DGNum/infrastructure
13
6
Fork 3
Code Issues 19 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:npins-update
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:netbox-agent
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
lbailly:nat
lbailly:main
lbailly:firewall
lbailly:ulogd
lbailly:dns_for_rescue01
lbailly:systemd_notify
lbailly:npins-update
lbailly:liminix-v1
..
compare: lbailly:systemd_notify
Branches Tags
lbailly:nat
lbailly:main
lbailly:firewall
lbailly:ulogd
lbailly:dns_for_rescue01
lbailly:systemd_notify
lbailly:npins-update
lbailly:liminix-v1
DGNum:main
DGNum:npins-update
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:netbox-agent
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix

1 commit
main ... systemd_no

Author SHA1 Message Date
sinavir
e06472d2a4 feat(monitoring): Add simple systemd monitoring
All checks were successful
lint / check (push) Successful in 24s
Details
build configuration / build_vault01 (pull_request) Successful in 1m5s
Details
build configuration / build_storage01 (pull_request) Successful in 1m7s
Details
build configuration / build_compute01 (pull_request) Successful in 1m12s
Details
build configuration / build_web02 (pull_request) Successful in 54s
Details
build configuration / build_web01 (pull_request) Successful in 1m31s
Details
build configuration / build_rescue01 (pull_request) Successful in 51s
Details
2024-04-03 18:00:10 +02:00
234 changed files with 3123 additions and 11946 deletions
Show stats Expand all files Collapse all files

3
.forgejo/workflows/check-meta.yaml
View file

@ -1,8 +1,5 @@
name: Check meta
on:
pull_request:
branches:
- main
push:
paths:
- 'meta/*'

3
.forgejo/workflows/ds-fr.yaml
View file

@ -1,7 +1,8 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
# Run at 8 o'clock every day
- cron: "26 18 * * *"
jobs:
npins_update:

190
.forgejo/workflows/eval.yaml
View file

@ -9,192 +9,62 @@ on:
- main
jobs:
build_and_cache_compute01:
build_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "compute01"
- name: Build compute01
run: |
# Enter the shell
nix-shell --run 'colmena build --on compute01'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: paths.txt
build_and_cache_storage01:
build_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "storage01"
- name: Build storage01
run: |
# Enter the shell
nix-shell --run 'colmena build --on storage01'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: paths.txt
build_and_cache_rescue01:
build_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "rescue01"
- name: Build vault01
run: |
# Enter the shell
nix-shell --run 'colmena build --on vault01'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: paths.txt
build_and_cache_geo01:
build_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo01"
- name: Build web01
run: |
# Enter the shell
nix-shell --run 'colmena build --on web01'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: paths.txt
build_and_cache_geo02:
build_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo02"
- name: Build web02
run: |
# Enter the shell
nix-shell --run 'colmena build --on web02'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: paths.txt
build_and_cache_vault01:
build_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "vault01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: paths.txt
build_and_cache_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: paths.txt
build_and_cache_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web03"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "bridge01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
- name: Build rescue01
run: |
# Enter the shell
nix-shell --run 'colmena build --on rescue01'

4
.forgejo/workflows/lint.yaml
View file

@ -1,5 +1,5 @@
name: lint
on: [push, pull_request]
on: push
jobs:
check:
@ -8,4 +8,4 @@ jobs:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.

111
README.md
View file

@ -3,115 +3,6 @@
The dgnum infrastructure.
# Contributing
Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
You're expected to read this document before commiting to the repo.
Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Using the binary cache
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
```
{ lib, ... }:
let
dgnum-infra = PINNED_PATH_TO_INFRA;
in {
nix.settings = (import dgnum-infra { }).mkCacheSettings {
caches = [ "infra" ];
};
}
```
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
(import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02
]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.

67
default.nix
View file

@ -34,36 +34,26 @@
termes.
*/
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
}:
let
git-checks = (import (builtins.storePath sources.git-hooks)).run {
sources = import ./npins;
pkgs = import sources.nixpkgs { };
pre-commit-check = (import sources.pre-commit-hooks).run {
src = ./.;
hooks = {
statix = {
# Nix Hooks
statix.enable = true;
deadnix.enable = true;
rfc101 = {
enable = true;
stages = [ "pre-push" ];
settings.ignore = [
"**/lon.nix"
"**/npins"
];
};
deadnix = {
enable = true;
stages = [ "pre-push" ];
};
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
name = "RFC-101 formatting";
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
files = "\\.nix$";
};
# Misc Hooks
commitizen.enable = true;
};
};
@ -76,27 +66,26 @@ in
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
}))
pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (import ./scripts { inherit pkgs; });
packages =
(
with pkgs;
[
npins
nixos-generators
]
++ (builtins.map (p: callPackage p { }) [
(sources.disko + "/package.nix")
./lib/colmena
])
)
++ (import ./scripts { inherit pkgs; });
shellHook = ''
${git-checks.shellHook}
${pre-commit-check.shellHook}
'';
preferLocalBuild = true;
@ -106,7 +95,7 @@ in
name = "pre-commit-shell";
shellHook = ''
${git-checks.shellHook}
${pre-commit-check.shellHook}
'';
};
};

93
hive.nix
View file

@ -1,113 +1,78 @@
let
sources' = import ./npins;
sources = import ./npins;
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
lib = import (sources.nix-lib + "/src/trivial.nix");
nix-lib = import ./lib/nix-lib;
patch = import ./lib/nix-patches { patchFile = ./patches; };
patch = import sources.nix-patches { patchFile = ./patches; };
nodes' = import ./meta/nodes.nix;
nodes = builtins.attrNames nodes';
mkNode = node: {
# Import the base configuration for each node
imports = [ ./machines/${node}/_configuration.nix ];
imports = builtins.map (lib.mkRel (./machines/${node})) [
"_configuration.nix"
"_hardware-configuration.nix"
];
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
mkNixpkgs =
node:
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
src = sources.${version};
version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
};
# Instanciates the required nixpkgs version
mkNixpkgs = version: import (mkNixpkgs' version) { };
mkNixpkgs' = node: import (mkNixpkgs node) { };
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = nixpkgs.${version node}.lib // {
extra = nix-lib;
lib = import sources.nix-lib {
inherit (mkNixpkgs' node) lib;
keysRoot = ./keys;
};
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
};
in
# nodes = builtins.attrNames metadata.nodes;
{
meta = {
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
specialArgs = {
inherit nixpkgs sources;
dgn-keys = import ./keys;
inherit sources;
};
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
};
defaults =
{
pkgs,
name,
nodeMeta,
...
}:
{ meta, name, ... }:
{
# Import the default modules
imports = [
./modules
(import "${sources.lix-module}/module.nix" {
lix = pkgs.applyPatches {
name = "lix-2.90.patched";
src = sources.lix;
patches = [ ./patches/00-disable-installChecks-lix.patch ];
};
})
];
imports = [ ./modules ];
# Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ];
age-secrets.sources = [ (./machines + "/${name}/secrets") ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
inherit (meta.nodes.${name}) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
# Set NIX_PATH to the patched version of nixpkgs
nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
nix.optimise.automatic = true;
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
inherit (meta.nodes.${name}) stateVersion;
};
};
}
// (nix-lib.mapSingleFuse mkNode nodes)
// (lib.mapSingleFuse mkNode nodes)

2
iso/build-iso.sh
View file

@ -1,5 +1,5 @@
#!/usr/bin/env bash
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
NIXPKGS=$(nix-build nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

11
iso/configuration.nix
View file

@ -1,9 +1,9 @@
{ lib, pkgs, ... }:
let
dgn-keys = import ../keys;
dgn-lib = import ../lib { };
dgn-members = (import ../meta lib).organization.groups.root;
dgn-members = (import ../meta).members.groups.iso;
in
{
@ -11,7 +11,7 @@ in
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_6_1;
tmp.cleanOnBoot = true;
loader = {
@ -22,7 +22,6 @@ in
supportedFilesystems = [
"exfat"
"zfs"
"bcachefs"
];
swraid.enable = lib.mkForce false;
@ -34,5 +33,7 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
}

3
iso/nixpkgs.nix
View file

@ -1,6 +1,5 @@
let
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";
inherit (import ../npins) nixpkgs;
in
(import nixpkgs { }).srcOnly {

84
keys/default.nix
View file

@ -1,84 +0,0 @@
let
_sources = import ../npins;
meta = import ../meta (import _sources.nixpkgs { }).lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}

2
keys/gdd.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

2
keys/jemagius.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=

2
keys/luj.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

1
keys/machines/compute01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu

1
keys/machines/geo01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4

1
keys/machines/geo02.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket

1
keys/machines/rescue01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf

1
keys/machines/storage01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ

1
keys/machines/vault01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW

1
keys/machines/web01.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5

1
keys/machines/web02.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm

1
keys/mdebray.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris

3
keys/raito.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

3
keys/thubrecht.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn

33
lib/default.nix Normal file
View file

@ -0,0 +1,33 @@
_:
let
sources = import ../npins;
lib = import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
keysRoot = ../keys;
};
meta = import ../meta lib;
inherit (lib.extra) getAllKeys;
in
lib.extra
// rec {
# Get publickeys associated to a node
getNodeKeys =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (getAllKeys names);
rootKeys = getAllKeys meta.organization.groups.root;
machineKeys =
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
}

197
lib/nix-lib/default.nix
View file

@ -1,197 +0,0 @@
# Copyright Tom Hubrecht, (2023)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
let
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec {
inherit (import ./nixpkgs.nix)
flip
hasPrefix
recursiveUpdate
splitString
unique
;
/*
Fuses a list of attribute sets into a single attribute set.
Type: [attrs] -> attrs
Example:
x = [ { a = 1; } { b = 2; } ]
fuseAttrs x
=> { a = 1; b = 2; }
*/
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
/*
Applies a function to `attrsList` before fusing the resulting list
of attribute sets.
Type: ('a -> attrs) -> ['a] -> attrs
Example:
x = [ "to" "ta" "ti" ]
f = s: { ${s} = s + s; }
mapFuse f x
=> { to = "toto"; ta = "tata"; ti = "titi"; }
*/
mapFuse =
# 'a -> attrs
f:
# ['a]
attrsList:
fuseAttrs (builtins.map f attrsList);
/*
Equivalent of lib.singleton but for an attribute set.
Type: str -> 'a -> attrs
Example:
singleAttr "a" 1
=> { a = 1; }
*/
singleAttr = name: value: { ${name} = value; };
# Enables a list of modules.
enableAttrs' =
enable:
mapFuse (m: {
${m}.${enable} = true;
});
enableModules = enableAttrs' "enable";
/*
Create an attribute set from a list of values, mapping those
values through the function `f`.
Example:
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
=> { a = "val-a"; b = "val-b" }
*/
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
/*
Creates a relative path as a string
Type: path -> str -> path
Example:
mkRel /home/test/ "file.txt"
=> "/home/test/file.txt"
*/
mkRel = path: file: path + "/${file}";
setDefault =
default:
mapFuse (name: {
${name} = default;
});
mkBaseSecrets =
root:
mapFuse (secret: {
${secret}.file = mkRel root secret;
});
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
subAttr = attrs: name: attrs.${name};
subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together.
Type: [attrs] -> attrs
*/
recursiveFuse = builtins.foldl' recursiveUpdate { };
mkImport =
root: file:
let
path = mkRel root file;
in
path + (optionalString (!(builtins.pathExists path)) ".nix");
mkImports = root: builtins.map (mkImport root);
/*
Creates a confugiration by merging enabled modules,
services and extraConfig.
Example:
mkConfig {
enabledModules = [ "ht-defaults" ];
enabledServices = [ "toto" ];
extraConfig = { services.nginx.enable = true; };
root = ./.;
}
=>
{
imports = [ ./toto ];
ht-defaults.enable = true;
services.nginx.enable = true;
}
*/
mkConfig =
{
# List of modules to enable with `enableModules`
enabledModules,
# List of services to import
enabledServices,
# Extra configuration, defaults to `{ }`
extraConfig ? { },
# Path relative to which the enabled services will be imported
root,
}:
recursiveFuse [
(enableModules enabledModules)
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
extraConfig
];
}

416
lib/nix-lib/nixpkgs.nix
View file

@ -1,416 +0,0 @@
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
}

110
lib/nix-patches/default.nix
View file

@ -1,110 +0,0 @@
# Copyright Tom Hubrecht, (2023-2024)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
patchFile,
excludeGitHubManual ? true,
fetchers ? { },
}:
rec {
base =
{ pkgs }:
rec {
mkUrlPatch =
attrs:
pkgs.fetchpatch (
{
hash = pkgs.lib.fakeHash;
}
// attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
})
);
mkGitHubPatch =
{ id, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "id" ])
// {
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
}
);
mkCommitPatch =
{ sha, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "sha" ])
// {
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
}
);
patchFunctions = {
commit = mkCommitPatch;
github = mkGitHubPatch;
remote = pkgs.fetchpatch;
static = attrs: attrs.path;
url = mkUrlPatch;
} // fetchers;
mkPatch =
{
_type ? "github",
...
}@attrs:
if builtins.hasAttr _type patchFunctions then
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
else
throw "Unknown patch type: ${builtins.toString _type}.";
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
applyPatches =
{
src,
name,
patches ? mkPatches name,
}:
if patches == [ ] then
src
else
pkgs.applyPatches {
inherit patches src;
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
}

20
machines/bridge01/_configuration.nix
View file

@ -1,20 +0,0 @@
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"network"
];
extraConfig = {
services.netbird.enable = true;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};
root = ./.;
}

53
machines/bridge01/_hardware-configuration.nix
View file

@ -1,53 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, pkgs, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"sd_mod"
"sr_mod"
];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems.bcachefs = true;
};
fileSystems = {
"/" = {
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
fsType = "bcachefs";
options = [ "compression=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/4D0A-AF11";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}

79
machines/bridge01/network.nix
View file

@ -1,79 +0,0 @@
_:
{
networking = {
useNetworkd = true;
useDHCP = false;
nftables.enable = true;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};
}

3
machines/bridge01/secrets/secrets.nix
View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "bridg01" ] [
# List of secrets for bridge01
]

23
machines/compute01/_configuration.nix
View file

@ -1,42 +1,39 @@
{ lib, ... }:
lib.extra.mkConfig {
# List of modules to enable
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
# List of modules to enable
"dgn-backups"
"dgn-chatops"
"dgn-fail2ban"
"dgn-web"
];
# List of services to enable
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
# List of services to enable
"arkheon"
"dgsi"
"ds-fr"
"grafana"
"hedgedoc"
"k-radius"
"kanidm"
"librenms"
"mastodon"
"nextcloud"
"ollama-proxy"
"outline"
"plausible"
"postgresql"
"rstudio-server"
"satosa"
"signal-irc-bridge"
"signald"
"stirling-pdf"
"takumi"
"telegraf"
"vaultwarden"
"zammad"
"signald"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
dgn-hardware.useZfs = true;
services.netbird.enable = true;

222
machines/compute01/dgsi/default.nix
View file

@ -1,222 +0,0 @@
{
config,
lib,
pkgs,
utils,
sources,
...
}:
let
inherit (lib) toLower;
python =
let
python3 = pkgs.python312;
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
in
python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-allauth
django-allauth-cas
django-browser-reload
django-bulma-forms
django-sass-processor
django-sass-processor-dart-sass
django-unfold
pykanidm
python-cas
loadcredential
xlwt
;
};
};
pythonEnv = python.withPackages (
ps:
[
ps.django
ps.gunicorn
ps.psycopg
ps.django-compressor
ps.django-import-export
# Local packages
ps.django-allauth
ps.django-allauth-cas
ps.django-browser-reload
ps.django-bulma-forms
ps.django-sass-processor
ps.django-sass-processor-dart-sass
ps.django-unfold
ps.loadcredential
ps.pykanidm
ps.python-cas
]
++ ps.django-allauth.optional-dependencies.saml
);
staticDrv = pkgs.stdenv.mkDerivation {
name = "dgsi-static";
src = sources.dgsi;
sourceRoot = "source/src";
nativeBuildInputs = [
pkgs.dart-sass
pythonEnv
];
configurePhase = ''
export DGSI_STATIC_ROOT=$out/static
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
export DGSI_KANIDM_CLIENT="dgsi_test"
export DGSI_KANIDM_AUTH_TOKEN="fake.token"
export DGSI_X509_KEY=""
export DGSI_X509_CERT=""
'';
doBuild = false;
installPhase = ''
mkdir -p $out/static
python3 manage.py compilescss
python3 manage.py collectstatic
'';
};
in
{
users = {
users.nginx.extraGroups = [ "django-apps" ];
groups.django-apps = { };
};
systemd = {
services = {
dj-dgsi = {
description = "DGSI web app";
requires = [ "dj-dgsi.socket" ];
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
DynamicUser = true;
LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
"EMAIL_HOST_PASSWORD"
"KANIDM_AUTH_TOKEN"
"KANIDM_SECRET"
"SECRET_KEY"
"X509_CERT"
"X509_KEY"
];
RuntimeDirectory = "django-apps/dgsi";
StateDirectory = "django-apps/dgsi";
UMask = "0027";
User = "dj-dgsi";
Group = "django-apps";
WorkingDirectory = sources.dgsi;
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
KillMode = "mixed";
Type = "notify";
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe' pythonEnv "gunicorn")
"--workers"
4
"--bind"
"unix:/run/django-apps/dgsi.sock"
"--pythonpath"
"src"
"app.wsgi"
];
};
environment = {
DGSI_ALLOWED_HOSTS = builtins.toJSON [
"profil.dgnum.eu"
"dgsi.dgnum.eu"
];
DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
DGSI_EMAIL_USE_SSL = builtins.toJSON true;
DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
DGSI_KANIDM_CLIENT = "dgsi";
DGSI_KANIDM_URI = "https://sso.dgnum.eu";
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
DGSI_STATIC_ROOT = "${staticDrv}/static";
DGSI_DATABASES = builtins.toJSON {
default = {
ENGINE = "django.db.backends.postgresql";
NAME = "dj-dgsi";
};
};
DJANGO_SETTINGS_MODULE = "app.settings";
};
path = [ pythonEnv ];
preStart = ''
python3 src/manage.py migrate --no-input
'';
};
};
sockets."dj-dgsi" = {
description = "Socket for the DGSI Django Application";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = "/run/django-apps/dgsi.sock";
SocketMode = "600";
SocketUser = config.services.nginx.user;
};
};
mounts = [
{
where = "/run/django-apps/dgsi/media";
what = "/var/lib/django-apps/dgsi/media";
options = "bind";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
upheldBy = [ "dj-dgsi.service" ];
}
];
};
dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
services = {
postgresql = {
ensureDatabases = [ "dj-dgsi" ];
ensureUsers = [
{
name = "dj-dgsi";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."profil.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
"/static/".root = staticDrv;
"/media/".root = "/run/django-apps/dgsi";
};
};
};
}

2
machines/compute01/ds-fr/default.nix
View file

@ -6,8 +6,6 @@ in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = {
enable = true;

57
machines/compute01/ds-fr/package/default.nix
View file

@ -3,7 +3,9 @@
stdenv,
fetchFromGitHub,
git,
bun,
fetchYarnDeps,
yarn,
fixup_yarn_lock,
nodejs,
ruby_3_2,
bundlerEnv,
@ -16,7 +18,7 @@ let
inherit (lib) getExe;
# Head of the DGNum repo
dgn-id = "f270f1cdd09e643a9c666c94df1841234430de49";
dgn-id = "12e4a32ca5d909a90ca6f7e53081cc6b6b14c416";
pname = "ds-fr";
meta = import ./meta.nix;
@ -48,46 +50,20 @@ let
};
};
node_modules = stdenv.mkDerivation {
pname = "${pname}-node_modules";
inherit src version;
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
"GIT_PROXY_COMMAND"
"SOCKS_SERVER"
];
nativeBuildInputs = [ bun ];
dontConfigure = true;
buildPhase = ''
bun install --no-progress --frozen-lockfile --ignore-scripts
rm -r node_modules/.cache
# Remove inconsistent file
rm node_modules/.bin/grunt
'';
installPhase = ''
mv node_modules $out
'';
dontFixup = true;
outputHash = meta.deps-hash or lib.fakeHash;
outputHashAlgo = "sha256";
outputHashMode = "recursive";
};
dsModules = stdenv.mkDerivation {
pname = "${pname}-modules";
inherit src version;
offlineCache = fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = meta.deps-hash;
};
buildInputs = [ rubyEnv ];
nativeBuildInputs = [
bun
fixup_yarn_lock
nodejs
yarn
rubyEnv.wrappedRuby
];
@ -108,13 +84,18 @@ let
APP_HOST = "precompile_placeholder";
buildPhase = ''
cp -R ${node_modules} node_modules
chmod u+w -R node_modules
export HOME=$(mktemp -d)
yarn config --offline set yarn-offline-mirror $offlineCache
fixup_yarn_lock yarn.lock
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules
patchShebangs node_modules/
patchShebangs bin/
bin/rake assets:precompile
yarn cache clean --offline
rm -rf node_modules/
'';
installPhase = ''

6
machines/compute01/ds-fr/package/meta.nix
View file

@ -1,5 +1,5 @@
{
version = "2024-04-24-01";
src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg=";
deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8=";
version = "2024-03-26-01";
src-hash = "sha256-JLwbeCGZNFxzZnh6bcheNUkrg/51UG4IM9pln+ridSs=";
deps-hash = "sha256-ZtZ1iqKHWGPR5+BDOtOvrpgdndfP5IiqrLkju96YAM4=";
}

16
machines/compute01/ds-fr/package/rubyEnv/Gemfile
View file

@ -10,7 +10,6 @@ gem 'active_storage_validations'
gem 'addressable'
gem 'administrate'
gem 'administrate-field-enum' # Allow using Field::Enum in administrate
gem 'after_commit_everywhere'
gem 'after_party'
gem 'ancestry'
gem 'anchored'
@ -23,10 +22,10 @@ gem 'chunky_png'
gem 'clamav-client', require: 'clamav/client'
gem 'daemons'
gem 'deep_cloneable' # Enable deep clone of active record models
gem 'delayed_cron_job', require: false # Cron jobs
gem 'delayed_cron_job' # Cron jobs
gem 'delayed_job_active_record'
gem 'delayed_job_web'
gem 'devise'
gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
gem 'devise-i18n'
gem 'devise-two-factor'
gem 'discard'
@ -77,7 +76,6 @@ gem 'puma' # Use Puma as the app server
gem 'pundit'
gem 'rack-attack'
gem 'rails-i18n' # Locales par défaut
gem 'rails-pg-extras'
gem 'rake-progressbar', require: false
gem 'redcarpet'
gem 'redis'
@ -91,23 +89,15 @@ gem 'sentry-ruby'
gem 'sentry-sidekiq'
gem 'sib-api-v3-sdk'
gem 'sidekiq'
gem 'sidekiq-cron'
gem 'skylight'
gem 'spreadsheet_architect'
gem 'strong_migrations' # lint database migrations
gem 'sys-proctable'
gem 'turbo-rails'
gem 'typhoeus'
gem 'ulid-ruby', require: 'ulid'
gem 'view_component'
gem 'vite_rails'
gem 'warden'
gem 'webrick', require: false
gem 'yabeda-graphql'
gem 'yabeda-prometheus'
gem 'yabeda-puma-plugin'
gem 'yabeda-rails'
gem 'yabeda-sidekiq'
gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn'
@ -125,8 +115,6 @@ group :test do
gem 'selenium-devtools'
gem 'selenium-webdriver'
gem 'shoulda-matchers', require: false
gem 'simplecov', require: false
gem 'simplecov-cobertura', require: false
gem 'timecop'
gem 'vcr'
gem 'webmock'

214
machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock
View file

@ -6,6 +6,18 @@ GIT
json (>= 2.5)
sidekiq (~> 7.0)
GIT
remote: https://github.com/heartcombo/devise.git
revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
specs:
devise (4.9.3)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
GEM
remote: https://rubygems.org/
specs:
@ -104,15 +116,10 @@ GEM
administrate-field-enum (0.0.9)
administrate (~> 0.12)
aes_key_wrap (1.1.0)
after_commit_everywhere (1.4.0)
activerecord (>= 4.2)
activesupport
after_party (1.11.2)
ancestry (4.3.3)
activerecord (>= 5.2.6)
anchored (1.1.0)
anyway_config (2.6.3)
ruby-next-core (~> 1.0)
ast (2.4.2)
attr_required (1.0.2)
axe-core-api (4.8.2)
@ -136,7 +143,7 @@ GEM
erubi (~> 1.4)
parser (>= 2.4)
smart_properties
bigdecimal (3.1.7)
bigdecimal (3.1.6)
bindata (2.5.0)
bindex (0.8.1)
bootsnap (1.18.3)
@ -168,7 +175,7 @@ GEM
nokogiri (~> 1.10, >= 1.10.4)
rubyzip (>= 1.3.0, < 3)
charlock_holmes (0.7.7)
chartkick (5.0.6)
chartkick (5.0.5)
choice (0.2.0)
chunky_png (1.4.0)
clamav-client (3.2.0)
@ -201,12 +208,6 @@ GEM
sinatra (>= 1.4.4)
descendants_tracker (0.0.4)
thread_safe (~> 0.3, >= 0.3.1)
devise (4.9.4)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
devise-i18n (1.12.0)
devise (>= 4.9.0)
devise-two-factor (5.0.0)
@ -217,7 +218,6 @@ GEM
diff-lcs (1.5.1)
discard (1.3.0)
activerecord (>= 4.2, < 8)
docile (1.4.0)
dotenv (2.8.1)
dotenv-rails (2.8.1)
dotenv (= 2.8.1)
@ -226,7 +226,6 @@ GEM
dry-core (1.0.1)
concurrent-ruby (~> 1.0)
zeitwerk (~> 2.6)
dry-initializer (3.1.1)
dry-monads (1.6.0)
concurrent-ruby (~> 1.0)
dry-core (~> 1.0, < 2)
@ -235,7 +234,7 @@ GEM
email_validator (2.2.4)
activemodel
erubi (1.12.0)
et-orbi (1.2.11)
et-orbi (1.2.7)
tzinfo
ethon (0.16.0)
ffi (>= 1.15.0)
@ -278,7 +277,7 @@ GEM
fog-core (~> 2.1)
fog-json (>= 1.0)
formatador (1.1.0)
fugit (1.10.1)
fugit (1.9.0)
et-orbi (~> 1, >= 1.2.7)
raabro (~> 1.4)
geo_coord (0.2.0)
@ -350,7 +349,7 @@ GEM
invisible_captcha (2.2.0)
rails (>= 5.2)
io-console (0.7.2)
irb (1.12.0)
irb (1.11.2)
rdoc
reline (>= 0.4.2)
job-iteration (1.4.1)
@ -359,7 +358,7 @@ GEM
rails-dom-testing (>= 1, < 3)
railties (>= 4.2.0)
thor (>= 0.14, < 2.0)
json (2.7.2)
json (2.7.1)
json-jwt (1.16.6)
activesupport (>= 4.2)
aes_key_wrap
@ -367,15 +366,12 @@ GEM
bindata
faraday (~> 2.0)
faraday-follow_redirects
json_schemer (2.2.1)
base64
bigdecimal
json_schemer (2.1.1)
hana (~> 1.3)
regexp_parser (~> 2.0)
simpleidn (~> 0.2)
jsonapi-renderer (0.2.2)
jwt (2.8.1)
base64
jwt (2.7.1)
kaminari (1.2.2)
activesupport (>= 4.1.0)
kaminari-actionview (= 1.2.2)
@ -402,7 +398,7 @@ GEM
letter_opener (~> 1.7)
railties (>= 5.2)
rexml
listen (3.9.0)
listen (3.8.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
lograge (0.14.0)
@ -419,7 +415,7 @@ GEM
net-imap
net-pop
net-smtp
maintenance_tasks (2.7.0)
maintenance_tasks (2.6.0)
actionpack (>= 6.0)
activejob (>= 6.0)
activerecord (>= 6.0)
@ -429,7 +425,7 @@ GEM
marcel (1.0.2)
matrix (0.4.2)
memory_profiler (1.0.1)
method_source (1.1.0)
method_source (1.0.0)
mime-types (3.5.2)
mime-types-data (~> 3.2015)
mime-types-data (3.2024.0206)
@ -437,8 +433,8 @@ GEM
rake
mini_magick (4.12.0)
mini_mime (1.1.5)
mini_portile2 (2.8.6)
minitest (5.22.3)
mini_portile2 (2.8.5)
minitest (5.22.2)
msgpack (1.7.2)
multi_json (1.15.0)
mustermann (3.0.0)
@ -454,8 +450,8 @@ GEM
timeout
net-smtp (0.4.0.1)
net-protocol
nio4r (2.7.1)
nokogiri (1.16.4)
nio4r (2.7.0)
nokogiri (1.16.2)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
openid_connect (2.3.0)
@ -478,8 +474,8 @@ GEM
ast (~> 2.4.1)
racc
pdf-core (0.9.0)
pg (1.5.6)
phonelib (0.8.8)
pg (1.5.4)
phonelib (0.8.7)
prawn (2.4.0)
pdf-core (~> 0.9.0)
ttfunk (~> 1.7)
@ -497,18 +493,17 @@ GEM
actionmailer (>= 3)
net-smtp
premailer (~> 1.7, >= 1.7.9)
prometheus-client (4.2.2)
promise.rb (0.7.4)
psych (5.1.2)
stringio
public_suffix (5.0.5)
public_suffix (5.0.4)
puma (6.4.2)
nio4r (~> 2.0)
pundit (2.3.1)
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.7.3)
rack (2.2.9)
rack (2.2.8.1)
rack-attack (6.7.0)
rack (>= 1.0, < 4)
rack-mini-profiler (3.3.1)
@ -560,12 +555,9 @@ GEM
rails-html-sanitizer (1.6.0)
loofah (~> 2.21)
nokogiri (~> 1.14)
rails-i18n (7.0.9)
rails-i18n (7.0.8)
i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 8)
rails-pg-extras (5.3.1)
rails
ruby-pg-extras (= 5.3.1)
railties (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
@ -574,20 +566,20 @@ GEM
thor (~> 1.0)
zeitwerk (~> 2.5)
rainbow (3.1.1)
rake (13.2.1)
rake (13.1.0)
rake-progressbar (0.0.5)
rb-fsevent (0.11.2)
rb-inotify (0.10.1)
ffi (~> 1.0)
rdoc (6.6.3.1)
rdoc (6.6.2)
psych (>= 4.0.0)
redcarpet (3.6.0)
redis (5.2.0)
redis-client (>= 0.22.0)
redis-client (0.22.1)
redis (5.1.0)
redis-client (>= 0.17.0)
redis-client (0.20.0)
connection_pool
regexp_parser (2.9.0)
reline (0.5.3)
reline (0.4.2)
io-console (~> 0.5)
request_store (1.5.1)
rack (>= 1.4)
@ -612,20 +604,20 @@ GEM
rspec-mocks (3.13.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0)
rspec-rails (6.1.2)
rspec-rails (6.1.1)
actionpack (>= 6.1)
activesupport (>= 6.1)
railties (>= 6.1)
rspec-core (~> 3.13)
rspec-expectations (~> 3.13)
rspec-mocks (~> 3.13)
rspec-support (~> 3.13)
rspec-core (~> 3.12)
rspec-expectations (~> 3.12)
rspec-mocks (~> 3.12)
rspec-support (~> 3.12)
rspec-retry (0.6.2)
rspec-core (> 3.3)
rspec-support (3.13.1)
rspec-support (3.13.0)
rspec_junit_formatter (0.6.0)
rspec-core (>= 2, < 4, != 2.12.0)
rubocop (1.63.3)
rubocop (1.60.2)
json (~> 2.3)
language_server-protocol (>= 3.17.0)
parallel (~> 1.10)
@ -633,36 +625,29 @@ GEM
rainbow (>= 2.2.2, < 4.0)
regexp_parser (>= 1.8, < 3.0)
rexml (>= 3.2.5, < 4.0)
rubocop-ast (>= 1.31.1, < 2.0)
rubocop-ast (>= 1.30.0, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 3.0)
rubocop-ast (1.31.2)
parser (>= 3.3.0.4)
rubocop-ast (1.30.0)
parser (>= 3.2.1.0)
rubocop-capybara (2.20.0)
rubocop (~> 1.41)
rubocop-factory_bot (2.25.1)
rubocop (~> 1.41)
rubocop-performance (1.21.0)
rubocop-performance (1.20.2)
rubocop (>= 1.48.1, < 2.0)
rubocop-ast (>= 1.31.1, < 2.0)
rubocop-rails (2.24.1)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rails (2.23.1)
activesupport (>= 4.2.0)
rack (>= 1.1)
rubocop (>= 1.33.0, < 2.0)
rubocop-ast (>= 1.31.1, < 2.0)
rubocop-rspec (2.29.1)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rspec (2.26.1)
rubocop (~> 1.40)
rubocop-capybara (~> 2.17)
rubocop-factory_bot (~> 2.22)
rubocop-rspec_rails (~> 2.28)
rubocop-rspec_rails (2.28.3)
rubocop (~> 1.40)
ruby-graphviz (1.2.5)
rexml
ruby-next-core (1.0.2)
ruby-pg-extras (5.3.1)
pg
terminal-table
ruby-progressbar (1.13.0)
ruby-vips (2.2.0)
ffi (~> 1.12)
@ -693,52 +678,38 @@ GEM
scss_lint (0.60.0)
sass (~> 3.5, >= 3.5.5)
selectize-rails (0.12.6)
selenium-devtools (0.123.0)
selenium-devtools (0.121.0)
selenium-webdriver (~> 4.2)
selenium-webdriver (4.19.0)
selenium-webdriver (4.17.0)
base64 (~> 0.2)
rexml (~> 3.2, >= 3.2.5)
rubyzip (>= 1.2.2, < 3.0)
websocket (~> 1.0)
sentry-delayed_job (5.17.3)
sentry-delayed_job (5.16.1)
delayed_job (>= 4.0)
sentry-ruby (~> 5.17.3)
sentry-rails (5.17.3)
sentry-ruby (~> 5.16.1)
sentry-rails (5.16.1)
railties (>= 5.0)
sentry-ruby (~> 5.17.3)
sentry-ruby (5.17.3)
bigdecimal
sentry-ruby (~> 5.16.1)
sentry-ruby (5.16.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
sentry-sidekiq (5.17.3)
sentry-ruby (~> 5.17.3)
sentry-sidekiq (5.16.1)
sentry-ruby (~> 5.16.1)
sidekiq (>= 3.0)
shoulda-matchers (6.2.0)
shoulda-matchers (6.1.0)
activesupport (>= 5.2.0)
sib-api-v3-sdk (9.1.0)
addressable (~> 2.3, >= 2.3.0)
json (~> 2.1, >= 2.1.0)
typhoeus (~> 1.0, >= 1.0.1)
sidekiq (7.2.2)
sidekiq (7.2.1)
concurrent-ruby (< 2)
connection_pool (>= 2.3.0)
rack (>= 2.2.4)
redis-client (>= 0.19.0)
sidekiq-cron (1.12.0)
fugit (~> 1.8)
globalid (>= 1.0.1)
sidekiq (>= 6)
simple_xlsx_reader (1.0.4)
nokogiri
rubyzip
simplecov (0.22.0)
docile (~> 1.1)
simplecov-html (~> 0.11)
simplecov_json_formatter (~> 0.1)
simplecov-cobertura (2.1.0)
rexml
simplecov (~> 0.19)
simplecov-html (0.12.3)
simplecov_json_formatter (0.1.4)
simpleidn (0.2.1)
unf (~> 0.1.4)
sinatra (3.2.0)
@ -746,13 +717,13 @@ GEM
rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.2.0)
tilt (~> 2.0)
skylight (6.0.4)
skylight (6.0.3)
activesupport (>= 5.2.0)
smart_properties (1.17.0)
spreadsheet_architect (5.0.0)
caxlsx (>= 3.3.0, < 4)
rodf (>= 1.0.0, < 2)
spring (4.2.1)
spring (4.1.3)
spring-commands-rspec (1.0.4)
spring (>= 0.9.1)
sprockets (4.2.1)
@ -764,26 +735,24 @@ GEM
sprockets (>= 3.0.0)
stackprof (0.2.26)
stringio (3.1.0)
strong_migrations (1.8.0)
strong_migrations (1.7.0)
activerecord (>= 5.2)
swd (2.0.3)
activesupport (>= 3)
attr_required (>= 0.0.5)
faraday (~> 2.0)
faraday-follow_redirects
sys-proctable (1.3.0)
ffi (~> 1.1)
sysexits (1.2.0)
temple (0.8.2)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
thor (1.3.1)
thor (1.3.0)
thread_safe (0.3.6)
tilt (2.3.0)
timecop (0.9.8)
timeout (0.4.1)
ttfunk (1.7.0)
turbo-rails (2.0.5)
turbo-rails (2.0.2)
actionpack (>= 6.0.0)
activejob (>= 6.0.0)
railties (>= 6.0.0)
@ -801,7 +770,7 @@ GEM
activemodel (>= 3.0.0)
public_suffix
vcr (6.2.0)
view_component (3.12.1)
view_component (3.10.0)
activesupport (>= 5.2.0, < 8.0)
concurrent-ruby (~> 1.0)
method_source (~> 1.0)
@ -827,11 +796,10 @@ GEM
activesupport
faraday (~> 2.0)
faraday-follow_redirects
webmock (3.23.0)
webmock (3.20.0)
addressable (>= 2.8.0)
crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0)
webrick (1.8.1)
websocket (1.2.10)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
@ -845,30 +813,6 @@ GEM
nokogiri (~> 1.11)
xpath (3.2.0)
nokogiri (~> 1.8)
yabeda (0.12.0)
anyway_config (>= 1.0, < 3)
concurrent-ruby
dry-initializer
yabeda-graphql (0.2.3)
graphql (>= 1.9, < 3)
yabeda (~> 0.2)
yabeda-prometheus (0.9.1)
prometheus-client (>= 3.0, < 5.0)
rack
yabeda (~> 0.10)
yabeda-puma-plugin (0.7.1)
json
puma
yabeda (~> 0.5)
yabeda-rails (0.9.0)
activesupport
anyway_config (>= 1.3, < 3)
railties
yabeda (~> 0.8)
yabeda-sidekiq (0.12.0)
anyway_config (>= 1.3, < 3)
sidekiq
yabeda (~> 0.6)
zeitwerk (2.6.13)
zip_tricks (5.6.0)
zipline (1.5.0)
@ -889,7 +833,6 @@ DEPENDENCIES
addressable
administrate
administrate-field-enum
after_commit_everywhere
after_party
ancestry
anchored
@ -911,7 +854,7 @@ DEPENDENCIES
delayed_cron_job
delayed_job_active_record
delayed_job_web
devise
devise!
devise-i18n
devise-two-factor
discard
@ -975,7 +918,6 @@ DEPENDENCIES
rails-controller-testing
rails-erd
rails-i18n
rails-pg-extras
rake-progressbar
redcarpet
redis
@ -1000,17 +942,13 @@ DEPENDENCIES
shoulda-matchers
sib-api-v3-sdk
sidekiq
sidekiq-cron
simple_xlsx_reader
simplecov
simplecov-cobertura
skylight
spreadsheet_architect
spring
spring-commands-rspec
stackprof
strong_migrations
sys-proctable
timecop
turbo-rails
typhoeus
@ -1021,14 +959,8 @@ DEPENDENCIES
warden
web-console
webmock
webrick
yabeda-graphql
yabeda-prometheus
yabeda-puma-plugin
yabeda-rails
yabeda-sidekiq
zipline
zxcvbn-ruby
BUNDLED WITH
2.5.9
2.5.4

498
machines/compute01/ds-fr/package/rubyEnv/gemset.nix
View file

@ -330,20 +330,6 @@
};
version = "1.1.0";
};
after_commit_everywhere = {
dependencies = [
"activerecord"
"activesupport"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "18hq21w6v36i615pi81960cjj0h7vrnpp54qbbk6gsz44g8rpd3y";
type = "gem";
};
version = "1.4.0";
};
after_party = {
groups = [ "default" ];
platforms = [ ];
@ -375,17 +361,6 @@
};
version = "1.1.0";
};
anyway_config = {
dependencies = [ "ruby-next-core" ];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "10bnmxr4wfkqc35m2d1l9apw23g9v21b0sfgq0z3afczblz6415f";
type = "gem";
};
version = "2.6.3";
};
ast = {
groups = [
"default"
@ -518,10 +493,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0cq1c29zbkcxgdihqisirhcw76xc768z2zpd5vbccpq0l1lv76g7";
sha256 = "00db5v09k1z3539g1zrk7vkjrln9967k08adh6qx33ng97a2gg5w";
type = "gem";
};
version = "3.1.7";
version = "3.1.6";
};
bindata = {
groups = [ "default" ];
@ -682,10 +657,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "14vir1240ynwmad0a0qrklx8m7kzvayd2jwi51xh3hnlf529iicn";
sha256 = "1wnqscsnwjs809q33v3hmcr7isv35022bwd002mwviy5ic29dw32";
type = "gem";
};
version = "5.0.6";
version = "5.0.5";
};
choice = {
groups = [
@ -922,11 +897,13 @@
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1y57fpcvy1kjd4nb7zk7mvzq62wqcpfynrgblj558k3hbvz4404j";
type = "gem";
fetchSubmodules = false;
rev = "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1";
sha256 = "1vlcyp6qng7ws4gaw51rz6dhxwldryvfm6fsk33gf7drm7xvr5qf";
type = "git";
url = "https://github.com/heartcombo/devise.git";
};
version = "4.9.4";
version = "4.9.3";
};
devise-i18n = {
dependencies = [ "devise" ];
@ -980,19 +957,6 @@
};
version = "1.3.0";
};
docile = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1lxqxgq71rqwj1lpl9q1mbhhhhhhdkkj7my341f2889pwayk85sz";
type = "gem";
};
version = "1.4.0";
};
dotenv = {
groups = [ "default" ];
platforms = [ ];
@ -1041,16 +1005,6 @@
};
version = "1.0.1";
};
dry-initializer = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1v3dah1r96b10m8xjixmdmymg7dr16wn5715id4vxjkw6vm7s9jd";
type = "gem";
};
version = "3.1.1";
};
dry-monads = {
dependencies = [
"concurrent-ruby"
@ -1110,10 +1064,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0r6zylqjfv0xhdxvldr0kgmnglm57nm506pcm6085f0xqa68cvnj";
sha256 = "1d2z4ky2v15dpcz672i2p7lb2nc793dasq3yq3660h2az53kss9v";
type = "gem";
};
version = "1.2.11";
version = "1.2.7";
};
ethon = {
dependencies = [ "ffi" ];
@ -1326,10 +1280,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "10m9b2gvwfvmm61000mq7n8q7pk2xkxmizgfydpis66n2ybrhwh5";
sha256 = "08fjxnzqvql8mg8wbpddg6fl9lrsp38dwhiyfpfsz550524f2ap9";
type = "gem";
};
version = "1.10.1";
version = "1.9.0";
};
geo_coord = {
groups = [ "default" ];
@ -1718,10 +1672,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "17ak21ybbprj9vg0hk8pb1r2yk9vlh50v9bdwh3qvlmpzcvljqq7";
sha256 = "1f8wms39b7z83x6pflq2sjh3sikpk0xjh680igbpkp1j3pl0fpx0";
type = "gem";
};
version = "1.12.0";
version = "1.11.2";
};
job-iteration = {
dependencies = [ "activejob" ];
@ -1757,10 +1711,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0b4qsi8gay7ncmigr0pnbxyb17y3h8kavdyhsh7nrlqwr35vb60q";
sha256 = "0r9jmjhg2ly3l736flk7r2al47b5c8cayh0gqkq0yhjqzc9a6zhq";
type = "gem";
};
version = "2.7.2";
version = "2.7.1";
};
json-jwt = {
dependencies = [
@ -1782,8 +1736,6 @@
};
json_schemer = {
dependencies = [
"base64"
"bigdecimal"
"hana"
"regexp_parser"
"simpleidn"
@ -1792,10 +1744,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0gp7zh16wk8qijcp9n4x460a5ks0mhacs0vb2f6rffi3v9k2fg4m";
sha256 = "02gnz7wajg7f5n67vlswfi8yjvwahypy36z6hrg0qfx3cc3589qg";
type = "gem";
};
version = "2.2.1";
version = "2.1.1";
};
jsonapi-renderer = {
groups = [ "default" ];
@ -1808,15 +1760,14 @@
version = "0.2.2";
};
jwt = {
dependencies = [ "base64" ];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "02m3vza49pb9dirwpn8vmzbcypi3fc6l3a9dh253jwm1121g7ajb";
sha256 = "16z11alz13vfc4zs5l3fk6n51n2jw9lskvc4h4prnww0y797qd87";
type = "gem";
};
version = "2.8.1";
version = "2.7.1";
};
kaminari = {
dependencies = [
@ -1954,10 +1905,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0rwwsmvq79qwzl6324yc53py02kbrcww35si720490z5w0j497nv";
sha256 = "13rgkfar8pp31z1aamxf5y7cfq88wv6rxxcwy7cmm177qq508ycn";
type = "gem";
};
version = "3.9.0";
version = "3.8.0";
};
lograge = {
dependencies = [
@ -2036,10 +1987,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1jybdhfr6mv4kgq5ph91r06r071jnvzx0lhm3988l1y3wqrdfmq8";
sha256 = "0ighmn1nnv31bykarkwf0pqgrqab09jxk0xp9hh6zwpfqi7b915n";
type = "gem";
};
version = "2.7.0";
version = "2.6.0";
};
marcel = {
groups = [ "default" ];
@ -2083,10 +2034,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1igmc3sq9ay90f8xjvfnswd1dybj1s3fi0dwd53inwsvqk4h24qq";
sha256 = "1pnyh44qycnf9mzi1j6fywd5fkskv3x7nmsqrrws0rjn5dd4ayfp";
type = "gem";
};
version = "1.1.0";
version = "1.0.0";
};
mime-types = {
dependencies = [ "mime-types-data" ];
@ -2156,10 +2107,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "149r94xi6b3jbp6bv72f8383b95ndn0p5sxnq11gs1j9jadv0ajf";
sha256 = "1kl9c3kdchjabrihdqfmcplk3lq4cw1rr9f378y6q22qwy5dndvs";
type = "gem";
};
version = "2.8.6";
version = "2.8.5";
};
minitest = {
groups = [
@ -2170,10 +2121,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "07lq26b86giy3ha3fhrywk9r1ajhc2pm2mzj657jnpnbj1i6g17a";
sha256 = "0667vf0zglacry87nkcl3ns8421aydvz71vfa3g3yjhiq8zh19f5";
type = "gem";
};
version = "5.22.3";
version = "5.22.2";
};
msgpack = {
groups = [ "default" ];
@ -2285,10 +2236,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "15iwbiij52x6jhdbl0rkcldnhfndmsy0sbnsygkr9vhskfqrp72m";
sha256 = "0xkjz56qc7hl7zy7i7bhiyw5pl85wwjsa4p70rj6s958xj2sd1lm";
type = "gem";
};
version = "2.7.1";
version = "2.7.0";
};
nokogiri = {
dependencies = [
@ -2303,10 +2254,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0i8g0i370jhn2sclml0bg9qlrgf4csi6sy7czbhx8kjbl71idhb2";
sha256 = "173zavvxlwyi48lfskk48wcrdbkvjlhjhvy4jpcrfx72rpjjx4k8";
type = "gem";
};
version = "1.16.4";
version = "1.16.2";
};
openid_connect = {
dependencies = [
@ -2397,20 +2348,20 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "071b55bhsz7mivlnp2kv0a11msnl7xg5awvk8mlflpl270javhsb";
sha256 = "0pfj771p5a29yyyw58qacks464sl86d5m3jxjl5rlqqw2m3v5xq4";
type = "gem";
};
version = "1.5.6";
version = "1.5.4";
};
phonelib = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1ish2nzp5jz9xw80npgc5gqsr9krc50wk3irfj71hkw4iccjdn62";
sha256 = "1d97488hh70n56gdyra1ajynfp36fp1ca1hy55dghf52vklyjgac";
type = "gem";
};
version = "0.8.8";
version = "0.8.7";
};
prawn = {
dependencies = [
@ -2482,16 +2433,6 @@
};
version = "1.12.0";
};
prometheus-client = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1zw39rp3b6jhm9273giv119lkgqvllisxb98k7vfx7367birbqcm";
type = "gem";
};
version = "4.2.2";
};
"promise.rb" = {
groups = [ "default" ];
platforms = [ ];
@ -2526,10 +2467,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "14y4vzjwf5gp0mqgs880kis0k7n2biq8i6ci6q2n315kichl1hvj";
sha256 = "1bni4qjrsh2q49pnmmd6if4iv3ak36bd2cckrs6npl111n769k9m";
type = "gem";
};
version = "5.0.5";
version = "5.0.4";
};
puma = {
dependencies = [ "nio4r" ];
@ -2586,10 +2527,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0hj0rkw2z9r1lcg2wlrcld2n3phwrcgqcp7qd1g9a7hwgalh2qzx";
sha256 = "10mpk0hl6hnv324fp1pfimi2nw9acj0z4gyhrph36qg84pk1s4m7";
type = "gem";
};
version = "2.2.9";
version = "2.2.8.1";
};
rack-attack = {
dependencies = [ "rack" ];
@ -2786,24 +2727,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0s8kvic2ia34ngssz6h15wqj0k3wwblhyh0f9v0j3gy7ly0dp161";
sha256 = "1k8jvm3l4gafw7hyvpky7yzjjnkr3iy7l59lyam8ah3kqhmzk7zf";
type = "gem";
};
version = "7.0.9";
};
rails-pg-extras = {
dependencies = [
"rails"
"ruby-pg-extras"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0sn9xi3qxs96vwg4adiks0p62x3lng10i254q8yijfm4hpdmlihl";
type = "gem";
};
version = "5.3.1";
version = "7.0.8";
};
railties = {
dependencies = [
@ -2849,10 +2776,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "17850wcwkgi30p7yqh60960ypn7yibacjjha0av78zaxwvd3ijs6";
sha256 = "1ilr853hawi09626axx0mps4rkkmxcs54mapz9jnqvpnlwd3wsmy";
type = "gem";
};
version = "13.2.1";
version = "13.1.0";
};
rake-progressbar = {
groups = [ "default" ];
@ -2901,10 +2828,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0ib3cnf4yllvw070gr4bz94sbmqx3haqc5f846fsvdcs494vgxrr";
sha256 = "14wnrpd1kl43ynk1wwwgv9avsw84d1lrvlfyrjy3d4h7h7ndnqzp";
type = "gem";
};
version = "6.6.3.1";
version = "6.6.2";
};
redcarpet = {
groups = [ "default" ];
@ -2922,10 +2849,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1d1ng78dwbzgfg1sljf9bnx2km5y3p3jc42a9npwcrmiard9fsrk";
sha256 = "1yv9z3cch7aay3rs2iildk7jnvhijhwyyxvcn2nfdn6yp9vn7kxz";
type = "gem";
};
version = "5.2.0";
version = "5.1.0";
};
redis-client = {
dependencies = [ "connection_pool" ];
@ -2933,10 +2860,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0zhh37gdchzip97z1c6al0bx9m017gfm21n2kl31gy435s0v64dl";
sha256 = "136wddl18jl7zmlcigpf83fvfdmp369rhhc65n6jrdphwj7w76i3";
type = "gem";
};
version = "0.22.1";
version = "0.20.0";
};
regexp_parser = {
groups = [
@ -2962,10 +2889,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0d90nhsqvzp576dsz622fcz0r4zj9hvqlvb6y00f20zx3mx78iic";
sha256 = "0fhwdmw89zqb1fdxcd6lr57zabbfi08z8j6kqwngak0xnxi2j10l";
type = "gem";
};
version = "0.5.3";
version = "0.4.2";
};
request_store = {
dependencies = [ "rack" ];
@ -3132,10 +3059,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "02wr7fl189p1lnpaylz48dlp1n5y763w92gk59s0345hwfr4m1q2";
sha256 = "1clmx6qzdbpm1g8ycg38gjbqsbr8ccqi6hqyx88g8yckz1hrx55x";
type = "gem";
};
version = "6.1.2";
version = "6.1.1";
};
rspec-retry = {
dependencies = [ "rspec-core" ];
@ -3157,10 +3084,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "03z7gpqz5xkw9rf53835pa8a9vgj4lic54rnix9vfwmp2m7pv1s8";
sha256 = "0msjfw99dkbvmviv3wsid4k9h1prdgq7pnm52dcyf362p19mywhf";
type = "gem";
};
version = "3.13.1";
version = "3.13.0";
};
rspec_junit_formatter = {
dependencies = [ "rspec-core" ];
@ -3190,10 +3117,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0i2zimjixmjs6r88mgpklj6kdxq63a24mjvvphhbnbwgclb1z8qp";
sha256 = "0v67rgbhzanbf02fy5xasaxgmhxghlqb2cxjvbplinm2zfzs0380";
type = "gem";
};
version = "1.63.3";
version = "1.60.2";
};
rubocop-ast = {
dependencies = [ "parser" ];
@ -3204,10 +3131,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1v3q8n48w8h809rqbgzihkikr4g3xk72m1na7s97jdsmjjq6y83w";
sha256 = "1cs9cc5p9q70valk4na3lki4xs88b52486p2v46yx3q1n5969bgs";
type = "gem";
};
version = "1.31.2";
version = "1.30.0";
};
rubocop-capybara = {
dependencies = [ "rubocop" ];
@ -3246,10 +3173,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "16jayzjaaglhx69s6b83acpdzcxxccfkcn69gfpkimf2j64zlm7c";
sha256 = "0cf7fn4dwf45r3nhnda0dhnwn8qghswyqbfxr2ippb3z8a6gmc8v";
type = "gem";
};
version = "1.21.0";
version = "1.20.2";
};
rubocop-rails = {
dependencies = [
@ -3262,40 +3189,25 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "06dcxrr71sn0kkw8fwh0w884zbig2ilxpkl66s7lcis9jmkggv83";
sha256 = "1id396xvixh5w19bjsli477mn4dr48ff8n1243d2z0y4zr1ld52h";
type = "gem";
};
version = "2.24.1";
version = "2.23.1";
};
rubocop-rspec = {
dependencies = [
"rubocop"
"rubocop-capybara"
"rubocop-factory_bot"
"rubocop-rspec_rails"
];
groups = [ "development" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "04rfx0f0ns3vfz16fvbxgc9ivjh6gkpqfdi0qsg3grq660dfhkjk";
sha256 = "0n24wy34shczlr5fnim7vcbrgvs0hffzw89n06fxziim9iws406s";
type = "gem";
};
version = "2.29.1";
};
rubocop-rspec_rails = {
dependencies = [ "rubocop" ];
groups = [
"default"
"development"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0618lfncmvnvkwa1jb0kga1f2yiiw1809flkj4kg52nagh3z4scp";
type = "gem";
};
version = "2.28.3";
version = "2.26.1";
};
ruby-graphviz = {
dependencies = [ "rexml" ];
@ -3311,30 +3223,6 @@
};
version = "1.2.5";
};
ruby-next-core = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0vxgamkq4crciyz9lb3vkblzqp6c6wxw9p4ahzqdgk5gy4xikc24";
type = "gem";
};
version = "1.0.2";
};
ruby-pg-extras = {
dependencies = [
"pg"
"terminal-table"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1brz8c167ljb1jbv4b0a20nzj12ahk9cf94n6lxri054w7i6hh0x";
type = "gem";
};
version = "5.3.1";
};
ruby-progressbar = {
groups = [
"default"
@ -3500,10 +3388,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0fxhkxpczqg4f7gxdyvc6ccxy9hppnwl3ih03p42f6hbfy5q1x64";
sha256 = "1l2qf5w0bk01s50gzx8clzw4zchff9a01kk2s8fnpz65g7rgh4g9";
type = "gem";
};
version = "0.123.0";
version = "0.121.0";
};
selenium-webdriver = {
dependencies = [
@ -3516,10 +3404,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0rjh9s5x7jqaxjfcz2m3hphhlajk9nxs6wdsnia62iba07bd32sc";
sha256 = "0g3l3invk95w1f72mpp0r4hc3vsc3070c1xd1wg76kfg2r182xnq";
type = "gem";
};
version = "4.19.0";
version = "4.17.0";
};
sentry-delayed_job = {
dependencies = [
@ -3530,10 +3418,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1bnglhd7cvy5y0kr50w4bgs89y72ym6zlgp751g2y50dp4ydl540";
sha256 = "1rbhzb3nmrs5lrfmcshrg5wp9liblc14m63ljxb12nc4w5fnnwf8";
type = "gem";
};
version = "5.17.3";
version = "5.16.1";
};
sentry-rails = {
dependencies = [
@ -3544,24 +3432,21 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0ncl8br0k6fas4n6c4xw4wr59kq5s2liqn1s4790m73k5p272xq1";
sha256 = "16jyjm0rcj1y175bjmj6bhf7dclp5yw5dh1fna0xy4r07ysq864g";
type = "gem";
};
version = "5.17.3";
version = "5.16.1";
};
sentry-ruby = {
dependencies = [
"bigdecimal"
"concurrent-ruby"
];
dependencies = [ "concurrent-ruby" ];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1z5v5zzasy04hbgxbj9n8bb39ayllvps3snfgbc5rydh1d5ilyb1";
sha256 = "0fsqs1f7nb4y45qwlg14hz155r4pf8ny3j8gzpxlqafpd3dz2zkn";
type = "gem";
};
version = "5.17.3";
version = "5.16.1";
};
sentry-sidekiq = {
dependencies = [
@ -3572,10 +3457,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0n1cr9g15hp08jsqabprd6q34ap61r71f33x28w1xr4ri4hllwfh";
sha256 = "0ksmn3ca3rrdd33azmiprbd4hrcw3fr7hiya60sqp9apg6ir36v3";
type = "gem";
};
version = "5.17.3";
version = "5.16.1";
};
shoulda-matchers = {
dependencies = [ "activesupport" ];
@ -3583,10 +3468,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1pfq0w167v4055k0km64sxik1qslhsi32wl2jlidmfzkqmcw00m7";
sha256 = "1p83ca48h812h5gksw2q0x5289jsc4c417f8s6w9d4a12jzw86zi";
type = "gem";
};
version = "6.2.0";
version = "6.1.0";
};
sib-api-v3-sdk = {
dependencies = [
@ -3614,25 +3499,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "18ykb35ab3fsg6jj8h7kb3kbba41sls4nvwn6vxb731iyh10v4h9";
sha256 = "057vw807x98r4xmhyv2m2rxa8qqxr7ysn7asp5hmdvn9sa9kkm3c";
type = "gem";
};
version = "7.2.2";
};
sidekiq-cron = {
dependencies = [
"fugit"
"globalid"
"sidekiq"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0v09lg8kza19jmigqv5hx2ibhm75j6pa639sfy4bv2208l50hqv6";
type = "gem";
};
version = "1.12.0";
version = "7.2.1";
};
simple_xlsx_reader = {
dependencies = [
@ -3651,61 +3521,6 @@
};
version = "1.0.4";
};
simplecov = {
dependencies = [
"docile"
"simplecov-html"
"simplecov_json_formatter"
];
groups = [ "test" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "198kcbrjxhhzca19yrdcd6jjj9sb51aaic3b0sc3pwjghg3j49py";
type = "gem";
};
version = "0.22.0";
};
simplecov-cobertura = {
dependencies = [
"rexml"
"simplecov"
];
groups = [ "test" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "00izmp202y48qvmvwrh5x56cc5ivbjhgkkkjklvqmqzj9pik4r9c";
type = "gem";
};
version = "2.1.0";
};
simplecov-html = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yx01bxa8pbf9ip4hagqkp5m0mqfnwnw2xk8kjraiywz4lrss6jb";
type = "gem";
};
version = "0.12.3";
};
simplecov_json_formatter = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0a5l0733hj7sk51j81ykfmlk2vd5vaijlq9d5fn165yyx3xii52j";
type = "gem";
};
version = "0.1.4";
};
simpleidn = {
dependencies = [ "unf" ];
groups = [ "default" ];
@ -3739,10 +3554,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "035xplxkr21z73c7mzfaj7ak438w2j63118724s53fbnv8rrw790";
sha256 = "0607y37q3lc748ld6w5qhp9kcj1h2vi5026hsg30vb6dsdrpcyy6";
type = "gem";
};
version = "6.0.4";
version = "6.0.3";
};
smart_properties = {
groups = [ "default" ];
@ -3776,10 +3591,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1bm5w3mp597vy0cjwx609k3jdh5zik36ffmna7hchrn9g96s45w5";
sha256 = "0dqpd70xcaxsa8m8zd6rq464dfczy1rm086bascv9c5b7qnn2yyp";
type = "gem";
};
version = "4.2.1";
version = "4.1.3";
};
spring-commands-rspec = {
dependencies = [ "spring" ];
@ -3854,10 +3669,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0p9g8jqcakpwmbs6f77ydmbiwbgx9c5nr6jgwxh4xx6xpig1bphq";
sha256 = "1742r643p4nigjj45gjjmgl3d9i5ja7klda0bhmxp02ay971c3n6";
type = "gem";
};
version = "1.8.0";
version = "1.7.0";
};
swd = {
dependencies = [
@ -3875,17 +3690,6 @@
};
version = "2.0.3";
};
sys-proctable = {
dependencies = [ "ffi" ];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0m3fj6j1qpfszqnsvr6wpak0d9vw5ggylaqkalhl3m50kbbimxii";
type = "gem";
};
version = "1.3.0";
};
sysexits = {
groups = [
"default"
@ -3932,10 +3736,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1vq1fjp45az9hfp6fxljhdrkv75cvbab1jfrwcw738pnsiqk8zps";
sha256 = "1hx77jxkrwi66yvs10wfxqa8s25ds25ywgrrf66acm9nbfg7zp0s";
type = "gem";
};
version = "1.3.1";
version = "1.3.0";
};
thread_safe = {
groups = [
@ -4007,10 +3811,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0ab2fr50fdzhpjlp78c17xmrd59ab32c55vrjd94wwr4khs7bxyf";
sha256 = "1vgz0y5ilnpgj3id9y5rshnq1hyhhjh4pjzb0hs9fv0p8kps4k07";
type = "gem";
};
version = "2.0.5";
version = "2.0.2";
};
typhoeus = {
dependencies = [ "ethon" ];
@ -4126,10 +3930,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "12xi88jvx49p15nx2168wm0r00g90mb4cxzzsjxz92akjk92mkpj";
sha256 = "12sm1z0lk7rhrd18i4d5zhlj4d142rsw3arpdf9nx3hpflx8ib4j";
type = "gem";
};
version = "3.12.1";
version = "3.10.0";
};
virtus = {
dependencies = [
@ -4230,20 +4034,10 @@
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "07zk8ljq5kyd1mm9qw3452fcnf7frg3irh9ql8ln2m8zbi1qf1qh";
sha256 = "0rc3g9hhxi6v2l1cp9q3kcjd92bhmdbrb517l4v5pyzwq2nflcyc";
type = "gem";
};
version = "3.23.0";
};
webrick = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "13qm7s0gr2pmfcl7dxrmq38asaza4w0i2n9my4yzs499j731wh8r";
type = "gem";
};
version = "1.8.1";
version = "3.20.0";
};
websocket = {
groups = [
@ -4320,96 +4114,6 @@
};
version = "3.2.0";
};
yabeda = {
dependencies = [
"anyway_config"
"concurrent-ruby"
"dry-initializer"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1185mqhgjzpdxs7s6y424mxrranpk5l5x1w64pwfj226gn07b3qx";
type = "gem";
};
version = "0.12.0";
};
yabeda-graphql = {
dependencies = [
"graphql"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0y422499vbs4m1555yvqrdjyk7bdg16rnj224zaw1b77d8irmrks";
type = "gem";
};
version = "0.2.3";
};
yabeda-prometheus = {
dependencies = [
"prometheus-client"
"rack"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1zfmiiv131jwvcb9dx3cnlgrrvcfzbm8ili5gi9fpyygx3580zdq";
type = "gem";
};
version = "0.9.1";
};
yabeda-puma-plugin = {
dependencies = [
"json"
"puma"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yxifgq9m11n73qz9jgxsapqp67ijm5gp6y5jbdvkdcf7c2p47d4";
type = "gem";
};
version = "0.7.1";
};
yabeda-rails = {
dependencies = [
"activesupport"
"anyway_config"
"railties"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1nl2jpx561mpwdxf63db9yshhwfmg8k72r8d9yxnsic2wahvy4b0";
type = "gem";
};
version = "0.9.0";
};
yabeda-sidekiq = {
dependencies = [
"anyway_config"
"sidekiq"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "142xrxc3r2l0185jzrn0r9zc6s9x7v87glrf78pi4mkan60y59q4";
type = "gem";
};
version = "0.12.0";
};
zeitwerk = {
groups = [
"default"

12
machines/compute01/ds-fr/package/update.sh
View file

@ -26,13 +26,13 @@ done
CWD=$(pwd)
TMP=$(mktemp -d)
cd "$TMP" || exit 1
cd "$TMP"
# Fetch the latest source or the required version
gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
if [ -n "$version" ]; then
git clone --depth 1 --branch "$version" $gitUrl .
git clone --depth 1 --branch $version $gitUrl .
else
git clone --depth 1 $gitUrl .
@ -48,10 +48,10 @@ cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
# Print the new source details
SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
# Switch to bun
nix-shell -p bun --run "bun install --frozen-lockfile --no-cache --no-progress --ignore-scripts"
# Print Yarn deps hash
hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
DEPS_HASH=$(nix-hash --sri --type sha256 node_modules)
DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
cat <<EOF >"$CWD/meta.nix"
{
@ -61,6 +61,6 @@ cat <<EOF >"$CWD/meta.nix"
}
EOF
nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD"
nixfmt "$CWD"
rm -rf "$TMP"

14
machines/compute01/grafana.nix
View file

@ -69,11 +69,17 @@ in
}
];
};
};
dgn-web.simpleProxies.grafana = {
inherit host port;
proxyWebsockets = true;
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
age-secrets.autoMatch = [ "grafana" ];

15
machines/compute01/hedgedoc.nix
View file

@ -29,6 +29,16 @@ in
};
};
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = {
enable = true;
@ -43,11 +53,6 @@ in
};
};
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc"
"hedgedoc/uploads"

23
machines/vault01/k-radius/default.nix → machines/compute01/k-radius/default.nix
View file

@ -1,4 +1,4 @@
{ config, ... }:
{ config, lib, ... }:
{
imports = [ ./module.nix ];
@ -6,15 +6,6 @@
services.k-radius = {
enable = true;
domain = "radius.dgnum.eu";
radiusClients = {
ap = {
ipaddr = "0.0.0.0/0";
secret = config.age.secrets."radius-ap-radius-secret_file".path;
};
};
settings = {
# URL to the Kanidm server
uri = "https://sso.dgnum.eu";
@ -49,6 +40,18 @@
};
authTokenFile = config.age.secrets."radius-auth_token_file".path;
privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;
certs = builtins.listToAttrs (
builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [
"ca"
"cert"
"dh"
"key"
]
);
radiusClients = { };
};
age-secrets.autoMatch = [ "radius" ];

196
machines/compute01/k-radius/module.nix Normal file
View file

@ -0,0 +1,196 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
settingsFormat = pkgs.formats.toml { };
py-pkgs = import ./packages/python { inherit pkgs; };
pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = types.package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = types.path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = types.path;
description = "File to the auth token for the service account.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
options = {
secret = mkOption { type = types.path; };
ipaddr = mkOption { type = types.str; };
};
}
);
default = { };
description = "A mapping of clients and their authentication tokens.";
};
certs = {
ca = mkOption {
type = types.str;
description = "The signing CA of the RADIUS certificate.";
};
dh = mkOption {
type = types.str;
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
};
cert = mkOption {
type = types.str;
description = "The certificate for the RADIUS server.";
};
key = mkOption {
type = types.str;
description = "The signing key for the RADIUS certificate.";
};
};
privateKeyPasswordFile = mkOption { type = types.path; };
};
config = mkIf cfg.enable {
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
services.k-radius.settings = {
ca_path = cfg.certs.ca;
radius_cert_path = cfg.certs.cert;
radius_key_path = cfg.certs.key;
radius_dh_path = cfg.certs.dh;
radius_ca_path = cfg.certs.ca;
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network.target" ];
preStart = ''
cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
chmod -R u+w ${cfg.configDir}
# disable auth via methods kanidm doesn't support
rm ${cfg.configDir}/mods-available/sql
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
# write the clients configuration
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
# Write the password of the private_key in the eap module
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
path = [
pkgs.openssl
pkgs.gnused
];
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
Group = "radius";
DynamicUser = true;
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
];
};
};
};
}

52
machines/compute01/k-radius/packages/pykanidm.nix Normal file
View file

@ -0,0 +1,52 @@
{
lib,
fetchFromGitHub,
python3,
pydantic,
}:
let
pname = "kanidm";
version = "0.0.3";
in
python3.pkgs.buildPythonPackage {
inherit pname version;
format = "pyproject";
disabled = python3.pythonOlder "3.8";
src =
(fetchFromGitHub {
owner = pname;
repo = pname;
# Latest 1.1.0-rc.15 tip
rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
})
+ "/pykanidm";
nativeBuildInputs = with python3.pkgs; [ poetry-core ];
propagatedBuildInputs = with python3.pkgs; [
aiohttp
pydantic
toml
(authlib.overridePythonAttrs (_: {
doCheck = false;
}))
];
doCheck = false;
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm client library";
homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
license = licenses.mpl20;
maintainers = with maintainers; [
arianvp
hexa
];
};
}

18
machines/compute01/k-radius/packages/python/01-remove-benchmark-flags.patch Normal file
View file

@ -0,0 +1,18 @@
diff --git a/pyproject.toml b/pyproject.toml
index 1602e32..507048d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,13 +72,6 @@ filterwarnings = [
]
timeout = 30
xfail_strict = true
-# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
-addopts = [
- '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
- '--benchmark-group-by', 'group',
- '--benchmark-warmup', 'on',
- '--benchmark-disable', # this is enable by `make benchmark` when you actually want to run benchmarks
-]
[tool.coverage.run]
source = ['pydantic_core']

20
machines/compute01/k-radius/packages/python/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ pkgs }:
let
inherit (pkgs) lib;
callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
self = builtins.listToAttrs (
builtins.map
(name: {
inherit name;
value = callPackage (./. + "/${name}.nix") { };
})
[
"pydantic"
"pydantic-core"
]
);
in
self

84
machines/compute01/k-radius/packages/python/pydantic-core.nix Normal file
View file

@ -0,0 +1,84 @@
{
stdenv,
lib,
buildPythonPackage,
fetchFromGitHub,
cargo,
rustPlatform,
rustc,
libiconv,
typing-extensions,
pytestCheckHook,
hypothesis,
pytest-timeout,
pytest-mock,
dirty-equals,
}:
let
pydantic-core = buildPythonPackage rec {
pname = "pydantic-core";
version = "2.14.5";
format = "pyproject";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic-core";
rev = "refs/tags/v${version}";
hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
};
patches = [ ./01-remove-benchmark-flags.patch ];
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
};
nativeBuildInputs = [
cargo
rustPlatform.cargoSetupHook
rustPlatform.maturinBuildHook
rustc
typing-extensions
];
buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
propagatedBuildInputs = [ typing-extensions ];
pythonImportsCheck = [ "pydantic_core" ];
# escape infinite recursion with pydantic via dirty-equals
doCheck = false;
passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
nativeCheckInputs = [
pytestCheckHook
hypothesis
pytest-timeout
dirty-equals
pytest-mock
];
disabledTests = [
# RecursionError: maximum recursion depth exceeded while calling a Python object
"test_recursive"
];
disabledTestPaths = [
# no point in benchmarking in nixpkgs build farm
"tests/benchmarks"
];
meta = with lib; {
changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
description = "Core validation logic for pydantic written in rust";
homepage = "https://github.com/pydantic/pydantic-core";
license = licenses.mit;
maintainers = with maintainers; [ blaggacao ];
};
};
in
pydantic-core

92
machines/compute01/k-radius/packages/python/pydantic.nix Normal file
View file

@ -0,0 +1,92 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
pythonOlder,
# build-system
hatchling,
hatch-fancy-pypi-readme,
# native dependencies
libxcrypt,
# dependencies
annotated-types,
pydantic-core,
typing-extensions,
# tests
cloudpickle,
email-validator,
dirty-equals,
faker,
pytestCheckHook,
pytest-mock,
}:
buildPythonPackage rec {
pname = "pydantic";
version = "2.5.2";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic";
rev = "refs/tags/v${version}";
hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
};
buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
nativeBuildInputs = [
hatch-fancy-pypi-readme
hatchling
];
propagatedBuildInputs = [
annotated-types
pydantic-core
typing-extensions
];
passthru.optional-dependencies = {
email = [ email-validator ];
};
nativeCheckInputs = [
cloudpickle
dirty-equals
faker
pytest-mock
pytestCheckHook
] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
preCheck = ''
export HOME=$(mktemp -d)
substituteInPlace pyproject.toml \
--replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
--replace "'--benchmark-group-by', 'group'," "" \
--replace "'--benchmark-warmup', 'on'," "" \
--replace "'--benchmark-disable'," ""
'';
disabledTestPaths = [
"tests/benchmarks"
# avoid cyclic dependency
"tests/test_docs.py"
];
pythonImportsCheck = [ "pydantic" ];
meta = with lib; {
description = "Data validation and settings management using Python type hinting";
homepage = "https://github.com/pydantic/pydantic";
changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
license = licenses.mit;
maintainers = with maintainers; [ wd15 ];
};
}

8
machines/vault01/k-radius/packages/01-python_path.patch → machines/compute01/k-radius/packages/python_path.patch
View file

@ -1,13 +1,13 @@
diff --git a/mods-available/python3 b/mods-available/python3
diff --git a/rlm_python/mods-available/python3 b/rlm_python/mods-available/python3
index 978536f8a..90c71fca0 100644
--- a/mods-available/python3
+++ b/mods-available/python3
--- a/rlm_python/mods-available/python3
+++ b/rlm_python/mods-available/python3
@@ -13,7 +13,7 @@ python3 {
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
- python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/"
+ python_path="@pythonPath@:/etc/raddb/mods-config/python3/"
+ python_path="@kanidm_python@:/etc/raddb/mods-config/python3/"
module = "kanidm.radius"
# python_path = ${modconfdir}/${.:name}

45
machines/compute01/k-radius/packages/rlm_python.nix Normal file
View file

@ -0,0 +1,45 @@
{
stdenv,
fetchFromGitHub,
python3,
pykanidm,
}:
let
pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.15";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
};
patches = [ ./python_path.patch ];
postPatch = ''
substituteInPlace rlm_python/mods-available/python3 \
--replace "@kanidm_python@" "${pythonPath}"
'';
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
preferLocalBuild = true;
}

154
machines/compute01/kanidm/default.nix
View file

@ -1,56 +1,31 @@
{
config,
lib,
meta,
nixpkgs,
...
}:
{ config, sources, ... }:
let
inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu";
port = 8443;
cert = config.security.acme.certs.${domain};
allowedDomains = builtins.map escapeRegex (
(builtins.map (s: "${s}.dgnum.eu") [
# DGNum subdomains
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
])
++ [
# Extra domains
"netbird-beta.hubrecht.ovh"
]
);
usernameFor = member: meta.organization.members.${member}.username;
allowedSubDomains = [
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
];
in
{
services.kanidm = {
enableServer = true;
package = nixpkgs.unstable.kanidm;
package = (import sources.nixos-unstable { }).kanidm;
serverSettings = {
inherit domain;
origin = "https://${domain}";
bindaddress = "127.0.0.1:${builtins.toString port}";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
@ -58,113 +33,10 @@ in
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};
users.users.kanidm.extraGroups = [ cert.group ];
dgn-web.internalPorts.kanidm = port;
services.nginx = {
enable = true;
@ -172,7 +44,7 @@ in
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:${builtins.toString port}";
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
@ -181,7 +53,7 @@ in
set $origin $http_origin;
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
set $origin 'https://${domain}';
}

7
machines/compute01/kanidm/secrets/secrets.nix
View file

@ -1,4 +1,9 @@
(import ../../../../keys).mkSecrets [ "compute01" ] [
let
lib = import ../../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

10
machines/compute01/mastodon.nix
View file

@ -9,12 +9,8 @@ in
localDomain = host;
smtp = {
fromAddress = "noreply@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
user = "web-services@infra.dgnum.eu";
passwordFile = config.age.secrets.mastodon-smtp-password.path;
authenticate = true;
# TODO: smtp setup
fromAddress = "social@services.dgnum.eu";
};
streamingProcesses = 4;
@ -26,8 +22,6 @@ in
# LOCAL_DOMAIN = "dgnum.eu";
WEB_DOMAIN = host;
SMTP_TLS = "true";
RAILS_LOG_LEVEL = "warn";
# ObjectStorage configuration

44
machines/compute01/nextcloud.nix
View file

@ -3,24 +3,28 @@
let
host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in
{
services.nextcloud = {
enable = true;
hostName = host;
package = pkgs.nextcloud29;
package = pkgs.nextcloud28;
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
defaultPhoneRegion = "FR";
trustedProxies = [ "::1" ];
objectstore.s3 = {
enable = true;
@ -57,7 +61,7 @@ in
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "0";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
@ -67,17 +71,11 @@ in
autoUpdateApps.enable = true;
settings = {
overwriteprotocol = "https";
extraOptions = {
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
default_phone_region = "FR";
trusted_proxies = [ "::1" ];
allow_local_remote_servers = true;
maintenance_window_start = 1;
@ -99,20 +97,22 @@ in
};
virtualisation.oci-containers = {
# # Since 22.05, the default driver is podman but it doesn't work
# # with podman. It would however be nice to switch to podman.
# backend = "docker";
containers.collabora = {
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
};
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
ports = [ "9980:9980" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
};
extraOptions = [
"--network=host"
"--cap-add"
"MKNOD"
"--cap-add"
@ -121,8 +121,6 @@ in
};
};
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
@ -140,25 +138,25 @@ in
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
@ -167,13 +165,13 @@ in
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;

15
machines/compute01/ollama-proxy.nix
View file

@ -1,15 +0,0 @@
{ pkgs, ... }:
{
services.nginx = {
virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.80.103.206:11434";
basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
'';
};
};
};
}

18
machines/compute01/outline.nix
View file

@ -2,7 +2,6 @@
let
host = "docs.dgnum.eu";
port = 3003;
in
{
services.outline = {
@ -36,12 +35,21 @@ in
defaultLanguage = "fr_FR";
forceHttps = false;
inherit port;
port = 3003;
};
dgn-web.simpleProxies.outline = {
inherit host port;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
};
age-secrets.autoMatch = [ "outline" ];

34
machines/compute01/postgresql.nix
View file

@ -1,34 +0,0 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
settings = {
checkpoint_completion_target = 0.90625;
default_statistics_target = 100;
effective_cache_size = "32GB";
effective_io_concurrency = 200;
maintenance_work_mem = "2GB";
max_connections = 500;
max_parallel_maintenance_workers = 4;
max_parallel_workers = 12;
max_parallel_workers_per_gather = 4;
max_wal_size = "4GB";
max_worker_processes = 12;
min_wal_size = "1GB";
random_page_cost = 1.125;
shared_buffers = "16GB";
wal_buffers = "16MB";
work_mem = "83886kB";
};
};
dgn-console = {
# Update the versions below for upgrading
pg-upgrade-to = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
pg-upgrade-from = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
};
}

10
machines/compute01/satosa/default.nix
View file

@ -2,15 +2,16 @@
let
host = "saml-idp.dgnum.eu";
port = 8090;
in
{
imports = [ ./module.nix ];
services.satosa = {
enable = true;
inherit host port;
inherit host;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path;
@ -147,8 +148,9 @@ in
};
};
dgn-web.simpleProxies.satosa = {
inherit host port;
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
};
age-secrets.autoMatch = [ "satosa" ];

8
machines/compute01/satosa/module.nix
View file

@ -190,6 +190,14 @@ in
};
};
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = {
isSystemUser = true;
group = "satosa";

18
machines/compute01/satosa/package/satosa.nix
View file

@ -1,7 +1,7 @@
{
lib,
python3,
fetchFromGitHub,
fetchPypi,
cookies-samesite-compat,
pyop,
}:
@ -11,13 +11,17 @@ python3.pkgs.buildPythonPackage rec {
version = "8.4.0";
pyproject = true;
src = fetchFromGitHub {
owner = "IdentityPython";
repo = "SATOSA";
rev = "v${version}";
hash = "sha256-q7XmZ3EnAFO1OXIhXIF4Vd0H8uaayFIHFZpWiZUsAFA=";
src = fetchPypi {
pname = "SATOSA";
inherit version;
hash = "sha256-KREROjb157RJJVRr9YefzoR/eflR/U7ZmG6yOH5DjcU=";
};
nativeBuildInputs = [
python3.pkgs.setuptools
python3.pkgs.wheel
];
propagatedBuildInputs = with python3.pkgs; [
chevron
click
@ -46,7 +50,7 @@ python3.pkgs.buildPythonPackage rec {
description = "Protocol proxy (SAML/OIDC)";
homepage = "https://pypi.org/project/SATOSA";
license = licenses.asl20;
maintainers = with maintainers; [ thubrecht ];
maintainers = with maintainers; [ ];
mainProgram = "satosa";
};
}

28
machines/compute01/secrets/dgsi-email_host_password_file
View file

@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
<EFBFBD><20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ

BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file
View file

Binary file not shown.

30
machines/compute01/secrets/dgsi-kanidm_secret_file
View file

@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
-> ssh-rsa krWCLQ
QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
cS3kE9LfNst2zBKHBGBOHQ
-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
-> l$R6Y:c1-grease
MY0HS+ErZAtAhg
--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H˜Èî¼¼2'k4Ž¥zÿqȦì'ÍNò!{@qxÎ,ƒ+iTû

31
machines/compute01/secrets/dgsi-secret_key_file
View file

@ -1,31 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
-> ssh-rsa krWCLQ
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
gU32t9qy5EvTbzliWpAvxw
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
-> `--grease N]PH
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
:È/ Àn ž±Ý§¦p=fu²hãT¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰…m3Ü&<26>g¤(ö<>5 Û¶Ã

BIN
machines/compute01/secrets/dgsi-x509_cert_file
View file

Binary file not shown.

BIN
machines/compute01/secrets/dgsi-x509_key_file
View file

Binary file not shown.

BIN
machines/compute01/secrets/mastodon-smtp-password
View file

Binary file not shown.

BIN
machines/compute01/secrets/plausible-admin_user_password_file
View file

Binary file not shown.

28
machines/compute01/secrets/plausible-secret_key_base_file
View file

@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA T6TOJOuejaoxw3zdeLzGm0CrSkDCCIRenL7wMGnDtlU
dubdAXhc32S6BszHddOcMA6aStZLOvc+36s3nZsYFMU
-> ssh-ed25519 QlRB9Q akzRDbZzo0LwoS1cOwE/tYdz7M+6bhgI81d37d1GtBw
KsGqFhkjlcJNquMi2+1TfQDBy9qguwh5ED9KBg4Y2hU
-> ssh-ed25519 r+nK/Q bL6A9O6UnjjyY+iLvbQSvSTjXX38FLsNjaSngoQXHxY
YZ7Y11inKpzA2m6lro9XXX2qkW6FmkeFGZ3Ak6X+U2w
-> ssh-rsa krWCLQ
dZVUqAyqrP3KHZlpu70IBU8U3I9IP71RzjbiF1rp4rOdz4iQ9ik88ai+hXVuadcN
DMl/7pIkVky6EL8JxFXTQhLivJUpO3NcN3iAS+CLKC+0EFVc03sLyCjn8IExO85r
Lec37ICk9n4LUNEA91A2h4C8U9TbDxCt7MLrIKcQtfFcd+4U1o9g3n19xo9PK1Ho
mcqTbUVgW1nOLxsEeCp5zsCQ+/8tFLcnK08yUB0RlWK+PDFZkk8u8Q2SYZjnaeEp
cwOhUnm/1a15IbW2oGCrVaEd/ymnLDJc6S7vXGpFDWHmOzvJ4Av9KZlGFYaWCjbV
7bGIgWkiQ7iJvTxzu0ZEqw
-> ssh-ed25519 /vwQcQ /DR3Kox7XkbdYQH7SyIc9atjwwe7Ah7hH/63RlzDd0g
k/199lCIfxR7l4ETJMEr1Ch1Zx8v3M5zn0b8mg6ip2k
-> ssh-ed25519 0R97PA H1PS+SlW5FNOf15eO6MKJ/nnVJQkfFMub0IzTS4PhDo
77zwCD0tbrLu4J0vS0RxPK3YZucFV1VYkUVoMTHjf2o
-> ssh-ed25519 JGx7Ng 2WIYPKkWXplInR8v1q22ygs7uYNfIzETeiCt5+MKQQQ
9Gsyr30kaNhxn+fUCBicvoA+hHiWpUf0d0pxRZauhMY
-> ssh-ed25519 5SY7Kg QTnBfvkMcnXpGITtaHr+mRZGogI1kTUqO4byfyMZhGE
89A/PPHVPeBQvTxCeXH8ITVDMkcsYUMbwatyw8NQ04E
-> ssh-ed25519 p/Mg4Q n6hQLuUv3QOMADJF0zpcALYqVUVi5tZHmKGmVZA0IVQ
ZXa+3y33kyo4vQxcEa2XTMIwjH2HE+bAKZw993PgROk
-> ssh-ed25519 tDqJRg Hf1KIZjUTTaHo18P1vWxaSehyKTFElBOovrCN0uJFCc
H8qGw8vIqp4bNiyon2uvTkrrd8lIYnMWnIfzS+w4QRQ
--- QOKOfU20JY1Sj+K20UUxgtPZ7JxKuZ1GtK+OKBZ1Zhg
Íúâ?º}àæ2æŽýiÐM}6BÖw#b2Ï´žËŠ¹ÍÊžvu´¿,Ö'.ŒWÔ”øIPýã'ixYÍ€*·šKoÎtXI#Àß6b`„1pʬòÍœˆ×"§lâSf(ˆ`UöëÄê6 kT°Á'µÎÔM@ÈÖå„hŸï®{WYŸØÝÏÂ<SN;UŒœ ݨÿ

28
machines/compute01/secrets/plausible-smtp_password_file
View file

@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
<EFBFBD><20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ

BIN
machines/compute01/secrets/radius-auth_token_file Normal file
View file

Binary file not shown.

BIN
machines/compute01/secrets/radius-ca_pem_file Normal file
View file

Binary file not shown.

BIN
machines/compute01/secrets/radius-cert_pem_file Normal file
View file

Binary file not shown.

31
machines/compute01/secrets/radius-dh_pem_file Normal file
View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
-> ssh-rsa krWCLQ
1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
ABByGBZ/QKLw66NpE7rbSA
-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
-> t|-grease (u /1\q}65 ]@
Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
LA3n6c+Te9Q
--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
5¥t·Œ °ÒxÚ@<1E>`zÈÔgCà Ѭ:4Œó¾&‡Spi8ñŸuæ"lÕ×)<29>aŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^ݶ‚Ø«%´Ñº98¾,yBÙ
"¶%Ç㤄†NÎÓ· íò¬} [Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Š à-—&qF k Ö¶¹µùÔÎLì,¹À„žD™áΩ­QÍ—½è<C2BD>4N}<7D>ÙÐJ´·ÇÓˆ€]dU Ïø¿<C3B8>I—:ÌôÑÉ öì°¦£sý¨õB #}¹
ÞÃXzð‰N4·>ñ5iSan`‰¹.õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZЬÆwçÚ /×
Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäA<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏIM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
ê6)ËŒä0£<30>tM¶É Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡ bzÚõŠ¿ÁìÍÿ

BIN
machines/compute01/secrets/radius-key_pem_file Normal file
View file

Binary file not shown.

26
machines/compute01/secrets/radius-private_key_password_file Normal file
View file

@ -0,0 +1,26 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
-> ssh-rsa krWCLQ
axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
28gTWKdeOQcHJfmaeJV/Rg
-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
-> \<?_-grease (+d_8zF H
--- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
=þ%©»gæÆQ³-¼ffÄUC.qÅ͘·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN

27
machines/compute01/secrets/secrets.nix
View file

@ -1,31 +1,30 @@
(import ../../../keys).mkSecrets [ "compute01" ] [
# List of secrets for compute01
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"arkheon-env_file"
"bupstash-put_key"
"dgsi-email_host_password_file"
"dgsi-kanidm_auth_token_file"
"dgsi-kanidm_secret_file"
"dgsi-secret_key_file"
"dgsi-x509_cert_file"
"dgsi-x509_key_file"
"ds-fr-secret_file"
"grafana-oauth_client_secret_file"
"grafana-smtp_password_file"
"grafana-oauth_client_secret_file"
"hedgedoc-environment_file"
"librenms-database_password_file"
"librenms-environment_file"
"mastodon-extra_env_file"
"mastodon-smtp-password"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"plausible-admin_user_password_file"
"plausible-secret_key_base_file"
"plausible-smtp_password_file"
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"satosa-env_file"
"signal-irc-bridge-config"
"telegraf-environment_file"
"vaultwarden-environment_file"
"zammad-secret_key_base_file"

29
machines/compute01/secrets/signal-irc-bridge-config
View file

@ -1,29 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA Io/zqmrxU05V3yhgyGySW5f2hlQdBOqzXzv2I5x+nVs
O5szAc5hiv4Kw+Xo90mhst3vGLqhtqSuaKxPTkCQCJw
-> ssh-ed25519 QlRB9Q 9gQ+5aCcW+gi30S20om5+Zign9zXfgKlG9/59a2rdl4
nXyckLZ6zNdG096GAPlK/gyold3XxOqeKB1Kiy/BCmI
-> ssh-ed25519 r+nK/Q nctFMke6IvbEII3/Mq7wq9Cb30GO1yBqePJXdOFjExs
fMEbZoSsvMiFS2wHD0RCcSqbigmFHCnhEagXDTYBIW8
-> ssh-rsa krWCLQ
i7lgxs2DFU6OYdR0wC9NBJAUrYOarTpIBu8JiQKKTymkGauTtpCkOgakEF7N/TLd
1KFX6ww2lhmGwgi/4qYK5R21geqbLaogm5LsSrWgwI+nAqzAasD30i4MYWSfd1PS
kewXfRmMOUc2feMN/FiLDlyxxdg3DQImEwwAUq3k4F7W7/ggi4qPKzqzGhlOG1kB
Ma05hLsOhTVwbyRQzf9MFDUypYJ8KRsV5/rdxnGzTaJLlYbNoQpIG3lQZelggGpS
N6f5kz0fHRkTqCrINJpmLVkvQDbNNDslsDcr86O0LEI7NPrBry5fUSxI+YOzCJCu
3xnkIiYlcua2WGEXNd6vPQ
-> ssh-ed25519 /vwQcQ L9OynFtsmYWQBB/PKHsJ4B2mdUFk8wkuPzaKBmvKERc
LPHLANWrv90EFdF+cXEOFnOf1XaLWeyEDij+DYVrDJM
-> ssh-ed25519 0R97PA 49YuJOzGjfLe8RixCtw8Z/EEngEGyNRQjb6sDXESQyM
ICCw8XFpzJjZpOayDR6uoHqdv0vuEVg1uQyNrNONj8s
-> ssh-ed25519 JGx7Ng fESc17fhVuC9dfNvDZKLq5EheYw+ufw0hpJqeDffxSE
CWRV2wnZYh/bK5xgCDUASUmYMWSLbTXqnD1TFcbEHUU
-> ssh-ed25519 5SY7Kg DgOrBwnV6Uxc5dMcNSR57HSgTW5DsG9Y9kcNYNevMGw
W0HtwhGJ2jiU9jrfvGoEXthZ3ewxAL8ERNOUYSgWI1A
-> ssh-ed25519 p/Mg4Q doo+f6eD3s2uoMwekzHcUFCsls8gNZjiI0Nyyd1sClA
NZnBQy9PJeabIwp6N7D85sI/UbCIcC7FzQALoNOD5h0
-> ssh-ed25519 tDqJRg tVVtvHVf/l4k+vr5A81tKTff49Rn1L1lrONq1DaGxDk
vskCx+/l45iAtB8Mn6S9T7I0rKEGgesDfqBrrT0wewU
--- HQzVXwtwdHyjKCBSbBOTiytzpLVc1eBCZZgW7sIgFEI
9˜†%}/JÞ„U»cMä<38>ç™`®=%¿ÝîN} è9tñœÇ§‰¡¨‰rŒ}ˆ½KÿøžqøëO5GlùÑct#" Ò[Yw½e‰<65>_ûtˆ)f3Çòª´ÕGÊ2¹j„Wý^ìr¹ôYa=ESÓ ýØ,<2C>²Ú“rÐ_„£ ý8E ªª Ž¬1çî•íŇ“sÂ<73>ü–¼<”µŸ‚£ 0QMU"Œ±Ú’Åõ õˆ¬wSúœ4º=ï‰G(ˆ’º<<3C>?iZSW]Œ. pP93±zžl¸OSd·êS¯šçI­8Äeײ·Ú7ÃUMù¯< ªº<C2AA>Ýžóì<>?îOc2Z¬Uº Ä•èc²àԗ×7@ÄýôóŠòZæ™ihCžXß”QŸcɹ[èo=kÏòñËÞL"Z Í/uê´q ÛGäçó Ú[<5B>ú,£«i×Ãäs<C3A4>Jÿ•=GBç~^€Ù'Aý´èÕ±©¹í*giÝ|Ý*ùN·ÿŠË‘a]º˜áäši|áÔŽP'_(½±ÂQLŽØl„O ÈÛ´
P94ϨäÛF½]³¡È{Öºeç4ý[McQuÎÞî« ¥Jwȃ¼Ê“÷•ÁÛX@RÙÑÛŒú‰5M•Ý£V<E280B9>rjÇ—ó<E28094>„—½¢Ÿó7<C3B3>[¨8qÐb

22
machines/compute01/signal-irc-bridge.nix
View file

@ -1,22 +0,0 @@
{
config,
sources,
nixpkgs,
...
}:
{
imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
services.signal-irc-bridge = {
enable = true;
package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
configFile = config.age.secrets."signal-irc-bridge-config".path;
};
services.nginx.virtualHosts."bridge.dgnum.eu" = {
forceSSL = true;
enableACME = true;
locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
};
users.users.nginx.extraGroups = [ "signal-irc" ];
}

35
machines/compute01/stirling-pdf/01-spotless.patch
View file

@ -1,35 +0,0 @@
diff --git a/build.gradle b/build.gradle
index 78901d8e..3a14ceee 100644
--- a/build.gradle
+++ b/build.gradle
@@ -70,20 +70,6 @@ launch4j {
messagesInstanceAlreadyExists="Stirling-PDF is already running."
}
-spotless {
- java {
- target project.fileTree('src/main/java')
-
- googleJavaFormat('1.19.1').aosp().reorderImports(false)
-
- importOrder('java', 'javax', 'org', 'com', 'net', 'io')
- toggleOffOn()
- trimTrailingWhitespace()
- indentWithSpaces()
- endWithNewline()
- }
-}
-
dependencies {
//security updates
implementation 'ch.qos.logback:logback-classic:1.5.3'
@@ -171,9 +157,6 @@ dependencies {
annotationProcessor 'org.projectlombok:lombok:1.18.32'
}
-tasks.withType(JavaCompile).configureEach {
- dependsOn 'spotlessApply'
-}
compileJava {
options.compilerArgs << '-parameters'
}

12
machines/compute01/stirling-pdf/02-propsfile.patch
View file

@ -1,12 +0,0 @@
diff --git a/build.gradle b/build.gradle
index 78901d8e..2e7ff96b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -166,6 +166,7 @@ task writeVersion {
def props = new Properties()
props.setProperty('version', version)
props.store(propsFile.newWriter(), null)
+ propsFile.text = propsFile.readLines().tail().join('\n')
}
swaggerhubUpload {

16
machines/compute01/stirling-pdf/03-jar-timestamps.patch
View file

@ -1,16 +0,0 @@
diff --git a/build.gradle b/build.gradle
index 2e7ff96b..f3a4a15c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,6 +21,11 @@ repositories {
mavenCentral()
}
+tasks.withType(AbstractArchiveTask) {
+ preserveFileTimestamps = false
+ reproducibleFileOrder = true
+}
+
licenseReport {
renderers = [new JsonReportRenderer()]
}

25
machines/compute01/stirling-pdf/04-local-maven-deps.patch
View file

@ -1,25 +0,0 @@
diff --git a/build.gradle b/build.gradle
index f3a4a15c..61fbd74e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -18,7 +18,7 @@ version = '0.26.1'
sourceCompatibility = '17'
repositories {
- mavenCentral()
+ maven { url '@deps@' }
}
tasks.withType(AbstractArchiveTask) {
diff --git a/settings.gradle b/settings.gradle
index f8139930..2c87f3cc 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -1 +1,7 @@
+pluginManagement {
+ repositories {
+ maven { url '@deps@' }
+ }
+}
+
rootProject.name = 'Stirling-PDF'

22
machines/compute01/stirling-pdf/05-java-output-test.patch
View file

@ -1,22 +0,0 @@
diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
index cab78313..192922f3 100644
--- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
}
- @Test
+ /* @Test
public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
// Mock the command to execute
List<String> command = new ArrayList<>();
@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
// Check the exit code and output messages
assertEquals(0, result.getRc());
assertNotNull(result.getMessages()); // Check if messages are not null
- }
+ } */
@Test
public void testRunCommandWithOutputHandling_Error() {

42
machines/compute01/stirling-pdf/default.nix
View file

@ -1,42 +0,0 @@
{ nixpkgs, ... }:
let
###
# How to update:
# - clone https://git.dgnum.eu/DGNum/Stirling-PDF
# - switch to the branch dgn-v0.X.Y where X.Y is the version in production
# - fetch upstream changes up to the tagged release in nixos-unstable
# - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
# - push to a new branch dgn-v0.A.B where A.B is the new version
# - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
port = 8084;
in
{
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = {
enable = true;
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
];
});
domain = "pdf.dgnum.eu";
inherit port;
nginx = {
enableACME = true;
forceSSL = true;
};
environment = {
UI_APP_NAME = "DGNum PDF";
SYSTEM_DEFAULT_LOCALE = "fr-FR";
};
};
}

1
machines/compute01/takumi.nix
View file

@ -1 +0,0 @@
_: { dgn-chatops.enable = true; }

59
machines/compute01/vaultwarden.nix
View file

@ -2,8 +2,6 @@
let
host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in
{
services.vaultwarden = {
@ -12,9 +10,9 @@ in
config = {
DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = wsPort;
WEBSOCKET_PORT = 10500;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = port;
ROCKET_PORT = 10501;
ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true;
USE_SYSLOG = true;
@ -33,38 +31,45 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
};
dgn-web = {
internalPorts.vaultwarden-websockets = wsPort;
services = {
nginx = {
enable = true;
simpleProxies.vaultwarden = {
inherit host port;
proxyWebsockets = true;
virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
vhostConfig.locations = {
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
locations = {
"/" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
proxyWebsockets = true;
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:10500";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
};
};
};
};
services.postgresql = {
enable = true;
postgresql = {
enable = true;
ensureDatabases = [ "vaultwarden" ];
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
};
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];

8
machines/geo01/secrets/secrets.nix
View file

@ -1,3 +1,5 @@
(import ../../../keys).mkSecrets [ "geo01" ] [
# List of secrets for geo01
]
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo01";
in
lib.setDefault { inherit publicKeys; } [ ]

8
machines/geo02/secrets/secrets.nix
View file

@ -1,3 +1,5 @@
(import ../../../keys).mkSecrets [ "geo02" ] [
# List of secrets for geo02
]
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo02";
in
lib.setDefault { inherit publicKeys; } [ ]

7
machines/rescue01/_configuration.nix
View file

@ -3,7 +3,7 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-web"
"dgn-fail2ban"
];
enabledServices = [
@ -12,6 +12,11 @@ lib.extra.mkConfig {
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true;
};

9
machines/rescue01/secrets/secrets.nix
View file

@ -1,4 +1,5 @@
(import ../../../keys).mkSecrets [ "rescue01" ] [
# List of secrets for rescue01
"stateless-uptime-kuma-password"
]
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "rescue01";
in
lib.setDefault { inherit publicKeys; } [ ]

28
machines/rescue01/secrets/stateless-uptime-kuma-password
View file

@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA wZdqi7vBlMEOJiY1VvbsmqyBSO/jl6SWLRGw+0ylKWo
UvKyh4Jh608Z9i9+6WuPu3mwnlC98aAr6jiV38JJGzk
-> ssh-ed25519 QlRB9Q +DUjR2Wqwg2SevBY+YgvLEDkcnoWGRTfcVFbl27CQT4
poWQnP4cOQGc5Xhgrgz2KKEOJ8dB+iCcqME5D/zJv5c
-> ssh-ed25519 r+nK/Q GsidIKDaPJmx8igrgoAbWGywJQB0nV/cY8Zm0CIByho
m4HrxUhPkp7gahyLO2gfQUnglkB715jaCrADg77ns34
-> ssh-rsa krWCLQ
VwNy3N6+l3Vgpo8AK7cJ2gRmHa+oBtB4w3n+E8gn7sugcEB16NDtjK861zwszUq7
OfOPUZ5mE+RWz20XYWPAJIPEYNaiqc5vJzguFvZdlyJNInJLxANlIaHydE1AGA9v
l07t9PAxxV5L40EiPHxjveEKaKiAAJVbWWfILX9f4U5vjKy5729IE/3aTRUbTD/M
CXINLnzFWwDLi3x2yBrGUly2mLIb4KyDuE8jnPmtCFveKsVxVsDEeiXvi0yeT+xM
viGvXJ9Ad6tAug4BE2suqwG1iPHsa98pFBqYM8gG2rp2WOFhzs0emkTu5LGYJOMr
VR39Qxcdp1WjPr9e+l/MDQ
-> ssh-ed25519 /vwQcQ GBXHQzwSFS+abM91umquafIEcUoI407reSuULz7SGGY
WpW9aHq2Eq8pXpvGsEKoByQLj0tr04GxNQrf09ronrY
-> ssh-ed25519 0R97PA BxlIEcd6G5GDLUxgoTzyUqRRxGIx49YCZSvzjVIBdjw
oDqUd2O+oBdDrOvrQysdptF1LuvXK/dKurFnHUjgNfk
-> ssh-ed25519 JGx7Ng Km6PmwRZ9HfGjEhkgb8P+ZCt+B/C+jg9bcvdwBvrS0Q
D+UC5nkMnpYuJtz5X30iF1avU+jlEy4zOEPkyj5o2x8
-> ssh-ed25519 5SY7Kg 3tf/eLI3ngqilOfEz8fayTDHWHNd14ANJTSt5lz1yDM
QUhDPYuiZ9YloKgYqY5UdMVmawyMAOS/T4jbpvsNJpI
-> ssh-ed25519 p/Mg4Q h/8lvmwcmoyTa6vW0N2AbgKt/dpNNqVmRW02NaYl7Wo
OaFeo+ZPa2LY5zRJzv/exq4bv734FxZwX3ql1kpv5bk
-> ssh-ed25519 +MNHsw iaiHp0x4Xzf886Q0Li6IleeO3wZUAQbYFHxn0jzdCk0
W4gaBtwKPbonB2g9+Ts+teXPEPoWDCVoVn1vixiQ+7M
--- 1ACvcwsxZKnjgKRAzJy8e4eBtxZXrwe00wPdDlMWnBo
Œ<ƒ¼î|ë=©r<2Ÿµ.>ÃÇ~,5J² Ä … àé[ºë^+͸Z‰ñjá×=Ï<Ï%Út뮪

160
machines/rescue01/uptime-kuma.nix
View file

@ -1,156 +1,26 @@
{
config,
lib,
nodes,
sources,
...
}:
let
inherit (lib)
concatLists
mapAttrsToList
mkForce
mkMerge
;
inherit (config.statelessUptimeKuma.lib)
pingProbesFromHive
fromHive
httpProbesFromConfig
probesWithTag
;
probesCfg = config.statelessUptimeKuma.probesConfig;
mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
host = "status.dgnum.eu";
port = 3001;
httpExcludes = [
"localhost"
"ens.cal.dgnum.eu"
"luj-current.cal.dgnum.eu"
"s3.dgnum.eu"
"cdn.dgnum.eu"
"saml-idp.dgnum.eu"
"status.dgnum.eu"
"radius.dgnum.eu"
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
extraProbes = {
monitors = {
"prometheus.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "401" ];
};
"ollama01.beta.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "401" ];
};
"s3-admin.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "400" ];
};
"api.meet.dgnum.eu" = {
keyword = "Crab Fit API";
};
};
};
status_pages = {
"dgnum" = {
title = "DGNum";
description = "Etat de l'infra de la DGNum";
showTags = true;
publicGroupList = [
{
name = "Services";
weight = 1;
monitorList = mkMonitors "Service";
}
{
name = "Serveurs";
weight = 2;
monitorList = mkMonitors "Ping";
}
{
name = "VPN Interne";
weight = 2;
monitorList = mkMonitors "VPN";
}
];
};
};
pingProbes = pingProbesFromHive {
inherit nodes;
mkHost = _: config: config.networking.fqdn;
tags = [ { name = "Ping"; } ];
excludes = [
"geo01"
"geo02"
"rescue01"
];
};
vpnProbes = pingProbesFromHive {
inherit nodes;
prefix = "VPN - ";
mkHost = node: _: "${node}.dgnum";
tags = [ { name = "VPN"; } ];
excludes = [
"rescue01"
"web02"
];
};
httpProbes = fromHive {
inherit nodes;
builder =
_: module:
httpProbesFromConfig {
inherit (module) config;
tags = [
{
name = "Host";
value = module.config.networking.fqdn;
}
{ name = "Service"; }
];
excludes = httpExcludes;
};
};
in
{
imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
services.uptime-kuma.enable = true;
dgn-web.simpleProxies.uptime-kuma = {
inherit host port;
proxyWebsockets = true;
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes
httpProbes
extraProbes
vpnProbes
{ inherit status_pages; }
];
extraFlags = [ "-s" ];
host = "http://localhost:${builtins.toString port}/";
username = "dgnum";
passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
enableService = true;
};
networking.firewall.allowedTCPPorts = [
80
443
];
}

7
machines/storage01/_configuration.nix
View file

@ -4,12 +4,13 @@ lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-backups"
"dgn-fail2ban"
"dgn-web"
];
enabledServices = [
# List of services to enable
"tvix-cache"
"atticd"
"forgejo"
"forgejo-runners"
"garage"
@ -17,11 +18,11 @@ lib.extra.mkConfig {
"netbird"
"peertube"
"prometheus"
"redirections"
"victoria-metrics"
];
extraConfig = {
dgn-fail2ban.jails.sshd-preauth.enabled = true;
dgn-hardware.useZfs = true;
services.netbird.enable = true;

85
machines/storage01/atticd.nix Normal file
View file

@ -0,0 +1,85 @@
{
config,
pkgs,
sources,
...
}:
let
host = "cachix.dgnum.eu";
in
{
services = {
atticd = {
enable = true;
credentialsFile = config.age.secrets."atticd-credentials_file".path;
settings = {
listen = "127.0.0.1:9090";
api-endpoint = "https://${host}/";
allowed-hosts = [ host ];
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
database.url = "postgresql://atticd?host=/run/postgresql";
storage = {
type = "s3";
region = "garage";
bucket = "attic-dgnum";
endpoint = "https://s3.dgnum.eu";
};
};
useFlakeCompatOverlay = false;
package = pkgs.callPackage "${sources.attic}/package.nix" { };
};
nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9090";
extraConfig = ''
client_max_body_size 100M;
'';
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
};
}

7
machines/storage01/forgejo-runners.nix
View file

@ -1,7 +1,6 @@
{
config,
pkgs,
nixpkgs,
sources,
...
}:
@ -30,8 +29,6 @@ let
options = "--cpus=4";
};
};
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.forgejo-nix-runners = {
@ -43,10 +40,10 @@ in
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [
nix-pkgs.colmena
pkgs.colmena
pkgs.npins
pkgs.tea
nixpkgs.unstable.nixfmt-rfc-style
(import sources.nixpkgs { }).nixfmt-rfc-style
];
containerOptions = [ "--cpus=4" ];

73
machines/storage01/forgejo.nix
View file

@ -1,4 +1,4 @@
{ config, nixpkgs, ... }:
{ config, pkgs, ... }:
let
port = 3000;
@ -10,7 +10,7 @@ in
enable = true;
user = "git";
package = nixpkgs.unstable.forgejo;
package = pkgs.forgejo;
stateDir = "/var/lib/git";
database = {
@ -24,18 +24,30 @@ in
APP_NAME = "Forge git de la DGNum";
};
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = port;
APP_DATA_PATH = "/var/lib/git/data";
};
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
DISABLE_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = true;
};
log.LEVEL = "Warn";
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "https://gitea.com";
};
admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
};
log.LEVEL = "Warn";
mailer = {
ENABLED = true;
FROM = "git@infra.dgnum.eu";
@ -44,43 +56,22 @@ in
SMTP_PORT = 465;
USER = "web-services@infra.dgnum.eu";
};
session = {
SESSION_LIFE_TIME = 24 * 3600 * 7;
GC_INTERVAL_TIME = 24 * 3600 * 7;
};
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = port;
APP_DATA_PATH = "/var/lib/git/data";
OFFLINE_MODE = false;
};
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = true;
};
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
"cron.cleanup_actions".ENABLED = true;
"cron.delete_old_actions".ENABLED = true;
"cron.git_gc_repos".ENABLED = true;
"cron.update_checker".ENABLED = false;
};
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
};
};
dgn-web.simpleProxies.forgejo = {
inherit host port;
nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
};
};
};
users.users.git = {

Some files were not shown because too many files have changed in this diff Show more