}/bin/ds-fr rails server";
|
||||
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
|
||||
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
demarches-simplifiees.environment =
|
||||
# Hardcoded values
|
||||
{
|
||||
demarches-simplifiees.settings =
|
||||
(builtins.mapAttrs (_: mkDefault) {
|
||||
RAILS_ENV = "production";
|
||||
RAILS_ROOT = builtins.toString cfg.package;
|
||||
|
||||
# Application host name
|
||||
#
|
||||
# Examples:
|
||||
# * For local development: localhost:3000
|
||||
# * For preproduction: staging.ds.example.org
|
||||
# * For production: ds.example.org
|
||||
APP_HOST = cfg.host;
|
||||
|
||||
# Database credentials
|
||||
DB_DATABASE = "ds-fr";
|
||||
DB_USERNAME = "ds-fr";
|
||||
DB_HOST = "/run/postgresql";
|
||||
DB_PORT = "5432";
|
||||
|
||||
# The variables must be present even if empty...
|
||||
DB_PASSWORD = "";
|
||||
DB_POOL = "";
|
||||
|
||||
# Jobs configuration
|
||||
RAILS_QUEUE_ADAPTER = "delayed_job";
|
||||
|
||||
# Log on stdout
|
||||
RAILS_LOG_TO_STDOUT = "true";
|
||||
|
||||
# Package version
|
||||
__DS_VERSION = cfg.finalPackage.version;
|
||||
|
||||
# Weasyprint endpoint generating attestations v2
|
||||
# See https://github.com/demarches-simplifiees/weasyprint_server
|
||||
WEASYPRINT_URL = "http://127.0.0.1:${builtins.toString cfg.weasyprintPort}/pdf";
|
||||
}
|
||||
// (mapAttrs (_: mkDefault) {
|
||||
RAILS_ENV = "production";
|
||||
RAILS_ROOT = builtins.toString cfg.finalPackage;
|
||||
APP_HOST = "localhost:3000";
|
||||
|
||||
# Rails key for signing sensitive data
|
||||
# See https://guides.rubyonrails.org/security.html
|
||||
|
@ -324,6 +227,18 @@ in
|
|||
# SAML
|
||||
SAML_IDP_ENABLED = "disabled";
|
||||
|
||||
# External service: authentication through France Connect
|
||||
FC_PARTICULIER_ID = "";
|
||||
FC_PARTICULIER_SECRET = "";
|
||||
FC_PARTICULIER_BASE_URL = "";
|
||||
|
||||
# External service: authentication through Agent Connect
|
||||
AGENT_CONNECT_ID = "";
|
||||
AGENT_CONNECT_SECRET = "";
|
||||
AGENT_CONNECT_BASE_URL = "";
|
||||
AGENT_CONNECT_JWKS = "";
|
||||
AGENT_CONNECT_REDIRECT = "";
|
||||
|
||||
# External service: integration with HelpScout (optional)
|
||||
HELPSCOUT_MAILBOX_ID = "";
|
||||
HELPSCOUT_CLIENT_ID = "";
|
||||
|
@ -373,6 +288,9 @@ in
|
|||
# https://api.gouv.fr/api/api-entreprise.html
|
||||
API_ENTREPRISE_KEY = "";
|
||||
|
||||
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
|
||||
PIPEDRIVE_KEY = "";
|
||||
|
||||
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
|
||||
TRUSTED_NETWORKS = "";
|
||||
|
||||
|
@ -381,7 +299,7 @@ in
|
|||
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
|
||||
|
||||
# Enable or disable Lograge logs
|
||||
LOGRAGE_ENABLED = "enabled";
|
||||
LOGRAGE_ENABLED = "disabled";
|
||||
|
||||
# Logs source for Lograge
|
||||
#
|
||||
|
@ -418,42 +336,57 @@ in
|
|||
|
||||
# Siret number used for API Entreprise, by default we use SIRET from dinum
|
||||
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
|
||||
})
|
||||
// {
|
||||
# Database credentials
|
||||
DB_DATABASE = "ds-fr";
|
||||
DB_USERNAME = cfg.user;
|
||||
DB_PASSWORD = "";
|
||||
DB_HOST = "/run/postgresql";
|
||||
DB_POOL = "";
|
||||
|
||||
# Date from which email validation requires a TLD in email adresses.
|
||||
# This change had been introduced by : cc53946d221d6f64c365ad6c6c4c544802eb94b4
|
||||
# Records (users, …) created before this date won't be affected. See #9978
|
||||
# To set a date, we recommend using *the day after* you have deployed this commit,
|
||||
# so existing records won't be invalid.
|
||||
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-19";
|
||||
});
|
||||
# Log on stdout
|
||||
RAILS_LOG_TO_STDOUT = true;
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases = [ "ds-fr" ];
|
||||
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "ds-fr";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
ensureUsers = optional (cfg.user == "ds-fr") {
|
||||
name = "ds-fr";
|
||||
ensureDBOwnership = true;
|
||||
};
|
||||
|
||||
extensions = [ config.services.postgresql.package.pkgs.postgis ];
|
||||
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${cfg.host} = {
|
||||
virtualHosts.${cfg.settings.APP_HOST} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "${cfg.finalPackage}/public/";
|
||||
root = "${cfg.package}/public/";
|
||||
|
||||
locations."/".tryFiles = "$uri @proxy";
|
||||
locations."@proxy".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
|
||||
locations."@proxy" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users = mkIf (cfg.user == "ds-fr") {
|
||||
ds-fr = {
|
||||
inherit (cfg) group;
|
||||
|
||||
isSystemUser = true;
|
||||
home = cfg.package;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups.${cfg.group} = { };
|
||||
};
|
||||
}
|
||||
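Review bot: The `ds-fr` web unit is started with `ExecStart = "${ds-fr}/bin/ds-fr rails server";` and no bind address, while the other variant of this unit in the same section passes `"-b" "127.0.0.1" "-p" cfg.port`. With `RAILS_ENV = "production"` the Rails server listens on all interfaces by default unless the app's Puma configuration overrides it, so port 3000 may be reachable directly instead of only through the nginx vhost that sets `forceSSL`. I would pin it: `ExecStart = "${ds-fr}/bin/ds-fr rails server -b 127.0.0.1";`. The same variant also runs under a static `cfg.user` where the other uses `DynamicUser = true`, and its wrapper forwards the caller's whole environment with `sudo -u ${cfg.user} --preserve-env` after `source ${cfg.secretFile}`; a comment on the wrapper saying that the secrets are exported to the child on purpose would help the next reader. The +/- markers are lost on this page, so which variant is the new side is inferred from the option names the caller uses (`secretFile`, `settings`).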
|
|
|
@ -25,7 +25,6 @@ let
|
|||
"boussole-sante.normalesup.eu"
|
||||
"lanuit.ens.fr"
|
||||
"simi.normalesup.eu"
|
||||
"pub.dgnum.eu"
|
||||
];
|
||||
|
||||
buckets = [
|
||||
|
@ -36,7 +35,6 @@ let
|
|||
"hackens-website"
|
||||
"nuit-website"
|
||||
"peertube-videos-dgnum"
|
||||
"landing-website"
|
||||
] ++ domains;
|
||||
|
||||
mkHosted = host: builtins.map (b: "${b}.${host}");
|
||||
|
|
|
@ -35,9 +35,9 @@ in
|
|||
"www.interq.ens.fr" = "interq.ens.fr";
|
||||
};
|
||||
|
||||
temporary =
|
||||
{
|
||||
};
|
||||
temporary = {
|
||||
"pub.dgnum.eu".to = "https://www.instagram.com/dgnum_eu/";
|
||||
};
|
||||
|
||||
retired = mkSubs {
|
||||
"ens.fr" = [
|
||||
|
|
|
@ -135,9 +135,12 @@ in
|
|||
|
||||
dgn-web.simpleProxies.cas-eleves = {
|
||||
inherit host port;
|
||||
vhostConfig.locations = {
|
||||
"/static/".root = staticDrv;
|
||||
"= /robots.txt".root = "${staticDrv}/static";
|
||||
vhostConfig = {
|
||||
serverAliases = [ "cas-eleves.dgnum.eu" ];
|
||||
locations = {
|
||||
"/static/".root = staticDrv;
|
||||
"= /robots.txt".root = "${staticDrv}/static";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@ lib.extra.mkConfig {
|
|||
enabledServices = [
|
||||
# List of services to enable
|
||||
"django-apps"
|
||||
"redirections"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
imports = [
|
||||
./annuaire.nix
|
||||
./bocal.nix
|
||||
./ernestophone.nix
|
||||
./gestiojeux.nix
|
||||
./interludes.nix
|
||||
./wikiens.nix
|
||||
|
|
|
@ -1,65 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
{
|
||||
pkgs,
|
||||
sources,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
|
||||
in
|
||||
|
||||
{
|
||||
services.django-apps.sites.ernestophone = {
|
||||
source = "https://git.dgnum.eu/DGNum/ernestophone.ens.fr";
|
||||
branch = "update";
|
||||
domain = "ernestophone.ens.fr";
|
||||
|
||||
nginx = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations = {
|
||||
"/media/trombonoscope/".root = "/run/django-apps/ernestophone/";
|
||||
};
|
||||
};
|
||||
|
||||
serveMedia = false;
|
||||
|
||||
webHookSecret = config.age.secrets."webhook-ernestophone_token".path;
|
||||
|
||||
python = pkgs.python3.override {
|
||||
packageOverrides = _: _: {
|
||||
inherit (nix-pkgs)
|
||||
django-avatar
|
||||
django-cas-ng
|
||||
django-solo
|
||||
loadcredential
|
||||
;
|
||||
};
|
||||
};
|
||||
|
||||
dependencies = ps: [
|
||||
ps.django
|
||||
ps.django-avatar
|
||||
ps.django-colorful
|
||||
ps.gunicorn
|
||||
ps.pillow
|
||||
ps.loadcredential
|
||||
];
|
||||
|
||||
application.module = "Ernestophone";
|
||||
|
||||
credentials = {
|
||||
SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
|
||||
};
|
||||
|
||||
environment = {
|
||||
DJANGO_SETTINGS_MODULE = "Ernestophone.settings";
|
||||
ERNESTOPHONE_ALLOWED_HOSTS = [ "ernestophone.ens.fr" ];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
{
|
||||
dgn-redirections = {
|
||||
permanent = {
|
||||
"www.ernestophone.ens.fr" = "ernestophone.ens.fr";
|
||||
};
|
||||
};
|
||||
}
|
Binary file not shown.
|
@ -1,31 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA 9RRZxLF9tCD5U+9qMdPjANj+uL/8klzK3MV+YW6fhEc
|
||||
gd8gQtbKWfOmN1mDRszw7vEnSg8pPHpHU5JDo9bM/ek
|
||||
-> ssh-ed25519 QlRB9Q hArXwJSPPrZySgU8/YBJwsVfXMhgMy7N72jFcslb1xo
|
||||
H3ifulIpmYpllXTsXh5TYit6JTxZwUs33Rey1qtvQnM
|
||||
-> ssh-ed25519 r+nK/Q jh3gdHmJMBCQbMQdYdko4Igwt0y62eIZaTlNsO/nw1Y
|
||||
NgflhTMQOIbyl1udyCuvRsIDxIkOK+QZbVRHLNThDJs
|
||||
-> ssh-rsa krWCLQ
|
||||
kOodyo51tOrDsqKSyN/WyJXq7Kot54eb66WBfHVVuYqAafQZnaUvSgXInc4Ba8M9
|
||||
+pdwX37zff47gGr/obadKkAGf42xnu7nB8c6T68u/TNwKlQoIUuebEFEdqqp+dFe
|
||||
KY3DlM9LPyMMLO+Tk0t3djE9lp1FkbUeeDOk06rEgQyCs0HATKoa2k/c6/pim6vZ
|
||||
wvu/YxkJAdIIOdkunkKs1kiuCIbeqIQfb2vz/hpBUNI8e8T4S2W7zIVMocRDfYoq
|
||||
dPYj4kHRbnqeyWcobymCuXNdtGnhsT50oS3UGEvr4flaRpREQ+babp1g9uApnU6s
|
||||
oPbmlrwTB50FJA9mxp9rSw
|
||||
-> ssh-ed25519 /vwQcQ SVB+hkmtVwrsNShWD7agmjuZs64+pah596YIFZH/Eww
|
||||
SyRzjAkoKTfNcOMf5OiIVU/wHiPi+rDuXQ0qns9vhf0
|
||||
-> ssh-ed25519 0R97PA mrJuOmOhgGEbRMC/VYvJ++e1RGTTAZl7dzAJPT+6jUo
|
||||
Rn4+0P0spe1Xjn+3twu/cCdKBmsj5y327bESx8FkqJk
|
||||
-> ssh-ed25519 JGx7Ng VXVauDsi3WOxQ2G90ElTdGMueEtVxlQsbUHsceFJTB0
|
||||
AZNRGSyxTZn+L9e9eggyGlINvDSg5hQowBtv0hX954Q
|
||||
-> ssh-ed25519 bUjjig OBwPeegYOacrZxLrlxdVpOkshBCUIYOOgyF6LdOVTjw
|
||||
MJAv6ieAneoAe3//A6b3dBvJCze9uxFVRqlQnkm+rAY
|
||||
-> ssh-ed25519 VQSaNw ldI3O8GyoxhxvrE3okoVvPTrFYnUKNA0See4buKO7GA
|
||||
wcpmfgUNs0MyVcm/VGmwBpkZ++UGkTNDCiqqpYL2XXw
|
||||
-> n>[M-grease _ D--b ? [8U|"=~
|
||||
YZ1c1yZ4273rUu4v+APm/eBy8HQyish8t2zkTvjYFd8/pdA9uRkHogQGIBnlAi3h
|
||||
tq6/02nnT/QgZPcccQCD3SlwzkU0U2qdXIAdGtgzCo0FZsIYdkeU+VyoJDfcVt1o
|
||||
qXc
|
||||
--- lzSSWa0AAP8vhy6RfNChbM71Apmn7b6pLT1CtYFVrpQ
|
||||
<04>Ôï\÷/Áºß£íÄ*‰ŒÿÙi"ºÅåÝa/[Rr
|
||||
O)u^½Ÿ,Ù"%Km£¥<C2A3>zµkÝ°3)›Ù¡‰ø)ÌbS{^§<13>!y°ÅLÉERñ˜Ç
‚Q»uÅE‹EË;Êä´¤VÐ-¶?[ù<>uÑñÏ`Fvè%+$Ú§{¯xŦüg–Qºëiôy°<79>»#.^ìŒÓÎùÈ_*¤=íò×1êîÜCõ ê
~¸
|
|
@ -1,28 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M
|
||||
TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI
|
||||
-> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE
|
||||
nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ
|
||||
-> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE
|
||||
AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY
|
||||
-> ssh-rsa krWCLQ
|
||||
AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH
|
||||
TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC
|
||||
i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl
|
||||
Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4
|
||||
h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev
|
||||
1O7xqUhcRXgFUbDYRjTsLw
|
||||
-> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY
|
||||
zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA
|
||||
-> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g
|
||||
z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54
|
||||
-> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0
|
||||
yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k
|
||||
-> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20
|
||||
FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg
|
||||
-> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM
|
||||
EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg
|
||||
-> /Wa)P<iw-grease (;ag_e g#LM+oA Y n(M-1K+.
|
||||
lWfOmA
|
||||
--- k01yU9ZR8KIyG0JEfcYoP4iBlvqq7J676oPfDLpbvfs
|
||||
ÎD—èŒ<C3A8>Ptáçø4Õ•?6”N|ÐïZƒ³åM/œqo¨[ÄNä
|
|
@ -1,29 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc
|
||||
hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI
|
||||
-> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw
|
||||
S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA
|
||||
-> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8
|
||||
5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM
|
||||
-> ssh-rsa krWCLQ
|
||||
HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz
|
||||
BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL
|
||||
CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5
|
||||
rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS
|
||||
x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ
|
||||
/pcg11dUQpXJdaIiPEowlg
|
||||
-> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM
|
||||
hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk
|
||||
-> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI
|
||||
32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA
|
||||
-> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs
|
||||
i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE
|
||||
-> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw
|
||||
nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4
|
||||
-> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc
|
||||
jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8
|
||||
-> $5-grease (y&6%5f<
|
||||
YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd
|
||||
G+fhmUbFuDj8ZtXg6yk
|
||||
--- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg
|
||||
.¼Zs‡…n}®ì,èémõR€ÏêeÞ)¾bOª¶<C2AA>îնܷ†m8¼z£RyúìT/¦@¿CÜÝôW™¨F5ˆ?<ð.[Ö†r¡Ó[°M
|
|
@ -4,19 +4,14 @@
|
|||
|
||||
(import ../../../../keys).mkSecrets [ "web03" ] [
|
||||
# List of secrets for web03
|
||||
"bupstash-put_key"
|
||||
"dj_annuaire-secret_key_file"
|
||||
"dj_bocal-secret_key_file"
|
||||
"dj_ernestophone-secret_key_file"
|
||||
"dj_ernestophone-password_file"
|
||||
"dj_ernestophone-admins_file"
|
||||
"dj_gestiojeux-secret_key_file"
|
||||
"dj_interludes-email_host_password_file"
|
||||
"dj_interludes-secret_key_file"
|
||||
"dj_wikiens-secret_key_file"
|
||||
"webhook-annuaire_token"
|
||||
"webhook-bocal_token"
|
||||
"webhook-ernestophone_token"
|
||||
"webhook-gestiojeux_token"
|
||||
"webhook-interludes_token"
|
||||
"webhook-wikiens_token"
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA Ifc4K8jusXCbeMSYeAL+3jdvmDK1ojYiSzHJO/uefzk
|
||||
h5ewdTYV3o8+tPCzVWvLtqEM3WxVjtOqTRnrFAwKnes
|
||||
-> ssh-ed25519 QlRB9Q djvVFcR5y+WI5+rED8ztIQZuLfCj2z8wHx3WIutlfjk
|
||||
nsTUZEQRJAAZfNXw2YbzwV+RUJEx6Dmi0ujswMBqIro
|
||||
-> ssh-ed25519 r+nK/Q Ryx2iuVCefSFFMEyRjVbKFxTqaX6D+Ty4B1+6mRLSCg
|
||||
s7YjJa6NESaNZ9wzurlrsovu5ecJNnWLOhD80RnFqV4
|
||||
-> ssh-rsa krWCLQ
|
||||
utXBcdyAmbl463xcacn1+K9UyG78vKG9LW1vJ/q40ltqEsuxktP2C5YgBL2Whcld
|
||||
UYTsNFa3b02HP1wp0fPP4eVyk0NNKqO1rairMAvLJmQk15s0OVCk7LvjZe+Q31m1
|
||||
gYxBSuN4oy7gljtOlIfrHtcRqDMC5IToYSt91pwt/0wgkHDH1OcLap8jaQIuPdc1
|
||||
pQqd6iUTF96kvvp1P6XbvOHH3nVLNw/bITR5BUSqm/YBocJBrDNIL2wXcq27bBMs
|
||||
YqF2nykztoSss+YM40XnHx14wNU0WeocbSYuPKabKvtgV0ry62w+EW5t453TfMng
|
||||
y0dYmBdXVTKgCyL2v/onlA
|
||||
-> ssh-ed25519 /vwQcQ tax06kUoYtjoUZ8k0+2L0cBr9CTpZpWd5Ev1qRh4dWM
|
||||
x2RYQ+53UJnBXz8plzYrpga9JCWgm+WvkjpGg+CpG8M
|
||||
-> ssh-ed25519 0R97PA DoPbx9NVAHTe6NRxT50nwdStoUJRnATQDEKgIyq2hhA
|
||||
6DUg7uQ9L80KzaMJi6h/Nm5EgtLlAI+R01Mke9GpyzQ
|
||||
-> ssh-ed25519 JGx7Ng AG1PM5MB2TlfZoiF29gu01LqhcQ+rEQRQZHFVxdHYG8
|
||||
ePz8kT+axuMZe8MKi1Yj+ZOCITIYjVAuRE2iTScgpyY
|
||||
-> ssh-ed25519 bUjjig SgZgUi5qfE8wK54Mj8P/FJ4QPNs4HUV5qPc9jJTskmY
|
||||
n/fedObFehvhLwd3uhkhfBamFpjZDVK7M1J67BucoPI
|
||||
-> ssh-ed25519 VQSaNw a+SLVFR9PqKgyHfAPTjH4SGkp4XXjz6xz6uMjZgYOg0
|
||||
hv5F5ENsfpU27opx8OT4mvL0waGO+AieG/VXvHNi2hg
|
||||
-> g**u4-grease Fb|HQ E
|
||||
FcQESlzpmCxDtrbCZhddPdNjVROYKj2XsOppqa2GPZsWqQH8cFfKzxjwlNlE7WNF
|
||||
Q3xupVqn8H1Cg98i
|
||||
--- lYBZVJ4DEtBmKhenHOOkQpuPT7TrGGgN1OmTrfCTtY4
|
||||
Žy[§—‘ÀÒh{`Z³öNŠx/ùºóSyFú£–ç
|
||||
+‚¨Õr:¶úÀcJ¸L˜b¿M‹ô™w<E284A2>n+™õœ"§¢—|w¼¯¬kµ*
|
|
@ -99,7 +99,6 @@ let
|
|||
"prometheus" # Prometheus
|
||||
"victoria-metrics" # Victoria Metrics
|
||||
"videos" # Peertube
|
||||
"pub"
|
||||
|
||||
# Garage S3
|
||||
"*.cdn"
|
||||
|
@ -124,6 +123,7 @@ let
|
|||
"netbox" # Netbox
|
||||
"podcasts" # Castopod
|
||||
"push" # Ntfy.sh
|
||||
"pub" # Url de promotion (qrcodes etc...)
|
||||
|
||||
# Static websites
|
||||
"eleves"
|
||||
|
|
|
@ -11,12 +11,7 @@
|
|||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
getExe'
|
||||
mkEnableOption
|
||||
mkOption
|
||||
remove
|
||||
;
|
||||
inherit (lib) mkEnableOption mkOption remove;
|
||||
|
||||
inherit (lib.types)
|
||||
attrs
|
||||
|
@ -39,7 +34,6 @@ let
|
|||
compute01 = "*-*-* *:38:00";
|
||||
storage01 = "*-*-* *:21:00";
|
||||
web01 = "*-*-* *:47:00";
|
||||
web03 = "*-*-* *:13:00";
|
||||
};
|
||||
|
||||
mkJobs = builtins.mapAttrs (
|
||||
|
@ -99,7 +93,7 @@ in
|
|||
"${db}-db".settings = {
|
||||
user = "postgres";
|
||||
command = [
|
||||
(getExe' config.services.postgresql.package "pg_dump")
|
||||
"${lib.getExe' config.services.postgresql.package "pg_dump"}"
|
||||
db
|
||||
];
|
||||
};
|
||||
|
@ -119,8 +113,6 @@ in
|
|||
"storage01"
|
||||
"vault01"
|
||||
"web01"
|
||||
"web02"
|
||||
"web03"
|
||||
];
|
||||
allowed = [ "put" ];
|
||||
}
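Review bot: In the `"${db}-db".settings` hunk, the new `command` entry wraps the call in a string interpolation, `"${lib.getExe' config.services.postgresql.package "pg_dump"}"`, although `getExe'` already returns a string. The parenthesised form `(lib.getExe' config.services.postgresql.package "pg_dump")` is equivalent and avoids the nested quotes inside the list. The enclosing job definition starts and ends outside the hunk.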
|
||||
|
|
|
@ -6,5 +6,4 @@
|
|||
"compute01.key"
|
||||
"storage01.key"
|
||||
"web01.key"
|
||||
"web03.key"
|
||||
]
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA CuALmA0MhxnWOn91YhtxAyn1h3xkoiuRoo4Ew1Eu32Q
|
||||
TRZxY9rF3NM9ulaA6s6SUetVcLT0He9yGaDZ38T9F6A
|
||||
-> ssh-ed25519 QlRB9Q TNA65R5tFs+KXJklNgfPPF12W52Fk6w7epstVzk9Ojw
|
||||
SD3IW1+ngBUkbBJz+53zDFVhne6b5rfVi2ym0UjTwLM
|
||||
-> ssh-ed25519 r+nK/Q b67auhVkYiVwthLGP3z719Ql/kHZQbxuJJgL7NzZiVc
|
||||
kl0ML0yd+QqBm9VZwMcMrZ8uuQkbJySaa9kI4RQFOak
|
||||
-> ssh-rsa krWCLQ
|
||||
NfHVOPshS0CR3ATrPcYAAiX/kAbgqw6mEVhxdTnvbWa8cPpblUpO/gm4UqW2vP0Q
|
||||
XUfvOCgH6ur3joLf/NylqwZ0UkQhmNj2hu8cOtjC4KgTohkMkZZmHlFKM9e3PuSS
|
||||
ZMx0GraugdTUD/ViCplwVxFPBUUblLcAuYx/BcV1hTb0ctbN9afi8DVzuSxoalDj
|
||||
Jy1UakJU0OwguB+ctv9kZcyLyV7zjchiq+dAoIDvkw0Z9bTCz7xhQ6uXAE7ahp3H
|
||||
rvycD/ZkK7h6yhg78x2lIBHP3sPaY3DFMFW9bDLtHYox22RVcm6/7oPbv0hTQ8ob
|
||||
n4Q7MWPF4vL1Xz9zyksetQ
|
||||
-> ssh-ed25519 /vwQcQ YvQmf/qYc6DVQT0gFPGuakvgDg/A76tor3f0+nTjbH4
|
||||
lMQoOb/kimcsSmNnUsUW7XmVdhLMee/s4NACiKi0Xls
|
||||
-> ssh-ed25519 0R97PA LzA+wuKlE3cEOpvGEW29/rx3qCU1X32F8HwJNic2Glg
|
||||
VOBmCcrtGrUk3ERWJL4QszdDtJrfoI/f1xA+X+a+PQk
|
||||
-> ssh-ed25519 JGx7Ng MIxNmk0eTtCUMHiWzklS2zNWdf16EHeOtere8cRoNSk
|
||||
X+gf1Ts9n2U+h6a0herR+WuiRXFS5BhicGKxpHQtQzM
|
||||
-> ssh-ed25519 bUjjig uSweFovyFxnz7Pqc/MCEE5/ZKgEblqs8xb1Ni+qrhS0
|
||||
AUhBDt7YN4x6k34g7mERYbn7rPVPZMmVvmZD668blRs
|
||||
-> m-grease \ %<B.PbZ ^G= >nhHA<}
|
||||
KhUslr0J28p4r62y0bCKOg2jGOx6M7deQ9Y8gfQ9oi7WYiEygoMghWdUP0lnzh3i
|
||||
a+rpJNPtRCIFScDWMazSvnmN6y5Y7W3dmOgLH8aN
|
||||
--- +/Cw6vq7b3Kn4D3/ogaSPxfxHBF0YxLXTxiskuD0vHg
|
||||
ðÎN½UÉÏôbÈ!D~Ò<>¬‰æ¿Aൟ¥1¯,ÙÍòe;y)N$Ô–NøO]9C_l{ œÎ„'Ù-÷q³‹<È°¢:¯ÊMÕ¯Á%ïqŒ¸Œ™í®“‰"Ûªð¦˜A®ÜMhè,iì<69>¦<EFBFBD>S9šÜyp&r /ŒÜÂlÙîÂ!.oƒ…ô¥èAº‰µ{#ƒt<08>ú¶–é4eA-ÆFšßÔ9+ˆ—"¿e¥7»pÏüN”¢BÚ×˶¾Úþ•OÝŸæOIÊ
kDèŒæ‹ˆZ=Pq—ðšQ üGB’²OÅj×ÒhHû+¡ëX<C3AB>¿‰Lά¶ÎP™ 4ÿÐX$¢Áy©÷ßÀxoÞáÄÍ <09>Ɩ܈]â»_‚µ³
\¼M<C2BC>7m.ByŽºlCr†-ŽHM¤“ãuªùu…+X}¦oÛgg.ÌŠG/$¯LXözÁBâ…¾¿¹sÔá©DÉÈK„Ç>þeü~2‡+W–ÿ‚©¹ƒÏq<C38F>Ï¢òPßSÕîRÆIñD {"jD¡‹ƒÉŸ9 åÈ<C3A5>¥= ¬SüÒ=<3D>®—HtHÕêbs¬Ÿµ£+èTÑãà0OŒ :¬£}˜mÓp«©ž¶
|
||||
z¥DÄ‹ƒÇ§±÷žmSå™8èïa±ípë2ÝÞ”° d°ÈÍÕSùròz½²í v#ÇÎœsñíÎÕ‰
0æMù¿ÂÎfÚA%Ó
™Ö³ïçD…뉆P<E280A0>drŠ£ÌX’IW±HôG©¾\IÑ8_ª„Lœ8Š Ù1MÚÚíôµMêz)ö$ì{ªM{S|b=ÙêÏkô*ïO”{Úêz•ª2:6}#–>_¨Ë-$ǪÈÑV‰ãp¨²("Wé«U[>>¤žÌ0Qh°-‰ê]¤§ªÞ†r;d&T¡£vÝ-i†Å]šû$ó°$<24>½aè™E94žéé`žçÐ<>í=!p©Æ[£ºqÖÏ›¦?U•/ÏkÀ… ÍwÓ^¥ZµÚIJèG¬lœiÇâè‘…€ö4C÷áb…ÑF÷´ªà+!Ót<C393>\¶t1ôc¡¯îSÇ~ž€+Òwª‘Ñ·[5¡jùû
g6†&©¯o¼´˜±ôÃ
|
|
@ -38,7 +38,6 @@ let
|
|||
inherit (lib.types)
|
||||
attrs
|
||||
attrsOf
|
||||
bool
|
||||
enum
|
||||
functionTo
|
||||
ints
|
||||
|
@ -130,12 +129,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
serveMedia = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
description = "Wther to serve the MEDIA_ROOT directory with nginx.";
|
||||
};
|
||||
|
||||
env_prefix = mkOption {
|
||||
type = str;
|
||||
default = toUpper name;
|
||||
|
@ -480,18 +473,13 @@ in
|
|||
{
|
||||
virtualHosts = mapAttrs' (
|
||||
name:
|
||||
{
|
||||
domain,
|
||||
nginx,
|
||||
serveMedia,
|
||||
...
|
||||
}:
|
||||
{ domain, nginx, ... }:
|
||||
nameValuePair domain (
|
||||
recursiveUpdate {
|
||||
locations = {
|
||||
"/".proxyPass = "http://unix:/run/django-apps/${name}.sock";
|
||||
"/static/".root = "/run/django-apps/${name}";
|
||||
"/media/".root = mkIf serveMedia "/run/django-apps/${name}";
|
||||
"/media/".root = "/run/django-apps/${name}";
|
||||
};
|
||||
} nginx
|
||||
)
|
||||
|
@ -732,14 +720,5 @@ in
|
|||
) config.extraServices)
|
||||
) cfg.sites);
|
||||
};
|
||||
|
||||
dgn-backups = {
|
||||
# jobs = mapAttrs' (
|
||||
# name: _: nameValuePair "dj-${name}" { settings.paths = [ "/var/lib/private/django-apps/${name}" ]; }
|
||||
# ) cfg.sites;
|
||||
postgresDatabases = builtins.map (name: "dj-${name}") (
|
||||
attrNames (filterAttrs (_: { dbType, ... }: dbType == "postgresql") cfg.sites)
|
||||
);
|
||||
};
|
||||
};
|
||||
}
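Review bot: In the `virtualHosts` hunk, the new side sets `"/media/".root = "/run/django-apps/${name}";` for every site and drops the `serveMedia` option, so nginx serves each site's media directory directly and no Django permission check applies to those files. Whether any configured site keeps uploads that should not be public is not visible here, but the module no longer offers a declared way to opt out. If the unconditional behaviour is intended, I would document it at the location, e.g. `# /media/ is served by nginx without Django auth; sites with private uploads must override this through their nginx option`. That override presumably works through the `recursiveUpdate … nginx` merge and should be confirmed. The `mapAttrs'` call continues outside the hunk.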
|
||||
|
|
|
@ -262,9 +262,9 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "cc01e1c2a6ecb1e38fde35ee54995a6a639fb057",
|
||||
"revision": "e8494b9d6110a97e2225b2fe43d29efa34cd9451",
|
||||
"url": null,
|
||||
"hash": "17a9vlwrk9365ccyl7a5xspqsn9wizcpwdpvr3qdimvq4fpwhjal"
|
||||
"hash": "1r2g3jdr311cn8y0cxvawc6qyp58lbydscp5hxadya2vl810vpln"
|
||||
},
|
||||
"nix-reuse": {
|
||||
"type": "GitRelease",
|
||||
|
@ -346,9 +346,9 @@
|
|||
"url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "d378d1ce00c676fa22ef0808cf73f3e1c34e0191",
|
||||
"revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
|
||||
"url": null,
|
||||
"hash": "00k5i3n1g869g4070ryfdwqnk3k78fan1s8pqmnbq2m7m29hmb8f"
|
||||
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
|
||||
},
|
||||
"wp4nix": {
|
||||
"type": "Git",
|
||||
|
|