Tom Hubrecht
88d9b8c3e3
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module for the DGSI Django application: a gunicorn service behind a
# systemd-activated unix socket, static assets built as a Nix derivation, a
# PostgreSQL database owned by the service role, and an nginx virtual host.
{
  config,
  lib,
  pkgs,
  utils,
  sources,
  ...
}:

let
  inherit (lib) toLower;

  # Python 3.12 whose package set is extended with the application
  # dependencies packaged in the pinned `sources.nix-pkgs` tree.
  python =
    let
      python3 = pkgs.python312;
      nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
    in
    python3.override {
      packageOverrides = _: _: {
        inherit (nix-pkgs)
          django-allauth
          django-allauth-cas
          django-browser-reload
          django-bulma-forms
          django-sass-processor
          django-sass-processor-dart-sass
          django-unfold
          pykanidm
          python-cas
          loadcredential
          xlwt
          ;
      };
    };

  # Interpreter environment shared by the static-files build, the `preStart`
  # migration step and the gunicorn `ExecStart` below.
  pythonEnv = python.withPackages (
    ps:
    [
      ps.django
      ps.gunicorn
      ps.psycopg
      ps.django-compressor
      ps.django-import-export

      # Local packages
      ps.django-allauth
      ps.django-allauth-cas
      ps.django-browser-reload
      ps.django-bulma-forms
      ps.django-sass-processor
      ps.django-sass-processor-dart-sass
      ps.django-unfold
      ps.loadcredential
      ps.pykanidm
      ps.python-cas
    ]
    # SAML support for allauth comes from its optional dependency group.
    ++ ps.django-allauth.optional-dependencies.saml
  );

  # Compiled SCSS and collected static files. nginx serves these directly
  # (see the "/static/" location below); the application never does.
  staticDrv = pkgs.stdenv.mkDerivation {
    name = "dgsi-static";

    src = sources.dgsi;
    sourceRoot = "source/src";

    nativeBuildInputs = [
      pkgs.dart-sass
      pythonEnv
    ];

    # The Django settings module is evaluated while collecting static files,
    # so it needs a minimal environment. Every value here is a build-time
    # placeholder: no real secret enters the build sandbox, and the real
    # credentials reach the service only through `LoadCredential` below.
    # NOTE(review): CREDENTIALS_DIRECTORY points at a path that does not exist
    # in the sandbox; presumably loadcredential falls back to the environment
    # variables exported here — confirm against the application's settings.
    configurePhase = ''
      export DGSI_STATIC_ROOT=$out/static
      export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
      export DGSI_KANIDM_CLIENT="dgsi_test"
      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
      export DGSI_X509_KEY=""
      export DGSI_X509_CERT=""
    '';

    doBuild = false;

    installPhase = ''
      mkdir -p $out/static
      python3 manage.py compilescss
      python3 manage.py collectstatic
    '';
  };
in

{
  users = {
    # nginx joins the shared group so it can read media files that the
    # service writes with `UMask = "0027"` (group-readable, others denied).
    users.nginx.extraGroups = [ "django-apps" ];
    groups.django-apps = { };
  };

  systemd = {
    services = {
      dj-dgsi = {
        description = "DGSI web app";

        requires = [ "dj-dgsi.socket" ];
        wantedBy = [ "multi-user.target" ];
        after = [
          "network.target"
          "postgresql.service"
        ];

        serviceConfig = {
          DynamicUser = true;
          # Secrets are age-encrypted files handed to the service through
          # systemd's credential mechanism, not through the `environment`
          # block below. The age secret name is derived from the credential
          # name as "dgsi-<lowercased name>_file" (e.g. "dgsi-secret_key_file").
          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
            "EMAIL_HOST_PASSWORD"
            "KANIDM_AUTH_TOKEN"
            "KANIDM_SECRET"
            "SECRET_KEY"
            "X509_CERT"
            "X509_KEY"
          ];
          RuntimeDirectory = "django-apps/dgsi";
          StateDirectory = "django-apps/dgsi";
          # Files created by the application are never world-readable.
          UMask = "0027";
          User = "dj-dgsi";
          Group = "django-apps";
          WorkingDirectory = sources.dgsi;
          # SIGHUP makes gunicorn gracefully restart its workers.
          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
          KillMode = "mixed";
          # NOTE(review): `notify` relies on gunicorn reporting readiness to
          # systemd; verify the packaged gunicorn version does so.
          Type = "notify";
          # Arguments are escaped for systemd's ExecStart quoting rules.
          ExecStart = utils.escapeSystemdExecArgs [
            (lib.getExe' pythonEnv "gunicorn")
            "--workers"
            4
            "--bind"
            "unix:/run/django-apps/dgsi.sock"
            "--pythonpath"
            "src"
            "app.wsgi"
          ];
        };

        # Non-secret configuration only; structured values are passed as JSON
        # strings. Secrets must stay in `LoadCredential`, since the
        # environment block is visible to anyone who can inspect the unit.
        environment = {
          DGSI_ALLOWED_HOSTS = builtins.toJSON [
            "profil.dgnum.eu"
            "dgsi.dgnum.eu"
          ];

          DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
          DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
          DGSI_EMAIL_USE_SSL = builtins.toJSON true;
          DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
          DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";

          DGSI_KANIDM_CLIENT = "dgsi";
          DGSI_KANIDM_URI = "https://sso.dgnum.eu";

          DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
          DGSI_STATIC_ROOT = "${staticDrv}/static";

          # No HOST/USER/PASSWORD is given, so the connection presumably goes
          # over the local socket as the role matching `User` — see the
          # `ensureUsers` entry below; confirm against the Django settings.
          DGSI_DATABASES = builtins.toJSON {
            default = {
              ENGINE = "django.db.backends.postgresql";
              NAME = "dj-dgsi";
            };
          };
          DJANGO_SETTINGS_MODULE = "app.settings";
        };

        path = [ pythonEnv ];

        # Apply pending schema migrations before gunicorn starts.
        preStart = ''
          python3 src/manage.py migrate --no-input
        '';
      };
    };

    # Socket activation. The socket is owned by the nginx user with mode 600,
    # so only the reverse proxy can reach the application directly.
    sockets."dj-dgsi" = {
      description = "Socket for the DGSI Django Application";
      wantedBy = [ "sockets.target" ];

      socketConfig = {
        ListenStream = "/run/django-apps/dgsi.sock";
        SocketMode = "600";
        SocketUser = config.services.nginx.user;
      };
    };

    # Bind-mount the media directory under the runtime directory so nginx
    # serves uploads from a path under /run (see the "/media/" location
    # below). The mount follows the service's lifecycle.
    mounts = [
      {
        where = "/run/django-apps/dgsi/media";
        what = "/var/lib/django-apps/dgsi/media";
        options = "bind";

        after = [ "dj-dgsi.service" ];
        partOf = [ "dj-dgsi.service" ];
        upheldBy = [ "dj-dgsi.service" ];
      }
    ];
  };

  # The former hostname redirects permanently to the canonical one.
  dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";

  services = {
    postgresql = {
      # Database and owning role share the service's `User` name.
      ensureDatabases = [ "dj-dgsi" ];
      ensureUsers = [
        {
          name = "dj-dgsi";
          ensureDBOwnership = true;
        }
      ];
    };

    # TLS via ACME, plain HTTP forced to HTTPS. Static and media files are
    # served by nginx from the store path and the bind mount respectively;
    # everything else is proxied to the gunicorn socket.
    nginx.virtualHosts."profil.dgnum.eu" = {
      enableACME = true;
      forceSSL = true;

      locations = {
        "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
        "/static/".root = staticDrv;
        "/media/".root = "/run/django-apps/dgsi";
      };
    };
  };
}