From 3851a66193fa7cc54a56d58b150b0b473bc2c49e Mon Sep 17 00:00:00 2001
From: hackens server <hackens@ens.fr>
Date: Wed, 8 Mar 2023 00:48:11 +0100
Subject: [PATCH] add_hackens_orga

---
 hosts/org/configuration.nix      |   1 +
 hosts/org/orga/authens.nix       |  12 ++++++
 hosts/org/orga/default.nix       |  42 ++++++++++++++++++++
 hosts/org/orga/mkAssets.nix      |  27 +++++++++++++
 hosts/org/orga/module.nix        |  65 +++++++++++++++++++++++++++++++
 hosts/org/orga/python-cas.nix    |  13 +++++++
 hosts/org/orga/python.nix        |  20 ++++++++++
 hosts/org/orga/shell.nix         |   6 +++
 hosts/org/orga/static-assets.nix |  10 +++++
 secrets/default.nix              |   4 ++
 secrets/django.age               | Bin 0 -> 1654 bytes
 secrets/secrets.nix              |   3 ++
 12 files changed, 203 insertions(+)
 create mode 100644 hosts/org/orga/authens.nix
 create mode 100644 hosts/org/orga/default.nix
 create mode 100644 hosts/org/orga/mkAssets.nix
 create mode 100644 hosts/org/orga/module.nix
 create mode 100644 hosts/org/orga/python-cas.nix
 create mode 100644 hosts/org/orga/python.nix
 create mode 100644 hosts/org/orga/shell.nix
 create mode 100644 hosts/org/orga/static-assets.nix
 create mode 100644 secrets/django.age

diff --git a/hosts/org/configuration.nix b/hosts/org/configuration.nix
index 0f6dd94..86eb3a2 100644
--- a/hosts/org/configuration.nix
+++ b/hosts/org/configuration.nix
@@ -15,6 +15,7 @@
       ./nginx.nix
       ./dokuwiki.nix
       ./matterbridge.nix
+      ./orga
     ];
 
   networking.hostName = "hackens-org"; # Define your hostname.
diff --git a/hosts/org/orga/authens.nix b/hosts/org/orga/authens.nix
new file mode 100644
index 0000000..d7b5f82
--- /dev/null
+++ b/hosts/org/orga/authens.nix
@@ -0,0 +1,12 @@
+{ lib, pythoncas, django, ldap, buildPythonPackage }:
+buildPythonPackage rec {
+  pname = "authens";
+  version = "v0.1b5";
+  doCheck = false;
+  src = builtins.fetchGit {
+    url = "https://git.eleves.ens.fr/klub-dev-ens/authens.git";
+    #rev = "master";
+    #sha256 = "sha256-R0Nw212/BOPHfpspT5wzxtji1vxZ/JOuwr00naklWE8=";
+  };
+  propagatedBuildInputs = [ django ldap pythoncas ];
+}
diff --git a/hosts/org/orga/default.nix b/hosts/org/orga/default.nix
new file mode 100644
index 0000000..32ee748
--- /dev/null
+++ b/hosts/org/orga/default.nix
@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+let
+  assets = import ./mkAssets.nix {
+    inherit pkgs;
+    app = "hackens_orga";
+    settings = config.services.django.hackens_orga.settings;
+    source = pkgs.fetchgit {
+      url = "https://git.rz.ens.wtf/HackENS/hackens-orga.git";
+      rev = "1a7a2c00d7e2efd380cc63164e6b77542c465c2e";
+      hash = "sha256-tpRCy7kDqd129j882e2FtCKS/JgcckmTFaTPElLbcjg="; #lib.fakeSha256;
+    };
+  };
+in
+{
+  imports = [
+    ./module.nix
+  ];
+  services.nginx = {
+    enable = true;
+    virtualHosts."new.hackens.org" = {
+      locations = {
+        "/orga" = {
+          proxyPass = "http://localhost:51666/orga";
+          extraConfig = ''
+            proxy_set_header SCRIPT_NAME /orga;
+          '';
+        };
+        "/static".root = assets.static-assets;
+      };
+    };
+  };
+  services.django.hackens_orga = {
+    enable = true;
+    assets = assets;
+    settings = {
+      HACKENS_ORGA_DEBUG = "0";
+      HACKENS_ORGA_ALLOWED_HOSTS = [ "new.hackens.org" ];
+      HACKENS_ORGA_SECRET_KEY._file = config.age.secrets.django.path;
+      HACKENS_ORGA_DB_FILE = "/var/lib/hackens-orga/db.sqlite3";
+    };
+  };
+}
diff --git a/hosts/org/orga/mkAssets.nix b/hosts/org/orga/mkAssets.nix
new file mode 100644
index 0000000..61e744a
--- /dev/null
+++ b/hosts/org/orga/mkAssets.nix
@@ -0,0 +1,27 @@
+{ pkgs, settings, source, app }:
+let
+  manage-py-file = "${source}/${app}/manage.py";
+  python = import ./python.nix { inherit pkgs; };
+  static-assets = pkgs.callPackage ./static-assets.nix { inherit python source app; envPrefix = "HACKENS_ORGA_"; };
+  mkEnv = settings: let # make env file to source before using manage.py and other commands
+    lib = pkgs.lib;
+    mkVarVal = v: let
+      isHasAttr = s: lib.isAttrs v && lib.hasAttr s v;
+    in
+    if builtins.isString v then v
+    else if builtins.isList v && lib.any lib.strings.isCoercibleToString v then (lib.concatMapStringsSep "," toString v)
+    else if builtins.isInt v then toString v
+    else if builtins.isBool v then toString (if v then 1 else 0)
+    else if isHasAttr "_file" then "$(cat ${v._file} | xargs)"
+    else if isHasAttr "_raw" then v._raw
+    else abort "The django conf value ${lib.generators.toPretty {} v} can not be encoded.";
+  in lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "export ${k}=${mkVarVal v}") settings);
+  envFile = pkgs.writeScript "django-${app}-env.sh" (mkEnv settings);
+  managePy = pkgs.writeScript "manage-${app}" ''
+    source ${envFile}
+    ${python}/bin/python ${manage-py-file} $@
+  '';
+in
+{
+  inherit managePy static-assets envFile source python;
+}
diff --git a/hosts/org/orga/module.nix b/hosts/org/orga/module.nix
new file mode 100644
index 0000000..9f32a2e
--- /dev/null
+++ b/hosts/org/orga/module.nix
@@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+let
+  app = "hackens_orga";
+  cfg = config.services.django.${app};
+  assets = cfg.assets;
+in
+{
+
+  options = {
+    services.django.${app} = {
+      enable = lib.mkEnableOption (lib.mdDoc "Enable django ${app}");
+      settings = lib.mkOption {
+        type = lib.types.submodule {
+          freeformType = with lib.types; attrsOf anything;
+          options = {
+            HACKENS_ORGA_STATIC_ROOT = lib.mkOption {
+              type = lib.types.path;
+              default = builtins.toString assets.static-assets;
+            };
+          };
+        };
+      };
+      assets = lib.mkOption {
+        type = lib.types.attrsOf lib.types.anything;
+        description = lib.mdDoc "Assets for django";
+      };
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 51666;
+      };
+      processes = lib.mkOption {
+        type = lib.types.int;
+        default = 2;
+      };
+      threads = lib.mkOption {
+        type = lib.types.int;
+        default = 2;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.services."django-${app}" = {
+      description = "${app} django service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        User = "django-${app}";
+      };
+      script = ''
+        source ${assets.envFile}
+        ${assets.managePy} migrate
+        ${assets.python}/bin/gunicorn ${app}.wsgi \
+            --pythonpath ${assets.source}/${app} \
+            -b 127.0.0.1:${toString cfg.port} \
+            --workers=${toString cfg.processes} \
+            --threads=${toString cfg.threads}
+      '';
+    };
+    users.users."django-${app}" = {
+      isSystemUser = true;
+      group = "django-${app}";
+    };
+    users.groups."django-${app}" = {};
+  };
+}
diff --git a/hosts/org/orga/python-cas.nix b/hosts/org/orga/python-cas.nix
new file mode 100644
index 0000000..e0bba1c
--- /dev/null
+++ b/hosts/org/orga/python-cas.nix
@@ -0,0 +1,13 @@
+{ lib, requests, lxml, six, buildPythonPackage, fetchFromGitHub }:
+buildPythonPackage rec {
+  pname = "python-cas";
+  version = "1.6.0";
+  doCheck = false;
+  src = fetchFromGitHub {
+    owner = "python-cas";
+    repo = "python-cas";
+    rev = "v1.6.0";
+    sha512 = "sha512-qnYzgwELUij2EdqA6H17q8vnNUsfI7DkbZSI8CCIGfXOM+cZ7vsWe7CJxzsDUw73sBPB4+zzpLxvb7tpm/IDeg==";
+  };
+  propagatedBuildInputs = [ requests lxml six ];
+}
diff --git a/hosts/org/orga/python.nix b/hosts/org/orga/python.nix
new file mode 100644
index 0000000..dc77ffc
--- /dev/null
+++ b/hosts/org/orga/python.nix
@@ -0,0 +1,20 @@
+{ pkgs ? import ../nix { }, debug ? false }:
+let
+  python = pkgs.python310.override {
+    packageOverrides = self: super: {
+      django = super.django_4;
+      authens = self.callPackage ./authens.nix { };
+      pythoncas = self.callPackage ./python-cas.nix { };
+    };
+  };
+in
+python.withPackages (ps: [
+  ps.django
+  ps.djangorestframework
+  ps.authens
+  ps.gunicorn
+] ++ pkgs.lib.optionals debug [
+  ps.django-debug-toolbar
+  ps.black
+  ps.isort
+])
diff --git a/hosts/org/orga/shell.nix b/hosts/org/orga/shell.nix
new file mode 100644
index 0000000..69ca0e9
--- /dev/null
+++ b/hosts/org/orga/shell.nix
@@ -0,0 +1,6 @@
+{ pkgs ? import ../nix { } }:
+pkgs.mkShell {
+  buildInputs = [
+    (import ./python.nix { inherit pkgs; debug = true; })
+  ];
+}
diff --git a/hosts/org/orga/static-assets.nix b/hosts/org/orga/static-assets.nix
new file mode 100644
index 0000000..4c4e128
--- /dev/null
+++ b/hosts/org/orga/static-assets.nix
@@ -0,0 +1,10 @@
+{ pkgs, python, source, app, envPrefix ? ""}:
+pkgs.runCommand "django-static" { } ''
+  mkdir -p $out/static
+  export ${envPrefix}SECRET_KEY="collectstatic"
+  export ${envPrefix}STATIC_ROOT=$out/static
+  export ${envPrefix}DEBUG=0
+  export ${envPrefix}ALLOWED_HOSTS=
+  export ${envPrefix}DB_FILE=
+  ${python}/bin/python ${source}/${app}/manage.py collectstatic
+''
diff --git a/secrets/default.nix b/secrets/default.nix
index 9853933..5fac86f 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -4,6 +4,10 @@
     file = ./wiki-openID.age;
     owner = "dokuwiki";
   };
+  age.secrets."django" = {
+    file = ./django.age;
+    owner = "django-hackens_orga";
+  };
   age.secrets."matterbridge-env" = {
     file = ./matterbridge-env.age;
     owner = "matterbridge";
diff --git a/secrets/django.age b/secrets/django.age
new file mode 100644
index 0000000000000000000000000000000000000000..a5b4e5daa2d7ad4bf63fa33a45fee480621a8b93
GIT binary patch
literal 1654
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUla<4G=OIL_Y&yV!>
zPx1E53AYR{3C}AiN=vc`iYSUSO)U@bNc1%bG%)b+4^2!rwBV{p3#$yw2`$g7a5kv4
zNH#Apa(BuPN{kHk_D%Fp4~cSh%ZxC{$#5w(3PiUpJ0d^HJ5Zs*GN{7D#IMrFrQ9zk
z%Eu`!)z8~3Ej2YI!!^UF*e%c`!$Uu_qRKG9pqMKsve3gT!=xfGG|ME%(Z|@lEU&Q0
zDBmZ=qc|(GB*j!ez$G|8)xFZvEE3%|^Ngr$gLDN;ugHvua`Rl5Fw;u+qB759?Xa>e
z&(PeUP#^6A|9lVqU}y8B0)w3V922gjGNUq&T*nfxq;Ty-gQOI{<ba~gqT)zXf5S|t
z$kaeX-y*l*+_2K@ynL8#Ma78<*+t>bK7m}>6^5y~CWYzV-kv#?rg^?0rs3v6iDp?9
zDN(tJt|_i1Ia%2u{)VZcRV6ur0m1qqg=yt3t_EhFVHU=wVNqpVS$<WOc@bfbImITf
z<vAf);W-tlPNt>lu7yRZRl%WYWu9i)W&uT|X1>~GCTV6V870mIg%w6VncB|fjs?c$
zTouNl+L?(#79JLUSuUkH1(hWQImxBvMrEGvVR_nKZiengrIkrJ>3(UMAr*N!Ug@b}
z>8_Ol7M|hGMs8{Trd)*?=0=WQDVde2jwxP-UP&STE|G?TRY}45*<Q(xrg`pp6#;&}
z=BeKP`sK#OZpD@+1*th{r5RbC=}wlGd4^m*Ipuk-iBai>-bSg;#`-B$+KI*9rp85K
zsoGB38Ij2zW~r`)d2U($mZ?Tr=}}(J$t3}Pjzw;PDLyHw$zC2@MQ%x!$tIcFNp2C|
zS^7DlZl(I+E*L3EzpOkkIZ(l@v?RdHv&1{a$fwBMBs;CJvdqOi$j8jgA~QM4-O{Ao
z+1V?pAj=~s*OANLqBz(mv%pw8I5Wu6!YSCapx83U%_2ERzoNuAH>9dOCA6ThN<S$x
zv>X<<uv}sgWN9AYsE}0U8&Z{?oe@~%TwYm~sjpvXQkj_I8EoR4=3Nn9;A&prp6*#0
z92xHF%M}^y>6u*UR_<=*nU)janrIN<S7_$p;$<Ec=IUWtoL_33VXp7zl<4h`k#3XA
zLYz#~74i&{d@7@SP4!(ZL(IKg^NqZ<6U}@qT+578jY|#vL$mVJyo=nkj01v0xgsOO
z3yUhv(!;aLeB3iD+&wJAd`v<rOcM1?O-(%tT|7<QQa!v3%+gCe(ft-)YT@M*s8AA+
z?BwB{s_$u95S&?_R1sO6;h!5;8m66_nw;jF92Mb~n`BvOmQ!36$mQykWA5o|5}ab>
z7h;?r8dMgpUE!S_;-8-A7nS918WHB|>se71<(pcC5t6Q+C5B~=3P}|fCFQ=so&{x2
zQRaTh1{S%cDL&;Tkx8aW-f8CMg+>LHp;cy8hJG#<T<-a4B^5cDm4-$7$)*uzRl(sN
zj+LdpWf|E;IY#a|;W-{zS=lM!rd8P(sU*VGu)HE&!N<ubD4?_~sL05`Nk6g7H7dd=
z$1pJ{$+<W(IVse#%*!t*Gr%`AJ+Ug3%g8ApP&*>cFsmxW*(cZ1$2~I4v&7gb%hcB(
zCn&ij%rql3-_yy^Io}r?Zz;OzMX8C!sS06*MUe`5MGA&W(ZM#gih*2Sex9XXp%GE8
zf%)a`5k`q#1zsj*p=HjdsXpmO?%Gj>A<2nGra3{$Rb@`b8Ah%?m44>_run7$*_9@q
z>1iQcMTM5xDV0_FIf2Q^rN!E2PNoK-mbqqriKPW*W@Y6WWu{SPMM?gyc@eIbjs=;4
z?v<s%T)Mit3Yq4fMOhV5<-rC%8Ii%pM&bS*&Ymv$5oxBCCZ=ANg?SNXl@Xz)8RZ2Q
zT)k%dzX((xNl=TGwR?WFMc!|>X!56U)!XgKD}HaiuyCH$j#FjX?)y$(nD_8WTN#7V
nUE}SR+~Sfm{Y=FlJUKb5!|uR}uOIyrj&U>l|BzYh9pMB36&EBA

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f9c06e8..51a3c91 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,4 +11,7 @@ in
   "matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
     ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
     ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
+  "django.age".publicKeys = (readpubkeys "sinavir")
+    ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
+    ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
 }