Compare commits

..

1 commit

Author SHA1 Message Date
sinavir
bb04e6a88c feat(dns): IPv4 for rescue01
All checks were successful
Check meta / check_meta (push) Successful in 23s
lint / check (push) Successful in 26s
Check meta / check_dns (push) Successful in 44s
build configuration / build_vault01 (pull_request) Successful in 1m5s
build configuration / build_storage01 (pull_request) Successful in 1m9s
build configuration / build_compute01 (pull_request) Successful in 1m13s
build configuration / build_web02 (pull_request) Successful in 58s
build configuration / build_rescue01 (pull_request) Successful in 53s
build configuration / build_web01 (pull_request) Successful in 1m26s
2024-04-03 18:05:05 +02:00
451 changed files with 14292 additions and 16404 deletions

1
.envrc
View file

@ -1,2 +1 @@
watch_file workflows/*
use nix

View file

@ -1,21 +1,22 @@
name: Check meta
on:
push:
paths:
- 'meta/*'
jobs:
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
on:
pull_request:
branches:
- main
push:
paths:
- meta/*
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link

View file

@ -1,16 +0,0 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:
branches:
- main
push:
paths:
- workflows/*

View file

@ -0,0 +1,57 @@
name: ds-fr update
on:
schedule:
# Run at 8 o'clock every day
- cron: "26 18 * * *"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

View file

@ -1,174 +0,0 @@
jobs:
ap01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: ap01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache ap01
run: nix-shell -A eval-nodes --run cache-node
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
hypervisor01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
hypervisor02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
hypervisor03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netcore02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:
branches:
- main
push:
branches:
- main

View file

@ -0,0 +1,70 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build compute01
run: |
# Enter the shell
nix-shell --run 'colmena build --on compute01'
build_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build storage01
run: |
# Enter the shell
nix-shell --run 'colmena build --on storage01'
build_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build vault01
run: |
# Enter the shell
nix-shell --run 'colmena build --on vault01'
build_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web01
run: |
# Enter the shell
nix-shell --run 'colmena build --on web01'
build_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web02
run: |
# Enter the shell
nix-shell --run 'colmena build --on web02'
build_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build rescue01
run: |
# Enter the shell
nix-shell --run 'colmena build --on rescue01'

View file

@ -0,0 +1,11 @@
name: lint
on: push
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.

View file

@ -1,25 +0,0 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 25 15 * * *

View file

@ -1,28 +1,31 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
name = "npins update";
on.schedule = [
name: npins update
on:
schedule:
# Run at 11 o'clock every wednesday
{ cron = "25 15 * * *"; }
];
- cron: "25 15 * * *"
jobs.npins_update = {
runs-on = "nix";
steps = [
{
uses = "actions/checkout@v3";
"with" = {
depth = 0;
token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
};
}
jobs:
npins_update:
runs-on: nix
steps:
# - name: Install applications
# run: apt-get update && apt-get install sudo
#
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
#
# - uses: https://github.com/cachix/install-nix-action@v22
# with:
# nix_path: nixpkgs=channel:nixos-unstable
{
name = "Update dependencies and open PR if necessary";
run = ''
# - name: Install tea
# run: |
# nix-env -f '<nixpkgs>' -i tea
- name: Update dependencies and open PR if necessary
run: |
npins update
if [ ! -z "$(git diff --name-only)" ]; then
@ -41,7 +44,7 @@
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
@ -53,8 +56,3 @@
--head npins-update
fi
fi
'';
}
];
};
}

View file

@ -1,15 +0,0 @@
jobs:
pre-commit:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check stage pre-commit
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-commit --show-diff-on-failure'
- name: Check stage pre-push
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push
- pull_request

View file

@ -1,9 +1,3 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# Contribuer
Quelques éléments à savoir:

547
LICENSE Normal file
View file

@ -0,0 +1,547 @@
CONTRAT DE LICENCE DE LOGICIEL LIBRE CeCILL
Version 2.1 du 2013-06-21
Avertissement
Ce contrat est une licence de logiciel libre issue d'une concertation
entre ses auteurs afin que le respect de deux grands principes préside à
sa rédaction:
* d'une part, le respect des principes de diffusion des logiciels
libres: accès au code source, droits étendus conférés aux utilisateurs,
* d'autre part, la désignation d'un droit applicable, le droit
français, auquel elle est conforme, tant au regard du droit de la
responsabilité civile que du droit de la propriété intellectuelle et
de la protection qu'il offre aux auteurs et titulaires des droits
patrimoniaux sur un logiciel.
Les auteurs de la licence CeCILL (Ce[a] C[nrs] I[nria] L[ogiciel] L[ibre])
sont:
Commissariat à l'énergie atomique et aux énergies alternatives - CEA,
établissement public de recherche à caractère scientifique, technique et
industriel, dont le siège est situé 25 rue Leblanc, immeuble Le Ponant
D, 75015 Paris.
Centre National de la Recherche Scientifique - CNRS, établissement
public à caractère scientifique et technologique, dont le siège est
situé 3 rue Michel-Ange, 75794 Paris cedex 16.
Institut National de Recherche en Informatique et en Automatique -
Inria, établissement public à caractère scientifique et technologique,
dont le siège est situé Domaine de Voluceau, Rocquencourt, BP 105, 78153
Le Chesnay cedex.
Préambule
Ce contrat est une licence de logiciel libre dont l'objectif est de
conférer aux utilisateurs la liberté de modification et de
redistribution du logiciel régi par cette licence dans le cadre d'un
modèle de diffusion en logiciel libre.
L'exercice de ces libertés est assorti de certains devoirs à la charge
des utilisateurs afin de préserver ce statut au cours des
redistributions ultérieures.
L'accessibilité au code source et les droits de copie, de modification
et de redistribution qui en découlent ont pour contrepartie de n'offrir
aux utilisateurs qu'une garantie limitée et de ne faire peser sur
l'auteur du logiciel, le titulaire des droits patrimoniaux et les
concédants successifs qu'une responsabilité restreinte.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs ou des
professionnels avertis possédant des connaissances informatiques
approfondies. Les utilisateurs sont donc invités à charger et tester
l'adéquation du logiciel à leurs besoins dans des conditions permettant
d'assurer la sécurité de leurs systèmes et/ou de leurs données et, plus
généralement, à l'utiliser et l'exploiter dans les mêmes conditions de
sécurité. Ce contrat peut être reproduit et diffusé librement, sous
réserve de le conserver en l'état, sans ajout ni suppression de clauses.
Ce contrat est susceptible de s'appliquer à tout logiciel dont le
titulaire des droits patrimoniaux décide de soumettre l'exploitation aux
dispositions qu'il contient.
Une liste de questions fréquemment posées se trouve sur le site web
officiel de la famille des licences CeCILL
(http://www.cecill.info/index.fr.html) pour toute clarification qui
serait nécessaire.
Article 1 - DEFINITIONS
Dans ce contrat, les termes suivants, lorsqu'ils seront écrits avec une
lettre capitale, auront la signification suivante:
Contrat: désigne le présent contrat de licence, ses éventuelles versions
postérieures et annexes.
Logiciel: désigne le logiciel sous sa forme de Code Objet et/ou de Code
Source et le cas échéant sa documentation, dans leur état au moment de
l'acceptation du Contrat par le Licencié.
Logiciel Initial: désigne le Logiciel sous sa forme de Code Source et
éventuellement de Code Objet et le cas échéant sa documentation, dans
leur état au moment de leur première diffusion sous les termes du Contrat.
Logiciel Modifié: désigne le Logiciel modifié par au moins une
Contribution.
Code Source: désigne l'ensemble des instructions et des lignes de
programme du Logiciel et auquel l'accès est nécessaire en vue de
modifier le Logiciel.
Code Objet: désigne les fichiers binaires issus de la compilation du
Code Source.
Titulaire: désigne le ou les détenteurs des droits patrimoniaux d'auteur
sur le Logiciel Initial.
Licencié: désigne le ou les utilisateurs du Logiciel ayant accepté le
Contrat.
Contributeur: désigne le Licencié auteur d'au moins une Contribution.
Concédant: désigne le Titulaire ou toute personne physique ou morale
distribuant le Logiciel sous le Contrat.
Contribution: désigne l'ensemble des modifications, corrections,
traductions, adaptations et/ou nouvelles fonctionnalités intégrées dans
le Logiciel par tout Contributeur, ainsi que tout Module Interne.
Module: désigne un ensemble de fichiers sources y compris leur
documentation qui permet de réaliser des fonctionnalités ou services
supplémentaires à ceux fournis par le Logiciel.
Module Externe: désigne tout Module, non dérivé du Logiciel, tel que ce
Module et le Logiciel s'exécutent dans des espaces d'adressage
différents, l'un appelant l'autre au moment de leur exécution.
Module Interne: désigne tout Module lié au Logiciel de telle sorte
qu'ils s'exécutent dans le même espace d'adressage.
GNU GPL: désigne la GNU General Public License dans sa version 2 ou
toute version ultérieure, telle que publiée par Free Software Foundation
Inc.
GNU Affero GPL: désigne la GNU Affero General Public License dans sa
version 3 ou toute version ultérieure, telle que publiée par Free
Software Foundation Inc.
EUPL: désigne la Licence Publique de l'Union européenne dans sa version
1.1 ou toute version ultérieure, telle que publiée par la Commission
Européenne.
Parties: désigne collectivement le Licencié et le Concédant.
Ces termes s'entendent au singulier comme au pluriel.
Article 2 - OBJET
Le Contrat a pour objet la concession par le Concédant au Licencié d'une
licence non exclusive, cessible et mondiale du Logiciel telle que
définie ci-après à l'article 5 <#etendue> pour toute la durée de
protection des droits portant sur ce Logiciel.
Article 3 - ACCEPTATION
3.1 L'acceptation par le Licencié des termes du Contrat est réputée
acquise du fait du premier des faits suivants:
* (i) le chargement du Logiciel par tout moyen notamment par
téléchargement à partir d'un serveur distant ou par chargement à
partir d'un support physique;
* (ii) le premier exercice par le Licencié de l'un quelconque des
droits concédés par le Contrat.
3.2 Un exemplaire du Contrat, contenant notamment un avertissement
relatif aux spécificités du Logiciel, à la restriction de garantie et à
la limitation à un usage par des utilisateurs expérimentés a été mis à
disposition du Licencié préalablement à son acceptation telle que
définie à l'article 3.1 <#acceptation-acquise> ci dessus et le Licencié
reconnaît en avoir pris connaissance.
Article 4 - ENTREE EN VIGUEUR ET DUREE
4.1 ENTREE EN VIGUEUR
Le Contrat entre en vigueur à la date de son acceptation par le Licencié
telle que définie en 3.1 <#acceptation-acquise>.
4.2 DUREE
Le Contrat produira ses effets pendant toute la durée légale de
protection des droits patrimoniaux portant sur le Logiciel.
Article 5 - ETENDUE DES DROITS CONCEDES
Le Concédant concède au Licencié, qui accepte, les droits suivants sur
le Logiciel pour toutes destinations et pour la durée du Contrat dans
les conditions ci-après détaillées.
Par ailleurs, si le Concédant détient ou venait à détenir un ou
plusieurs brevets d'invention protégeant tout ou partie des
fonctionnalités du Logiciel ou de ses composants, il s'engage à ne pas
opposer les éventuels droits conférés par ces brevets aux Licenciés
successifs qui utiliseraient, exploiteraient ou modifieraient le
Logiciel. En cas de cession de ces brevets, le Concédant s'engage à
faire reprendre les obligations du présent alinéa aux cessionnaires.
5.1 DROIT D'UTILISATION
Le Licencié est autorisé à utiliser le Logiciel, sans restriction quant
aux domaines d'application, étant ci-après précisé que cela comporte:
1.
la reproduction permanente ou provisoire du Logiciel en tout ou
partie par tout moyen et sous toute forme.
2.
le chargement, l'affichage, l'exécution, ou le stockage du Logiciel
sur tout support.
3.
la possibilité d'en observer, d'en étudier, ou d'en tester le
fonctionnement afin de déterminer les idées et principes qui sont à
la base de n'importe quel élément de ce Logiciel; et ceci, lorsque
le Licencié effectue toute opération de chargement, d'affichage,
d'exécution, de transmission ou de stockage du Logiciel qu'il est en
droit d'effectuer en vertu du Contrat.
5.2 DROIT D'APPORTER DES CONTRIBUTIONS
Le droit d'apporter des Contributions comporte le droit de traduire,
d'adapter, d'arranger ou d'apporter toute autre modification au Logiciel
et le droit de reproduire le logiciel en résultant.
Le Licencié est autorisé à apporter toute Contribution au Logiciel sous
réserve de mentionner, de façon explicite, son nom en tant qu'auteur de
cette Contribution et la date de création de celle-ci.
5.3 DROIT DE DISTRIBUTION
Le droit de distribution comporte notamment le droit de diffuser, de
transmettre et de communiquer le Logiciel au public sur tout support et
par tout moyen ainsi que le droit de mettre sur le marché à titre
onéreux ou gratuit, un ou des exemplaires du Logiciel par tout procédé.
Le Licencié est autorisé à distribuer des copies du Logiciel, modifié ou
non, à des tiers dans les conditions ci-après détaillées.
5.3.1 DISTRIBUTION DU LOGICIEL SANS MODIFICATION
Le Licencié est autorisé à distribuer des copies conformes du Logiciel,
sous forme de Code Source ou de Code Objet, à condition que cette
distribution respecte les dispositions du Contrat dans leur totalité et
soit accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et que, dans le cas où seul le Code Objet du Logiciel est redistribué,
le Licencié permette un accès effectif au Code Source complet du
Logiciel pour une durée d'au moins 3 ans à compter de la distribution du
logiciel, étant entendu que le coût additionnel d'acquisition du Code
Source ne devra pas excéder le simple coût de transfert des données.
5.3.2 DISTRIBUTION DU LOGICIEL MODIFIE
Lorsque le Licencié apporte une Contribution au Logiciel, les conditions
de distribution du Logiciel Modifié en résultant sont alors soumises à
l'intégralité des dispositions du Contrat.
Le Licencié est autorisé à distribuer le Logiciel Modifié, sous forme de
code source ou de code objet, à condition que cette distribution
respecte les dispositions du Contrat dans leur totalité et soit
accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et, dans le cas où seul le code objet du Logiciel Modifié est redistribué,
3.
d'une note précisant les conditions d'accès effectif au code source
complet du Logiciel Modifié, pendant une période d'au moins 3 ans à
compter de la distribution du Logiciel Modifié, étant entendu que le
coût additionnel d'acquisition du code source ne devra pas excéder
le simple coût de transfert des données.
5.3.3 DISTRIBUTION DES MODULES EXTERNES
Lorsque le Licencié a développé un Module Externe les conditions du
Contrat ne s'appliquent pas à ce Module Externe, qui peut être distribué
sous un contrat de licence différent.
5.3.4 COMPATIBILITE AVEC D'AUTRES LICENCES
Le Licencié peut inclure un code soumis aux dispositions d'une des
versions de la licence GNU GPL, GNU Affero GPL et/ou EUPL dans le
Logiciel modifié ou non et distribuer l'ensemble sous les conditions de
la même version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Le Licencié peut inclure le Logiciel modifié ou non dans un code soumis
aux dispositions d'une des versions de la licence GNU GPL, GNU Affero
GPL et/ou EUPL et distribuer l'ensemble sous les conditions de la même
version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Article 6 - PROPRIETE INTELLECTUELLE
6.1 SUR LE LOGICIEL INITIAL
Le Titulaire est détenteur des droits patrimoniaux sur le Logiciel
Initial. Toute utilisation du Logiciel Initial est soumise au respect
des conditions dans lesquelles le Titulaire a choisi de diffuser son
oeuvre et nul autre n'a la faculté de modifier les conditions de
diffusion de ce Logiciel Initial.
Le Titulaire s'engage à ce que le Logiciel Initial reste au moins régi
par le Contrat et ce, pour la durée visée à l'article 4.2 <#duree>.
6.2 SUR LES CONTRIBUTIONS
Le Licencié qui a développé une Contribution est titulaire sur celle-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable.
6.3 SUR LES MODULES EXTERNES
Le Licencié qui a développé un Module Externe est titulaire sur celui-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable et reste libre du choix du contrat régissant
sa diffusion.
6.4 DISPOSITIONS COMMUNES
Le Licencié s'engage expressément:
1.
à ne pas supprimer ou modifier de quelque manière que ce soit les
mentions de propriété intellectuelle apposées sur le Logiciel;
2.
à reproduire à l'identique lesdites mentions de propriété
intellectuelle sur les copies du Logiciel modifié ou non.
Le Licencié s'engage à ne pas porter atteinte, directement ou
indirectement, aux droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs sur le Logiciel et à prendre, le cas échéant, à
l'égard de son personnel toutes les mesures nécessaires pour assurer le
respect des dits droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs.
Article 7 - SERVICES ASSOCIES
7.1 Le Contrat n'oblige en aucun cas le Concédant à la réalisation de
prestations d'assistance technique ou de maintenance du Logiciel.
Cependant le Concédant reste libre de proposer ce type de services. Les
termes et conditions d'une telle assistance technique et/ou d'une telle
maintenance seront alors déterminés dans un acte séparé. Ces actes de
maintenance et/ou assistance technique n'engageront que la seule
responsabilité du Concédant qui les propose.
7.2 De même, tout Concédant est libre de proposer, sous sa seule
responsabilité, à ses licenciés une garantie, qui n'engagera que lui,
lors de la redistribution du Logiciel et/ou du Logiciel Modifié et ce,
dans les conditions qu'il souhaite. Cette garantie et les modalités
financières de son application feront l'objet d'un acte séparé entre le
Concédant et le Licencié.
Article 8 - RESPONSABILITE
8.1 Sous réserve des dispositions de l'article 8.2
<#limite-responsabilite>, le Licencié a la faculté, sous réserve de
prouver la faute du Concédant concerné, de solliciter la réparation du
préjudice direct qu'il subirait du fait du Logiciel et dont il apportera
la preuve.
8.2 La responsabilité du Concédant est limitée aux engagements pris en
application du Contrat et ne saurait être engagée en raison notamment:
(i) des dommages dus à l'inexécution, totale ou partielle, de ses
obligations par le Licencié, (ii) des dommages directs ou indirects
découlant de l'utilisation ou des performances du Logiciel subis par le
Licencié et (iii) plus généralement d'un quelconque dommage indirect. En
particulier, les Parties conviennent expressément que tout préjudice
financier ou commercial (par exemple perte de données, perte de
bénéfices, perte d'exploitation, perte de clientèle ou de commandes,
manque à gagner, trouble commercial quelconque) ou toute action dirigée
contre le Licencié par un tiers, constitue un dommage indirect et
n'ouvre pas droit à réparation par le Concédant.
Article 9 - GARANTIE
9.1 Le Licencié reconnaît que l'état actuel des connaissances
scientifiques et techniques au moment de la mise en circulation du
Logiciel ne permet pas d'en tester et d'en vérifier toutes les
utilisations ni de détecter l'existence d'éventuels défauts. L'attention
du Licencié a été attirée sur ce point sur les risques associés au
chargement, à l'utilisation, la modification et/ou au développement et à
la reproduction du Logiciel qui sont réservés à des utilisateurs avertis.
Il relève de la responsabilité du Licencié de contrôler, par tous
moyens, l'adéquation du produit à ses besoins, son bon fonctionnement et
de s'assurer qu'il ne causera pas de dommages aux personnes et aux biens.
9.2 Le Concédant déclare de bonne foi être en droit de concéder
l'ensemble des droits attachés au Logiciel (comprenant notamment les
droits visés à l'article 5 <#etendue>).
9.3 Le Licencié reconnaît que le Logiciel est fourni "en l'état" par le
Concédant sans autre garantie, expresse ou tacite, que celle prévue à
l'article 9.2 <#bonne-foi> et notamment sans aucune garantie sur sa
valeur commerciale, son caractère sécurisé, innovant ou pertinent.
En particulier, le Concédant ne garantit pas que le Logiciel est exempt
d'erreur, qu'il fonctionnera sans interruption, qu'il sera compatible
avec l'équipement du Licencié et sa configuration logicielle ni qu'il
remplira les besoins du Licencié.
9.4 Le Concédant ne garantit pas, de manière expresse ou tacite, que le
Logiciel ne porte pas atteinte à un quelconque droit de propriété
intellectuelle d'un tiers portant sur un brevet, un logiciel ou sur tout
autre droit de propriété. Ainsi, le Concédant exclut toute garantie au
profit du Licencié contre les actions en contrefaçon qui pourraient être
diligentées au titre de l'utilisation, de la modification, et de la
redistribution du Logiciel. Néanmoins, si de telles actions sont
exercées contre le Licencié, le Concédant lui apportera son expertise
technique et juridique pour sa défense. Cette expertise technique et
juridique est déterminée au cas par cas entre le Concédant concerné et
le Licencié dans le cadre d'un protocole d'accord. Le Concédant dégage
toute responsabilité quant à l'utilisation de la dénomination du
Logiciel par le Licencié. Aucune garantie n'est apportée quant à
l'existence de droits antérieurs sur le nom du Logiciel et sur
l'existence d'une marque.
Article 10 - RESILIATION
10.1 En cas de manquement par le Licencié aux obligations mises à sa
charge par le Contrat, le Concédant pourra résilier de plein droit le
Contrat trente (30) jours après notification adressée au Licencié et
restée sans effet.
10.2 Le Licencié dont le Contrat est résilié n'est plus autorisé à
utiliser, modifier ou distribuer le Logiciel. Cependant, toutes les
licences qu'il aura concédées antérieurement à la résiliation du Contrat
resteront valides sous réserve qu'elles aient été effectuées en
conformité avec le Contrat.
Article 11 - DISPOSITIONS DIVERSES
11.1 CAUSE EXTERIEURE
Aucune des Parties ne sera responsable d'un retard ou d'une défaillance
d'exécution du Contrat qui serait dû à un cas de force majeure, un cas
fortuit ou une cause extérieure, telle que, notamment, le mauvais
fonctionnement ou les interruptions du réseau électrique ou de
télécommunication, la paralysie du réseau liée à une attaque
informatique, l'intervention des autorités gouvernementales, les
catastrophes naturelles, les dégâts des eaux, les tremblements de terre,
le feu, les explosions, les grèves et les conflits sociaux, l'état de
guerre...
11.2 Le fait, par l'une ou l'autre des Parties, d'omettre en une ou
plusieurs occasions de se prévaloir d'une ou plusieurs dispositions du
Contrat, ne pourra en aucun cas impliquer renonciation par la Partie
intéressée à s'en prévaloir ultérieurement.
11.3 Le Contrat annule et remplace toute convention antérieure, écrite
ou orale, entre les Parties sur le même objet et constitue l'accord
entier entre les Parties sur cet objet. Aucune addition ou modification
aux termes du Contrat n'aura d'effet à l'égard des Parties à moins
d'être faite par écrit et signée par leurs représentants dûment habilités.
11.4 Dans l'hypothèse où une ou plusieurs des dispositions du Contrat
s'avèrerait contraire à une loi ou à un texte applicable, existants ou
futurs, cette loi ou ce texte prévaudrait, et les Parties feraient les
amendements nécessaires pour se conformer à cette loi ou à ce texte.
Toutes les autres dispositions resteront en vigueur. De même, la
nullité, pour quelque raison que ce soit, d'une des dispositions du
Contrat ne saurait entraîner la nullité de l'ensemble du Contrat.
11.5 LANGUE
Le Contrat est rédigé en langue française et en langue anglaise, ces
deux versions faisant également foi.
Article 12 - NOUVELLES VERSIONS DU CONTRAT
12.1 Toute personne est autorisée à copier et distribuer des copies de
ce Contrat.
12.2 Afin d'en préserver la cohérence, le texte du Contrat est protégé
et ne peut être modifié que par les auteurs de la licence, lesquels se
réservent le droit de publier périodiquement des mises à jour ou de
nouvelles versions du Contrat, qui posséderont chacune un numéro
distinct. Ces versions ultérieures seront susceptibles de prendre en
compte de nouvelles problématiques rencontrées par les logiciels libres.
12.3 Tout Logiciel diffusé sous une version donnée du Contrat ne pourra
faire l'objet d'une diffusion ultérieure que sous la même version du
Contrat ou une version postérieure, sous réserve des dispositions de
l'article 5.3.4 <#compatibilite>.
Article 13 - LOI APPLICABLE ET COMPETENCE TERRITORIALE
13.1 Le Contrat est régi par la loi française. Les Parties conviennent
de tenter de régler à l'amiable les différends ou litiges qui
viendraient à se produire par suite ou à l'occasion du Contrat.
13.2 A défaut d'accord amiable dans un délai de deux (2) mois à compter
de leur survenance et sauf situation relevant d'une procédure d'urgence,
les différends ou litiges seront portés par la Partie la plus diligente
devant les Tribunaux compétents de Paris.

View file

@ -1,155 +0,0 @@
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensors permission is not necessary for any reasonfor example, because of any applicable exception or limitation to copyrightthen that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
Section 1 Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
k. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
Section 2 Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.
A. Offer from the Licensor Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
Section 3 License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Section 4 Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
Section 8 Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at creativecommons.org.

View file

@ -1,121 +0,0 @@
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.

View file

@ -1,190 +0,0 @@
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the EUPL) applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
The Licence:this Licence.
The Original Work:the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
Derivative Works:the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
The Work:the Original Work or its Derivative Works.
The Source Code:the human-readable form of the Work which is the most convenient for people to study and
modify.
The Executable Code:any code which has generally been compiled and which is meant to be interpreted by
a computer as a program.
The Licensor:the natural or legal person that distributes or communicates the Work under the Licence.
Contributor(s):any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
The Licensee or You:any natural or legal person who makes any usage of the Work under the terms of the
Licence.
Distribution or Communication:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating
EUPL v. 1.2 only. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, Compatible Licence refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or bugs inherent to this type of development.
For the above reason, the Work is provided under the Licence on an as is basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon I agree placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
and the way it may be accessible, concluded, stored and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office,
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
a European Union Member State.
Appendix
Compatible Licences according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

View file

@ -1,9 +0,0 @@
MIT License
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

118
README.md
View file

@ -1,124 +1,8 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# ❄️ infrastructure
The dgnum infrastructure.
# Contributing
Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
You're expected to read this document before commiting to the repo.
Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Using the binary cache
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
```
{ lib, ... }:
let
dgnum-infra = PINNED_PATH_TO_INFRA;
in {
nix.settings = (import dgnum-infra { }).mkCacheSettings {
caches = [ "infra" ];
};
}
```
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
(import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02
]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.

View file

@ -1,42 +0,0 @@
version = 1
[[annotations]]
SPDX-FileCopyrightText = "NONE"
SPDX-License-Identifier = "CC0-1.0"
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = [".forgejo/workflows/*"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/06-netbox-qrcode.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "MIT"
path = "lib/colmena/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
SPDX-License-Identifier = "EUPL-1.2"
path = "**/npins/*"
precedence = "closest"

View file

@ -1,137 +1,62 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
/*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
}:
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
*/
let
inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
sources = import ./npins;
pkgs = import sources.nixpkgs { };
nix-reuse = import sources.nix-reuse { inherit pkgs; };
git-checks = (import sources.git-hooks).run {
pre-commit-check = (import sources.pre-commit-hooks).run {
src = ./.;
hooks = {
statix = {
# Nix Hooks
statix.enable = true;
deadnix.enable = true;
rfc101 = {
enable = true;
stages = [ "pre-push" ];
settings.ignore = [
"**/lon.nix"
"**/npins"
];
};
deadnix = {
enable = true;
stages = [ "pre-push" ];
};
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
package = pkgs.nixfmt-rfc-style;
};
reuse = nix-reuse.hook {
enable = true;
stages = [ "pre-push" ];
name = "RFC-101 formatting";
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
files = "\\.nix$";
};
# Misc Hooks
commitizen.enable = true;
};
};
reuse = nix-reuse.install {
defaultLicense = "EUPL-1.2";
defaultCopyright = "La Délégation Générale Numérique <contact@dgnum.eu>";
downloadLicenses = true;
generatedPaths = [
"**/.envrc"
"**/Cargo.lock"
"**/_hardware-configuration.nix"
".gitignore"
"REUSE.toml"
"shell.nix"
];
annotations = [
# Auto-generated workflow files using nix-actions
{ path = [ ".forgejo/workflows/*" ]; }
# Secrets
{
path = [
"machines/**/secrets/*"
"modules/nixos/dgn-backups/keys/*"
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-records/__arkheon-token_file"
];
license = "CC-BY-NC-ND-4.0";
}
# Patches
{
path = [
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
];
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
}
{
path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
}
# colmena wrapper
{
path = "lib/colmena/*";
license = "MIT";
}
# npins generated files
{
path = "**/npins/*";
license = "EUPL-1.2";
copyright = "The [npins](https://github.com/andir/npins) contributors";
}
];
};
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
scripts = import ./scripts { inherit pkgs sources; };
in
{
@ -141,45 +66,37 @@ in
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages =
(
with pkgs;
[
npins
nixos-generators
]
++ (builtins.map (p: callPackage p { }) [
(sources.disko + "/package.nix")
./lib/colmena
])
)
++ (import ./scripts { inherit pkgs; });
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
shellHook = ''
${pre-commit-check.shellHook}
'';
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
preferLocalBuild = true;
};
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
pre-commit = pkgs.mkShell {
name = "pre-commit-shell";
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
${reuse.shellHook}
'';
preferLocalBuild = true;
###
# Alternative shells
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
shellHook = ''
${pre-commit-check.shellHook}
'';
};
};
}

234
hive.nix
View file

@ -1,222 +1,78 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
sources' = import ./npins;
sources = import ./npins;
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
lib = import (sources.nix-lib + "/src/trivial.nix");
nix-lib = import ./lib/nix-lib;
inherit (nix-lib) mapSingleFuse;
patch = import sources.nix-patches { patchFile = ./patches; };
patch = import ./lib/nix-patches { patchFile = ./patches; };
nodes' = import ./meta/nodes;
nodes' = import ./meta/nodes.nix;
nodes = builtins.attrNames nodes';
mkNode = node: {
deployment.systemType = system node;
# Import the base configuration for each node
imports = builtins.map (lib.mkRel (./machines/${node})) [
"_configuration.nix"
"_hardware-configuration.nix"
];
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions × systems, instanciated
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs.version;
system = node: nodes'.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
mkNixpkgs =
node:
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
src = sources.${version};
version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
};
# Build up the nixpkgs configuration for Liminix embedded systems
mkLiminixConfig =
system: _:
(import "${sources.liminix}/devices/${system}").system
// {
overlays = [ (import "${sources.liminix}/overlay.nix") ];
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.8" # Python < 3.x is needed for kernel backports.
];
};
};
# Build up the arguments to instantiate a nixpkgs given a system and a version.
mkNixpkgsConfig =
system:
{
nixos = _: { };
zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { };
}
.${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
# Instanciates the required nixpkgs version
mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
mkNixpkgs' = node: import (mkNixpkgs node) { };
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = sourcePkgs.lib // {
extra = nix-lib;
lib = import sources.nix-lib {
inherit (mkNixpkgs' node) lib;
keysRoot = ./keys;
};
sourcePkgs = nodePkgs node;
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
nodePath = "machines/${category node}/${node}";
};
in
# nodes = builtins.attrNames metadata.nodes;
{
meta = {
nixpkgs = import nixpkgs.nixos.unstable.path;
nodeNixpkgs = mapSingleFuse nodePkgs nodes;
nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
specialArgs = {
inherit nixpkgs sources;
dgn-keys = import ./keys;
inherit sources;
};
nodeSpecialArgs = mapSingleFuse mkArgs nodes;
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
};
registry = {
zyxel-nwa50ax = {
evalConfig =
args:
(import "${sources.liminix}/lib/eval-config.nix" {
nixpkgs = args.specialArgs.sourcePkgs.path;
})
args;
defaults =
{ meta, name, ... }:
{
# Import the default modules
imports = [ ./modules ];
defaults =
{ name, nodePath, ... }:
{
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}/_configuration.nix
./modules/generic
./modules/${category name}
];
# It's impure, but who cares?
# Can Flakes even do that? :)
nixpkgs.buildPlatform = builtins.currentSystem;
};
# Include default secrets
age-secrets.sources = [ (./machines + "/${name}/secrets") ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (meta.nodes.${name}) deployment;
# Set NIX_PATH to the patched version of nixpkgs
nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
nix.optimise.automatic = true;
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (meta.nodes.${name}) stateVersion;
};
};
netconf = {
evalConfig = nixpkgs.nixos.unstable.lib.evalModules;
defaults =
{
name,
nodeMeta,
nodePath,
...
}:
{
_module.args = {
pkgs = nixpkgs.nixos.unstable;
};
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}.nix
./modules/netconf
./lib/netconf-junos
"${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
];
system.host-name = name;
inherit (nodeMeta) deployment;
};
};
nixos = {
evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args;
defaults =
{
lib,
name,
nodes,
nodeMeta,
nodePath,
meta,
sourcePkgs,
...
}:
{
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}/_configuration.nix
./modules/generic
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
./modules/${category name}
];
_module.args.serverNodes = lib.filterAttrs (
name: _: meta.nodes.${name}.nixpkgs.system == "nixos"
) nodes;
# Include default secrets
age-secrets.sources = [ ./${nodePath}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${builtins.storePath sourcePkgs.path}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
settings =
{
substituters = [ "https://tvix-store.dgnum.eu/infra" ];
}
// (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
caches = [ "infra" ];
});
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
};
};
}
// (mapSingleFuse mkNode nodes)
// (lib.mapSingleFuse mkNode nodes)

6
iso/build-iso.sh Normal file → Executable file
View file

@ -1,9 +1,5 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
NIXPKGS=$(nix-build nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

View file

@ -1,13 +1,9 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
let
dgn-keys = import ../keys;
dgn-lib = import ../lib { };
dgn-members = (import ../meta lib).organization.groups.root;
dgn-members = (import ../meta).members.groups.iso;
in
{
@ -15,7 +11,7 @@ in
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_6_1;
tmp.cleanOnBoot = true;
loader = {
@ -26,7 +22,6 @@ in
supportedFilesystems = [
"exfat"
"zfs"
"bcachefs"
];
swraid.enable = lib.mkForce false;
@ -38,5 +33,7 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
}

View file

@ -1,7 +1 @@
<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Script pour installer automatiquement NixOS sur les machines de la DGNum

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
bootDevice=
rootDevice=

View file

@ -1,10 +1,5 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";
inherit (import ../npins) nixpkgs;
in
(import nixpkgs { }).srcOnly {

View file

@ -1,101 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
_sources = import ../npins;
meta = import ../meta (import _sources.nixpkgs { }).lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
hypervisor01 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
];
hypervisor02 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
];
hypervisor03 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}

2
keys/gdd.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

2
keys/jemagius.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=

2
keys/luj.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu

1
keys/machines/geo01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4

1
keys/machines/geo02.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket

View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf

View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ

View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW

1
keys/machines/web01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5

1
keys/machines/web02.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm

1
keys/mdebray.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris

3
keys/raito.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

3
keys/thubrecht.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn

33
lib/default.nix Normal file
View file

@ -0,0 +1,33 @@
_:
let
sources = import ../npins;
lib = import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
keysRoot = ../keys;
};
meta = import ../meta lib;
inherit (lib.extra) getAllKeys;
in
lib.extra
// rec {
# Get publickeys associated to a node
getNodeKeys =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (getAllKeys names);
rootKeys = getAllKeys meta.organization.groups.root;
machineKeys =
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
}

View file

@ -1,116 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
name,
...
}:
let
inherit (lib) mapAttrs mkOption;
inherit (lib.types)
attrsOf
bool
str
any
submodule
package
;
mandatory.options = {
supportPoE = mkOption {
type = bool;
example = true;
description = ''
Whether this interface supports PoE.
'';
};
};
in
{
imports = [
./interfaces.nix
./poe.nix
./protocols.nix
./system.nix
./vlans.nix
];
options = {
# Hack because of this https://git.dgnum.eu/DGNum/colmena/src/commit/71b1b660f2cda2e34e134d0028cafbd56bb22008/src/nix/hive/eval.nix#L166 which defines nixpkgs option but we don't have it here. What about liminix ?
nixpkgs = mkOption {
type = attrsOf any;
default = { };
};
netconf = {
xmls.configuration = mkOption {
type = str;
readOnly = true;
description = ''
The full configuration to send to a JunOS.
'';
};
mandatoryInterfaces = mkOption {
type = attrsOf (submodule mandatory);
example = {
"ge-0/0/0" = {
supportPoE = true;
};
"ge-0/0/1" = {
supportPoE = true;
};
"xe-0/0/0" = {
supportPoE = false;
};
};
description = ''
JunOS require some interfaces to always be configured (even if they are disabled),
which correspond to physical interfaces of the switch. They have to be declared here
with some information about it (only if it supports PoE for now).
'';
};
rpc = mkOption {
type = package;
readOnly = true;
};
};
};
config = {
interfaces =
let
mkIntf = _: _: { };
in
mapAttrs mkIntf config.netconf.mandatoryInterfaces;
netconf = {
xmls.configuration = with config.netconf.xmls; ''
<configuration>
${system}
${interfaces}
${protocols}
${vlans}
${poe}
</configuration>
'';
rpc = pkgs.writeText "${name}.rpc" ''
<rpc>
<edit-config>
<config>
${config.netconf.xmls.configuration}
</config>
<target>
<candidate/>
</target>
</edit-config>
</rpc>
<rpc>
<commit/>
</rpc>
'';
};
};
}

View file

@ -1,172 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
enum
ints
listOf
str
submodule
;
interface =
{ name, config, ... }:
let
unit =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "this logical interface" // {
default = true;
example = false;
};
family = {
ethernet-switching = {
enable = mkEnableOption "the ethernet switching on this logical interface";
interface-mode = mkOption {
type = enum [
"trunk"
"access"
];
description = ''
Mode of operation for vlan addressing of this interface.
"trunk" means that the traffic is tagged, "access" means the
traffic is tagged by the switch.
'';
};
vlans = mkOption {
type = listOf (either str ints.unsigned);
default = [ ];
description = ''
Vlans that can be used on this interface.
Only one ID should be here for "access" mode of operation.
'';
};
};
#TODO : DHCP
inet = {
enable = mkEnableOption "the IPv4 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv4 addresses of this interface.
'';
};
};
inet6 = {
enable = mkEnableOption "the IPv6 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv6 addresses of this interface.
'';
};
};
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
members = map (
vlan: "<members>${builtins.toString vlan}</members>"
) config.family.ethernet-switching.vlans;
eth = optionalString config.family.ethernet-switching.enable ''
<ethernet-switching>
<interface-mode>${config.family.ethernet-switching.interface-mode}</interface-mode>
<vlan>${builtins.concatStringsSep "" members}</vlan>
<storm-control><profile-name>default</profile-name></storm-control>
</ethernet-switching>
'';
addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
inet = optionalString config.family.inet.enable ''
<inet>
<address>${builtins.concatStringsSep "" addr4}</address>
</inet>
'';
addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
inet6 = optionalString config.family.inet6.enable ''
<inet6>
<address>${builtins.concatStringsSep "" addr6}</address>
</inet6>
'';
in
''
<unit>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
<family>
${eth}${inet}${inet6}
</family>
</unit>'';
};
in
{
options = {
enable = mkEnableOption "this physical interface";
unit = mkOption {
type = attrsOf (submodule unit);
default = { };
description = ''
Configuration of the logical interfaces on this physical interface.
'';
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
units = mapAttrsToList (_: unit: unit.xml) config.unit;
in
''
<interface>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
${builtins.concatStringsSep "" units}
</interface>
'';
};
in
{
options = {
interfaces = mkOption {
type = attrsOf (submodule interface);
description = ''
The interfaces configuration.
'';
};
netconf.xmls.interfaces = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.interfaces = ''
<interfaces operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.interfaces)}
</interfaces>
'';
}

View file

@ -1,53 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types) attrsOf str submodule;
interface-module =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "the PoE for this interface";
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml = ''
<interface><name>${name}</name>${optionalString (!config.enable) "<disable/>"}</interface>
'';
};
in
{
options = {
poe.interfaces = mkOption {
type = attrsOf (submodule interface-module);
default = { };
description = ''
PoE configuration of interfaces.
'';
};
netconf.xmls.poe = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.poe = ''
<poe operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.poe.interfaces)}
</poe>
'';
}

View file

@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib) concatMapStringsSep mkOption;
inherit (lib.types) listOf str;
in
{
options = {
protocols.rstp = mkOption {
type = listOf str;
description = ''
List of interfaces on which Rapid Spanning Tree Protocol should be enabled.
'';
};
netconf.xmls.protocols = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.protocols = ''
<protocols>
<rstp operation="replace">
${
concatMapStringsSep "" (intf: "<interface><name>${intf}</name></interface>") config.protocols.rstp
}
</rstp>
</protocols>
'';
}

View file

@ -1,95 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatStrings
concatStringsSep
filter
hasPrefix
length
mkOption
splitString
;
inherit (lib.types)
enum
listOf
port
str
;
in
{
options = {
system = {
host-name = mkOption {
type = str;
description = "The hostname of the switch.";
};
root-authentication = {
hashedPasswd = mkOption {
type = str;
description = "Hashed password for root.";
};
ssh-keys = mkOption {
type = listOf str;
description = "ssh keys for root user.";
default = [ ];
};
};
services = {
ssh.root-login = mkOption {
type = enum [
"allow"
"deny"
"deny-password"
];
description = "Login policy to use for root.";
};
netconf.port = mkOption {
type = port;
description = "Port to use for netconf.";
default = 830;
};
};
};
netconf.xmls.system = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.system =
let
ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys;
ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1;
ssh-keys = map (concatStringsSep " ") ssh-keys2;
edsca = map (key: "<ssh-edsca><name>${key}</name></ssh-edsca>") (
filter (hasPrefix "ssh-edsca ") ssh-keys
);
rsa = map (key: "<ssh-rsa><name>${key}</name></ssh-rsa>") (filter (hasPrefix "ssh-rsa ") ssh-keys);
ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
filter (hasPrefix "ssh-ed25519 ") ssh-keys
);
in
''
<system>
<host-name operation="replace">${config.system.host-name}</host-name>
<root-authentication operation="replace">
<encrypted-password>${config.system.root-authentication.hashedPasswd}</encrypted-password>
${concatStrings (edsca ++ rsa ++ ed25519)}
</root-authentication>
<services operation="replace">
<ssh><root-login>${config.system.services.ssh.root-login}</root-login></ssh>
<netconf>
<ssh><port>${toString config.system.services.netconf.port}</port></ssh>
<rfc-compliant/><yang-compliant/>
</netconf>
</services>
</system>
'';
}

View file

@ -1,135 +0,0 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
assertMsg
concatStringsSep
mapAttrsToList
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
ints
listOf
nullOr
str
submodule
unspecified
;
vlan =
{ name, config, ... }:
{
options = {
id = mkOption {
type = nullOr ints.unsigned;
default = null;
description = ''
The ID of this vlan, `null` means no ID.
Incompatible with vlans.${name}.id-list.
'';
};
id-list = mkOption {
type =
let
range_type =
{ config, ... }:
{
config.__toString = _: "${toString config.begin}-${toString config.end}";
options = {
begin = mkOption {
type = ints.unsigned;
visible = false;
};
end = mkOption {
type = ints.unsigned;
visible = false;
};
__toString = mkOption {
visible = false;
internal = true;
readOnly = true;
type = unspecified;
};
};
};
in
listOf (either ints.unsigned (submodule range_type));
default = [ ];
example = [
42
{
begin = 100;
end = 200;
}
];
description = ''
List of IDs or IDs range to classify as this vlan.
Incompatible with vlans.${name}.id.
'';
};
l3-interface = mkOption {
type = nullOr str;
default = null;
example = "irb.0";
description = ''
Switch's logical interface to connect directly to this vlan.
This allows to communicate with the switch from a vlan without
having a cable looping back on it's management interface.
'';
};
xml = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.xml =
let
id = optionalString (config.id != null) "<vlan-id>${toString config.id}</vlan-id>";
id-list = concatStringsSep "" (
map (vlan: "<vlan-id-list>${toString vlan}</vlan-id-list>") config.id-list
);
l3-intf = optionalString (
config.l3-interface != null
) "<l3-interface>${config.l3-interface}</l3-interface>";
in
assert assertMsg (
config.id == null || config.id-list == [ ]
) "vlans.${name}.id and vlans.${name}.id-list are incompatible.";
''
<vlan>
<name>${name}</name>
${id}${id-list}${l3-intf}
</vlan>
'';
};
in
{
options = {
vlans = mkOption {
type = attrsOf (submodule vlan);
description = ''
Named vlans configuration. Allows to name vlans inside interface configuration,
instead of just using their IDs.
'';
};
netconf.xmls.vlans = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.vlans = ''
<vlans operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: vlan: vlan.xml) config.vlans)}
</vlans>
'';
}

View file

@ -1,176 +0,0 @@
# Copyright Tom Hubrecht, (2023)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec {
inherit (import ./nixpkgs.nix)
flip
hasPrefix
recursiveUpdate
splitString
unique
warn
;
/*
Fuses a list of attribute sets into a single attribute set.
Type: [attrs] -> attrs
Example:
x = [ { a = 1; } { b = 2; } ]
fuseAttrs x
=> { a = 1; b = 2; }
*/
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
/*
Applies a function to `attrsList` before fusing the resulting list
of attribute sets.
Type: ('a -> attrs) -> ['a] -> attrs
Example:
x = [ "to" "ta" "ti" ]
f = s: { ${s} = s + s; }
mapFuse f x
=> { to = "toto"; ta = "tata"; ti = "titi"; }
*/
mapFuse =
# 'a -> attrs
f:
# ['a]
attrsList:
fuseAttrs (builtins.map f attrsList);
/*
Equivalent of lib.singleton but for an attribute set.
Type: str -> 'a -> attrs
Example:
singleAttr "a" 1
=> { a = 1; }
*/
singleAttr = name: value: { ${name} = value; };
# Enables a list of modules.
enableAttrs' =
enable:
mapFuse (m: {
${m}.${enable} = true;
});
enableModules = enableAttrs' "enable";
/*
Create an attribute set from a list of values, mapping those
values through the function `f`.
Example:
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
=> { a = "val-a"; b = "val-b" }
*/
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
/*
Creates a relative path as a string
Type: path -> str -> path
Example:
mkRel /home/test/ "file.txt"
=> "/home/test/file.txt"
*/
mkRel = path: file: path + "/${file}";
setDefault =
default:
mapFuse (name: {
${name} = default;
});
mkBaseSecrets =
root:
mapFuse (secret: {
${secret}.file = mkRel root secret;
});
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
subAttr = attrs: name: attrs.${name};
subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together.
Type: [attrs] -> attrs
*/
recursiveFuse = builtins.foldl' recursiveUpdate { };
mkImport =
root: file:
let
path = mkRel root file;
in
path + (optionalString (!(builtins.pathExists path)) ".nix");
mkImports = root: builtins.map (mkImport root);
/*
Creates a confugiration by merging enabled modules,
services and extraConfig.
Example:
mkConfig {
enabledModules = [ "ht-defaults" ];
enabledServices = [ "toto" ];
extraConfig = { services.nginx.enable = true; };
root = ./.;
}
=>
{
imports = [ ./toto ];
ht-defaults.enable = true;
services.nginx.enable = true;
}
*/
mkConfig =
{
# List of modules to enable with `enableModules`
enabledModules,
# List of services to import
enabledServices,
# Extra configuration, defaults to `{ }`
extraConfig ? { },
# Path relative to which the enabled services will be imported
root,
}:
recursiveFuse [
(enableModules enabledModules)
{
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
(removeAttrs extraConfig [ "imports" ])
];
}

View file

@ -1,466 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
/**
`warn` *`message`* *`value`*
Print a warning before returning the second argument.
See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
# Inputs
*`message`* (String)
: Warning message to print before evaluating *`value`*.
*`value`* (any value)
: Value to return as-is.
# Type
```
String -> a -> a
```
*/
warn =
# Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
builtins.warn or (
let
mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
"1"
"true"
"yes"
];
in
# Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
msg: v:
# `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
assert builtins.isString msg;
if mustAbort then
builtins.trace "evaluation warning: ${msg}" (
abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
)
else
builtins.trace "evaluation warning: ${msg}" v
);
}

View file

@ -1,85 +0,0 @@
# Copyright Tom Hubrecht, (2023-2024)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
patchFile,
excludeGitHubManual ? true,
fetchers ? { },
}:
rec {
base =
{ pkgs }:
rec {
mkUrlPatch =
attrs:
pkgs.fetchpatch (
{
hash = pkgs.lib.fakeHash;
}
// attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
})
);
mkGitHubPatch =
{ id, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "id" ])
// {
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
}
);
mkCommitPatch =
{ sha, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "sha" ])
// {
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
}
);
patchFunctions = {
commit = mkCommitPatch;
github = mkGitHubPatch;
remote = pkgs.fetchpatch;
static = attrs: attrs.path;
url = mkUrlPatch;
} // fetchers;
mkPatch =
{
_type ? "github",
...
}@attrs:
if builtins.hasAttr _type patchFunctions then
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
else
throw "Unknown patch type: ${builtins.toString _type}.";
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
applyPatches =
{
src,
name,
patches ? mkPatches name,
}:
if patches == [ ] then
src
else
pkgs.applyPatches {
inherit patches src;
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
}

View file

@ -1,46 +1,39 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
# List of modules to enable
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
# List of modules to enable
"dgn-backups"
"dgn-chatops"
"dgn-fail2ban"
"dgn-web"
];
# List of services to enable
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
# List of services to enable
"arkheon"
"dgsi"
"ds-fr"
"grafana"
"hedgedoc"
"k-radius"
"kanidm"
"librenms"
"mastodon"
"nextcloud"
"ollama-proxy"
"outline"
"plausible"
"postgresql"
"rstudio-server"
# "satosa"
"signal-irc-bridge"
"signald"
"stirling-pdf"
"takumi"
"satosa"
"telegraf"
"vaultwarden"
"zammad"
"signald"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
dgn-hardware.useZfs = true;
services.netbird.enable = true;

View file

@ -29,5 +29,5 @@
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/edbb5acc-84fc-4a2f-9f1b-086eb137d6dc"; } ];
swapDevices = [ { device = "/dev/disk/by-uuid/30547280-00e9-4ee1-8a07-d116590d9fbf"; } ];
}

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, sources, ... }:
{

View file

@ -1,59 +1,21 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
sources,
...
}:
{ config, ... }:
let
host = "demarches.dgnum.eu";
port = 3000;
dgn-id = "8dfdc60d1aa66e7206461ed7a49199f624a66b4e";
patch = pkgs.fetchurl {
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
hash = "sha256-6JdbUf2fc79E5F1wtYFnP1JLGJffhGbjaxysRFr8xN4=";
};
in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = port;
services.demarches-simplifiees = {
enable = true;
package = (import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.overrideAttrs (old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
};
patches = (old.patches or [ ]) ++ [ ./01-smtp-tls.patch ];
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
postPatch = ''
rm -f lib/tasks/deployment/20240830192553_backfill_hide_instructeurs_email.rake
rm -f lib/tasks/deployment/20240912151317_clean_virtual_column_from_procedure_presentation.rake
rm -f lib/tasks/deployment/20240920130741_migrate_procedure_presentation_to_columns.rake
'';
});
inherit host port;
environmentFile = config.age.secrets."ds-fr-secret_file".path;
secretFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923";
environment = {
settings = {
APP_HOST = host;
# Disable France Connect and Agent Connect
FRANCE_CONNECT_ENABLED = "disabled";
AGENT_CONNECT_ENABLED = "disabled";
@ -73,8 +35,8 @@ in
SMTP_HOST = "kurisu.lahfa.xyz";
SMTP_PORT = "465";
SMTP_USER = "web-services@infra.dgnum.eu";
SMTP_STARTTLS = "";
SMTP_TLS = "true";
SMTP_TLS = "";
SMTP_SSL = "true";
SMTP_AUTHENTICATION = "plain";
SUPER_ADMIN_OTP_ENABLED = "disabled";
@ -95,10 +57,18 @@ in
RUBY_YJIT_ENABLE = "1";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-12-18";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-23";
WEASYPRINT_URL = "http://127.0.0.1:5000/pdf";
# Customization
# HEADER_LOGO_SRC = "logo_ens_psl_couleur.png";
# HEADER_LOGO_ALT = "Par la Recherche, pour la Recherche";
# PROCEDURE_DEFAULT_LOGO_SRC = "logo_ens_psl_couleur.png";
};
};
# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];
age-secrets.autoMatch = [ "ds-fr" ];
dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/ds-fr" ];
dgn-backups.postgresDatabases = [ "ds-fr" ];
}

View file

@ -0,0 +1,421 @@
# Copyright Tom Hubrecht, (2023)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is a computer program whose purpose is to configure
# machines and servers with NixOS.
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mdDoc
mkDefault
mkEnableOption
mkIf
mkOption
optional
optionalString
types
;
cfg = config.services.demarches-simplifiees;
settingsFormat = pkgs.formats.keyValue { };
env = settingsFormat.generate "ds-fr-env" cfg.settings;
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
set -a
cd ${cfg.package}
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
source ${env}
BIN="$1"
shift
SUDO="exec"
if [[ $USER != ${cfg.user} ]]; then
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
fi
$SUDO ${cfg.package}/bin/$BIN "$@"
'';
in
{
options.services.demarches-simplifiees = {
enable = mkEnableOption "demarches-simplifiees.";
package = mkOption {
type = types.package;
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
};
user = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "User account under which DS runs.";
};
group = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "Group account under which DS runs.";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/ds-fr";
};
logDir = mkOption {
type = types.str;
default = "/var/log/ds-fr";
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
};
settings = mkOption { inherit (settingsFormat) type; };
initialDeploymentDate = mkOption {
type = types.nullOr types.str;
default = null;
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ ds-fr ];
systemd.tmpfiles.rules = [
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
];
systemd.services = {
ds-fr-setup = {
description = "Demarches Simplifiees setup";
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
ds-fr
];
after = [ "postgresql.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
script = ''
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
&& ds-fr rails db:environment:set \
&& ds-fr rails db:schema:load \
&& ds-fr rails db:seed \
&& touch ${cfg.dataDir}/.initial-migration
ds-fr rake db:migrate
ds-fr rake after_party:run
'';
};
ds-fr-work = {
description = "Demarches Simplifiees work service";
wantedBy = [
"multi-user.target"
"ds-fr.service"
];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
ds-fr = {
description = "Demarches Simplifiees web service";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
path = [ pkgs.imagemagick ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails server";
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
};
services = {
demarches-simplifiees.settings =
(builtins.mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.package;
# Application host name
#
# Examples:
# * For local development: localhost:3000
# * For preproduction: staging.ds.example.org
# * For production: ds.example.org
APP_HOST = "localhost:3000";
# Rails key for signing sensitive data
# See https://guides.rubyonrails.org/security.html
#
# For production you MUST generate a new key, and keep it secret.
# Secrets must be long and random. Use bin/rails secret to get new unique secrets.
# Secret key for One-Time-Password codes, used for 2-factors authentication
# OTP_SECRET_KEY = "";
# Protect access to the instance with a static login/password (useful for staging environments)
BASIC_AUTH_ENABLED = "disabled";
BASIC_AUTH_USERNAME = "";
BASIC_AUTH_PASSWORD = "";
# ActiveStorage service to use for attached files.
# Possible values:
# - "local": store files on the local filesystem
# - "amazon": store files remotely on an S3 storage service
# - "openstack": store files remotely on an OpenStack storage service
#
# (See config/storage.yml for the configuration of each service.)
ACTIVE_STORAGE_SERVICE = "local";
# Configuration for the OpenStack storage service (if enabled)
FOG_OPENSTACK_API_KEY = "";
FOG_OPENSTACK_USERNAME = "";
FOG_OPENSTACK_URL = "";
FOG_OPENSTACK_REGION = "";
DS_PROXY_URL = "";
# SAML
SAML_IDP_ENABLED = "disabled";
# External service: authentication through France Connect
FC_PARTICULIER_ID = "";
FC_PARTICULIER_SECRET = "";
FC_PARTICULIER_BASE_URL = "";
# External service: authentication through Agent Connect
AGENT_CONNECT_ID = "";
AGENT_CONNECT_SECRET = "";
AGENT_CONNECT_BASE_URL = "";
AGENT_CONNECT_JWKS = "";
AGENT_CONNECT_REDIRECT = "";
# External service: integration with HelpScout (optional)
HELPSCOUT_MAILBOX_ID = "";
HELPSCOUT_CLIENT_ID = "";
HELPSCOUT_CLIENT_SECRET = "";
HELPSCOUT_WEBHOOK_SECRET = "";
# External service: external supervision
SENTRY_ENABLED = "disabled";
SENTRY_CURRENT_ENV = "development";
SENTRY_DSN_RAILS = "";
SENTRY_DSN_JS = "";
# External service: Matomo web analytics
MATOMO_ENABLED = "disabled";
MATOMO_COOKIE_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_ID = "";
MATOMO_HOST = "matomo.example.org";
# Default SMTP Provider: Mailjet
MAILJET_API_KEY = "";
MAILJET_SECRET_KEY = "";
# Alternate SMTP Provider: SendInBlue/DoList
SENDINBLUE_CLIENT_KEY = "";
SENDINBLUE_SMTP_KEY = "";
SENDINBLUE_USER_NAME = "";
# SENDINBLUE_LOGIN_URL="https://app.sendinblue.com/account/saml/login/truc"
# Alternate SMTP Provider: Mailtrap (mail catcher for staging environments)
# When enabled, all emails will be sent using this provider
MAILTRAP_ENABLED = "disabled";
MAILTRAP_USERNAME = "";
MAILTRAP_PASSWORD = "";
# Alternative SMTP Provider: Mailcatcher (Catches mail and serves it through a dream.)
# When enabled, all emails will be sent using this provider
MAILCATCHER_ENABLED = "disabled";
MAILCATCHER_HOST = "";
MAILCATCHER_PORT = "";
# External service: live chat for admins (specific to démarches-simplifiées.fr)
CRISP_ENABLED = "disabled";
CRISP_CLIENT_KEY = "";
# API Entreprise credentials
# https://api.gouv.fr/api/api-entreprise.html
API_ENTREPRISE_KEY = "";
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
PIPEDRIVE_KEY = "";
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
TRUSTED_NETWORKS = "";
# External service: mesuring performance of the Rails app (specific to démarches-simplifiées.fr)
SKYLIGHT_AUTHENTICATION_KEY = "";
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
# Enable or disable Lograge logs
LOGRAGE_ENABLED = "disabled";
# Logs source for Lograge
#
# Examples:
# * For local development: tps_local
# * For preproduction: tps_staging
# * For production: tps_prod
LOGRAGE_SOURCE = "tps_prod";
# External service: timestamping a daily archive of dossiers status changes
UNIVERSIGN_API_URL = "https://ws.universign.eu/tsa/post/";
UNIVERSIGN_USERPWD = "";
# External service: API Geo / Adresse
API_ADRESSE_URL = "https://api-adresse.data.gouv.fr";
API_GEO_URL = "https://geo.api.gouv.fr";
# External service: API Education
API_EDUCATION_URL = "https://data.education.gouv.fr/api/records/1.0";
# Encryption key for sensitive columns in the database
ENCRYPTION_SERVICE_SALT = "";
# ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
AR_ENCRYPTION_PRIMARY_KEY = "";
AR_ENCRYPTION_KEY_DERIVATION_SALT = "";
# Salt for invisible_captcha session data.
# Must be the same value for all app instances behind a load-balancer.
INVISIBLE_CAPTCHA_SECRET = "kikooloool";
# Clamav antivirus usage
CLAMAV_ENABLED = "disabled";
# Siret number used for API Entreprise, by default we use SIRET from dinum
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
})
// {
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = cfg.user;
DB_PASSWORD = "";
DB_HOST = "/run/postgresql";
DB_POOL = "";
# Log on stdout
RAILS_LOG_TO_STDOUT = true;
};
postgresql = {
enable = true;
ensureDatabases = [ "ds-fr" ];
ensureUsers = optional (cfg.user == "ds-fr") {
name = "ds-fr";
ensureDBOwnership = true;
};
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
};
nginx = {
enable = true;
virtualHosts.${cfg.settings.APP_HOST} = {
enableACME = true;
forceSSL = true;
root = "${cfg.package}/public/";
locations."/".tryFiles = "$uri @proxy";
locations."@proxy" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
};
users.users = mkIf (cfg.user == "ds-fr") {
ds-fr = {
inherit (cfg) group;
isSystemUser = true;
home = cfg.package;
};
};
users.groups.${cfg.group} = { };
};
}

View file

@ -0,0 +1,160 @@
{
lib,
stdenv,
fetchFromGitHub,
git,
fetchYarnDeps,
yarn,
fixup_yarn_lock,
nodejs,
ruby_3_2,
bundlerEnv,
logDir ? "/var/log/ds-fr",
dataDir ? "/var/lib/ds-fr",
initialDeploymentDate ? "17941030",
}:
let
inherit (lib) getExe;
# Head of the DGNum repo
dgn-id = "12e4a32ca5d909a90ca6f7e53081cc6b6b14c416";
pname = "ds-fr";
meta = import ./meta.nix;
inherit (meta) version;
src = fetchFromGitHub {
owner = "demarches-simplifiees";
repo = "demarches-simplifiees.fr";
rev = version;
hash = meta.src-hash;
};
rubyEnv = bundlerEnv {
name = "env-${pname}";
gemdir = ./rubyEnv;
ruby = ruby_3_2;
gemset = (import ./rubyEnv/gemset.nix) // {
bundler = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "deeQ3fNwcSiGSO/yeB2yoTniRq2gHW8WueprXoPX6Jk=";
type = "gem";
};
version = "2.3.11";
};
};
};
dsModules = stdenv.mkDerivation {
pname = "${pname}-modules";
inherit src version;
offlineCache = fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = meta.deps-hash;
};
buildInputs = [ rubyEnv ];
nativeBuildInputs = [
fixup_yarn_lock
nodejs
yarn
rubyEnv.wrappedRuby
];
RAILS_ENV = "production";
NODE_ENV = "dev";
patches = [
# Disable functionnalities as we only precompile assets
./patches/build.patch
];
postPatch = ''
${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
OTP_SECRET_KEY = "precompile_placeholder";
SECRET_KEY_BASE = "precompile_placeholder";
APP_HOST = "precompile_placeholder";
buildPhase = ''
export HOME=$(mktemp -d)
yarn config --offline set yarn-offline-mirror $offlineCache
fixup_yarn_lock yarn.lock
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules/
patchShebangs bin/
bin/rake assets:precompile
yarn cache clean --offline
rm -rf node_modules/
'';
installPhase = ''
mkdir -p $out/public
cp -r public/* $out/public
'';
};
in
stdenv.mkDerivation {
name = "demarches-simplifiees.fr-${version}";
inherit src;
buildInputs = [ rubyEnv ];
propagatedBuildInputs = [ rubyEnv.wrappedRuby ];
patches = [
./patches/replay_routing_engine_for_a_cloned_procedure.patch
./patches/smtp_settings.patch
./patches/garage.patch
];
postPatch = ''
${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
buildPhase = ''
rm -rf public
ln -s ${dsModules}/public/ public
patchShebangs bin/
rm -rf log storage
ln -s ${logDir} log
ln -s ${dataDir}/tmp tmp
ln -s ${dataDir}/storage storage
for f in $(ls lib/tasks/deployment/); do
[[ ! ${initialDeploymentDate} < $f ]] \
&& rm lib/tasks/deployment/$f;
done;
echo "Removed unused data migrations"
'';
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
passthru = {
inherit rubyEnv;
ruby = rubyEnv.wrappedRuby;
};
meta = with lib; {
description = "Dématérialiser et simplifier les démarches administratives";
homepage = "https://github.com/demarches-simplifiees/demarches-simplifiees.fr";
license = licenses.agpl3Only;
maintainers = with maintainers; [ thubrecht ];
};
}

View file

@ -0,0 +1,5 @@
{
version = "2024-03-26-01";
src-hash = "sha256-JLwbeCGZNFxzZnh6bcheNUkrg/51UG4IM9pln+ridSs=";
deps-hash = "sha256-ZtZ1iqKHWGPR5+BDOtOvrpgdndfP5IiqrLkju96YAM4=";
}

View file

@ -0,0 +1,42 @@
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d8c8e84..6262b8782 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -118,7 +118,7 @@ Rails.application.configure do
# the I18n.default_locale when a translation cannot be found).
config.i18n.fallbacks = true
- config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE").to_sym
+ config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE", 'local').to_sym
# Send deprecation notices to registered listeners.
config.active_support.deprecation = :notify
@@ -174,5 +174,5 @@ Rails.application.configure do
# The Content-Security-Policy is NOT in Report-Only mode
config.content_security_policy_report_only = false
- config.lograge.enabled = ENV['LOGRAGE_ENABLED'] == 'enabled'
+ config.lograge.enabled = ENV.fetch('LOGRAGE_ENABLED', 'disabled') == 'enabled'
end
diff --git a/config/initializers/mailcatcher.rb b/config/initializers/mailcatcher.rb
index 8b931f704..dbeceb4ec 100644
--- a/config/initializers/mailcatcher.rb
+++ b/config/initializers/mailcatcher.rb
@@ -1,4 +1,4 @@
-if ENV.fetch('MAILCATCHER_ENABLED') == 'enabled'
+if ENV.fetch('MAILCATCHER_ENABLED', 'disabled') == 'enabled'
ActiveSupport.on_load(:action_mailer) do
module Mailcatcher
class SMTP < ::Mail::SMTP; end
diff --git a/config/initializers/mailtrap.rb b/config/initializers/mailtrap.rb
index 6d1faa04b..658673ed1 100644
--- a/config/initializers/mailtrap.rb
+++ b/config/initializers/mailtrap.rb
@@ -1,4 +1,4 @@
-if ENV.fetch('MAILTRAP_ENABLED') == 'enabled'
+if ENV.fetch('MAILTRAP_ENABLED', 'disabled') == 'enabled'
ActiveSupport.on_load(:action_mailer) do
module Mailtrap
class SMTP < ::Mail::SMTP; end

View file

@ -0,0 +1,16 @@
diff --git a/config/storage.yml b/config/storage.yml
index d2b2d241f..1b2744504 100644
--- a/config/storage.yml
+++ b/config/storage.yml
@@ -19,3 +19,11 @@ amazon:
secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
region: <%= ENV.fetch("S3_REGION", "") %>
bucket: <%= ENV.fetch("S3_BUCKET", "") %>
+garage:
+ service: S3
+ access_key_id: <%= ENV.fetch("S3_ACCESS_KEY_ID", "") %>
+ secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
+ region: <%= ENV.fetch("S3_REGION", "garage") %>
+ bucket: <%= ENV.fetch("S3_BUCKET", "") %>
+ endpoint: <%= ENV.fetch("S3_ENDPOINT", "") %>
+ force_path_style: <%= ENV.fetch("S3_FORCE_PATH_STYLE", "").present? %>

View file

@ -0,0 +1,35 @@
diff --git a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
index 9d4f3a284..04d62a63b 100644
--- a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
+++ b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
@@ -4,18 +4,18 @@ namespace :after_party do
puts "Running deploy task 'replay_routing_engine_for_a_cloned_procedure'"
# Put your task implementation HERE.
- dossiers = Procedure
- .find(76266)
- .dossiers
- .en_construction
-
- progress = ProgressReport.new(dossiers.count)
-
- dossiers.find_each do |dossier|
- RoutingEngine.compute(dossier)
- progress.inc
- end
- progress.finish
+ # dossiers = Procedure
+ # .find(76266)
+ # .dossiers
+ # .en_construction
+ #
+ # progress = ProgressReport.new(dossiers.count)
+ #
+ # dossiers.find_each do |dossier|
+ # RoutingEngine.compute(dossier)
+ # progress.inc
+ # end
+ # progress.finish
# Update task as completed. If you remove the line below, the task will
# run with every deploy (or every time you call after_party:run).

View file

@ -0,0 +1,14 @@
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d8c8e84..e0326d26d 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -86,7 +86,8 @@ Rails.application.configure do
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
+ ssl: ENV.fetch("SMTP_SSL").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail

View file

@ -0,0 +1,12 @@
diff --git a/app/controllers/concerns/uninterlace_png_concern.rb b/app/controllers/concerns/uninterlace_png_concern.rb
index 8e9d06251..0870357c6 100644
--- a/app/controllers/concerns/uninterlace_png_concern.rb
+++ b/app/controllers/concerns/uninterlace_png_concern.rb
@@ -14,6 +14,6 @@ module UninterlacePngConcern
def interlaced?(png_path)
png = MiniMagick::Image.open(png_path)
- png.data["interlace"] != "None"
+ png.details["interlace"] != "None"
end
end

View file

@ -0,0 +1,148 @@
source 'https://rubygems.org'
gem 'rails', '~> 7.0.8' # allows update to security fixes at any time
gem 'aasm'
gem 'acsv'
gem 'active_model_serializers'
gem 'activestorage-openstack'
gem 'active_storage_validations'
gem 'addressable'
gem 'administrate'
gem 'administrate-field-enum' # Allow using Field::Enum in administrate
gem 'after_party'
gem 'ancestry'
gem 'anchored'
gem 'bcrypt'
gem 'bootsnap', '>= 1.4.4', require: false # Reduces boot times through caching; required in config/boot.rb
gem 'browser'
gem 'charlock_holmes'
gem 'chartkick'
gem 'chunky_png'
gem 'clamav-client', require: 'clamav/client'
gem 'daemons'
gem 'deep_cloneable' # Enable deep clone of active record models
gem 'delayed_cron_job' # Cron jobs
gem 'delayed_job_active_record'
gem 'delayed_job_web'
gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
gem 'devise-i18n'
gem 'devise-two-factor'
gem 'discard'
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
gem 'dry-monads'
gem 'faraday-jwt'
gem 'flipper'
gem 'flipper-active_record'
gem 'flipper-active_support_cache_store'
gem 'flipper-ui'
gem 'fugit'
gem 'geocoder'
gem 'geo_coord', require: "geo/coord"
gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'
gem 'gon'
gem 'graphql', '2.0.24'
gem 'graphql-batch', '0.5.1'
gem 'graphql-rails_logger'
gem 'groupdate'
gem 'haml-rails'
gem 'hashie'
gem 'http_accept_language'
gem 'i18n_data'
gem 'i18n-tasks', require: false
gem 'iban-tools'
gem 'image_processing'
gem 'invisible_captcha'
gem 'json_schemer'
gem 'jwt'
gem 'kaminari'
gem 'kredis'
gem 'listen' # Required by ActiveSupport::EventedFileUpdateChecker
gem 'lograge'
gem 'logstash-event'
gem 'maintenance_tasks'
gem 'matrix' # needed by prawn and not default in ruby 3.1
gem 'mini_magick'
gem 'net-imap', require: false # See https://github.com/mikel/mail/pull/1439
gem 'net-pop', require: false # same
gem 'net-smtp', require: false # same
gem 'openid_connect'
gem 'parsby'
gem 'pg'
gem 'phonelib'
gem 'prawn-rails' # PDF Generation
gem 'premailer-rails'
gem 'puma' # Use Puma as the app server
gem 'pundit'
gem 'rack-attack'
gem 'rails-i18n' # Locales par défaut
gem 'rake-progressbar', require: false
gem 'redcarpet'
gem 'redis'
gem 'rexml' # add missing gem due to ruby3 (https://github.com/Shopify/bootsnap/issues/325)
gem 'rqrcode'
gem 'saml_idp'
gem 'sassc-rails' # Use SCSS for stylesheets
gem 'sentry-delayed_job'
gem 'sentry-rails'
gem 'sentry-ruby'
gem 'sentry-sidekiq'
gem 'sib-api-v3-sdk'
gem 'sidekiq'
gem 'skylight'
gem 'spreadsheet_architect'
gem 'strong_migrations' # lint database migrations
gem 'turbo-rails'
gem 'typhoeus'
gem 'ulid-ruby', require: 'ulid'
gem 'view_component'
gem 'vite_rails'
gem 'warden'
gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn'
group :test do
gem 'axe-core-rspec' # accessibility rspec matchers
gem 'capybara' # Integration testing
gem 'capybara-email' # Access emails during integration tests
gem 'capybara-screenshot' # Save a dump of the page when an integration test fails
gem 'factory_bot'
gem 'launchy'
gem 'rack_session_access'
gem 'rails-controller-testing'
gem 'rspec_junit_formatter'
gem 'rspec-retry'
gem 'selenium-devtools'
gem 'selenium-webdriver'
gem 'shoulda-matchers', require: false
gem 'timecop'
gem 'vcr'
gem 'webmock'
end
group :development do
gem 'benchmark-ips', require: false
gem 'brakeman', require: false
gem 'haml-lint'
gem 'letter_opener_web'
gem 'memory_profiler'
gem 'rack-mini-profiler'
gem 'rails-erd', require: false # generates `doc/database_models.pdf`
gem 'rubocop', require: false
gem 'rubocop-performance', require: false
gem 'rubocop-rails', require: false
gem 'rubocop-rspec', require: false
gem 'scss_lint', require: false
gem 'stackprof'
gem 'web-console'
end
group :development, :test do
gem 'graphql-schema_comparator'
gem 'irb'
gem 'mina', require: false # Deploy
gem 'rspec-rails'
gem 'simple_xlsx_reader'
gem 'spring' # Spring speeds up development by keeping your application running in the background
gem 'spring-commands-rspec'
end

View file

@ -0,0 +1,966 @@
GIT
remote: https://github.com/demarches-simplifiees/reliable-fetch.git
revision: f547a270c402b0180091516d790434e83287fae7
specs:
gitlab-sidekiq-fetcher (0.11.0)
json (>= 2.5)
sidekiq (~> 7.0)
GIT
remote: https://github.com/heartcombo/devise.git
revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
specs:
devise (4.9.3)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
GEM
remote: https://rubygems.org/
specs:
aasm (5.5.0)
concurrent-ruby (~> 1.0)
acsv (0.0.1)
actioncable (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
mail (>= 2.7.1)
net-imap
net-pop
net-smtp
actionmailer (7.0.8.1)
actionpack (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activesupport (= 7.0.8.1)
mail (~> 2.5, >= 2.5.4)
net-imap
net-pop
net-smtp
rails-dom-testing (~> 2.0)
actionpack (7.0.8.1)
actionview (= 7.0.8.1)
activesupport (= 7.0.8.1)
rack (~> 2.0, >= 2.2.4)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (7.0.8.1)
actionpack (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.0.8.1)
activesupport (= 7.0.8.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
active_model_serializers (0.10.14)
actionpack (>= 4.1)
activemodel (>= 4.1)
case_transform (>= 0.2)
jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
active_storage_validations (1.1.4)
activejob (>= 5.2.0)
activemodel (>= 5.2.0)
activestorage (>= 5.2.0)
activesupport (>= 5.2.0)
activejob (7.0.8.1)
activesupport (= 7.0.8.1)
globalid (>= 0.3.6)
activemodel (7.0.8.1)
activesupport (= 7.0.8.1)
activerecord (7.0.8.1)
activemodel (= 7.0.8.1)
activesupport (= 7.0.8.1)
activestorage (7.0.8.1)
actionpack (= 7.0.8.1)
activejob (= 7.0.8.1)
activerecord (= 7.0.8.1)
activesupport (= 7.0.8.1)
marcel (~> 1.0)
mini_mime (>= 1.1.0)
activestorage-openstack (1.6.0)
fog-openstack (>= 1.0.9)
marcel
rails (>= 5.2.2)
activesupport (7.0.8.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
tzinfo (~> 2.0)
addressable (2.8.6)
public_suffix (>= 2.0.2, < 6.0)
administrate (0.20.1)
actionpack (>= 6.0, < 8.0)
actionview (>= 6.0, < 8.0)
activerecord (>= 6.0, < 8.0)
jquery-rails (~> 4.6.0)
kaminari (~> 1.2.2)
sassc-rails (~> 2.1)
selectize-rails (~> 0.6)
administrate-field-enum (0.0.9)
administrate (~> 0.12)
aes_key_wrap (1.1.0)
after_party (1.11.2)
ancestry (4.3.3)
activerecord (>= 5.2.6)
anchored (1.1.0)
ast (2.4.2)
attr_required (1.0.2)
axe-core-api (4.8.2)
dumb_delegator
virtus
axe-core-rspec (4.8.2)
axe-core-api
dumb_delegator
virtus
axiom-types (0.1.1)
descendants_tracker (~> 0.0.4)
ice_nine (~> 0.11.0)
thread_safe (~> 0.3, >= 0.3.1)
base64 (0.2.0)
bcrypt (3.1.20)
benchmark-ips (2.13.0)
better_html (2.0.2)
actionview (>= 6.0)
activesupport (>= 6.0)
ast (~> 2.0)
erubi (~> 1.4)
parser (>= 2.4)
smart_properties
bigdecimal (3.1.6)
bindata (2.5.0)
bindex (0.8.1)
bootsnap (1.18.3)
msgpack (~> 1.2)
brakeman (6.1.2)
racc
browser (5.3.1)
builder (3.2.4)
capybara (3.40.0)
addressable
matrix
mini_mime (>= 0.1.3)
nokogiri (~> 1.11)
rack (>= 1.6.0)
rack-test (>= 0.6.3)
regexp_parser (>= 1.5, < 3.0)
xpath (~> 3.2)
capybara-email (3.0.2)
capybara (>= 2.4, < 4.0)
mail
capybara-screenshot (1.0.26)
capybara (>= 1.0, < 4)
launchy
case_transform (0.2)
activesupport
caxlsx (3.4.1)
htmlentities (~> 4.3, >= 4.3.4)
marcel (~> 1.0)
nokogiri (~> 1.10, >= 1.10.4)
rubyzip (>= 1.3.0, < 3)
charlock_holmes (0.7.7)
chartkick (5.0.5)
choice (0.2.0)
chunky_png (1.4.0)
clamav-client (3.2.0)
coercible (1.0.0)
descendants_tracker (~> 0.0.1)
concurrent-ruby (1.2.3)
connection_pool (2.4.1)
content_disposition (1.0.0)
crack (1.0.0)
bigdecimal
rexml
crass (1.0.6)
css_parser (1.16.0)
addressable
daemons (1.4.1)
date (3.3.4)
deep_cloneable (3.2.0)
activerecord (>= 3.1.0, < 8)
delayed_cron_job (0.9.0)
fugit (>= 1.5)
delayed_job (4.1.11)
activesupport (>= 3.0, < 8.0)
delayed_job_active_record (4.1.8)
activerecord (>= 3.0, < 8.0)
delayed_job (>= 3.0, < 5)
delayed_job_web (1.4.4)
activerecord (> 3.0.0)
delayed_job (> 2.0.3)
rack-protection (>= 1.5.5)
sinatra (>= 1.4.4)
descendants_tracker (0.0.4)
thread_safe (~> 0.3, >= 0.3.1)
devise-i18n (1.12.0)
devise (>= 4.9.0)
devise-two-factor (5.0.0)
activesupport (~> 7.0)
devise (~> 4.0)
railties (~> 7.0)
rotp (~> 6.0)
diff-lcs (1.5.1)
discard (1.3.0)
activerecord (>= 4.2, < 8)
dotenv (2.8.1)
dotenv-rails (2.8.1)
dotenv (= 2.8.1)
railties (>= 3.2)
dry-cli (1.0.0)
dry-core (1.0.1)
concurrent-ruby (~> 1.0)
zeitwerk (~> 2.6)
dry-monads (1.6.0)
concurrent-ruby (~> 1.0)
dry-core (~> 1.0, < 2)
zeitwerk (~> 2.6)
dumb_delegator (1.0.0)
email_validator (2.2.4)
activemodel
erubi (1.12.0)
et-orbi (1.2.7)
tzinfo
ethon (0.16.0)
ffi (>= 1.15.0)
excon (0.109.0)
factory_bot (6.4.6)
activesupport (>= 5.0.0)
faraday (2.9.0)
faraday-net_http (>= 2.0, < 3.2)
faraday-follow_redirects (0.3.0)
faraday (>= 1, < 3)
faraday-jwt (0.1.0)
faraday (~> 2.0)
json-jwt (~> 1.16)
faraday-net_http (3.1.0)
net-http
ffi (1.16.3)
flipper (1.2.2)
concurrent-ruby (< 2)
flipper-active_record (1.2.2)
activerecord (>= 4.2, < 8)
flipper (~> 1.2.2)
flipper-active_support_cache_store (1.2.2)
activesupport (>= 4.2, < 8)
flipper (~> 1.2.2)
flipper-ui (1.2.2)
erubi (>= 1.0.0, < 2.0.0)
flipper (~> 1.2.2)
rack (>= 1.4, < 4)
rack-protection (>= 1.5.3, <= 4.0.0)
sanitize (< 7)
fog-core (2.4.0)
builder
excon (~> 0.71)
formatador (>= 0.2, < 2.0)
mime-types
fog-json (1.2.0)
fog-core
multi_json (~> 1.10)
fog-openstack (1.1.0)
fog-core (~> 2.1)
fog-json (>= 1.0)
formatador (1.1.0)
fugit (1.9.0)
et-orbi (~> 1, >= 1.2.7)
raabro (~> 1.4)
geo_coord (0.2.0)
geocoder (1.8.2)
globalid (1.2.1)
activesupport (>= 6.1)
gon (6.4.0)
actionpack (>= 3.0.20)
i18n (>= 0.7)
multi_json
request_store (>= 1.0)
graphql (2.0.24)
graphql-batch (0.5.1)
graphql (>= 1.10, < 3)
promise.rb (~> 0.7.2)
graphql-rails_logger (1.2.4)
actionpack (> 5.0)
activesupport (> 5.0)
railties (> 5.0)
rouge (~> 3.0)
graphql-schema_comparator (1.2.1)
bundler (>= 1.14)
graphql (>= 1.10, < 3.0)
thor (>= 0.19, < 2.0)
groupdate (6.4.0)
activesupport (>= 6.1)
haml (6.3.0)
temple (>= 0.8.2)
thor
tilt
haml-lint (0.999.999)
haml_lint
haml-rails (2.1.0)
actionpack (>= 5.1)
activesupport (>= 5.1)
haml (>= 4.0.6)
railties (>= 5.1)
haml_lint (0.56.0)
haml (>= 5.0)
parallel (~> 1.10)
rainbow
rubocop (>= 1.0)
sysexits (~> 1.1)
hana (1.3.7)
hashdiff (1.1.0)
hashie (5.0.0)
highline (3.0.1)
htmlentities (4.3.4)
http_accept_language (2.1.1)
i18n (1.14.4)
concurrent-ruby (~> 1.0)
i18n-tasks (1.0.13)
activesupport (>= 4.0.2)
ast (>= 2.1.0)
better_html (>= 1.0, < 3.0)
erubi
highline (>= 2.0.0)
i18n
parser (>= 3.2.2.1)
rails-i18n
rainbow (>= 2.2.2, < 4.0)
terminal-table (>= 1.5.1)
i18n_data (0.13.0)
iban-tools (1.2.1)
ice_nine (0.11.2)
image_processing (1.12.2)
mini_magick (>= 4.9.5, < 5)
ruby-vips (>= 2.0.17, < 3)
invisible_captcha (2.2.0)
rails (>= 5.2)
io-console (0.7.2)
irb (1.11.2)
rdoc
reline (>= 0.4.2)
job-iteration (1.4.1)
activejob (>= 5.2)
jquery-rails (4.6.0)
rails-dom-testing (>= 1, < 3)
railties (>= 4.2.0)
thor (>= 0.14, < 2.0)
json (2.7.1)
json-jwt (1.16.6)
activesupport (>= 4.2)
aes_key_wrap
base64
bindata
faraday (~> 2.0)
faraday-follow_redirects
json_schemer (2.1.1)
hana (~> 1.3)
regexp_parser (~> 2.0)
simpleidn (~> 0.2)
jsonapi-renderer (0.2.2)
jwt (2.7.1)
kaminari (1.2.2)
activesupport (>= 4.1.0)
kaminari-actionview (= 1.2.2)
kaminari-activerecord (= 1.2.2)
kaminari-core (= 1.2.2)
kaminari-actionview (1.2.2)
actionview
kaminari-core (= 1.2.2)
kaminari-activerecord (1.2.2)
activerecord
kaminari-core (= 1.2.2)
kaminari-core (1.2.2)
kredis (1.7.0)
activemodel (>= 6.0.0)
activesupport (>= 6.0.0)
redis (>= 4.2, < 6)
language_server-protocol (3.17.0.3)
launchy (2.5.2)
addressable (~> 2.8)
letter_opener (1.9.0)
launchy (>= 2.2, < 3)
letter_opener_web (2.0.0)
actionmailer (>= 5.2)
letter_opener (~> 1.7)
railties (>= 5.2)
rexml
listen (3.8.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
lograge (0.14.0)
actionpack (>= 4)
activesupport (>= 4)
railties (>= 4)
request_store (~> 1.0)
logstash-event (1.2.02)
loofah (2.22.0)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
mail (2.8.1)
mini_mime (>= 0.1.1)
net-imap
net-pop
net-smtp
maintenance_tasks (2.6.0)
actionpack (>= 6.0)
activejob (>= 6.0)
activerecord (>= 6.0)
job-iteration (>= 1.3.6)
railties (>= 6.0)
zeitwerk (>= 2.6.2)
marcel (1.0.2)
matrix (0.4.2)
memory_profiler (1.0.1)
method_source (1.0.0)
mime-types (3.5.2)
mime-types-data (~> 3.2015)
mime-types-data (3.2024.0206)
mina (1.2.5)
rake
mini_magick (4.12.0)
mini_mime (1.1.5)
mini_portile2 (2.8.5)
minitest (5.22.2)
msgpack (1.7.2)
multi_json (1.15.0)
mustermann (3.0.0)
ruby2_keywords (~> 0.0.1)
net-http (0.4.1)
uri
net-imap (0.4.10)
date
net-protocol
net-pop (0.1.2)
net-protocol
net-protocol (0.2.2)
timeout
net-smtp (0.4.0.1)
net-protocol
nio4r (2.7.0)
nokogiri (1.16.2)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
openid_connect (2.3.0)
activemodel
attr_required (>= 1.0.0)
email_validator
faraday (~> 2.0)
faraday-follow_redirects
json-jwt (>= 1.16)
mail
rack-oauth2 (~> 2.2)
swd (~> 2.0)
tzinfo
validate_url
webfinger (~> 2.0)
orm_adapter (0.5.0)
parallel (1.24.0)
parsby (1.1.1)
parser (3.3.0.5)
ast (~> 2.4.1)
racc
pdf-core (0.9.0)
pg (1.5.4)
phonelib (0.8.7)
prawn (2.4.0)
pdf-core (~> 0.9.0)
ttfunk (~> 1.7)
prawn-rails (1.4.2)
actionview (>= 3.1.0)
prawn
prawn-table
prawn-table (0.2.2)
prawn (>= 1.3.0, < 3.0.0)
premailer (1.22.0)
addressable
css_parser (>= 1.12.0)
htmlentities (>= 4.0.0)
premailer-rails (1.12.0)
actionmailer (>= 3)
net-smtp
premailer (~> 1.7, >= 1.7.9)
promise.rb (0.7.4)
psych (5.1.2)
stringio
public_suffix (5.0.4)
puma (6.4.2)
nio4r (~> 2.0)
pundit (2.3.1)
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.7.3)
rack (2.2.8.1)
rack-attack (6.7.0)
rack (>= 1.0, < 4)
rack-mini-profiler (3.3.1)
rack (>= 1.2.0)
rack-oauth2 (2.2.1)
activesupport
attr_required
faraday (~> 2.0)
faraday-follow_redirects
json-jwt (>= 1.11.0)
rack (>= 2.1.0)
rack-protection (3.2.0)
base64 (>= 0.1.0)
rack (~> 2.2, >= 2.2.4)
rack-proxy (0.7.7)
rack
rack-test (2.1.0)
rack (>= 1.3)
rack_session_access (0.2.0)
builder (>= 2.0.0)
rack (>= 1.0.0)
rails (7.0.8.1)
actioncable (= 7.0.8.1)
actionmailbox (= 7.0.8.1)
actionmailer (= 7.0.8.1)
actionpack (= 7.0.8.1)
actiontext (= 7.0.8.1)
actionview (= 7.0.8.1)
activejob (= 7.0.8.1)
activemodel (= 7.0.8.1)
activerecord (= 7.0.8.1)
activestorage (= 7.0.8.1)
activesupport (= 7.0.8.1)
bundler (>= 1.15.0)
railties (= 7.0.8.1)
rails-controller-testing (1.0.5)
actionpack (>= 5.0.1.rc1)
actionview (>= 5.0.1.rc1)
activesupport (>= 5.0.1.rc1)
rails-dom-testing (2.2.0)
activesupport (>= 5.0.0)
minitest
nokogiri (>= 1.6)
rails-erd (1.7.2)
activerecord (>= 4.2)
activesupport (>= 4.2)
choice (~> 0.2.0)
ruby-graphviz (~> 1.2)
rails-html-sanitizer (1.6.0)
loofah (~> 2.21)
nokogiri (~> 1.14)
rails-i18n (7.0.8)
i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 8)
railties (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
method_source
rake (>= 12.2)
thor (~> 1.0)
zeitwerk (~> 2.5)
rainbow (3.1.1)
rake (13.1.0)
rake-progressbar (0.0.5)
rb-fsevent (0.11.2)
rb-inotify (0.10.1)
ffi (~> 1.0)
rdoc (6.6.2)
psych (>= 4.0.0)
redcarpet (3.6.0)
redis (5.1.0)
redis-client (>= 0.17.0)
redis-client (0.20.0)
connection_pool
regexp_parser (2.9.0)
reline (0.4.2)
io-console (~> 0.5)
request_store (1.5.1)
rack (>= 1.4)
responders (3.1.1)
actionpack (>= 5.2)
railties (>= 5.2)
rexml (3.2.6)
rodf (1.2.0)
builder (>= 3.0)
rubyzip (>= 1.0)
rotp (6.3.0)
rouge (3.30.0)
rqrcode (2.2.0)
chunky_png (~> 1.0)
rqrcode_core (~> 1.0)
rqrcode_core (1.2.0)
rspec-core (3.13.0)
rspec-support (~> 3.13.0)
rspec-expectations (3.13.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0)
rspec-mocks (3.13.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0)
rspec-rails (6.1.1)
actionpack (>= 6.1)
activesupport (>= 6.1)
railties (>= 6.1)
rspec-core (~> 3.12)
rspec-expectations (~> 3.12)
rspec-mocks (~> 3.12)
rspec-support (~> 3.12)
rspec-retry (0.6.2)
rspec-core (> 3.3)
rspec-support (3.13.0)
rspec_junit_formatter (0.6.0)
rspec-core (>= 2, < 4, != 2.12.0)
rubocop (1.60.2)
json (~> 2.3)
language_server-protocol (>= 3.17.0)
parallel (~> 1.10)
parser (>= 3.3.0.2)
rainbow (>= 2.2.2, < 4.0)
regexp_parser (>= 1.8, < 3.0)
rexml (>= 3.2.5, < 4.0)
rubocop-ast (>= 1.30.0, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 3.0)
rubocop-ast (1.30.0)
parser (>= 3.2.1.0)
rubocop-capybara (2.20.0)
rubocop (~> 1.41)
rubocop-factory_bot (2.25.1)
rubocop (~> 1.41)
rubocop-performance (1.20.2)
rubocop (>= 1.48.1, < 2.0)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rails (2.23.1)
activesupport (>= 4.2.0)
rack (>= 1.1)
rubocop (>= 1.33.0, < 2.0)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rspec (2.26.1)
rubocop (~> 1.40)
rubocop-capybara (~> 2.17)
rubocop-factory_bot (~> 2.22)
ruby-graphviz (1.2.5)
rexml
ruby-progressbar (1.13.0)
ruby-vips (2.2.0)
ffi (~> 1.12)
ruby2_keywords (0.0.5)
rubyzip (2.3.2)
saml_idp (0.16.0)
activesupport (>= 5.2)
builder (>= 3.0)
nokogiri (>= 1.6.2)
rexml
xmlenc (>= 0.7.1)
sanitize (6.1.0)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
sass (3.7.4)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sassc (2.4.0)
ffi (~> 1.9)
sassc-rails (2.1.2)
railties (>= 4.0.0)
sassc (>= 2.0)
sprockets (> 3.0)
sprockets-rails
tilt
scss_lint (0.60.0)
sass (~> 3.5, >= 3.5.5)
selectize-rails (0.12.6)
selenium-devtools (0.121.0)
selenium-webdriver (~> 4.2)
selenium-webdriver (4.17.0)
base64 (~> 0.2)
rexml (~> 3.2, >= 3.2.5)
rubyzip (>= 1.2.2, < 3.0)
websocket (~> 1.0)
sentry-delayed_job (5.16.1)
delayed_job (>= 4.0)
sentry-ruby (~> 5.16.1)
sentry-rails (5.16.1)
railties (>= 5.0)
sentry-ruby (~> 5.16.1)
sentry-ruby (5.16.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
sentry-sidekiq (5.16.1)
sentry-ruby (~> 5.16.1)
sidekiq (>= 3.0)
shoulda-matchers (6.1.0)
activesupport (>= 5.2.0)
sib-api-v3-sdk (9.1.0)
addressable (~> 2.3, >= 2.3.0)
json (~> 2.1, >= 2.1.0)
typhoeus (~> 1.0, >= 1.0.1)
sidekiq (7.2.1)
concurrent-ruby (< 2)
connection_pool (>= 2.3.0)
rack (>= 2.2.4)
redis-client (>= 0.19.0)
simple_xlsx_reader (1.0.4)
nokogiri
rubyzip
simpleidn (0.2.1)
unf (~> 0.1.4)
sinatra (3.2.0)
mustermann (~> 3.0)
rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.2.0)
tilt (~> 2.0)
skylight (6.0.3)
activesupport (>= 5.2.0)
smart_properties (1.17.0)
spreadsheet_architect (5.0.0)
caxlsx (>= 3.3.0, < 4)
rodf (>= 1.0.0, < 2)
spring (4.1.3)
spring-commands-rspec (1.0.4)
spring (>= 0.9.1)
sprockets (4.2.1)
concurrent-ruby (~> 1.0)
rack (>= 2.2.4, < 4)
sprockets-rails (3.4.2)
actionpack (>= 5.2)
activesupport (>= 5.2)
sprockets (>= 3.0.0)
stackprof (0.2.26)
stringio (3.1.0)
strong_migrations (1.7.0)
activerecord (>= 5.2)
swd (2.0.3)
activesupport (>= 3)
attr_required (>= 0.0.5)
faraday (~> 2.0)
faraday-follow_redirects
sysexits (1.2.0)
temple (0.8.2)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
thor (1.3.0)
thread_safe (0.3.6)
tilt (2.3.0)
timecop (0.9.8)
timeout (0.4.1)
ttfunk (1.7.0)
turbo-rails (2.0.2)
actionpack (>= 6.0.0)
activejob (>= 6.0.0)
railties (>= 6.0.0)
typhoeus (1.4.1)
ethon (>= 0.9.0)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
ulid-ruby (1.0.2)
unf (0.1.4)
unf_ext
unf_ext (0.0.9.1)
unicode-display_width (2.5.0)
uri (0.13.0)
validate_url (1.0.15)
activemodel (>= 3.0.0)
public_suffix
vcr (6.2.0)
view_component (3.10.0)
activesupport (>= 5.2.0, < 8.0)
concurrent-ruby (~> 1.0)
method_source (~> 1.0)
virtus (2.0.0)
axiom-types (~> 0.1)
coercible (~> 1.0)
descendants_tracker (~> 0.0, >= 0.0.3)
vite_rails (3.0.17)
railties (>= 5.1, < 8)
vite_ruby (~> 3.0, >= 3.2.2)
vite_ruby (3.5.0)
dry-cli (>= 0.7, < 2)
rack-proxy (~> 0.6, >= 0.6.1)
zeitwerk (~> 2.2)
warden (1.2.9)
rack (>= 2.0.9)
web-console (4.2.1)
actionview (>= 6.0.0)
activemodel (>= 6.0.0)
bindex (>= 0.4.0)
railties (>= 6.0.0)
webfinger (2.1.3)
activesupport
faraday (~> 2.0)
faraday-follow_redirects
webmock (3.20.0)
addressable (>= 2.8.0)
crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0)
websocket (1.2.10)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
xmlenc (0.8.0)
activemodel (>= 3.0.0)
activesupport (>= 3.0.0)
nokogiri (>= 1.6.0, < 2.0.0)
xmlmapper (>= 0.7.3)
xmlmapper (0.8.1)
nokogiri (~> 1.11)
xpath (3.2.0)
nokogiri (~> 1.8)
zeitwerk (2.6.13)
zip_tricks (5.6.0)
zipline (1.5.0)
actionpack (>= 6.0, < 8.0)
content_disposition (~> 1.0)
zip_tricks (>= 4.2.1, < 6.0)
zxcvbn-ruby (1.2.0)
PLATFORMS
ruby
DEPENDENCIES
aasm
acsv
active_model_serializers
active_storage_validations
activestorage-openstack
addressable
administrate
administrate-field-enum
after_party
ancestry
anchored
axe-core-rspec
bcrypt
benchmark-ips
bootsnap (>= 1.4.4)
brakeman
browser
capybara
capybara-email
capybara-screenshot
charlock_holmes
chartkick
chunky_png
clamav-client
daemons
deep_cloneable
delayed_cron_job
delayed_job_active_record
delayed_job_web
devise!
devise-i18n
devise-two-factor
discard
dotenv-rails
dry-monads
factory_bot
faraday-jwt
flipper
flipper-active_record
flipper-active_support_cache_store
flipper-ui
fugit
geo_coord
geocoder
gitlab-sidekiq-fetcher!
gon
graphql (= 2.0.24)
graphql-batch (= 0.5.1)
graphql-rails_logger
graphql-schema_comparator
groupdate
haml-lint
haml-rails
hashie
http_accept_language
i18n-tasks
i18n_data
iban-tools
image_processing
invisible_captcha
irb
json_schemer
jwt
kaminari
kredis
launchy
letter_opener_web
listen
lograge
logstash-event
maintenance_tasks
matrix
memory_profiler
mina
mini_magick
net-imap
net-pop
net-smtp
openid_connect
parsby
pg
phonelib
prawn-rails
premailer-rails
puma
pundit
rack-attack
rack-mini-profiler
rack_session_access
rails (~> 7.0.8)
rails-controller-testing
rails-erd
rails-i18n
rake-progressbar
redcarpet
redis
rexml
rqrcode
rspec-rails
rspec-retry
rspec_junit_formatter
rubocop
rubocop-performance
rubocop-rails
rubocop-rspec
saml_idp
sassc-rails
scss_lint
selenium-devtools
selenium-webdriver
sentry-delayed_job
sentry-rails
sentry-ruby
sentry-sidekiq
shoulda-matchers
sib-api-v3-sdk
sidekiq
simple_xlsx_reader
skylight
spreadsheet_architect
spring
spring-commands-rspec
stackprof
strong_migrations
timecop
turbo-rails
typhoeus
ulid-ruby
vcr
view_component
vite_rails
warden
web-console
webmock
zipline
zxcvbn-ruby
BUNDLED WITH
2.5.4

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,66 @@
#!/usr/bin/env bash
version=
gitArgs=
while [ "$#" -gt 0 ]; do
i="$1"
shift 1
case "$i" in
--version | -v)
version="$1"
shift 1
;;
--git-args)
gitArgs="$gitArgs $1"
shift 1
;;
*)
echo "$0: unknown option \`$i'"
exit 1
;;
esac
done
# Create a working environment
CWD=$(pwd)
TMP=$(mktemp -d)
cd "$TMP"
# Fetch the latest source or the required version
gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
if [ -n "$version" ]; then
git clone --depth 1 --branch $version $gitUrl .
else
git clone --depth 1 $gitUrl .
version="$(git rev-parse HEAD)"
fi
# Generate gemset.nix
nix-shell -p bundix --run "bundix -l" >/dev/null
# Copy the new files
cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
# Print the new source details
SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
# Print Yarn deps hash
hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
cat <<EOF >"$CWD/meta.nix"
{
version = "$version";
src-hash = "$SRC_HASH";
deps-hash = "$DEPS_HASH";
}
EOF
nixfmt "$CWD"
rm -rf "$TMP"

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
@ -18,9 +14,9 @@ in
settings = {
"auth.generic_oauth" = {
api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo";
api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
auth_url = "https://sso.dgnum.eu/ui/oauth2";
client_id = "dgn_grafana";
client_id = "grafana_dgn";
client_secret = file "oauth_client_secret";
enabled = true;
id_token_attribute_name = "sub";
@ -73,11 +69,17 @@ in
}
];
};
};
dgn-web.simpleProxies.grafana = {
inherit host port;
proxyWebsockets = true;
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
age-secrets.autoMatch = [ "grafana" ];

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
@ -33,6 +29,16 @@ in
};
};
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = {
enable = true;
@ -47,11 +53,6 @@ in
};
};
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc"
"hedgedoc/uploads"

View file

@ -1,8 +1,4 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{ config, lib, ... }:
{
imports = [ ./module.nix ];
@ -10,15 +6,6 @@
services.k-radius = {
enable = true;
domain = "radius.dgnum.eu";
radiusClients = {
ap = {
ipaddr = "0.0.0.0/0";
secret = config.age.secrets."radius-ap-radius-secret_file".path;
};
};
settings = {
# URL to the Kanidm server
uri = "https://sso.dgnum.eu";
@ -53,6 +40,18 @@
};
authTokenFile = config.age.secrets."radius-auth_token_file".path;
privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;
certs = builtins.listToAttrs (
builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [
"ca"
"cert"
"dh"
"key"
]
);
radiusClients = { };
};
age-secrets.autoMatch = [ "radius" ];

View file

@ -0,0 +1,196 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
settingsFormat = pkgs.formats.toml { };
py-pkgs = import ./packages/python { inherit pkgs; };
pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = types.package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = types.path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = types.path;
description = "File to the auth token for the service account.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
options = {
secret = mkOption { type = types.path; };
ipaddr = mkOption { type = types.str; };
};
}
);
default = { };
description = "A mapping of clients and their authentication tokens.";
};
certs = {
ca = mkOption {
type = types.str;
description = "The signing CA of the RADIUS certificate.";
};
dh = mkOption {
type = types.str;
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
};
cert = mkOption {
type = types.str;
description = "The certificate for the RADIUS server.";
};
key = mkOption {
type = types.str;
description = "The signing key for the RADIUS certificate.";
};
};
privateKeyPasswordFile = mkOption { type = types.path; };
};
config = mkIf cfg.enable {
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
services.k-radius.settings = {
ca_path = cfg.certs.ca;
radius_cert_path = cfg.certs.cert;
radius_key_path = cfg.certs.key;
radius_dh_path = cfg.certs.dh;
radius_ca_path = cfg.certs.ca;
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network.target" ];
preStart = ''
cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
chmod -R u+w ${cfg.configDir}
# disable auth via methods kanidm doesn't support
rm ${cfg.configDir}/mods-available/sql
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
# write the clients configuration
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
# Write the password of the private_key in the eap module
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
path = [
pkgs.openssl
pkgs.gnused
];
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
Group = "radius";
DynamicUser = true;
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
];
};
};
};
}

View file

@ -0,0 +1,52 @@
{
lib,
fetchFromGitHub,
python3,
pydantic,
}:
let
pname = "kanidm";
version = "0.0.3";
in
python3.pkgs.buildPythonPackage {
inherit pname version;
format = "pyproject";
disabled = python3.pythonOlder "3.8";
src =
(fetchFromGitHub {
owner = pname;
repo = pname;
# Latest 1.1.0-rc.15 tip
rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
})
+ "/pykanidm";
nativeBuildInputs = with python3.pkgs; [ poetry-core ];
propagatedBuildInputs = with python3.pkgs; [
aiohttp
pydantic
toml
(authlib.overridePythonAttrs (_: {
doCheck = false;
}))
];
doCheck = false;
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm client library";
homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
license = licenses.mpl20;
maintainers = with maintainers; [
arianvp
hexa
];
};
}

View file

@ -0,0 +1,18 @@
diff --git a/pyproject.toml b/pyproject.toml
index 1602e32..507048d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,13 +72,6 @@ filterwarnings = [
]
timeout = 30
xfail_strict = true
-# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
-addopts = [
- '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
- '--benchmark-group-by', 'group',
- '--benchmark-warmup', 'on',
- '--benchmark-disable', # this is enable by `make benchmark` when you actually want to run benchmarks
-]
[tool.coverage.run]
source = ['pydantic_core']

View file

@ -0,0 +1,20 @@
{ pkgs }:
let
inherit (pkgs) lib;
callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
self = builtins.listToAttrs (
builtins.map
(name: {
inherit name;
value = callPackage (./. + "/${name}.nix") { };
})
[
"pydantic"
"pydantic-core"
]
);
in
self

View file

@ -0,0 +1,84 @@
{
stdenv,
lib,
buildPythonPackage,
fetchFromGitHub,
cargo,
rustPlatform,
rustc,
libiconv,
typing-extensions,
pytestCheckHook,
hypothesis,
pytest-timeout,
pytest-mock,
dirty-equals,
}:
let
pydantic-core = buildPythonPackage rec {
pname = "pydantic-core";
version = "2.14.5";
format = "pyproject";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic-core";
rev = "refs/tags/v${version}";
hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
};
patches = [ ./01-remove-benchmark-flags.patch ];
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
};
nativeBuildInputs = [
cargo
rustPlatform.cargoSetupHook
rustPlatform.maturinBuildHook
rustc
typing-extensions
];
buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
propagatedBuildInputs = [ typing-extensions ];
pythonImportsCheck = [ "pydantic_core" ];
# escape infinite recursion with pydantic via dirty-equals
doCheck = false;
passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
nativeCheckInputs = [
pytestCheckHook
hypothesis
pytest-timeout
dirty-equals
pytest-mock
];
disabledTests = [
# RecursionError: maximum recursion depth exceeded while calling a Python object
"test_recursive"
];
disabledTestPaths = [
# no point in benchmarking in nixpkgs build farm
"tests/benchmarks"
];
meta = with lib; {
changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
description = "Core validation logic for pydantic written in rust";
homepage = "https://github.com/pydantic/pydantic-core";
license = licenses.mit;
maintainers = with maintainers; [ blaggacao ];
};
};
in
pydantic-core

View file

@ -0,0 +1,92 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
pythonOlder,
# build-system
hatchling,
hatch-fancy-pypi-readme,
# native dependencies
libxcrypt,
# dependencies
annotated-types,
pydantic-core,
typing-extensions,
# tests
cloudpickle,
email-validator,
dirty-equals,
faker,
pytestCheckHook,
pytest-mock,
}:
buildPythonPackage rec {
pname = "pydantic";
version = "2.5.2";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic";
rev = "refs/tags/v${version}";
hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
};
buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
nativeBuildInputs = [
hatch-fancy-pypi-readme
hatchling
];
propagatedBuildInputs = [
annotated-types
pydantic-core
typing-extensions
];
passthru.optional-dependencies = {
email = [ email-validator ];
};
nativeCheckInputs = [
cloudpickle
dirty-equals
faker
pytest-mock
pytestCheckHook
] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
preCheck = ''
export HOME=$(mktemp -d)
substituteInPlace pyproject.toml \
--replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
--replace "'--benchmark-group-by', 'group'," "" \
--replace "'--benchmark-warmup', 'on'," "" \
--replace "'--benchmark-disable'," ""
'';
disabledTestPaths = [
"tests/benchmarks"
# avoid cyclic dependency
"tests/test_docs.py"
];
pythonImportsCheck = [ "pydantic" ];
meta = with lib; {
description = "Data validation and settings management using Python type hinting";
homepage = "https://github.com/pydantic/pydantic";
changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
license = licenses.mit;
maintainers = with maintainers; [ wd15 ];
};
}

View file

@ -1,13 +1,13 @@
diff --git a/mods-available/python3 b/mods-available/python3
diff --git a/rlm_python/mods-available/python3 b/rlm_python/mods-available/python3
index 978536f8a..90c71fca0 100644
--- a/mods-available/python3
+++ b/mods-available/python3
--- a/rlm_python/mods-available/python3
+++ b/rlm_python/mods-available/python3
@@ -13,7 +13,7 @@ python3 {
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
- python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/"
+ python_path="@pythonPath@:/etc/raddb/mods-config/python3/"
+ python_path="@kanidm_python@:/etc/raddb/mods-config/python3/"
module = "kanidm.radius"
# python_path = ${modconfdir}/${.:name}

View file

@ -0,0 +1,45 @@
{
stdenv,
fetchFromGitHub,
python3,
pykanidm,
}:
let
pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.15";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
};
patches = [ ./python_path.patch ];
postPatch = ''
substituteInPlace rlm_python/mods-available/python3 \
--replace "@kanidm_python@" "${pythonPath}"
'';
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
preferLocalBuild = true;
}

View file

@ -0,0 +1,89 @@
{ config, sources, ... }:
let
domain = "sso.dgnum.eu";
cert = config.security.acme.certs.${domain};
allowedSubDomains = [
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
];
in
{
services.kanidm = {
enableServer = true;
package = (import sources.nixos-unstable { }).kanidm;
serverSettings = {
inherit domain;
origin = "https://${domain}";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
};
users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = {
enable = true;
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
set $origin $http_origin;
if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
set $origin 'https://${domain}';
}
proxy_hide_header Access-Control-Allow-Origin;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
networking.firewall.allowedUDPPorts = [ 636 ];
dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
}

View file

@ -0,0 +1,9 @@
let
lib = import ../../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
@ -18,7 +14,7 @@ in
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
(old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-J/whSL1keEZKkfOtHpkJ2vSrN/s+DpUGb6RBXpQZQXg=";
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
});
hostname = host;

View file

@ -1,50 +1,63 @@
diff --git a/composer.json b/composer.json
index af8168f4c..1775f150e 100644
index 13571c07c..dbe810a57 100644
--- a/composer.json
+++ b/composer.json
@@ -54,6 +54,7 @@
@@ -11,6 +11,12 @@
"snmp",
"distributed"
],
+ "repositories": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/Tom-Hubrecht/Kanidm"
+ }
+ ],
"homepage": "https://www.librenms.org/",
"license": "GPL-3.0-or-later",
"require": {
@@ -49,6 +55,7 @@
"phpmailer/phpmailer": "~6.0",
"predis/predis": "^2.0",
"silber/bouncer": "^1.0",
+ "socialiteproviders/kanidm": "^5.0",
+ "socialiteproviders/kanidm": "^0.1.4",
"socialiteproviders/manager": "^4.3",
"spatie/laravel-ignition": "^2.0",
"symfony/yaml": "^6.2",
diff --git a/composer.lock b/composer.lock
index 3d89a1530..a00c5f307 100644
index b26090101..aa1fd3cef 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "fee5d24447dced4397e26066f8c9ee59",
+ "content-hash": "b9316a47587c8e6f6b0adbe3d54777f3",
- "content-hash": "21dbcfec63eafb1ae9172473314a57f8",
+ "content-hash": "16c250180b65a1f71acd5653914d7037",
"packages": [
{
"name": "amenadiel/jpgraph",
@@ -5906,6 +5906,56 @@
@@ -5244,6 +5244,55 @@
},
"time": "2023-02-10T16:47:25+00:00"
},
+ {
+ "name": "socialiteproviders/kanidm",
+ "version": "5.0.0",
+ "version": "v0.1.4",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/SocialiteProviders/Kanidm.git",
+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd"
+ "url": "https://github.com/Tom-Hubrecht/Kanidm.git",
+ "reference": "b87d75b8342e00c46ef1c29c42e92b629bb206b1"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/SocialiteProviders/Kanidm/zipball/111ad45941e7150e3219ddfdeb8159f758bde2fd",
+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd",
+ "url": "https://api.github.com/repos/Tom-Hubrecht/Kanidm/zipball/b87d75b8342e00c46ef1c29c42e92b629bb206b1",
+ "reference": "b87d75b8342e00c46ef1c29c42e92b629bb206b1",
+ "shasum": ""
+ },
+ "require": {
+ "ext-json": "*",
+ "php": "^8.0",
+ "socialiteproviders/manager": "^4.4"
+ "socialiteproviders/manager": "^4.3"
+ },
+ "type": "library",
+ "autoload": {
@ -52,7 +65,6 @@ index 3d89a1530..a00c5f307 100644
+ "SocialiteProviders\\Kanidm\\": ""
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
@ -71,12 +83,19 @@ index 3d89a1530..a00c5f307 100644
+ "socialite"
+ ],
+ "support": {
+ "docs": "https://socialiteproviders.com/kanidm",
+ "issues": "https://github.com/socialiteproviders/providers/issues",
+ "source": "https://github.com/socialiteproviders/providers"
+ "source": "https://github.com/socialiteproviders/providers",
+ "docs": "https://socialiteproviders.com/kanidm"
+ },
+ "time": "2024-02-19T19:49:21+00:00"
+ "time": "2024-02-18T14:12:08+00:00"
+ },
{
"name": "socialiteproviders/manager",
"version": "v4.6.0",
"version": "v4.3.0",
@@ -13357,5 +13406,5 @@
"ext-zlib": "*"
},
"platform-dev": [],
- "plugin-api-version": "2.3.0"
+ "plugin-api-version": "2.6.0"
}

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,

View file

@ -1,8 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
@ -14,12 +9,8 @@ in
localDomain = host;
smtp = {
fromAddress = "noreply@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
user = "web-services@infra.dgnum.eu";
passwordFile = config.age.secrets.mastodon-smtp-password.path;
authenticate = true;
# TODO: smtp setup
fromAddress = "social@services.dgnum.eu";
};
streamingProcesses = 4;
@ -31,8 +22,6 @@ in
# LOCAL_DOMAIN = "dgnum.eu";
WEB_DOMAIN = host;
SMTP_TLS = "true";
RAILS_LOG_LEVEL = "warn";
# ObjectStorage configuration

View file

@ -0,0 +1,215 @@
{ config, pkgs, ... }:
let
host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
in
{
services.nextcloud = {
enable = true;
hostName = host;
package = pkgs.nextcloud28;
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
defaultPhoneRegion = "FR";
trustedProxies = [ "::1" ];
objectstore.s3 = {
enable = true;
hostname = "s3.dgnum.eu";
region = "garage";
usePathStyle = true;
port = 443;
bucket = "nextcloud-dgnum";
key = "GKda5367c73ca607c349d83c35";
verify_bucket_exists = false;
secretFile = config.age.secrets."nextcloud-s3_secret_file".path;
};
};
maxUploadSize = "4G";
poolSettings = {
pm = "dynamic";
"pm.max_children" = 64;
"pm.max_requests" = "500";
"pm.max_spare_servers" = "8";
"pm.min_spare_servers" = "4";
"pm.start_servers" = "6";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
database.createLocally = true;
configureRedis = true;
autoUpdateApps.enable = true;
extraOptions = {
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
allow_local_remote_servers = true;
maintenance_window_start = 1;
"memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}";
"memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
};
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
};
virtualisation.oci-containers = {
# # Since 22.05, the default driver is podman but it doesn't work
# # with podman. It would however be nice to switch to podman.
# backend = "docker";
containers.collabora = {
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
};
ports = [ "9980:9980" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
};
extraOptions = [
"--cap-add"
"MKNOD"
"--cap-add"
"SYS_ADMIN"
];
};
};
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_max_temp_file_size 4096m;
'';
};
"code.dgnum.eu" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
};
};
systemd.services = {
nextcloud-preview = {
description = "Generate preview for nextcloud media.";
script = "${nextcloud-occ} preview:pre-generate -vvv";
startAt = "*-*-* 01:00:00 UTC";
serviceConfig = {
Restart = "on-failure";
};
};
nextcloud-cron.path = [ pkgs.perl ];
};
environment.systemPackages = [ pkgs.ffmpeg_6-headless ];
networking.hosts = {
"129.199.146.148" = [ "s3.dgnum.eu" ];
};
age-secrets.autoMatch = [ "nextcloud" ];
system.activationScripts = {
restart-nextcloud.text = ''
if [ "$(${pkgs.systemd}/bin/systemctl is-active phpfpm-nextcloud)" == "active" ]; then
${pkgs.systemd}/bin/systemctl restart phpfpm-nextcloud
fi
'';
};
dgn-backups.jobs.nextcloud.settings.paths = [ "/var/lib/nextcloud" ];
dgn-backups.postgresDatabases = [ "nextcloud" ];
}

View file

@ -1,12 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
host = "docs.dgnum.eu";
port = 3003;
in
{
services.outline = {
@ -28,10 +23,10 @@ in
publicUrl = "https://${host}";
oidcAuthentication = {
clientId = "dgn_outline";
clientId = "outline_dgn";
authUrl = "https://sso.dgnum.eu/ui/oauth2";
tokenUrl = "https://sso.dgnum.eu/oauth2/token";
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/dgn_outline/userinfo";
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
displayName = "DGNum SSO";
clientSecretFile = config.age.secrets."outline-oidc_client_secret_file".path;
@ -40,12 +35,21 @@ in
defaultLanguage = "fr_FR";
forceHttps = false;
inherit port;
port = 3003;
};
dgn-web.simpleProxies.outline = {
inherit host port;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
};
age-secrets.autoMatch = [ "outline" ];

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let

View file

@ -1,20 +1,17 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
host = "saml-idp.dgnum.eu";
port = 8090;
in
{
imports = [ ./module.nix ];
services.satosa = {
enable = true;
inherit host port;
inherit host;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path;
@ -151,8 +148,9 @@ in
};
};
dgn-web.simpleProxies.satosa = {
inherit host port;
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
};
age-secrets.autoMatch = [ "satosa" ];

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
@ -194,6 +190,14 @@ in
};
};
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = {
isSystemUser = true;
group = "satosa";

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs }:
let

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

View file

@ -1,7 +1,3 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,

View file

@ -1,11 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
python3,
fetchFromGitHub,
fetchPypi,
cookies-samesite-compat,
pyop,
}:
@ -15,13 +11,17 @@ python3.pkgs.buildPythonPackage rec {
version = "8.4.0";
pyproject = true;
src = fetchFromGitHub {
owner = "IdentityPython";
repo = "SATOSA";
rev = "v${version}";
hash = "sha256-q7XmZ3EnAFO1OXIhXIF4Vd0H8uaayFIHFZpWiZUsAFA=";
src = fetchPypi {
pname = "SATOSA";
inherit version;
hash = "sha256-KREROjb157RJJVRr9YefzoR/eflR/U7ZmG6yOH5DjcU=";
};
nativeBuildInputs = [
python3.pkgs.setuptools
python3.pkgs.wheel
];
propagatedBuildInputs = with python3.pkgs; [
chevron
click
@ -50,7 +50,7 @@ python3.pkgs.buildPythonPackage rec {
description = "Protocol proxy (SAML/OIDC)";
homepage = "https://pypi.org/project/SATOSA";
license = licenses.asl20;
maintainers = with maintainers; [ thubrecht ];
maintainers = with maintainers; [ ];
mainProgram = "satosa";
};
}

Some files were not shown because too many files have changed in this diff Show more