20 commits
Author | SHA1 | Date | |
---|---|---|---|
|
383911d619 | ||
5fa7ccb8e7 | |||
e19100f856 | |||
|
3085d9e3a8 | ||
31e3aabc8f | |||
|
7c6c753c67 | ||
4622da188c | |||
2855d62a43 | |||
f8df18f13c | |||
|
324c37f884 | ||
|
9b71232c58 | ||
54f2057dfc | |||
|
b8e75176e1 | ||
cab2bc381c | |||
f6d2de3115 | |||
200104bf84 | |||
8c8093b778 | |||
1b7b1c3a4f | |||
af1e11f01b | |||
60a5aea5a8 |
50 changed files with 1173 additions and 366 deletions
|
@ -54,6 +54,39 @@ jobs:
|
|||
STORE_USER: admin
|
||||
name: Build and cache geo02
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
hypervisor01:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: hypervisor01
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache hypervisor01
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
hypervisor02:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: hypervisor02
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache hypervisor02
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
hypervisor03:
|
||||
runs-on: nix
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- env:
|
||||
BUILD_NODE: hypervisor03
|
||||
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||
STORE_USER: admin
|
||||
name: Build and cache hypervisor03
|
||||
run: nix-shell -A eval-nodes --run cache-node
|
||||
netcore02:
|
||||
runs-on: nix
|
||||
steps:
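Review bot: `- uses: actions/checkout@v3` in each job added here references a mutable tag, so the code the checkout step runs can change underneath the node builds; pinning it to the full commit SHA with the tag kept as a comment, `- uses: actions/checkout@<FULL_COMMIT_SHA> # v3`, makes the action reproducible and auditable. The hypervisor01, hypervisor02, hypervisor03 and netcore02 jobs differ only in the node name, so a `strategy.matrix` over the node with `BUILD_NODE: ${{ matrix.node }}` and `name: Build and cache ${{ matrix.node }}` would replace the repeated `STORE_ENDPOINT`/`STORE_PASSWORD`/`STORE_USER` wiring with a single block to review. The netcore02 job's `steps:` continues past the end of the hunk.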
|
||||
|
|
|
@ -20,7 +20,7 @@ precedence = "closest"
|
|||
[[annotations]]
|
||||
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
|
||||
SPDX-License-Identifier = "EUPL-1.2"
|
||||
path = ["machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/04-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
|
||||
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
|
||||
precedence = "closest"
|
||||
|
||||
[[annotations]]
|
||||
|
|
|
@ -40,6 +40,7 @@ let
|
|||
nixfmt-rfc-style = {
|
||||
enable = true;
|
||||
stages = [ "pre-push" ];
|
||||
package = pkgs.nixfmt-rfc-style;
|
||||
};
|
||||
|
||||
reuse = nix-reuse.hook {
|
||||
|
@ -84,6 +85,7 @@ let
|
|||
# Patches
|
||||
{
|
||||
path = [
|
||||
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
|
||||
"machines/nixos/compute01/librenms/kanidm.patch"
|
||||
"machines/nixos/compute01/stirling-pdf/*.patch"
|
||||
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
|
||||
|
@ -91,7 +93,6 @@ let
|
|||
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
|
||||
"patches/lix/01-disable-installChecks.patch"
|
||||
"patches/nixpkgs/03-crabfit-karla.patch"
|
||||
"patches/nixpkgs/04-crabfit-karla.patch"
|
||||
"patches/nixpkgs/05-netbird-relay.patch"
|
||||
];
|
||||
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
|
||||
|
@ -151,7 +152,6 @@ in
|
|||
src = sources.nixos-generators;
|
||||
}))
|
||||
pkgs.npins
|
||||
pkgs.reuse
|
||||
|
||||
# SSO testing
|
||||
pkgs.kanidm
|
||||
|
@ -163,7 +163,7 @@ in
|
|||
})
|
||||
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
||||
] ++ (builtins.attrValues scripts);
|
||||
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
|
||||
|
||||
shellHook = ''
|
||||
${git-checks.shellHook}
|
||||
|
|
|
@ -21,6 +21,15 @@ rec {
|
|||
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
|
||||
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
|
||||
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
|
||||
hypervisor01 = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
|
||||
];
|
||||
hypervisor02 = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
|
||||
];
|
||||
hypervisor03 = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
|
||||
];
|
||||
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
|
||||
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
|
||||
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
|
||||
|
|
63
machines/nixos/compute01/ds-fr/01-smtp-tls.patch
Normal file
63
machines/nixos/compute01/ds-fr/01-smtp-tls.patch
Normal file
|
@ -0,0 +1,63 @@
|
|||
From de5e8237e4bd8f3e325473c789fb542d01557f27 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Hubrecht <tom@hubrecht.ovh>
|
||||
Date: Fri, 22 Sep 2023 17:26:27 +0200
|
||||
Subject: [PATCH 1/2] fix(smtp): Allow specifying SSL settings
|
||||
|
||||
---
|
||||
config/environments/production.rb | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/config/environments/production.rb b/config/environments/production.rb
|
||||
index cf942cd6c70..39692890213 100644
|
||||
--- a/config/environments/production.rb
|
||||
+++ b/config/environments/production.rb
|
||||
@@ -105,7 +105,8 @@
|
||||
user_name: ENV.fetch("SMTP_USER"),
|
||||
password: ENV.fetch("SMTP_PASS"),
|
||||
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
|
||||
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
|
||||
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
|
||||
+ ssl: ENV.fetch("SMTP_SSL").present?
|
||||
}
|
||||
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
|
||||
config.action_mailer.delivery_method = :sendmail
|
||||
|
||||
From a406428ee761231c3e82dd5c8f5154d04474a238 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Hubrecht <tom@hubrecht.ovh>
|
||||
Date: Mon, 25 Sep 2023 10:17:37 +0200
|
||||
Subject: [PATCH 2/2] fix(smtp): Disambiguate configuration options for SMTP
|
||||
|
||||
---
|
||||
config/env.example.optional | 3 ++-
|
||||
config/environments/production.rb | 4 ++--
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/config/env.example.optional b/config/env.example.optional
|
||||
index 050e5d49bec..25bea8328fb 100644
|
||||
--- a/config/env.example.optional
|
||||
+++ b/config/env.example.optional
|
||||
@@ -206,7 +206,8 @@ SMTP_HOST=""
|
||||
SMTP_PORT=""
|
||||
SMTP_USER=""
|
||||
SMTP_PASS=""
|
||||
-SMTP_TLS=""
|
||||
+SMTP_STARTTLS="enabled" # Use any non-blank value to enable starttls
|
||||
+SMTP_TLS="" # Use any non-blank value to enable TLS
|
||||
SMTP_AUTHENTICATION="plain"
|
||||
|
||||
# Sendmail
|
||||
diff --git a/config/environments/production.rb b/config/environments/production.rb
|
||||
index 39692890213..bc203bbbaab 100644
|
||||
--- a/config/environments/production.rb
|
||||
+++ b/config/environments/production.rb
|
||||
@@ -105,8 +105,8 @@
|
||||
user_name: ENV.fetch("SMTP_USER"),
|
||||
password: ENV.fetch("SMTP_PASS"),
|
||||
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
|
||||
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
|
||||
- ssl: ENV.fetch("SMTP_SSL").present?
|
||||
+ enable_starttls_auto: ENV.fetch("SMTP_STARTTLS", "enabled").present?,
|
||||
+ tls: ENV.fetch("SMTP_TLS", "").present?
|
||||
}
|
||||
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
|
||||
config.action_mailer.delivery_method = :sendmail
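Review bot: The second patch changes the meaning of `SMTP_TLS` from "enable STARTTLS" (patch 1, `enable_starttls_auto: ENV.fetch("SMTP_TLS").present?`) to "enable implicit TLS" (`tls: ENV.fetch("SMTP_TLS", "").present?`), while STARTTLS moves to `SMTP_STARTTLS` with a default of `"enabled"`; a deployment that carries over an old `SMTP_TLS="true"` therefore switches from STARTTLS to SMTPS, and one that set nothing now gets STARTTLS where it previously had none. A line next to the renamed variables in `config/env.example.optional`, such as `# Renamed: SMTP_TLS formerly meant STARTTLS; use SMTP_STARTTLS for that`, would record the migration for operators. The first patch's `ENV.fetch("SMTP_SSL")` has no default and raises when the variable is absent, but it is superseded within the same series, so only the final state matters. The header announces 63 added lines and the page shows 61 code rows, so the tail of the file is probably cut here.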
|
|
@ -11,41 +11,49 @@
|
|||
|
||||
let
|
||||
host = "demarches.dgnum.eu";
|
||||
port = 3000;
|
||||
|
||||
dgn-id = "1fbe81d211b18dae7b9c1727362997c62636f24a";
|
||||
dgn-id = "8dfdc60d1aa66e7206461ed7a49199f624a66b4e";
|
||||
patch = pkgs.fetchurl {
|
||||
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
|
||||
hash = "sha256-6JdbUf2fc79E5F1wtYFnP1JLGJffhGbjaxysRFr8xN4=";
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
dgn-web.internalPorts.ds-fr = 3000;
|
||||
dgn-web.internalPorts.ds-fr = port;
|
||||
|
||||
services.demarches-simplifiees = {
|
||||
enable = true;
|
||||
|
||||
package =
|
||||
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
|
||||
initialDeploymentDate = "20230923";
|
||||
}).overrideAttrs
|
||||
(old: {
|
||||
dsModules = old.dsModules.overrideAttrs {
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${
|
||||
pkgs.fetchurl {
|
||||
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
|
||||
hash = "sha256-aCq/WkV4+PUSIzXgznwm2sAcaz12Y1zmUbh7QoXoMsM=";
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
});
|
||||
package = (import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.overrideAttrs (old: {
|
||||
dsModules = old.dsModules.overrideAttrs {
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = config.age.secrets."ds-fr-secret_file".path;
|
||||
patches = (old.patches or [ ]) ++ [ ./01-smtp-tls.patch ];
|
||||
|
||||
prePatch = ''
|
||||
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
|
||||
'';
|
||||
|
||||
postPatch = ''
|
||||
rm -f lib/tasks/deployment/20240830192553_backfill_hide_instructeurs_email.rake
|
||||
rm -f lib/tasks/deployment/20240912151317_clean_virtual_column_from_procedure_presentation.rake
|
||||
rm -f lib/tasks/deployment/20240920130741_migrate_procedure_presentation_to_columns.rake
|
||||
'';
|
||||
});
|
||||
|
||||
inherit host port;
|
||||
|
||||
environmentFile = config.age.secrets."ds-fr-secret_file".path;
|
||||
|
||||
initialDeploymentDate = "20230923";
|
||||
|
||||
settings = {
|
||||
APP_HOST = host;
|
||||
|
||||
environment = {
|
||||
# Disable France Connect and Agent Connect
|
||||
FRANCE_CONNECT_ENABLED = "disabled";
|
||||
AGENT_CONNECT_ENABLED = "disabled";
|
||||
|
@ -65,8 +73,8 @@ in
|
|||
SMTP_HOST = "kurisu.lahfa.xyz";
|
||||
SMTP_PORT = "465";
|
||||
SMTP_USER = "web-services@infra.dgnum.eu";
|
||||
SMTP_TLS = "";
|
||||
SMTP_SSL = "true";
|
||||
SMTP_STARTTLS = "";
|
||||
SMTP_TLS = "true";
|
||||
SMTP_AUTHENTICATION = "plain";
|
||||
|
||||
SUPER_ADMIN_OTP_ENABLED = "disabled";
|
||||
|
@ -87,18 +95,10 @@ in
|
|||
|
||||
RUBY_YJIT_ENABLE = "1";
|
||||
|
||||
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-23";
|
||||
WEASYPRINT_URL = "http://127.0.0.1:5000/pdf";
|
||||
|
||||
# Customization
|
||||
# HEADER_LOGO_SRC = "logo_ens_psl_couleur.png";
|
||||
# HEADER_LOGO_ALT = "Par la Recherche, pour la Recherche";
|
||||
# PROCEDURE_DEFAULT_LOGO_SRC = "logo_ens_psl_couleur.png";
|
||||
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-12-18";
|
||||
};
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "ds-fr" ];
|
||||
|
||||
dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/ds-fr" ];
|
||||
# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];
|
||||
dgn-backups.postgresDatabases = [ "ds-fr" ];
|
||||
}
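Review bot: `dgn-backups.jobs.ds-fr.settings.paths` is now commented out (`# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];`), so only the `ds-fr` Postgres database remains in the backup set; the uploaded files the new module keeps under `$STATE_DIRECTORY/storage` are no longer backed up, which is a data-loss risk on a host rebuild. If the commented path is the intended location for the DynamicUser state directory, re-enable it; if backups of the storage were disabled deliberately, a one-line comment saying why and what covers it instead would stop the next reader from re-adding it blindly. The SMTP hunk above (`SMTP_STARTTLS = ""`, `SMTP_TLS = "true"` together with `SMTP_PORT = "465"`) is consistent with the renamed variables in 01-smtp-tls.patch.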
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
# Copyright Tom Hubrecht, (2023)
|
||||
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
||||
# SPDX-FileCopyrightText: 2023-2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
||||
#
|
||||
# SPDX-License-Identifier: EUPL-1.2
|
||||
|
||||
|
@ -7,192 +6,290 @@
|
|||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
utils,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib)
|
||||
getExe
|
||||
getExe'
|
||||
mapAttrs
|
||||
mkDefault
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
|
||||
mkPackageOption
|
||||
optional
|
||||
optionalString
|
||||
|
||||
types
|
||||
;
|
||||
|
||||
inherit (lib.types)
|
||||
attrsOf
|
||||
nullOr
|
||||
oneOf
|
||||
package
|
||||
path
|
||||
port
|
||||
str
|
||||
;
|
||||
|
||||
inherit (utils) escapeSystemdExecArgs;
|
||||
|
||||
cfg = config.services.demarches-simplifiees;
|
||||
|
||||
settingsFormat = pkgs.formats.keyValue { };
|
||||
|
||||
env = settingsFormat.generate "ds-fr-env" cfg.settings;
|
||||
|
||||
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
|
||||
set -a
|
||||
cd ${cfg.package}
|
||||
|
||||
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
|
||||
source ${env}
|
||||
|
||||
BIN="$1"
|
||||
shift
|
||||
|
||||
SUDO="exec"
|
||||
if [[ $USER != ${cfg.user} ]]; then
|
||||
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
|
||||
fi
|
||||
|
||||
$SUDO ${cfg.package}/bin/$BIN "$@"
|
||||
'';
|
||||
weasyprintEnv = pkgs.python3.withPackages (ps: [
|
||||
ps.flask
|
||||
ps.sentry-sdk
|
||||
ps.weasyprint
|
||||
]);
|
||||
in
|
||||
{
|
||||
options.services.demarches-simplifiees = {
|
||||
enable = mkEnableOption "demarches-simplifiees.";
|
||||
enable = mkEnableOption "Démarches Simplifiées";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
|
||||
package = mkPackageOption pkgs "demarches-simplifiees" { };
|
||||
|
||||
finalPackage = mkOption {
|
||||
type = package;
|
||||
default = cfg.package.override { inherit (cfg) initialDeploymentDate; };
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "ds-fr";
|
||||
description = "User account under which DS runs.";
|
||||
host = mkOption {
|
||||
type = str;
|
||||
description = ''
|
||||
Hostname of the web server.
|
||||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "ds-fr";
|
||||
description = "Group account under which DS runs.";
|
||||
port = mkOption {
|
||||
type = port;
|
||||
default = 3000;
|
||||
description = ''
|
||||
Listening port for the web server.
|
||||
'';
|
||||
};
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/ds-fr";
|
||||
weasyprintPort = mkOption {
|
||||
type = port;
|
||||
default = 5000;
|
||||
description = ''
|
||||
Port of the weasyprint server.
|
||||
'';
|
||||
};
|
||||
|
||||
logDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/log/ds-fr";
|
||||
environment = mkOption {
|
||||
type = attrsOf (
|
||||
nullOr (oneOf [
|
||||
package
|
||||
path
|
||||
str
|
||||
])
|
||||
);
|
||||
description = ''
|
||||
Evironment variables available to Démarches Simplifiées.
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
environmentFile = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing environment variables.
|
||||
Required secrets are `SECRET_KEY_BASE` and `OTP_SECRET_KEY`,
|
||||
which can be generated using `rails secret`.
|
||||
'';
|
||||
};
|
||||
|
||||
settings = mkOption { inherit (settingsFormat) type; };
|
||||
|
||||
initialDeploymentDate = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Initial deployment date, used to ignore some migrations,
|
||||
which are known to be buggy and are supposed to change old production data.
|
||||
'';
|
||||
};
|
||||
|
||||
interactScript = mkOption {
|
||||
type = package;
|
||||
default = pkgs.writeShellApplication {
|
||||
name = "ds-fr";
|
||||
|
||||
runtimeInputs = [
|
||||
cfg.finalPackage
|
||||
config.systemd.package
|
||||
pkgs.util-linux
|
||||
];
|
||||
text = ''
|
||||
MainPID=$(systemctl show -p MainPID --value demarches-simplifiees.service)
|
||||
|
||||
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
|
||||
'';
|
||||
};
|
||||
description = ''
|
||||
Script to run ds-fr tasks.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
environment.systemPackages = [ ds-fr ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
|
||||
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
|
||||
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
|
||||
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
systemd.services = {
|
||||
ds-fr-setup = {
|
||||
description = "Demarches Simplifiees setup";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [
|
||||
pkgs.bash
|
||||
ds-fr
|
||||
];
|
||||
after = [ "postgresql.service" ];
|
||||
environment.systemPackages = [ cfg.interactScript ];
|
||||
|
||||
systemd.services =
|
||||
let
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
|
||||
User = "ds-fr";
|
||||
DynamicUser = true;
|
||||
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
|
||||
CacheDirectory = "demarches-simplifiees";
|
||||
LogsDirectory = "demarches-simplifiees";
|
||||
RuntimeDirectory = "demarches-simplifiees";
|
||||
StateDirectory = "demarches-simplifiees";
|
||||
WorkingDirectory = cfg.finalPackage;
|
||||
};
|
||||
in
|
||||
{
|
||||
demarches-simplifiees = {
|
||||
description = "Démarches Simplifiées";
|
||||
|
||||
inherit (cfg) environment;
|
||||
|
||||
path = [
|
||||
cfg.finalPackage
|
||||
pkgs.imagemagick
|
||||
];
|
||||
|
||||
after = [
|
||||
"network.target"
|
||||
"postgresql.target"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -p "$STATE_DIRECTORY/storage"
|
||||
|
||||
if [[ ! -f "$STATE_DIRECTORY/.version" ]]; then
|
||||
# Run initial setup
|
||||
rails db:environment:set
|
||||
rails db:schema:load
|
||||
rails db:seed
|
||||
rails jobs:schedule
|
||||
touch "$STATE_DIRECTORY/.version"
|
||||
fi
|
||||
|
||||
if [[ $(cat "$STATE_DIRECTORY/.version") != "$__DS_VERSION" ]]; then
|
||||
# Run migrations on version change
|
||||
rake db:migrate
|
||||
rake after_party:run
|
||||
echo "$__DS_VERSION" > "$STATE_DIRECTORY/.version"
|
||||
fi
|
||||
'';
|
||||
|
||||
serviceConfig = serviceConfig // {
|
||||
ExecStart = escapeSystemdExecArgs [
|
||||
(getExe' cfg.finalPackage "rails")
|
||||
"server"
|
||||
"-b"
|
||||
"127.0.0.1"
|
||||
"-p"
|
||||
cfg.port
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
script = ''
|
||||
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
|
||||
&& ds-fr rails db:environment:set \
|
||||
&& ds-fr rails db:schema:load \
|
||||
&& ds-fr rails db:seed \
|
||||
&& touch ${cfg.dataDir}/.initial-migration
|
||||
demarches-simplifiees-work = {
|
||||
description = "Démarches Simplifiées work service";
|
||||
|
||||
ds-fr rake db:migrate
|
||||
ds-fr rake after_party:run
|
||||
'';
|
||||
};
|
||||
inherit (cfg) environment;
|
||||
|
||||
ds-fr-work = {
|
||||
description = "Demarches Simplifiees work service";
|
||||
after = [ "demarches-simplifiees.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
bindsTo = [ "demarches-simplifiees.service" ];
|
||||
partOf = [ "demarches-simplifiees.service" ];
|
||||
|
||||
wantedBy = [
|
||||
"multi-user.target"
|
||||
"ds-fr.service"
|
||||
];
|
||||
after = [
|
||||
"network.target"
|
||||
"ds-fr-setup.service"
|
||||
];
|
||||
requires = [ "ds-fr-setup.service" ];
|
||||
serviceConfig = serviceConfig // {
|
||||
ExecStart = escapeSystemdExecArgs [
|
||||
(getExe' cfg.finalPackage "rails")
|
||||
"jobs:work"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
|
||||
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
|
||||
weasyprint-server = {
|
||||
description = "Weasyprint server";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
environment = {
|
||||
BASE_URL = "https://${cfg.host}";
|
||||
LOG_DIR = "/var/log/weasyprint";
|
||||
UWSGI_PYTHONPATH = weasyprintEnv;
|
||||
UWSGI_MODULE = "wgsi:app";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Type = "notify";
|
||||
WorkingDirectory = cfg.finalPackage.weasyprint_server;
|
||||
LogsDirectory = "weasyprint";
|
||||
ExecStart = escapeSystemdExecArgs [
|
||||
(getExe (pkgs.uwsgi.override { plugins = [ "python3" ]; }))
|
||||
"--http-socket"
|
||||
"127.0.0.1:${builtins.toString cfg.weasyprintPort}"
|
||||
"--processes=4"
|
||||
"--enable-threads"
|
||||
];
|
||||
NotifyAccess = "all";
|
||||
KillSignal = "SIGQUIT";
|
||||
ExecReload = "${getExe' pkgs.coreutils "kill"} -HUP $MainPID";
|
||||
ExecStop = "${getExe' pkgs.coreutils "kill"} -INT $MainPID";
|
||||
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
ds-fr = {
|
||||
description = "Demarches Simplifiees web service";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [
|
||||
"network.target"
|
||||
"ds-fr-setup.service"
|
||||
];
|
||||
requires = [ "ds-fr-setup.service" ];
|
||||
path = [ pkgs.imagemagick ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${ds-fr}/bin/ds-fr rails server";
|
||||
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
|
||||
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
|
||||
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
demarches-simplifiees.settings =
|
||||
(builtins.mapAttrs (_: mkDefault) {
|
||||
RAILS_ENV = "production";
|
||||
RAILS_ROOT = builtins.toString cfg.package;
|
||||
|
||||
demarches-simplifiees.environment =
|
||||
# Hardcoded values
|
||||
{
|
||||
# Application host name
|
||||
#
|
||||
# Examples:
|
||||
# * For local development: localhost:3000
|
||||
# * For preproduction: staging.ds.example.org
|
||||
# * For production: ds.example.org
|
||||
APP_HOST = "localhost:3000";
|
||||
APP_HOST = cfg.host;
|
||||
|
||||
# Database credentials
|
||||
DB_DATABASE = "ds-fr";
|
||||
DB_USERNAME = "ds-fr";
|
||||
DB_HOST = "/run/postgresql";
|
||||
DB_PORT = "5432";
|
||||
|
||||
# The variables must be present even if empty...
|
||||
DB_PASSWORD = "";
|
||||
DB_POOL = "";
|
||||
|
||||
# Jobs configuration
|
||||
RAILS_QUEUE_ADAPTER = "delayed_job";
|
||||
|
||||
# Log on stdout
|
||||
RAILS_LOG_TO_STDOUT = "true";
|
||||
|
||||
# Package version
|
||||
__DS_VERSION = cfg.finalPackage.version;
|
||||
|
||||
# Weasyprint endpoint generating attestations v2
|
||||
# See https://github.com/demarches-simplifiees/weasyprint_server
|
||||
WEASYPRINT_URL = "http://127.0.0.1:${builtins.toString cfg.weasyprintPort}/pdf";
|
||||
}
|
||||
// (mapAttrs (_: mkDefault) {
|
||||
RAILS_ENV = "production";
|
||||
RAILS_ROOT = builtins.toString cfg.finalPackage;
|
||||
|
||||
# Rails key for signing sensitive data
|
||||
# See https://guides.rubyonrails.org/security.html
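Review bot: In `weasyprint-server.serviceConfig`, `ProtectSystem = "full"` sits next to `DynamicUser = true`; systemd's documentation for DynamicUser= lists `ProtectSystem=strict` and `ProtectHome=read-only` as implied unless set otherwise, so the explicit `full` relaxes the sandbox to read-only `/usr`, `/boot` and `/etc` while leaving the rest of the tree writable. Dropping the line, or writing `ProtectSystem = "strict";`, keeps the stronger default, and a comment on the shared `serviceConfig` of the two Rails units noting that they rely on the same implied DynamicUser baseline would prevent the same "hardening" from being added there. `UWSGI_MODULE = "wgsi:app"` reads like a transposition of `wsgi:app`; confirm it against the module name shipped in `cfg.finalPackage.weasyprint_server`, since uwsgi will fail to import otherwise. Minor: the `environment` option description says `Evironment variables`. This hunk ends inside the `demarches-simplifiees.environment` attribute set, which continues in the following hunks.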
|
||||
|
@ -227,18 +324,6 @@ in
|
|||
# SAML
|
||||
SAML_IDP_ENABLED = "disabled";
|
||||
|
||||
# External service: authentication through France Connect
|
||||
FC_PARTICULIER_ID = "";
|
||||
FC_PARTICULIER_SECRET = "";
|
||||
FC_PARTICULIER_BASE_URL = "";
|
||||
|
||||
# External service: authentication through Agent Connect
|
||||
AGENT_CONNECT_ID = "";
|
||||
AGENT_CONNECT_SECRET = "";
|
||||
AGENT_CONNECT_BASE_URL = "";
|
||||
AGENT_CONNECT_JWKS = "";
|
||||
AGENT_CONNECT_REDIRECT = "";
|
||||
|
||||
# External service: integration with HelpScout (optional)
|
||||
HELPSCOUT_MAILBOX_ID = "";
|
||||
HELPSCOUT_CLIENT_ID = "";
|
||||
|
@ -288,9 +373,6 @@ in
|
|||
# https://api.gouv.fr/api/api-entreprise.html
|
||||
API_ENTREPRISE_KEY = "";
|
||||
|
||||
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
|
||||
PIPEDRIVE_KEY = "";
|
||||
|
||||
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
|
||||
TRUSTED_NETWORKS = "";
|
||||
|
||||
|
@ -299,7 +381,7 @@ in
|
|||
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
|
||||
|
||||
# Enable or disable Lograge logs
|
||||
LOGRAGE_ENABLED = "disabled";
|
||||
LOGRAGE_ENABLED = "enabled";
|
||||
|
||||
# Logs source for Lograge
|
||||
#
|
||||
|
@ -336,57 +418,42 @@ in
|
|||
|
||||
# Siret number used for API Entreprise, by default we use SIRET from dinum
|
||||
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
|
||||
})
|
||||
// {
|
||||
# Database credentials
|
||||
DB_DATABASE = "ds-fr";
|
||||
DB_USERNAME = cfg.user;
|
||||
DB_PASSWORD = "";
|
||||
DB_HOST = "/run/postgresql";
|
||||
DB_POOL = "";
|
||||
|
||||
# Log on stdout
|
||||
RAILS_LOG_TO_STDOUT = true;
|
||||
};
|
||||
# Date from which email validation requires a TLD in email adresses.
|
||||
# This change had been introduced by : cc53946d221d6f64c365ad6c6c4c544802eb94b4
|
||||
# Records (users, …) created before this date won't be affected. See #9978
|
||||
# To set a date, we recommend using *the day after* you have deployed this commit,
|
||||
# so existing records won't be invalid.
|
||||
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-19";
|
||||
});
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases = [ "ds-fr" ];
|
||||
|
||||
ensureUsers = optional (cfg.user == "ds-fr") {
|
||||
name = "ds-fr";
|
||||
ensureDBOwnership = true;
|
||||
};
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "ds-fr";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
|
||||
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
|
||||
extensions = [ config.services.postgresql.package.pkgs.postgis ];
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${cfg.settings.APP_HOST} = {
|
||||
virtualHosts.${cfg.host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
root = "${cfg.package}/public/";
|
||||
root = "${cfg.finalPackage}/public/";
|
||||
|
||||
locations."/".tryFiles = "$uri @proxy";
|
||||
locations."@proxy" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
};
|
||||
locations."@proxy".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users = mkIf (cfg.user == "ds-fr") {
|
||||
ds-fr = {
|
||||
inherit (cfg) group;
|
||||
|
||||
isSystemUser = true;
|
||||
home = cfg.package;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups.${cfg.group} = { };
|
||||
};
|
||||
}
|
||||
|
|
|
@ -18,9 +18,9 @@ in
|
|||
|
||||
settings = {
|
||||
"auth.generic_oauth" = {
|
||||
api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
|
||||
api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo";
|
||||
auth_url = "https://sso.dgnum.eu/ui/oauth2";
|
||||
client_id = "grafana_dgn";
|
||||
client_id = "dgn_grafana";
|
||||
client_secret = file "oauth_client_secret";
|
||||
enabled = true;
|
||||
id_token_attribute_name = "sub";
|
||||
|
|
|
@ -49,7 +49,7 @@ in
|
|||
services.kanidm = {
|
||||
enableServer = true;
|
||||
|
||||
package = pkgs.kanidm_1_3;
|
||||
package = pkgs.kanidm_1_4;
|
||||
|
||||
serverSettings = {
|
||||
inherit domain;
|
||||
|
@ -96,7 +96,7 @@ in
|
|||
dgn_grafana = {
|
||||
displayName = "Grafana [Analysis]";
|
||||
originLanding = "https://grafana.dgnum.eu";
|
||||
originUrl = "https://grafana.dgnum.eu/";
|
||||
originUrl = "https://grafana.dgnum.eu/login/generic_oauth";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
|
@ -111,7 +111,7 @@ in
|
|||
displayName = "LibreNMS [Network]";
|
||||
enableLegacyCrypto = true;
|
||||
originLanding = "https://nms.dgnum.eu";
|
||||
originUrl = "https://nms.dgnum.eu/";
|
||||
originUrl = "https://nms.dgnum.eu/auth/kanidm/callback";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
|
@ -125,7 +125,7 @@ in
|
|||
displayName = "Netbird [VPN]";
|
||||
enableLocalhostRedirects = true;
|
||||
originLanding = "https://netbird.dgnum.eu";
|
||||
originUrl = "https://netbird.dgnum.eu/";
|
||||
originUrl = "https://netbird.dgnum.eu/index";
|
||||
preferShortUsername = true;
|
||||
public = true;
|
||||
|
||||
|
@ -141,7 +141,7 @@ in
|
|||
displayName = "Netbox [Inventory]";
|
||||
enableLegacyCrypto = true;
|
||||
originLanding = "https://netbox.dgnum.eu";
|
||||
originUrl = "https://netbox.dgnum.eu/";
|
||||
originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/";
|
||||
preferShortUsername = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
|
@ -153,9 +153,10 @@ in
|
|||
|
||||
dgn_outline = {
|
||||
displayName = "Outline [Docs]";
|
||||
originUrl = "https://docs.dgnum.eu/";
|
||||
originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
|
||||
originLanding = "https://docs.dgnum.eu";
|
||||
preferShortUsername = true;
|
||||
allowInsecureClientDisablePkce = true;
|
||||
|
||||
scopeMaps.grp_active = [
|
||||
"openid"
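Review bot: `allowInsecureClientDisablePkce = true;` is added to `dgn_outline` without a comment; it removes the authorization-code interception protection PKCE provides for that client, so the reason (presumably Outline's OIDC client not sending `code_challenge`) and when it can be removed belong next to it, e.g. `# Outline's OIDC client does not do PKCE yet; drop once it does`. The `originUrl` changes in this and the preceding hunks (exact callback paths instead of the site root) fit the stricter redirect-URI matching that comes with the `kanidm_1_4` bump above and are the right direction; double-check that `https://netbird.dgnum.eu/index` is the exact redirect URI the Netbird dashboard sends, since a mismatch is now rejected rather than matched by prefix. The Grafana and Outline sections rename their `client_id`/`clientId` to the `dgn_*` form to match, but whether the secret files they reference (`oauth_client_secret`, `outline-oidc_client_secret_file`) still correspond to the renamed clients is not visible here.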
|
||||
|
|
|
@ -22,7 +22,7 @@ in
|
|||
enable = true;
|
||||
hostName = host;
|
||||
|
||||
package = pkgs.nextcloud29;
|
||||
package = pkgs.nextcloud30;
|
||||
|
||||
https = true;
|
||||
|
||||
|
|
|
@ -28,10 +28,10 @@ in
|
|||
publicUrl = "https://${host}";
|
||||
|
||||
oidcAuthentication = {
|
||||
clientId = "outline_dgn";
|
||||
clientId = "dgn_outline";
|
||||
authUrl = "https://sso.dgnum.eu/ui/oauth2";
|
||||
tokenUrl = "https://sso.dgnum.eu/oauth2/token";
|
||||
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
|
||||
userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/dgn_outline/userinfo";
|
||||
displayName = "DGNum SSO";
|
||||
|
||||
clientSecretFile = config.age.secrets."outline-oidc_client_secret_file".path;
|
||||
|
|
|
@ -1,24 +1,28 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ
|
||||
2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI
|
||||
-> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE
|
||||
1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs
|
||||
-> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI
|
||||
LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU
|
||||
-> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA
|
||||
jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs
|
||||
-> ssh-ed25519 jIXfPA jjStc+COqzn2fkEU5y9p+h3KPL7ip0Sk7wwdjGME5Ag
|
||||
2eYwXQs/IbgzeEP1vFy9OLOhPVnyq4cki7voHSXKomQ
|
||||
-> ssh-ed25519 QlRB9Q rqJ1GzzA5IMgZoQD/u35k/qVr1GEbicWGCpDwzbSoRQ
|
||||
cqGLtH53VWP5Z21pjllWRGRO2PkMSOQftF/WHAldW0Q
|
||||
-> ssh-ed25519 r+nK/Q oPY6OIrUHYr3NSOes0KGNBjZJse4bNso3nGoKfqdOgw
|
||||
8CJeNP6AdhUTWFTiYpswsottSI1C25RGOMaxHsnAeNc
|
||||
-> ssh-rsa krWCLQ
|
||||
XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps
|
||||
uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ
|
||||
CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg
|
||||
k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4
|
||||
4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW
|
||||
qd63AwlEvNGOSIMXBqc+tQ
|
||||
-> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A
|
||||
Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk
|
||||
-> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ
|
||||
o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU
|
||||
-> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8
|
||||
OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w
|
||||
--- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo
|
||||
ì©šÎj½ó˪f¾©Fyz#ö뤄å…ùÕâ íz‰z¥}´ýÂø9(!SÂöÛ<C3B6>$³
¸ûz2kªÈCæ<43>¦J¬T…Ÿ”þG<C3BE>‚€³“Z_àÑ
|
||||
BseveWlNY2C1A37CKs6rUBmJWDeYwr4JE6fGtjtvJG6oVaanIQqpAA0PkML1IG1V
|
||||
tTimA7j4L8RT01UmHdpcWQUdR2ZjGBznFCfT46yW2/W/uCxrtHdRJKFur8ZZVfqg
|
||||
3NNHTe87liDf9L1izNAhcMOWlSWXsDbj/xUYw07yopXoH9lA9bmbDytZp5oxrN5v
|
||||
JLlWjfoiKu92RAUxobfqra2TUFM98ljAX0U2jv+Vadyz2HiDV0WRl3rsymlDNyQp
|
||||
rWZRfNKmM4VVrBTB6raatgfdYaj9m3xN9x6xyTfz1Jw1etClrnvdTJOyROxR10B8
|
||||
qJ10Vvy1cu1Yt3aTzmBSpQ
|
||||
-> ssh-ed25519 /vwQcQ lBUUIhJo1cwZJAD8yEkPEjc3Wm5laQ4+oL47g0UUzDI
|
||||
oDMv1BAaAuoWL/lWb08l7sfz7Hjt7syFGxKlJ90IWx4
|
||||
-> ssh-ed25519 0R97PA oJ/bnbgfrfnozCOWyhPGrdhDD1N2VFVOhN56py0Lvic
|
||||
3MFXDBDOASpUqg9ZkBCQDc7oCaJSyc77cEHYZ41O8Fk
|
||||
-> ssh-ed25519 JGx7Ng lnd0RjCT6leBvk4uLXYWt+BeqstIycHYtWkbEhUqPjI
|
||||
i9IVIwDe80nRV8jk3YLqyqDXzatC0PwGM6yMmZT8DeA
|
||||
-> ssh-ed25519 bUjjig MFRe8FP5AQPHAUfLr3VLNAqEnnYI8wThQbFunl8fuj0
|
||||
U5//sg3BRjSvp4NbH9RqD9vugee3cEnNDRuKLaf506I
|
||||
-> ssh-ed25519 tDqJRg txHQKcCUKCAxc0/ZYL1IqeXfbjlGz74ccKZ7kj2bVSw
|
||||
4YzZQw7PyPGBoWw6GuBsdQo3p3f+XEbOdpGCXfOeHic
|
||||
-> IOpsGs-grease
|
||||
JFzNAbIaA7nJkfBBACoJDaQsVCo5TmArRwHtu5W91+YxSoyj22D0
|
||||
--- K4Uw4L8YfGsdUQfdxwm1zxkABRBBjORNIDoHv+sjosI
|
||||
@Ð,Â!!§øäç›?K¬Õ§!ò%™ô B¨åö¦*vßc?â:;ð 6¾’ãÎ{?.½EØ,þ˜;%Ä0iq^t‚l¨l=±Ž6.xvü\<5C>
|
|
@ -1,27 +1,30 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 tDqJRg X/tRIl6TzF09a1Tvr8vP3SocmlfwKg307he8LP3Q5mo
|
||||
hWjX3AUbREbQR+uCiW8Nsj5nCwYQYy1KV/41sbxBFo4
|
||||
-> ssh-ed25519 jIXfPA 6EOXJfa+aY4JjOb0SO2k+s6xnNjtm/o8au6lbN1UfxA
|
||||
dVsgH99btiE+pl7Q4uiOcYDTwtv6X0jgjYXoFFd+tPs
|
||||
-> ssh-ed25519 QlRB9Q 4Hje1HQL+Zjm9+BGDQvb83KaizOjfKTwjiq1SJlXvA0
|
||||
w2rMGVcZcS2aLNYxHZIJZF/j50CQm8UCmq89W9K7Q14
|
||||
-> ssh-ed25519 r+nK/Q aPQh4X7xZnTbrkxIaAwUbaS7NnbHMY+Q31E0x7AvwSo
|
||||
rnMus4wPVugzscVNPO33rNgboN7I42tdz4dikVOvWIw
|
||||
-> ssh-ed25519 jIXfPA ffhnaA8PokIDyboOZVSebOxvu46CSvl3Sk6NEqXDlgo
|
||||
MTEYDDnKBVnGyMvQFLBVAedmEfdv90Lh7fFt8G4ogSg
|
||||
-> ssh-ed25519 QlRB9Q U9driMnVrc6FvJkIg0FGfCqjftbw4OozLMH3hNSeOns
|
||||
/2/Ripvin97IDSSpOkWiOrmMt1/WnsKDZQ9jvPpn2OA
|
||||
-> ssh-ed25519 r+nK/Q TabwYz+Z7Hr/TflaeYFT+svW+AGkTYRqDPN0iRrPmzc
|
||||
mi9r46HFwSjqPrW3x4Ik2Xerd80KjYuHaqy4wkLOgAc
|
||||
-> ssh-rsa krWCLQ
|
||||
Xe2Vv3tCZy19QQt26q6T3mJkZyltU7OVOrruwxWr8hlaKgOfR/pMa7nbR+eWm6jS
|
||||
++39H+E6gssE/534ld5qz2J3oPV5E6+p4wok/Owy7zE6aWrALP1Mp296lumRjjGN
|
||||
6aYhmf4fbpvOWDMNujExWURggswbUplk0f7l5UYjNpcSnM9Iq6s9fTAUVTMAlvoL
|
||||
cmVvPTll6QlhhM7tkJL1fo+1nEimfmwDaOhE2lAKKJUD7DTqcBGsukpysOhcmCyr
|
||||
Xtx38kcuF5eaDzjT9gXgi4QtCrxf31Lfjju44HSqJFB1LqO2Vzd9rASurD2LN7/1
|
||||
uj8F5y+dmf6IqIM/kYXqPg
|
||||
-> ssh-ed25519 /vwQcQ Byl5reTJslEFsIdUWp+rg5sZxG1jEHVduBE/grTD/Vc
|
||||
SEzFbpWUZrVitO1Swfs3/pzfaZ6Zd4Roi8anJRHO7/o
|
||||
-> ssh-ed25519 0R97PA CLDuGuFPHf0rgUoCUY2C1jtXAeBEqKiqaeiH4ZcRFk8
|
||||
rBYZfmS7BSKDIJMVpWTGy5wRhhoi9xR1GchVsUn7Psw
|
||||
-> ssh-ed25519 JGx7Ng xqTydh3Bt5bL/7R6ZnVtqhfSW2V3g1g2UWPcePt8TCU
|
||||
lPQeGP4VQGU4xeGqVcIRnWZjeDp2Q4lH2CLg+C/weyM
|
||||
-> .-grease
|
||||
l4qPzZnL/yerx8Y3VUmUoO2GgK7OUAjbhfYsHPhDFSo+ZPgvYo7qpJBEsPQqrPA3
|
||||
FF2/R9IFD+jFranJsg
|
||||
--- ynZs900dI1cp+HWu6HdnUGKaJw/Wa1Y26eQSeO3fvH8
|
||||
|Nös.æ·»×KC²éi#<11>XôfÓé‚öÃÎq[í¶t{ŸôEkœÇ±<A–ÿñYd'çÉ…²3ȆbMæÝ;0f”V[œ¥<ûàX;E‘
|
||||
DiRtuMIY8AdA3XJcW75mQwQN/CKtXFLbS/bHHMSH0xBzUPhY2JP5IwDrnS+YuAq8
|
||||
CTc+QXC8eWlZpujZnIMgX2lUMOVA9rfYLml3Dsjju048kLBOm/WlYAaf3l7Fpuwm
|
||||
m3BQK4mRWsdISdhwUHsNTaO8z9jkMwV/a+iWjQWDtNxscRnBqq8a2wms7zUHmJbJ
|
||||
HHYCykPZGrIhh6pOConMhuQZRN59W/HVCJ60+z4E0L5Yw1itqyInz/XQh+a6hrnY
|
||||
8R2ipE658KJmqSHIebeSriD49fvwEWaCssmI9JQ4GmuKLaKQuqNwTubmm+0cP9w5
|
||||
NtVCqqEGq3HX1/MLnpmbew
|
||||
-> ssh-ed25519 /vwQcQ p8fZnQh6objEcb9kVQ+iu49T7v54CZKES538A/3eXlo
|
||||
4bchuaemw++HSOi+1Nop2D1QP96zsDdK1SS5wzNLIeE
|
||||
-> ssh-ed25519 0R97PA j76+Z++DFCjrELtJuXlbXKO3GfDz4bqN4MjxrRjEunY
|
||||
s/Bouc5R6RAhV+fV8sqP3bQN7cubQ/zvmTbiFkEdShc
|
||||
-> ssh-ed25519 JGx7Ng FSufP2DJeNehiGWArgtLjnPTMJd1XYOGIydUDovgLjA
|
||||
HpuHpBUSrEgUDZHG2T6b2wdugRhCCWnCNC33W1mz7VQ
|
||||
-> ssh-ed25519 bUjjig 3lJvEVu3c8NNpm1cc6068n2pO75PLD5DyX00sL9Io1M
|
||||
QV4CiZ8q2YV3FjojL4eU+of4KNuvw/kuVcykOR/ndcY
|
||||
-> ssh-ed25519 tDqJRg 1++TmLtKpgOlKExGY4ZVWb82N/GrRHl63MpHsBYg83A
|
||||
C1hi8qlfY8Tx8a6Ik4b0FcxXFDorvmSklR53VgPeQqU
|
||||
-> i3xH-grease \0) ojM4J<
|
||||
ArfqJf5FcIndzy7XQ5vxY+1iJwPtjplV7Sx5R2kWoHsXBwYyI9pt8Co
|
||||
--- apFO9hGDSpGnlL3r1MliuT1axseRl7WLb5YhpOcd5GI
|
||||
ùÒЇÚv\yoKÜøCsáþ™AaãjMŸ<>¦–Š¶+2"À½îšäÉc4‚51ùÏ8÷)m‡¤ŒÚ$š„XÇÈkû<6B>Pj)FÜ
|
||||
ÃV*É‚
|
||||
c
|
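--- /dev/null
+++ b/machines/nixos/hypervisor01/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+enabledModules = [ ];
+
+enabledServices = [ ];
+
+extraConfig = {
+services.netbird.enable = true;
+};
+
+root = ./.;
+}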
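Review bot: A host named `hypervisor01` is given no virtualisation module or service at all — `enabledModules` and `enabledServices` are both `[ ]` and the only setting is `services.netbird.enable = true;` — and nothing says whether that is a bootstrap state or the final shape. A one-line comment above `extraConfig`, e.g. `# Bootstrap: netbird only, hypervisor role to be added`, would stop the next reader from assuming a module was forgotten. `hypervisor02/_configuration.nix` and `hypervisor03/_configuration.nix` are identical and carry the same gap.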
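--- /dev/null
+++ b/machines/nixos/hypervisor01/_hardware-configuration.nix
@@ -0,0 +1,79 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+config,
+lib,
+modulesPath,
+...
+}:
+
+{
+imports = [
+(modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot = {
+initrd = {
+availableKernelModules = [
+"ehci_pci"
+"ahci"
+"mpt3sas"
+"usbhid"
+"sd_mod"
+];
+kernelModules = [ ];
+};
+
+kernelModules = [ "kvm-intel" ];
+extraModulePackages = [ ];
+};
+
+fileSystems = {
+"/" = {
+device = "rootfs";
+fsType = "zfs";
+};
+
+"/nix" = {
+device = "rootfs/nix";
+fsType = "zfs";
+};
+
+"/var" = {
+device = "rootfs/var";
+fsType = "zfs";
+};
+
+# boot1 = boot partition in first disk (used by default)
+# boot2 = boot partition in second disk (used in backup)
+
+"/boot1" = {
+device = "/dev/disk/by-label/BOOT1";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+
+"/boot2" = {
+device = "/dev/disk/by-label/BOOT2";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+};
+
+swapDevices = [
+{ device = "/dev/disk/by-uuid/759f1573-7593-400e-b310-c384fc6124c3"; }
+{ device = "/dev/disk/by-uuid/73f94cd3-3f0f-4a32-9e5b-abd6c2a9b219"; }
+];
+
+networking.useDHCP = lib.mkDefault true;
+networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}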
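Review bot: `hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` makes microcode updates conditional on an option that none of the new hypervisor files set, so unless a shared module enables it these hosts boot without microcode updates and without the CPU-side mitigations those updates carry. Rather than editing this generated file, add `hardware.enableRedistributableFirmware = true;` to the `extraConfig` of `_configuration.nix`. The same applies to `hypervisor02/_hardware-configuration.nix` and `hypervisor03/_hardware-configuration.nix`; hypervisor03 also addresses its boot partitions by UUID where the other two use the `BOOT1`/`BOOT2` labels, which deserves a comment if deliberate. `fmask=0022`/`dmask=0022` leave `/boot1` and `/boot2` world-readable; if the bootloader keeps a random seed or other per-host material there, `0077` is the safer mask.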
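--- /dev/null
+++ b/machines/nixos/hypervisor01/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor01" ] [
+
+]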
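Review bot: `# SPDX-License-Identifer: EUPL-1.2` misspells the tag (`Identifier`), so REUSE tooling will not attribute a license to this file, while `_configuration.nix` in the same directory spells it correctly. The same typo is in `hypervisor02/secrets/secrets.nix` and `hypervisor03/secrets/secrets.nix`. With an empty list the `mkSecrets` call is a placeholder; a short comment such as `# No per-host secrets yet` would say so.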
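--- /dev/null
+++ b/machines/nixos/hypervisor02/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+enabledModules = [ ];
+
+enabledServices = [ ];
+
+extraConfig = {
+services.netbird.enable = true;
+};
+
+root = ./.;
+}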
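--- /dev/null
+++ b/machines/nixos/hypervisor02/_hardware-configuration.nix
@@ -0,0 +1,81 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+config,
+lib,
+modulesPath,
+...
+}:
+
+{
+imports = [
+(modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot = {
+initrd = {
+availableKernelModules = [
+"ehci_pci"
+"ahci"
+"mpt3sas"
+"usbhid"
+"usb_storage"
+"sd_mod"
+"sr_mod"
+];
+kernelModules = [ ];
+};
+
+kernelModules = [ "kvm-intel" ];
+extraModulePackages = [ ];
+};
+
+fileSystems = {
+"/" = {
+device = "rootfs";
+fsType = "zfs";
+};
+
+# boot1 = boot partition in first disk (used by default)
+# boot2 = boot partition in second disk (used in backup)
+
+"/boot1" = {
+device = "/dev/disk/by-label/BOOT1";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+
+"/boot2" = {
+device = "/dev/disk/by-label/BOOT2";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+
+"/nix" = {
+device = "rootfs/nix";
+fsType = "zfs";
+};
+
+"/var" = {
+device = "rootfs/var";
+fsType = "zfs";
+};
+};
+
+swapDevices = [
+{ device = "/dev/disk/by-uuid/46e20dc0-01bc-4f26-904a-1d23cb96bdb6"; }
+{ device = "/dev/disk/by-uuid/a8938e0f-3a00-45e7-bc6f-4bd9e2b1db6c"; }
+];
+
+networking.useDHCP = lib.mkDefault true;
+networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}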
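--- /dev/null
+++ b/machines/nixos/hypervisor02/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor02" ] [
+
+]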
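--- /dev/null
+++ b/machines/nixos/hypervisor03/_configuration.nix
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+enabledModules = [ ];
+
+enabledServices = [ ];
+
+extraConfig = {
+services.netbird.enable = true;
+};
+
+root = ./.;
+}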
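--- /dev/null
+++ b/machines/nixos/hypervisor03/_hardware-configuration.nix
@@ -0,0 +1,81 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+config,
+lib,
+modulesPath,
+...
+}:
+
+{
+imports = [
+(modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot = {
+initrd = {
+availableKernelModules = [
+"ehci_pci"
+"ahci"
+"mpt3sas"
+"usbhid"
+"usb_storage"
+"sd_mod"
+"sr_mod"
+];
+kernelModules = [ ];
+};
+kernelModules = [ "kvm-intel" ];
+extraModulePackages = [ ];
+};
+
+fileSystems = {
+"/" = {
+device = "rootfs";
+fsType = "zfs";
+};
+
+"/nix" = {
+device = "rootfs/nix";
+fsType = "zfs";
+};
+
+"/var" = {
+device = "rootfs/var";
+fsType = "zfs";
+};
+
+# boot1 = boot partition in first disk (used by default)
+# boot2 = boot partition in second disk (used in backup)
+
+"/boot1" = {
+device = "/dev/disk/by-uuid/80E2-979C";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+
+# TODO: put me in automounts + autosync between both boot partitions.
+"/boot2" = {
+device = "/dev/disk/by-uuid/8722-1B4F";
+fsType = "vfat";
+options = [
+"fmask=0022"
+"dmask=0022"
+];
+};
+};
+
+swapDevices = [
+{ device = "/dev/disk/by-uuid/dfe3aa01-ed46-4996-8ae3-a913ebffba76"; }
+{ device = "/dev/disk/by-uuid/5531258d-3538-4744-be1b-e08e26ad377f"; }
+];
+
+networking.useDHCP = lib.mkDefault true;
+networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}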
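--- /dev/null
+++ b/machines/nixos/hypervisor03/secrets/secrets.nix
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
+#
+# SPDX-License-Identifer: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "hypervisor03" ] [
+
+]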
|
@ -25,6 +25,7 @@ let
|
|||
"boussole-sante.normalesup.eu"
|
||||
"lanuit.ens.fr"
|
||||
"simi.normalesup.eu"
|
||||
"pub.dgnum.eu"
|
||||
];
|
||||
|
||||
buckets = [
|
||||
|
@ -35,6 +36,7 @@ let
|
|||
"hackens-website"
|
||||
"nuit-website"
|
||||
"peertube-videos-dgnum"
|
||||
"landing-website"
|
||||
] ++ domains;
|
||||
|
||||
mkHosted = host: builtins.map (b: "${b}.${host}");
|
||||
|
|
|
@ -37,6 +37,7 @@ in
|
|||
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
|
||||
AUTH_AUDIENCE = "dgn_netbird";
|
||||
AUTH_CLIENT_ID = "dgn_netbird";
|
||||
AUTH_REDIRECT_URI = "/index";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -129,6 +129,13 @@ let
|
|||
|
||||
extraNetwork.networkConfig.DHCPServer = "yes";
|
||||
};
|
||||
|
||||
vlan-hypervisor = {
|
||||
Id = 2001;
|
||||
address = [ "10.0.254.1/24" ];
|
||||
|
||||
extraNetwork.networkConfig.DHCPServer = "yes";
|
||||
};
|
||||
} // builtins.listToAttrs (map mkUserVlan userVlans);
|
||||
in
|
||||
|
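Review bot: `vlan-hypervisor` puts the hypervisor management range (10.0.254.0/24, the same range the new node metadata assigns to each `eno4`) on VLAN 2001 with `DHCPServer = "yes"`, but nothing in the hunk says whether the router forwards between the user VLANs built by `mkUserVlan` and this one. If inter-VLAN routing is the default, the hypervisors' management plane is reachable from user networks; a comment stating the intended isolation, or a reference to the firewall rule that enforces it, would make the intent reviewable. The enclosing `let` block starts outside the hunk.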
||||
|
|
|
@ -35,9 +35,9 @@ in
|
|||
"www.interq.ens.fr" = "interq.ens.fr";
|
||||
};
|
||||
|
||||
temporary = {
|
||||
"pub.dgnum.eu".to = "https://www.instagram.com/dgnum_eu/";
|
||||
};
|
||||
temporary =
|
||||
{
|
||||
};
|
||||
|
||||
retired = mkSubs {
|
||||
"ens.fr" = [
|
||||
|
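Review bot: Going by the hunk counts (-35,9 +35,9), removing the `pub.dgnum.eu` Instagram redirect leaves `temporary` as an empty attribute set spread over three lines (`temporary =`, `{`, `};`), which is not how the rest of the file writes empties. Collapse it to `temporary = { };`, or drop the attribute if the module defaults it. Which side each line belongs to is inferred from the counts, since this rendering lost the markers.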
|
|
@ -135,12 +135,9 @@ in
|
|||
|
||||
dgn-web.simpleProxies.cas-eleves = {
|
||||
inherit host port;
|
||||
vhostConfig = {
|
||||
serverAliases = [ "cas-eleves.dgnum.eu" ];
|
||||
locations = {
|
||||
"/static/".root = staticDrv;
|
||||
"= /robots.txt".root = "${staticDrv}/static";
|
||||
};
|
||||
vhostConfig.locations = {
|
||||
"/static/".root = staticDrv;
|
||||
"= /robots.txt".root = "${staticDrv}/static";
|
||||
};
|
||||
};
|
||||
|
||||
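Review bot: Reading the counts (-135,12 +135,9), `serverAliases = [ "cas-eleves.dgnum.eu" ]` is dropped together with the `vhostConfig = { ... }` wrapper, so this vhost now answers only for `host` and requests for cas-eleves.dgnum.eu fall through to nginx's default server unless a redirect or DNS removal outside this diff covers them. If dropping the alias is intentional the commit message should say so; if it was collateral of the flattening, `vhostConfig.serverAliases = [ "cas-eleves.dgnum.eu" ];` next to `vhostConfig.locations` restores it. The enclosing `simpleProxies` definition continues outside the hunk.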
|
|
|
@ -13,6 +13,7 @@ lib.extra.mkConfig {
|
|||
enabledServices = [
|
||||
# List of services to enable
|
||||
"django-apps"
|
||||
"redirections"
|
||||
];
|
||||
|
||||
extraConfig = {
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
imports = [
|
||||
./annuaire.nix
|
||||
./bocal.nix
|
||||
./ernestophone.nix
|
||||
./gestiojeux.nix
|
||||
./interludes.nix
|
||||
./wikiens.nix
|
||||
|
|
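--- /dev/null
+++ b/machines/nixos/web03/django-apps/ernestophone.nix
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+pkgs,
+sources,
+config,
+...
+}:
+
+let
+nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
+{
+services.django-apps.sites.ernestophone = {
+source = "https://git.dgnum.eu/DGNum/ernestophone.ens.fr";
+branch = "update";
+domain = "ernestophone.ens.fr";
+
+nginx = {
+enableACME = true;
+forceSSL = true;
+locations = {
+"/media/trombonoscope/".root = "/run/django-apps/ernestophone/";
+};
+};
+
+serveMedia = false;
+
+webHookSecret = config.age.secrets."webhook-ernestophone_token".path;
+
+python = pkgs.python3.override {
+packageOverrides = _: _: {
+inherit (nix-pkgs)
+django-avatar
+django-cas-ng
+django-solo
+loadcredential
+;
+};
+};
+
+dependencies = ps: [
+ps.django
+ps.django-avatar
+ps.django-colorful
+ps.gunicorn
+ps.pillow
+ps.loadcredential
+];
+
+application.module = "Ernestophone";
+
+credentials = {
+SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
+};
+
+environment = {
+DJANGO_SETTINGS_MODULE = "Ernestophone.settings";
+ERNESTOPHONE_ALLOWED_HOSTS = [ "ernestophone.ens.fr" ];
+};
+};
+}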
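Review bot: `credentials` passes only `SECRET_KEY`, yet the same change declares `dj_ernestophone-password_file` and `dj_ernestophone-admins_file` in `web03/secrets/secrets.nix` with no consumer visible in this file; either another module reads them or they are dead secrets, and a comment on `credentials` should say which. `locations."/media/trombonoscope/"` serves a directory under `/run/django-apps/ernestophone/` straight from nginx while `serveMedia = false` keeps the rest of media private, so whatever the trombonoscope holds (by its name, a photo directory of members) is public with no access control from the application; confirm that is intended. `branch = "update";` deploys a non-default branch through the webhook, which deserves a comment naming the reason and when it moves back to the main branch.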
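--- /dev/null
+++ b/machines/nixos/web03/redirections.nix
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+dgn-redirections = {
+permanent = {
+"www.ernestophone.ens.fr" = "ernestophone.ens.fr";
+};
+};
+}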
BIN
machines/nixos/web03/secrets/bupstash-put_key
Normal file
BIN
machines/nixos/web03/secrets/bupstash-put_key
Normal file
31
machines/nixos/web03/secrets/dj_ernestophone-admins_file
Normal file
31
machines/nixos/web03/secrets/dj_ernestophone-admins_file
Normal file
|
@ -0,0 +1,31 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA 9RRZxLF9tCD5U+9qMdPjANj+uL/8klzK3MV+YW6fhEc
|
||||
gd8gQtbKWfOmN1mDRszw7vEnSg8pPHpHU5JDo9bM/ek
|
||||
-> ssh-ed25519 QlRB9Q hArXwJSPPrZySgU8/YBJwsVfXMhgMy7N72jFcslb1xo
|
||||
H3ifulIpmYpllXTsXh5TYit6JTxZwUs33Rey1qtvQnM
|
||||
-> ssh-ed25519 r+nK/Q jh3gdHmJMBCQbMQdYdko4Igwt0y62eIZaTlNsO/nw1Y
|
||||
NgflhTMQOIbyl1udyCuvRsIDxIkOK+QZbVRHLNThDJs
|
||||
-> ssh-rsa krWCLQ
|
||||
kOodyo51tOrDsqKSyN/WyJXq7Kot54eb66WBfHVVuYqAafQZnaUvSgXInc4Ba8M9
|
||||
+pdwX37zff47gGr/obadKkAGf42xnu7nB8c6T68u/TNwKlQoIUuebEFEdqqp+dFe
|
||||
KY3DlM9LPyMMLO+Tk0t3djE9lp1FkbUeeDOk06rEgQyCs0HATKoa2k/c6/pim6vZ
|
||||
wvu/YxkJAdIIOdkunkKs1kiuCIbeqIQfb2vz/hpBUNI8e8T4S2W7zIVMocRDfYoq
|
||||
dPYj4kHRbnqeyWcobymCuXNdtGnhsT50oS3UGEvr4flaRpREQ+babp1g9uApnU6s
|
||||
oPbmlrwTB50FJA9mxp9rSw
|
||||
-> ssh-ed25519 /vwQcQ SVB+hkmtVwrsNShWD7agmjuZs64+pah596YIFZH/Eww
|
||||
SyRzjAkoKTfNcOMf5OiIVU/wHiPi+rDuXQ0qns9vhf0
|
||||
-> ssh-ed25519 0R97PA mrJuOmOhgGEbRMC/VYvJ++e1RGTTAZl7dzAJPT+6jUo
|
||||
Rn4+0P0spe1Xjn+3twu/cCdKBmsj5y327bESx8FkqJk
|
||||
-> ssh-ed25519 JGx7Ng VXVauDsi3WOxQ2G90ElTdGMueEtVxlQsbUHsceFJTB0
|
||||
AZNRGSyxTZn+L9e9eggyGlINvDSg5hQowBtv0hX954Q
|
||||
-> ssh-ed25519 bUjjig OBwPeegYOacrZxLrlxdVpOkshBCUIYOOgyF6LdOVTjw
|
||||
MJAv6ieAneoAe3//A6b3dBvJCze9uxFVRqlQnkm+rAY
|
||||
-> ssh-ed25519 VQSaNw ldI3O8GyoxhxvrE3okoVvPTrFYnUKNA0See4buKO7GA
|
||||
wcpmfgUNs0MyVcm/VGmwBpkZ++UGkTNDCiqqpYL2XXw
|
||||
-> n>[M-grease _ D--b ? [8U|"=~
|
||||
YZ1c1yZ4273rUu4v+APm/eBy8HQyish8t2zkTvjYFd8/pdA9uRkHogQGIBnlAi3h
|
||||
tq6/02nnT/QgZPcccQCD3SlwzkU0U2qdXIAdGtgzCo0FZsIYdkeU+VyoJDfcVt1o
|
||||
qXc
|
||||
--- lzSSWa0AAP8vhy6RfNChbM71Apmn7b6pLT1CtYFVrpQ
|
||||
<04>Ôï\÷/Áºß£íÄ*‰ŒÿÙi"ºÅåÝa/[Rr
|
||||
O)u^½Ÿ,Ù"%Km£¥<C2A3>zµkÝ°3)›Ù¡‰ø)ÌbS{^§<13>!y°ÅLÉERñ˜Ç
‚Q»uÅE‹EË;Êä´¤VÐ-¶?[ù<>uÑñÏ`Fvè%+$Ú§{¯xŦüg–Qºëiôy°<79>»#.^ìŒÓÎùÈ_*¤=íò×1êîÜCõ ê
~¸
|
28
machines/nixos/web03/secrets/dj_ernestophone-password_file
Normal file
28
machines/nixos/web03/secrets/dj_ernestophone-password_file
Normal file
|
@ -0,0 +1,28 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M
|
||||
TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI
|
||||
-> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE
|
||||
nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ
|
||||
-> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE
|
||||
AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY
|
||||
-> ssh-rsa krWCLQ
|
||||
AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH
|
||||
TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC
|
||||
i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl
|
||||
Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4
|
||||
h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev
|
||||
1O7xqUhcRXgFUbDYRjTsLw
|
||||
-> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY
|
||||
zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA
|
||||
-> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g
|
||||
z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54
|
||||
-> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0
|
||||
yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k
|
||||
-> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20
|
||||
FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg
|
||||
-> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM
|
||||
EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg
|
||||
-> /Wa)P<iw-grease (;ag_e g#LM+oA Y n(M-1K+.
|
||||
lWfOmA
|
||||
--- k01yU9ZR8KIyG0JEfcYoP4iBlvqq7J676oPfDLpbvfs
|
||||
ÎD—èŒ<C3A8>Ptáçø4Õ•?6”N|ÐïZƒ³åM/œqo¨[ÄNä
|
29
machines/nixos/web03/secrets/dj_ernestophone-secret_key_file
Normal file
29
machines/nixos/web03/secrets/dj_ernestophone-secret_key_file
Normal file
|
@ -0,0 +1,29 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc
|
||||
hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI
|
||||
-> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw
|
||||
S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA
|
||||
-> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8
|
||||
5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM
|
||||
-> ssh-rsa krWCLQ
|
||||
HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz
|
||||
BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL
|
||||
CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5
|
||||
rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS
|
||||
x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ
|
||||
/pcg11dUQpXJdaIiPEowlg
|
||||
-> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM
|
||||
hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk
|
||||
-> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI
|
||||
32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA
|
||||
-> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs
|
||||
i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE
|
||||
-> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw
|
||||
nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4
|
||||
-> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc
|
||||
jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8
|
||||
-> $5-grease (y&6%5f<
|
||||
YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd
|
||||
G+fhmUbFuDj8ZtXg6yk
|
||||
--- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg
|
||||
.¼Zs‡…n}®ì,èémõR€ÏêeÞ)¾bOª¶<C2AA>îնܷ†m8¼z£RyúìT/¦@¿CÜÝôW™¨F5ˆ?<ð.[Ö†r¡Ó[°M
|
|
@ -4,14 +4,19 @@
|
|||
|
||||
(import ../../../../keys).mkSecrets [ "web03" ] [
|
||||
# List of secrets for web03
|
||||
"bupstash-put_key"
|
||||
"dj_annuaire-secret_key_file"
|
||||
"dj_bocal-secret_key_file"
|
||||
"dj_ernestophone-secret_key_file"
|
||||
"dj_ernestophone-password_file"
|
||||
"dj_ernestophone-admins_file"
|
||||
"dj_gestiojeux-secret_key_file"
|
||||
"dj_interludes-email_host_password_file"
|
||||
"dj_interludes-secret_key_file"
|
||||
"dj_wikiens-secret_key_file"
|
||||
"webhook-annuaire_token"
|
||||
"webhook-bocal_token"
|
||||
"webhook-ernestophone_token"
|
||||
"webhook-gestiojeux_token"
|
||||
"webhook-interludes_token"
|
||||
"webhook-wikiens_token"
|
||||
|
|
30
machines/nixos/web03/secrets/webhook-ernestophone_token
Normal file
30
machines/nixos/web03/secrets/webhook-ernestophone_token
Normal file
|
@ -0,0 +1,30 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA Ifc4K8jusXCbeMSYeAL+3jdvmDK1ojYiSzHJO/uefzk
|
||||
h5ewdTYV3o8+tPCzVWvLtqEM3WxVjtOqTRnrFAwKnes
|
||||
-> ssh-ed25519 QlRB9Q djvVFcR5y+WI5+rED8ztIQZuLfCj2z8wHx3WIutlfjk
|
||||
nsTUZEQRJAAZfNXw2YbzwV+RUJEx6Dmi0ujswMBqIro
|
||||
-> ssh-ed25519 r+nK/Q Ryx2iuVCefSFFMEyRjVbKFxTqaX6D+Ty4B1+6mRLSCg
|
||||
s7YjJa6NESaNZ9wzurlrsovu5ecJNnWLOhD80RnFqV4
|
||||
-> ssh-rsa krWCLQ
|
||||
utXBcdyAmbl463xcacn1+K9UyG78vKG9LW1vJ/q40ltqEsuxktP2C5YgBL2Whcld
|
||||
UYTsNFa3b02HP1wp0fPP4eVyk0NNKqO1rairMAvLJmQk15s0OVCk7LvjZe+Q31m1
|
||||
gYxBSuN4oy7gljtOlIfrHtcRqDMC5IToYSt91pwt/0wgkHDH1OcLap8jaQIuPdc1
|
||||
pQqd6iUTF96kvvp1P6XbvOHH3nVLNw/bITR5BUSqm/YBocJBrDNIL2wXcq27bBMs
|
||||
YqF2nykztoSss+YM40XnHx14wNU0WeocbSYuPKabKvtgV0ry62w+EW5t453TfMng
|
||||
y0dYmBdXVTKgCyL2v/onlA
|
||||
-> ssh-ed25519 /vwQcQ tax06kUoYtjoUZ8k0+2L0cBr9CTpZpWd5Ev1qRh4dWM
|
||||
x2RYQ+53UJnBXz8plzYrpga9JCWgm+WvkjpGg+CpG8M
|
||||
-> ssh-ed25519 0R97PA DoPbx9NVAHTe6NRxT50nwdStoUJRnATQDEKgIyq2hhA
|
||||
6DUg7uQ9L80KzaMJi6h/Nm5EgtLlAI+R01Mke9GpyzQ
|
||||
-> ssh-ed25519 JGx7Ng AG1PM5MB2TlfZoiF29gu01LqhcQ+rEQRQZHFVxdHYG8
|
||||
ePz8kT+axuMZe8MKi1Yj+ZOCITIYjVAuRE2iTScgpyY
|
||||
-> ssh-ed25519 bUjjig SgZgUi5qfE8wK54Mj8P/FJ4QPNs4HUV5qPc9jJTskmY
|
||||
n/fedObFehvhLwd3uhkhfBamFpjZDVK7M1J67BucoPI
|
||||
-> ssh-ed25519 VQSaNw a+SLVFR9PqKgyHfAPTjH4SGkp4XXjz6xz6uMjZgYOg0
|
||||
hv5F5ENsfpU27opx8OT4mvL0waGO+AieG/VXvHNi2hg
|
||||
-> g**u4-grease Fb|HQ E
|
||||
FcQESlzpmCxDtrbCZhddPdNjVROYKj2XsOppqa2GPZsWqQH8cFfKzxjwlNlE7WNF
|
||||
Q3xupVqn8H1Cg98i
|
||||
--- lYBZVJ4DEtBmKhenHOOkQpuPT7TrGGgN1OmTrfCTtY4
|
||||
Žy[§—‘ÀÒh{`Z³öNŠx/ùºóSyFú£–ç
|
||||
+‚¨Õr:¶úÀcJ¸L˜b¿M‹ô™w<E284A2>n+™õœ"§¢—|w¼¯¬kµ*
|
|
@ -99,6 +99,7 @@ let
|
|||
"prometheus" # Prometheus
|
||||
"victoria-metrics" # Victoria Metrics
|
||||
"videos" # Peertube
|
||||
"pub"
|
||||
|
||||
# Garage S3
|
||||
"*.cdn"
|
||||
|
@ -123,7 +124,6 @@ let
|
|||
"netbox" # Netbox
|
||||
"podcasts" # Castopod
|
||||
"push" # Ntfy.sh
|
||||
"pub" # Url de promotion (qrcodes etc...)
|
||||
|
||||
# Static websites
|
||||
"eleves"
|
||||
|
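Review bot: `"pub"` is added to the first list without a comment while every neighbour there (`"prometheus" # Prometheus`, `"videos" # Peertube`) carries one, and the entry removed in the second hunk had `# Url de promotion (qrcodes etc...)`, so the move loses the only explanation of what the name is for. Keep it: `"pub" # Promotion URL (qrcodes etc.)`. The enclosing `let` block starts outside both hunks.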
|
|
@ -82,6 +82,63 @@
|
|||
netbirdIp = "100.80.233.249";
|
||||
};
|
||||
|
||||
hypervisor01 = {
|
||||
interfaces = {
|
||||
eno4 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "10.0.254.11";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "10.0.254.1" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "4dbbd76a";
|
||||
netbirdIp = "100.80.242.115";
|
||||
};
|
||||
|
||||
hypervisor02 = {
|
||||
interfaces = {
|
||||
eno4 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "10.0.254.12";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "10.0.254.1" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "d0b48483";
|
||||
netbirdIp = "100.80.37.202";
|
||||
};
|
||||
|
||||
hypervisor03 = {
|
||||
interfaces = {
|
||||
eno4 = {
|
||||
ipv4 = [
|
||||
{
|
||||
address = "10.0.254.13";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
|
||||
gateways = [ "10.0.254.1" ];
|
||||
enableDefaultDNS = true;
|
||||
};
|
||||
};
|
||||
|
||||
hostId = "1c407ea8";
|
||||
netbirdIp = "100.80.58.178";
|
||||
};
|
||||
|
||||
rescue01 = {
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
|
|
|
@ -91,6 +91,63 @@
|
|||
};
|
||||
};
|
||||
|
||||
hypervisor01 = {
|
||||
site = "pot01";
|
||||
|
||||
hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
|
||||
|
||||
stateVersion = "24.11";
|
||||
|
||||
nixpkgs = {
|
||||
version = "24.11";
|
||||
system = "nixos";
|
||||
};
|
||||
|
||||
adminGroups = [ "hypervisors" ];
|
||||
|
||||
deployment = {
|
||||
targetHost = "hypervisor01.dgnum";
|
||||
};
|
||||
};
|
||||
|
||||
hypervisor02 = {
|
||||
site = "pot01";
|
||||
|
||||
hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";
|
||||
|
||||
stateVersion = "24.11";
|
||||
|
||||
nixpkgs = {
|
||||
version = "24.11";
|
||||
system = "nixos";
|
||||
};
|
||||
|
||||
adminGroups = [ "hypervisors" ];
|
||||
|
||||
deployment = {
|
||||
targetHost = "hypervisor02.dgnum";
|
||||
};
|
||||
};
|
||||
|
||||
hypervisor03 = {
|
||||
site = "pot01";
|
||||
|
||||
hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";
|
||||
|
||||
stateVersion = "24.11";
|
||||
|
||||
nixpkgs = {
|
||||
version = "24.11";
|
||||
system = "nixos";
|
||||
};
|
||||
|
||||
adminGroups = [ "hypervisors" ];
|
||||
|
||||
deployment = {
|
||||
targetHost = "hypervisor03.dgnum";
|
||||
};
|
||||
};
|
||||
|
||||
rescue01 = {
|
||||
site = "luj01";
|
||||
|
||||
|
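Review bot: `hashedPassword` for the three new hypervisors is committed as a yescrypt hash, which follows the existing pattern in this file but still hands anyone who can read the repository an offline guessing target for a hypervisor login; the `$y$j9T$` cost only helps as much as the passwords are long. Consider sourcing these from the per-host age secrets the same change sets up (`hypervisor0N/secrets/`), or at least add a comment on the first entry stating these are break-glass console passwords and how they are rotated.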
|
|
@ -91,6 +91,10 @@
|
|||
"ecoppens"
|
||||
];
|
||||
|
||||
hypervisors = [
|
||||
"catvayor"
|
||||
"ecoppens"
|
||||
];
|
||||
};
|
||||
|
||||
external = {
|
||||
|
|
|
@ -11,7 +11,12 @@
|
|||
}:
|
||||
|
||||
let
|
||||
inherit (lib) mkEnableOption mkOption remove;
|
||||
inherit (lib)
|
||||
getExe'
|
||||
mkEnableOption
|
||||
mkOption
|
||||
remove
|
||||
;
|
||||
|
||||
inherit (lib.types)
|
||||
attrs
|
||||
|
@ -34,6 +39,7 @@ let
|
|||
compute01 = "*-*-* *:38:00";
|
||||
storage01 = "*-*-* *:21:00";
|
||||
web01 = "*-*-* *:47:00";
|
||||
web03 = "*-*-* *:13:00";
|
||||
};
|
||||
|
||||
mkJobs = builtins.mapAttrs (
|
||||
|
@ -93,7 +99,7 @@ in
|
|||
"${db}-db".settings = {
|
||||
user = "postgres";
|
||||
command = [
|
||||
"${lib.getExe' config.services.postgresql.package "pg_dump"}"
|
||||
(getExe' config.services.postgresql.package "pg_dump")
|
||||
db
|
||||
];
|
||||
};
|
||||
|
@ -113,6 +119,8 @@ in
|
|||
"storage01"
|
||||
"vault01"
|
||||
"web01"
|
||||
"web02"
|
||||
"web03"
|
||||
];
|
||||
allowed = [ "put" ];
|
||||
}
|
||||
|
|
|
@ -6,4 +6,5 @@
|
|||
"compute01.key"
|
||||
"storage01.key"
|
||||
"web01.key"
|
||||
"web03.key"
|
||||
]
|
||||
|
|
28
modules/nixos/dgn-backups/keys/web03.key
Normal file
28
modules/nixos/dgn-backups/keys/web03.key
Normal file
|
@ -0,0 +1,28 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 jIXfPA CuALmA0MhxnWOn91YhtxAyn1h3xkoiuRoo4Ew1Eu32Q
|
||||
TRZxY9rF3NM9ulaA6s6SUetVcLT0He9yGaDZ38T9F6A
|
||||
-> ssh-ed25519 QlRB9Q TNA65R5tFs+KXJklNgfPPF12W52Fk6w7epstVzk9Ojw
|
||||
SD3IW1+ngBUkbBJz+53zDFVhne6b5rfVi2ym0UjTwLM
|
||||
-> ssh-ed25519 r+nK/Q b67auhVkYiVwthLGP3z719Ql/kHZQbxuJJgL7NzZiVc
|
||||
kl0ML0yd+QqBm9VZwMcMrZ8uuQkbJySaa9kI4RQFOak
|
||||
-> ssh-rsa krWCLQ
|
||||
NfHVOPshS0CR3ATrPcYAAiX/kAbgqw6mEVhxdTnvbWa8cPpblUpO/gm4UqW2vP0Q
|
||||
XUfvOCgH6ur3joLf/NylqwZ0UkQhmNj2hu8cOtjC4KgTohkMkZZmHlFKM9e3PuSS
|
||||
ZMx0GraugdTUD/ViCplwVxFPBUUblLcAuYx/BcV1hTb0ctbN9afi8DVzuSxoalDj
|
||||
Jy1UakJU0OwguB+ctv9kZcyLyV7zjchiq+dAoIDvkw0Z9bTCz7xhQ6uXAE7ahp3H
|
||||
rvycD/ZkK7h6yhg78x2lIBHP3sPaY3DFMFW9bDLtHYox22RVcm6/7oPbv0hTQ8ob
|
||||
n4Q7MWPF4vL1Xz9zyksetQ
|
||||
-> ssh-ed25519 /vwQcQ YvQmf/qYc6DVQT0gFPGuakvgDg/A76tor3f0+nTjbH4
|
||||
lMQoOb/kimcsSmNnUsUW7XmVdhLMee/s4NACiKi0Xls
|
||||
-> ssh-ed25519 0R97PA LzA+wuKlE3cEOpvGEW29/rx3qCU1X32F8HwJNic2Glg
|
||||
VOBmCcrtGrUk3ERWJL4QszdDtJrfoI/f1xA+X+a+PQk
|
||||
-> ssh-ed25519 JGx7Ng MIxNmk0eTtCUMHiWzklS2zNWdf16EHeOtere8cRoNSk
|
||||
X+gf1Ts9n2U+h6a0herR+WuiRXFS5BhicGKxpHQtQzM
|
||||
-> ssh-ed25519 bUjjig uSweFovyFxnz7Pqc/MCEE5/ZKgEblqs8xb1Ni+qrhS0
|
||||
AUhBDt7YN4x6k34g7mERYbn7rPVPZMmVvmZD668blRs
|
||||
-> m-grease \ %<B.PbZ ^G= >nhHA<}
|
||||
KhUslr0J28p4r62y0bCKOg2jGOx6M7deQ9Y8gfQ9oi7WYiEygoMghWdUP0lnzh3i
|
||||
a+rpJNPtRCIFScDWMazSvnmN6y5Y7W3dmOgLH8aN
|
||||
--- +/Cw6vq7b3Kn4D3/ogaSPxfxHBF0YxLXTxiskuD0vHg
|
||||
ðÎN½UÉÏôbÈ!D~Ò<>¬‰æ¿Aൟ¥1¯,ÙÍòe;y)N$Ô–NøO]9C_l{ œÎ„'Ù-÷q³‹<È°¢:¯ÊMÕ¯Á%ïqŒ¸Œ™í®“‰"Ûªð¦˜A®ÜMhè,iì<69>¦<EFBFBD>S9šÜyp&r /ŒÜÂlÙîÂ!.oƒ…ô¥èAº‰µ{#ƒt<08>ú¶–é4eA-ÆFšßÔ9+ˆ—"¿e¥7»pÏüN”¢BÚ×˶¾Úþ•OÝŸæOIÊ
kDèŒæ‹ˆZ=Pq—ðšQ üGB’²OÅj×ÒhHû+¡ëX<C3AB>¿‰Lά¶ÎP™ 4ÿÐX$¢Áy©÷ßÀxoÞáÄÍ <09>Ɩ܈]â»_‚µ³
\¼M<C2BC>7m.ByŽºlCr†-ŽHM¤“ãuªùu…+X}¦oÛgg.ÌŠG/$¯LXözÁBâ…¾¿¹sÔá©DÉÈK„Ç>þeü~2‡+W–ÿ‚©¹ƒÏq<C38F>Ï¢òPßSÕîRÆIñD {"jD¡‹ƒÉŸ9 åÈ<C3A5>¥= ¬SüÒ=<3D>®—HtHÕêbs¬Ÿµ£+èTÑãà0OŒ :¬£}˜mÓp«©ž¶
|
||||
z¥DÄ‹ƒÇ§±÷žmSå™8èïa±ípë2ÝÞ”° d°ÈÍÕSùròz½²í v#ÇÎœsñíÎÕ‰
0æMù¿ÂÎfÚA%Ó
™Ö³ïçD…뉆P<E280A0>drŠ£ÌX’IW±HôG©¾\IÑ8_ª„Lœ8Š Ù1MÚÚíôµMêz)ö$ì{ªM{S|b=ÙêÏkô*ïO”{Úêz•ª2:6}#–>_¨Ë-$ǪÈÑV‰ãp¨²("Wé«U[>>¤žÌ0Qh°-‰ê]¤§ªÞ†r;d&T¡£vÝ-i†Å]šû$ó°$<24>½aè™E94žéé`žçÐ<>í=!p©Æ[£ºqÖÏ›¦?U•/ÏkÀ… ÍwÓ^¥ZµÚIJèG¬lœiÇâè‘…€ö4C÷áb…ÑF÷´ªà+!Ót<C393>\¶t1ôc¡¯îSÇ~ž€+Òwª‘Ñ·[5¡jùû
g6†&©¯o¼´˜±ôÃ
|
|
@ -38,6 +38,7 @@ let
|
|||
inherit (lib.types)
|
||||
attrs
|
||||
attrsOf
|
||||
bool
|
||||
enum
|
||||
functionTo
|
||||
ints
|
||||
|
@ -129,6 +130,12 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
serveMedia = mkOption {
|
||||
type = bool;
|
||||
default = true;
|
||||
description = "Wther to serve the MEDIA_ROOT directory with nginx.";
|
||||
};
|
||||
|
||||
env_prefix = mkOption {
|
||||
type = str;
|
||||
default = toUpper name;
|
||||
|
@ -473,13 +480,18 @@ in
|
|||
{
|
||||
virtualHosts = mapAttrs' (
|
||||
name:
|
||||
{ domain, nginx, ... }:
|
||||
{
|
||||
domain,
|
||||
nginx,
|
||||
serveMedia,
|
||||
...
|
||||
}:
|
||||
nameValuePair domain (
|
||||
recursiveUpdate {
|
||||
locations = {
|
||||
"/".proxyPass = "http://unix:/run/django-apps/${name}.sock";
|
||||
"/static/".root = "/run/django-apps/${name}";
|
||||
"/media/".root = "/run/django-apps/${name}";
|
||||
"/media/".root = mkIf serveMedia "/run/django-apps/${name}";
|
||||
};
|
||||
} nginx
|
||||
)
|
||||
|
@ -720,5 +732,14 @@ in
|
|||
) config.extraServices)
|
||||
) cfg.sites);
|
||||
};
|
||||
|
||||
dgn-backups = {
|
||||
# jobs = mapAttrs' (
|
||||
# name: _: nameValuePair "dj-${name}" { settings.paths = [ "/var/lib/private/django-apps/${name}" ]; }
|
||||
# ) cfg.sites;
|
||||
postgresDatabases = builtins.map (name: "dj-${name}") (
|
||||
attrNames (filterAttrs (_: { dbType, ... }: dbType == "postgresql") cfg.sites)
|
||||
);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
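Review bot: The new `serveMedia` option's description in the hunk at `@ -129,6 +130,12 @@` has a typo ("Wther") and does not say what disabling it does: with `"/media/".root = mkIf serveMedia ...` in the `@ -473,13 +480,18 @@` hunk, a site with `serveMedia = false` gets no `/media/` location at all, so those requests fall through to the `"/"` location and are proxied to the application socket rather than being served by nginx. I would make that explicit so operators understand the access-control consequence: `description = "Whether to serve the MEDIA_ROOT directory directly with nginx. When disabled, requests under /media/ fall through to the application socket and are handled by the Django app.";`. The commented-out `# jobs = ...` block in the `@ -720,5 +732,14 @@` hunk is dead code and would be clearer as a one-line `# TODO` or removed.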
|
|
@ -34,9 +34,9 @@
|
|||
"url": "https://git.dgnum.eu/DGNum/cas-eleves.git"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "4590bba217cfb5bb2a04798a8344d5264715dc82",
|
||||
"revision": "acf98f1c6bfc97b7dae62e8cc723a1c16bf8d1a4",
|
||||
"url": null,
|
||||
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
|
||||
"hash": "1lhk46ickm2bv7rjzwb9ys7k7aj4kd75mbca27mkcddwpni5lm5l"
|
||||
},
|
||||
"cgroup-exporter": {
|
||||
"type": "Git",
|
||||
|
@ -262,9 +262,9 @@
|
|||
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
||||
},
|
||||
"branch": "main",
|
||||
"revision": "e8494b9d6110a97e2225b2fe43d29efa34cd9451",
|
||||
"revision": "cc01e1c2a6ecb1e38fde35ee54995a6a639fb057",
|
||||
"url": null,
|
||||
"hash": "1r2g3jdr311cn8y0cxvawc6qyp58lbydscp5hxadya2vl810vpln"
|
||||
"hash": "17a9vlwrk9365ccyl7a5xspqsn9wizcpwdpvr3qdimvq4fpwhjal"
|
||||
},
|
||||
"nix-reuse": {
|
||||
"type": "GitRelease",
|
||||
|
@ -346,9 +346,9 @@
|
|||
"url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma"
|
||||
},
|
||||
"branch": "master",
|
||||
"revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
|
||||
"revision": "d378d1ce00c676fa22ef0808cf73f3e1c34e0191",
|
||||
"url": null,
|
||||
"hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
|
||||
"hash": "00k5i3n1g869g4070ryfdwqnk3k78fan1s8pqmnbq2m7m29hmb8f"
|
||||
},
|
||||
"wp4nix": {
|
||||
"type": "Git",
|
||||
|
|
|
@ -14,52 +14,6 @@ in
|
|||
(local ./lix/01-disable-installChecks.patch)
|
||||
];
|
||||
|
||||
"nixos-24.05" = [
|
||||
(local ./nixpkgs/06-netbox-qrcode.patch)
|
||||
|
||||
# nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
|
||||
{
|
||||
id = "275165";
|
||||
hash = "sha256-9a26V3Pi8yLD3N9+mC1kvJoruxRTp/qOHapnt6VX7pw=";
|
||||
}
|
||||
|
||||
# karla: init at 2.004
|
||||
{
|
||||
_type = "commit";
|
||||
sha = "7c51104112e8ea0e2ac53bf7d535e677f7686a9e";
|
||||
hash = "sha256-1TBLzZkvkFhCL8RYVVIUhTyrH3+X1iJIMkyHffmrOWc=";
|
||||
}
|
||||
|
||||
# Crabfit: don't depend on all google-fonts
|
||||
(local ./nixpkgs/04-crabfit-karla.patch)
|
||||
|
||||
# nixos/kanidm: add basic provisioning
|
||||
{
|
||||
id = 251598;
|
||||
excludes = [ "pkgs/by-name/ka/kanidm/package.nix" ];
|
||||
hash = "sha256-z4b1ljwapfj4KpXEEAMmhYKogstKtURyq+hoJcfEXiw=";
|
||||
}
|
||||
|
||||
# kanidm-provision: 1.1.1 -> 1.1.2
|
||||
{
|
||||
id = 336836;
|
||||
hash = "sha256-4ihpxYdLp559RIcKRC6GPt5flLCohFiPGp0k9h1s1hs=";
|
||||
}
|
||||
|
||||
# nixos/kanidm: fix systemd service type
|
||||
{
|
||||
id = 337527;
|
||||
excludes = [ ".git-blame-ignore-revs" ];
|
||||
hash = "sha256-ca7CsPuWJqucC77ejsvoDAt+wxWLUP30IdXtZQVQrko=";
|
||||
}
|
||||
|
||||
# Add Collabora Online
|
||||
{
|
||||
id = 330708;
|
||||
hash = "sha256-655zkmch5VLXEUzhT6+b7QpywslDoIMZ8mY0II55Wlw=";
|
||||
}
|
||||
];
|
||||
|
||||
"nixos-24.11" = [
|
||||
# nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
|
||||
{
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
diff --git a/pkgs/by-name/cr/crabfit-frontend/package.nix b/pkgs/by-name/cr/crabfit-frontend/package.nix
|
||||
index 99d7be0fdeae..9f858e8a9a9e 100644
|
||||
--- a/pkgs/by-name/cr/crabfit-frontend/package.nix
|
||||
+++ b/pkgs/by-name/cr/crabfit-frontend/package.nix
|
||||
@@ -8,7 +8,7 @@
|
||||
nodejs,
|
||||
yarn,
|
||||
fixup_yarn_lock,
|
||||
- google-fonts,
|
||||
+ karla,
|
||||
api_url ? "http://127.0.0.1:3000",
|
||||
frontend_url ? "crab.fit",
|
||||
}:
|
||||
@@ -83,9 +83,7 @@ stdenv.mkDerivation (finalAttrs: {
|
||||
patchShebangs node_modules
|
||||
|
||||
mkdir -p src/app/fonts
|
||||
- cp "${
|
||||
- google-fonts.override { fonts = [ "Karla" ]; }
|
||||
- }/share/fonts/truetype/Karla[wght].ttf" src/app/fonts/karla.ttf
|
||||
+ cp "${karla}/share/fonts/truetype/Karla-Regular.ttf" src/app/fonts/karla.ttf
|
||||
|
||||
runHook postConfigure
|
||||
'';
|