
20 commits

Author SHA1 Message Date
sinavir
383911d619
fix(web03/redirections): import module
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m31s
Build all the nodes / geo01 (push) Successful in 2m11s
Build all the nodes / bridge01 (push) Successful in 2m13s
Build all the nodes / geo02 (push) Successful in 2m11s
Build all the nodes / hypervisor01 (push) Successful in 2m19s
Build all the nodes / compute01 (push) Successful in 2m41s
Build all the nodes / netcore02 (push) Successful in 28s
Build all the nodes / hypervisor02 (push) Successful in 1m31s
Build all the nodes / hypervisor03 (push) Successful in 1m31s
Build all the nodes / rescue01 (push) Successful in 1m49s
Build all the nodes / storage01 (push) Successful in 1m51s
Build all the nodes / vault01 (push) Successful in 1m52s
Run pre-commit on all files / pre-commit (push) Successful in 39s
Build all the nodes / web01 (push) Successful in 2m9s
Build all the nodes / web02 (push) Successful in 1m38s
Build all the nodes / web03 (push) Successful in 1m42s
2024-12-22 15:16:48 +01:00
5fa7ccb8e7
fix(django-apps): Disable statedir backup until it is fixed
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m21s
Build all the nodes / geo02 (push) Successful in 2m7s
Build all the nodes / bridge01 (push) Successful in 2m9s
Build all the nodes / geo01 (push) Successful in 2m9s
Build all the nodes / hypervisor01 (push) Successful in 2m13s
Build all the nodes / netcore02 (push) Successful in 33s
Build all the nodes / compute01 (push) Successful in 2m46s
Build all the nodes / hypervisor02 (push) Successful in 1m28s
Build all the nodes / hypervisor03 (push) Successful in 1m55s
Build all the nodes / rescue01 (push) Successful in 2m9s
Build all the nodes / storage01 (push) Successful in 2m7s
Build all the nodes / vault01 (push) Successful in 1m55s
Build all the nodes / web02 (push) Successful in 1m59s
Run pre-commit on all files / pre-commit (push) Successful in 37s
Build all the nodes / web01 (push) Successful in 2m35s
Build all the nodes / web03 (push) Successful in 1m36s
2024-12-21 17:18:32 +01:00
e19100f856
feat(django-apps): Add automatic backup
All checks were successful
Build all the nodes / geo01 (pull_request) Successful in 1m41s
Build all the nodes / compute01 (pull_request) Successful in 2m19s
Build all the nodes / geo02 (pull_request) Successful in 1m29s
Build all the nodes / netcore02 (pull_request) Successful in 31s
Build all the nodes / hypervisor01 (pull_request) Successful in 1m28s
Build all the nodes / hypervisor02 (pull_request) Successful in 1m35s
Build all the nodes / hypervisor03 (pull_request) Successful in 1m31s
Build all the nodes / rescue01 (pull_request) Successful in 1m47s
Build all the nodes / storage01 (pull_request) Successful in 1m50s
Build all the nodes / vault01 (pull_request) Successful in 1m47s
Run pre-commit on all files / pre-commit (pull_request) Successful in 35s
Build all the nodes / web01 (pull_request) Successful in 2m16s
Build all the nodes / web02 (pull_request) Successful in 1m36s
Build all the nodes / web03 (pull_request) Successful in 1m53s
Build all the nodes / ap01 (push) Successful in 1m17s
Build all the nodes / geo02 (push) Successful in 1m53s
Build all the nodes / geo01 (push) Successful in 1m56s
Build all the nodes / bridge01 (push) Successful in 2m1s
Build all the nodes / compute01 (push) Successful in 2m30s
Build all the nodes / netcore02 (push) Successful in 30s
Build all the nodes / hypervisor01 (push) Successful in 1m35s
Build all the nodes / hypervisor02 (push) Successful in 1m43s
Build all the nodes / hypervisor03 (push) Successful in 1m42s
Build all the nodes / rescue01 (push) Successful in 2m5s
Build all the nodes / storage01 (push) Successful in 2m8s
Build all the nodes / vault01 (push) Successful in 1m51s
Run pre-commit on all files / pre-commit (push) Successful in 37s
Build all the nodes / web02 (push) Successful in 1m42s
Build all the nodes / web01 (push) Successful in 2m18s
Build all the nodes / web03 (push) Successful in 1m33s
2024-12-21 08:24:11 +01:00
sinavir
3085d9e3a8
feat(dj-apps/ernestophone): Switch to production
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m14s
Build all the nodes / bridge01 (push) Successful in 1m55s
Build all the nodes / geo01 (push) Successful in 1m57s
Build all the nodes / geo02 (push) Successful in 1m59s
Build all the nodes / compute01 (push) Successful in 2m29s
Build all the nodes / netcore02 (push) Successful in 32s
Build all the nodes / hypervisor01 (push) Successful in 1m30s
Build all the nodes / hypervisor02 (push) Successful in 1m34s
Build all the nodes / hypervisor03 (push) Successful in 1m36s
Build all the nodes / vault01 (push) Successful in 1m56s
Build all the nodes / rescue01 (push) Successful in 2m10s
Build all the nodes / storage01 (push) Successful in 2m10s
Build all the nodes / web02 (push) Successful in 1m42s
Run pre-commit on all files / pre-commit (push) Successful in 41s
Build all the nodes / web01 (push) Successful in 2m15s
Build all the nodes / web03 (push) Successful in 1m49s
2024-12-20 16:45:53 +01:00
31e3aabc8f
chore(npins): Update stateless-uptime-kuma
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m4s
Build all the nodes / bridge01 (push) Successful in 1m48s
Build all the nodes / geo01 (push) Successful in 1m48s
Build all the nodes / compute01 (push) Successful in 2m14s
Build all the nodes / geo02 (push) Successful in 1m25s
Build all the nodes / netcore02 (push) Successful in 36s
Build all the nodes / hypervisor02 (push) Successful in 1m46s
Build all the nodes / hypervisor01 (push) Successful in 1m47s
Build all the nodes / hypervisor03 (push) Successful in 1m31s
Build all the nodes / rescue01 (push) Successful in 1m54s
Build all the nodes / vault01 (push) Successful in 1m45s
Build all the nodes / storage01 (push) Successful in 1m50s
Run pre-commit on all files / pre-commit (push) Successful in 36s
Build all the nodes / web01 (push) Successful in 2m21s
Build all the nodes / web02 (push) Successful in 1m53s
Build all the nodes / web03 (push) Successful in 1m41s
This version has exponential backoff for trying to connect to the
upstream server
2024-12-20 13:33:57 +01:00
sinavir
7c6c753c67
feat(django-apps): Init ernestophone website
All checks were successful
Build all the nodes / geo01 (pull_request) Successful in 1m57s
Build all the nodes / geo02 (pull_request) Successful in 1m58s
Build all the nodes / hypervisor01 (pull_request) Successful in 1m45s
Build all the nodes / compute01 (pull_request) Successful in 2m37s
Build all the nodes / netcore02 (pull_request) Successful in 39s
Build all the nodes / hypervisor02 (pull_request) Successful in 1m38s
Build all the nodes / hypervisor03 (pull_request) Successful in 1m36s
Build all the nodes / rescue01 (pull_request) Successful in 2m16s
Build all the nodes / storage01 (pull_request) Successful in 2m17s
Build all the nodes / vault01 (pull_request) Successful in 2m1s
Run pre-commit on all files / pre-commit (pull_request) Successful in 35s
Build all the nodes / web02 (pull_request) Successful in 1m56s
Build all the nodes / web01 (pull_request) Successful in 2m26s
Build all the nodes / web03 (pull_request) Successful in 1m37s
Build all the nodes / ap01 (push) Successful in 1m18s
Build all the nodes / geo02 (push) Successful in 2m12s
Build all the nodes / hypervisor01 (push) Successful in 2m13s
Build all the nodes / geo01 (push) Successful in 2m17s
Build all the nodes / bridge01 (push) Successful in 2m20s
Build all the nodes / netcore02 (push) Successful in 30s
Build all the nodes / hypervisor02 (push) Successful in 1m31s
Build all the nodes / compute01 (push) Successful in 3m25s
Build all the nodes / hypervisor03 (push) Successful in 1m33s
Build all the nodes / storage01 (push) Successful in 2m7s
Build all the nodes / rescue01 (push) Successful in 2m8s
Build all the nodes / vault01 (push) Successful in 2m3s
Build all the nodes / web02 (push) Successful in 1m41s
Run pre-commit on all files / pre-commit (push) Successful in 40s
Build all the nodes / web01 (push) Successful in 2m25s
Build all the nodes / web03 (push) Successful in 1m40s
2024-12-20 04:21:06 +01:00
4622da188c
fix(ds-fr): Make email work again
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m29s
Build all the nodes / geo01 (push) Successful in 2m24s
Build all the nodes / bridge01 (push) Successful in 2m28s
Build all the nodes / hypervisor01 (push) Successful in 2m27s
Build all the nodes / geo02 (push) Successful in 2m27s
Build all the nodes / hypervisor02 (push) Successful in 1m32s
Build all the nodes / netcore02 (push) Successful in 33s
Build all the nodes / compute01 (push) Successful in 3m28s
Build all the nodes / hypervisor03 (push) Successful in 1m49s
Build all the nodes / rescue01 (push) Successful in 2m5s
Build all the nodes / vault01 (push) Successful in 2m8s
Build all the nodes / storage01 (push) Successful in 2m21s
Run pre-commit on all files / pre-commit (push) Successful in 34s
Build all the nodes / web02 (push) Successful in 1m39s
Build all the nodes / web01 (push) Successful in 2m33s
Build all the nodes / web03 (push) Successful in 1m40s
2024-12-18 09:51:28 +01:00
2855d62a43
chore(ds-fr): Disable var/lib backups for now
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m23s
Build all the nodes / bridge01 (push) Successful in 2m27s
Build all the nodes / geo01 (push) Successful in 2m28s
Build all the nodes / hypervisor01 (push) Successful in 2m29s
Build all the nodes / geo02 (push) Successful in 2m32s
Build all the nodes / netcore02 (push) Successful in 29s
Build all the nodes / hypervisor02 (push) Successful in 1m46s
Build all the nodes / compute01 (push) Successful in 3m28s
Build all the nodes / hypervisor03 (push) Successful in 2m2s
Build all the nodes / rescue01 (push) Successful in 2m14s
Build all the nodes / storage01 (push) Successful in 2m26s
Build all the nodes / vault01 (push) Successful in 1m59s
Build all the nodes / web02 (push) Successful in 1m45s
Run pre-commit on all files / pre-commit (push) Successful in 42s
Build all the nodes / web01 (push) Successful in 2m31s
Build all the nodes / web03 (push) Successful in 1m40s
It is spitting out errors
2024-12-18 07:57:05 +01:00
f8df18f13c
fix(ds-fr): Update module
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m18s
Build all the nodes / bridge01 (push) Successful in 1m58s
Build all the nodes / geo01 (push) Successful in 2m2s
Build all the nodes / geo02 (push) Successful in 2m9s
Build all the nodes / hypervisor01 (push) Successful in 1m29s
Build all the nodes / netcore02 (push) Successful in 37s
Build all the nodes / hypervisor03 (push) Successful in 1m36s
Build all the nodes / hypervisor02 (push) Successful in 1m41s
Build all the nodes / storage01 (push) Successful in 2m8s
Build all the nodes / rescue01 (push) Successful in 2m10s
Build all the nodes / vault01 (push) Successful in 2m7s
Build all the nodes / web01 (push) Successful in 2m28s
Run pre-commit on all files / pre-commit (push) Successful in 42s
Build all the nodes / web02 (push) Successful in 1m44s
Build all the nodes / web03 (push) Successful in 1m46s
Build all the nodes / compute01 (push) Successful in 9m44s
2024-12-18 00:42:12 +01:00
sinavir
324c37f884
fix(dns): Remove old pub.dgnum.eu
All checks were successful
Check meta / check_dns (push) Successful in 21s
Check meta / check_meta (push) Successful in 21s
Build all the nodes / ap01 (push) Successful in 1m22s
Build all the nodes / geo01 (push) Successful in 1m57s
Build all the nodes / bridge01 (push) Successful in 2m10s
Build all the nodes / compute01 (push) Successful in 2m31s
Build all the nodes / hypervisor01 (push) Successful in 2m17s
Build all the nodes / netcore02 (push) Successful in 32s
Build all the nodes / geo02 (push) Successful in 2m23s
Build all the nodes / hypervisor02 (push) Successful in 1m41s
Build all the nodes / hypervisor03 (push) Successful in 1m48s
Build all the nodes / rescue01 (push) Successful in 2m13s
Build all the nodes / web02 (push) Successful in 1m58s
Build all the nodes / vault01 (push) Successful in 2m21s
Build all the nodes / storage01 (push) Successful in 2m29s
Run pre-commit on all files / pre-commit (push) Successful in 37s
Build all the nodes / web01 (push) Successful in 3m0s
Build all the nodes / web03 (push) Successful in 1m36s
2024-12-17 22:21:52 +01:00
sinavir
9b71232c58
feat(garage): Deploy landing page
Some checks failed
Check meta / check_dns (push) Successful in 20s
Check meta / check_meta (push) Successful in 19s
Build all the nodes / ap01 (push) Successful in 1m9s
Build all the nodes / bridge01 (push) Successful in 1m48s
Build all the nodes / geo01 (push) Successful in 1m46s
Build all the nodes / compute01 (push) Successful in 2m16s
Build all the nodes / geo02 (push) Successful in 1m37s
Build all the nodes / netcore02 (push) Successful in 30s
Build all the nodes / hypervisor01 (push) Successful in 1m40s
Build all the nodes / hypervisor02 (push) Successful in 1m52s
Build all the nodes / hypervisor03 (push) Successful in 1m45s
Build all the nodes / storage01 (push) Successful in 2m5s
Build all the nodes / rescue01 (push) Successful in 2m19s
Build all the nodes / vault01 (push) Successful in 2m1s
Build all the nodes / web01 (push) Successful in 2m26s
Run pre-commit on all files / pre-commit (push) Successful in 40s
Build all the nodes / web02 (push) Has been cancelled
Build all the nodes / web03 (push) Has been cancelled
2024-12-17 22:14:40 +01:00
54f2057dfc chore(cas-eleves): Remove server alias as we have a permanent redirection in place
All checks were successful
Build all the nodes / geo02 (pull_request) Successful in 1m44s
Build all the nodes / geo01 (pull_request) Successful in 2m0s
Build all the nodes / compute01 (pull_request) Successful in 2m19s
Build all the nodes / netcore02 (pull_request) Successful in 37s
Build all the nodes / hypervisor01 (pull_request) Successful in 1m32s
Build all the nodes / hypervisor02 (pull_request) Successful in 1m34s
Build all the nodes / hypervisor03 (pull_request) Successful in 1m45s
Build all the nodes / rescue01 (pull_request) Successful in 2m1s
Build all the nodes / storage01 (pull_request) Successful in 2m2s
Build all the nodes / vault01 (pull_request) Successful in 1m55s
Build all the nodes / web02 (pull_request) Successful in 1m33s
Run pre-commit on all files / pre-commit (pull_request) Successful in 35s
Build all the nodes / web01 (pull_request) Successful in 2m13s
Build all the nodes / web03 (pull_request) Successful in 1m35s
Build all the nodes / ap01 (push) Successful in 1m36s
Build all the nodes / bridge01 (push) Successful in 2m15s
Build all the nodes / hypervisor01 (push) Successful in 2m27s
Build all the nodes / geo02 (push) Successful in 2m27s
Build all the nodes / geo01 (push) Successful in 2m28s
Build all the nodes / compute01 (push) Successful in 2m59s
Build all the nodes / netcore02 (push) Successful in 41s
Build all the nodes / hypervisor02 (push) Successful in 1m40s
Build all the nodes / hypervisor03 (push) Successful in 1m43s
Build all the nodes / rescue01 (push) Successful in 2m13s
Build all the nodes / storage01 (push) Successful in 1m58s
Build all the nodes / vault01 (push) Successful in 2m10s
Run pre-commit on all files / pre-commit (push) Successful in 38s
Build all the nodes / web02 (push) Successful in 1m44s
Build all the nodes / web01 (push) Successful in 2m38s
Build all the nodes / web03 (push) Successful in 1m36s
2024-12-17 20:06:13 +01:00
Elias Coppens
b8e75176e1
feat(hypervisors): Init
All checks were successful
Build all the nodes / compute01 (pull_request) Successful in 2m33s
Build all the nodes / hypervisor01 (pull_request) Successful in 1m31s
Build all the nodes / netcore02 (pull_request) Successful in 36s
Build all the nodes / hypervisor02 (pull_request) Successful in 1m48s
Build all the nodes / hypervisor03 (pull_request) Successful in 1m50s
Build all the nodes / vault01 (pull_request) Successful in 2m3s
Build all the nodes / storage01 (pull_request) Successful in 2m14s
Build all the nodes / rescue01 (pull_request) Successful in 2m30s
Build all the nodes / web02 (pull_request) Successful in 1m42s
Run pre-commit on all files / pre-commit (pull_request) Successful in 36s
Build all the nodes / web01 (pull_request) Successful in 2m11s
Build all the nodes / web03 (pull_request) Successful in 1m38s
Check meta / check_dns (push) Successful in 19s
Check meta / check_meta (push) Successful in 30s
Build all the nodes / ap01 (push) Successful in 1m27s
Build all the nodes / geo01 (push) Successful in 2m6s
Build all the nodes / bridge01 (push) Successful in 2m9s
Build all the nodes / hypervisor01 (push) Successful in 1m58s
Build all the nodes / geo02 (push) Successful in 2m10s
Build all the nodes / compute01 (push) Successful in 2m34s
Build all the nodes / netcore02 (push) Successful in 31s
Build all the nodes / hypervisor02 (push) Successful in 1m44s
Build all the nodes / hypervisor03 (push) Successful in 1m55s
Build all the nodes / vault01 (push) Successful in 2m5s
Build all the nodes / storage01 (push) Successful in 2m23s
Build all the nodes / rescue01 (push) Successful in 2m28s
Build all the nodes / web02 (push) Successful in 1m57s
Run pre-commit on all files / pre-commit (push) Successful in 35s
Build all the nodes / web01 (push) Successful in 2m40s
Build all the nodes / web03 (push) Successful in 1m48s
2024-12-17 17:41:33 +01:00
cab2bc381c
feat(vault01/networking): open vlan hypervisor
All checks were successful
Check meta / check_meta (pull_request) Successful in 20s
Check workflows / check_workflows (pull_request) Successful in 29s
Check meta / check_dns (pull_request) Successful in 31s
Build all the nodes / ap01 (pull_request) Successful in 1m10s
Build all the nodes / netcore02 (pull_request) Successful in 43s
Build all the nodes / bridge01 (pull_request) Successful in 1m59s
Build all the nodes / geo01 (pull_request) Successful in 1m54s
Build all the nodes / geo02 (pull_request) Successful in 1m56s
Build all the nodes / compute01 (pull_request) Successful in 2m40s
Build all the nodes / rescue01 (pull_request) Successful in 2m23s
Build all the nodes / storage01 (pull_request) Successful in 2m21s
Build all the nodes / vault01 (pull_request) Successful in 2m3s
Run pre-commit on all files / pre-commit (pull_request) Successful in 36s
Build all the nodes / web02 (pull_request) Successful in 1m54s
Build all the nodes / web03 (pull_request) Successful in 1m44s
Build all the nodes / web01 (pull_request) Successful in 2m28s
Build all the nodes / netcore02 (push) Successful in 39s
Build all the nodes / ap01 (push) Successful in 1m18s
Build all the nodes / geo01 (push) Successful in 2m9s
Build all the nodes / bridge01 (push) Successful in 2m10s
Build all the nodes / geo02 (push) Successful in 2m8s
Build all the nodes / compute01 (push) Successful in 2m34s
Build all the nodes / rescue01 (push) Successful in 2m15s
Build all the nodes / storage01 (push) Successful in 1m53s
Run pre-commit on all files / pre-commit (push) Successful in 44s
Build all the nodes / vault01 (push) Successful in 1m47s
Build all the nodes / web02 (push) Successful in 1m42s
Build all the nodes / web01 (push) Successful in 2m17s
Build all the nodes / web03 (push) Successful in 1m45s
2024-12-17 12:09:03 +01:00
f6d2de3115
chore(patches): Drop patches from nixos-24.05 as only web02 and ap01 use it
All checks were successful
Build all the nodes / netcore02 (push) Successful in 41s
Build all the nodes / bridge01 (push) Successful in 2m5s
Build all the nodes / geo01 (push) Successful in 1m59s
Build all the nodes / geo02 (push) Successful in 1m56s
Build all the nodes / ap01 (push) Successful in 2m11s
Build all the nodes / compute01 (push) Successful in 2m25s
Build all the nodes / rescue01 (push) Successful in 2m9s
Build all the nodes / vault01 (push) Successful in 2m3s
Build all the nodes / storage01 (push) Successful in 2m25s
Build all the nodes / web01 (push) Successful in 2m24s
Run pre-commit on all files / pre-commit (push) Successful in 37s
Build all the nodes / web03 (push) Successful in 1m39s
Build all the nodes / web02 (push) Successful in 4m53s
2024-12-17 00:14:46 +01:00
200104bf84
chore(kanidm): Update origin uris, oauth2 endpoints and switch to 1.4
Some checks failed
Build all the nodes / web02 (push) Waiting to run
Build all the nodes / web03 (push) Waiting to run
Run pre-commit on all files / pre-commit (push) Waiting to run
Build all the nodes / ap01 (push) Successful in 1m2s
Build all the nodes / bridge01 (push) Successful in 1m35s
Build all the nodes / netcore02 (push) Successful in 39s
Build all the nodes / compute01 (push) Successful in 2m29s
Build all the nodes / geo01 (push) Successful in 1m35s
Build all the nodes / geo02 (push) Successful in 1m30s
Build all the nodes / rescue01 (push) Has been cancelled
Build all the nodes / vault01 (push) Has been cancelled
Build all the nodes / storage01 (push) Has been cancelled
Build all the nodes / web01 (push) Has been cancelled
2024-12-17 00:11:05 +01:00
8c8093b778
feat(netbird): Use a kanidm-proof redirect uri 2024-12-16 22:37:51 +01:00
1b7b1c3a4f
chore(npins): Update cas-eleves 2024-12-16 22:37:31 +01:00
af1e11f01b
chore(git-hooks): Use a fixed nixfmt that does not depend on upstream
All checks were successful
Build all the nodes / ap01 (push) Successful in 55s
Build all the nodes / bridge01 (push) Successful in 1m36s
Build all the nodes / netcore02 (push) Successful in 42s
Build all the nodes / compute01 (push) Successful in 2m9s
Build all the nodes / geo02 (push) Successful in 1m55s
Build all the nodes / geo01 (push) Successful in 2m7s
Build all the nodes / rescue01 (push) Successful in 2m21s
Build all the nodes / vault01 (push) Successful in 2m2s
Build all the nodes / storage01 (push) Successful in 2m21s
Run pre-commit on all files / pre-commit (push) Successful in 43s
Build all the nodes / web02 (push) Successful in 2m0s
Build all the nodes / web03 (push) Successful in 1m53s
Build all the nodes / web01 (push) Successful in 2m28s
2024-12-16 16:40:39 +01:00
60a5aea5a8
chore(nextcloud): Update to v30
All checks were successful
Build all the nodes / ap01 (push) Successful in 1m38s
Build all the nodes / netcore02 (push) Successful in 40s
Build all the nodes / geo02 (push) Successful in 2m3s
Build all the nodes / geo01 (push) Successful in 2m9s
Build all the nodes / bridge01 (push) Successful in 2m20s
Build all the nodes / rescue01 (push) Successful in 2m33s
Build all the nodes / storage01 (push) Successful in 2m38s
Build all the nodes / compute01 (push) Successful in 4m21s
Run pre-commit on all files / pre-commit (push) Successful in 37s
Build all the nodes / web02 (push) Successful in 2m33s
Build all the nodes / vault01 (push) Successful in 2m48s
Build all the nodes / web01 (push) Successful in 3m2s
Build all the nodes / web03 (push) Successful in 1m47s
2024-12-16 16:21:37 +01:00
50 changed files with 1173 additions and 366 deletions


@ -54,6 +54,39 @@ jobs:
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
hypervisor01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
hypervisor02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
hypervisor03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netcore02:
runs-on: nix
steps:
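Review bot: The three added hypervisor jobs reference `actions/checkout@v3` by a movable tag, in a job whose next step receives `STORE_PASSWORD` and authenticates to the store as `STORE_USER: admin`. Whatever the tag resolves to runs in the same workspace that `cache-node` then evaluates, so I would pin the action to a full commit SHA, for example `- uses: actions/checkout@<full-commit-sha>  # v3` (placeholder, not a real id). The geo02 context lines show the same env block, so if this workflow is generated from a template, the pin belongs in the generator rather than in this file. It is also worth confirming that uploads need the `admin` store account; a push-only credential would limit what a leaked CI secret can do.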


@ -20,7 +20,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/04-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]


@ -40,6 +40,7 @@ let
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
package = pkgs.nixfmt-rfc-style;
};
reuse = nix-reuse.hook {
@ -84,6 +85,7 @@ let
# Patches
{
path = [
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
@ -91,7 +93,6 @@ let
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/04-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
];
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
@ -151,7 +152,6 @@ in
src = sources.nixos-generators;
}))
pkgs.npins
pkgs.reuse
# SSO testing
pkgs.kanidm
@ -163,7 +163,7 @@ in
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (builtins.attrValues scripts);
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
shellHook = ''
${git-checks.shellHook}


@ -21,6 +21,15 @@ rec {
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
hypervisor01 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
];
hypervisor02 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
];
hypervisor03 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
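Review bot: The three new hypervisor entries add host public keys with nothing recording how each key was obtained. If this attribute set feeds secret-encryption recipients or host verification (the dev shell pulls in agenix, so that seems likely, but it is not visible here), a key captured over an unauthenticated network path would silently become trusted. A short comment above the block, such as `# host keys read from the machine console at install time`, or the same statement in the commit message, would make the provenance auditable. The enclosing `rec { … }` set starts and ends outside the hunk.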


@ -0,0 +1,63 @@
From de5e8237e4bd8f3e325473c789fb542d01557f27 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Fri, 22 Sep 2023 17:26:27 +0200
Subject: [PATCH 1/2] fix(smtp): Allow specifying SSL settings
---
config/environments/production.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index cf942cd6c70..39692890213 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -105,7 +105,8 @@
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
+ ssl: ENV.fetch("SMTP_SSL").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail
From a406428ee761231c3e82dd5c8f5154d04474a238 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Mon, 25 Sep 2023 10:17:37 +0200
Subject: [PATCH 2/2] fix(smtp): Disambiguate configuration options for SMTP
---
config/env.example.optional | 3 ++-
config/environments/production.rb | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/env.example.optional b/config/env.example.optional
index 050e5d49bec..25bea8328fb 100644
--- a/config/env.example.optional
+++ b/config/env.example.optional
@@ -206,7 +206,8 @@ SMTP_HOST=""
SMTP_PORT=""
SMTP_USER=""
SMTP_PASS=""
-SMTP_TLS=""
+SMTP_STARTTLS="enabled" # Use any non-blank value to enable starttls
+SMTP_TLS="" # Use any non-blank value to enable TLS
SMTP_AUTHENTICATION="plain"
# Sendmail
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 39692890213..bc203bbbaab 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -105,8 +105,8 @@
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
- ssl: ENV.fetch("SMTP_SSL").present?
+ enable_starttls_auto: ENV.fetch("SMTP_STARTTLS", "enabled").present?,
+ tls: ENV.fetch("SMTP_TLS", "").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail
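Review bot: After patch 2/2 the mailer still accepts a configuration where both `SMTP_STARTTLS` and `SMTP_TLS` are blank, in which case `authentication: plain` sends `SMTP_USER`/`SMTP_PASS` without transport encryption. `enable_starttls_auto` is also opportunistic, so a server or on-path device that does not advertise STARTTLS yields a cleartext session. I would refuse to boot when neither variable is set and, where the bundled mail gem supports it, require the upgrade with `enable_starttls: ENV.fetch("SMTP_STARTTLS", "enabled").present?`. Two smaller points belong in `env.example.optional`: `.present?` treats any non-blank string as true, so `SMTP_TLS="false"` turns implicit TLS on, and `SMTP_TLS` previously drove STARTTLS, so an existing deployment that set it for a STARTTLS port now switches to implicit TLS. The settings hash opens outside the hunk.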


@ -11,41 +11,49 @@
let
host = "demarches.dgnum.eu";
port = 3000;
dgn-id = "1fbe81d211b18dae7b9c1727362997c62636f24a";
dgn-id = "8dfdc60d1aa66e7206461ed7a49199f624a66b4e";
patch = pkgs.fetchurl {
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
hash = "sha256-6JdbUf2fc79E5F1wtYFnP1JLGJffhGbjaxysRFr8xN4=";
};
in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
dgn-web.internalPorts.ds-fr = port;
services.demarches-simplifiees = {
enable = true;
package =
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
initialDeploymentDate = "20230923";
}).overrideAttrs
(old: {
package = (import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.overrideAttrs (old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${
pkgs.fetchurl {
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
hash = "sha256-aCq/WkV4+PUSIzXgznwm2sAcaz12Y1zmUbh7QoXoMsM=";
}
}
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
};
patches = (old.patches or [ ]) ++ [ ./01-smtp-tls.patch ];
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
postPatch = ''
rm -f lib/tasks/deployment/20240830192553_backfill_hide_instructeurs_email.rake
rm -f lib/tasks/deployment/20240912151317_clean_virtual_column_from_procedure_presentation.rake
rm -f lib/tasks/deployment/20240920130741_migrate_procedure_presentation_to_columns.rake
'';
});
secretFile = config.age.secrets."ds-fr-secret_file".path;
inherit host port;
environmentFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923";
settings = {
APP_HOST = host;
environment = {
# Disable France Connect and Agent Connect
FRANCE_CONNECT_ENABLED = "disabled";
AGENT_CONNECT_ENABLED = "disabled";
@ -65,8 +73,8 @@ in
SMTP_HOST = "kurisu.lahfa.xyz";
SMTP_PORT = "465";
SMTP_USER = "web-services@infra.dgnum.eu";
SMTP_TLS = "";
SMTP_SSL = "true";
SMTP_STARTTLS = "";
SMTP_TLS = "true";
SMTP_AUTHENTICATION = "plain";
SUPER_ADMIN_OTP_ENABLED = "disabled";
@ -87,18 +95,10 @@ in
RUBY_YJIT_ENABLE = "1";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-23";
WEASYPRINT_URL = "http://127.0.0.1:5000/pdf";
# Customization
# HEADER_LOGO_SRC = "logo_ens_psl_couleur.png";
# HEADER_LOGO_ALT = "Par la Recherche, pour la Recherche";
# PROCEDURE_DEFAULT_LOGO_SRC = "logo_ens_psl_couleur.png";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-12-18";
};
};
age-secrets.autoMatch = [ "ds-fr" ];
dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/ds-fr" ];
# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];
dgn-backups.postgresDatabases = [ "ds-fr" ];
}


@ -1,5 +1,4 @@
# Copyright Tom Hubrecht, (2023)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileCopyrightText: 2023-2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
@ -7,192 +6,290 @@
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe
getExe'
mapAttrs
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
optionalString
types
;
inherit (lib.types)
attrsOf
nullOr
oneOf
package
path
port
str
;
inherit (utils) escapeSystemdExecArgs;
cfg = config.services.demarches-simplifiees;
settingsFormat = pkgs.formats.keyValue { };
env = settingsFormat.generate "ds-fr-env" cfg.settings;
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
set -a
cd ${cfg.package}
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
source ${env}
BIN="$1"
shift
SUDO="exec"
if [[ $USER != ${cfg.user} ]]; then
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
fi
$SUDO ${cfg.package}/bin/$BIN "$@"
'';
weasyprintEnv = pkgs.python3.withPackages (ps: [
ps.flask
ps.sentry-sdk
ps.weasyprint
]);
in
{
options.services.demarches-simplifiees = {
enable = mkEnableOption "demarches-simplifiees.";
enable = mkEnableOption "Démarches Simplifiées";
package = mkOption {
type = types.package;
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
package = mkPackageOption pkgs "demarches-simplifiees" { };
finalPackage = mkOption {
type = package;
default = cfg.package.override { inherit (cfg) initialDeploymentDate; };
};
user = mkOption {
type = types.str;
default = "ds-fr";
description = "User account under which DS runs.";
host = mkOption {
type = str;
description = ''
Hostname of the web server.
'';
};
group = mkOption {
type = types.str;
default = "ds-fr";
description = "Group account under which DS runs.";
port = mkOption {
type = port;
default = 3000;
description = ''
Listening port for the web server.
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/ds-fr";
weasyprintPort = mkOption {
type = port;
default = 5000;
description = ''
Port of the weasyprint server.
'';
};
logDir = mkOption {
type = types.str;
default = "/var/log/ds-fr";
environment = mkOption {
type = attrsOf (
nullOr (oneOf [
package
path
str
])
);
description = ''
Evironment variables available to Démarches Simplifiées.
'';
};
secretFile = mkOption {
type = types.nullOr types.path;
environmentFile = mkOption {
type = nullOr path;
default = null;
description = ''
Path to a file containing environment variables.
Required secrets are `SECRET_KEY_BASE` and `OTP_SECRET_KEY`,
which can be generated using `rails secret`.
'';
};
settings = mkOption { inherit (settingsFormat) type; };
initialDeploymentDate = mkOption {
type = types.nullOr types.str;
type = nullOr str;
default = null;
description = ''
Initial deployment date, used to ignore some migrations,
which are known to be buggy and are supposed to change old production data.
'';
};
interactScript = mkOption {
type = package;
default = pkgs.writeShellApplication {
name = "ds-fr";
runtimeInputs = [
cfg.finalPackage
config.systemd.package
pkgs.util-linux
];
text = ''
MainPID=$(systemctl show -p MainPID --value demarches-simplifiees.service)
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
'';
};
description = ''
Script to run ds-fr tasks.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ ds-fr ];
environment.systemPackages = [ cfg.interactScript ];
systemd.tmpfiles.rules = [
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
];
systemd.services =
let
serviceConfig = {
User = "ds-fr";
DynamicUser = true;
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
CacheDirectory = "demarches-simplifiees";
LogsDirectory = "demarches-simplifiees";
RuntimeDirectory = "demarches-simplifiees";
StateDirectory = "demarches-simplifiees";
WorkingDirectory = cfg.finalPackage;
};
in
{
demarches-simplifiees = {
description = "Démarches Simplifiées";
systemd.services = {
ds-fr-setup = {
description = "Demarches Simplifiees setup";
inherit (cfg) environment;
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
ds-fr
cfg.finalPackage
pkgs.imagemagick
];
after = [ "postgresql.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
script = ''
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
&& ds-fr rails db:environment:set \
&& ds-fr rails db:schema:load \
&& ds-fr rails db:seed \
&& touch ${cfg.dataDir}/.initial-migration
ds-fr rake db:migrate
ds-fr rake after_party:run
'';
};
ds-fr-work = {
description = "Demarches Simplifiees work service";
wantedBy = [
"multi-user.target"
"ds-fr.service"
];
after = [
"network.target"
"ds-fr-setup.service"
"postgresql.target"
];
requires = [ "ds-fr-setup.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
preStart = ''
mkdir -p "$STATE_DIRECTORY/storage"
if [[ ! -f "$STATE_DIRECTORY/.version" ]]; then
# Run initial setup
rails db:environment:set
rails db:schema:load
rails db:seed
rails jobs:schedule
touch "$STATE_DIRECTORY/.version"
fi
if [[ $(cat "$STATE_DIRECTORY/.version") != "$__DS_VERSION" ]]; then
# Run migrations on version change
rake db:migrate
rake after_party:run
echo "$__DS_VERSION" > "$STATE_DIRECTORY/.version"
fi
'';
serviceConfig = serviceConfig // {
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.finalPackage "rails")
"server"
"-b"
"127.0.0.1"
"-p"
cfg.port
];
};
};
ds-fr = {
description = "Demarches Simplifiees web service";
demarches-simplifiees-work = {
description = "Démarches Simplifiées work service";
inherit (cfg) environment;
after = [ "demarches-simplifiees.service" ];
wantedBy = [ "multi-user.target" ];
bindsTo = [ "demarches-simplifiees.service" ];
partOf = [ "demarches-simplifiees.service" ];
serviceConfig = serviceConfig // {
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.finalPackage "rails")
"jobs:work"
];
};
};
weasyprint-server = {
description = "Weasyprint server";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
path = [ pkgs.imagemagick ];
environment = {
BASE_URL = "https://${cfg.host}";
LOG_DIR = "/var/log/weasyprint";
UWSGI_PYTHONPATH = weasyprintEnv;
UWSGI_MODULE = "wgsi:app";
};
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails server";
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
DynamicUser = true;
Type = "notify";
WorkingDirectory = cfg.finalPackage.weasyprint_server;
LogsDirectory = "weasyprint";
ExecStart = escapeSystemdExecArgs [
(getExe (pkgs.uwsgi.override { plugins = [ "python3" ]; }))
"--http-socket"
"127.0.0.1:${builtins.toString cfg.weasyprintPort}"
"--processes=4"
"--enable-threads"
];
NotifyAccess = "all";
KillSignal = "SIGQUIT";
ExecReload = "${getExe' pkgs.coreutils "kill"} -HUP $MainPID";
ExecStop = "${getExe' pkgs.coreutils "kill"} -INT $MainPID";
ProtectSystem = "full";
ProtectHome = true;
NoNewPrivileges = true;
PrivateDevices = true;
};
};
};
services = {
demarches-simplifiees.settings =
(builtins.mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.package;
demarches-simplifiees.environment =
# Hardcoded values
{
# Application host name
#
# Examples:
# * For local development: localhost:3000
# * For preproduction: staging.ds.example.org
# * For production: ds.example.org
APP_HOST = "localhost:3000";
APP_HOST = cfg.host;
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = "ds-fr";
DB_HOST = "/run/postgresql";
DB_PORT = "5432";
# The variables must be present even if empty...
DB_PASSWORD = "";
DB_POOL = "";
# Jobs configuration
RAILS_QUEUE_ADAPTER = "delayed_job";
# Log on stdout
RAILS_LOG_TO_STDOUT = "true";
# Package version
__DS_VERSION = cfg.finalPackage.version;
# Weasyprint endpoint generating attestations v2
# See https://github.com/demarches-simplifiees/weasyprint_server
WEASYPRINT_URL = "http://127.0.0.1:${builtins.toString cfg.weasyprintPort}/pdf";
}
// (mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.finalPackage;
# Rails key for signing sensitive data
# See https://guides.rubyonrails.org/security.html
@ -227,18 +324,6 @@ in
# SAML
SAML_IDP_ENABLED = "disabled";
# External service: authentication through France Connect
FC_PARTICULIER_ID = "";
FC_PARTICULIER_SECRET = "";
FC_PARTICULIER_BASE_URL = "";
# External service: authentication through Agent Connect
AGENT_CONNECT_ID = "";
AGENT_CONNECT_SECRET = "";
AGENT_CONNECT_BASE_URL = "";
AGENT_CONNECT_JWKS = "";
AGENT_CONNECT_REDIRECT = "";
# External service: integration with HelpScout (optional)
HELPSCOUT_MAILBOX_ID = "";
HELPSCOUT_CLIENT_ID = "";
@ -288,9 +373,6 @@ in
# https://api.gouv.fr/api/api-entreprise.html
API_ENTREPRISE_KEY = "";
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
PIPEDRIVE_KEY = "";
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
TRUSTED_NETWORKS = "";
@ -299,7 +381,7 @@ in
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
# Enable or disable Lograge logs
LOGRAGE_ENABLED = "disabled";
LOGRAGE_ENABLED = "enabled";
# Logs source for Lograge
#
@ -336,57 +418,42 @@ in
# Siret number used for API Entreprise, by default we use SIRET from dinum
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
})
// {
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = cfg.user;
DB_PASSWORD = "";
DB_HOST = "/run/postgresql";
DB_POOL = "";
# Log on stdout
RAILS_LOG_TO_STDOUT = true;
};
# Date from which email validation requires a TLD in email adresses.
# This change had been introduced by : cc53946d221d6f64c365ad6c6c4c544802eb94b4
# Records (users, …) created before this date won't be affected. See #9978
# To set a date, we recommend using *the day after* you have deployed this commit,
# so existing records won't be invalid.
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-19";
});
postgresql = {
enable = true;
ensureDatabases = [ "ds-fr" ];
ensureUsers = optional (cfg.user == "ds-fr") {
ensureUsers = [
{
name = "ds-fr";
ensureDBOwnership = true;
};
}
];
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
extensions = [ config.services.postgresql.package.pkgs.postgis ];
};
nginx = {
enable = true;
virtualHosts.${cfg.settings.APP_HOST} = {
virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
root = "${cfg.package}/public/";
root = "${cfg.finalPackage}/public/";
locations."/".tryFiles = "$uri @proxy";
locations."@proxy" = {
proxyPass = "http://127.0.0.1:3000";
locations."@proxy".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
};
};
users.users = mkIf (cfg.user == "ds-fr") {
ds-fr = {
inherit (cfg) group;
isSystemUser = true;
home = cfg.package;
};
};
users.groups.${cfg.group} = { };
};
}
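Review bot: `interactScript` hands whatever `systemctl show -p MainPID --value` prints straight to `nsenter -t`, and for a stopped unit that value is `0`, so the wrapper fails inside nsenter with an error that never mentions the service. A guard before the nsenter line makes the cause explicit: `if [ "$MainPID" = 0 ]; then echo "demarches-simplifiees.service is not running" >&2; exit 1; fi`. Because `-e` copies the target process's environment, the command also runs with everything loaded from `environmentFile`. The option description could say so, for example `Runs a command inside the namespaces and environment (secrets included) of the running service.`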


@ -18,9 +18,9 @@ in
settings = {
"auth.generic_oauth" = {
api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo";
auth_url = "https://sso.dgnum.eu/ui/oauth2";
client_id = "grafana_dgn";
client_id = "dgn_grafana";
client_secret = file "oauth_client_secret";
enabled = true;
id_token_attribute_name = "sub";


@ -49,7 +49,7 @@ in
services.kanidm = {
enableServer = true;
package = pkgs.kanidm_1_3;
package = pkgs.kanidm_1_4;
serverSettings = {
inherit domain;
@ -96,7 +96,7 @@ in
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
originUrl = "https://grafana.dgnum.eu/login/generic_oauth";
preferShortUsername = true;
scopeMaps.grp_active = [
@ -111,7 +111,7 @@ in
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
originUrl = "https://nms.dgnum.eu/auth/kanidm/callback";
preferShortUsername = true;
scopeMaps.grp_active = [
@ -125,7 +125,7 @@ in
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
originUrl = "https://netbird.dgnum.eu/index";
preferShortUsername = true;
public = true;
@ -141,7 +141,7 @@ in
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/";
preferShortUsername = true;
scopeMaps.grp_active = [
@ -153,9 +153,10 @@ in
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
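Review bot: `allowInsecureClientDisablePkce = true` on `dgn_outline` turns off PKCE for that client with no comment saying why, so nobody will know when it can be removed. If the reason is that Outline's OIDC client sends no code challenge (an assumption, the page does not say), note it next to the option: `# Outline sends no PKCE challenge; remove once it does`. The `originUrl` values in the other hunks of this file now name each callback path, which looks like the stricter setting, so this flag is the one loosening in the file. The `dgn_outline` attribute set continues outside the hunk.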


@ -22,7 +22,7 @@ in
enable = true;
hostName = host;
package = pkgs.nextcloud29;
package = pkgs.nextcloud30;
https = true;


@ -28,10 +28,10 @@ in
publicUrl = "https://${host}";
oidcAuthentication = {
clientId = "outline_dgn";
clientId = "dgn_outline";
authUrl = "https://sso.dgnum.eu/ui/oauth2";
tokenUrl = "https://sso.dgnum.eu/oauth2/token";
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/dgn_outline/userinfo";
displayName = "DGNum SSO";
clientSecretFile = config.age.secrets."outline-oidc_client_secret_file".path;


@ -1,24 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ
2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI
-> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE
1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs
-> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI
LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU
-> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA
jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs
-> ssh-ed25519 jIXfPA jjStc+COqzn2fkEU5y9p+h3KPL7ip0Sk7wwdjGME5Ag
2eYwXQs/IbgzeEP1vFy9OLOhPVnyq4cki7voHSXKomQ
-> ssh-ed25519 QlRB9Q rqJ1GzzA5IMgZoQD/u35k/qVr1GEbicWGCpDwzbSoRQ
cqGLtH53VWP5Z21pjllWRGRO2PkMSOQftF/WHAldW0Q
-> ssh-ed25519 r+nK/Q oPY6OIrUHYr3NSOes0KGNBjZJse4bNso3nGoKfqdOgw
8CJeNP6AdhUTWFTiYpswsottSI1C25RGOMaxHsnAeNc
-> ssh-rsa krWCLQ
XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps
uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ
CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg
k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4
4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW
qd63AwlEvNGOSIMXBqc+tQ
-> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A
Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk
-> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ
o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU
-> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8
OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w
--- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo
ì©šÎj½ó˪f¾©Fyz#ö뤄å…ùÕâ íz‰z¥}´ýÂø9(!SÂöÛ<C3B6>¸ûz2kªÈCæ<43>¦J¬T…Ÿ”þG<C3BE>€³“Z_àÑ
BseveWlNY2C1A37CKs6rUBmJWDeYwr4JE6fGtjtvJG6oVaanIQqpAA0PkML1IG1V
tTimA7j4L8RT01UmHdpcWQUdR2ZjGBznFCfT46yW2/W/uCxrtHdRJKFur8ZZVfqg
3NNHTe87liDf9L1izNAhcMOWlSWXsDbj/xUYw07yopXoH9lA9bmbDytZp5oxrN5v
JLlWjfoiKu92RAUxobfqra2TUFM98ljAX0U2jv+Vadyz2HiDV0WRl3rsymlDNyQp
rWZRfNKmM4VVrBTB6raatgfdYaj9m3xN9x6xyTfz1Jw1etClrnvdTJOyROxR10B8
qJ10Vvy1cu1Yt3aTzmBSpQ
-> ssh-ed25519 /vwQcQ lBUUIhJo1cwZJAD8yEkPEjc3Wm5laQ4+oL47g0UUzDI
oDMv1BAaAuoWL/lWb08l7sfz7Hjt7syFGxKlJ90IWx4
-> ssh-ed25519 0R97PA oJ/bnbgfrfnozCOWyhPGrdhDD1N2VFVOhN56py0Lvic
3MFXDBDOASpUqg9ZkBCQDc7oCaJSyc77cEHYZ41O8Fk
-> ssh-ed25519 JGx7Ng lnd0RjCT6leBvk4uLXYWt+BeqstIycHYtWkbEhUqPjI
i9IVIwDe80nRV8jk3YLqyqDXzatC0PwGM6yMmZT8DeA
-> ssh-ed25519 bUjjig MFRe8FP5AQPHAUfLr3VLNAqEnnYI8wThQbFunl8fuj0
U5//sg3BRjSvp4NbH9RqD9vugee3cEnNDRuKLaf506I
-> ssh-ed25519 tDqJRg txHQKcCUKCAxc0/ZYL1IqeXfbjlGz74ccKZ7kj2bVSw
4YzZQw7PyPGBoWw6GuBsdQo3p3f+XEbOdpGCXfOeHic
-> IOpsGs-grease
JFzNAbIaA7nJkfBBACoJDaQsVCo5TmArRwHtu5W91+YxSoyj22D0
--- K4Uw4L8YfGsdUQfdxwm1zxkABRBBjORNIDoHv+sjosI
,Â!!§øäç›?K¬Õ§!ò%™ô B¨åö¦*vßc?â:;ð ãÎ{?.½EØ,þ˜;%Ä0iq^tl¨l=±Ž6.xvü\<5C>


@ -1,27 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg X/tRIl6TzF09a1Tvr8vP3SocmlfwKg307he8LP3Q5mo
hWjX3AUbREbQR+uCiW8Nsj5nCwYQYy1KV/41sbxBFo4
-> ssh-ed25519 jIXfPA 6EOXJfa+aY4JjOb0SO2k+s6xnNjtm/o8au6lbN1UfxA
dVsgH99btiE+pl7Q4uiOcYDTwtv6X0jgjYXoFFd+tPs
-> ssh-ed25519 QlRB9Q 4Hje1HQL+Zjm9+BGDQvb83KaizOjfKTwjiq1SJlXvA0
w2rMGVcZcS2aLNYxHZIJZF/j50CQm8UCmq89W9K7Q14
-> ssh-ed25519 r+nK/Q aPQh4X7xZnTbrkxIaAwUbaS7NnbHMY+Q31E0x7AvwSo
rnMus4wPVugzscVNPO33rNgboN7I42tdz4dikVOvWIw
-> ssh-ed25519 jIXfPA ffhnaA8PokIDyboOZVSebOxvu46CSvl3Sk6NEqXDlgo
MTEYDDnKBVnGyMvQFLBVAedmEfdv90Lh7fFt8G4ogSg
-> ssh-ed25519 QlRB9Q U9driMnVrc6FvJkIg0FGfCqjftbw4OozLMH3hNSeOns
/2/Ripvin97IDSSpOkWiOrmMt1/WnsKDZQ9jvPpn2OA
-> ssh-ed25519 r+nK/Q TabwYz+Z7Hr/TflaeYFT+svW+AGkTYRqDPN0iRrPmzc
mi9r46HFwSjqPrW3x4Ik2Xerd80KjYuHaqy4wkLOgAc
-> ssh-rsa krWCLQ
Xe2Vv3tCZy19QQt26q6T3mJkZyltU7OVOrruwxWr8hlaKgOfR/pMa7nbR+eWm6jS
++39H+E6gssE/534ld5qz2J3oPV5E6+p4wok/Owy7zE6aWrALP1Mp296lumRjjGN
6aYhmf4fbpvOWDMNujExWURggswbUplk0f7l5UYjNpcSnM9Iq6s9fTAUVTMAlvoL
cmVvPTll6QlhhM7tkJL1fo+1nEimfmwDaOhE2lAKKJUD7DTqcBGsukpysOhcmCyr
Xtx38kcuF5eaDzjT9gXgi4QtCrxf31Lfjju44HSqJFB1LqO2Vzd9rASurD2LN7/1
uj8F5y+dmf6IqIM/kYXqPg
-> ssh-ed25519 /vwQcQ Byl5reTJslEFsIdUWp+rg5sZxG1jEHVduBE/grTD/Vc
SEzFbpWUZrVitO1Swfs3/pzfaZ6Zd4Roi8anJRHO7/o
-> ssh-ed25519 0R97PA CLDuGuFPHf0rgUoCUY2C1jtXAeBEqKiqaeiH4ZcRFk8
rBYZfmS7BSKDIJMVpWTGy5wRhhoi9xR1GchVsUn7Psw
-> ssh-ed25519 JGx7Ng xqTydh3Bt5bL/7R6ZnVtqhfSW2V3g1g2UWPcePt8TCU
lPQeGP4VQGU4xeGqVcIRnWZjeDp2Q4lH2CLg+C/weyM
-> .-grease
l4qPzZnL/yerx8Y3VUmUoO2GgK7OUAjbhfYsHPhDFSo+ZPgvYo7qpJBEsPQqrPA3
FF2/R9IFD+jFranJsg
--- ynZs900dI1cp+HWu6HdnUGKaJw/Wa1Y26eQSeO3fvH8
|Nös.­æ·»×KC²éi#<11>XôfÓéöÃÎq[í¶t{ŸôEkœÇ±­<AÿñYd'çÉ…²3ȆbMæÝ;0f”V[œ¥<ûàX;E
DiRtuMIY8AdA3XJcW75mQwQN/CKtXFLbS/bHHMSH0xBzUPhY2JP5IwDrnS+YuAq8
CTc+QXC8eWlZpujZnIMgX2lUMOVA9rfYLml3Dsjju048kLBOm/WlYAaf3l7Fpuwm
m3BQK4mRWsdISdhwUHsNTaO8z9jkMwV/a+iWjQWDtNxscRnBqq8a2wms7zUHmJbJ
HHYCykPZGrIhh6pOConMhuQZRN59W/HVCJ60+z4E0L5Yw1itqyInz/XQh+a6hrnY
8R2ipE658KJmqSHIebeSriD49fvwEWaCssmI9JQ4GmuKLaKQuqNwTubmm+0cP9w5
NtVCqqEGq3HX1/MLnpmbew
-> ssh-ed25519 /vwQcQ p8fZnQh6objEcb9kVQ+iu49T7v54CZKES538A/3eXlo
4bchuaemw++HSOi+1Nop2D1QP96zsDdK1SS5wzNLIeE
-> ssh-ed25519 0R97PA j76+Z++DFCjrELtJuXlbXKO3GfDz4bqN4MjxrRjEunY
s/Bouc5R6RAhV+fV8sqP3bQN7cubQ/zvmTbiFkEdShc
-> ssh-ed25519 JGx7Ng FSufP2DJeNehiGWArgtLjnPTMJd1XYOGIydUDovgLjA
HpuHpBUSrEgUDZHG2T6b2wdugRhCCWnCNC33W1mz7VQ
-> ssh-ed25519 bUjjig 3lJvEVu3c8NNpm1cc6068n2pO75PLD5DyX00sL9Io1M
QV4CiZ8q2YV3FjojL4eU+of4KNuvw/kuVcykOR/ndcY
-> ssh-ed25519 tDqJRg 1++TmLtKpgOlKExGY4ZVWb82N/GrRHl63MpHsBYg83A
C1hi8qlfY8Tx8a6Ik4b0FcxXFDorvmSklR53VgPeQqU
-> i3xH-grease \0) ojM4J<
ArfqJf5FcIndzy7XQ5vxY+1iJwPtjplV7Sx5R2kWoHsXBwYyI9pt8Co
--- apFO9hGDSpGnlL3r1MliuT1axseRl7WLb5YhpOcd5GI
ùÒЇÚv\yoKÜøCsáþ™AaãjMŸ<>¦Š¶+2"À½îšäÉc451ùÏ8÷)m‡¤ŒÚ$š„XÇÈkû<6B>Pj)FÜ
ÃV*É‚
c


@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [ ];
enabledServices = [ ];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}


@ -0,0 +1,79 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "rootfs";
fsType = "zfs";
};
"/nix" = {
device = "rootfs/nix";
fsType = "zfs";
};
"/var" = {
device = "rootfs/var";
fsType = "zfs";
};
# boot1 = boot partition in first disk (used by default)
# boot2 = boot partition in second disk (used in backup)
"/boot1" = {
device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
"/boot2" = {
device = "/dev/disk/by-label/BOOT2";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/759f1573-7593-400e-b310-c384fc6124c3"; }
{ device = "/dev/disk/by-uuid/73f94cd3-3f0f-4a32-9e5b-abd6c2a9b219"; }
];
networking.useDHCP = lib.mkDefault true;
networking.interfaces.eno4.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "hypervisor01" ] [
]
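Review bot: The license tag in the header is spelled `SPDX-License-Identifer`, missing an `i`, so tools that look for the SPDX tag will probably treat this file as carrying no license. It should read `# SPDX-License-Identifier: EUPL-1.2`, as in the other new files of this compare. The same misspelling is in the new secrets files for `hypervisor02` and `hypervisor03` further down.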


@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [ ];
enabledServices = [ ];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}


@ -0,0 +1,81 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "rootfs";
fsType = "zfs";
};
# boot1 = boot partition in first disk (used by default)
# boot2 = boot partition in second disk (used in backup)
"/boot1" = {
device = "/dev/disk/by-label/BOOT1";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
"/boot2" = {
device = "/dev/disk/by-label/BOOT2";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
"/nix" = {
device = "rootfs/nix";
fsType = "zfs";
};
"/var" = {
device = "rootfs/var";
fsType = "zfs";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/46e20dc0-01bc-4f26-904a-1d23cb96bdb6"; }
{ device = "/dev/disk/by-uuid/a8938e0f-3a00-45e7-bc6f-4bd9e2b1db6c"; }
];
networking.useDHCP = lib.mkDefault true;
networking.interfaces.eno4.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "hypervisor02" ] [
]


@ -0,0 +1,17 @@
# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [ ];
enabledServices = [ ];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}


@ -0,0 +1,81 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "rootfs";
fsType = "zfs";
};
"/nix" = {
device = "rootfs/nix";
fsType = "zfs";
};
"/var" = {
device = "rootfs/var";
fsType = "zfs";
};
# boot1 = boot partition in first disk (used by default)
# boot2 = boot partition in second disk (used in backup)
"/boot1" = {
device = "/dev/disk/by-uuid/80E2-979C";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
# TODO: put me in automounts + autosync between both boot partitions.
"/boot2" = {
device = "/dev/disk/by-uuid/8722-1B4F";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/dfe3aa01-ed46-4996-8ae3-a913ebffba76"; }
{ device = "/dev/disk/by-uuid/5531258d-3538-4744-be1b-e08e26ad377f"; }
];
networking.useDHCP = lib.mkDefault true;
networking.interfaces.eno4.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
#
# SPDX-License-Identifer: EUPL-1.2
(import ../../../../keys).mkSecrets [ "hypervisor03" ] [
]


@ -25,6 +25,7 @@ let
"boussole-sante.normalesup.eu"
"lanuit.ens.fr"
"simi.normalesup.eu"
"pub.dgnum.eu"
];
buckets = [
@ -35,6 +36,7 @@ let
"hackens-website"
"nuit-website"
"peertube-videos-dgnum"
"landing-website"
] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}");


@ -37,6 +37,7 @@ in
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
AUTH_AUDIENCE = "dgn_netbird";
AUTH_CLIENT_ID = "dgn_netbird";
AUTH_REDIRECT_URI = "/index";
};
};


@ -129,6 +129,13 @@ let
extraNetwork.networkConfig.DHCPServer = "yes";
};
vlan-hypervisor = {
Id = 2001;
address = [ "10.0.254.1/24" ];
extraNetwork.networkConfig.DHCPServer = "yes";
};
} // builtins.listToAttrs (map mkUserVlan userVlans);
in


@ -35,8 +35,8 @@ in
"www.interq.ens.fr" = "interq.ens.fr";
};
temporary = {
"pub.dgnum.eu".to = "https://www.instagram.com/dgnum_eu/";
temporary =
{
};
retired = mkSubs {


@ -135,14 +135,11 @@ in
dgn-web.simpleProxies.cas-eleves = {
inherit host port;
vhostConfig = {
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
vhostConfig.locations = {
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
services.postgresql = {
ensureDatabases = [ "cas_server" ];


@ -13,6 +13,7 @@ lib.extra.mkConfig {
enabledServices = [
# List of services to enable
"django-apps"
"redirections"
];
extraConfig = {


@ -6,6 +6,7 @@
imports = [
./annuaire.nix
./bocal.nix
./ernestophone.nix
./gestiojeux.nix
./interludes.nix
./wikiens.nix


@ -0,0 +1,65 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
pkgs,
sources,
config,
...
}:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.ernestophone = {
source = "https://git.dgnum.eu/DGNum/ernestophone.ens.fr";
branch = "update";
domain = "ernestophone.ens.fr";
nginx = {
enableACME = true;
forceSSL = true;
locations = {
"/media/trombonoscope/".root = "/run/django-apps/ernestophone/";
};
};
serveMedia = false;
webHookSecret = config.age.secrets."webhook-ernestophone_token".path;
python = pkgs.python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-avatar
django-cas-ng
django-solo
loadcredential
;
};
};
dependencies = ps: [
ps.django
ps.django-avatar
ps.django-colorful
ps.gunicorn
ps.pillow
ps.loadcredential
];
application.module = "Ernestophone";
credentials = {
SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
};
environment = {
DJANGO_SETTINGS_MODULE = "Ernestophone.settings";
ERNESTOPHONE_ALLOWED_HOSTS = [ "ernestophone.ens.fr" ];
};
};
}
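Review bot: `credentials` wires only `SECRET_KEY`, while the web03 secrets list at the end of this page also names `dj_ernestophone-password_file` and `dj_ernestophone-admins_file`. If the application reads those two through loadcredential, they need entries here of the form `<CREDENTIAL_NAME> = config.age.secrets."dj_ernestophone-password_file".path;` (the credential name is a placeholder, the page does not give it). If it does not read them, they are decrypted on the host with no consumer and are better left out of the list. That secrets section is cut off in this view, so whether both entries are new in this compare is an inference.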


@ -0,0 +1,11 @@
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
dgn-redirections = {
permanent = {
"www.ernestophone.ens.fr" = "ernestophone.ens.fr";
};
};
}

Binary file not shown.


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 9RRZxLF9tCD5U+9qMdPjANj+uL/8klzK3MV+YW6fhEc
gd8gQtbKWfOmN1mDRszw7vEnSg8pPHpHU5JDo9bM/ek
-> ssh-ed25519 QlRB9Q hArXwJSPPrZySgU8/YBJwsVfXMhgMy7N72jFcslb1xo
H3ifulIpmYpllXTsXh5TYit6JTxZwUs33Rey1qtvQnM
-> ssh-ed25519 r+nK/Q jh3gdHmJMBCQbMQdYdko4Igwt0y62eIZaTlNsO/nw1Y
NgflhTMQOIbyl1udyCuvRsIDxIkOK+QZbVRHLNThDJs
-> ssh-rsa krWCLQ
kOodyo51tOrDsqKSyN/WyJXq7Kot54eb66WBfHVVuYqAafQZnaUvSgXInc4Ba8M9
+pdwX37zff47gGr/obadKkAGf42xnu7nB8c6T68u/TNwKlQoIUuebEFEdqqp+dFe
KY3DlM9LPyMMLO+Tk0t3djE9lp1FkbUeeDOk06rEgQyCs0HATKoa2k/c6/pim6vZ
wvu/YxkJAdIIOdkunkKs1kiuCIbeqIQfb2vz/hpBUNI8e8T4S2W7zIVMocRDfYoq
dPYj4kHRbnqeyWcobymCuXNdtGnhsT50oS3UGEvr4flaRpREQ+babp1g9uApnU6s
oPbmlrwTB50FJA9mxp9rSw
-> ssh-ed25519 /vwQcQ SVB+hkmtVwrsNShWD7agmjuZs64+pah596YIFZH/Eww
SyRzjAkoKTfNcOMf5OiIVU/wHiPi+rDuXQ0qns9vhf0
-> ssh-ed25519 0R97PA mrJuOmOhgGEbRMC/VYvJ++e1RGTTAZl7dzAJPT+6jUo
Rn4+0P0spe1Xjn+3twu/cCdKBmsj5y327bESx8FkqJk
-> ssh-ed25519 JGx7Ng VXVauDsi3WOxQ2G90ElTdGMueEtVxlQsbUHsceFJTB0
AZNRGSyxTZn+L9e9eggyGlINvDSg5hQowBtv0hX954Q
-> ssh-ed25519 bUjjig OBwPeegYOacrZxLrlxdVpOkshBCUIYOOgyF6LdOVTjw
MJAv6ieAneoAe3//A6b3dBvJCze9uxFVRqlQnkm+rAY
-> ssh-ed25519 VQSaNw ldI3O8GyoxhxvrE3okoVvPTrFYnUKNA0See4buKO7GA
wcpmfgUNs0MyVcm/VGmwBpkZ++UGkTNDCiqqpYL2XXw
-> n>[M-grease _ D--b ? [8U|"=~
YZ1c1yZ4273rUu4v+APm/eBy8HQyish8t2zkTvjYFd8/pdA9uRkHogQGIBnlAi3h
tq6/02nnT/QgZPcccQCD3SlwzkU0U2qdXIAdGtgzCo0FZsIYdkeU+VyoJDfcVt1o
qXc
--- lzSSWa0AAP8vhy6RfNChbM71Apmn7b6pLT1CtYFVrpQ
<04>Ôï\÷/Áºß£íÄ*‰ŒÿÙi"ºÅåÝa/[Rr
O)u^½Ÿ,Ù"%Km£¥<C2A3>zµkÝ°3)›Ù¡‰ø)ÌbS{^§<13>!y°ÅLÉ ERñ˜Ç Q»uÅEEË;Êä´¤VÐ-¶?[ù<>uÑñÏ`Fvè%+$Ú§{¯xŦügQºëiôy°<79>»#.^ìŒÓÎùÈ_*¤=íò×1êîÜC õ ê ~¸


@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M
TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI
-> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE
nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ
-> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE
AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY
-> ssh-rsa krWCLQ
AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH
TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC
i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl
Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4
h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev
1O7xqUhcRXgFUbDYRjTsLw
-> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY
zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA
-> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g
z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54
-> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0
yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k
-> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20
FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg
-> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM
EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg
-> /Wa)P<iw-grease (;ag_e g#LM+oA Y n(M-1K+.
lWfOmA
--- k01yU9ZR8KIyG0JEfcYoP4iBlvqq7J676oPfDLpbvfs
ÎD—èŒ<C3A8>Ptáçø4Õ•?6”N|ÐïZƒ³åM/œqo¨[ÄNä


@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc
hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI
-> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw
S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA
-> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8
5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM
-> ssh-rsa krWCLQ
HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz
BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL
CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5
rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS
x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ
/pcg11dUQpXJdaIiPEowlg
-> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM
hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk
-> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI
32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA
-> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs
i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE
-> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw
nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4
-> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc
jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8
-> $5-grease (y&6%5f<
YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd
G+fhmUbFuDj8ZtXg6yk
--- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg
.¼Zs‡…n} ®ì,èémõR€ÏêeÞ)¾bOª¶<C2AA>îնܷ†m8¼z£RyúìT/¦@¿CÜÝôW™¨F5ˆ?<ð.[Ö†r¡Ó[°M


@ -4,14 +4,19 @@
(import ../../../../keys).mkSecrets [ "web03" ] [
# List of secrets for web03
"bupstash-put_key"
"dj_annuaire-secret_key_file"
"dj_bocal-secret_key_file"
"dj_ernestophone-secret_key_file"
"dj_ernestophone-password_file"
"dj_ernestophone-admins_file"
"dj_gestiojeux-secret_key_file"
"dj_interludes-email_host_password_file"
"dj_interludes-secret_key_file"
"dj_wikiens-secret_key_file"
"webhook-annuaire_token"
"webhook-bocal_token"
"webhook-ernestophone_token"
"webhook-gestiojeux_token"
"webhook-interludes_token"
"webhook-wikiens_token"


@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA Ifc4K8jusXCbeMSYeAL+3jdvmDK1ojYiSzHJO/uefzk
h5ewdTYV3o8+tPCzVWvLtqEM3WxVjtOqTRnrFAwKnes
-> ssh-ed25519 QlRB9Q djvVFcR5y+WI5+rED8ztIQZuLfCj2z8wHx3WIutlfjk
nsTUZEQRJAAZfNXw2YbzwV+RUJEx6Dmi0ujswMBqIro
-> ssh-ed25519 r+nK/Q Ryx2iuVCefSFFMEyRjVbKFxTqaX6D+Ty4B1+6mRLSCg
s7YjJa6NESaNZ9wzurlrsovu5ecJNnWLOhD80RnFqV4
-> ssh-rsa krWCLQ
utXBcdyAmbl463xcacn1+K9UyG78vKG9LW1vJ/q40ltqEsuxktP2C5YgBL2Whcld
UYTsNFa3b02HP1wp0fPP4eVyk0NNKqO1rairMAvLJmQk15s0OVCk7LvjZe+Q31m1
gYxBSuN4oy7gljtOlIfrHtcRqDMC5IToYSt91pwt/0wgkHDH1OcLap8jaQIuPdc1
pQqd6iUTF96kvvp1P6XbvOHH3nVLNw/bITR5BUSqm/YBocJBrDNIL2wXcq27bBMs
YqF2nykztoSss+YM40XnHx14wNU0WeocbSYuPKabKvtgV0ry62w+EW5t453TfMng
y0dYmBdXVTKgCyL2v/onlA
-> ssh-ed25519 /vwQcQ tax06kUoYtjoUZ8k0+2L0cBr9CTpZpWd5Ev1qRh4dWM
x2RYQ+53UJnBXz8plzYrpga9JCWgm+WvkjpGg+CpG8M
-> ssh-ed25519 0R97PA DoPbx9NVAHTe6NRxT50nwdStoUJRnATQDEKgIyq2hhA
6DUg7uQ9L80KzaMJi6h/Nm5EgtLlAI+R01Mke9GpyzQ
-> ssh-ed25519 JGx7Ng AG1PM5MB2TlfZoiF29gu01LqhcQ+rEQRQZHFVxdHYG8
ePz8kT+axuMZe8MKi1Yj+ZOCITIYjVAuRE2iTScgpyY
-> ssh-ed25519 bUjjig SgZgUi5qfE8wK54Mj8P/FJ4QPNs4HUV5qPc9jJTskmY
n/fedObFehvhLwd3uhkhfBamFpjZDVK7M1J67BucoPI
-> ssh-ed25519 VQSaNw a+SLVFR9PqKgyHfAPTjH4SGkp4XXjz6xz6uMjZgYOg0
hv5F5ENsfpU27opx8OT4mvL0waGO+AieG/VXvHNi2hg
-> g**u4-grease Fb|HQ E
FcQESlzpmCxDtrbCZhddPdNjVROYKj2XsOppqa2GPZsWqQH8cFfKzxjwlNlE7WNF
Q3xupVqn8H1Cg98i
--- lYBZVJ4DEtBmKhenHOOkQpuPT7TrGGgN1OmTrfCTtY4
Žy[§—ÀÒh{`Z³öNŠx/ùºóSyFú£ç
+¨Õr: ¶úÀ cJ¸L˜b¿Mô™w<E284A2>n+™õœ"§¢—|w¼¯¬kµ*


@ -99,6 +99,7 @@ let
"prometheus" # Prometheus
"victoria-metrics" # Victoria Metrics
"videos" # Peertube
"pub"
# Garage S3
"*.cdn"
@ -123,7 +124,6 @@ let
"netbox" # Netbox
"podcasts" # Castopod
"push" # Ntfy.sh
"pub" # Url de promotion (qrcodes etc...)
# Static websites
"eleves"


@ -82,6 +82,63 @@
netbirdIp = "100.80.233.249";
};
hypervisor01 = {
interfaces = {
eno4 = {
ipv4 = [
{
address = "10.0.254.11";
prefixLength = 24;
}
];
gateways = [ "10.0.254.1" ];
enableDefaultDNS = true;
};
};
hostId = "4dbbd76a";
netbirdIp = "100.80.242.115";
};
hypervisor02 = {
interfaces = {
eno4 = {
ipv4 = [
{
address = "10.0.254.12";
prefixLength = 24;
}
];
gateways = [ "10.0.254.1" ];
enableDefaultDNS = true;
};
};
hostId = "d0b48483";
netbirdIp = "100.80.37.202";
};
hypervisor03 = {
interfaces = {
eno4 = {
ipv4 = [
{
address = "10.0.254.13";
prefixLength = 24;
}
];
gateways = [ "10.0.254.1" ];
enableDefaultDNS = true;
};
};
hostId = "1c407ea8";
netbirdIp = "100.80.58.178";
};
rescue01 = {
interfaces = {
ens18 = {


@ -91,6 +91,63 @@
};
};
hypervisor01 = {
site = "pot01";
hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
stateVersion = "24.11";
nixpkgs = {
version = "24.11";
system = "nixos";
};
adminGroups = [ "hypervisors" ];
deployment = {
targetHost = "hypervisor01.dgnum";
};
};
hypervisor02 = {
site = "pot01";
hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";
stateVersion = "24.11";
nixpkgs = {
version = "24.11";
system = "nixos";
};
adminGroups = [ "hypervisors" ];
deployment = {
targetHost = "hypervisor02.dgnum";
};
};
hypervisor03 = {
site = "pot01";
hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";
stateVersion = "24.11";
nixpkgs = {
version = "24.11";
system = "nixos";
};
adminGroups = [ "hypervisors" ];
deployment = {
targetHost = "hypervisor03.dgnum";
};
};
rescue01 = {
site = "luj01";
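Review bot: The `hashedPassword` values added for hypervisor01, hypervisor02 and hypervisor03 are stored in clear in the node metadata, whereas other credentials in this change set are shipped as age-encrypted files. yescrypt (`$y$`) is a sound scheme, but a hash kept in the repository stays open to offline guessing by anyone who can read it, including through history after a rotation. If the consuming module allows it, provisioning the hash from an encrypted secret (NixOS offers `users.users.<name>.hashedPasswordFile`) would remove that exposure; otherwise a comment such as `# yescrypt hash; rotate when repository read access changes` would record the assumption. How `hashedPassword` is consumed is outside this hunk, so this is a suggestion to confirm rather than a defect.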


@ -91,6 +91,10 @@
"ecoppens"
];
hypervisors = [
"catvayor"
"ecoppens"
];
};
external = {


@ -11,7 +11,12 @@
}:
let
inherit (lib) mkEnableOption mkOption remove;
inherit (lib)
getExe'
mkEnableOption
mkOption
remove
;
inherit (lib.types)
attrs
@ -34,6 +39,7 @@ let
compute01 = "*-*-* *:38:00";
storage01 = "*-*-* *:21:00";
web01 = "*-*-* *:47:00";
web03 = "*-*-* *:13:00";
};
mkJobs = builtins.mapAttrs (
@ -93,7 +99,7 @@ in
"${db}-db".settings = {
user = "postgres";
command = [
"${lib.getExe' config.services.postgresql.package "pg_dump"}"
(getExe' config.services.postgresql.package "pg_dump")
db
];
};
@ -113,6 +119,8 @@ in
"storage01"
"vault01"
"web01"
"web02"
"web03"
];
allowed = [ "put" ];
}


@ -6,4 +6,5 @@
"compute01.key"
"storage01.key"
"web01.key"
"web03.key"
]


@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA CuALmA0MhxnWOn91YhtxAyn1h3xkoiuRoo4Ew1Eu32Q
TRZxY9rF3NM9ulaA6s6SUetVcLT0He9yGaDZ38T9F6A
-> ssh-ed25519 QlRB9Q TNA65R5tFs+KXJklNgfPPF12W52Fk6w7epstVzk9Ojw
SD3IW1+ngBUkbBJz+53zDFVhne6b5rfVi2ym0UjTwLM
-> ssh-ed25519 r+nK/Q b67auhVkYiVwthLGP3z719Ql/kHZQbxuJJgL7NzZiVc
kl0ML0yd+QqBm9VZwMcMrZ8uuQkbJySaa9kI4RQFOak
-> ssh-rsa krWCLQ
NfHVOPshS0CR3ATrPcYAAiX/kAbgqw6mEVhxdTnvbWa8cPpblUpO/gm4UqW2vP0Q
XUfvOCgH6ur3joLf/NylqwZ0UkQhmNj2hu8cOtjC4KgTohkMkZZmHlFKM9e3PuSS
ZMx0GraugdTUD/ViCplwVxFPBUUblLcAuYx/BcV1hTb0ctbN9afi8DVzuSxoalDj
Jy1UakJU0OwguB+ctv9kZcyLyV7zjchiq+dAoIDvkw0Z9bTCz7xhQ6uXAE7ahp3H
rvycD/ZkK7h6yhg78x2lIBHP3sPaY3DFMFW9bDLtHYox22RVcm6/7oPbv0hTQ8ob
n4Q7MWPF4vL1Xz9zyksetQ
-> ssh-ed25519 /vwQcQ YvQmf/qYc6DVQT0gFPGuakvgDg/A76tor3f0+nTjbH4
lMQoOb/kimcsSmNnUsUW7XmVdhLMee/s4NACiKi0Xls
-> ssh-ed25519 0R97PA LzA+wuKlE3cEOpvGEW29/rx3qCU1X32F8HwJNic2Glg
VOBmCcrtGrUk3ERWJL4QszdDtJrfoI/f1xA+X+a+PQk
-> ssh-ed25519 JGx7Ng MIxNmk0eTtCUMHiWzklS2zNWdf16EHeOtere8cRoNSk
X+gf1Ts9n2U+h6a0herR+WuiRXFS5BhicGKxpHQtQzM
-> ssh-ed25519 bUjjig uSweFovyFxnz7Pqc/MCEE5/ZKgEblqs8xb1Ni+qrhS0
AUhBDt7YN4x6k34g7mERYbn7rPVPZMmVvmZD668blRs
-> m-grease \ %<B.PbZ ^G= >nhHA<}
KhUslr0J28p4r62y0bCKOg2jGOx6M7deQ9Y8gfQ9oi7WYiEygoMghWdUP0lnzh3i
a+rpJNPtRCIFScDWMazSvnmN6y5Y7W3dmOgLH8aN
--- +/Cw6vq7b3Kn4D3/ogaSPxfxHBF0YxLXTxiskuD0vHg
ðÎN½UÉÏôbÈ!­D~Ò<>¬‰æ¿Aൟ¥1¯,ÙÍòe;y)NNøO­]9C_l{ œÎ„'Ù-÷<È°¢:¯ÊMÕ¯Á%ïq Œ¸Œ™í®“‰"Ûªð¦˜A­®ÜMhè,iì<69>¦<EFBFBD>S9šÜyp&r /ŒÜÃlÙîÂ!.oƒ…ô¥ èAº‰µ{#ƒt<08>úé4eA-ÆFš­ßÔ9+ˆ—"¿e¥7»pÏüN”¢BÚ×˶¾Úþ•OÝŸæOIÊ­ kDèŒæ‹ˆZ=Pq—ðšQ üGB²OÅj×ÒhHû+¡ëX<C3AB>¿‰Lά¶ÎP™ 4ÿÐX$¢Áy©÷ßÀxoÞáÄÍ <09>Æ܈]â»_µ³ \¼M<C2BC>7m.ByŽºlCr†-ŽH M¤“ãuªùu…+X}¦oÛgg.ÌŠG/$¯LXözÁBâ…¾¿¹sÔá©DÉÈK„Ç>þeü~2‡+WÂÿ©¹ƒÏq<C38F>Ï¢òPßSÕîRÆIñD {"jD¡ƒÉŸ9 åÈ<C3A5>¥= ¬SüÒ=<3D>®—HtHÕêbs¬Ÿµ£+èTÑãà0OŒ £}˜mÓp«©ž
ƒǧ±÷žmSå™8èïa±ípë2ÝÞ”° d°ÈÍÕSùròz½²í v#ÇÎœsñíÎÕ‰ 0æMù¿ÂÎfÚA%Ó ™Ö³ïçD…뉆P<E280A0>drŠ£ÌXIW±HôG©¾\IÑ8_ª„Lœ8Š Ù 1MÚÚíôµMêz)ö$ì{ªM{S|b=ÙêÏkô*ïO ”{Úêz•ª2:6}#>_¨Ë-$ǪÈÑV‰ãp¨²(" Wé«U[>>¤žÌ0Qh°-‰ê]¤§ªÞ†r;d&T¡£vÝ-i†Å]šû$ó°$<24>½aè™E94žéé`žçÐ<>í=!p©Æ[£ºqÖϦ?U•/ÏkÀ… ÍwÓ^¥ZµÚIJèG¬lœiÇâè…€ö4C÷áb…Ñ´ªà+!Ót<C393>\¶t1ôc¡ ¯îSÇ~ž€+Ò‘Ñ·[5­¡jùû g6†&©¯o¼´˜±ôÃ


@ -38,6 +38,7 @@ let
inherit (lib.types)
attrs
attrsOf
bool
enum
functionTo
ints
@ -129,6 +130,12 @@ in
'';
};
serveMedia = mkOption {
type = bool;
default = true;
description = "Wther to serve the MEDIA_ROOT directory with nginx.";
};
env_prefix = mkOption {
type = str;
default = toUpper name;
@ -473,13 +480,18 @@ in
{
virtualHosts = mapAttrs' (
name:
{ domain, nginx, ... }:
{
domain,
nginx,
serveMedia,
...
}:
nameValuePair domain (
recursiveUpdate {
locations = {
"/".proxyPass = "http://unix:/run/django-apps/${name}.sock";
"/static/".root = "/run/django-apps/${name}";
"/media/".root = "/run/django-apps/${name}";
"/media/".root = mkIf serveMedia "/run/django-apps/${name}";
};
} nginx
)
@ -720,5 +732,14 @@ in
) config.extraServices)
) cfg.sites);
};
dgn-backups = {
# jobs = mapAttrs' (
# name: _: nameValuePair "dj-${name}" { settings.paths = [ "/var/lib/private/django-apps/${name}" ]; }
# ) cfg.sites;
postgresDatabases = builtins.map (name: "dj-${name}") (
attrNames (filterAttrs (_: { dbType, ... }: dbType == "postgresql") cfg.sites)
);
};
};
}
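Review bot: With `serveMedia = false`, `"/media/".root = mkIf serveMedia …` in the virtualHosts hunk still declares the `/media/` location, because the condition guards only the `root` value and not the location attribute itself. As far as I can tell the generated nginx config then keeps an empty `location /media/` block, which takes precedence over the `/` proxy, so media requests would reach neither MEDIA_ROOT nor the Django application and any access control the app applies to uploads is never exercised. Building the entry conditionally avoids this and stays compatible with the surrounding `recursiveUpdate`: `locations = { … } // lib.optionalAttrs serveMedia { "/media/".root = "/run/django-apps/${name}"; };`. The option description in the second hunk also reads `Wther` instead of `Whether`. The module body starts and ends outside these hunks, so this should be checked against a built configuration.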


@ -34,9 +34,9 @@
"url": "https://git.dgnum.eu/DGNum/cas-eleves.git"
},
"branch": "main",
"revision": "4590bba217cfb5bb2a04798a8344d5264715dc82",
"revision": "acf98f1c6bfc97b7dae62e8cc723a1c16bf8d1a4",
"url": null,
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
"hash": "1lhk46ickm2bv7rjzwb9ys7k7aj4kd75mbca27mkcddwpni5lm5l"
},
"cgroup-exporter": {
"type": "Git",
@ -262,9 +262,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
},
"branch": "main",
"revision": "e8494b9d6110a97e2225b2fe43d29efa34cd9451",
"revision": "cc01e1c2a6ecb1e38fde35ee54995a6a639fb057",
"url": null,
"hash": "1r2g3jdr311cn8y0cxvawc6qyp58lbydscp5hxadya2vl810vpln"
"hash": "17a9vlwrk9365ccyl7a5xspqsn9wizcpwdpvr3qdimvq4fpwhjal"
},
"nix-reuse": {
"type": "GitRelease",
@ -346,9 +346,9 @@
"url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma"
},
"branch": "master",
"revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
"revision": "d378d1ce00c676fa22ef0808cf73f3e1c34e0191",
"url": null,
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
"hash": "00k5i3n1g869g4070ryfdwqnk3k78fan1s8pqmnbq2m7m29hmb8f"
},
"wp4nix": {
"type": "Git",


@ -14,52 +14,6 @@ in
(local ./lix/01-disable-installChecks.patch)
];
"nixos-24.05" = [
(local ./nixpkgs/06-netbox-qrcode.patch)
# nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
{
id = "275165";
hash = "sha256-9a26V3Pi8yLD3N9+mC1kvJoruxRTp/qOHapnt6VX7pw=";
}
# karla: init at 2.004
{
_type = "commit";
sha = "7c51104112e8ea0e2ac53bf7d535e677f7686a9e";
hash = "sha256-1TBLzZkvkFhCL8RYVVIUhTyrH3+X1iJIMkyHffmrOWc=";
}
# Crabfit: don't depend on all google-fonts
(local ./nixpkgs/04-crabfit-karla.patch)
# nixos/kanidm: add basic provisioning
{
id = 251598;
excludes = [ "pkgs/by-name/ka/kanidm/package.nix" ];
hash = "sha256-z4b1ljwapfj4KpXEEAMmhYKogstKtURyq+hoJcfEXiw=";
}
# kanidm-provision: 1.1.1 -> 1.1.2
{
id = 336836;
hash = "sha256-4ihpxYdLp559RIcKRC6GPt5flLCohFiPGp0k9h1s1hs=";
}
# nixos/kanidm: fix systemd service type
{
id = 337527;
excludes = [ ".git-blame-ignore-revs" ];
hash = "sha256-ca7CsPuWJqucC77ejsvoDAt+wxWLUP30IdXtZQVQrko=";
}
# Add Collabora Online
{
id = 330708;
hash = "sha256-655zkmch5VLXEUzhT6+b7QpywslDoIMZ8mY0II55Wlw=";
}
];
"nixos-24.11" = [
# nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
{


@ -1,24 +0,0 @@
diff --git a/pkgs/by-name/cr/crabfit-frontend/package.nix b/pkgs/by-name/cr/crabfit-frontend/package.nix
index 99d7be0fdeae..9f858e8a9a9e 100644
--- a/pkgs/by-name/cr/crabfit-frontend/package.nix
+++ b/pkgs/by-name/cr/crabfit-frontend/package.nix
@@ -8,7 +8,7 @@
nodejs,
yarn,
fixup_yarn_lock,
- google-fonts,
+ karla,
api_url ? "http://127.0.0.1:3000",
frontend_url ? "crab.fit",
}:
@@ -83,9 +83,7 @@ stdenv.mkDerivation (finalAttrs: {
patchShebangs node_modules
mkdir -p src/app/fonts
- cp "${
- google-fonts.override { fonts = [ "Karla" ]; }
- }/share/fonts/truetype/Karla[wght].ttf" src/app/fonts/karla.ttf
+ cp "${karla}/share/fonts/truetype/Karla-Regular.ttf" src/app/fonts/karla.ttf
runHook postConfigure
'';