feat(compute01): Deploy dgsi

This commit is contained in:
Tom Hubrecht 2024-09-24 20:54:22 +02:00
parent dd5c0c79f7
commit 2b75890752
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
7 changed files with 266 additions and 8 deletions

View file

@ -1,18 +1,19 @@
{ lib, ... }: { lib, ... }:
lib.extra.mkConfig { lib.extra.mkConfig {
# List of modules to enable
enabledModules = [ enabledModules = [
# List of modules to enable # INFO: This list needs to stay sorted alphabetically
"dgn-backups" "dgn-backups"
"dgn-web"
"dgn-chatops" "dgn-chatops"
"dgn-web"
]; ];
# List of services to enable
enabledServices = [ enabledServices = [
# List of services to enable # INFO: This list needs to stay sorted alphabetically
"arkheon" "arkheon"
"takumi" "dgsi"
"signal-irc-bridge"
"ds-fr" "ds-fr"
"grafana" "grafana"
"hedgedoc" "hedgedoc"
@ -25,8 +26,10 @@ lib.extra.mkConfig {
"postgresql" "postgresql"
"rstudio-server" "rstudio-server"
"satosa" "satosa"
"signal-irc-bridge"
"signald" "signald"
"stirling-pdf" "stirling-pdf"
"takumi"
"telegraf" "telegraf"
"vaultwarden" "vaultwarden"
"zammad" "zammad"

View file

@ -0,0 +1,180 @@
{
config,
lib,
pkgs,
sources,
...
}:
let
inherit (lib) mapAttrsToList;
python =
let
python3 = pkgs.python312;
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
in
python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-allauth
django-allauth-cas
django-browser-reload
django-bulma-forms
django-sass-processor
django-sass-processor-dart-sass
django-unfold
pykanidm
python-cas
loadcredential
;
};
};
pythonEnv = python.withPackages (ps: [
ps.django
ps.gunicorn
ps.psycopg
ps.django-compressor
# Local packages
ps.django-allauth
ps.django-allauth-cas
ps.django-bulma-forms
ps.django-sass-processor
ps.django-sass-processor-dart-sass
ps.django-unfold
ps.loadcredential
ps.pykanidm
ps.python-cas
]);
staticDrv = pkgs.stdenv.mkDerivation {
name = "dgsi-static";
src = sources.dgsi;
sourceRoot = "source/src";
nativeBuildInputs = [
pkgs.dart-sass
pythonEnv
];
configurePhase = ''
export DGSI_STATIC_ROOT=$out/static
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
export DGSI_KANIDM_CLIENT="dgsi_test";
export DGSI_KANIDM_AUTH_TOKEN="fake.token";
'';
doBuild = false;
installPhase = ''
mkdir -p $out/static
python3 manage.py compilescss
python3 manage.py collectstatic
'';
};
in
{
users = {
users.nginx.extraGroups = [ "django-apps" ];
groups.django-apps = { };
};
systemd = {
services = {
dj-dgsi = {
description = "DGSI web app";
requires = [ "dj-dgsi.socket" ];
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
DynamicUser = true;
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path;
KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path;
KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path;
};
RuntimeDirectory = "django-apps/dgsi";
StateDirectory = "django-dgsi";
UMask = "0027";
User = "dj-dgsi";
WorkingDirectory = "${sources.dgsi}/src";
};
environment = {
DGSI_ALLOWED_HOSTS = builtins.toJSON [
"profil.dgnum.eu"
"dgsi.dgnum.eu"
];
DGSI_STATIC_ROOT = staticDrv;
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
};
path = [ pythonEnv ];
script = ''
python3 manage.py migrate
gunicorn --pythonpath ${sources.dgsi}/src --bind unix:/run/django-apps/dgsi.sock --workers=4 app.wsgi
'';
};
};
sockets."dj-dgsi" = {
description = "Socket for the DGSI Django Application";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = "/run/django-apps/dgsi.sock";
SocketMode = "600";
SocketUser = config.services.nginx.user;
};
};
mounts = [
{
where = "/run/django-apps/dgsi/media";
what = "/var/lib/django-apps/dgsi/media";
options = "bind";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
upheldBy = [ "dj-dgsi.service" ];
}
];
};
dgn-redirections.redirections."dgsi.dgnum.eu" = "profil.dgnum.eu";
services = {
postgresql = {
ensureDatabases = [ "dgsi" ];
ensureUsers = [
{
name = "dgsi";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."profil.dgnum.eu" = {
enableACME = true;
forceSSL = true;
serverAliases = [ "dgsi.dgnum.eu" ];
locations = {
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
"/static/".root = staticDrv;
"/media/".root = "/run/django-apps/dgsi";
};
};
};
}

Binary file not shown.

View file

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 7Nd4K/ivG8LyRcT+XhfN8K8OmoGKUPiUacgd5H/YyCY
qHdajtgWM/ON3VHB76DhkDF0BCOhA5UtDTTiOM8Woy8
-> ssh-ed25519 QlRB9Q 25AYqzBKePKEH4Ml+9xB+YxSvIIMY/M7Qo+LomdivHM
SQN/1T/Judvtk8TjhUxhCsJVS73bLqaih6Gn8weVjvs
-> ssh-ed25519 r+nK/Q iHlAURzupmiysH9XtEqhg+wbgYlsdLHvVyRzMsWsVmg
R6yA3bt+5E5vhIVEHxu8h3sB9FjLiUH0tp5SKzHM8Kk
-> ssh-rsa krWCLQ
BxDfl3xriUdWiihr0RtfSpJ0UtDnF1oTa3n/1w4AMPNowh+kIVRKuaWFa+sVIJMB
RZc+vdymNoUg/i3lAzlX2mo17LGEnX1jGSHtsMY7j1psS4b72i3hCvBLQ9n+kir7
ub1CVvrsgn6SMzjQWrSNP6IsIPmYcgfJ2pG0J7oD8T6s0hnemm9ywtCmdpiVjh+O
C2DB10qgVACLWOd/Gqd7ILiqeTOlaDHjuFJ3xRoUd7jzeOnG4BZOV8mfT443MoIa
Kg/prr+MN9uf42a6iLb5avf8ZZLnrzoIyT5vJ3BFt1aUz3FX4DyZUrZmhm9pmYR9
4YTArDtTP6X3+Rimd5rlbA
-> ssh-ed25519 /vwQcQ NkudSMrSLIE0WOE3ScJSMBKwVnuz9p3UwKGg9SPDGiY
w2rE2oO1bs0eoySeS0tT0Ic6Hji9qD7iNn0qYiwc2kU
-> ssh-ed25519 0R97PA YH3uoQ/zJR/lrvC0TuWTSig/AJYsxI7sVrEhS173i1E
DOdCOmorgGsg4hAXV0nYg9JeDmon2JY02iKq614jxUA
-> ssh-ed25519 JGx7Ng YV6RIaM6oIoajPXVDrOuLRy2897e8LUEibyLiS/gf0o
xz+guHt2N+tfIX5kvpxGDNqaez2VA8dD+QTu7fK7Pf4
-> ssh-ed25519 5SY7Kg 4DhAsi0gqOunzEzlFFKeP3qYWos9Mc1UpVCDVQIBEws
4/duAufrk/GHSbj5tEXdL+C+2AO+Es375as+/R+6PgY
-> ssh-ed25519 p/Mg4Q +5WtmMV6ruLgQoTZpmBztrH+FS2aCKFcwuLKcweLr3s
xRIVcBt4wV2PtEhO68sJ8/FB177QAq6zoZ1Dwfg1kPo
-> ssh-ed25519 tDqJRg wWaBzLqsoPa8/0hjl4eu07dQvGFMLI3R6IrNNZzquBU
ppzkds/p5BF2dIRZERhDD3rtQNxKhlIaoxCSIf20yJQ
-> T9':1EB-grease / #'BD[s
lZHA3xsgAESG
--- uk+H++45TIOcuW3Qj4/D1S65Kw8OEb5ZHqWWIlYlSIg
u=J¾f£ÏtüÉíãQ²]¶Epfž ÍêOëeëd<Í…ã6<C3A3> G'Æ¡a.ήշ^H¾´ñú|Lß*QN5öìþMGatʶ±§

View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
-> ssh-rsa krWCLQ
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
gU32t9qy5EvTbzliWpAvxw
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
-> `--grease N]PH
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
:È/ Àn ž±Ý§¦p=fu²hãT¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰…m3Ü&<26>g¤(ö<>5 Û¶Ã

View file

@ -6,9 +6,12 @@ in
lib.setDefault { inherit publicKeys; } [ lib.setDefault { inherit publicKeys; } [
"arkheon-env_file" "arkheon-env_file"
"bupstash-put_key" "bupstash-put_key"
"dgsi-kanidm_auth_token_file"
"dgsi-kanidm_secret_file"
"dgsi-secret_key_file"
"ds-fr-secret_file" "ds-fr-secret_file"
"grafana-smtp_password_file"
"grafana-oauth_client_secret_file" "grafana-oauth_client_secret_file"
"grafana-smtp_password_file"
"hedgedoc-environment_file" "hedgedoc-environment_file"
"librenms-database_password_file" "librenms-database_password_file"
"librenms-environment_file" "librenms-environment_file"

View file

@ -50,6 +50,17 @@
"url": null, "url": null,
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna" "hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
}, },
"dgsi": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/dgsi.git"
},
"branch": "main",
"revision": "8a46e4ddb522a145046d9a5bfc729a8e46d99f44",
"url": null,
"hash": "1blyh1xcppcb6qjaww8aw00c4nh1dl50i64bf6ampj0idx0y93qh"
},
"disko": { "disko": {
"type": "GitRelease", "type": "GitRelease",
"repository": { "repository": {
@ -229,9 +240,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
}, },
"branch": "main", "branch": "main",
"revision": "c3257569375903f94ad1af9fe8b77186bd824332", "revision": "d1af0a922edc1ef82b023ebe1158b5c1e02b4f2d",
"url": null, "url": null,
"hash": "01kmivbk0ji5n7fifydq0wvlv34v1ima66r6icxrfykshh635w4p" "hash": "1vbhprwnjn6r0wd70ymv78yry6cbz6ip06q7bl3jwp6v0lqgwmf4"
}, },
"nixos-23.11": { "nixos-23.11": {
"type": "Channel", "type": "Channel",