DGNum/infrastructure
11
6
Fork 2
Code Issues 21 Pull requests 21 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:main
Branches Tags
DGNum:main
DGNum:npins-updates/nixos-24.11
DGNum:npins-updates/nixos-unstable
DGNum:npins-updates/proxmox-nixos
DGNum:npins-updates/lix
DGNum:npins-updates/nixos-generators
DGNum:vault01-isp
DGNum:meta-isp
DGNum:npins-updates/git-hooks
DGNum:npins-update
DGNum:openwrt-exporter
DGNum:nix-lib
DGNum:npins-updates/colmena
DGNum:npins-updates/nix-actions
DGNum:mdebray/ap-dev
DGNum:ap-poc-v01
DGNum:ap01-prepare-poc
DGNum:netconf-profiles
DGNum:vault01-mtu
DGNum:meta_rework_bis
DGNum:meta_rework
DGNum:reuse
DGNum:mdebray/overlay
DGNum:django-apps-overlays
DGNum:testing02
DGNum:hypervisor
DGNum:ap01-vlan
DGNum:colmena-liminx-ng
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:colmena-liminix
DGNum:poc-v1.0
..
compare: DGNum:testing02
Branches Tags
DGNum:npins-updates/nixos-24.11
DGNum:npins-updates/nixos-unstable
DGNum:npins-updates/proxmox-nixos
DGNum:npins-updates/lix
DGNum:npins-updates/nixos-generators
DGNum:main
DGNum:vault01-isp
DGNum:meta-isp
DGNum:npins-updates/git-hooks
DGNum:npins-update
DGNum:openwrt-exporter
DGNum:nix-lib
DGNum:npins-updates/colmena
DGNum:npins-updates/nix-actions
DGNum:mdebray/ap-dev
DGNum:ap-poc-v01
DGNum:ap01-prepare-poc
DGNum:netconf-profiles
DGNum:vault01-mtu
DGNum:meta_rework_bis
DGNum:meta_rework
DGNum:reuse
DGNum:mdebray/overlay
DGNum:django-apps-overlays
DGNum:testing02
DGNum:hypervisor
DGNum:ap01-vlan
DGNum:colmena-liminx-ng
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:colmena-liminix
DGNum:poc-v1.0

1 commit
main ... testing02

Author SHA1 Message Date
sinavir
15782c5d0b
feat(testing02): Init testing vm
All checks were successful
Check meta / check_dns (pull_request) Successful in 21s
Details
Check meta / check_meta (pull_request) Successful in 20s
Details
Check workflows / check_workflows (pull_request) Successful in 30s
Details
Run pre-commit on all files / pre-commit (push) Successful in 52s
Details
Build all the nodes / ap01 (pull_request) Successful in 1m16s
Details
Build all the nodes / bridge01 (pull_request) Successful in 1m59s
Details
Build all the nodes / geo01 (pull_request) Successful in 2m24s
Details
Build all the nodes / geo02 (pull_request) Successful in 2m14s
Details
Build all the nodes / hypervisor01 (pull_request) Successful in 1m55s
Details
Build all the nodes / hypervisor02 (pull_request) Successful in 1m50s
Details
Build all the nodes / netcore02 (pull_request) Successful in 33s
Details
Build all the nodes / hypervisor03 (pull_request) Successful in 1m44s
Details
Build all the nodes / compute01 (pull_request) Successful in 3m25s
Details
Build all the nodes / storage01 (pull_request) Successful in 2m23s
Details
Build all the nodes / tower01 (pull_request) Successful in 1m55s
Details
Build all the nodes / rescue01 (pull_request) Successful in 2m28s
Details
Build all the nodes / testing02 (pull_request) Successful in 2m18s
Details
Build all the nodes / vault01 (pull_request) Successful in 2m8s
Details
Build the shell / build-shell (pull_request) Successful in 58s
Details
Build all the nodes / web01 (pull_request) Successful in 2m30s
Details
Run pre-commit on all files / pre-commit (pull_request) Successful in 50s
Details
Build all the nodes / web02 (pull_request) Successful in 1m43s
Details
Build all the nodes / web03 (pull_request) Successful in 1m46s
Details
2025-01-06 14:09:04 +01:00
197 changed files with 3319 additions and 5126 deletions
Show stats Expand all files Collapse all files

2
.forgejo/workflows/check-meta.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs: jobs:
check_dns: check_dns:
runs-on: nix runs-on: nix

3
.forgejo/workflows/check-workflows.yaml
View file

@ -1,11 +1,8 @@
###
# This file was automatically generated with nix-actions.
jobs: jobs:
check_workflows: check_workflows:
runs-on: nix runs-on: nix
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
with: {}
- name: Check that the workflows are up to date - name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]' -eq 0 ]'

46
.forgejo/workflows/eval-nodes.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs: jobs:
ap01: ap01:
runs-on: nix runs-on: nix
@ -23,17 +21,6 @@ jobs:
STORE_USER: admin STORE_USER: admin
name: Build and cache bridge01 name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node run: nix-shell -A eval-nodes --run cache-node
build01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: build01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache build01
run: nix-shell -A eval-nodes --run cache-node
compute01: compute01:
runs-on: nix runs-on: nix
steps: steps:
@ -100,28 +87,6 @@ jobs:
STORE_USER: admin STORE_USER: admin
name: Build and cache hypervisor03 name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node run: nix-shell -A eval-nodes --run cache-node
netaccess01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netaccess01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netaccess01
run: nix-shell -A eval-nodes --run cache-node
netcore01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore01
run: nix-shell -A eval-nodes --run cache-node
netcore02: netcore02:
runs-on: nix runs-on: nix
steps: steps:
@ -155,6 +120,17 @@ jobs:
STORE_USER: admin STORE_USER: admin
name: Build and cache storage01 name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node run: nix-shell -A eval-nodes --run cache-node
testing02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: testing02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache testing02
run: nix-shell -A eval-nodes --run cache-node
tower01: tower01:
runs-on: nix runs-on: nix
steps: steps:

4
.forgejo/workflows/eval-shell.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs: jobs:
build-shell: build-shell:
runs-on: nix runs-on: nix
@ -10,7 +8,7 @@ jobs:
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }} STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin STORE_USER: admin
name: Build and cache shell name: Build and cache shell
run: nix-shell -A eval-shell --run 'nix-build-and-cache -A devShell' run: nix-shell -A eval-shell --run "nix-build-and-cache -A devShell"
name: Build the shell name: Build the shell
on: on:
pull_request: pull_request:

91
.forgejo/workflows/npins-update.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
env: env:
GIT_AUTHOR_EMAIL: chores@mail.hubrecht.ovh GIT_AUTHOR_EMAIL: chores@mail.hubrecht.ovh
GIT_AUTHOR_NAME: HT Chores GIT_AUTHOR_NAME: HT Chores
@ -325,35 +323,6 @@ jobs:
-o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create
--description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
\"$GIT_UPDATE_BRANCH\"\n fi\nfi\n" \"$GIT_UPDATE_BRANCH\"\n fi\nfi\n"
kat-pkgs:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update kat-pkgs'
GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
name: Open a PR if updates are present
run: "npins update kat-pkgs\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
\ echo \"[+] Changes detected, pushing updates.\"\n\n git add npins\n\n\
\ if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='title,author'
-o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create
--description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
\"$GIT_UPDATE_BRANCH\"\n fi\nfi\n"
liminix: liminix:
runs-on: nix runs-on: nix
steps: steps:
@ -615,6 +584,35 @@ jobs:
-o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create
--description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
\"$GIT_UPDATE_BRANCH\"\n fi\nfi\n" \"$GIT_UPDATE_BRANCH\"\n fi\nfi\n"
nix-patches:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nix-patches
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nix-patches'
GIT_UPDATE_BRANCH: npins-updates/nix-patches
name: Open a PR if updates are present
run: "npins update nix-patches\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
\ echo \"[+] Changes detected, pushing updates.\"\n\n git add npins\n\n\
\ if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='title,author'
-o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create
--description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
\"$GIT_UPDATE_BRANCH\"\n fi\nfi\n"
nix-pkgs: nix-pkgs:
runs-on: nix runs-on: nix
steps: steps:
@ -789,6 +787,35 @@ jobs:
-o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create
--description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
\"$GIT_UPDATE_BRANCH\"\n fi\nfi\n" \"$GIT_UPDATE_BRANCH\"\n fi\nfi\n"
nixpkgs:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- env:
GIT_UPDATE_BRANCH: npins-updates/nixpkgs
name: Switch to a new branch
run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
; then\n git switch \"$GIT_UPDATE_BRANCH\"\n git rebase main\n echo \"\
EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n git switch -C \"$GIT_UPDATE_BRANCH\"\
\nfi\n"
- env:
COMMIT_MESSAGE: 'chore(npins): Update nixpkgs'
GIT_UPDATE_BRANCH: npins-updates/nixpkgs
name: Open a PR if updates are present
run: "npins update nixpkgs\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
\ echo \"[+] Changes detected, pushing updates.\"\n\n git add npins\n\n\
\ if [ -n \"$EXISTING_BRANCH\" ]; then\n git commit --amend --no-edit\n\
\ git push --force\n else\n git commit --message \"$COMMIT_MESSAGE\"\
\n git push -u origin \"$GIT_UPDATE_BRANCH\"\n fi\n\n # Connect to the
server with the cli\n tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
}}\" -u https://git.dgnum.eu\n\n # Create a pull request if needed\n # i.e.
no PR with the same title exists\n if [ -z $(tea pr ls -f='title,author'
-o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n tea pr create
--description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
\"$GIT_UPDATE_BRANCH\"\n fi\nfi\n"
proxmox-nixos: proxmox-nixos:
runs-on: nix runs-on: nix
steps: steps:
@ -908,4 +935,4 @@ jobs:
name: Update dependencies name: Update dependencies
on: on:
schedule: schedule:
- cron: 15 12 * * * - cron: 5 16 * * 6

2
.forgejo/workflows/pre-commit.yaml
View file

@ -1,5 +1,3 @@
###
# This file was automatically generated with nix-actions.
jobs: jobs:
pre-commit: pre-commit:
runs-on: nix runs-on: nix

2
README.md
View file

@ -98,7 +98,7 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing : Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix ```nix
(import ../../../keys.nix).mkSecrets [ "host02" ] [ (import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02 # List of secrets for host02
] ]
``` ```

10
REUSE.toml
View file

@ -14,19 +14,13 @@ precedence = "closest"
[[annotations]] [[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>" SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0" SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file", "modules/nixos/dgn-s3/garage-*_file"] path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"]
precedence = "closest" precedence = "closest"
[[annotations]] [[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>" SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2" SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"] path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "machines/nixos/testing02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2024 Maurice Debray <maurice.debray@dgnum.eu>"]
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch"]
precedence = "closest" precedence = "closest"
[[annotations]] [[annotations]]

33
bootstrap.nix
View file

@ -1,33 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
unpatchedSources = import ./npins;
pkgs = import unpatchedSources.nixos-unstable { };
patch = (import ./lib/nix-patches { patchFile = ./patches; }).base {
inherit pkgs;
};
sources = builtins.mapAttrs (
k: src:
patch.applyPatches {
inherit src;
name = k;
}
) unpatchedSources;
overlays.lib = _: lib: { extra = import ./lib/nix-lib { inherit lib; }; };
in
{
inherit overlays sources unpatchedSources;
pkgs = pkgs // {
lib = pkgs.lib.extend overlays.lib;
};
}

36
default.nix
View file

@ -3,13 +3,11 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
let
bootstrap = import ./bootstrap.nix;
in
{ {
sources ? bootstrap.sources, sources ? import ./npins,
pkgs ? bootstrap.pkgs, pkgs ? import sources.nixpkgs {
overlays = [ (import sources.proxmox-nixos).overlays.x86_64-linux ];
},
}: }:
let let
@ -51,7 +49,6 @@ let
reuse = nix-reuse.hook { reuse = nix-reuse.hook {
enable = true; enable = true;
stages = [ "pre-push" ]; stages = [ "pre-push" ];
package = pkgs.reuse; # git-hooks.nix is lagging on nixpkgs update
}; };
commitizen.enable = true; commitizen.enable = true;
@ -84,7 +81,6 @@ let
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent" "modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail" "modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-records/__arkheon-token_file" "modules/nixos/dgn-records/__arkheon-token_file"
"modules/nixos/dgn-s3/garage-*_file"
]; ];
license = "CC-BY-NC-ND-4.0"; license = "CC-BY-NC-ND-4.0";
} }
@ -98,23 +94,13 @@ let
"machines/nixos/vault01/k-radius/packages/01-python_path.patch" "machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/web01/crabfit/*.patch" "machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch" "machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"machines/nixos/testing02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch" "patches/lix/01-disable-installChecks.patch"
"patches/nixpkgs/01-pretalx-environment-file.patch"
"patches/nixpkgs/03-crabfit-karla.patch" "patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch" "patches/nixpkgs/05-netbird-relay.patch"
]; ];
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"; copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
} }
{
path = [
"patches/nixpkgs/07-kanidm-groups-module.patch"
"patches/nixpkgs/08-kanidm-groups-pkgs.patch"
];
copyright = [
"2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
"2024 Maurice Debray <maurice.debray@dgnum.eu>"
];
}
{ {
path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ]; path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>"; copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
@ -184,7 +170,7 @@ in
{ {
nodes = builtins.mapAttrs ( nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu" host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes); ) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix; dns = import ./meta/dns.nix;
@ -193,14 +179,16 @@ in
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
name = "dgnum-infra"; name = "dgnum-infra";
packages = packages = [
[
(pkgs.nixos-generators.overrideAttrs (_: { (pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable"; version = "1.8.0-unstable";
src = sources.nixos-generators; src = sources.nixos-generators;
})) }))
pkgs.npins pkgs.npins
# deploying on testing hypervisor
pkgs.nixmoxer
# SSO testing # SSO testing
pkgs.kanidm pkgs.kanidm
pkgs.freeradius pkgs.freeradius
@ -211,9 +199,7 @@ in
}) })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
++ git-checks.enabledPackages
++ (builtins.attrValues scripts);
shellHook = builtins.concatStringsSep "\n" [ shellHook = builtins.concatStringsSep "\n" [
git-checks.shellHook git-checks.shellHook

84
hive.nix
View file

@ -4,26 +4,44 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
# TODO: change comments to ### \n # [text] \n #
let let
### Init some tooling sources' = import ./npins;
bootstrap = import ./bootstrap.nix; # Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
inherit (bootstrap.pkgs) lib; nix-lib = import ./lib/nix-lib;
inherit (lib.extra) mapSingleFuse; inherit (nix-lib) mapSingleFuse;
inherit (bootstrap) sources; patch = import ./lib/nix-patches { patchFile = ./patches; };
### Let's build meta nodes' = import ./meta/nodes;
metadata = (import ./meta) lib; nodes = builtins.attrNames nodes';
nodes = builtins.attrNames metadata.nodes; mkNode = node: {
deployment.systemType = system node;
### Nixpkgs instanciation };
nixpkgs' = import ./meta/nixpkgs.nix; nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions × systems, instanciated
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs.version;
system = node: nodes'.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
};
# Build up the nixpkgs configuration for Liminix embedded systems # Build up the nixpkgs configuration for Liminix embedded systems
mkLiminixConfig = mkLiminixConfig =
@ -43,47 +61,29 @@ let
mkNixpkgsConfig = mkNixpkgsConfig =
system: system:
{ {
nixos = _: { }; # TODO: add nix-pkgs overlay here nixos = _: { };
zyxel-nwa50ax = mkLiminixConfig system; zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { }; netconf = _: { };
} }
.${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation"); .${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
# Instanciates the required nixpkgs version # Instanciates the required nixpkgs version
mkSystemNixpkgs = mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
system: version: import sources."nixos-${version}" (mkNixpkgsConfig system version);
# All supported nixpkgs versions × systems, instanciated ###
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: metadata.nodes.${node}.nixpkgs.version;
system = node: metadata.nodes.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
##########
# Function to create arguments based on the node # Function to create arguments based on the node
# #
mkArgs = node: rec { mkArgs = node: rec {
lib = sourcePkgs.lib.extend bootstrap.overlays.lib; lib = sourcePkgs.lib // {
extra = nix-lib;
};
sourcePkgs = nodePkgs node; sourcePkgs = nodePkgs node;
meta = metadata; meta = (import ./meta) lib;
nodeMeta = metadata.nodes.${node}; nodeMeta = meta.nodes.${node};
nodePath = "machines/${category node}/${node}"; nodePath = "machines/${category node}/${node}";
}; };
##########
# Module for each node (quite empty since almost everything is in the default module)
#
mkNode = node: {
deployment.systemType = system node;
};
in in
{ {
@ -94,10 +94,7 @@ in
specialArgs = { specialArgs = {
inherit nixpkgs sources; inherit nixpkgs sources;
dgn-keys = import ./lib/keys { dgn-keys = import ./keys;
meta = metadata;
inherit lib;
};
}; };
nodeSpecialArgs = mapSingleFuse mkArgs nodes; nodeSpecialArgs = mapSingleFuse mkArgs nodes;
@ -149,7 +146,7 @@ in
./${nodePath}.nix ./${nodePath}.nix
./modules/netconf ./modules/netconf
./lib/netconf-junos ./lib/netconf-junos
"${sources.nixos-unstable}/nixos/modules/misc/assertions.nix" "${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
]; ];
system.host-name = name; system.host-name = name;
@ -221,6 +218,5 @@ in
}; };
}; };
}; };
} }
// (mapSingleFuse mkNode nodes) // (mapSingleFuse mkNode nodes)

4
iso/configuration.nix
View file

@ -5,9 +5,9 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
let let
dgn-keys = import ../keys.nix; dgn-keys = import ../keys;
dgn-members = (import ../meta lib).config.organization.groups.root; dgn-members = (import ../meta lib).organization.groups.root;
in in
{ {

13
keys.nix
View file

@ -1,13 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
bootstrap = import ./bootstrap.nix;
inherit (bootstrap.pkgs) lib;
meta = import ./meta lib;
in
import ./lib/keys { inherit meta lib; }

109
keys/default.nix Normal file
View file

@ -0,0 +1,109 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
_sources = import ../npins;
inherit (import _sources.nixpkgs { }) lib;
meta = import ../meta lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
hypervisor01 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
];
hypervisor02 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
];
hypervisor03 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
testing02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9ZLXDshhwRZs35oN3UYDtJXEBwMTP20nyWz453TvlY" ];
tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
nixosMachineKeys =
rootKeys
++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes)));
}

2
lib/colmena/wrapper.sh.in
View file

@ -28,4 +28,4 @@ if [[ $1 == 'apply' ]]; then
doChecks doChecks
fi fi
exec @colmena@ --nix-option nix-path "" "$@" exec @colmena@ "$@"

51
lib/keys/default.nix
View file

@ -1,51 +0,0 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ meta, lib }:
let
inherit (lib.extra) setDefault unique;
getAttr = lib.flip builtins.getAttr;
in
rec {
_memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
_builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
_nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
# Get keys of the users
getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
# Get builder keys of the users
getBuilderKeys = getAttr _builderKeys;
# Get keys of the ssh server
getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);
# List of keys for the root group
rootKeys = getMemberKeys meta.organization.groups.root;
# All admins for a node
getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
# All keys needed for secret encryption
getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
# List of keys for all machines wide secrets
machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getSecretKeys nodes); };
mkRootSecrets = setDefault { publicKeys = unique rootKeys; };
machineKeysBySystem =
system:
rootKeys
++ (getNodeKeys (
builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
));
}

6
lib/netconf-junos/protocols.nix
View file

@ -28,9 +28,9 @@ in
config.netconf.xmls.protocols = '' config.netconf.xmls.protocols = ''
<protocols> <protocols>
<rstp operation="replace"> <rstp operation="replace">
${concatMapStringsSep "" ( ${
intf: "<interface><name>${intf}</name></interface>" concatMapStringsSep "" (intf: "<interface><name>${intf}</name></interface>") config.protocols.rstp
) config.protocols.rstp} }
</rstp> </rstp>
</protocols> </protocols>
''; '';

35
lib/nix-lib/default.nix
View file

@ -2,13 +2,17 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu> # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
{ lib }:
let
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec { rec {
inherit (lib) inherit (import ./nixpkgs.nix)
flip flip
optionals
optionalString
hasPrefix hasPrefix
recursiveUpdate recursiveUpdate
splitString splitString
@ -49,24 +53,6 @@ rec {
attrsList: attrsList:
fuseAttrs (builtins.map f attrsList); fuseAttrs (builtins.map f attrsList);
/*
Generate an `attrsList` of given size with the generator before fusing
the resulting list of attribute sets.
Type: (Int -> attrs) -> Int -> attrs
Example:
f = s: { "a${toString s}" = s + s; }
genFuse f 3
=> { a0 = 0; a1 = 2; a2 = 4; }
*/
genFuse =
# Int -> attrs
f:
# Int
size:
fuseAttrs (builtins.genList f size);
/* /*
Equivalent of lib.singleton but for an attribute set. Equivalent of lib.singleton but for an attribute set.
@ -126,8 +112,11 @@ rec {
subAttrs = attrs: builtins.map (subAttr attrs); subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = optionals; optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/* /*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together. sets together.

466
lib/nix-lib/nixpkgs.nix Normal file
View file

@ -0,0 +1,466 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
/**
`warn` *`message`* *`value`*
Print a warning before returning the second argument.
See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
# Inputs
*`message`* (String)
: Warning message to print before evaluating *`value`*.
*`value`* (any value)
: Value to return as-is.
# Type
```
String -> a -> a
```
*/
warn =
# Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
builtins.warn or (
let
mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
"1"
"true"
"yes"
];
in
# Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
msg: v:
# `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
assert builtins.isString msg;
if mustAbort then
builtins.trace "evaluation warning: ${msg}" (
abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
)
else
builtins.trace "evaluation warning: ${msg}" v
);
}

9
lib/nix-patches/default.nix
View file

@ -14,15 +14,12 @@ rec {
{ pkgs }: { pkgs }:
rec { rec {
mkUrlPatch = mkUrlPatch =
{ attrs:
hash ? null,
...
}@attrs:
pkgs.fetchpatch ( pkgs.fetchpatch (
{ {
hash = if hash == null then pkgs.lib.fakeHash else hash; hash = pkgs.lib.fakeHash;
} }
// (builtins.removeAttrs attrs [ "hash" ]) // attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) { // (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ]; excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
}) })

29
machines/netconf/netaccess01.nix
View file

@ -1,29 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
AP = [
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
];
admin-ip = "fd26:baf9:d250:8000::2001/64";
};
dgn-interfaces = {
# netcore02
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.42.6/24" ];
};
}

36
machines/netconf/netcore01.nix
View file

@ -1,36 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-hardware.model = "EX2300-48P";
dgn-isp = {
enable = true;
admin-ip = "fd26:baf9:d250:8000::100f/64";
};
dgn-profiles."hypervisor" = {
interfaces = [
"ge-0/0/0"
"ge-0/0/1"
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
"ge-0/0/6"
"ge-0/0/7"
];
configuration.ethernet-switching = {
interface-mode = "access";
vlans = [ "hypervisor" ];
};
};
dgn-interfaces = {
"xe-0/2/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# debug management
"me0".inet.addresses = [ "192.168.2.2/24" ];
};
}

98
machines/netconf/netcore02.nix
View file

@ -2,41 +2,76 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
{ let
dgn-hardware.model = "EX2300-48P"; #TODO: meta
dgn-isp = { vlansPlan = {
enable = true; "uplink-cri".id = 223;
AP = [
# H1-00 "admin-core" = {
"ge-0/0/0" id = 3000;
"ge-0/0/1" l3-interface = "irb.0";
"ge-0/0/2"
"ge-0/0/3"
"ge-0/0/4"
"ge-0/0/5"
# H1-01
"ge-0/0/6"
"ge-0/0/7"
"ge-0/0/8"
"ge-0/0/9"
"ge-0/0/10"
"ge-0/0/11"
# H1-02
"ge-0/0/12"
"ge-0/0/13"
"ge-0/0/14"
"ge-0/0/15"
"ge-0/0/16"
"ge-0/0/17"
];
admin-ip = "fd26:baf9:d250:8000::1001/64";
}; };
"admin-ap".id = 3001;
"users".id-list = [
{
begin = 3045;
end = 4094;
}
];
"ap-staging".id = 2000;
};
#TODO: additionnal module (always the same for APs)
AP-staging = {
poe = true;
ethernet-switching = {
interface-mode = "access";
vlans = [ "ap-staging" ];
};
};
in
{
vlans = vlansPlan;
dgn-hardware.model = "EX2300-48P";
dgn-interfaces = { dgn-interfaces = {
# "ge-0/0/0" = AP-staging;
# "ge-0/0/1" = AP-staging;
# "ge-0/0/2" = AP-staging;
# "ge-0/0/3" = AP-staging;
"ge-0/0/4" = AP-staging;
# "ge-0/0/5" = AP-staging;
# "ge-0/0/6" = AP-staging;
# "ge-0/0/7" = AP-staging;
# "ge-0/0/8" = AP-staging;
# "ge-0/0/9" = AP-staging;
# "ge-0/0/10" = AP-staging;
# "ge-0/0/11" = AP-staging;
# "ge-0/0/12" = AP-staging;
# "ge-0/0/13" = AP-staging;
# "ge-0/0/14" = AP-staging;
# "ge-0/0/15" = AP-staging;
# "ge-0/0/16" = AP-staging;
# "ge-0/0/17" = AP-staging;
# oob # oob
"ge-0/0/42".ethernet-switching = { "ge-0/0/42".ethernet-switching = {
interface-mode = "trunk"; interface-mode = "trunk";
vlans = [ "all" ]; vlans = [ "all" ];
}; };
# AP de test
"ge-0/0/43" = {
poe = true;
ethernet-switching = {
interface-mode = "access";
vlans = [ 4000 ];
};
};
# uplink oob
"ge-0/0/46".ethernet-switching = {
interface-mode = "access";
vlans = [ 222 ];
rstp = false;
};
# ilo # ilo
"ge-0/0/47".ethernet-switching = { "ge-0/0/47".ethernet-switching = {
interface-mode = "access"; interface-mode = "access";
@ -60,9 +95,9 @@
}; };
# netcore01 (Potos) # netcore01 (Potos)
"xe-0/1/2".ethernet-switching = { "xe-0/1/2".ethernet-switching = {
interface-mode = "trunk"; interface-mode = "access";
vlans = [ vlans = [
"all" "ap-staging"
]; ];
}; };
# uplink # uplink
@ -71,7 +106,8 @@
vlans = [ "uplink-cri" ]; vlans = [ "uplink-cri" ];
}; };
# debug management # management
"me0".inet.addresses = [ "192.168.42.6/24" ]; "me0".inet.addresses = [ "192.168.42.6/24" ];
"irb".inet6.addresses = [ "fd26:baf9:d250:8000::1001/64" ];
}; };
} }

65
machines/nixos/bridge01/network.nix
View file

@ -3,17 +3,8 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
{ _:
pkgs,
utils,
lib,
...
}:
let
inherit (lib)
getExe'
;
in
{ {
networking = { networking = {
useNetworkd = true; useNetworkd = true;
@ -23,28 +14,14 @@ in
firewall.allowedUDPPorts = [ 67 ]; firewall.allowedUDPPorts = [ 67 ];
}; };
systemd = { systemd.network = {
services."arp-resolve-router" = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "systemd-networkd-wait-online.service" ];
bindsTo = [ "systemd-networkd-wait-online.service" ];
serviceConfig.ExecStart = utils.escapeSystemdExecArgs [
(getExe' pkgs.iputils "ping")
"-c"
1
"10.120.33.245"
];
};
network = {
wait-online.anyInterface = true;
networks = { networks = {
"10-enp1s0f0" = { "10-eno1" = {
name = "enp1s0f0"; name = "eno1";
# description = "To the switch";
networkConfig = { networkConfig = {
VLAN = [ VLAN = [
"vlan-admin" "vlan-admin"
"vlan-uplink-oob"
]; ];
LinkLocalAddressing = false; LinkLocalAddressing = false;
@ -53,21 +30,7 @@ in
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
}; };
}; # address = [ "192.168.222.1/24" ];
"10-eno1" = {
name = "eno1";
# description = "Uplink cri";
address = [
"10.120.33.246/30"
"129.199.195.158/32"
];
routes = [
{
PreferredSource = "129.199.195.158";
Gateway = "10.120.33.245";
}
];
}; };
"10-vlan-admin" = { "10-vlan-admin" = {
@ -91,6 +54,11 @@ in
"192.168.222.1/24" "192.168.222.1/24"
]; ];
}; };
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
}; };
netdevs = { netdevs = {
@ -99,8 +67,17 @@ in
Name = "vlan-admin"; Name = "vlan-admin";
Kind = "vlan"; Kind = "vlan";
}; };
vlanConfig.Id = 3000; vlanConfig.Id = 3000;
}; };
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
}; };
}; };
}; };

6
machines/nixos/bridge01/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "bridge01" ] [
[ "bridge01" ]
[
# List of secrets for bridge01 # List of secrets for bridge01
] ]

26
machines/nixos/build01/_configuration.nix
View file

@ -1,26 +0,0 @@
# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
"dgn-forgejo-runners"
];
enabledServices = [
"nix-builder"
];
extraConfig = {
dgn-forgejo-runners = {
nbRunners = 16;
dataDirectory = "/data";
};
services.netbird.enable = true;
};
root = ./.;
}

59
machines/nixos/build01/_hardware-configuration.nix
View file

@ -1,59 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"nvme"
"megaraid_sas"
"ehci_pci"
"ahci"
"usbhid"
"sd_mod"
];
kernelModules = [ "dm-snapshot" ];
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
fsType = "xfs";
};
"/data" = {
device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/1372-46EA";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

77
machines/nixos/build01/nix-builder.nix
View file

@ -1,77 +0,0 @@
# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
lib,
dgn-keys,
meta,
...
}:
{
config = {
dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
# FIXME(Raito): this should really go into `dgn-access-control` but I don't
# know what is the desired architecture for it. Leaving it for the people with opinions™.
users.groups.nix-builders = { };
users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
extraGroups = [ "nix-builders" ];
openssh.authorizedKeys.keys = dgn-keys.getBuilderKeys u;
});
security.pam.loginLimits = [
{
domain = "*";
item = "nofile";
type = "-";
value = "20480";
}
];
systemd.services.nix-daemon.serviceConfig = {
MemoryAccounting = true;
MemoryMax = "450G";
MemoryHigh = "440G";
MemorySwapMax = "2G";
ManagedOOMSwap = "kill";
ManagedOOMMemoryPressure = "kill";
MemoryPressureWatch = "on";
};
nix = {
gc = {
automatic = true;
dates = lib.mkForce "*:45";
options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
randomizedDelaySec = "1800";
};
nrBuildUsers = 128;
settings = {
trusted-users = [
"@wheel"
"@nix-builders"
];
keep-outputs = false;
keep-derivations = false;
use-cgroups = true;
http-connections = 0;
auto-allocate-uids = true;
cores = 0;
max-jobs = 8;
fsync-metadata = true;
experimental-features = [
"auto-allocate-uids"
# "ca-derivations" this feature is really extremely broken.
"cgroups"
"fetch-closure"
"impure-derivations"
];
};
};
};
}

31
machines/nixos/build01/secrets/forgejo_runners-token_file
View file

@ -1,31 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
-> ssh-rsa krWCLQ
X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
ejR3mZyP5SU2+Pr6navc0w
-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
-> Tqc#'yq%-grease b
X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
8TkORCQQUYZIlNqu2Psfbi0
--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
“˜?l÷6r] úfBžo<ŸŒ9lj5M+Ší7íNõϹäô% Ñ.èœELĘâÂÒw§¾snÑáã¬nšN -×Ø̯pñûëËŠÓ

9
machines/nixos/build01/secrets/secrets.nix
View file

@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets
[ "build01" ]
[
"forgejo_runners-token_file"
]

3
machines/nixos/compute01/_configuration.nix
View file

@ -25,14 +25,11 @@ lib.extra.mkConfig {
"kanidm" "kanidm"
"librenms" "librenms"
"mastodon" "mastodon"
# "netbox"
"nextcloud" "nextcloud"
"ollama-proxy" "ollama-proxy"
"outline" "outline"
"plausible" "plausible"
"postgresql" "postgresql"
"pretalx"
"pretix"
"rstudio-server" "rstudio-server"
# "satosa" # "satosa"
"signal-irc-bridge" "signal-irc-bridge"

55
machines/nixos/compute01/dgsi/default.nix
View file

@ -14,22 +14,26 @@
let let
inherit (lib) toLower; inherit (lib) toLower;
python = pkgs.python312.override { python =
packageOverrides = (import "${sources.nix-pkgs}/overlay.nix").mkOverlay { let
folder = "python-modules"; python3 = pkgs.python312;
plist = [ nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
"django-allauth" in
"django-allauth-cas" python3.override {
"django-browser-reload" packageOverrides = _: _: {
"django-bulma-forms" inherit (nix-pkgs)
"django-sass-processor" django-allauth
"django-sass-processor-dart-sass" django-allauth-cas
"django-unfold" django-browser-reload
"loadcredential" django-bulma-forms
"pykanidm" django-sass-processor
"python-cas" django-sass-processor-dart-sass
"xlwt" django-unfold
]; pykanidm
python-cas
loadcredential
xlwt
;
}; };
}; };
@ -40,7 +44,6 @@ let
ps.gunicorn ps.gunicorn
ps.psycopg ps.psycopg
ps.django-compressor ps.django-compressor
ps.django-htmx
ps.django-import-export ps.django-import-export
# Local packages # Local packages
@ -76,7 +79,6 @@ let
export DGSI_KANIDM_AUTH_TOKEN="fake.token" export DGSI_KANIDM_AUTH_TOKEN="fake.token"
export DGSI_X509_KEY="" export DGSI_X509_KEY=""
export DGSI_X509_CERT="" export DGSI_X509_CERT=""
export DGSI_ARCHIVES_ROOT=""
''; '';
doBuild = false; doBuild = false;
@ -155,10 +157,6 @@ in
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media"; DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
DGSI_STATIC_ROOT = "${staticDrv}/static"; DGSI_STATIC_ROOT = "${staticDrv}/static";
DGSI_ARCHIVES_ROOT = "/var/lib/django-apps/dgsi/archives";
DGSI_ARCHIVES_INTERNAL = "_archives";
DGSI_STAFF_GROUP = "grp_bureau@sso.dgnum.eu";
DGSI_DATABASES = builtins.toJSON { DGSI_DATABASES = builtins.toJSON {
default = { default = {
@ -189,15 +187,6 @@ in
}; };
mounts = [ mounts = [
{
where = "/run/django-apps/dgsi/archives";
what = "/var/lib/django-apps/dgsi/archives";
options = "bind";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
upheldBy = [ "dj-dgsi.service" ];
}
{ {
where = "/run/django-apps/dgsi/media"; where = "/run/django-apps/dgsi/media";
what = "/var/lib/django-apps/dgsi/media"; what = "/var/lib/django-apps/dgsi/media";
@ -231,10 +220,6 @@ in
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock"; "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
"/static/".root = staticDrv; "/static/".root = staticDrv;
"/media/".root = "/run/django-apps/dgsi"; "/media/".root = "/run/django-apps/dgsi";
"/_archives/".extraConfig = ''
internal;
alias /run/django-apps/dgsi/archives/;
'';
}; };
}; };
}; };

20
machines/nixos/compute01/extranix/default.nix
View file

@ -4,9 +4,7 @@
{ {
lib, lib,
meta,
sources, sources,
dgn-keys,
... ...
}: }:
let let
@ -39,7 +37,7 @@ in
"DGNum Infrastructure" = "DGNum Infrastructure" =
let let
# prefer a non-patched nixpkgs # prefer a non-patched nixpkgs
infra-nixpkgs = (import "${hive-root}/bootstrap.nix").pkgs; infra-nixpkgs = (import "${hive-root}/hive.nix").meta.nixpkgs { };
infra-modulesPath = "${infra-nixpkgs.path}/nixos/modules/"; infra-modulesPath = "${infra-nixpkgs.path}/nixos/modules/";
in in
{ {
@ -47,7 +45,7 @@ in
"modules/generic" "modules/generic"
"modules/nixos" "modules/nixos"
]; ];
ignored-modules = (import "${infra-modulesPath}/module-list.nix") ++ [ ignored-modules = import "${infra-modulesPath}/module-list.nix" ++ [
"${sources.agenix}/modules/age.nix" "${sources.agenix}/modules/age.nix"
"${sources.arkheon}/module.nix" "${sources.arkheon}/module.nix"
"${sources."microvm.nix"}/nixos-modules/host" "${sources."microvm.nix"}/nixos-modules/host"
@ -55,18 +53,20 @@ in
{ system.stateVersion = "25.05"; } { system.stateVersion = "25.05"; }
]; ];
specialArgs = { specialArgs = {
inherit meta sources; inherit
modulesPath = builtins.storePath infra-modulesPath; sources
lib
;
modulesPath = infra-modulesPath;
pkgs = infra-nixpkgs; pkgs = infra-nixpkgs;
inherit (infra-nixpkgs) lib; name = "<nodeName>";
name = "nodeName";
nodeMeta = { nodeMeta = {
nix-modules = [ ]; nix-modules = [ ];
admins = [ ]; admins = [ ];
adminGroups = [ ]; adminGroups = [ ];
}; };
dgn-keys = dgn-keys // { meta = {
getNodeAdmins = _: [ ]; organization.groups.root = [ ];
}; };
}; };
path-translations = [ path-translations = [

28
machines/nixos/compute01/grafana/default.nix → machines/nixos/compute01/grafana.nix
View file

@ -2,12 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
{ { config, ... }:
config,
pkgs,
meta,
...
}:
let let
host = "grafana.dgnum.eu"; host = "grafana.dgnum.eu";
@ -67,27 +62,6 @@ in
auto_assign_org_role = "Admin"; auto_assign_org_role = "Admin";
}; };
}; };
declarativePlugins = import ./plugins.nix { inherit pkgs; };
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "VictoriaLogs";
type = "victoriametrics-logs-datasource";
access = "proxy";
url = "http://${meta.network.storage01.netbirdIp}:9428";
}
{
name = "VictoriaMetrics";
type = "victoriametrics-metrics-datasource";
access = "proxy";
url = "http://${meta.network.storage01.netbirdIp}:8428";
}
];
};
}; };
postgresql = { postgresql = {

19
machines/nixos/compute01/grafana/plugins.nix
View file

@ -1,19 +0,0 @@
# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
builtins.map pkgs.grafanaPlugins.grafanaPlugin [
{
pname = "victoriametrics-logs-datasource";
version = "0.14.3";
zipHash = "sha256-g/ntmNyWJ9h/eYpZ0gqiESvVfm2fU6/Ci8R7FHIV7AQ=";
}
{
pname = "victoriametrics-metrics-datasource";
version = "0.13.1";
zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
}
]

22
machines/nixos/compute01/kanidm/default.nix
View file

@ -44,6 +44,8 @@ let
usernameFor = member: meta.organization.members.${member}.username; usernameFor = member: meta.organization.members.${member}.username;
in in
{ {
nixpkgs.config.permittedInsecurePackages = [ "kanidm-1.3.3" ];
services.kanidm = { services.kanidm = {
enableServer = true; enableServer = true;
@ -81,17 +83,12 @@ in
) meta.organization.members; ) meta.organization.members;
groups = groups =
(lib.extra.genFuse (id: { "vlan_${builtins.toString (4094 - id)}".memberless = true; }) 850) {
// {
grp_active.members = catAttrs "username" (attrValues meta.organization.members); grp_active.members = catAttrs "username" (attrValues meta.organization.members);
grp-ext_cri.memberless = true;
} }
// (mapAttrs' ( // (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; } name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups) ) meta.organization.groups);
// (mapAttrs' (
name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
) meta.organization.services);
# INFO: The authentication resources declared here can only be for internal services, # INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known. # as regular members cannot be statically known.
@ -144,10 +141,7 @@ in
displayName = "Netbox [Inventory]"; displayName = "Netbox [Inventory]";
enableLegacyCrypto = true; enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu"; originLanding = "https://netbox.dgnum.eu";
originUrl = [ originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/";
"https://netbox.dgnum.eu/oauth/complete/oidc/"
"https://netbox-v2.dgnum.eu/oauth/complete/oidc/"
];
preferShortUsername = true; preferShortUsername = true;
scopeMaps.grp_active = [ scopeMaps.grp_active = [
@ -155,12 +149,6 @@ in
"profile" "profile"
"email" "email"
]; ];
scopeMaps.grp-ext_cri = [
"openid"
"profile"
"email"
];
}; };
dgn_outline = { dgn_outline = {

6
machines/nixos/compute01/kanidm/secrets/secrets.nix
View file

@ -2,9 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../../keys.nix).mkSecrets (import ../../../../../keys).mkSecrets [ "compute01" ] [
[ "compute01" ]
[
"kanidm-password_admin" "kanidm-password_admin"
"kanidm-password_idm_admin" "kanidm-password_idm_admin"
] ]

3
machines/nixos/compute01/librenms/module.nix
View file

@ -401,8 +401,7 @@ in
"distributed_billing" = cfg.distributedPoller.distributedBilling; "distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost; "distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;
"distributed_poller_memcached_port" = cfg.distributedPoller.memcachedPort; "distributed_poller_memcached_port" = cfg.distributedPoller.memcachedPort;
"rrdcached" = "rrdcached" = "${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
"${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
}) })
// (lib.optionalAttrs cfg.useDistributedPollers { // (lib.optionalAttrs cfg.useDistributedPollers {
"distributed_poller" = true; "distributed_poller" = true;

74
machines/nixos/compute01/netbox.nix
View file

@ -1,74 +0,0 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
nixpkgs,
...
}:
let
EnvironmentFile = [ config.age.secrets."netbox-environment_file".path ];
in
{
services = {
netbox = {
enable = true;
package = nixpkgs.nixos.unstable.netbox_4_1;
secretKeyFile = "/dev/null";
listenAddress = "127.0.0.1";
plugins = p: [ p.netbox-qrcode ];
settings = {
ALLOWED_HOSTS = [ "netbox-v2.dgnum.eu" ];
REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
PLUGINS = [ "netbox_qrcode" ];
PLUGINS_CONFIG = {
netbox_qrcode = {
custom_text = "DGNum. contact@dgnum.eu";
font = "Tahoma";
};
};
};
extraConfig = lib.mkForce ''
from os import environ as env
SECRET_KEY = env["SECRET_KEY"]
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
'';
};
};
systemd.services = {
netbox.serviceConfig = {
inherit EnvironmentFile;
TimeoutStartSec = 600;
};
netbox-housekeeping.serviceConfig = {
inherit EnvironmentFile;
};
netbox-rq.serviceConfig = {
inherit EnvironmentFile;
};
};
users.users.nginx.extraGroups = [ "netbox" ];
dgn-web.simpleProxies.netbox = {
inherit (config.services.netbox) port;
host = "netbox-v2.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
# dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
# dgn-backups.postgresDatabases = [ "netbox" ];
}

7
machines/nixos/compute01/nextcloud.nix
View file

@ -76,7 +76,7 @@ in
database.createLocally = true; database.createLocally = true;
configureRedis = true; configureRedis = true;
autoUpdateApps.enable = false; autoUpdateApps.enable = true;
settings = { settings = {
overwriteprotocol = "https"; overwriteprotocol = "https";
@ -197,11 +197,6 @@ in
nextcloud-cron.path = [ pkgs.perl ]; nextcloud-cron.path = [ pkgs.perl ];
}; };
users.users.cool = {
home = "/var/lib/cool/home";
createHome = true;
};
environment.systemPackages = [ pkgs.ffmpeg_6-headless ]; environment.systemPackages = [ pkgs.ffmpeg_6-headless ];
networking.hosts = { networking.hosts = {

4
machines/nixos/compute01/outline.nix
View file

@ -45,9 +45,7 @@ in
dgn-web.simpleProxies.outline = { dgn-web.simpleProxies.outline = {
inherit host port; inherit host port;
vhostConfig.locations."/robots.txt".return = vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
proxyWebsockets = true;
}; };
age-secrets.autoMatch = [ "outline" ]; age-secrets.autoMatch = [ "outline" ];

59
machines/nixos/compute01/pretalx.nix
View file

@ -1,59 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
{
services.nginx.virtualHosts.${config.services.pretalx.nginx.domain} = {
enableACME = true;
forceSSL = true;
};
services.pretalx = {
enable = true;
package = pkgs.pretalx.overrideAttrs (old: {
disabledTests = old.disabledTests ++ [
# Does not work in CI !?
"test_documentation_includes_config_options"
];
});
plugins = with config.services.pretalx.package.plugins; [
pages
venueless
];
nginx = {
enable = true;
domain = "pretalx.dgnum.eu";
};
environmentFile = config.age.secrets."pretalx-environment_file".path;
settings = {
files.upload_limit = 50;
mail = {
from = "pretalx@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
ssl = true;
user = "web-services@infra.dgnum.eu";
};
logging.email = "admins+pretalx@dgnum.eu";
locale = {
language_code = "fr";
time_zone = "Europe/Paris";
};
};
};
dgn-backups = {
postgresDatabases = [ "pretalx" ];
jobs.pretix.settings.paths = [ "/var/lib/pretalx" ];
};
}

55
machines/nixos/compute01/pretix.nix
View file

@ -1,55 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{
services.nginx.virtualHosts.${config.services.pretix.nginx.domain} = {
enableACME = true;
forceSSL = true;
};
services.pretix = {
enable = true;
plugins = with config.services.pretix.package.plugins; [
pages
passbook
];
nginx = {
enable = true;
domain = "pretix.dgnum.eu";
};
environmentFile = config.age.secrets."pretix-environment_file".path;
settings = {
pretix = {
instance_name = "pretix.dgnum.eu";
url = "https://${config.services.pretix.nginx.domain}";
};
mail = {
admins = "admins+pretix@dgnum.eu";
from = "pretix@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
ssl = "on";
user = "web-services@infra.dgnum.eu";
};
locale = {
default = "fr";
timezone = "Europe/Paris";
};
};
};
dgn-backups = {
postgresDatabases = [ "pretix" ];
jobs.pretix.settings.paths = [ "/var/lib/pretix" ];
};
}

BIN
machines/nixos/compute01/secrets/netbox-environment_file
View file

Binary file not shown.

30
machines/nixos/compute01/secrets/pretalx-environment_file
View file

@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA nxmUrwL0YLjmyml8KcWZ6dWwV5O6w2Dlg7uqb+eSYBY
BgVWB3Z3wJ9E68kmDbf4/NrmsZGR/goS2Kfx/nc49Vs
-> ssh-ed25519 QlRB9Q VB75tVIpYDO9Ta0MRsfuP24TAjbyT6OWEN0SjVkGVnA
oDn5Yal9NY2ce0p4jf0+ceBM14aF9+62J3Ich00bn60
-> ssh-ed25519 r+nK/Q ejM5Jc8o01aaFO55KL8O2IBf6XSb84zvirAUWyWI0Ck
UXPxGsxI+vZHPsSWirv9GTa/Etwh3GXlOxAHrBMiRZQ
-> ssh-rsa krWCLQ
noF/XAAr5oXO3yxHgoKlPuFSiexCG508JCHrvUK0Pkw71KASEcEAfEHb+rZTi6yA
vtRIoU6MnAG4RaDkilp2Cz4LDfx8JvT3ucmy///0UhwUwC8keeR7r/EIGPdB3Fyc
FyyhC0KflA0kmWsOR9EZi2YYAHRTPUMzXYdSdIGc/82WMVGEizTck8CH10GV2Bxl
SyiaJFk//q4fZZwyYUyaSVFjMwrjU1bbAipmB24SLLCLp1J+Xxq/OX83Mctjqutl
LlNC10GdvM1JoPFFxy9Chk63WHZXp745D5JppWKJ8FuUs89WpCspzYNgqRgyBoQA
wNlUgSD1p815tuCDs1+wlg
-> ssh-ed25519 /vwQcQ StDx98vbjAGhJu1o74uVBC6DhuqaZZjxIEPyyCS44Wo
CxNrC8Pdi9HMF0atPNQutowQG60DSyWhXA3n/vOS+HA
-> ssh-ed25519 0R97PA BfmW5ljTVp+tUs32lAMnSBz2q5jMSgwgza3pfS3L404
GibEScHuYz0b7kt+EQRXhiY01IfZzBhmMMJ7JxstWNo
-> ssh-ed25519 JGx7Ng hCbmKD+QH6SlFmFMM61Xv2Y8TjNZJyCYhhtFmjYQUEM
J8CLfOvhJeSdN2W8NQsIbfA1li6V4IzZc43Rq+yNuHc
-> ssh-ed25519 bUjjig jFfhHzfqTzuuN4IszblOGe7WFMxfFa5GvUbQ5TgWNmI
FU6hJSW0AT5FG49oQzN7c0dDsmgbhOYLAEz4YeAus6o
-> ssh-ed25519 tDqJRg 8DMYhpgIDvTQ+IshJCKvgFiY8J4qdVVA7nGRRc+clSA
EfRYOKCE6zv6BqbDyN4p6QdfN5Y+2GPie2tLqISbsSQ
-> {7;qZH-grease b'%
/q1kVYwytu14uIpZOi643OuIU7M3xNYoe2IPCVeH7A7lsAfhEuCbUOSwVGb1yvvP
Zuz3ZUD4ubs7a4By3LmbfYgTak2iHUMd7YCMOcWgwRJb
--- GrGJW7DhRg2lMfi+2fs81QGOIwUVuJkLuCzynlGtvUc
Ì©Û¼šÙô].r·@…ªÚ+ÔÅutb)ßÍÈõ^¿²É½*ñ‡;/†ˆÎçSôóš->dÚÆ™ôšY§û¯‡ukÿ{œôñªsž<>±<EFBFBD> VÊŠ
H¹o.

30
machines/nixos/compute01/secrets/pretix-environment_file
View file

@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA Rns+GrvYIYGr2bkT5PGqRYgVjiDYx5bZePFwX5n84z8
+vmlrK5mS00BLpJukWoHHDvJVOuHS/dfWSfPRqiiK2A
-> ssh-ed25519 QlRB9Q RKtrm6jKvSbOSBU8Lnd6Saui6yXHMuSgNcoYgGpwPEE
cU1kLd9jZ2qaeKcQEVaxxra2le1MwGMZNuDQBui76CU
-> ssh-ed25519 r+nK/Q J3IwXYXujMKTIDTW+zoP3kTlxd+WRWwrHo/uvH7y6Tg
YimrLo0a6W2baGbCx6WIw7PBnI/cBioMtiZhU4dcT8k
-> ssh-rsa krWCLQ
sX+yb3LCSr+PpOx/VHB6RCnlT2iARoPdoTlNhtz8DYGKY/UTNtqGtgHd0rV9cefh
MHdBlpjUnxpPkCuP2EwIEMTqyjGbPoq/AdpxklXNquMxWyeYD7Pe5ABbEx4vpAgH
+d3A+X3sJXV+lGqPtwIbRBBMCSYxffrS68V5DYfUWNG0rAF7xknfTE4IFNgg1yzR
4LJRpI/j77wlOn/8cH8jGtBrKtRPTq1z6a8MLU36bmBEpmS3EGMvOrfGrMnenhFr
vt6WEsEcHON5C57WyvfEV/qeLhkzaRBOcq3LnYGN4qc0EqVvWCLRqTHeMMJEWhK3
n6qGjzhE5n1FMPoxox83ig
-> ssh-ed25519 /vwQcQ brE7F9GWBMVcmBJskPLZYp2tD80LAWvQFWGxw5asvC0
aOsMTgH17u16P2oUzrIgvv3d70uYkMjAqBJDmmUYPq8
-> ssh-ed25519 0R97PA Ni0DxmzYhSN/mwgKs8AFNwcEMLGDBH2R7mxwyGqyRxg
EmtSYAQ7wwYWqNLu8CmOhEhZq09UvPE8mTL9xRlXq0A
-> ssh-ed25519 JGx7Ng 0iDIiH3slqmumi41n1xKDlxH4UG3TvN+apOZCBCC2B0
4uejPMfD2Qg9P9DPXr6kk06SdYIREc9/w5tId9ZkmjI
-> ssh-ed25519 bUjjig v0d0b2QdvJhiIlrYMRtfjvCWERTXyGIYmmocNTzFFBg
B+o4ZPftYBmc5CxdTqHSjIzyx5X6lCJ88M+XRj5ddrA
-> ssh-ed25519 tDqJRg I67xye4YEG7fRzMeSqmyY7g99YwBFG4TyIiABHnEd3k
Cj95yZeQZwGLFNnw4gK5pzS7Rvr/v0sIfNHoj/FWerU
-> 84t6-grease X|
ylGgBiG/KYc0vDvMho+lPMBe+2kZZ3DvlF5JHgtMRUAMy9ugXbwDYu5qq7GyPL38
aBw8Jx13iIRkJA9CisyygX7l2P5sOdaa/IE5fTABjL6EGkLbP1uI0OFTH9Dd1tYy
ww
--- qbaLv0BDEw2uSR1ccqH5HOinQSQeynDl0IFU9VwD3Ag
º?Ž’¸l¬BÛ†øï—iI ]å4x5¯¶ÎhMÜÍsÒ×Dz¹{ÍpTÅ}G‡U ¡ Cù]ÛQh~¯ªŒãf¯¾ˆËoQí<51>Gƒ¡“jÛ(j®

9
machines/nixos/compute01/secrets/secrets.nix
View file

@ -2,9 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "compute01" ] [
[ "compute01" ]
[
# List of secrets for compute01 # List of secrets for compute01
"arkheon-env_file" "arkheon-env_file"
"bupstash-put_key" "bupstash-put_key"
@ -22,7 +20,6 @@
"librenms-environment_file" "librenms-environment_file"
"mastodon-extra_env_file" "mastodon-extra_env_file"
"mastodon-smtp-password" "mastodon-smtp-password"
"netbox-environment_file"
"nextcloud-adminpass_file" "nextcloud-adminpass_file"
"nextcloud-s3_secret_file" "nextcloud-s3_secret_file"
"outline-oidc_client_secret_file" "outline-oidc_client_secret_file"
@ -31,11 +28,9 @@
"plausible-admin_user_password_file" "plausible-admin_user_password_file"
"plausible-secret_key_base_file" "plausible-secret_key_base_file"
"plausible-smtp_password_file" "plausible-smtp_password_file"
"pretalx-environment_file"
"pretix-environment_file"
"satosa-env_file" "satosa-env_file"
"signal-irc-bridge-config" "signal-irc-bridge-config"
"telegraf-environment_file" "telegraf-environment_file"
"vaultwarden-environment_file" "vaultwarden-environment_file"
"zammad-secret_key_base_file" "zammad-secret_key_base_file"
] ]

6
machines/nixos/geo01/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "geo01" ] [
[ "geo01" ]
[
# List of secrets for geo01 # List of secrets for geo01
] ]

6
machines/nixos/geo02/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "geo02" ] [
[ "geo02" ]
[
# List of secrets for geo02 # List of secrets for geo02
] ]

6
machines/nixos/hypervisor01/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifer: EUPL-1.2 # SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "hypervisor01" ] [
[ "hypervisor01" ]
[
] ]

6
machines/nixos/hypervisor02/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifer: EUPL-1.2 # SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "hypervisor02" ] [
[ "hypervisor02" ]
[
] ]

6
machines/nixos/hypervisor03/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifer: EUPL-1.2 # SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "hypervisor03" ] [
[ "hypervisor03" ]
[
] ]

1
machines/nixos/rescue01/_configuration.nix
View file

@ -12,7 +12,6 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"netbird-relay"
"uptime-kuma" "uptime-kuma"
]; ];

34
machines/nixos/rescue01/netbird-relay.nix
View file

@ -1,34 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
nixpkgs,
...
}:
let
domain = "nb-relay01.dgnum.eu";
in
{
services = {
netbird.server.relay = {
enable = true;
package = nixpkgs.nixos.unstable.netbird;
inherit domain;
enableNginx = true;
environmentFile = config.age.secrets."netbird-relay_environment_file".path;
metricsPort = 9094;
};
nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
};
};
}

BIN
machines/nixos/rescue01/secrets/netbird-relay_environment_file
View file

Binary file not shown.

7
machines/nixos/rescue01/secrets/secrets.nix
View file

@ -2,10 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "rescue01" ] [
[ "rescue01" ]
[
# List of secrets for rescue01 # List of secrets for rescue01
"netbird-relay_environment_file"
"stateless-uptime-kuma-password" "stateless-uptime-kuma-password"
] ]

3
machines/nixos/storage01/_configuration.nix
View file

@ -9,7 +9,6 @@ lib.extra.mkConfig {
# List of modules to enable # List of modules to enable
"dgn-backups" "dgn-backups"
"dgn-web" "dgn-web"
"dgn-forgejo-runners"
]; ];
enabledServices = [ enabledServices = [
@ -23,8 +22,6 @@ lib.extra.mkConfig {
"peertube" "peertube"
"prometheus" "prometheus"
"redirections" "redirections"
"victorialogs"
"victoriametrics"
]; ];
extraConfig = { extraConfig = {

39
machines/nixos/storage01/forgejo-runners.nix
View file

@ -2,7 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
_: { config, pkgs, ... }:
let let
url = "https://git.dgnum.eu"; url = "https://git.dgnum.eu";
@ -30,10 +30,22 @@ let
}; };
in in
{ {
dgn-forgejo-runners = { services.forgejo-nix-runners = {
enable = true;
inherit url;
storePath = "/data/slow";
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [
pkgs.npins
pkgs.tea
];
containerOptions = [ "--cpus=4" ];
nbRunners = 6; nbRunners = 6;
nbCpus = 4;
dataDirectory = "/data/slow";
}; };
services.gitea-actions-runner.instances = builtins.mapAttrs (_: mkRunner) { services.gitea-actions-runner.instances = builtins.mapAttrs (_: mkRunner) {
@ -51,4 +63,23 @@ in
labels = [ "debian-latest:docker://node:20-bookworm" ]; labels = [ "debian-latest:docker://node:20-bookworm" ];
}; };
}; };
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
containers.storage.settings = {
storage = {
driver = "overlay";
graphroot = "/data/slow/containers/storage";
runroot = "/run/containers/storage";
};
};
};
} }

3
machines/nixos/storage01/forgejo.nix
View file

@ -79,7 +79,8 @@ in
"cron.git_gc_repos".ENABLED = true; "cron.git_gc_repos".ENABLED = true;
"cron.update_checker".ENABLED = false; "cron.update_checker".ENABLED = false;
}; };
secrets.mailer.PASSWD = config.age.secrets."forgejo-mailer_password_file".path;
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
}; };
}; };

75
machines/nixos/storage01/garage.nix
View file

@ -4,24 +4,34 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu"; host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu"; webHost = "cdn.dgnum.eu";
data_dir = "/data/slow/garage/data";
metadata_dir = "/data/fast/garage/meta";
domains = [ domains = [
"bandarretdurgence.ens.fr" "bandarretdurgence.ens.fr"
"boussole-sante.normalesup.eu" "boussole-sante.normalesup.eu"
"lanuit.ens.fr" "lanuit.ens.fr"
"simi.normalesup.eu" "simi.normalesup.eu"
"pub.dgnum.eu" "pub.dgnum.eu"
"actes-administratifs.dgnum.eu"
]; ];
buckets = [ buckets = [
"monorepo-terraform-state" "monorepo-terraform-state"
"banda-website" "banda-website"
"actes-administratifs-website"
"castopod-dgnum" "castopod-dgnum"
"hackens-website" "hackens-website"
"nuit-website" "nuit-website"
@ -40,27 +50,68 @@ let
}; };
in in
{ {
dgn-s3 = { dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = {
enable = true; enable = true;
inherit ports; package = pkgs.garage_1_0_1;
data_dir = "/data/slow/garage/data"; settings = {
metadata_dir = "/data/fast/garage/meta"; inherit data_dir metadata_dir;
db_engine = "lmdb";
consistency_mode = "consistent";
replication_factor = 1;
compression_level = 7;
rpc_bind_addr = "[::]:${toString ports.rpc}";
rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
s3_api = {
s3_region = "garage";
api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
root_domain = ".${host}";
}; };
services.garage.settings = { s3_web = {
s3_api.root_domain = ".${host}"; bind_addr = "127.0.0.1:${toString ports.s3_web}";
s3_web.root_domain = ".${webHost}"; root_domain = ".${webHost}";
index = "index.html";
}; };
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
};
environmentFile = config.age.secrets."garage-environment_file".path;
};
systemd.services.garage.serviceConfig = {
User = "garage";
ReadWriteDirectories = [
data_dir
metadata_dir
];
TimeoutSec = 600;
};
users.users.garage = {
isSystemUser = true;
group = "garage";
};
users.groups.garage = { };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"s3-admin.dgnum.eu" = { "s3-admin.dgnum.eu" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${builtins.toString ports.admin_api}; proxy_pass http://127.0.0.1:${toString ports.admin_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';
@ -73,7 +124,7 @@ in
serverAliases = mkHosted host buckets; serverAliases = mkHosted host buckets;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${builtins.toString ports.s3_api}; proxy_pass http://127.0.0.1:${toString ports.s3_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
# Disable buffering to a temporary file. # Disable buffering to a temporary file.
@ -89,7 +140,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets); serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${builtins.toString ports.s3_web}; proxy_pass http://127.0.0.1:${toString ports.s3_web};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';

5
machines/nixos/storage01/netbird.nix
View file

@ -69,10 +69,7 @@ in
}; };
Relay = { Relay = {
Addresses = builtins.map (host: "rels://${host}:443") [ Addresses = [ "rels://${domain}:443" ];
domain
"nb-relay01.dgnum.eu"
];
CredentialsTTL = "24h"; CredentialsTTL = "24h";
Secret._secret = s "netbird-relay_secret_file"; Secret._secret = s "netbird-relay_secret_file";
}; };

4
machines/nixos/storage01/prometheus.nix
View file

@ -17,9 +17,9 @@ let
lib.mapAttrsToList ( lib.mapAttrsToList (
node: node:
{ config, ... }: { config, ... }:
lib.optional config.dgn-monitoring.exporters.enable { lib.optional config.dgn-node-monitoring.enable {
targets = map (p: "${node}.dgnum:${builtins.toString p}") ( targets = map (p: "${node}.dgnum:${builtins.toString p}") (
builtins.attrValues config.dgn-monitoring.exporters.ports builtins.attrValues config.dgn-node-monitoring.ports
); );
labels = { labels = {
host = node; host = node;

BIN
machines/nixos/storage01/secrets/garage-environment_file Normal file
View file

Binary file not shown.

7
machines/nixos/storage01/secrets/secrets.nix
View file

@ -2,13 +2,12 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "storage01" ] [
[ "storage01" ]
[
# List of secrets for storage01 # List of secrets for storage01
"bupstash-put_key" "bupstash-put_key"
"forgejo-mailer_password_file" "forgejo-mailer_password_file"
"forgejo_runners-token_file" "forgejo_runners-token_file"
"garage-environment_file"
"influxdb2-grafana_token_file" "influxdb2-grafana_token_file"
"influxdb2-initial_password_file" "influxdb2-initial_password_file"
"influxdb2-initial_token_file" "influxdb2-initial_token_file"
@ -25,4 +24,4 @@
"prometheus-uptime-kuma-apikey" "prometheus-uptime-kuma-apikey"
"prometheus-web_config_file" "prometheus-web_config_file"
"tvix-store-infra-signing-key" "tvix-store-infra-signing-key"
] ]

2
machines/nixos/storage01/tvix-cache/cache-settings.nix
View file

@ -13,6 +13,6 @@ in
{ caches }: { caches }:
{ {
substituters = builtins.map (cache: cache-info.${cache}.url) caches; trusted-substituters = builtins.map (cache: cache-info.${cache}.url) caches;
trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches; trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches;
} }

20
machines/nixos/storage01/victoria-metrics.nix Normal file
View file

@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
host = "victoria-metrics.dgnum.eu";
port = 9099;
in
{
services.victoriametrics = {
enable = true;
listenAddress = "127.0.0.1:${builtins.toString port}";
};
dgn-web.simpleProxies.victoria-metrics = {
inherit host port;
};
}

22
machines/nixos/storage01/victorialogs.nix
View file

@ -1,22 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ meta, name, ... }:
let
port = 9428;
in
{
services.victorialogs = {
enable = true;
flags = {
retentionPeriod = "4w";
httpListenAddr = "${meta.network.${name}.netbirdIp}:${builtins.toString port}";
};
};
networking.firewall.interfaces.wt0.allowedTCPPorts = [ port ];
}

23
machines/nixos/storage01/victoriametrics.nix
View file

@ -1,23 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ meta, name, ... }:
let
port = 8428;
in
{
services.victoriametrics = {
enable = true;
flags = {
# INFO: We keep the data for 2 years (24 months)
retentionPeriod = "24";
httpListenAddr = "${meta.network.${name}.netbirdIp}:${builtins.toString port}";
};
};
networking.firewall.interfaces.wt0.allowedTCPPorts = [ port ];
}

33
machines/nixos/testing02/_configuration.nix Normal file
View file

@ -0,0 +1,33 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-web"
];
enabledServices = [
# List of services to enable
"cas-eleves"
];
extraConfig = {
# Disable monitoring
dgn-node-monitoring.enable = false;
dgn-records.enable = false;
dgn-notify.enable = false;
# Enable Postgres databases
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
};
};
root = ./.;
}

33
machines/nixos/testing02/_hardware-configuration.nix Normal file
View file

@ -0,0 +1,33 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, sources, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
(sources.disko + "/module.nix")
./disko.nix
];
boot = {
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"ehci_pci"
"virtio_pci"
"sr_mod"
"virtio_blk"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
}

98
machines/nixos/testing02/cas-eleves/01-pytest-cas.patch Normal file
View file

@ -0,0 +1,98 @@
diff --git a/setup.py b/setup.py
index 7c7b02d..3f677ff 100644
--- a/setup.py
+++ b/setup.py
@@ -67,6 +67,4 @@ if __name__ == '__main__':
url="https://github.com/nitmir/django-cas-server",
download_url="https://github.com/nitmir/django-cas-server/releases/latest",
zip_safe=False,
- setup_requires=['pytest-runner'],
- tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
)
index 2b389d3..dcdfafd 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -16,6 +16,7 @@ from cas_server.default_settings import settings
import django
from django.test import TestCase, Client
from django.test.utils import override_settings
+import pytest
from six.moves import reload_module
@@ -64,6 +65,7 @@ class FederateAuthLoginLogoutTestCase(
) in response.content.decode("utf-8"))
self.assertEqual(response.context['post_url'], '/federate')
+ @pytest.mark.skip(reason="Address already in use")
def test_login_post_provider(self, remember=False):
"""test a successful login wrokflow"""
tickets = []
@@ -159,6 +161,7 @@ class FederateAuthLoginLogoutTestCase(
self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service))
return tickets
+ @pytest.mark.skip(reason="Address already in use")
def test_login_twice(self):
"""Test that user id db is used for the second login (cf coverage)"""
self.test_login_post_provider()
@@ -253,6 +256,7 @@ class FederateAuthLoginLogoutTestCase(
self.assertEqual(response.status_code, 200)
self.assertIn(b"Invalid response from your identity provider CAS", response.content)
+ @pytest.mark.skip(reason="Address already in use")
def test_auth_federate_slo(self):
"""test that SLO receive from backend CAS log out the users"""
# get tickets and connected clients
@@ -301,6 +305,7 @@ class FederateAuthLoginLogoutTestCase(
client, response, username=provider.build_username(settings.CAS_TEST_USER)
)
+ @pytest.mark.skip(reason="Address already in use")
def test_federate_logout(self):
"""
test the logout function: the user should be log out
@@ -340,6 +345,7 @@ class FederateAuthLoginLogoutTestCase(
response = client.get("/login")
self.assert_login_failed(client, response)
+ @pytest.mark.skip(reason="Address already in use")
def test_remember_provider(self):
"""
If the user check remember, next login should not offer the chose of the backend CAS
@@ -355,6 +361,7 @@ class FederateAuthLoginLogoutTestCase(
provider.suffix
))
+ @pytest.mark.skip(reason="Address already in use")
def test_forget_provider(self):
"""Test the logout option to forget remembered provider"""
tickets = self.test_login_post_provider(remember=True)
@@ -365,6 +372,7 @@ class FederateAuthLoginLogoutTestCase(
client.get("/logout?forget_provider=1")
self.assertEqual(client.cookies["remember_provider"]["max-age"], 0)
+ @pytest.mark.skip(reason="Address already in use")
def test_renew(self):
"""
Test authentication renewal with federation mode
diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
index d690724..73ee761 100644
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@@ -17,6 +17,7 @@ from django.db import connection
import six
import warnings
import datetime
+import pytest
from cas_server import utils
@@ -61,6 +62,7 @@ class CheckPasswordCase(TestCase):
)
)
+ @pytest.mark.skip(reason="crypt is broken somehow")
def test_crypt(self):
"""test the crypt auth method"""
salts = ["$6$UVVAQvrMyXMF3FF3", "aa"]

155
machines/nixos/testing02/cas-eleves/default.nix Normal file
View file

@ -0,0 +1,155 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
sources,
...
}:
let
inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
src = sources.cas-eleves;
port = 9889;
python3 =
let
nix-pkgs = import sources.nix-pkgs {
inherit pkgs;
python3 = pkgs.python312;
};
in
pkgs.python312.override {
packageOverrides = _: _: {
inherit (nix-pkgs) django-browser-reload django-bulma-forms loadcredential;
django-cas-server = nix-pkgs.django-cas-server.overridePythonAttrs (_: {
patches = [ ./01-pytest-cas.patch ];
});
};
};
pythonEnv = python3.withPackages (ps: [
ps.django
ps.ldap3
ps.gunicorn
ps.psycopg
# Local packages
ps.django-browser-reload
ps.django-bulma-forms
ps.django-cas-server
ps.loadcredential
]);
staticDrv = pkgs.stdenv.mkDerivation {
name = "cas_eleves-static";
inherit src;
nativeBuildInputs = [ pythonEnv ];
configurePhase = ''
export CE_STATIC_ROOT=$out/static
export CE_DEBUG=true
export CREDENTIALS_DIRECTORY=$(pwd)/.credentials
'';
doBuild = false;
installPhase = ''
mkdir -p $out/static
python3 manage.py collectstatic
'';
};
in
{
systemd.services = {
django-cas-eleves = {
description = "ENS CAS server";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
DynamicUser = true;
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path;
};
StateDirectory = "django-cas-eleves";
User = "cas_server";
WorkingDirectory = src;
};
environment = {
CE_ALLOWED_HOSTS = builtins.toJSON [
host
];
CE_STATIC_ROOT = staticDrv;
};
path = [ pythonEnv ];
script = ''
python3 manage.py migrate
python3 manage.py loaddata patterns
gunicorn app.wsgi --pythonpath ${sources.cas-eleves} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4
'';
};
cas-eleves-cleanup = {
description = "Periodic cleanup of cas_server database";
startAt = "daily";
serviceConfig = {
Type = "oneshot";
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
SECRET_KEY = config.age.secrets."cas_eleves-secret_key_file".path;
};
StateDirectory = "django-cas-eleves";
User = "cas_server";
WorkingDirectory = src;
};
path = [ pythonEnv ];
script = ''
python3 manage.py clearsessions
python3 manage.py cas_clean_sessions
python3 manage.py cas_clean_tickets
'';
};
};
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
dgn-web.simpleProxies.cas-eleves = {
inherit host port;
vhostConfig.locations = {
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
services.postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
}

37
machines/nixos/testing02/disko.nix Normal file
View file

@ -0,0 +1,37 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_: {
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "1G";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}

28
machines/nixos/testing02/secrets/cas_eleves-secret_key_file Normal file
View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA Y8DShtEMQgOntLe2D7DmyiBBk79lyqgnr+v2XU1wEUY
0Ld753OZvmra3hu2ZhDTb+D6fmEDFHF3N1KXf576vFs
-> ssh-ed25519 QlRB9Q UHxOhsZ4SVBxktiJZvdZWNoLTbDYwxgCxXH9kUOAHwc
LHpldriHj6V7o3NBzRY5XCuKBVyt1TY8PwAV/Sw/II0
-> ssh-ed25519 r+nK/Q Of86Jw9wbRO5FLqXBX9UBbgKvepsSs/RfoXA+WF5dEE
RHUU7tJkLWGbwPbths8K1+RD3kAprtr+tcrutNIx4kw
-> ssh-rsa krWCLQ
leBDZeUh6g7VShLphqdbiSqbcWlWrWd2rsU5FJQRBp93ou81uTSx7YX0k+2T3j68
oFwzYEAlCO+HS1pf4Xm+RU+v1Cek6v0GiKbOa0Qoq/quRACoz9XmYjuZymTywA9v
1fsKI5lZf3Wrm+mo5kLjsN3r5sOzOwMJPDuyVToU85smnHEVLsyVHgk0NYOR3/FQ
RfwCbIV8QDAQhO7wxeESbJc7uXV/Y3yW7R1beUqw10JjaP22+3XlBBirjJecfXbq
3BjePWWXCbJiBfwusCYYFnNB+IH5Z+Iq5jjBPoC2Ds2qWF/u8Zkzm5kKFNe3FZAF
irjyxq8Ig4mup8GbHJPhWQ
-> ssh-ed25519 /vwQcQ I2XFpnON3doHt211OVV2jup8Gq45AnXxngl4buX11iU
tETEki2X8DqWSobwkc3DIX5jRgEjIwEAkfwOgAn6XQQ
-> ssh-ed25519 0R97PA 3SLLzYOFPJIMHPNv+nNRj0AVKVdjjzLwklNxTP22i3o
SecCIijSQX9/trUkIcVZhkHkL0I91OoaVB0o7W7eQKY
-> ssh-ed25519 JGx7Ng xgn+3vNx3+LFiCddKIm4Liw0dY1Tu9LbIv0IO7PsnTQ
sBLQ5b+VfFna2NxRMiIKxPBS7ta25pB87g/w0dw5kBY
-> ssh-ed25519 bUjjig Wy37MyZlHKZgAYoiZ51C1aKXk3ViEbsjywzEtirniWE
xxO2NBD6XSRjD4V4LlrgFlgg6AfhDTXJeALjuSAMQ/E
-> ssh-ed25519 4AXTDw olhRRCwy6pQKn3SoDoEOZX5O5UcG0OLU0tuWWRMXS1I
EzE41m9GZSDUKa5YeE0yAboCqqPyA36/Y5jyrOuh1uY
-> 0M'P-grease
gY0
--- AXjB6LAy1sz5hu44nz2pRCgvppwN+n2VDjUUtYwPGcY
|¿&§Ð™·Ê*ê;ÕÌ<C395>C8qXå«.Þ3³#F˜ql„¬¯¨Þk?|•Œí¤¨t u7eÚ§ã­o¯"è±qad嶈Ü<ÑR

8
machines/nixos/testing02/secrets/secrets.nix Normal file
View file

@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "testing02" ] [
# List of secrets for web02
"cas_eleves-secret_key_file"
]

4
machines/nixos/tower01/_configuration.nix
View file

@ -7,9 +7,7 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ ]; enabledModules = [ ];
enabledServices = [ enabledServices = [ ];
"garage"
];
extraConfig = { extraConfig = {
services.netbird.enable = true; services.netbird.enable = true;

18
machines/nixos/tower01/garage.nix
View file

@ -1,18 +0,0 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
# SPDX-License-Identifier: EUPL-1.2
{
dgn-s3 = {
enable = true;
ports = {
admin_api = 3903;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
data_dir = "/data/garage/data";
metadata_dir = "/data/garage/meta";
};
}

6
machines/nixos/tower01/secrets/secrets.nix
View file

@ -2,8 +2,6 @@
# #
# SPDX-License-Identifer: EUPL-1.2 # SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "tower01" ] [
[ "tower01" ]
[
] ]

1
machines/nixos/vault01/_configuration.nix
View file

@ -12,7 +12,6 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"k-radius" "k-radius"
"monitoring"
"networking" "networking"
"ups" "ups"
"ulogd" "ulogd"

13
machines/nixos/vault01/k-radius/default.nix
View file

@ -40,13 +40,16 @@
radius_required_groups = [ "radius_access@sso.dgnum.eu" ]; radius_required_groups = [ "radius_access@sso.dgnum.eu" ];
# A mapping between Kanidm groups and VLANS # A mapping between Kanidm groups and VLANS
radius_groups = map ( radius_groups = [
{ vlan, ... }:
{ {
inherit vlan; spn = "dgnum_members@sso.dgnum.eu";
spn = "vlan_${toString vlan}@sso.dgnum.eu"; vlan = 1;
} }
) config.networking.vlans-info; {
spn = "dgnum_clients@sso.dgnum.eu";
vlan = 2;
}
];
}; };
authTokenFile = config.age.secrets."radius-auth_token_file".path; authTokenFile = config.age.secrets."radius-auth_token_file".path;

9
machines/nixos/vault01/monitoring/default.nix
View file

@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
imports = [
./victorialogs.nix
];
}

37
machines/nixos/vault01/monitoring/victorialogs.nix
View file

@ -1,37 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ meta, ... }:
let
port = 9428;
in
{
services = {
nginx = {
enable = true;
streamConfig = ''
server {
listen 10.0.253.1:${toString port};
listen ${meta.network.vault01.netbirdIp}:${toString port};
proxy_pass 127.0.0.1:${toString port};
}
'';
};
victorialogs = {
enable = true;
flags = {
retentionPeriod = "52w";
httpListenAddr = "127.0.0.1:${builtins.toString port}";
};
};
};
networking.firewall.interfaces = {
wt0.allowedTCPPorts = [ port ];
vlan-admin-ap.allowedTCPPorts = [ port ];
};
}

143
machines/nixos/vault01/networking.nix
View file

@ -12,8 +12,7 @@
}: }:
let let
inherit (lib) mapAttrs' mkOption nameValuePair; inherit (lib) mapAttrs' nameValuePair;
inherit (lib.types) listOf attrs;
uplink = { uplink = {
ip = "10.120.33.250"; ip = "10.120.33.250";
@ -59,10 +58,7 @@ let
LinkLocalAddressing = "no"; LinkLocalAddressing = "no";
DHCPServer = "yes"; DHCPServer = "yes";
}; };
linkConfig = { linkConfig.Promiscuous = true;
Promiscuous = true;
MTUBytes = 1500;
};
addresses = [ addresses = [
{ {
Address = "${servIP}/27"; Address = "${servIP}/27";
@ -75,6 +71,14 @@ let
Table = "user"; Table = "user";
} }
]; ];
routingPolicyRules = [
{
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
}
];
}; };
}; };
}; };
@ -86,7 +90,6 @@ let
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}"; interfaceName = "vlan-user-${toString vlan}";
prefixLen = 27;
}) 850; }) 850;
vlans = { vlans = {
@ -94,16 +97,13 @@ let
Id = 223; Id = 223;
address = with uplink; [ "${ip}/${builtins.toString prefix}" ]; address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
extraNetwork = { extraNetwork.routes = [
routes = [
{ {
# Get the public ip from the metadata # Get the public ip from the metadata
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4; PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
Gateway = uplink.router; Gateway = uplink.router;
} }
]; ];
linkConfig.MTUBytes = 1500;
};
}; };
vlan-admin = { vlan-admin = {
@ -113,17 +113,8 @@ let
vlan-admin-ap = { vlan-admin-ap = {
Id = 3001; Id = 3001;
address = [ address = [ "fd26:baf9:d250:8001::1/64" ];
"fd26:baf9:d250:8001::1/64" extraNetwork.ipv6Prefixes = [
# FIXME: ipv4 is temporary for APs in production
"10.0.253.1/24"
];
extraNetwork = {
networkConfig = {
IPv6SendRA = true;
DHCPServer = "yes";
};
ipv6Prefixes = [
{ {
AddressAutoconfiguration = false; AddressAutoconfiguration = false;
OnLink = false; OnLink = false;
@ -131,38 +122,24 @@ let
} }
]; ];
}; };
};
vlan-apro = { vlan-apro = {
Id = 2000; Id = 2000;
address = [ "10.0.255.1/24" ]; address = [ "10.0.255.1/24" ];
extraNetwork = { extraNetwork.networkConfig.DHCPServer = "yes";
networkConfig.DHCPServer = "yes";
linkConfig.MTUBytes = 1500;
};
}; };
vlan-hypervisor = { vlan-hypervisor = {
Id = 2001; Id = 2001;
address = [ "10.0.254.1/24" ]; address = [ "10.0.254.1/24" ];
extraNetwork = { extraNetwork.networkConfig.DHCPServer = "yes";
networkConfig.DHCPServer = "yes";
linkConfig.MTUBytes = 1500;
};
}; };
} // builtins.listToAttrs (map mkUserVlan userVlans); } // builtins.listToAttrs (map mkUserVlan userVlans);
in in
{ {
options.networking.vlans-info = mkOption {
type = listOf attrs;
description = ''
Information about vlans for log analysis.
'';
readOnly = true;
};
config = {
systemd = { systemd = {
network = { network = {
config.routeTables."user" = 1000; config.routeTables."user" = 1000;
@ -182,7 +159,7 @@ in
]; ];
routingPolicyRules = [ routingPolicyRules = [
{ {
To = "10.0.0.0/16"; IncomingInterface = "lo";
Table = "user"; Table = "user";
} }
]; ];
@ -199,7 +176,6 @@ in
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
}; };
linkConfig.MTUBytes = 1504;
}; };
"50-gretap1" = { "50-gretap1" = {
name = "gretap1"; name = "gretap1";
@ -212,7 +188,6 @@ in
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
}; };
linkConfig.MTUBytes = 1504;
}; };
"50-br0" = { "50-br0" = {
name = "br0"; name = "br0";
@ -225,7 +200,6 @@ in
IPv6AcceptRA = false; IPv6AcceptRA = false;
IPv6SendRA = false; IPv6SendRA = false;
}; };
linkConfig.MTUBytes = 1504;
}; };
"50-wg0" = { "50-wg0" = {
name = "wg0"; name = "wg0";
@ -303,15 +277,15 @@ in
]; ];
script = '' script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
echo network is up ${
${lib.concatMapStringsSep "\n " ( lib.concatMapStringsSep "\n " ({ interfaceName, ... }: "networkctl up ${interfaceName}") userVlans
{ interfaceName, ... }: "networkctl up ${interfaceName}" }
) userVlans}
else else
echo network is down ${
${lib.concatMapStringsSep "\n " ( lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}" { interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans} ) userVlans
}
fi fi
''; '';
}; };
@ -324,82 +298,28 @@ in
}; };
networking = { networking = {
vlans-info = [
{
vlan = 2001;
netIP = "10.0.254.0";
prefixLen = 24;
}
{
vlan = 3001;
netIP = "10.0.253.0";
prefixLen = 24;
}
] ++ userVlans;
nftables = { nftables = {
enable = true; enable = true;
tables = { tables.nat = {
nat = {
family = "ip"; family = "ip";
content = '' content = ''
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157 ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
} }
''; '';
}; };
filter = {
family = "inet";
content = ''
chain forward {
type filter hook forward priority filter; policy accept;
ct state vmap {
invalid: drop,
established: accept,
related: accept,
new: jump forward_decide,
untracked: jump forward_decide,
};
}
chain forward_decide {
# Block access to vpn
ip daddr {
10.10.17.0/30,
100.80.0.0/16,
} jump forward_reject;
# And administrative vlans
ip6 daddr {
fd26:baf9:d250::/48,
} jump forward_reject;
# These are being deployed, and so are not trusted
ip saddr 10.0.255.0/24 jump forward_reject;
# We only forward for ISP clients and our stuff
ip saddr != 10.0.0.0/16 jump forward_reject;
# Can talk to us
ip daddr 10.0.0.0/27 accept;
# Not others nor CRI
ip daddr 10.0.0.0/8 jump forward_reject;
}
chain forward_reject {
reject with icmpx type admin-prohibited;
}
'';
};
};
}; };
firewall = { firewall = {
allowedUDPPorts = [ allowedUDPPorts = [
67 67
1194 1194
]; ];
# FIXME: I dont't remember why it's here, and it doesn't seems right checkReversePath = false;
# comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5
# checkReversePath = false;
}; };
}; };
@ -407,5 +327,4 @@ in
users.users."systemd-network".extraGroups = [ "keys" ]; users.users."systemd-network".extraGroups = [ "keys" ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true; boot.kernel.sysctl."net.ipv4.ip_forward" = true;
};
} }

6
machines/nixos/vault01/secrets/secrets.nix
View file

@ -2,9 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "vault01" ] [
[ "vault01" ]
[
# List of secrets for vault01 # List of secrets for vault01
"radius-auth_token_file" "radius-auth_token_file"
"radius-ca_pem_file" "radius-ca_pem_file"
@ -15,4 +13,4 @@
"eatonmon-password_file" "eatonmon-password_file"
"radius-ap-radius-secret_file" "radius-ap-radius-secret_file"
"wg-key" "wg-key"
] ]

9
machines/nixos/vault01/ulogd/default.nix → machines/nixos/vault01/ulogd.nix
View file

@ -57,13 +57,4 @@
fi fi
''; '';
}; };
environment.defaultPackages = [
(pkgs.callPackage ./fill-vlan_prefixes.nix {
inherit (config.networking) vlans-info;
postgresql = config.services.postgresql.package;
})
(pkgs.callPackage ./nat-request-daddr.nix {
postgresql = config.services.postgresql.package;
})
];
} }

39
machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix
View file

@ -1,39 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
lib,
writeShellApplication,
writeText,
vlans-info,
postgresql,
}:
let
inherit (lib) concatMapStringsSep;
sql-script = writeText "vlan-filling.sql" ''
DROP TABLE IF EXISTS vlan_prefixes;
CREATE TABLE vlan_prefixes (
vlan_id smallint PRIMARY KEY UNIQUE NOT NULL,
prefix inet NOT NULL
);
INSERT INTO vlan_prefixes VALUES
${concatMapStringsSep ",\n " (
{
vlan,
netIP,
prefixLen,
...
}:
"(${toString vlan}, inet '${netIP}/${toString prefixLen}')"
) vlans-info}
;
'';
in
writeShellApplication {
name = "fill-vlan_prefixes";
runtimeInputs = [ postgresql ];
text = ''
psql -d ulogd -U ulogd -f ${sql-script}
'';
}

35
machines/nixos/vault01/ulogd/nat-request-daddr.nix
View file

@ -1,35 +0,0 @@
# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
writeShellApplication,
postgresql,
}:
writeShellApplication {
name = "nat-request-daddr";
runtimeInputs = [ postgresql ];
text = ''
TARGET_TIMESTAMP=$2
TARGET_PREFIX=$1
psql -d ulogd -U ulogd -c "
select
vlan_id,
reply_ip_daddr_str as used_ip,
reply_l4_dport as used_port,
orig_ip_daddr_str as daddr,
orig_l4_dport as dport,
flow_start_sec, flow_end_sec
from ulog2_ct
join vlan_prefixes on ulog2_ct.orig_ip_saddr_str <<= vlan_prefixes.prefix
where
-- if we don't have conn start, we considered it started before the target time
( flow_start_sec IS NULL or flow_start_sec <= $TARGET_TIMESTAMP )
and
-- similar for conn end
( flow_end_sec IS NULL or flow_end_sec >= $TARGET_TIMESTAMP )
and
orig_ip_daddr_str <<= inet '$TARGET_PREFIX'
;"
'';
}

3
machines/nixos/web01/redirections.nix
View file

@ -35,7 +35,8 @@ in
"www.interq.ens.fr" = "interq.ens.fr"; "www.interq.ens.fr" = "interq.ens.fr";
}; };
temporary = { temporary =
{
}; };
retired = mkSubs { retired = mkSubs {

6
machines/nixos/web01/secrets/secrets.nix
View file

@ -2,9 +2,7 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "web01" ] [
[ "web01" ]
[
# List of secrets for web01 # List of secrets for web01
"acme-certs_secret" "acme-certs_secret"
"bupstash-put_key" "bupstash-put_key"
@ -14,4 +12,4 @@
"ntfy_sh-environment_file" "ntfy_sh-environment_file"
"castopod-environment_file" "castopod-environment_file"
"kahulm-session_secret" "kahulm-session_secret"
] ]

15
machines/nixos/web01/wordpress/default.nix
View file

@ -61,23 +61,10 @@ in
languages = [ pkgs.wordpressPackages.languages.fr_FR ]; languages = [ pkgs.wordpressPackages.languages.fr_FR ];
}; };
"npr.wp.dgnum.eu" = {
themes = {
inherit (wp4nix.themes) twentytwentyfive;
};
plugins = {
inherit (wp4nix.plugins) user-role-editor;
};
languages = [ pkgs.wordpressPackages.languages.fr_FR ];
};
}; };
}; };
dgn-backups.jobs.containers.settings.paths = [ "/var/lib/nixos-containers" ]; dgn-backups.jobs.containers.settings.paths = [ "/var/lib/nixos-containers" ];
services.nginx.virtualHosts."bds.ens.fr".locations."/gestion2".return = services.nginx.virtualHosts."bds.ens.fr".locations."/gestion2".return = "301 https://gestion.bds.ens.fr";
"301 https://gestion.bds.ens.fr";
} }

5
machines/nixos/web02/_configuration.nix
View file

@ -13,8 +13,7 @@ lib.extra.mkConfig {
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"cas-eleves" "cas-eleves"
# "kadenios" "kadenios"
"django-apps"
]; ];
extraConfig = { extraConfig = {
@ -22,7 +21,7 @@ lib.extra.mkConfig {
dgn-access-control.users.root = [ "thubrecht" ]; dgn-access-control.users.root = [ "thubrecht" ];
# Disable monitoring # Disable monitoring
dgn-monitoring.enable = false; dgn-node-monitoring.enable = false;
# Enable Postgres databases # Enable Postgres databases
services.postgresql = { services.postgresql = {

22
machines/nixos/web02/django-apps/default.nix
View file

@ -1,22 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
imports = [
./kadenios.nix
];
services.django-apps = {
enable = true;
webhook = {
domain = "web02.dj-hooks.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
};
};
}

66
machines/nixos/web02/django-apps/kadenios.nix
View file

@ -1,66 +0,0 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
{
services.django-apps.sites.kadenios = {
source = "https://git.dgnum.eu/DGNum/kadenios";
branch = "production";
domain = "vote.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = config.age.secrets."webhook-kadenios_token".path;
overlays.nix-pkgs = [
# Required packages
"authens"
"django-background-tasks"
"django-bulma-forms"
"django-translated-fields"
"loadcredential"
# Dependencies
"python-cas"
];
dependencies = ps: [
ps.authens
ps.django
ps.django-background-tasks
ps.django-bulma-forms
ps.django-translated-fields
ps.gunicorn
ps.loadcredential
ps.markdown
ps.networkx
ps.numpy
ps.psycopg
];
environment = {
KADENIOS_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
KADENIOS_EMAIL_USE_SSL = true;
KADENIOS_FROM_EMAIL = "Kadenios <vote@infra.dgnum.eu>";
KADENIOS_SERVER_EMAIL = "kadenios@infra.dgnum.eu";
};
credentials = {
SECRET_KEY = config.age.secrets."dj_kadenios-secret_key_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."dj_kadenios-email_password_file".path;
};
extraServices.tasks = {
script = "python3 manage.py process_tasks";
serviceConfig = {
WorkingDirectory = "/var/lib/django-apps/kadenios/source";
};
};
};
}

190
machines/nixos/web02/kadenios/default.nix Normal file
View file

@ -0,0 +1,190 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
sources,
...
}:
let
inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888;
python3 =
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
pkgs.python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
authens
django-background-tasks
django-browser-reload
django-bulma-forms
django-translated-fields
loadcredential
;
};
};
pythonEnv =
{
debug ? false,
}:
python3.withPackages (
ps:
[
ps.django
ps.gunicorn
ps.markdown
ps.numpy
ps.networkx
ps.psycopg
ps.authens
ps.django-background-tasks
ps.django-bulma-forms
ps.django-translated-fields
ps.loadcredential
]
++ (optionals debug [
ps.django-browser-reload
ps.django-debug-toolbar
])
);
manage = pkgs.writeShellApplication {
name = "kadenios-manage";
runtimeInputs = path ++ [
config.systemd.package
pkgs.util-linux
];
text = ''
MainPID=$(systemctl show -p MainPID --value django-kadenios.service)
nsenter -e -a -t "$MainPID" -G follow -S follow python ${sources.kadenios}/manage.py "$@"
'';
};
staticDrv = pkgs.stdenv.mkDerivation {
name = "kadenios-static";
src = sources.kadenios;
nativeBuildInputs = [ (pythonEnv { debug = true; }) ];
configurePhase = ''
export KADENIOS_STATIC_ROOT=$out/static
export KADENIOS_DEBUG=true
export CREDENTIALS_DIRECTORY=$(pwd)/.credentials
'';
doBuild = false;
installPhase = ''
mkdir -p $out/static
python3 manage.py collectstatic
'';
};
environment = builtins.mapAttrs (_: builtins.toJSON) {
KADENIOS_ALLOWED_HOSTS = [ "vote.dgnum.eu" ];
KADENIOS_STATIC_ROOT = staticDrv;
KADENIOS_DATABASES = {
default = {
ENGINE = "django.db.backends.postgresql";
NAME = "kadenios";
};
};
KADENIOS_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
KADENIOS_EMAIL_USE_SSL = true;
KADENIOS_FROM_EMAIL = "Kadenios <vote@infra.dgnum.eu>";
KADENIOS_SERVER_EMAIL = "kadenios@infra.dgnum.eu";
};
path = [ (pythonEnv { }) ];
in
{
environment.systemPackages = [ manage ];
systemd.services = {
django-kadenios = {
description = "ENS simple voting server";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
DynamicUser = true;
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
SECRET_KEY = config.age.secrets."kadenios-secret_key_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."kadenios-email_password_file".path;
};
StateDirectory = "django-kadenios";
User = "kadenios";
};
inherit environment path;
script = ''
python3 ${sources.kadenios}/manage.py migrate
gunicorn app.wsgi --pythonpath ${sources.kadenios} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4
'';
};
django-kadenios-tasks = {
description = "Background tasks worker for Kadenios";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
"django-kadenios.service"
];
serviceConfig = {
DynamicUser = true;
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
SECRET_KEY = config.age.secrets."kadenios-secret_key_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."kadenios-email_password_file".path;
};
StateDirectory = "django-kadenios";
User = "kadenios";
WorkingDirectory = sources.kadenios;
};
inherit environment path;
script = ''
python3 manage.py process_tasks
'';
};
};
dgn-web.simpleProxies.kadenios = {
inherit host port;
vhostConfig.locations."/static/".root = staticDrv;
};
services.postgresql = {
ensureDatabases = [ "kadenios" ];
ensureUsers = [
{
name = "kadenios";
ensureDBOwnership = true;
}
];
};
}

BIN
machines/nixos/web02/secrets/bupstash-put_key
View file

Binary file not shown.

0
machines/nixos/web02/secrets/dj_kadenios-email_password_file → machines/nixos/web02/secrets/kadenios-email_password_file
View file

0
machines/nixos/web02/secrets/dj_kadenios-secret_key_file → machines/nixos/web02/secrets/kadenios-secret_key_file
View file

12
machines/nixos/web02/secrets/secrets.nix
View file

@ -2,13 +2,9 @@
# #
# SPDX-License-Identifier: EUPL-1.2 # SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys.nix).mkSecrets (import ../../../../keys).mkSecrets [ "web02" ] [
[ "web02" ]
[
# List of secrets for web02 # List of secrets for web02
"bupstash-put_key"
"cas_eleves-secret_key_file" "cas_eleves-secret_key_file"
"dj_kadenios-secret_key_file" "kadenios-secret_key_file"
"dj_kadenios-email_password_file" "kadenios-email_password_file"
"webhook-kadenios_token" ]
]

29
machines/nixos/web02/secrets/webhook-kadenios_token
View file

@ -1,29 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA miVq8rZazx0Y0NYZklZh8ITlY7fOTwbPsAPcHwvJ3jI
Vs0xx9ulk2++7+DfD+HqhISSvYMtuSJIs9zyGlnW8Wk
-> ssh-ed25519 QlRB9Q z5TQpHovWNJ+Dq4GEcPfByMpTcTojIamJbU3kNKlmHQ
U+ZFJ/0TVcfo85xAWYqcnzpMfU0KcY8QJ8jqWlyt1U0
-> ssh-ed25519 r+nK/Q l5oBCnALC2HSoszpawrJZZUEFHjjGwei4Fd1Y+f7OjI
PLgEu00ItWIbT3ZSNioZ3oXwBBVQTD/wf8I8akEDNWs
-> ssh-rsa krWCLQ
2rt9GmpSxUJSArSOlXKQscrApgLLIWuTo/IXensBP1uCnrpLl4IdcpEJNTs7wtZq
h4OLCaLDoZvB3ZT3k+CXXXeBqLqz1DdBGo08RgfcUADTsm2Z9LsEyLo0GtHGEFjw
m1r/VF8githDxaEK52+znr1FG8CE7+DBQAU9ZydhKKjjFS7ckDHw0qFXyGqpyWk4
KnL7FGPX2z07V3nwauElDbaD1LLt0xHhqqEjmiRskhE2UU6q35IrLyKFHC1VHsFy
ItsONTu8lDiqXSi7Z5b5Iv+iAWWTtt/glTv3WFa8u7CIahuZIfemr8NzjD2Z+Vxh
yOEqBKyVgz8sFh1U7CgxCg
-> ssh-ed25519 /vwQcQ dcnBNyypzMkxHwh76v7bKhGckPjIOL2vP2aDWhB8WxQ
tTxcMXcLrFhD7u2xTOhsjWErSiCOfsVIDZgJldVePMw
-> ssh-ed25519 0R97PA stdF6UFkWDCwNUAv+aAetpku7O9XRvtaxafCjok9yhI
gXVXcwlY4Xue9WGk+WlByXvSgMju+VWKTBTXIngWYvE
-> ssh-ed25519 JGx7Ng e+Ux4HK63pAM4scQCi4wHTUmo28z105Ok59dlki0OS8
ulkU6zhXNpa3OswEC005BZ/YIExPysg25a4/O60fcWQ
-> ssh-ed25519 bUjjig SEnDWloeuVgCGLUJNvsBL1HPYJGBSBhqdDngkQk+KiE
MYL9SudJNuFyS4Inaod2Xxldi3d/kDwlIT9rVWs8vFc
-> ssh-ed25519 IY5FSQ TO9BPLBwdlqyKXOBiohCzfZWrTDwqhLjZYeq9rZgH2c
7Hqrqe+A3wg11H3wg9Cd+6F7mDwsLpzoh70sba32gCw
-> 1DV;-grease
9Ul6qKgH063H/HI1op+Gyk2+JRUGHwRG/SlOPTAnvBtq7xEy7yrR4lblBK8bcJNY
lwmI4xOokAnIveVaPS8SAig
--- GpJyGpk3QxJljiR6FZw8hdX0dXvEAIPZEZpL6oorLcM
}­o÷ÕŸ¦A¹qç ™Ò™ö>áp™€M Õ¬Ía“ zþƒÍT VVƒvI«f®<17>!>µ\Ö-þèÿ

1
machines/nixos/web03/_configuration.nix
View file

@ -14,7 +14,6 @@ lib.extra.mkConfig {
# List of services to enable # List of services to enable
"django-apps" "django-apps"
"redirections" "redirections"
"users-guests"
]; ];
extraConfig = { extraConfig = {

Some files were not shown because too many files have changed in this diff Show more