feat(compute01): Deploy demarches simplifiees

2023-09-24 13:16:22 +02:00 · 2023-09-24 13:16:22 +02:00 · 9f24f1d98d
commit 9f24f1d98d
parent eb329666ce
16 changed files with 5257 additions and 1 deletions
--- a/machines/compute01/ds-fr/module.nix
+++ b/machines/compute01/ds-fr/module.nix
@ -0,0 +1,396 @@
+# Copyright Tom Hubrecht, (2023)
+#
+# Tom Hubrecht <tom@hubrecht.ovh>
+#
+# This software is a computer program whose purpose is to configure
+# machines and servers with NixOS.
+#
+# This software is governed by the CeCILL  license under French law and
+# abiding by the rules of distribution of free software.  You can  use,
+# modify and/ or redistribute the software under the terms of the CeCILL
+# license as circulated by CEA, CNRS and INRIA at the following URL
+# "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and  rights to copy,
+# modify and redistribute granted by the license, users are provided only
+# with a limited warranty  and the software's author,  the holder of the
+# economic rights,  and the successive licensors  have only  limited
+# liability.
+#
+# In this respect, the user's attention is drawn to the risks associated
+# with loading,  using,  modifying and/or developing or reproducing the
+# software by the user in light of its specific status of free software,
+# that may mean  that it is complicated to manipulate,  and  that  also
+# therefore means  that it is reserved for developers  and  experienced
+# professionals having in-depth computer knowledge. Users are therefore
+# encouraged to load and test the software's suitability as regards their
+# requirements in conditions enabling the security of their systems and/or
+# data to be ensured and,  more generally, to use and operate it in the
+# same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had
+# knowledge of the CeCILL license and that you accept its terms.
+
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib)
+    mdDoc mkDefault mkEnableOption mkIf mkOption
+
+    optional optionalString
+
+    types;
+
+  cfg = config.services.demarches-simplifiees;
+
+  settingsFormat = pkgs.formats.keyValue { };
+
+  env = settingsFormat.generate "ds-fr-env" cfg.settings;
+
+  ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
+    set -a
+    cd ${cfg.package}
+
+    ${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
+    source ${env}
+
+    BIN="$1"
+    shift
+
+    SUDO="exec"
+    if [[ $USER != ${cfg.user} ]]; then
+      SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
+    fi
+
+    $SUDO ${cfg.package}/bin/$BIN "$@"
+  '';
+
+in {
+  options.services.demarches-simplifiees = {
+    enable = mkEnableOption "demarches-simplifiees.";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.callPackage ./package {
+        inherit (cfg) initialDeploymentDate dataDir logDir;
+      };
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "ds-fr";
+      description = mdDoc "User account under which DS runs.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "ds-fr";
+      description = mdDoc "Group account under which DS runs.";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/ds-fr";
+    };
+
+    logDir = mkOption {
+      type = types.str;
+      default = "/var/log/ds-fr";
+    };
+
+    secretFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+    };
+
+    settings = mkOption { inherit (settingsFormat) type; };
+
+    initialDeploymentDate = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.demarches-simplifiees.settings =
+      (builtins.mapAttrs (_: mkDefault) {
+        RAILS_ENV = "production";
+        RAILS_ROOT = builtins.toString cfg.package;
+
+        # Application host name
+        #
+        # Examples:
+        # * For local development: localhost:3000
+        # * For preproduction: staging.ds.example.org
+        # * For production: ds.example.org
+        APP_HOST = "localhost:3000";
+
+        # Rails key for signing sensitive data
+        # See https://guides.rubyonrails.org/security.html
+        #
+        # For production you MUST generate a new key, and keep it secret.
+        # Secrets must be long and random. Use bin/rails secret to get new unique secrets.
+
+        # Secret key for One-Time-Password codes, used for 2-factors authentication
+        # OTP_SECRET_KEY = "";
+
+        # Protect access to the instance with a static login/password (useful for staging environments)
+        BASIC_AUTH_ENABLED = "disabled";
+        BASIC_AUTH_USERNAME = "";
+        BASIC_AUTH_PASSWORD = "";
+
+        # ActiveStorage service to use for attached files.
+        # Possible values:
+        # - "local": store files on the local filesystem
+        # - "amazon": store files remotely on an S3 storage service
+        # - "openstack": store files remotely on an OpenStack storage service
+        #
+        # (See config/storage.yml for the configuration of each service.)
+        ACTIVE_STORAGE_SERVICE = "local";
+
+        # Configuration for the OpenStack storage service (if enabled)
+        FOG_OPENSTACK_API_KEY = "";
+        FOG_OPENSTACK_USERNAME = "";
+        FOG_OPENSTACK_URL = "";
+        FOG_OPENSTACK_REGION = "";
+        DS_PROXY_URL = "";
+
+        # SAML
+        SAML_IDP_ENABLED = "disabled";
+
+        # External service: authentication through France Connect
+        FC_PARTICULIER_ID = "";
+        FC_PARTICULIER_SECRET = "";
+        FC_PARTICULIER_BASE_URL = "";
+
+        # External service: authentication through Agent Connect
+        AGENT_CONNECT_ID = "";
+        AGENT_CONNECT_SECRET = "";
+        AGENT_CONNECT_BASE_URL = "";
+        AGENT_CONNECT_JWKS = "";
+        AGENT_CONNECT_REDIRECT = "";
+
+        # External service: integration with HelpScout (optional)
+        HELPSCOUT_MAILBOX_ID = "";
+        HELPSCOUT_CLIENT_ID = "";
+        HELPSCOUT_CLIENT_SECRET = "";
+        HELPSCOUT_WEBHOOK_SECRET = "";
+
+        # External service: external supervision
+        SENTRY_ENABLED = "disabled";
+        SENTRY_CURRENT_ENV = "development";
+        SENTRY_DSN_RAILS = "";
+        SENTRY_DSN_JS = "";
+
+        # External service: Matomo web analytics
+        MATOMO_ENABLED = "disabled";
+        MATOMO_COOKIE_DOMAIN = "*.www.demarches-simplifiees.fr";
+        MATOMO_DOMAIN = "*.www.demarches-simplifiees.fr";
+        MATOMO_ID = "";
+        MATOMO_HOST = "matomo.example.org";
+
+        # Default SMTP Provider: Mailjet
+        MAILJET_API_KEY = "";
+        MAILJET_SECRET_KEY = "";
+
+        # Alternate SMTP Provider: SendInBlue/DoList
+        SENDINBLUE_CLIENT_KEY = "";
+        SENDINBLUE_SMTP_KEY = "";
+        SENDINBLUE_USER_NAME = "";
+        # SENDINBLUE_LOGIN_URL="https://app.sendinblue.com/account/saml/login/truc"
+
+        # Alternate SMTP Provider: Mailtrap (mail catcher for staging environments)
+        # When enabled, all emails will be sent using this provider
+        MAILTRAP_ENABLED = "disabled";
+        MAILTRAP_USERNAME = "";
+        MAILTRAP_PASSWORD = "";
+
+        # Alternative SMTP Provider: Mailcatcher (Catches mail and serves it through a dream.)
+        # When enabled, all emails will be sent using this provider
+        MAILCATCHER_ENABLED = "disabled";
+        MAILCATCHER_HOST = "";
+        MAILCATCHER_PORT = "";
+
+        # External service: live chat for admins (specific to démarches-simplifiées.fr)
+        CRISP_ENABLED = "disabled";
+        CRISP_CLIENT_KEY = "";
+
+        # API Entreprise credentials
+        # https://api.gouv.fr/api/api-entreprise.html
+        API_ENTREPRISE_KEY = "";
+
+        # External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
+        PIPEDRIVE_KEY = "";
+
+        # Networks bypassing the email login token that verifies new devices, and rack-attack throttling
+        TRUSTED_NETWORKS = "";
+
+        # External service: mesuring performance of the Rails app (specific to démarches-simplifiées.fr)
+        SKYLIGHT_AUTHENTICATION_KEY = "";
+        #   "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
+
+        # Enable or disable Lograge logs
+        LOGRAGE_ENABLED = "disabled";
+
+        # Logs source for Lograge
+        #
+        # Examples:
+        # * For local development: tps_local
+        # * For preproduction: tps_staging
+        # * For production: tps_prod
+        LOGRAGE_SOURCE = "tps_prod";
+
+        # External service: timestamping a daily archive of dossiers status changes
+        UNIVERSIGN_API_URL = "https://ws.universign.eu/tsa/post/";
+        UNIVERSIGN_USERPWD = "";
+
+        # External service: API Geo / Adresse
+        API_ADRESSE_URL = "https://api-adresse.data.gouv.fr";
+        API_GEO_URL = "https://geo.api.gouv.fr";
+
+        # External service: API Education
+        API_EDUCATION_URL = "https://data.education.gouv.fr/api/records/1.0";
+
+        # Encryption key for sensitive columns in the database
+        ENCRYPTION_SERVICE_SALT = "";
+
+        # ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
+        AR_ENCRYPTION_PRIMARY_KEY = "";
+        AR_ENCRYPTION_KEY_DERIVATION_SALT = "";
+
+        # Salt for invisible_captcha session data.
+        # Must be the same value for all app instances behind a load-balancer.
+        INVISIBLE_CAPTCHA_SECRET = "kikooloool";
+
+        # Clamav antivirus usage
+        CLAMAV_ENABLED = "disabled";
+
+        # Siret number used for API Entreprise, by default we use SIRET from dinum
+        API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
+      }) // {
+        # Database credentials
+        DB_DATABASE = "ds-fr";
+        DB_USERNAME = cfg.user;
+        DB_PASSWORD = "";
+        DB_HOST = "/run/postgresql";
+        DB_POOL = "";
+
+        # Log on stdout
+        RAILS_LOG_TO_STDOUT = true;
+      };
+
+    environment.systemPackages = [ ds-fr ];
+
+    systemd.tmpfiles.rules = [
+      "f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
+      "f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
+    ];
+
+    systemd.services = {
+      ds-fr-setup = {
+        description = "Demarches Simplifiees setup";
+
+        wantedBy = [ "multi-user.target" ];
+        path = [ pkgs.bash ds-fr ];
+        after = [ "postgresql.service" ];
+
+        serviceConfig = {
+          Type = "oneshot";
+          User = cfg.user;
+          Group = cfg.group;
+          EnvironmentFile = [ env ]
+            ++ (optional (cfg.secretFile != null) cfg.secretFile);
+          StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
+          LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
+        };
+
+        script = ''
+          [[ ! -f ${cfg.dataDir}/.initial-migration ]] \
+            && ds-fr rails db:environment:set \
+            && ds-fr rails db:schema:load \
+            && ds-fr rails db:seed \
+            && touch ${cfg.dataDir}/.initial-migration
+
+          ds-fr rake db:migrate
+          ds-fr rake after_party:run
+        '';
+      };
+
+      ds-fr-work = {
+        description = "Demarches Simplifiees work service";
+
+        wantedBy = [ "multi-user.target" "ds-fr.service" ];
+        after = [ "network.target" "ds-fr-setup.service" ];
+        requires = [ "ds-fr-setup.service" ];
+
+        serviceConfig = {
+          ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
+          EnvironmentFile = [ env ]
+            ++ (optional (cfg.secretFile != null) cfg.secretFile);
+          User = cfg.user;
+          Group = cfg.group;
+          StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
+          LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
+        };
+      };
+
+      ds-fr = {
+        description = "Demarches Simplifiees web service";
+
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" "ds-fr-setup.service" ];
+        requires = [ "ds-fr-setup.service" ];
+
+        serviceConfig = {
+          ExecStart = "${ds-fr}/bin/ds-fr rails server";
+          Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
+          EnvironmentFile = [ env ]
+            ++ (optional (cfg.secretFile != null) cfg.secretFile);
+          User = cfg.user;
+          Group = cfg.group;
+          StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
+          LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
+        };
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+
+      ensureDatabases = [ "ds-fr" ];
+
+      ensureUsers = optional (cfg.user == "ds-fr") {
+        name = "ds-fr";
+        ensurePermissions = { "DATABASE \"ds-fr\"" = "ALL PRIVILEGES"; };
+      };
+
+      extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
+    };
+
+    users.users = mkIf (cfg.user == "ds-fr") {
+      ds-fr = {
+        inherit (cfg) group;
+
+        isSystemUser = true;
+        home = cfg.package;
+      };
+    };
+
+    users.groups.${cfg.group} = { };
+
+    services.nginx = {
+      enable = true;
+
+      virtualHosts.${cfg.settings.APP_HOST} = {
+        enableACME = true;
+        forceSSL = true;
+        root = "${cfg.package}/public/";
+
+        locations."/".tryFiles = "$uri @proxy";
+        locations."@proxy" = { proxyPass = "http://127.0.0.1:3000"; };
+      };
+    };
+
+  };
+}