cst1/infrastructure
1
0
Fork 0
forked from DGNum/infrastructure
Code Pull requests Activity

Compare commits

merge into: cst1:add_cst1_ssh
Branches Tags
cst1:main
cst1:add_cst1_ssh
cst1:init-dgnum-page
cst1:takumi-can-do-ollama
cst1:declarative-buckets
cst1:move-ollama
cst1:prepare-for-terranix
cst1:ollama-api
cst1:npins-update
cst1:internal-lib
cst1:ds-update
cst1:ds-fr
cst1:colmena-liminix
cst1:tvix-store
cst1:nixpkgs
cst1:liminix-v1
DGNum:main
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
...
pull from: DGNum:main
Branches Tags
DGNum:main
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
cst1:main
cst1:add_cst1_ssh
cst1:init-dgnum-page
cst1:takumi-can-do-ollama
cst1:declarative-buckets
cst1:move-ollama
cst1:prepare-for-terranix
cst1:ollama-api
cst1:npins-update
cst1:internal-lib
cst1:ds-update
cst1:ds-fr
cst1:colmena-liminix
cst1:tvix-store
cst1:nixpkgs
cst1:liminix-v1

80 commits
add_cst1_s ... main

Author SHA1 Message Date
DGNum Chores
c9839d4be6 chore(npins): Update 2024-11-22 15:27:34 +00:00
Tom Hubrecht
fe52f0ebe2
feat(forgejo-runners): Use /data/slow/nix and not /data/slow/nix/nix 
The upstream module should be updated to reflect that, use rootPath
instead of storePath
 2024-11-22 14:04:35 +01:00
Tom Hubrecht
1f9f56ac91
chore(lix): Use the global patch infrastructure for lix 2024-11-22 12:56:39 +01:00
Tom Hubrecht
75b621e298
fix(ds-fr): Switch to nix-pkgs 2024-11-21 15:13:25 +01:00
sinavir
32f68a54a9
chore(workflows): regenerate 2024-11-19 00:53:33 +01:00
sinavir
b00e47ec85
chore(netbox): Upgrade 2024-11-19 00:40:15 +01:00
Tom Hubrecht
a50637d55e
chore(stirling-pdf): New version 2024-11-19 00:13:49 +01:00
Tom Hubrecht
aa4f972085
fix(forgejo-runners): Let the shell handle colmena 2024-11-19 00:01:06 +01:00
DGNum Chores
8a5de73b47 chore(npins): Update 2024-11-18 15:29:55 +00:00
Tom Hubrecht
3fecacb482
chore(npins): Update nix-modules 2024-11-18 13:03:13 +01:00
Tom Hubrecht
ded867d274
feat(dj-interludes): Add a real secret 2024-11-18 13:02:54 +01:00
Tom Hubrecht
f61bd85d63
chore(forgejo): Disallow more domains 2024-11-17 19:01:26 +01:00
Tom Hubrecht
bf06d2573b
feat(nix): Use passthru for shells and return to importing the scripts 2024-11-14 22:18:40 +01:00
Tom Hubrecht
6fbda40e5e
feat(scripts): Unify behaviour and improve generation 2024-11-14 22:01:58 +01:00
Tom Hubrecht
2ffd7732ba
feat(django-apps/interludes): Allow base webapps domain 2024-11-12 15:08:17 +01:00
Tom Hubrecht
d45b044b22
feat(django-apps/interludes): Switch to interludes.ens.fr 2024-11-12 14:55:04 +01:00
Tom Hubrecht
21b422b1ad
fix(nix-lib): Allow defining top-level imports 2024-11-12 12:29:36 +01:00
Tom Hubrecht
420fe99984
fix(django-apps/interludes): Don't run in debug mode 2024-11-12 10:52:49 +01:00
Tom Hubrecht
32f13adaad
feat(web03): Deploy interludes.webapps.dgnum.eu 2024-11-12 10:40:09 +01:00
Tom Hubrecht
a816c81125
chore: Update nix-actions 2024-11-11 22:05:16 +01:00
Tom Hubrecht
6ab3e4b685
fix(workflows): Correct typos 2024-11-11 18:01:44 +01:00
Tom Hubrecht
5f1436e4bf
feat(workflows): Switch to a nix-based definition of workflows 2024-11-11 17:57:23 +01:00
sinavir
d8f90dd940
fix(patches): Label nextcloud patch 2024-11-11 00:57:49 +01:00
Tom Hubrecht
89b22a34da
feat(forgejo): Add blocklist for registering e-mails 2024-11-10 16:24:51 +01:00
soyouzpanda
32d28ed351
feat(organization): Added Antoine Groudiev and Matthieu Boyer to organization 2024-11-09 22:55:24 +01:00
Tom Hubrecht
46657a7f74
fix(tvix-cache): Turn down the log vomit, and increase the limit of file handles 2024-11-09 19:11:10 +01:00
Tom Hubrecht
0a40fbbda0
Revert "chore(npins): Update" 
This reverts commit 045554b2e6.
 2024-11-09 18:43:56 +01:00
DGNum Chores
045554b2e6 chore(npins): Update 2024-11-09 15:29:23 +00:00
sinavir
2cee8006d3
feat(access-control): Remove luj from admins 2024-11-08 00:18:14 +01:00
sinavir
9e5be2a279
fix(web01): www.lanuit.ens.fr redirection is not used anymore 2024-11-04 20:07:33 +01:00
Tom Hubrecht
0576d1ecf8
fix(web03): Use a different domain for webhooks endpoint 2024-10-31 10:58:07 +01:00
Tom Hubrecht
06bbe99769
feat(meta/dns): Add private subdomain linking to the netbird ips 2024-10-31 10:58:07 +01:00
sinavir
45f2f59055 feat(keys): Add a key for mdebray 2024-10-30 23:21:36 +01:00
Tom Hubrecht
0e3463102c
feat(metis): Update and validate providers 2024-10-24 00:27:15 +02:00
Tom Hubrecht
d2f039755b
chore(metis): Update 2024-10-23 23:40:21 +02:00
Tom Hubrecht
a6aac2b0b4
feat(web03): Deploy www-bocal on bocal.webapps.dgnum.eu 2024-10-23 13:56:47 +02:00
Tom Hubrecht
ae7aaabf29
feat(meta/network): Add web03 netbirdIp 2024-10-23 11:04:28 +02:00
Tom Hubrecht
7ab63fb4a5
fix(netbox-agent): Use the latest version, which returns the correct value to the shell 2024-10-23 10:05:25 +02:00
Tom Hubrecht
2bb03126cf
feat(web03): Deploy django-wiki on wiki.webapps.dgnum.eu 2024-10-22 14:19:58 +02:00
Tom Hubrecht
2b858bbae4
feat(web03): Switch to nixos-unstable 2024-10-22 14:09:54 +02:00
Tom Hubrecht
4f18e8d387
feat(meta/dns): Add apps-webhook domain, to separate from the apps 2024-10-22 13:55:30 +02:00
Tom Hubrecht
4a102117a4
feat(storage01): Init victoria-metrics DB 2024-10-22 13:07:07 +02:00
Tom Hubrecht
969f59fbc4
feat(web03): Deploy the new annuaire 2024-10-21 20:03:20 +02:00
Tom Hubrecht
972b9554b7 feat(netbox-agent): Internalize 2024-10-21 19:38:11 +02:00
sinavir
e993d6de34 fix(stateless-uptime-kuma): Typo in domain name 2024-10-21 12:25:18 +02:00
sinavir
e0eb7bbf7c fix(stateless-uptime-kuma): Correct probes for ollama and s3-api 2024-10-21 12:16:00 +02:00
Tom Hubrecht
7875007a4f
feat(meta/dns): Add victoria-metrics 2024-10-21 11:15:31 +02:00
Tom Hubrecht
b5fc554f0f
fix(patches): Update commit for netbox-qrcode 2024-10-21 09:41:01 +02:00
Tom Hubrecht
a93a64d747
feat(forgejo): Send email to admins when new users appear 2024-10-21 09:33:40 +02:00
Tom Hubrecht
51133e6e5f
feat(netbird): Update 2024-10-20 23:01:14 +02:00
Tom Hubrecht
5f0c7d4e22
feat(meta/nodes): Sort nodes 2024-10-20 22:35:35 +02:00
DGNum Chores
39abf0b62d chore(npins): Update 2024-10-20 13:29:01 +00:00
Tom Hubrecht
63c9f02b16
fix(meta): Use correct username 
(Sorry @jemagius)
 2024-10-18 18:46:33 +02:00
Tom Hubrecht
f0b3d4b490
feat(kanidm): Use kanidm-provision to setup active members 2024-10-18 14:36:38 +02:00
sinavir
e7edf29e11 fix(ollama-proxy): Use ip instead of vpn domain name 
VPN dns is slow to start so nginx will fail
 2024-10-18 12:45:27 +02:00
sinavir
c0435e694d fix(modules/dgn-records): Add enable option 2024-10-18 11:53:32 +02:00
sinavir
1a05ea3a9a feat(krz01): Move to lab-infra repo 2024-10-18 11:53:32 +02:00
soyouzpanda
113c83bb9c
feat: laptop change and smartphone add to authorized MACs 2024-10-18 11:12:14 +02:00
Tom Hubrecht
ac0aaa9228
fix(npins): Update nix-pkgs 2024-10-18 11:10:47 +02:00
Tom Hubrecht
16dfdf1032
feat(patches): Add kanidm provisioning 2024-10-17 23:03:37 +02:00
Tom Hubrecht
05edf3f295
feat(meta/dns): Update web02 2024-10-17 23:03:37 +02:00
sinavir
3c445ab4c7 feat(networking): Add a bridge to connect VMs to the world 2024-10-17 17:56:09 +02:00
sinavir
492fe550d9 chore(krz01): Put all ollama/whisper stuff in separate modules 2024-10-17 15:47:10 +02:00
sinavir
a02da5f496 chore(proxmox-nixos): Update 2024-10-17 15:34:11 +02:00
Tom Hubrecht
b850ee56c2
chore(nixpkgs): Drop nixos-23.11 2024-10-17 15:11:43 +02:00
Tom Hubrecht
db5859e472
feat(web03): Initial deployment of django-apps 2024-10-17 15:11:43 +02:00
Tom Hubrecht
fd6b9678ef
chore(netbox-agent): Rekey 2024-10-17 15:06:26 +02:00
Tom Hubrecht
f771ec72c8
fix(secrets): Rekey Arkheon and email secrets 2024-10-16 11:45:50 +02:00
Tom Hubrecht
9931c622b6
feat(workflows/eval): Add web03 to the list 2024-10-16 11:28:30 +02:00
Tom Hubrecht
ad8ddb1f4d
feat(dns): Redirect webapps subdomain to web03 2024-10-16 11:24:10 +02:00
Tom Hubrecht
14866df004
fix(dgn-web): Set a default for simpleProxies 2024-10-16 11:08:24 +02:00
Tom Hubrecht
b6cbf6e918
feat(infra): Deploy web03 2024-10-16 11:08:24 +02:00
Tom Hubrecht
4b2d1cde5b
chore(dgsi): Update 2024-10-12 22:25:53 +02:00
Tom Hubrecht
06653220bb
fix(kanidm): Revert switch to simpleProxies 
As we proxy to an https endpoint, this was not supported
 2024-10-12 22:11:34 +02:00
Tom Hubrecht
9ea51137fc
chore(dgsi): Update 2024-10-12 22:06:26 +02:00
Tom Hubrecht
2f06f22ac7 feat(nginx): Switch to simpleProxies for the majority of configs 2024-10-12 20:00:54 +02:00
Tom Hubrecht
af61ae6e61 feat(dgn-web): Add simpleProxies 
This proxies the required host to localhost:$port and enables SSL
 2024-10-12 20:00:54 +02:00
Tom Hubrecht
9ea6bada0a feat(dgn-web): Add a way to detect internal port clashes 2024-10-12 20:00:54 +02:00
Julien Malka
f819acf9bc
feat(forgejo): 7 days sessions 2024-10-12 19:52:21 +02:00
Tom Hubrecht
8043f8d4ab
chore(metis): Update 2024-10-12 17:29:51 +02:00
112 changed files with 2187 additions and 2616 deletions
Show stats Expand all files Collapse all files

1
.envrc
View file

@ -1 +1,2 @@
watch_file workflows/*
use nix use nix

32
.forgejo/workflows/check-meta.yaml
View file

@ -1,3 +1,16 @@
jobs:
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta name: Check meta
on: on:
pull_request: pull_request:
@ -5,21 +18,4 @@ on:
- main - main
push: push:
paths: paths:
- 'meta/*' - meta/*
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link

16
.forgejo/workflows/check-workflows.yaml Normal file
View file

@ -0,0 +1,16 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:
branches:
- main
push:
paths:
- workflows/*

56
.forgejo/workflows/ds-fr.yaml
View file

@ -1,56 +0,0 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

119
.forgejo/workflows/eval-nodes.yaml Normal file
View file

@ -0,0 +1,119 @@
jobs:
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:
branches:
- main
push:
branches:
- main

200
.forgejo/workflows/eval.yaml
View file

@ -1,200 +0,0 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_and_cache_krz01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "krz01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_krz01
path: paths.txt
build_and_cache_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "compute01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: paths.txt
build_and_cache_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "storage01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: paths.txt
build_and_cache_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "rescue01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: paths.txt
build_and_cache_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: paths.txt
build_and_cache_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: paths.txt
build_and_cache_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "vault01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: paths.txt
build_and_cache_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: paths.txt
build_and_cache_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "bridge01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt

11
.forgejo/workflows/lint.yaml
View file

@ -1,11 +0,0 @@
name: lint
on: [push, pull_request]
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

25
.forgejo/workflows/npins-update.yaml Normal file
View file

@ -0,0 +1,25 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 25 15 * * *

12
.forgejo/workflows/pre-commit.yaml Normal file
View file

@ -0,0 +1,12 @@
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push
- pull_request

47
default.nix
View file

@ -41,7 +41,15 @@
}: }:
let let
git-checks = (import (builtins.storePath sources.git-hooks)).run { inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
git-checks = (import sources.git-hooks).run {
src = ./.; src = ./.;
hooks = { hooks = {
@ -67,6 +75,22 @@ let
commitizen.enable = true; commitizen.enable = true;
}; };
}; };
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
scripts = import ./scripts { inherit pkgs; };
in in
{ {
@ -78,36 +102,35 @@ in
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix; mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
shells = { devShell = pkgs.mkShell {
default = pkgs.mkShell {
name = "dgnum-infra"; name = "dgnum-infra";
packages = [ packages = [
(pkgs.nixos-generators.overrideAttrs (_: { (pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable"; version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators; src = sources.nixos-generators;
})) }))
pkgs.npins pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; }) (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (builtins.attrValues scripts);
] ++ (import ./scripts { inherit pkgs; });
shellHook = '' shellHook = ''
${git-checks.shellHook} ${git-checks.shellHook}
${workflows.shellHook}
''; '';
preferLocalBuild = true; preferLocalBuild = true;
};
pre-commit = pkgs.mkShell { ###
name = "pre-commit-shell"; # Alternative shells
shellHook = '' passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
${git-checks.shellHook} pre-commit.shellHook = git-checks.shellHook;
''; check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
}; };
}; };
} }

15
hive.nix
View file

@ -64,23 +64,12 @@ in
}; };
defaults = defaults =
{ { name, nodeMeta, ... }:
pkgs,
name,
nodeMeta,
...
}:
{ {
# Import the default modules # Import the default modules
imports = [ imports = [
./modules ./modules
(import "${sources.lix-module}/module.nix" { (import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
lix = pkgs.applyPatches {
name = "lix-2.90.patched";
src = sources.lix;
patches = [ ./patches/00-disable-installChecks-lix.patch ];
};
})
]; ];
# Include default secrets # Include default secrets

7
keys/default.nix
View file

@ -17,14 +17,17 @@ rec {
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ]; compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ]; geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ]; geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ]; rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ]; storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ]; vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ]; web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ]; web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members # SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [ catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
]; ];
@ -44,8 +47,10 @@ rec {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
]; ];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [ mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
]; ];
raito = [ raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"

7
lib/nix-lib/default.nix
View file

@ -190,8 +190,11 @@ rec {
recursiveFuse [ recursiveFuse [
(enableModules enabledModules) (enableModules enabledModules)
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); } {
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
extraConfig (removeAttrs extraConfig [ "imports" ])
]; ];
} }

23
machines/compute01/ds-fr/default.nix
View file

@ -1,14 +1,35 @@
{ config, ... }: {
config,
pkgs,
sources,
...
}:
let let
host = "demarches.dgnum.eu"; host = "demarches.dgnum.eu";
dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
in in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = { services.demarches-simplifiees = {
enable = true; enable = true;
package =
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
initialDeploymentDate = "20230923";
}).overrideAttrs
(old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
};
});
secretFile = config.age.secrets."ds-fr-secret_file".path; secretFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923"; initialDeploymentDate = "20230923";

12
machines/compute01/grafana.nix
View file

@ -69,17 +69,11 @@ in
} }
]; ];
}; };
};
nginx.virtualHosts.${host} = { dgn-web.simpleProxies.grafana = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}; };
age-secrets.autoMatch = [ "grafana" ]; age-secrets.autoMatch = [ "grafana" ];

15
machines/compute01/hedgedoc.nix
View file

@ -29,16 +29,6 @@ in
}; };
}; };
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = { postgresql = {
enable = true; enable = true;
@ -53,6 +43,11 @@ in
}; };
}; };
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [ systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc" "hedgedoc"
"hedgedoc/uploads" "hedgedoc/uploads"

120
machines/compute01/kanidm/default.nix
View file

@ -1,14 +1,23 @@
{ {
config, config,
lib, lib,
meta,
nixpkgs, nixpkgs,
... ...
}: }:
let let
inherit (lib) escapeRegex concatStringsSep; inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
port = 8443;
cert = config.security.acme.certs.${domain}; cert = config.security.acme.certs.${domain};
@ -27,6 +36,8 @@ let
"netbird-beta.hubrecht.ovh" "netbird-beta.hubrecht.ovh"
] ]
); );
usernameFor = member: meta.organization.members.${member}.username;
in in
{ {
services.kanidm = { services.kanidm = {
@ -39,7 +50,7 @@ in
origin = "https://${domain}"; origin = "https://${domain}";
bindaddress = "127.0.0.1:8443"; bindaddress = "127.0.0.1:${builtins.toString port}";
ldapbindaddress = "0.0.0.0:636"; ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true; trust_x_forward_for = true;
@ -47,10 +58,113 @@ in
tls_chain = "${cert.directory}/fullchain.pem"; tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem"; tls_key = "${cert.directory}/key.pem";
}; };
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
}; };
users.users.kanidm.extraGroups = [ cert.group ]; users.users.kanidm.extraGroups = [ cert.group ];
dgn-web.internalPorts.kanidm = port;
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -58,7 +172,7 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "https://127.0.0.1:8443"; proxyPass = "https://127.0.0.1:${builtins.toString port}";
extraConfig = '' extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {

18
machines/compute01/nextcloud.nix
View file

@ -3,6 +3,8 @@
let let
host = "cloud.dgnum.eu"; host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in in
{ {
services.nextcloud = { services.nextcloud = {
@ -104,7 +106,7 @@ in
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
}; };
ports = [ "9980:9980" ]; ports = [ "${builtins.toString port}:${builtins.toString port}" ];
environment = { environment = {
domain = "cloud.dgnum.eu"; domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
@ -119,6 +121,8 @@ in
}; };
}; };
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
${host} = { ${host} = {
enableACME = true; enableACME = true;
@ -136,25 +140,25 @@ in
extraConfig = '' extraConfig = ''
# static files # static files
location ^~ /browser { location ^~ /browser {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# WOPI discovery URL # WOPI discovery URL
location ^~ /hosting/discovery { location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Capabilities # Capabilities
location ^~ /hosting/capabilities { location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# main websocket # main websocket
location ~ ^/cool/(.*)/ws$ { location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;
@ -163,13 +167,13 @@ in
# download, presentation and image upload # download, presentation and image upload
location ~ ^/(c|l)ool { location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Admin Console websocket # Admin Console websocket
location ^~ /cool/adminws { location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;

16
machines/compute01/ollama-proxy.nix
View file

@ -1,27 +1,15 @@
{ { pkgs, ... }:
pkgs,
nodes,
meta,
...
}:
{ {
services.nginx = { services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."ollama01.beta.dgnum.eu" = { virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://${meta.network.krz01.netbirdIp}:${toString nodes.krz01.config.services.ollama.port}"; proxyPass = "http://100.80.103.206:11434";
basicAuthFile = pkgs.writeText "ollama-htpasswd" '' basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2 raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
''; '';
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
} }

18
machines/compute01/outline.nix
View file

@ -2,6 +2,7 @@
let let
host = "docs.dgnum.eu"; host = "docs.dgnum.eu";
port = 3003;
in in
{ {
services.outline = { services.outline = {
@ -35,21 +36,12 @@ in
defaultLanguage = "fr_FR"; defaultLanguage = "fr_FR";
forceHttps = false; forceHttps = false;
port = 3003; inherit port;
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.outline = {
enableACME = true; inherit host port;
forceSSL = true; vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
}; };
age-secrets.autoMatch = [ "outline" ]; age-secrets.autoMatch = [ "outline" ];

13
machines/compute01/plausible.nix
View file

@ -38,16 +38,7 @@ in
}; };
}; };
services.nginx = { dgn-web.simpleProxies.plausible = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
}; };
} }

10
machines/compute01/satosa/default.nix
View file

@ -2,16 +2,15 @@
let let
host = "saml-idp.dgnum.eu"; host = "saml-idp.dgnum.eu";
port = 8090;
in in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
services.satosa = { services.satosa = {
enable = true; enable = true;
inherit host; inherit host port;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path; envFile = config.age.secrets."satosa-env_file".path;
@ -148,9 +147,8 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.satosa = {
enableACME = true; inherit host port;
forceSSL = true;
}; };
age-secrets.autoMatch = [ "satosa" ]; age-secrets.autoMatch = [ "satosa" ];

8
machines/compute01/satosa/module.nix
View file

@ -190,14 +190,6 @@ in
}; };
}; };
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = { users.users.satosa = {
isSystemUser = true; isSystemUser = true;
group = "satosa"; group = "satosa";

7
machines/compute01/stirling-pdf/default.nix
View file

@ -10,10 +10,13 @@ let
# - push to a new branch dgn-v0.A.B where A.B is the new version # - push to a new branch dgn-v0.A.B where A.B is the new version
# - finally, update the commit hash of the customization patch # - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57"; dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
port = 8084;
in in
{ {
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = { services.stirling-pdf = {
enable = true; enable = true;
@ -24,7 +27,7 @@ in
}); });
domain = "pdf.dgnum.eu"; domain = "pdf.dgnum.eu";
port = 8084; inherit port;
nginx = { nginx = {
enableACME = true; enableACME = true;

29
machines/compute01/vaultwarden.nix
View file

@ -2,6 +2,8 @@
let let
host = "pass.dgnum.eu"; host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in in
{ {
services.vaultwarden = { services.vaultwarden = {
@ -10,9 +12,9 @@ in
config = { config = {
DOMAIN = "https://${host}"; DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true; WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = 10500; WEBSOCKET_PORT = wsPort;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu"; SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = 10501; ROCKET_PORT = port;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true; SIGNUPS_VERIFY = true;
USE_SYSLOG = true; USE_SYSLOG = true;
@ -31,34 +33,28 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path; environmentFile = config.age.secrets."vaultwarden-environment_file".path;
}; };
services = { dgn-web = {
nginx = { internalPorts.vaultwarden-websockets = wsPort;
enable = true;
virtualHosts.${host} = { simpleProxies.vaultwarden = {
forceSSL = true; inherit host port;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true; proxyWebsockets = true;
};
vhostConfig.locations = {
"/notifications/hub" = { "/notifications/hub" = {
proxyPass = "http://127.0.0.1:10500"; proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
"/notifications/hub/negotiate" = { "/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501"; proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
}; };
}; };
postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ "vaultwarden" ]; ensureDatabases = [ "vaultwarden" ];
@ -70,7 +66,6 @@ in
} }
]; ];
}; };
};
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ]; dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
dgn-backups.postgresDatabases = [ "vaultwarden" ]; dgn-backups.postgresDatabases = [ "vaultwarden" ];

179
machines/krz01/K80-support.patch
View file

@ -1,179 +0,0 @@
From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Tue, 8 Oct 2024 18:27:41 +0200
Subject: [PATCH] K80 support
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
docs/development.md | 6 +++-
docs/gpu.md | 1 +
gpu/amd_linux.go | 6 +++-
gpu/gpu.go | 63 ++++++++++++++++++++++++++++++++++++-----
scripts/build_docker.sh | 2 +-
scripts/build_linux.sh | 2 +-
6 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/docs/development.md b/docs/development.md
index 2f7b9ecf..9da35931 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
or installation approach uses unusual paths, you can specify the location by
specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
-a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
+a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
+
+To support GPUs older than Compute Capability 5.0, you will need to use an older version of
+the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11). When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`. To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
+
Then generate dependencies:
diff --git a/docs/gpu.md b/docs/gpu.md
index a6b559f0..66627611 100644
--- a/docs/gpu.md
+++ b/docs/gpu.md
@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
| 5.0 | GeForce GTX | `GTX 750 Ti` `GTX 750` `NVS 810` |
| | Quadro | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M` |
+For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
### GPU Selection
diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
index 6b08ac2e..768fb97a 100644
--- a/gpu/amd_linux.go
+++ b/gpu/amd_linux.go
@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
return []GpuInfo{}
}
- if int(major) < RocmComputeMin {
+ minVer, err := strconv.Atoi(RocmComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
+ }
+ if int(major) < minVer {
slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
continue
}
diff --git a/gpu/gpu.go b/gpu/gpu.go
index 781e23df..60d68c33 100644
--- a/gpu/gpu.go
+++ b/gpu/gpu.go
@@ -16,6 +16,7 @@ import (
"os"
"path/filepath"
"runtime"
+ "strconv"
"strings"
"sync"
"unsafe"
@@ -38,9 +39,11 @@ const (
var gpuMutex sync.Mutex
// With our current CUDA compile flags, older than 5.0 will not work properly
-var CudaComputeMin = [2]C.int{5, 0}
+// (string values used to allow ldflags overrides at build time)
+var CudaComputeMajorMin = "5"
+var CudaComputeMinorMin = "0"
-var RocmComputeMin = 9
+var RocmComputeMajorMin = "9"
// TODO find a better way to detect iGPU instead of minimum memory
const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
var memInfo C.mem_info_t
resp := []GpuInfo{}
- // NVIDIA first
- for i := 0; i < gpuHandles.deviceCount; i++ {
- // TODO once we support CPU compilation variants of GPU libraries refine this...
- if cpuVariant == "" && runtime.GOARCH == "amd64" {
- continue
+ // Load ALL libraries
+ cHandles = initCudaHandles()
+ minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
+ }
+ minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
+ }
+
+ // NVIDIA
+ for i := range cHandles.deviceCount {
+ if cHandles.cudart != nil || cHandles.nvcuda != nil {
+ gpuInfo := CudaGPUInfo{
+ GpuInfo: GpuInfo{
+ Library: "cuda",
+ },
+ index: i,
+ }
+ var driverMajor int
+ var driverMinor int
+ if cHandles.cudart != nil {
+ C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
+ } else {
+ C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
+ driverMajor = int(cHandles.nvcuda.driver_major)
+ driverMinor = int(cHandles.nvcuda.driver_minor)
+ }
+ if memInfo.err != nil {
+ slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
+ C.free(unsafe.Pointer(memInfo.err))
+ continue
+ }
+
+ if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
+ slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
+ continue
+ }
+ gpuInfo.TotalMemory = uint64(memInfo.total)
+ gpuInfo.FreeMemory = uint64(memInfo.free)
+ gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
+ gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
+ gpuInfo.MinimumMemory = cudaMinimumMemory
+ gpuInfo.DependencyPath = depPath
+ gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
+ gpuInfo.DriverMajor = driverMajor
+ gpuInfo.DriverMinor = driverMinor
+
+ // TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
+ cudaGPUs = append(cudaGPUs, gpuInfo)
}
gpuInfo := GpuInfo{
Library: "cuda",
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index e91c56ed..c03bc25f 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
# We use 2 different image repositories to handle combining architecture images into multiarch manifest
# (The ROCm image is x86 only and is not a multiarch manifest)
diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
index 27c4ff1f..e7e6d0dd 100755
--- a/scripts/build_linux.sh
+++ b/scripts/build_linux.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
--
2.46.0

79
machines/krz01/_configuration.nix
View file

@ -1,79 +0,0 @@
{
config,
lib,
pkgs,
meta,
name,
...
}:
lib.extra.mkConfig {
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
];
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
# Machine learning API machine
"microvm-ml01"
"microvm-router01"
"nvidia-tesla-k80"
"proxmox"
];
extraConfig = {
microvm = {
host.enable = true;
};
dgn-hardware = {
useZfs = true;
zfsPools = [
"dpool"
"ppool0"
];
};
services.netbird.enable = true;
# We are going to use CUDA here.
nixpkgs.config.cudaSupport = true;
hardware.graphics.enable = true;
environment.systemPackages = [
((pkgs.openai-whisper-cpp.override { cudaPackages = pkgs.cudaPackages_11; }).overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "ggerganov";
repo = "whisper.cpp";
rev = "v1.7.1";
hash = "sha256-EDFUVjud79ZRCzGbOh9L9NcXfN3ikvsqkVSOME9F9oo=";
};
env = {
WHISPER_CUBLAS = "";
GGML_CUDA = "1";
};
# We only need Compute Capability 3.7.
CUDA_ARCH_FLAGS = [ "sm_37" ];
# We are GPU-only anyway.
patches = (old.patches or [ ]) ++ [
./no-weird-microarch.patch
./all-nvcc-arch.patch
];
}))
];
services = {
ollama = {
enable = true;
host = meta.network.${name}.netbirdIp;
package = pkgs.callPackage ./ollama.nix {
cudaPackages = pkgs.cudaPackages_11;
# We need to thread our nvidia x11 driver for CUDA.
extraLibraries = [ config.hardware.nvidia.package ];
};
};
};
networking.firewall.interfaces.wt0.allowedTCPPorts = [ config.services.ollama.port ];
};
root = ./.;
}

50
machines/krz01/_hardware-configuration.nix
View file

@ -1,50 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
fsType = "ext4";
};
boot.initrd.luks.devices."mainfs" = {
device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
keyFileSize = 1;
keyFile = "/dev/zero";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/280C-8844";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

26
machines/krz01/all-nvcc-arch.patch
View file

@ -1,26 +0,0 @@
From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:37:08 +0200
Subject: [PATCH] fix: sm_37 for nvcc
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2ccb750..70dfd9b 100644
--- a/Makefile
+++ b/Makefile
@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
ifdef CUDA_DOCKER_ARCH
MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
else ifndef CUDA_POWER_ARCH
- MK_NVCCFLAGS += -arch=native
+ MK_NVCCFLAGS += -arch=sm_37
endif # CUDA_DOCKER_ARCH
ifdef GGML_CUDA_FORCE_DMMV
--
2.46.0

20
machines/krz01/disable-git.patch
View file

@ -1,20 +0,0 @@
diff --git c/llm/generate/gen_common.sh i/llm/generate/gen_common.sh
index 3825c155..238a74a7 100644
--- c/llm/generate/gen_common.sh
+++ i/llm/generate/gen_common.sh
@@ -69,6 +69,7 @@ git_module_setup() {
}
apply_patches() {
+ return
# apply temporary patches until fix is upstream
for patch in ../patches/*.patch; do
git -c 'user.name=nobody' -c 'user.email=<>' -C ${LLAMACPP_DIR} am ${patch}
@@ -133,6 +134,7 @@ install() {
# Keep the local tree clean after we're done with the build
cleanup() {
+ return
(cd ${LLAMACPP_DIR}/ && git checkout CMakeLists.txt)
if [ -n "$(ls -A ../patches/*.diff)" ]; then

22
machines/krz01/microvm-ml01.nix
View file

@ -1,22 +0,0 @@
_: {
microvm.autostart = [ "ml01" ];
microvm.vms.ml01 = {
config = {
networking.hostName = "ml01";
microvm = {
hypervisor = "cloud-hypervisor";
vcpu = 4;
mem = 4096;
balloonMem = 2048;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
};
}

16
machines/krz01/microvm-router01.nix
View file

@ -1,16 +0,0 @@
_: {
microvm.autostart = [ "router01" ];
microvm.vms.router01 = {
config = {
networking.hostName = "router01";
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
}

34
machines/krz01/no-weird-microarch.patch
View file

@ -1,34 +0,0 @@
From 51568b61ef63ecd97867562571411082c32751d3 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:36:51 +0200
Subject: [PATCH] fix: avx & f16c in Makefile
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 32b7cbb..2ccb750 100644
--- a/Makefile
+++ b/Makefile
@@ -361,12 +361,12 @@ ifndef RISCV
ifeq ($(UNAME_M),$(filter $(UNAME_M),x86_64 i686 amd64))
# Use all CPU extensions that are available:
- MK_CFLAGS += -march=native -mtune=native
- HOST_CXXFLAGS += -march=native -mtune=native
+ # MK_CFLAGS += -march=native -mtune=native
+ # HOST_CXXFLAGS += -march=native -mtune=native
# Usage AVX-only
- #MK_CFLAGS += -mfma -mf16c -mavx
- #MK_CXXFLAGS += -mfma -mf16c -mavx
+ MK_CFLAGS += -mf16c -mavx
+ MK_CXXFLAGS += -mf16c -mavx
# Usage SSSE3-only (Not is SSE3!)
#MK_CFLAGS += -mssse3
--
2.46.0

8
machines/krz01/nvidia-tesla-k80.nix
View file

@ -1,8 +0,0 @@
{ config, ... }:
{
nixpkgs.config.nvidia.acceptLicense = true;
# Tesla K80 is not supported by the latest driver.
hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
# Don't ask.
services.xserver.videoDrivers = [ "nvidia" ];
}

243
machines/krz01/ollama.nix
View file

@ -1,243 +0,0 @@
{
lib,
buildGoModule,
fetchFromGitHub,
buildEnv,
linkFarm,
overrideCC,
makeWrapper,
stdenv,
addDriverRunpath,
nix-update-script,
cmake,
gcc11,
clblast,
libdrm,
rocmPackages,
cudaPackages,
darwin,
autoAddDriverRunpath,
extraLibraries ? [ ],
nixosTests,
testers,
ollama,
ollama-rocm,
ollama-cuda,
config,
# one of `[ null false "rocm" "cuda" ]`
acceleration ? null,
}:
assert builtins.elem acceleration [
null
false
"rocm"
"cuda"
];
let
pname = "ollama";
version = "2024-09-10-cc35";
src = fetchFromGitHub {
owner = "aliotard";
repo = "ollama";
rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
fetchSubmodules = true;
};
vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
"both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
"but they are mutually exclusive; falling back to cpu"
]) (!(config.rocmSupport && config.cudaSupport));
shouldEnable =
mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
rocmRequested = shouldEnable "rocm" config.rocmSupport;
cudaRequested = shouldEnable "cuda" config.cudaSupport;
enableRocm = rocmRequested && stdenv.isLinux;
enableCuda = cudaRequested && stdenv.isLinux;
rocmLibs = [
rocmPackages.clr
rocmPackages.hipblas
rocmPackages.rocblas
rocmPackages.rocsolver
rocmPackages.rocsparse
rocmPackages.rocm-device-libs
rocmPackages.rocm-smi
];
rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
rocmPath = buildEnv {
name = "rocm-path";
paths = rocmLibs ++ [ rocmClang ];
};
cudaLibs = [
cudaPackages.cuda_cudart
cudaPackages.libcublas
cudaPackages.cuda_cccl
];
cudaToolkit = buildEnv {
name = "cuda-merged";
paths = map lib.getLib cudaLibs ++ [
(lib.getOutput "static" cudaPackages.cuda_cudart)
(lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
];
};
metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
Accelerate
Metal
MetalKit
MetalPerformanceShaders
];
wrapperOptions =
[
# ollama embeds llama-cpp binaries which actually run the ai models
# these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
# LD_LIBRARY_PATH is temporarily required to use the gpu
# until these llama-cpp binaries can have their runpath patched
"--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
]
++ lib.optionals enableRocm [
"--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
"--set-default HIP_PATH '${rocmPath}'"
]
++ lib.optionals enableCuda [
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
];
wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
goBuild =
if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
inherit (lib) licenses platforms maintainers;
in
goBuild {
inherit
pname
version
src
vendorHash
;
env =
lib.optionalAttrs enableRocm {
ROCM_PATH = rocmPath;
CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
}
// lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
// {
CMAKE_CUDA_ARCHITECTURES = "35;37";
};
nativeBuildInputs =
[ cmake ]
++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
++ lib.optionals (enableRocm || enableCuda) [
makeWrapper
autoAddDriverRunpath
]
++ lib.optionals stdenv.isDarwin metalFrameworks;
buildInputs =
lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
++ lib.optionals enableCuda cudaLibs
++ lib.optionals stdenv.isDarwin metalFrameworks;
patches = [
# disable uses of `git` in the `go generate` script
# ollama's build script assumes the source is a git repo, but nix removes the git directory
# this also disables necessary patches contained in `ollama/llm/patches/`
# those patches are applied in `postPatch`
./disable-git.patch
];
postPatch = ''
# replace inaccurate version number with actual release version
substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
# apply ollama's patches to `llama.cpp` submodule
for diff in llm/patches/*; do
patch -p1 -d llm/llama.cpp < $diff
done
'';
overrideModAttrs = _: _: {
# don't run llama.cpp build in the module fetch phase
preBuild = "";
};
preBuild = ''
# disable uses of `git`, since nix removes the git directory
export OLLAMA_SKIP_PATCHING=true
# build llama.cpp libraries for ollama
go generate ./...
'';
postFixup =
''
# the app doesn't appear functional at the moment, so hide it
mv "$out/bin/app" "$out/bin/.ollama-app"
''
+ lib.optionalString (enableRocm || enableCuda) ''
# expose runtime libraries necessary to use the gpu
wrapProgram "$out/bin/ollama" ${wrapperArgs}
'';
ldflags = [
"-s"
"-w"
"-X=github.com/ollama/ollama/version.Version=${version}"
"-X=github.com/ollama/ollama/server.mode=release"
"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
];
passthru = {
tests =
{
inherit ollama;
version = testers.testVersion {
inherit version;
package = ollama;
};
}
// lib.optionalAttrs stdenv.isLinux {
inherit ollama-rocm ollama-cuda;
service = nixosTests.ollama;
service-cuda = nixosTests.ollama-cuda;
service-rocm = nixosTests.ollama-rocm;
};
updateScript = nix-update-script { };
};
meta = {
description =
"Get up and running with large language models locally"
+ lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
+ lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
homepage = "https://github.com/ollama/ollama";
changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
license = licenses.mit;
platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
mainProgram = "ollama";
maintainers = with maintainers; [
abysssol
dit7ya
elohmeier
roydubnium
];
};
}

14
machines/krz01/proxmox/default.nix
View file

@ -1,14 +0,0 @@
{ sources, lib, ... }:
let
proxmox-nixos = import sources.proxmox-nixos;
in
{
imports = [ proxmox-nixos.nixosModules.proxmox-ve ];
services.proxmox-ve.enable = true;
nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ];
networking.firewall = {
trustedInterfaces = [ "wt0" ];
allowedTCPPorts = lib.mkForce [ 22 ];
};
}

3
machines/krz01/secrets/secrets.nix
View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "krz01" ] [
# List of secrets for krz01
]

1
machines/rescue01/_configuration.nix
View file

@ -3,6 +3,7 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-web"
]; ];
enabledServices = [ enabledServices = [

27
machines/rescue01/uptime-kuma.nix
View file

@ -46,6 +46,16 @@ let
accepted_statuscodes = [ "401" ]; accepted_statuscodes = [ "401" ];
}; };
"ollama01.beta.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "401" ];
};
"s3-admin.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "400" ];
};
"api.meet.dgnum.eu" = { "api.meet.dgnum.eu" = {
keyword = "Crab Fit API"; keyword = "Crab Fit API";
}; };
@ -122,23 +132,10 @@ in
services.uptime-kuma.enable = true; services.uptime-kuma.enable = true;
services.nginx = { dgn-web.simpleProxies.uptime-kuma = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = { statelessUptimeKuma = {
probesConfig = mkMerge [ probesConfig = mkMerge [

1
machines/storage01/_configuration.nix
View file

@ -18,6 +18,7 @@ lib.extra.mkConfig {
"peertube" "peertube"
"prometheus" "prometheus"
"redirections" "redirections"
"victoria-metrics"
]; ];
extraConfig = { extraConfig = {

14
machines/storage01/forgejo-runners.nix
View file

@ -1,10 +1,4 @@
{ { config, pkgs, ... }:
config,
pkgs,
nixpkgs,
sources,
...
}:
let let
url = "https://git.dgnum.eu"; url = "https://git.dgnum.eu";
@ -30,8 +24,6 @@ let
options = "--cpus=4"; options = "--cpus=4";
}; };
}; };
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in in
{ {
services.forgejo-nix-runners = { services.forgejo-nix-runners = {
@ -39,14 +31,12 @@ in
inherit url; inherit url;
storePath = "/data/slow/nix"; storePath = "/data/slow";
tokenFile = config.age.secrets."forgejo_runners-token_file".path; tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [ dependencies = [
nix-pkgs.colmena
pkgs.npins pkgs.npins
pkgs.tea pkgs.tea
nixpkgs.unstable.nixfmt-rfc-style
]; ];
containerOptions = [ "--cpus=4" ]; containerOptions = [ "--cpus=4" ];

21
machines/storage01/forgejo.nix
View file

@ -31,6 +31,7 @@ in
admin = { admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled"; DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
}; };
log.LEVEL = "Warn"; log.LEVEL = "Warn";
@ -44,6 +45,11 @@ in
USER = "web-services@infra.dgnum.eu"; USER = "web-services@infra.dgnum.eu";
}; };
session = {
SESSION_LIFE_TIME = 24 * 3600 * 7;
GC_INTERVAL_TIME = 24 * 3600 * 7;
};
server = { server = {
ROOT_URL = "https://${host}/"; ROOT_URL = "https://${host}/";
DOMAIN = host; DOMAIN = host;
@ -55,6 +61,7 @@ in
service = { service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*"; EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
ENABLE_NOTIFY_MAIL = true; ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false; DISABLE_REGISTRATION = false;
@ -71,18 +78,10 @@ in
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path; mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
}; };
};
nginx = { dgn-web.simpleProxies.forgejo = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
};
};
}; };
users.users.git = { users.users.git = {

37
machines/storage01/garage.nix
View file

@ -1,6 +1,13 @@
{ config, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu"; host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu"; webHost = "cdn.dgnum.eu";
@ -25,8 +32,18 @@ let
] ++ domains; ] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}"); mkHosted = host: builtins.map (b: "${b}.${host}");
ports = {
admin_api = 3903;
k2v_api = 3904;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
in in
{ {
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = { services.garage = {
enable = true; enable = true;
@ -40,24 +57,24 @@ in
replication_mode = "none"; # TODO: deprecated replication_mode = "none"; # TODO: deprecated
compression_level = 7; compression_level = 7;
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:${toString ports.rpc}";
rpc_public_addr = "127.0.0.1:3901"; rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
s3_api = { s3_api = {
s3_region = "garage"; s3_region = "garage";
api_bind_addr = "127.0.0.1:3900"; api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
root_domain = ".${host}"; root_domain = ".${host}";
}; };
s3_web = { s3_web = {
bind_addr = "127.0.0.1:3902"; bind_addr = "127.0.0.1:${toString ports.s3_web}";
root_domain = ".${webHost}"; root_domain = ".${webHost}";
index = "index.html"; index = "index.html";
}; };
k2v_api.api_bind_addr = "[::]:3904"; k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
admin.api_bind_addr = "127.0.0.1:3903"; admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
}; };
environmentFile = config.age.secrets."garage-environment_file".path; environmentFile = config.age.secrets."garage-environment_file".path;
@ -84,7 +101,7 @@ in
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3903; proxy_pass http://127.0.0.1:${toString ports.admin_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';
@ -97,7 +114,7 @@ in
serverAliases = mkHosted host buckets; serverAliases = mkHosted host buckets;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3900; proxy_pass http://127.0.0.1:${toString ports.s3_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
# Disable buffering to a temporary file. # Disable buffering to a temporary file.
@ -113,7 +130,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets); serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3902; proxy_pass http://127.0.0.1:${toString ports.s3_web};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';

10
machines/storage01/influxdb.nix
View file

@ -5,6 +5,7 @@ let
token = user: secret "${user}_token_file"; token = user: secret "${user}_token_file";
host = "influx.dgnum.eu"; host = "influx.dgnum.eu";
port = 8086;
in in
{ {
@ -41,13 +42,8 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.influxdb = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8086";
};
}; };
age-secrets.autoMatch = [ "influxdb2" ]; age-secrets.autoMatch = [ "influxdb2" ];

82
machines/storage01/netbird.nix Normal file
View file

@ -0,0 +1,82 @@
{
config,
lib,
nixpkgs,
...
}:
let
domain = "netbird.dgnum.eu";
s = name: config.age.secrets.${name}.path;
in
{
services = {
netbird.server = {
enable = true;
package = nixpkgs.unstable.netbird;
inherit domain;
enableNginx = true;
coturn.enable = lib.mkForce false;
relay = {
environmentFile = s "netbird-relay_environment_file";
metricsPort = 9094;
};
dashboard = {
settings = {
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
AUTH_AUDIENCE = "dgn_netbird";
AUTH_CLIENT_ID = "dgn_netbird";
};
};
management = {
oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
dnsDomain = "dgnum";
metricsPort = 9092;
settings = {
DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
PKCEAuthorizationFlow.ProviderConfig = {
Audience = "dgn_netbird";
ClientID = "dgn_netbird";
AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
};
IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
DeviceAuthorizationFlow = {
Provider = "none";
ProviderConfig = {
Audience = "dgn_netbird";
ClientID = "dgn_netbird";
};
};
Relay = {
Addresses = [ "rels://${domain}:443" ];
CredentialsTTL = "24h";
Secret._secret = s "netbird-relay_secret_file";
};
};
};
};
nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
};
};
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
}

47
machines/storage01/netbird/default.nix
View file

@ -1,47 +0,0 @@
{ config, ... }:
let
domain = "netbird.dgnum.eu";
in
{
imports = [ ./module.nix ];
services.netbird-server = {
enable = true;
logLevel = "DEBUG";
enableDeviceAuthorizationFlow = false;
enableNginx = true;
enableCoturn = true;
setupAutoOidc = true;
management.dnsDomain = "dgnum";
secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
settings = {
NETBIRD_DOMAIN = domain;
TURN_PASSWORD = "tototest1234";
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
# Updates the preference to use id tokens instead of access token on dashboard
# Okta and Gitlab IDPs can benefit from this
NETBIRD_TOKEN_SOURCE = "idToken";
# NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
# "53000"
# "54000"
# ];
NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
};
};
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
}

643
machines/storage01/netbird/module.nix
View file

@ -1,643 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
filterAttrs
literalExpression
maintainers
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
optionalAttrs
optionalString
optionals
types
;
inherit ((import ./package { inherit pkgs; })) dashboard;
cfg = config.services.netbird-server;
stateDir = "/var/lib/netbird-mgmt";
settingsFormat = pkgs.formats.keyValue { };
managementFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "setup.env" (
builtins.mapAttrs (
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
) settings
);
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
settings =
rec {
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
TURN_PORT = 3478;
TURN_USER = "netbird";
TURN_MIN_PORT = 49152;
TURN_MAX_PORT = 65535;
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
STUN_USERNAME = "";
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443";
NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT
}";
NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT
}";
NETBIRD_SIGNAL_PROTOCOL = "https";
NETBIRD_SIGNAL_PORT = 443;
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
NETBIRD_AUTH_CLIENT_SECRET =
if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
NETBIRD_AUTH_SUPPORTED_SCOPES = [
"openid"
"profile"
"email"
"offline_access"
"api"
];
NETBIRD_AUTH_REDIRECT_URI = "";
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [
"openid"
"profile"
"email"
"offline_access"
"api"
];
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
NETBIRD_MGMT_API_PORT = 443;
NETBIRD_MGMT_IDP = "none";
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_IDP_MGMT_CLIENT_SECRET =
if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then
"$IDP_MGMT_CLIENT_SECRET"
else
cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
NETBIRD_TOKEN_SOURCE = "accessToken";
NETBIRD_DRAG_QUERY_PARAMS = false;
NETBIRD_USE_AUTH0 = false;
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
p: "http://localhost:${p}"
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
}
// (optionalAttrs cfg.setupAutoOidc {
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS";
NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY";
})
// cfg.settings;
in
{
meta = {
maintainers = with maintainers; [ thubrecht ];
};
options.services.netbird-server = {
enable = mkEnableOption (lib.mdDoc "netbird management service.");
package = mkOption {
type = types.package;
default = pkgs.netbird;
defaultText = literalExpression "pkgs.netbird";
description = lib.mdDoc "The package to use for netbird";
};
settings = mkOption {
type =
with types;
attrsOf (
nullOr (oneOf [
(listOf str)
bool
int
float
str
])
);
defaultText = lib.literalExpression ''
{
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
TURN_PORT = 3478;
TURN_USER = "netbird";
TURN_MIN_PORT = 49152;
TURN_MAX_PORT = 65535;
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
STUN_USERNAME = "";
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443";
NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}";
NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}";
NETBIRD_SIGNAL_PROTOCOL = "https";
NETBIRD_SIGNAL_PORT = 443;
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ];
NETBIRD_AUTH_REDIRECT_URI = "";
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ];
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
NETBIRD_MGMT_API_PORT = 443;
NETBIRD_MGMT_IDP = "none";
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
NETBIRD_TOKEN_SOURCE = "accessToken";
NETBIRD_DRAG_QUERY_PARAMS = false;
NETBIRD_USE_AUTH0 = false;
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
}
'';
description = lib.mdDoc ''
Configuration settings for netbird.
Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example)
List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes.
'';
};
managementConfig = mkOption {
inherit (managementFormat) type;
description = lib.mdDoc "Configuration of the netbird management server.";
};
idpManagerExtraConfig = mkOption {
type = types.attrsOf types.str;
default = { };
description = lib.mdDoc "Extra options passed to the IdpManagerConfig.";
};
ports.management = mkOption {
type = types.port;
default = 8011;
description = lib.mdDoc "Internal port of the management server.";
};
ports.signal = mkOption {
type = types.port;
default = 8012;
description = lib.mdDoc "Internal port of the signal server.";
};
logLevel = mkOption {
type = types.enum [
"ERROR"
"WARN"
"INFO"
"DEBUG"
];
default = "INFO";
description = lib.mdDoc "Log level of the netbird services.";
};
enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." // {
default = true;
};
enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server.";
enableCoturn = mkEnableOption "a Coturn server used for Netbird.";
setupAutoOidc = mkEnableOption "the automatic setup of the OIDC.";
management = {
dnsDomain = mkOption {
type = types.str;
default = "netbird.selfhosted";
description = lib.mdDoc "Domain used for peer resolution.";
};
singleAccountModeDomain = mkOption {
type = types.str;
default = "netbird.selfhosted";
description = lib.mdDoc ''
Enables single account mode.
This means that all the users will be under the same account grouped by the specified domain.
If the installation has more than one account, the property is ineffective.
'';
};
disableAnonymousMetrics = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird.";
};
disableSingleAccountMode = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If set to true, disables single account mode.
The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account.
'';
};
};
secretFiles = {
TURN_PASSWORD = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD.";
};
TURN_SECRET = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret TURN_SECRET.";
};
STUN_PASSWORD = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD.";
};
AUTH_CLIENT_SECRET = mkOption {
type = with types; nullOr path;
default = null;
description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET.";
};
IDP_MGMT_CLIENT_SECRET = mkOption {
type = with types; nullOr path;
default = cfg.secretFiles.AUTH_CLIENT_SECRET;
defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;";
description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET.";
};
};
};
config = mkMerge [
(mkIf cfg.enable {
services.netbird-server.managementConfig = with settings; {
Stuns = mkDefault [
{
Proto = "udp";
URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
Username = STUN_USERNAME;
Password = STUN_PASSWORD;
}
];
TURNConfig = {
Turns = [
{
Proto = "udp";
URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
Username = TURN_USER;
Password = TURN_PASSWORD;
}
];
CredentialsTTL = "12h";
Secret = TURN_SECRET;
TimeBasedCredentials = false;
};
Signal = {
Proto = NETBIRD_SIGNAL_PROTOCOL;
URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}";
Username = "";
Password = null;
};
Datadir = "${stateDir}/data";
HttpConfig = {
Address = "127.0.0.1:${builtins.toString cfg.ports.management}";
AuthIssuer = NETBIRD_AUTH_AUTHORITY;
AuthAudience = NETBIRD_AUTH_AUDIENCE;
AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS;
AuthUserIDClaim = NETBIRD_AUTH_USER_ID_CLAIM;
OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT;
};
IdpManagerConfig = {
ManagerType = NETBIRD_MGMT_IDP;
ClientConfig = {
Issuer = NETBIRD_AUTH_AUTHORITY;
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
ClientID = NETBIRD_IDP_MGMT_CLIENT_ID;
ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET;
GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE;
};
ExtraConfig = cfg.idpManagerExtraConfig;
};
DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow {
Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER;
ProviderConfig = {
Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE;
Domain = NETBIRD_AUTH_AUTHORITY;
ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID;
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT;
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE;
UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN;
};
};
PKCEAuthorizationFlow = {
ProviderConfig = {
Audience = NETBIRD_AUTH_AUDIENCE;
ClientID = NETBIRD_AUTH_CLIENT_ID;
ClientSecret = NETBIRD_AUTH_CLIENT_SECRET;
AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT;
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES;
RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS;
UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN;
};
};
};
services.nginx.virtualHosts = mkIf cfg.enableNginx {
${cfg.settings.NETBIRD_DOMAIN} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
root = "${stateDir}/web-ui/";
tryFiles = "$uri /index.html";
};
"/signalexchange.SignalExchange/".extraConfig = ''
grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal};
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
'';
"/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}";
"/management.ManagementService/".extraConfig = ''
grpc_pass grpc://localhost:${builtins.toString cfg.ports.management};
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
'';
};
};
};
systemd.services = {
netbird-setup = {
wantedBy = [
"netbird-management.service"
"netbird-signal.service"
"multi-user.target"
];
serviceConfig = {
Type = "oneshot";
RuntimeDirectory = "netbird-mgmt";
StateDirectory = "netbird-mgmt";
WorkingDirectory = stateDir;
EnvironmentFile = [ settingsFile ];
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
path =
(with pkgs; [
coreutils
findutils
gettext
gnused
])
++ (optionals cfg.setupAutoOidc (
with pkgs;
[
curl
jq
]
));
script =
''
cp ${managementFile} ${stateDir}/management.json.copy
''
+ (optionalString cfg.setupAutoOidc ''
mv ${stateDir}/management.json.copy ${stateDir}/management.json
echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file"
curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json
export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json)
export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json)
envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy
'')
+ ''
# Update secrets in management.json
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") (
filterAttrs (_: p: p != null) cfg.secretFiles
)
)
)}
envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json
rm -rf ${stateDir}/web-ui
mkdir -p ${stateDir}/web-ui
cp -R ${dashboard}/* ${stateDir}/web-ui
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
${optionalString (
cfg.secretFiles.AUTH_CLIENT_SECRET == null
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
export USE_AUTH0="$NETBIRD_USE_AUTH0"
export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g')
export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js)
OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js
mv "$MAIN_JS" "$MAIN_JS".copy
envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS"
envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
'';
};
netbird-signal = {
after = [ "network.target" ];
wantedBy = [ "netbird-management.service" ];
restartTriggers = [
settingsFile
managementFile
];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/netbird-signal run \
--port ${builtins.toString cfg.ports.signal} \
--log-file console \
--log-level ${cfg.logLevel}
'';
Restart = "always";
RuntimeDirectory = "netbird-mgmt";
StateDirectory = "netbird-mgmt";
WorkingDirectory = stateDir;
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
stopIfChanged = false;
};
netbird-management = {
description = "The management server for Netbird, a wireguard VPN";
documentation = [ "https://netbird.io/docs/" ];
after = [
"network.target"
"netbird-setup.service"
];
wantedBy = [ "multi-user.target" ];
wants = [
"netbird-signal.service"
"netbird-setup.service"
];
restartTriggers = [
settingsFile
managementFile
];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/netbird-mgmt management \
--config ${stateDir}/management.json \
--datadir ${stateDir}/data \
${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \
${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \
--dns-domain ${cfg.management.dnsDomain} \
--single-account-mode-domain ${cfg.management.singleAccountModeDomain} \
--idp-sign-key-refresh-enabled \
--port ${builtins.toString cfg.ports.management} \
--log-file console \
--log-level ${cfg.logLevel}
'';
Restart = "always";
RuntimeDirectory = "netbird-mgmt";
StateDirectory = [
"netbird-mgmt"
"netbird-mgmt/data"
];
WorkingDirectory = stateDir;
};
unitConfig = {
StartLimitInterval = 5;
StartLimitBurst = 10;
};
stopIfChanged = false;
};
};
})
(mkIf cfg.enableCoturn {
services.coturn = {
enable = true;
realm = settings.NETBIRD_DOMAIN;
lt-cred-mech = true;
no-cli = true;
extraConfig = ''
fingerprint
user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD}
no-software-attribute
'';
};
networking.firewall = {
allowedUDPPorts = with settings; [
TURN_PORT
(TURN_PORT + 1)
5349
5350
];
allowedTCPPorts = with settings; [
TURN_PORT
(TURN_PORT + 1)
];
allowedUDPPortRanges = [
{
from = settings.TURN_MIN_PORT;
to = settings.TURN_MAX_PORT;
}
];
};
})
(mkIf (cfg.enableNginx && cfg.enableCoturn) {
services.coturn =
let
cert = config.security.acme.certs.${settings.TURN_DOMAIN};
in
{
cert = "${cert.directory}/fullchain.pem";
pkey = "${cert.directory}/key.pem";
};
users.users.nginx.extraGroups = [ "turnserver" ];
# share certs with coturn and restart on renewal
security.acme.certs.${settings.TURN_DOMAIN} = {
group = "turnserver";
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
};
})
];
}

31
machines/storage01/netbird/package/dashboard.nix
View file

@ -1,31 +0,0 @@
{
lib,
buildNpmPackage,
fetchFromGitHub,
}:
buildNpmPackage rec {
pname = "netbird-dashboard";
version = "1.17.6";
src = fetchFromGitHub {
owner = "netbirdio";
repo = "dashboard";
rev = "v${version}";
hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40=";
};
npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w=";
npmFlags = [ "--legacy-peer-deps" ];
installPhase = ''
cp -R build $out
'';
meta = with lib; {
description = "NetBird Management Service Web UI Panel";
homepage = "https://github.com/netbirdio/dashboard";
license = licenses.bsd3;
maintainers = with maintainers; [ thubrecht ];
};
}

7
machines/storage01/netbird/package/default.nix
View file

@ -1,7 +0,0 @@
{
pkgs ? import <nixpkgs> { },
}:
{
dashboard = pkgs.callPackage ./dashboard.nix { };
}

2
machines/storage01/peertube.nix
View file

@ -4,6 +4,8 @@ let
host = "videos.dgnum.eu"; host = "videos.dgnum.eu";
in in
{ {
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
services.peertube = { services.peertube = {
enable = true; enable = true;

10
machines/storage01/prometheus.nix
View file

@ -77,15 +77,9 @@ in
]; ];
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.prometheus = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = true;
};
}; };
age-secrets.autoMatch = [ "prometheus" ]; age-secrets.autoMatch = [ "prometheus" ];

BIN
machines/storage01/secrets/netbird-auth_client_secret_file
View file

Binary file not shown.

30
machines/storage01/secrets/netbird-data_store_encryption_key_file Normal file
View file

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo
hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8
-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA
VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8
-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0
Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0
-> ssh-rsa krWCLQ
OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ
8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2
H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees
D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl
P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN
Gy5MiJasx3nWCUYJZUL1Fw
-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8
wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog
-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU
+LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg
-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ
7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo
-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk
kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I
-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0
zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg
-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4
jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg
-> @K'k$-grease x>ie }CH4sS h|s
bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg
--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs
1Ò¨Rq¢<>nýµ{”ý5?HXH1¢ Ê%)Í01RGr׿fÖNT4å2B(í);ìíÿ‰íÁœ

BIN
machines/storage01/secrets/netbird-relay_environment_file Normal file
View file

Binary file not shown.

31
machines/storage01/secrets/netbird-relay_secret_file Normal file
View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA lI9DxAFp/gbF+77Sofv9KIrs3kMTYTLEm8C6AsZBPyI
8RFGt1aJnZbd7Lpr4iy1VlMr3yzpPf6sI79cik5X77c
-> ssh-ed25519 QlRB9Q eMENLAMY+eNXJhduTnJoyPimbThM7VA+4m6BrnZa8RE
NpwcJhh0U8pMU1hnXFz2bfwSmCQra1CI5Tr2cbXGMT0
-> ssh-ed25519 r+nK/Q eyuD/hYyYmG96AcPEZVNsohXgK9WD+g+ZyMpIyaiYjY
Ef+R/eXkqvOmYJvjz4muTjGamkXzgHzD31vXDXsgo3M
-> ssh-rsa krWCLQ
BuBMUp5uijNV71OYvMGS9NhBBplfFugJy14EOHclJ2TKjQ19RVKHPj0wX0AxuPCT
iV6j6Po/oKSsGuoKy6JMTLKjYtROPF70Ld8PlC4tFI5i0xQagEFhKONfk1Rd/mF0
2qGriQhSUMvkMirbkhE3CxrAzSqcjuoGji+ZWwpz2LYUVsF89nnoLsTRri+Sg5ZW
4qhoo23UTU+IlrVtqjB7W1rNAwHKhWPZnjc08x1x/qnLATemmDMsFmTEGljJNGMR
kEg+oUdwdvLjDsnGBWkE+Ck/mrEGwjcsDTmZmCYcH/Q11EMdj5hnCfG68PRhLF9K
b28fHveM3i5/jHrrTxWbrA
-> ssh-ed25519 /vwQcQ 1xQWlLW6xCrheirHSKcGEu+KM644y8NP1KYvwOganQc
IFVYj83X1uLvgIRlnDvnLiaoZNM9viLT7X11vIHdLxY
-> ssh-ed25519 0R97PA I8K03IKgC59zmHqVr8h8TaxuuTSbmYsyap830JyhIhw
AGxW9sq7PQNgs9WFcbINI2CnE3lJJ0rDmseN83YSeT0
-> ssh-ed25519 JGx7Ng syz/pzdj3Lg1VwulZhT8UQncgXjOH1nlbtqHgASLAws
IKaU32zbjFc319PctmGPtHt4RXjgzun0K+9HeuGS3FU
-> ssh-ed25519 5SY7Kg 06EjOyKw1zIWcdZGC7EfNt9mFix+fVcy1iS+SBhPgCQ
ZxcNbC1QmTPJkWlwBnD9YjuzekGZtSDeI7RYxq0uwgw
-> ssh-ed25519 p/Mg4Q uCbjjN5S0ZoZtsj5jva9mTrlZ2UE02A3DysxV1PZ/lM
7jWWiWp4ei5VjftKZz29osbaFxfpId+X3GLzgWZ9Wgo
-> ssh-ed25519 rHotTw Q1/zZpGbUCbXiEELad5710uNkllrFuQlhonSLfIoQVo
h6iW26rADPn1MRqNoD33ZVVDRDr2DBoNK+BjrDxwZik
-> ss-grease
A3WDPMHgipAaXF0MStKGx8CAbFTqks74CRTKButwwJYvgnMFp2Yglx3D2NOWTdJm
yde7gp5XInweYf2TjvQK88l0MD0VYlG9Lu7+wbWGFElCpQ
--- 0d/8UVX6ubUZpKG3LzJsFKbsZNRKUwQq7LuWMiyezKo
P?j@¦Hˆ´ßš¥¼ówgêìÚ©L¥_ã+ì|ζãÙ¦Ö#“fu#c涯„IæS†|¨À²å 

4
machines/storage01/secrets/secrets.nix
View file

@ -8,7 +8,9 @@
"influxdb2-initial_password_file" "influxdb2-initial_password_file"
"influxdb2-initial_token_file" "influxdb2-initial_token_file"
"influxdb2-telegraf_token_file" "influxdb2-telegraf_token_file"
"netbird-auth_client_secret_file" "netbird-data_store_encryption_key_file"
"netbird-relay_environment_file"
"netbird-relay_secret_file"
"nginx-tvix-store-password" "nginx-tvix-store-password"
"nginx-tvix-store-password-ci" "nginx-tvix-store-password-ci"
"peertube-secrets_file" "peertube-secrets_file"

3
machines/storage01/tvix-cache/default.nix
View file

@ -135,10 +135,11 @@ in
systemd.services."tvix-store" = { systemd.services."tvix-store" = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = { environment = {
RUST_LOG = "debug"; RUST_LOG = "info";
}; };
serviceConfig = { serviceConfig = {
UMask = "007"; UMask = "007";
LimitNOFILE = 1048576;
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}"; ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
StateDirectory = "tvix-store"; StateDirectory = "tvix-store";
RuntimeDirectory = "tvix-store"; RuntimeDirectory = "tvix-store";

16
machines/storage01/victoria-metrics.nix Normal file
View file

@ -0,0 +1,16 @@
let
host = "victoria-metrics.dgnum.eu";
port = 9099;
in
{
services.victoriametrics = {
enable = true;
listenAddress = "127.0.0.1:${builtins.toString port}";
};
dgn-web.simpleProxies.victoria-metrics = {
inherit host port;
};
}

2
machines/vault01/networking.nix
View file

@ -239,7 +239,7 @@ in
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158 ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
ether saddr e0:2b:e9:b5:b4:cc snat to 129.199.195.130 comment "Elias" ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin" ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc" ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs" ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"

23
machines/web01/crabfit/default.nix
View file

@ -12,25 +12,12 @@
dgn-backups.postgresDatabases = [ "crabfit" ]; dgn-backups.postgresDatabases = [ "crabfit" ];
services.nginx = dgn-web.simpleProxies = {
let crabfit-api = {
cfg = config.services.crabfit; inherit (config.services.crabfit.api) host port;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
}; };
crabfit-frontend = {
virtualHosts.${cfg.api.host} = { inherit (config.services.crabfit.frontend) host port;
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
}; };
}; };
} }

15
machines/web01/linkal/module.nix
View file

@ -101,20 +101,13 @@ in
# }; # };
# }; # };
services.nginx = { dgn-web.simpleProxies = mapAttrs' (
enable = true;
virtualHosts = mapAttrs' (
name: name:
{ port, ... }: { port, ... }:
nameValuePair "${name}.${cfg.domain}" { nameValuePair "linkal-${name}" {
enableACME = true; inherit port;
# acmeRoot = null; # Use DNS-01 validation host = "${name}.${cfg.domain}";
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
} }
) cfg.calendarGroups; ) cfg.calendarGroups;
}; };
};
} }

17
machines/web01/metis/default.nix
View file

@ -6,30 +6,35 @@
}: }:
let let
metis = import sources.metis { inherit pkgs; }; inherit (lib) mapAttrsToList match;
inherit (metis) providers; metis = import sources.metis { inherit pkgs; };
in in
{ {
services.nginx.virtualHosts."calendrier.dgnum.eu" = { services.nginx.virtualHosts."calendrier.dgnum.eu" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = metis.production; root = metis.package;
locations = lib.mapAttrs' ( locations = lib.mapAttrs' (
name: value: name: domain:
lib.nameValuePair "/cal/${name}/" { lib.nameValuePair "/cal/${name}/" {
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass ${value}; proxy_pass https://${domain}/remote.php/dav/public-calendars/;
''; '';
} }
) providers; ) metis.providers;
extraConfig = '' extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent; rewrite ^/calendrier(.*)$ $1 permanent;
''; '';
}; };
assertions = mapAttrsToList (name: domain: {
assertion = (match "[a-z-]+" name == [ ]) && (match "[a-z.-]+" domain == [ ]);
message = "The provider `${name}` associated to the domain `${domain}` seems to have an incorrect definition.";
}) metis.providers;
} }

23
machines/web01/netbox.nix
View file

@ -13,7 +13,7 @@ in
services = { services = {
netbox = { netbox = {
enable = true; enable = true;
package = nixpkgs.unstable.netbox_3_7; package = nixpkgs.unstable.netbox_4_1;
secretKeyFile = "/dev/null"; secretKeyFile = "/dev/null";
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
plugins = p: [ p.netbox-qrcode ]; plugins = p: [ p.netbox-qrcode ];
@ -39,17 +39,6 @@ in
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"] SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
''; '';
}; };
nginx = {
enable = true;
virtualHosts."netbox.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
};
}; };
systemd.services = { systemd.services = {
@ -69,10 +58,12 @@ in
}; };
users.users.nginx.extraGroups = [ "netbox" ]; users.users.nginx.extraGroups = [ "netbox" ];
networking.firewall.allowedTCPPorts = [
443 dgn-web.simpleProxies.netbox = {
80 inherit (config.services.netbox) port;
]; host = "netbox.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ]; dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
dgn-backups.postgresDatabases = [ "netbox" ]; dgn-backups.postgresDatabases = [ "netbox" ];

10
machines/web01/ntfy-sh.nix
View file

@ -2,6 +2,7 @@
let let
host = "push.dgnum.eu"; host = "push.dgnum.eu";
port = 2586;
in in
{ {
services.ntfy-sh = { services.ntfy-sh = {
@ -17,15 +18,10 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.ntfy-sh = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2586";
proxyWebsockets = true; proxyWebsockets = true;
}; };
};
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [ systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [
config.age.secrets."ntfy_sh-environment_file".path config.age.secrets."ntfy_sh-environment_file".path

1
machines/web01/redirections.nix
View file

@ -29,7 +29,6 @@ in
"bds.wp.dgnum.eu" = "bds.ens.fr"; "bds.wp.dgnum.eu" = "bds.ens.fr";
"www.tuteurs.ens.fr" = "tuteurs.ens.fr"; "www.tuteurs.ens.fr" = "tuteurs.ens.fr";
"www.interq.ens.fr" = "interq.ens.fr"; "www.interq.ens.fr" = "interq.ens.fr";
"www.lanuit.ens.fr" = "lanuit.ens.fr";
}; };
temporary = { temporary = {

29
machines/web02/cas-eleves/default.nix
View file

@ -9,6 +9,7 @@
let let
inherit (lib) mapAttrsToList; inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
port = 9889; port = 9889;
python3 = python3 =
@ -128,8 +129,18 @@ in
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
services = { dgn-web.simpleProxies.cas-eleves = {
postgresql = { inherit host port;
vhostConfig = {
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
services.postgresql = {
ensureDatabases = [ "cas_server" ]; ensureDatabases = [ "cas_server" ];
ensureUsers = [ ensureUsers = [
{ {
@ -138,18 +149,4 @@ in
} }
]; ];
}; };
nginx.virtualHosts."cas.eleves.ens.fr" = {
enableACME = true;
forceSSL = true;
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
} }

20
machines/web02/kadenios/default.nix
View file

@ -9,6 +9,7 @@
let let
inherit (lib) mapAttrsToList optionals; inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888; port = 9888;
python3 = python3 =
@ -168,8 +169,12 @@ in
}; };
}; };
services = { dgn-web.simpleProxies.kadenios = {
postgresql = { inherit host port;
vhostConfig.locations."/static/".root = staticDrv;
};
services.postgresql = {
ensureDatabases = [ "kadenios" ]; ensureDatabases = [ "kadenios" ];
ensureUsers = [ ensureUsers = [
{ {
@ -178,15 +183,4 @@ in
} }
]; ];
}; };
nginx.virtualHosts."vote.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
};
};
};
} }

19
machines/web03/_configuration.nix Normal file
View file

@ -0,0 +1,19 @@
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-web"
];
enabledServices = [
# List of services to enable
"django-apps"
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}

45
machines/web03/_hardware-configuration.nix Normal file
View file

@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"sr_mod"
"virtio_blk"
];
kernelModules = [ ];
luks.devices."main" = {
device = "/dev/disk/by-uuid/21a5fa9b-35d2-49c9-80f8-5161c652bdc8";
tryEmptyPassphrase = true;
};
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/9069a0a6-2f9f-4219-a2c4-248de932da6f";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/9826-E466";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ { device = "/dev/disk/by-uuid/a91c29b4-9b1b-477e-820f-3cf610158e2a"; } ];
}

52
machines/web03/django-apps/annuaire.nix Normal file
View file

@ -0,0 +1,52 @@
{ pkgs, sources, ... }:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.annuaire = {
source = "https://git.dgnum.eu/DGNum/annuaire-eleves";
branch = "main";
domain = "annuaire-ens.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) authens loadcredential; };
};
dependencies = ps: [
ps.django
ps.pillow
ps.loadcredential
ps.authens
ps.python-dateutil
];
credentials = {
SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
};
environment = {
ANNUAIRE_ALLOWED_HOSTS = [ "annuaire-ens.webapps.dgnum.eu" ];
ANNUAIRE_LDAP = {
SPI = {
PROTOCOL = "ldaps";
URL = "ldap.spi.ens.fr";
PORT = 636;
};
CRI = {
PROTOCOL = "ldaps";
URL = "annuaire.ens.fr";
PORT = 636;
};
};
};
};
}

44
machines/web03/django-apps/bocal.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs, sources, ... }:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.bocal = {
source = "https://git.dgnum.eu/DGNum/www-bocal";
branch = "main";
domain = "bocal.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) django-cas-ng django-solo loadcredential; };
};
dependencies = ps: [
ps.django
ps.django-cas-ng
ps.django-markdownx
ps.django-solo
ps.markdown
ps.pillow
ps.loadcredential
];
credentials = {
SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
};
environment = {
DJANGO_SETTINGS_MODULE = "app.settings";
BOCAL_ALLOWED_HOSTS = [ "bocal.webapps.dgnum.eu" ];
BOCAL_RHOSTS_PATH = "/var/lib/django-apps/bocal/.rhosts";
};
};
}

22
machines/web03/django-apps/default.nix Normal file
View file

@ -0,0 +1,22 @@
{
imports = [
./annuaire.nix
./bocal.nix
./gestiojeux.nix
./interludes.nix
./wikiens.nix
];
services.django-apps = {
enable = true;
webhook = {
domain = "apps-webhook.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
};
};
}

69
machines/web03/django-apps/gestiojeux.nix Normal file
View file

@ -0,0 +1,69 @@
{ pkgs, sources, ... }:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.gestiojeux = {
source = "https://git.dgnum.eu/DGNum/gestiojeux";
branch = "production";
domain = "gestiojeux.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
application = {
type = "wsgi";
module = "gestiojeux";
};
python = pkgs.python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-autoslug
django-cas-ng
loadcredential
markdown-icons
;
};
};
django = ps: ps.django_4;
dependencies = ps: [
ps.django-autoslug
ps.loadcredential
ps.django-cas-ng
ps.django-cleanup
ps.django-haystack
ps.django-markdownx
ps.django-tables2
ps.pillow
ps.psycopg2
ps.whoosh
# Django haystack is drunk
ps.setuptools
];
staticDirectory = "source/public/static";
mediaDirectory = "source/public/media";
credentials = {
SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
};
environment = {
GESTIOJEUX_ALLOWED_HOSTS = [ "gestiojeux.webapps.dgnum.eu" ];
GESTIOJEUX_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
GESTIOJEUX_DEFAULT_FROM_EMAIL = "Kadenios <web-services@infra.dgnum.eu>";
GESTIOJEUX_SERVER_EMAIL = "webapps@infra.dgnum.eu";
GESTIOJEUX_DB_NAME = "dj-gestiojeux";
GESTIOJEUX_DB_USER = "dj-gestiojeux";
};
};
}

66
machines/web03/django-apps/interludes.nix Normal file
View file

@ -0,0 +1,66 @@
{
config,
pkgs,
sources,
...
}:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.webhook.extraArgs = [ "-debug" ];
services.django-apps.sites.interludes = {
source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
branch = "master";
domain = "interludes.ens.fr";
nginx = {
enableACME = true;
forceSSL = true;
serverAliases = [ "interludes.webapps.dgnum.eu" ];
};
webHookSecret = config.age.secrets."webhook-interludes_token".path;
application = {
type = "wsgi";
module = "interludes";
};
dbType = "sqlite";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
};
django = ps: ps.django_4;
dependencies = ps: [
ps.loadcredential
ps.python-ldap
ps.python-cas
];
credentials = {
SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
};
environment = {
INTERLUDES_ALLOWED_HOSTS = [
"interludes.ens.fr"
"interludes.webapps.dgnum.eu"
];
# E-mail configuration
INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
INTERLUDES_EMAIL_PORT = 465;
INTERLUDES_EMAIL_HOST_USER = "interludes";
INTERLUDES_DEBUG = false;
};
};
}

40
machines/web03/django-apps/wikiens.nix Normal file
View file

@ -0,0 +1,40 @@
{ pkgs, sources, ... }:
let
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.django-apps.sites.wikiens = {
source = "https://git.dgnum.eu/DGNum/wiki-eleves";
branch = "main";
domain = "wiki.webapps.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
python = pkgs.python3.override {
packageOverrides = _: _: { inherit (nix-pkgs) django-allauth-ens django-wiki loadcredential; };
};
dependencies = ps: [
ps.django
ps.django-allauth-ens
ps.django-wiki
ps.loadcredential
ps.tinycss2
];
credentials = {
SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
};
environment = {
WIKIENS_ALLOWED_HOSTS = [ "wiki.webapps.dgnum.eu" ];
};
};
}

29
machines/web03/secrets/dj_interludes-email_host_password_file Normal file
View file

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
-> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
-> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
-> ssh-rsa krWCLQ
AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
+01dH0D/7kzRhEdNLO2NXA
-> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
-> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
-> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
-> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
-> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
-> (_o61>U-grease .P>ZRrj~ -=7S;N
6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
k+sGxA
--- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
è ™ñΗ´ä!î^ûØÖ8ÔzøÑaÒÓ ÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â

29
machines/web03/secrets/dj_interludes-secret_key_file Normal file
View file

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
-> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
-> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
-> ssh-rsa krWCLQ
xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
fuPQDFKxMucAsPjv1H1iaQ
-> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
-> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
-> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
-> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
-> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
-> Tp-grease s03Py `u6"4 E|5 _
3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
--- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!@ìp­ö¸T«?£iÞ‰áèÚ>I^ül·o5”¯ë:{¬gJk£vø>€W8ði

6
machines/web03/secrets/secrets.nix Normal file
View file

@ -0,0 +1,6 @@
(import ../../../keys).mkSecrets [ "web03" ] [
# List of secrets for web03
"dj_interludes-email_host_password_file"
"dj_interludes-secret_key_file"
"webhook-interludes_token"
]

BIN
machines/web03/secrets/webhook-interludes_token Normal file
View file

Binary file not shown.

24
meta/dns.nix
View file

@ -1,7 +1,7 @@
{ lib, dns, ... }: { lib, dns, ... }:
let let
inherit (lib) mapAttrs' nameValuePair; inherit (lib) mapAttrs' nameValuePair optional;
inherit (lib.extra) fuseAttrs mapSingleFuse; inherit (lib.extra) fuseAttrs mapSingleFuse;
inherit (dns.lib.combinators) mx spf ttl; inherit (dns.lib.combinators) mx spf ttl;
@ -85,6 +85,7 @@ let
"influx" # InfluxDB "influx" # InfluxDB
"netbird" # Netbird "netbird" # Netbird
"prometheus" # Prometheus "prometheus" # Prometheus
"victoria-metrics" # Victoria Metrics
"videos" # Peertube "videos" # Peertube
# Garage S3 # Garage S3
@ -131,8 +132,15 @@ let
]; ];
web02.dual = [ web02.dual = [
"cas-eleves" "cas-eleves" # CAS server
"vote" "chat" # Mattermost
"vote" # Kadenios
];
web03.dual = [
# Django Apps
"*.webapps"
"apps-webhook"
]; ];
} }
) )
@ -209,17 +217,19 @@ in
subdomains = mapAttrs' ( subdomains = mapAttrs' (
host: host:
{ site, ... }: { site, ... }:
nameValuePair "${host}.${site}" ( let
with meta.network.${host}.addresses; net = meta.network.${host};
{ inherit (net.addresses) ipv4 ipv6;
in
nameValuePair "${host}.${site}" {
A = ipv4; A = ipv4;
AAAA = ipv6; AAAA = ipv6;
subdomains = { subdomains = {
v4.A = ipv4; v4.A = ipv4;
v6.AAAA = ipv6; v6.AAAA = ipv6;
private.A = optional (net.netbirdIp != null) net.netbirdIp;
}; };
} }
)
) meta.nodes; ) meta.nodes;
}; };
}; };

42
meta/network.nix
View file

@ -29,29 +29,6 @@
netbirdIp = "100.80.75.197"; netbirdIp = "100.80.75.197";
}; };
krz01 = {
interfaces = {
eno1 = {
ipv4 = [
{
address = "129.199.146.21";
prefixLength = 24;
}
{
address = "192.168.1.145";
prefixLength = 24;
}
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "bd11e8fc";
netbirdIp = "100.80.103.206";
};
geo01 = { geo01 = {
interfaces = { interfaces = {
eno1 = { eno1 = {
@ -178,6 +155,25 @@
netbirdIp = null; # web02 is not to be connected on the VPN netbirdIp = null; # web02 is not to be connected on the VPN
}; };
web03 = {
interfaces = {
enp1s0 = {
ipv4 = [
{
address = "129.199.129.223";
prefixLength = 24;
}
];
gateways = [ "129.199.129.1" ];
enableDefaultDNS = true;
};
};
hostId = "8afc7749";
netbirdIp = "100.80.157.46";
};
rescue01 = { rescue01 = {
interfaces = { interfaces = {
ens18 = { ens18 = {

56
meta/nodes.nix
View file

@ -37,19 +37,6 @@
}; };
}; };
web01 = {
site = "rat01";
deployment.tags = [ "web" ];
hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
stateVersion = "23.05";
vm-cluster = "Hyperviseur NPS";
nixpkgs = "24.05";
};
compute01 = { compute01 = {
site = "pav01"; site = "pav01";
@ -80,15 +67,15 @@
nixpkgs = "24.05"; nixpkgs = "24.05";
}; };
krz01 = { rescue01 = {
site = "pav01"; site = "luj01";
hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/"; deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
stateVersion = "24.05"; hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
nixpkgs = "unstable";
adminGroups = [ "lab" ]; stateVersion = "23.11";
vm-cluster = "Hyperviseur Luj";
}; };
storage01 = { storage01 = {
@ -99,7 +86,10 @@
stateVersion = "23.11"; stateVersion = "23.11";
nixpkgs = "24.05"; nixpkgs = "24.05";
nix-modules = [ "services/forgejo-nix-runners" ]; nix-modules = [
"services/forgejo-nix-runners"
"services/netbird/server.nix"
];
}; };
vault01 = { vault01 = {
@ -114,6 +104,19 @@
adminGroups = [ "fai" ]; adminGroups = [ "fai" ];
}; };
web01 = {
site = "rat01";
deployment.tags = [ "web" ];
hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
stateVersion = "23.05";
vm-cluster = "Hyperviseur NPS";
nixpkgs = "24.05";
};
web02 = { web02 = {
site = "rat01"; site = "rat01";
@ -124,14 +127,15 @@
vm-cluster = "Hyperviseur NPS"; vm-cluster = "Hyperviseur NPS";
}; };
rescue01 = { web03 = {
site = "luj01"; site = "rat01";
deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu"; hashedPassword = "$y$j9T$Un/tcX5SPKNXG.sy/BcTa.$kyNHELjb1GAOWnauJfcjyVi5tacWcuEBKflZDCUC6x4";
hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC"; nix-modules = [ "services/django-apps" ];
stateVersion = "23.11"; stateVersion = "24.05";
vm-cluster = "Hyperviseur Luj"; nixpkgs = "unstable";
vm-cluster = "Hyperviseur NPS";
}; };
} }

18
meta/options.nix
View file

@ -41,7 +41,10 @@ in
options = { options = {
organization = { organization = {
members = mkOption { members = mkOption {
type = attrsOf (submodule { type = attrsOf (
submodule (
{ name, ... }:
{
options = { options = {
name = mkOption { name = mkOption {
type = str; type = str;
@ -56,8 +59,19 @@ in
Main e-mail address of the member. Main e-mail address of the member.
''; '';
}; };
username = mkOption {
type = str;
default = name;
description = ''
The username used for authentication.
WARNING: Must be the same as the ens login!
'';
}; };
}); };
}
)
);
description = '' description = ''
Members of the DGNum organization. Members of the DGNum organization.

17
meta/organization.nix
View file

@ -5,14 +5,21 @@
{ {
members = { members = {
agroudiev = {
name = "Antoine Groudiev";
email = "antoine.groudiev@dgnum.eu";
};
catvayor = { catvayor = {
name = "Lubin Bailly"; name = "Lubin Bailly";
email = "catvayor@dgnum.eu"; email = "catvayor@dgnum.eu";
username = "lbailly";
}; };
cst1 = { cst1 = {
name = "Constantin Gierczak--Galle"; name = "Constantin Gierczak--Galle";
email = "cst1@dgnum.eu"; email = "cst1@dgnum.eu";
username = "cgierczakgalle";
}; };
ecoppens = { ecoppens = {
@ -23,11 +30,19 @@
jemagius = { jemagius = {
name = "Jean-Marc Gailis"; name = "Jean-Marc Gailis";
email = "jm@dgnum.eu"; email = "jm@dgnum.eu";
username = "jgailis";
}; };
luj = { luj = {
name = "Julien Malka"; name = "Julien Malka";
email = "luj@dgnum.eu"; email = "luj@dgnum.eu";
username = "jmalka";
};
mboyer = {
name = "Matthieu Boyer";
email = "matthieu.boyer@dgnum.eu";
username = "mboyer02";
}; };
mdebray = { mdebray = {
@ -38,6 +53,7 @@
raito = { raito = {
name = "Ryan Lahfa"; name = "Ryan Lahfa";
email = "ryan@dgnum.eu"; email = "ryan@dgnum.eu";
username = "rlahfa";
}; };
thubrecht = { thubrecht = {
@ -52,7 +68,6 @@
"thubrecht" "thubrecht"
"raito" "raito"
"mdebray" "mdebray"
"luj"
]; ];
# members of this group are root on the fai infrastructure # members of this group are root on the fai infrastructure

35
modules/dgn-netbox-agent/01-batch-filter.patch
View file

@ -1,35 +0,0 @@
diff --git a/netbox_agent/network.py b/netbox_agent/network.py
index 673dfc1..8ef60aa 100644
--- a/netbox_agent/network.py
+++ b/netbox_agent/network.py
@@ -1,7 +1,7 @@
import logging
import os
import re
-from itertools import chain
+from itertools import chain, islice
import netifaces
from netaddr import IPAddress
@@ -413,11 +413,17 @@ class Network(object):
# delete IP on netbox that are not known on this server
if len(nb_nics):
- netbox_ips = nb.ipam.ip_addresses.filter(
- **{self.intf_type: [x.id for x in nb_nics]}
- )
+
+ def batched(it, n):
+ while batch := tuple(islice(it, n)):
+ yield batch
+
+ netbox_ips = []
+ for ids in batched((x.id for x in nb_nics), 25):
+ netbox_ips += list(
+ nb.ipam.ip_addresses.filter(**{self.intf_type: ids})
+ )
- netbox_ips = list(netbox_ips)
all_local_ips = list(chain.from_iterable([
x['ip'] for x in self.nics if x['ip'] is not None
]))

13
modules/dgn-netbox-agent/default.nix
View file

@ -7,7 +7,9 @@
let let
inherit (config.networking) hostName domain; inherit (config.networking) hostName domain;
in in
{ {
imports = [ ./module.nix ];
options.dgn-netbox-agent = { options.dgn-netbox-agent = {
enable = lib.mkEnableOption "DGNum netbox agent setup." // { enable = lib.mkEnableOption "DGNum netbox agent setup." // {
@ -16,14 +18,6 @@ in
}; };
config = lib.mkIf config.dgn-netbox-agent.enable { config = lib.mkIf config.dgn-netbox-agent.enable {
nixpkgs.overlays = [
(_: super: {
netbox-agent = super.netbox-agent.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ./01-batch-filter.patch ];
});
})
];
services.netbox-agent = { services.netbox-agent = {
enable = true; enable = true;
@ -51,6 +45,7 @@ in
randomizedDelaySec = "3h"; randomizedDelaySec = "3h";
environmentFile = config.age.secrets."netbox-agent".path; environmentFile = config.age.secrets."netbox-agent".path;
}; };
age-secrets.sources = [ ./. ];
age-secrets.sources = [ ./secrets ];
}; };
} }

115
modules/dgn-netbox-agent/module.nix Normal file
View file

@ -0,0 +1,115 @@
{
config,
pkgs,
lib,
utils,
...
}:
let
inherit (lib)
getExe
mkEnableOption
mkIf
mkOption
mkPackageOption
;
inherit (lib.types)
either
listOf
nullOr
path
str
;
settingsFormat = pkgs.formats.yaml { };
cfg = config.services.netbox-agent;
in
{
options.services.netbox-agent = {
enable = mkEnableOption "Netbox-agent";
package = (mkPackageOption pkgs "netbox-agent" { }) // {
default = pkgs.callPackage ./package.nix { };
};
startAt = mkOption {
type = either str (listOf str);
default = "*-*-* 00:00:00";
description = ''
Automatically start this unit at the given date/time, which
must be in the format described in
{manpage}`systemd.time(7)`.
'';
};
randomizedDelaySec = mkOption {
type = str;
default = "0";
example = "45min";
description = ''
Add a randomized delay before each netbox-agent runs.
The delay will be chosen between zero and this value.
This value must be a time span in the format specified by
{manpage}`systemd.time(7)`
'';
};
settings = mkOption {
inherit (settingsFormat) type;
description = ''
Settings to be passed to the netbox agent. Will be converted to a YAML
config file
'';
default = { };
};
environmentFile = mkOption {
type = nullOr path;
default = null;
description = ''
Environment file to pass to netbox-agent. See `netbox-agent --help` for
possible environment variables
'';
};
};
config = mkIf cfg.enable {
systemd.services.netbox-agent = {
description = "Netbox-agent service. It generates an existing infrastructure on Netbox and have the ability to update it regularly through this service.";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
# We could link directly into pkgs.tzdata, but at least timedatectl seems
# to expect the symlink to point directly to a file in etc.
# Setting the "debian timezone file" to point at /dev/null stops it doing anything.
ExecStart = utils.escapeSystemdExecArgs [
(getExe cfg.package)
"-c"
(settingsFormat.generate "config.yaml" cfg.settings)
];
EnvironmentFile = cfg.environmentFile;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
inherit (cfg) startAt;
};
systemd.timers.netbox-agent.timerConfig.RandomizedDelaySec = cfg.randomizedDelaySec;
};
}

46
modules/dgn-netbox-agent/netbox-agent
View file

@ -1,46 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA NUkF7lh+zUlEhOD+NEPL5g4VZiljYtL9dmRYXwIXuDU
DLAlaC41tFIyuWa0Jj48PhVR+Z3FRv+/XVdxQsZwDSI
-> ssh-ed25519 QlRB9Q OZZomAuABy7/HE+mnxzKX2JKAtPfASCLeovOD8WPiSM
9SzTBIziqCI3geAi5e8GwW5w+my6bTga3exjBFyg9Ek
-> ssh-ed25519 r+nK/Q QPepIFvtYrJmLiCZCB0UkQPeegGwl1YJt4+5KXxhr0c
z1oacvWwv9zY1SoTEXQkCiglRp43Pod0qwId+1gk3ho
-> ssh-rsa krWCLQ
GJRazPf0i2LBvHGMzGxtWcCOAU+ftg893i869ZbunOdOeFHZHip5u0WHdsSYB8cU
pRISjEONpGKbcZHEWNK9BDdEs/a7ysN4Jpl/2jRvqaNH21son2921d7KOLnpxRCx
11UrPn6H6KedDhThGxPUFfZRuW9qePlyLLQo/W6N/y9wLQ1YXvmrvzDKeYsH5uZE
NWdwcTCvkCDIvrc899wTUjDHeMEZ7HXM5sUTF0uCzuURDzXiDU0Fb0DpNckyHp+9
mHV7JnE9hMb3cFKX0ICYWLdxQZ3gBb3GHiY7JWmk2CaYMEGnrFrGVTfXOeYyTRhp
2iTIOvkJ0F7vhSseiJOPdw
-> ssh-ed25519 /vwQcQ 6RGiLik5D+yo5BYVZ6zsTOjAXVU4s+In06SSUwLO20Q
9liiNqGLNu7yMoPN5UOWigj9svMdY6pFZPwyD6ykzxY
-> ssh-ed25519 0R97PA VTD/SyvWPXHXDqe6PztyOyngDeCjC/EvuGk0mdG27y0
+B6MiMt5949O1rsVCU7PETDJ2xrX02cQwaCm65Jvp7w
-> ssh-ed25519 JGx7Ng kAbPiA0jJIr1cx861DHMJDM3dEWH/JErsVT3UheqNHQ
eYTTBPu/h8SrpvDkbuvv4VkNDIuFlMnv46xupUgWKrE
-> ssh-ed25519 5SY7Kg f5D29L5Br9NxZBYeNYuIoLPWeKgdtqEJKgqy/ynKTw0
7ym1s9hyo+Pd9O7kGcseafExd38uER+lOi8t8sP5o5c
-> ssh-ed25519 p/Mg4Q mMMcON4YC9xaNesoNnuhC8AmO8OYOXgXXalJbcbf/iI
ls4IThQ7bZ7hmdZFwNvid+9sBWTQS+pHUkNa1NslmMc
-> ssh-ed25519 DqHxWQ RvGN0POhPDMrr6u9JeOCHp2MN7RUmKsPY9cpZ+k82yI
LozUXuuVtQStR4duamN4HY7Kdiq2IoqRV1LWqU0cyfI
-> ssh-ed25519 tDqJRg LwZ+eTu8EIgV77YnrtXGPSY0aVZJbeJe4ejobtadAUM
vITC+8MrHkmzJ0zMsk9AU+hcc+bwJ/ZPv6JXTuqUltw
-> ssh-ed25519 9pVK7Q oOySxJ2tO7ECQZEJC2UlUErVO4v7mPwIi2zn2FkPHB0
oSw4tQY8492A/XZFsq+lfNowbiiZz2kgKAfJfVJ//jQ
-> ssh-ed25519 /BRpBQ XBfnufkT0rdvt3588w6xuVL5XK7VnLTNG0d+SBZ82mM
jgtG4VDZaq5AI8/RoBp3XjMFsNNT7x7eQbdaLp9ycwU
-> ssh-ed25519 /x+F2Q aUwvBNo9iOYP4RhoH6SYSmSTZ8adGYZQdM+qC3UYnVM
Kv0R/MIrEEamJzs9TLSI6PfbbaOqqKOT0lsZBcNmrXs
-> ssh-ed25519 +MNHsw 1aektirbIrnR6rq0UndczpXzS588bHcYINTJnvdNLyU
he0QY7CWeQ+eGdJ/gqAI1m+pN7GlLeGEivAONt2BLak
-> ssh-ed25519 rHotTw OX9NgiDaBLqRC/DgLceOmZFrljgNfRywPeSAhZNlKG0
0spiVg3+KYwoWONJf8ZaPDN59LImHxlzhypI8awovIw
-> ssh-ed25519 +mFdtQ Qya0JWuy8YhkkWYcJjwedHtVG8OTcplwaFwUfT3gGzM
kaqko1aL2UE9rQbT5JfCJ+QtdBwCVvzNcL49Lk2UJ94
-> ssh-ed25519 0IVRbA Yajfo3uixZ9oJL/BGWzjkaF89moLHCqtgGhAAWc6d3Y
qUz3pemzPRVOp7CNN/S09+56Fj/6bu1NZR0JTNwuIWk
-> ssh-ed25519 IY5FSQ KZGVezKb0D7M7N7ry2BpOb4Vh/RaNQR94JO8imFTvGM
Et8UN82Ortb0nvP749hYrpwHR7CCcJ/cfw4MgchwUBM
--- h/4Bn/fiFPmNZYIDIRv2fQmZdOn6iDouzUf+ejfIdl4
“ÙxŒ û»6ïž—â?Jt°ý†èfü܆{Äf];•a-ì6p+Œi;ìjªÖ…œ<E280A6>®ÏtÊ-¤3¯·Cezrì¼¹î h¾—:œn>j˜¡í»Û <15>ø]eç¿—%þš¬í´Ý‚

46
modules/dgn-netbox-agent/netifaces2.nix Normal file
View file

@ -0,0 +1,46 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
cargo,
rustPlatform,
rustc,
typing-extensions,
}:
buildPythonPackage rec {
pname = "netifaces-2";
version = "0.0.22";
pyproject = true;
src = fetchFromGitHub {
owner = "SamuelYvon";
repo = "netifaces-2";
rev = "V${version}";
hash = "sha256-XO3HWq8FOVzvpbK8mIBOup6hFMnhDpqOK/5bPziPZQ8=";
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-uoUa6DSBuIV3RrE7svT1TVLxPHdx8BFu/C6mbpRmor0=";
};
build-system = [
cargo
rustPlatform.cargoSetupHook
rustPlatform.maturinBuildHook
rustc
];
dependencies = [ typing-extensions ];
pythonImportsCheck = [ "netifaces" ];
meta = {
description = "Netifaces reborn";
homepage = "https://github.com/SamuelYvon/netifaces-2.git";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ ];
};
}

64
modules/dgn-netbox-agent/package.nix Normal file
View file

@ -0,0 +1,64 @@
{
lib,
python3,
fetchgit,
ethtool,
dmidecode,
ipmitool,
lldpd,
lshw,
}:
python3.pkgs.buildPythonApplication {
pname = "netbox-agent";
version = "unstable-2023-03-19";
pyproject = true;
src = fetchgit {
url = "https://git.dgnum.eu/DGNum/netbox-agent";
rev = "424283239658516feb34c0f68496775350b1bf22";
hash = "sha256-sp1QVy8AIezR2LRDDYS9G0g0GQRwGKGmEE7ykITPxtY=";
};
nativeBuildInputs = with python3.pkgs; [
setuptools
wheel
pythonRelaxDepsHook
];
pythonRelaxDeps = true;
propagatedBuildInputs = with python3.pkgs; [
distro
jsonargparse
netaddr
(callPackage ./netifaces2.nix { })
packaging
pynetbox
python-slugify
pyyaml
];
postInstall = ''
wrapProgram $out/bin/netbox_agent \
--prefix PATH ":" ${
lib.makeBinPath [
ethtool
dmidecode
ipmitool
lldpd
lshw
]
}
'';
pythonImportsCheck = [ "netbox_agent" ];
meta = with lib; {
description = "Netbox agent to run on your infrastructure's servers";
homepage = "https://git.dgnum.eu/DGNum/netbox-agent";
license = licenses.asl20;
maintainers = [ ];
mainProgram = "netbox_agent";
};
}

53
modules/dgn-netbox-agent/secrets/netbox-agent Normal file
View file

@ -0,0 +1,53 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA zyp8jIQ/BGlaOe2hCYdO2/jpiCJO/yASFn2v4yxF3XE
tnajUOFI/LeiRRK2+XEmgAhU8PfyerYDPZ3CASAx6uE
-> ssh-ed25519 QlRB9Q GTRAu+AUZ2MJs3ZaZR8GcS8U2xyGR0mx1FB78TmVhik
PmenwNgQQUd6JWgUU1zmJWF+Lek4QwCKc0MzD/iLGUE
-> ssh-ed25519 r+nK/Q 2cOo2pK5KN0keAbW62MaC0/wDysciEZPgY8+3vhx30s
ZmjX2vi9qYOVWtctWcEt95l2kBlZH1uNLFUdUxSHyus
-> ssh-rsa krWCLQ
xNCMgSxO8SA2rQqU14RD2TU5PQyssMlWomoA9VjoT6FsYZleRd7nPeABYqlnzUNj
wWk3obSp3AO+NNscnmFrAijYQl0C+hBBplsgEyQ87j60s0ReAZGaURbrxRJr0dr/
2JBrPtQ7tiSQYRZG9DH6ASUYrlVCB3Vq18OOa+os8PpqyL6Q6pglx0ePY1wx9irG
6qj54LAR34C+uOi620LZuJ3YhZYIp0blmxqrXGeVTY1c7mmELKCdslFpiBvKE5jf
71Lj6ihc5Z5kJxi0vPXMXkuGXtmlIr57dre2XWhynuXq9sLj0KEE0GVQa/vMV3Hd
4/ATD4bbpkzwkfZIlL1LRQ
-> ssh-ed25519 /vwQcQ 63EfH8Eu6Rdyz01sN7yfpaQpxJ2w4VqzQRWMw3AMSAk
bj1CFYkCOcoMtuq/mC+vn9YM8aM9rLClcGo1rpytN7k
-> ssh-ed25519 0R97PA gOIroiigdZxulsng29mz0o3gLYnMb5YjmBOmTd9UvHw
mgvgYedm7U1y5BlRcvPEZhHpPEnczungDuBAEGcJwMw
-> ssh-ed25519 JGx7Ng FeQyBpbGZ2WGztFXBpJ5uYXIPIEJqnf2FedleYRQJUc
SzbinTIdwa1pvc9AZSWj2GRR86hD+SHY63QzBSv4D3I
-> ssh-ed25519 5SY7Kg BgCKJrxjRS8QNCndIfySdq2u+hv3Q7Dg/hToWOE8e3g
/rKzCb9fdZTEwTP1/QW4vn1ewQDn5TtV4Ui3MwChdB8
-> ssh-ed25519 p/Mg4Q ftfpqvy3TuWoq+Hcmt+oYiJ1GhwYvR+GDh3MzVsfv3s
I2dj0FSRGfoBqwSetdKz9NX11zUeHxIizmjctYrmjD8
-> ssh-ed25519 DqHxWQ Zs+uNTp/4plSisoBzUpnvlZXLrbYphYvaeogHCyg4As
hvXMQNPnJK7ZQrkYIyHW07rWd06QkNpiNuL3oUXxoQo
-> ssh-ed25519 tDqJRg hMw/doebsExNtZ9oC1OFrnWOsiPOKh3D76RPfw0If00
p5dxioeIt558deMFrRiTMxYocmP6p8kTk/nzSb5yuPA
-> ssh-ed25519 9pVK7Q mctwqK3IkQdbeajO9mbvejtG85rFXTmFdptrzIzP9Cc
sVG1NKMmTR0Sf60hvPJ4QRypmBT4a6yUZ+gyp/Xf+EQ
-> ssh-ed25519 /BRpBQ C6CjF9H+x1fd2s4sjHw0IzKpNvbnr3H0tnxJdwzrzlQ
gcrSM7NoHqeFdsTAWpO23cfAISile0uVEHu4fBvqwME
-> ssh-ed25519 /x+F2Q t6mrvde1VJP7ARlwQAFOQxg6Uu2+GDDzN8GG/F/C5zA
z3jOcIvHjH4TgiMHqABBU5t9bilBtv5rBKHJLMp9CaA
-> ssh-ed25519 +MNHsw 5FBjw08c8F2wqrJe8KfWdn5bjzYmXXqLpVIozq8c8WE
47oEgYMsl6/JtL1JqOOajHdB22gIdIGhhtcchUK7ZX4
-> ssh-ed25519 rHotTw 4/W5DKJCc18KOcJQ1s4DveOVEjf5oy3HeQF5AThpvFM
vG9LsTXTFk6TLHNDDS3qtirjm7iyZnhN+FM++xU0qGI
-> ssh-ed25519 +mFdtQ bh0b+b2J2dg9hpBVYM3hDUwJOO/xi+dcH41abtVjt2E
NPU1M+fXjOSROEWY73hftAniWUpr0ymbfo8mqZTPC/M
-> ssh-ed25519 0IVRbA ioMW4UYJ+kKlZBdf430FHnbqdw3BcwWSr2RmOHCv+hA
qw0VDAu93LSEZqhs9nRTCMGWsXKjxK65VfkKJbUU5fY
-> ssh-ed25519 IY5FSQ 1aD4KWKITo+88CEwuTKq1QH+Pf5qoOXlI+EY2FX9IG4
KzOGMeIxLypf7S6WeUM4Zr/S/g9HWXHBGcKkgHMLRJc
-> ssh-ed25519 VQSaNw fCt2YDODTAtamSSYH+RNIpWAQ53WPwOeR92rHa89QBE
2KAY4EgfxnNxvQGV4lgoGT+sb4nJV1eE50GHRljngEo
-> x!p-grease Qza ,IU!}' (fMHX0~ m
DGgaSNyr7o+hl8p9viIHBbTdiTdY79TgFsTdM2oBJAqT5P/LkFzg8TYNsH04eReH
dmTu9wjN2OM
--- +/E2Y1+KnzcreXm8DtJE39wR4dVL6vneloVFzK33c8Y
T|ïá+¡ÆTÔŒÄ
vΧ“8»,OÔ¸lžÇ±z)/0­<30>>hkJMèl öÝ®GØßûGÜ>lU¯1Ÿ}€Š¤£T<C2A3>ÞhèÅý,åÎ8Åç%ßÓ¤lQ‰
ëb©,@

0
modules/dgn-netbox-agent/secrets.nix → modules/dgn-netbox-agent/secrets/secrets.nix
View file

92
modules/dgn-notify/mail
View file

@ -1,46 +1,50 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 jIXfPA yR3cPS4s9FfwKAkXOoX1z9noWB76Dtp1GRHwltjHJGI -> ssh-ed25519 jIXfPA zVe/xwQCEtVnX8qWShePzBmhfQbENRMn8XgPzEqb1gY
Xm9BU7AhD4gQtHHhp/10Qf2q9hgk8mus2loreeycxd0 CFa4qXtY8lBlSIxnWVbejVta8BFYmsCtp9TdXXexZYE
-> ssh-ed25519 QlRB9Q t+0hmPXKCm+lNnHzQtBWkenKqnPIxnf3qR05zFdtZww -> ssh-ed25519 QlRB9Q 3EJeDSBkwJU2LaKHygG/a0tfFRXcp8SNJBxyhIOwBDU
djP+WapwpCStUdL1pvpTR4aI6oj6SgookP7fluDLG44 PI63A4YJFC1XTNPbl73SBlUMV25o0ZeojAr8tr5mtlY
-> ssh-ed25519 r+nK/Q BUsgW8EA2lk5i63114kH5G9bQ5uSJrsWBpktXIPIYTo -> ssh-ed25519 r+nK/Q /4HQCHPBBk7lD2mwJOMEmTeRpPGnPgTcL+htNRvkxkk
DuxpBQqYFXq/bdtsezmGLPza+Y9GUMRhIsdF63IY9jc oXLQoX+AK8zn82wsnLHK4BOpK3gn5lThWiFXh8+rxUU
-> ssh-rsa krWCLQ -> ssh-rsa krWCLQ
cyG9NELJZ6kHuXixzqrQgxi9Mi0I7322DsNS+jhAi7igHfc2ta6tNL0qNngmYaHI ox5TBB9buXII2U32S/XpQVdr3r87p9lt/7WwELq//ik7vf4B6mZPbYvIV05JZ5bO
+eAO3+IPH4g8pd1tuP+YpRjvBAz0guPCOKMoDdHBDDkC3qTDr91D1zsZ7I/EgGa8 4f5khDdw+q1bbniDCBH2aPKM0ni3wBdLkT3jwdQBL5imSQuly/cFMdvVwSTuwN9k
0YXbHziCqlwo3W49rz+0lKBsz1gOH2UMrsEh6ZmFysvxiHdVxSwOkfqwmNpRMmiv 8smSavsUYK5q5xgE49oMYJBAhNVGFI7NKlx7/a3VaVybsLAnzp3AeWy1o5BB1fKT
zLjDmTSosP1DUEvd8ljHy/KFVgvoxGx6DB39vqg4+IaL62pkblbO+b0dj1rhxq9u 7Emt88ht4lymL/gyxSMLT5Dreb5Sm+AcE+gYAK92OnX4Z1k8FqETppTKZDuoZUmv
iyOSc4G9laEB+umrvIhzbs+9r6tVwFqTIeauaNuKykhkWwq+3e3HYsUEzomMoxwE hJPpylXw7/YJU7Q0CluwtcGWFaTuE6AT0IrlCdY3NuMGA9IfpVsZr1kocdq2qB02
EhGpDVfVw/Tf9zUkfuBNdA 90/yy51Ulwhfhiy1/3mlfw
-> ssh-ed25519 /vwQcQ 71hXw3fsK7gvQNzNzHgJYXWVlQTkx7xvSKkZldoyNy4 -> ssh-ed25519 /vwQcQ SGCKP+4m5p9SiYnU3vL0QaKp/3+yztZ0snZ6os+mUAo
+HgmrnLrK+k/j/Fkn/e/pXfAMpuQz72hSmx8p8dN7ts ZEVgV6jo7tRdM1KxQJ2UJRDEYaiQy9PYzaeSAstHYFQ
-> ssh-ed25519 0R97PA hm9JuJDRq7J3unX6vHPuM15FKV+C4ClETXkUIJcs9iI -> ssh-ed25519 0R97PA Bblz2DxUIBovbFqHhwGSRrs3Hbc1vNMtn8SK976YYAU
8zSV49d5JBojuvB4ob1/5l9oAnmIEF7qI+fum1Ypbic FtEsqOUChH+uzFuTsATraNyyJXXdkesmbe8T+LeK9nU
-> ssh-ed25519 JGx7Ng jFGivHErkaUGpxIdgOmzbZDihBKDLjgy6pd9QxdpEUk -> ssh-ed25519 JGx7Ng 3umTe7hK60ghA4fXbapBRjjJ9K6hXLfV5kQrBzwsmS8
U/GQwv6YZCqpVmBy05NPOn3Iy3S07hKz4+5uCfUzhM8 oRBFSJsVStw2ul6JxdJuan18GriwYF+d8asKXnWDpZA
-> ssh-ed25519 5SY7Kg 5wLPRuunyDGAeh/cF46X24rQwlqoDbSkEowNE0Rz8BI -> ssh-ed25519 5SY7Kg Ft714PG5dVVJWHu0aJh+wdT04vSb/vlDVsWmUhdjUXw
qoriKBAeOA98oQEyaCICP1VyrOMxwsiWJRQ8oMFlFaM qY7OJduSibFheBQOrGnSFUOhou/WyyY/M5tAYGvaTJI
-> ssh-ed25519 p/Mg4Q /lA5xli1c/nsYVsiGzbZg5QNpuTF/wVG0ByyWcoZQWM -> ssh-ed25519 p/Mg4Q u6ES8PpiDb1OY97sMQ/kL6sTIjBhDk1aqoIEd0I5BgA
ikGP4kX1kxFyn/gui2H2YUgA7ph4N+j1ZZLIZp8RGe8 pbX1Wk+5aTbf5rU2JM0rf4SR/fJGLKcDcqLF1yDXbiE
-> ssh-ed25519 DqHxWQ sPPbe/HX+ZMvTzP+IGYZlqUzGWdrw+5Fq+JenoxnMUI -> ssh-ed25519 DqHxWQ n8qHGzdwY1RfajPN+oZV0Ps44rqbW5tcUFSSPbyZmAw
tel2fWk2B4To5KtdvS6vlQIAVvN+MeOHlBLMZpmaABQ EAK0hA/94/ZxBz0iNaTl2RlpswiO+2eIWugozHrZZfw
-> ssh-ed25519 tDqJRg /kVkNfR+SNGS6iOs185A5XwApB9DjjD4kIPnfka3IzA -> ssh-ed25519 tDqJRg RAEIORbyHLRNkm+mFsq07E1uzbEEIBQ3eG+kpyXLLG0
0h/svIu2/MCs1/i/X0qhGad59r8lJA+k16Luh/qN67M 1S7gL5WgXiFZxgH6kSp1zANafDTEKsC4Wo4kT8oB7b8
-> ssh-ed25519 9pVK7Q wRzALhF6YWQBaxqtZoaPNtLAWXUcGhdeEorWXXWDRiY -> ssh-ed25519 9pVK7Q p7tGHwbC3CWap6feMXq2twGHkyszLP0EKwhW4McAoj4
4ivHOIPeXs7YQoiKn0nEK2Q82PxDoulCrfVZhguOayc 7F0zZEON8H2H+v0XRCOiYeUuhJBRUVkFoEP+Cz4vHZo
-> ssh-ed25519 /BRpBQ dUJdnbTI/Rq2CkAlHnPDfSajTW93rLL4X6vJDgrGO08 -> ssh-ed25519 /BRpBQ stXNcOvGwPBPz8TtLhQUVgpcvu4BtfUACAZtrEI0eGY
6itr9WBj0EiuKdyRuRM+4i+c+6DiFyBYI+COkvvPDSA FN2yFmvc3GhMGNTUCT+XMr1qsfLvmjHIkYoi5B3MDsE
-> ssh-ed25519 /x+F2Q biQXbA1oZ3ujAw6Pwh5P4iUGNiFYI+R3r7KJrsikuQ4 -> ssh-ed25519 /x+F2Q fmGbMAGFJbjR0zVdJqsigKQ28nbDq8Zx1FsgviLWqHc
QZcrNLEbpki6KDW33TwVt84TwT58g6qcSlluZ5J0i1I +v09rkeHZTvFQLaXfOnFaZMBc2G2BD5dXWYg/Nlx2Og
-> ssh-ed25519 +MNHsw vOgZMXC+tHWRVRpGwYxrR5C1Nrh0fCkRoNOjgTJHgHc -> ssh-ed25519 +MNHsw KqIxZ4L1aoqLevCwx6Zp0jBHfTOU7WdrE0UN56/xARE
dj0m2fbl4V2MUR8Uri4evfWolPoBKf5Rfg/0FjGmntc OwQ2/WUEfl/oXxfbv5rlLu4OOdrACzPfSS6HfcLpi60
-> ssh-ed25519 rHotTw wgphy9glZhVqnF+idQDFJ8crMbhuXnGcCU9iVT0dEgc -> ssh-ed25519 rHotTw hwCwUHi/xbAQaWt26kOn3/QSP0m0ZKRdIYs55TDMLSM
sFoc7VjZHDMCBTJJ/fBvcVVxl72EcHeur8SSjeH26E0 DCvnBearzyPQ6ErYuawsyobpMsD9SSEhkVmFKyp5jUI
-> ssh-ed25519 +mFdtQ pehvyrKd9oYpA5VWwN6DOJckooAMkpm7wSEAuVMjkRg -> ssh-ed25519 +mFdtQ ZlEsxLPDfy29aIQ9eNsRkZCHSeRmX8+GsuGtikQF4ms
oPWQRFBSLKU0Ic6+qudFzxnM3wggL4Y86zqWxc2p7kY n1N2xQb4oRWaJgLtrXMFasc8u516e1M4Q/qLNLA0e0A
-> ssh-ed25519 0IVRbA iSgsYBbpWlAgUAGM9JNRqoZTOuEP3NMdmrKDReCXfSs -> ssh-ed25519 0IVRbA keVcQ4Vx3Avd97N89nUklRnGMABBenHIi+aufVoTABU
Z+zHgn96/09FqhyJZmpCZBB4BHDE6P6/j8avd39I68k yrsC1OitS6sqbUsaIaWeU8vYGOQm9afFfc6DprB8Whc
-> ssh-ed25519 IY5FSQ qQOXJr6TkdwfGFgVe58QqpNjV1uzUPzuV6Vbc5jhnlg -> ssh-ed25519 IY5FSQ npdYCAEfVSpuDNMZnWS469BgvivTKHRKtEAtxmxDZl8
fdfonQACyNyJb4q5CgtTArqD4Ht6Cz/W+FWG+nNevvs gOB1vpBO8ZqtLVwxCj8V/KrWgnYmZGn5QQJzMhiHH4A
--- F7Ci+t2UpR0PkulLA9cJOjoTXO2GxjmPNX+Go2L9qB8 -> ssh-ed25519 VQSaNw S3dSnOPVQdMcz1dJYai0DvZATuMBDsG/+a0sJBDc/iE
Ä<š×]´­D ìÕ¡²À÷HÇ©ßA°&EàÙ¡°V 0ýxRŠÜEÚáб¦R¾eA#üÌ/{`Ø5. Q1gl1nIpDESMvTBX03i4lStAtdWqlTkVABHZ3cqocDE
-> t-grease bvZAq
NTQBWWf5UW4zsTEEt7rgmTv+B2rFIk/8WwQPrC/s59Ik
--- 46n57xU0XlDQgUM0vIYveqDifz57FrTcRwCEpoh62+4
[07Æ~Þ3dïálÃÅô!fãš4ÐHßA‡íœ÷<C593>9 ×ò@d»BÌ&½L‰{aãþm…X2ãD‰Å ´

92
modules/dgn-records/__arkheon-token_file
View file

@ -1,46 +1,50 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 jIXfPA sHMGZvBA3KQ+vgyPRvthm7RrZv+cpA8rVaLMG11tWzc -> ssh-ed25519 jIXfPA YaucboAId6lgc1Y/jV6hLyovkJQnMBnKhJ2QWAci53U
wb74jb8YFbu4hTaKECNpaCV5besptdBoXXstKd+eLTI Q8RUPu4GUC5QbzTROgL9xaG3BUWO1QU/q1p0/yimBQ0
-> ssh-ed25519 QlRB9Q RILFFiLngUvfSPOmw6ZLmFLVyIIQqzib7LTV8hZP/w4 -> ssh-ed25519 QlRB9Q y1tbd/81NoECRtKwOw41Tlls5y+WSu2jGmeOlC939VM
na6S3iWEs3cxff30X59wD0SUNEP0/9LcuCyCUi7wgxg DT1zZgWJkkIWRWxzfu4VgiGpV8CioaDKnVemowH59N4
-> ssh-ed25519 r+nK/Q Mtrr3NKJG1MBw150IZK1ZTKCglktIK8mV2M7FiLz9EQ -> ssh-ed25519 r+nK/Q dDmGkZ3Y7xAzZGKvGIyIdhD+P0tkV6SMPx3UxphoTXo
zEEJwKeucMsZePFTZF/Cxfcuqn7KiSoBmBnNVKX1jAY tkanRbPfu3/cuMPoTrcWBlNcu6RmK+txif+9aIRLy+s
-> ssh-rsa krWCLQ -> ssh-rsa krWCLQ
r3OX+AaSGO0zLoEAvAo3UrtWwU/Vjyfdp+qy4haB3tpl305I6Y6O6n2iHnc1PFgw IZGpFoWjQuQzqkS2KbpVr+fP7NLPhyaxS4yQroVEkPEZnXx2c6eH3ul218zytZld
qQ7Sa0GekbxNcwD7MzAmKbsm9wmnrF2hX03gFDI5isEPxaLC6ha207Ykauc2q1JC YRBCxiCtV6VfOB2N2QGuiK7YCGl6oUfN1DePy0jPrGKsnvWBitTuqzADiGQB7aSI
/SOZ/OUiizBUuO5OjywYz2AJUfEabmd+X1fw5QxAPSfp57KBZDJCGSpEDeJigU7M ie7GgblPpi4q3ovJPgf7Bs+Mi2dKW5hiD8Jnped7rEW7SEnESkQa3Cx22Ww/UYcW
1n1XsT6eCyNDIIozRzIIyxLZU+tDDswjvjCaDJ/t2BE76LienwMRZK4P4tSn8DQP 9Uj7ZaDVVbP0ZWyc41HdoJwEnV6MYMRnXUJ/qrLMCIvRaYk8UdiCDgco+XxqAnbs
Jbm7bb5T2P1VAK4qIMP04DXQ861Kr2DvpLA/aPtHd9yMcZn5wQWMCVDgsL3ko0fU iyUqCvz8iVNsWbJxK+7jJHXp0dQJRciHzSGStIVRSGx4gvuXOGjsuBMjfwoq1XoR
VThQwBW4qe59CCxA68TUcQ 5PE3BnP/atHZg3CkQcC2eA
-> ssh-ed25519 /vwQcQ KYM+4CPxNwxwh3liBBJYIqlWzpDO3h/dl54rEKQXGHU -> ssh-ed25519 /vwQcQ WL0PdIIsSWzw+ar2QNXCp7Xs1NH9gUk2fSPskGC9o2I
uteNJEqwLKUC3Gjm0BiRmb3uLb3bzRfpf3c1Da3vGjY +kHedFsYHgpsGfILtywJaIrTRj8HtHZvVyhtbRhKYC0
-> ssh-ed25519 0R97PA Sc9QAI4UNY6x0fZAoQOpUjzFzwev196x+7fjeIry3AU -> ssh-ed25519 0R97PA +G7wUHF6NJimsAxe6M9RVVTa3GLPoW1bhsgMsWXKNC8
puUi8W0jCbMW3cN7PjoDM+vXnHjdQ2RLfX0kdpsaWhI i++lKoe8hFFb1rilkO9lcwBJujRqFsLGDOPvbaiz6Nw
-> ssh-ed25519 JGx7Ng LzO5qvnVWhF3+cR4J3nJv9IB55/FYKillkJ2jKadfQA -> ssh-ed25519 JGx7Ng o66YGXN0uMC2qZo1tVcEMOa4SwxNZaf4HvnGsgzlqjo
r3F+FKdpoKTB0/e5Vz5JFh9u8BKBOjn9XXE4dJEriuw Tc4KMMrnJbybrNIkhEJz42PVHc3fVMFFSs96lKsEKCA
-> ssh-ed25519 5SY7Kg Uz/EgMgi0ACJStIvz06efUQpeU6VAuXVj+Veki0LkXA -> ssh-ed25519 5SY7Kg P8Xp9wVJDcPdj3uSiq0yLnLMDInMeFs6XX30VwlXWlg
ukCkNIQMYbZBCBfd5R5dKWJwOcIKHzS9HN9CNk5iSF4 uJfxXOZl8EX8fjRsHZ61JMKFpYksZJucZwVaRJs7qW8
-> ssh-ed25519 p/Mg4Q 9+IsF8fUNcQhRxRddI6WQyKP8Ky0HV4jAUvS0ySDDwM -> ssh-ed25519 p/Mg4Q yUyxue7Oda0b+CjdF9VfUCliWyzXNOsVPH7OFoHzWCw
7WamT/OA2Os6uE/hKzWkfjlwOKQpZ6j+fcgkvsk6wCY +zi+TSojvSc+VDXZG8XXSsTezxKRNC2XHc/hGGv4baM
-> ssh-ed25519 DqHxWQ WndaDm+ApRfFj+KL5cJgJqwaZXUYrXHpQ6AxDtGb5FY -> ssh-ed25519 DqHxWQ 7Vnq/xidbguw/PkZPUOTHUBTe8/x4PvTjCusUe10jio
u5RHgWaY28QfA3jsD54PLR50Jl5KQyVpPv4CFhLPiYI 7Sl1MptpElvEA9VUj7JiVGuEWC0F3aA2rgYvfIchOB0
-> ssh-ed25519 tDqJRg Wgx7QpoPeendwBsWB+jAN5K+1uhxPsEHMugOPeC+Ono -> ssh-ed25519 tDqJRg udOCDV4/vszObNxcQhJ6iGiDkxgZlrBDyKt3MbibMx4
CRWVWTQB2eCVSKAwIzNNaWefAmniVtF5hu8xYeTGF0Q CDDd0LNCCdYvEww/h8q2z4f5QtjnL+kJsnPFtlbiD28
-> ssh-ed25519 9pVK7Q kB5gWwwNNcCnjN5+1j7alWzqEgYMDQ3IvA8/0ltfLwo -> ssh-ed25519 9pVK7Q DXqkIewHGpUUDtL2ivAoFwY/HCjoQXjxoHGPGkuFfH0
Tp7n6v/s4swKjOqEDKEKhM8agghKEvaz+zymG+b72f8 JZ7xC2kdtnRNq8WADL2SNw/Ukezu1s4TuUbQnbP8L4o
-> ssh-ed25519 /BRpBQ 6B5ODsRsRx8EIOrzBnAAw1bYsAQMvssSC1xxbAh+bGE -> ssh-ed25519 /BRpBQ 9j1+wzO733ej03ra8LQOkpOyvY63UCbO9sfT6bV6+zs
Xmhe74XTMwfcGvk620XixhR/6GtOt2fynSMdJ7riZxs 2F0UjpAqgCK5JS0y0kkHX30EV8JCcjhnJ1NkW06ww4w
-> ssh-ed25519 /x+F2Q /idVQW3v18G3e++zLmmcpZTvSW6YTfYKYX0xalx3DTU -> ssh-ed25519 /x+F2Q wYchtMn7MCGllfiFwTrycdLEY3dl297ns26PHs7l320
ybNKGMgW5ChQU2HXHfM0Od6GWC+HRKDemibhzi+NCA4 feRd57Z5k6iJ71JRHud0wyYWo3O56q4rrYZt5y3aoqA
-> ssh-ed25519 +MNHsw +5EkjYR0CD0tF3jazvyz6WtzIG+84czuEsGzPmucOVI -> ssh-ed25519 +MNHsw FHfvx1FQWcsRlKrFF0SRcVZ+XG6LXBwIMcPCVeu/ZCg
AqBXlugxP84nJ9jK1dPWWRJAAAzZjKl0RKd1+aXeIJg w9fZGhZpEJHlf8JPcbWcNoAO9S06hi15LZxkv1dJUWk
-> ssh-ed25519 rHotTw IzGcfj5jNooeVt7+iJwnxUfka95NVEtE9dStQUt+gCE -> ssh-ed25519 rHotTw QDcThfb0AJMQBfQDbbtqm6z7BGxC4/sBioprElUTXFA
+lrjFHAgNOxI4JS6tGXcDSnbdn6/qwt2tI2WdVX2tO4 2JOFoMLcVhMoGzZDDNOTL3PBWsqVnrFx8o/W/cWuzl0
-> ssh-ed25519 +mFdtQ AieFjWmv27LvUbZXCBEqmvfTQM7SLXL12qIOzZLxdi8 -> ssh-ed25519 +mFdtQ tWg17VH1Q4gQj/1IK9yrxjw4kRPzsp4dDHFwDKYxvDE
s0qzhUO2FDqr/w8B4cbnX8NuXfZM+nv4gj6SF0DreCY 9H4ohD3XN4Xtk15SsZQf5k0db+yIVcWp4EV5jKsZgHI
-> ssh-ed25519 0IVRbA +S10pCaLByp+UrfbZXIIhMvUW79NPSSr5qHbm8Q8nxY -> ssh-ed25519 0IVRbA rkMPsBgVEaiYtaBN5JzHNCPFYFKr/7dqoY+RX19+03o
fLU4Shu/luX9gLrJDM8rY+HRpHuuLKJAz0BSiLfXkj8 baQK5t5sG8WabaCuMTZ2ZIfMTRH0jQU4l7JEyJ6H+LU
-> ssh-ed25519 IY5FSQ FJGXPcN7XjZTl3zc8iLSmc2IfhHx/xqIqnNz7j0dXGg -> ssh-ed25519 IY5FSQ c1+2+CMJFMw/iF2XNx5ma28KhwdKKQ9dNC1nBvFz/B0
D99jvNKh7yzafKB9qzOX6xNjhf3WS4bYBcc91dVX6Ow 3AE1FQq+//dNIQfuW9BHcpfNbGn724Ydq7aJc95KmmY
--- USWnD/9XEj6tW0aHMZiVK1Guf43b/8wWcsafnVT0+h4 -> ssh-ed25519 VQSaNw t9yLak0T7FO8hgGrPWFeR3Jw0D6cPxjR5LOIcMnAmgo
RqÏHª,XHs8ÌÛÔtAbAGI<47>áΤÂ,åÖÝ¥¿è:<G=bFb†ÀTGSGäÊÙ _ ˜ 869SBp0nM5v/9+Xjib6rkmmelhTBfXcyuHiAXh08AWo
-> r32t]I\-grease ka<*
nkxH0w1aQ64
--- LlTR5EcQzCLJ5trkQcomW0+soQoec/IZZNW+g5dyOo0
M"ÏLm“õh]ñÖa£uq±ýÏ4ßÏ+ö“9;ФˆÇ-Z±L»¯H0o1»Eâ<>

14
modules/dgn-records/default.nix
View file

@ -1,6 +1,17 @@
{ config, ... }: { config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.dgn-records;
in
{ {
options.dgn-records.enable = mkEnableOption "Arkheon deployment recording." // {
default = true;
};
config = mkIf cfg.enable {
services.arkheon.record = { services.arkheon.record = {
enable = true; enable = true;
@ -10,4 +21,5 @@
}; };
age-secrets.sources = [ ./. ]; age-secrets.sources = [ ./. ];
};
} }

122
modules/dgn-web.nix
View file

@ -1,19 +1,139 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkEnableOption mkIf; inherit (lib)
attrsToList
concatStringsSep
filterAttrs
getAttr
mapAttrs
mapAttrs'
mkEnableOption
mkIf
mkOption
nameValuePair
recursiveUpdate
;
inherit (lib.types)
attrs
attrsOf
bool
port
str
submodule
;
cfg = config.dgn-web; cfg = config.dgn-web;
in in
{ {
options.dgn-web = { options.dgn-web = {
enable = mkEnableOption "sane defaults for web services."; enable = mkEnableOption "sane defaults for web services.";
internalPorts = mkOption {
type = attrsOf port;
default = { };
description = ''
Map from the web services to their internal ports, it should avoid port clashes.
'';
};
simpleProxies = mkOption {
type = attrsOf (submodule {
options = {
port = mkOption {
type = port;
description = ''
Port where the service will listen.
'';
};
host = mkOption {
type = str;
description = ''
Hostname of the service.
'';
};
proxyWebsockets = mkOption {
type = bool;
default = false;
description = ''
Whether to support proxying websocket connections with HTTP/1.1.
'';
};
vhostConfig = mkOption {
type = attrs;
default = { };
description = ''
Additional virtualHost settings.
'';
};
};
});
default = { };
description = ''
A set of simple localhost redirections.
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [
(
let
duplicates = builtins.attrValues (
builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
filterAttrs (_: ls: builtins.length ls != 1) (
builtins.foldl' (
rev:
{ name, value }:
let
str = builtins.toString value;
in
rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
) { } (attrsToList cfg.internalPorts)
)
)
);
in
{
assertion = duplicates == [ ];
message = ''
Internal ports cannot be used for multiple services, the clashes are:
${concatStringsSep "\n " duplicates}
'';
}
)
];
dgn-web.internalPorts = mapAttrs (_: getAttr "port") cfg.simpleProxies;
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = mapAttrs' (
_:
{
host,
port,
proxyWebsockets,
vhostConfig,
}:
nameValuePair host (
recursiveUpdate {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
inherit proxyWebsockets;
};
} vhostConfig
)
) cfg.simpleProxies;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;

92
npins/sources.json
View file

@ -45,9 +45,9 @@
"url": "https://git.dgnum.eu/DGNum/dgsi.git" "url": "https://git.dgnum.eu/DGNum/dgsi.git"
}, },
"branch": "main", "branch": "main",
"revision": "f6fcd90622151e116adedb41f53da0445f1ee387", "revision": "24f825c1dd34a3948cce7d39c19623ecf948ffa7",
"url": null, "url": null,
"hash": "1rrm4j142h2dkphya34hg341xhklrdvqim35jy6g0152a7y1nkk4" "hash": "0b1pmfzckdbha9j7bvnkvqccf62dqyll8ip6mrdm90m0y8kdkzvg"
}, },
"disko": { "disko": {
"type": "GitRelease", "type": "GitRelease",
@ -59,10 +59,10 @@
"pre_releases": false, "pre_releases": false,
"version_upper_bound": null, "version_upper_bound": null,
"release_prefix": null, "release_prefix": null,
"version": "v1.8.0", "version": "v1.9.0",
"revision": "624fd86460e482017ed9c3c3c55a3758c06a4e7f", "revision": "49a4936cee640e27d74baee6fd1278285d29b100",
"url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.0", "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
"hash": "06ifryv6rw25cz8zda4isczajdgrvcl3aqr145p8njxx5jya2d77" "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
}, },
"dns.nix": { "dns.nix": {
"type": "GitRelease", "type": "GitRelease",
@ -87,9 +87,9 @@
"repo": "git-hooks.nix" "repo": "git-hooks.nix"
}, },
"branch": "master", "branch": "master",
"revision": "1211305a5b237771e13fcca0c51e60ad47326a9a", "revision": "3308484d1a443fc5bc92012435d79e80458fe43c",
"url": "https://github.com/cachix/git-hooks.nix/archive/1211305a5b237771e13fcca0c51e60ad47326a9a.tar.gz", "url": "https://github.com/cachix/git-hooks.nix/archive/3308484d1a443fc5bc92012435d79e80458fe43c.tar.gz",
"hash": "1qz8d9g7rhwjk4p2x0rx59alsf0dpjrb6kpzs681gi3rjr685ivq" "hash": "0qdhcqisil8zhnf600y0vpa1mayrca8z2bja79p4j5vajy7dnx4s"
}, },
"kadenios": { "kadenios": {
"type": "Git", "type": "Git",
@ -144,9 +144,9 @@
"url": "https://git.lix.systems/lix-project/lix.git" "url": "https://git.lix.systems/lix-project/lix.git"
}, },
"branch": "main", "branch": "main",
"revision": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6", "revision": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
"url": null, "url": null,
"hash": "05kxga8fs9h4qm0yvp5l7jvsda7hzqs7rvxcn8r52dqg3c80hva9" "hash": "10mfry8k0jab4ngnhvx9d7ia8m7qf4va4395ylwg3qlsxziqvc8z"
}, },
"lix-module": { "lix-module": {
"type": "Git", "type": "Git",
@ -155,9 +155,9 @@
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
}, },
"branch": "main", "branch": "main",
"revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d", "revision": "aa2846680fa9a2032939d720487942567fd9eb63",
"url": null, "url": null,
"hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f" "hash": "0gb174800sgh6y6sir23nxsx85xrk478hbwqbzyd46ac34clz9wz"
}, },
"lon": { "lon": {
"type": "Git", "type": "Git",
@ -178,9 +178,9 @@
"url": "https://git.dgnum.eu/DGNum/metis" "url": "https://git.dgnum.eu/DGNum/metis"
}, },
"branch": "master", "branch": "master",
"revision": "9eaa1f289751b6b62f700e8e0e0ddbfbaa98c021", "revision": "ed6fafda45d638b1bafd5deaee098b80156b41e8",
"url": null, "url": null,
"hash": "0m9il1lllw59a6l9vwfi1bika7g4pxs20clc48kklpflnk0scb1f" "hash": "086spyhn2x1x2h31b0y4an501fdhph1nk64riybqnh6mqjkzlq4m"
}, },
"microvm.nix": { "microvm.nix": {
"type": "Git", "type": "Git",
@ -194,6 +194,20 @@
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz", "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy" "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
}, },
"nix-actions": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/nix-actions.git"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v0.2.2",
"revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
"url": null,
"hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
},
"nix-modules": { "nix-modules": {
"type": "Git", "type": "Git",
"repository": { "repository": {
@ -201,9 +215,9 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git" "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
}, },
"branch": "main", "branch": "main",
"revision": "2fd7c7810b2a901020ddd2d0cc82810b83a313fc", "revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361",
"url": null, "url": null,
"hash": "0rag870ll745r5isnk6hlxv0b0sbgriba5k6nihahcwsal2f4830" "hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn"
}, },
"nix-patches": { "nix-patches": {
"type": "GitRelease", "type": "GitRelease",
@ -226,21 +240,15 @@
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
}, },
"branch": "main", "branch": "main",
"revision": "3e731378f3984313ef902c5e5a49e002e6e2c27e", "revision": "fe54340f49449f01c2ee489abf7016d97706eb59",
"url": null, "url": null,
"hash": "1vy2dj9fyy653w6idvi1r73s0nd2a332a1xkppddjip6rk0i030p" "hash": "1sv9nqhzcqn8anqfgf63i2j5qcqzyy4vl0a45rvllv7rhbhw9adq"
},
"nixos-23.11": {
"type": "Channel",
"name": "nixos-23.11",
"url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.7870.205fd4226592/nixexprs.tar.xz",
"hash": "1mbp7jydzxqgv9w3a8fqggq1x8h3cd0vh9wafri5pls52ngyww47"
}, },
"nixos-24.05": { "nixos-24.05": {
"type": "Channel", "type": "Channel",
"name": "nixos-24.05", "name": "nixos-24.05",
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5518.ecbc1ca8ffd6/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
"hash": "1yr2v17d8jg9567rvadv62bpr6i47fp73by2454yjxh1m9ric2cm" "hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
}, },
"nixos-generators": { "nixos-generators": {
"type": "Git", "type": "Git",
@ -250,21 +258,21 @@
"repo": "nixos-generators" "repo": "nixos-generators"
}, },
"branch": "master", "branch": "master",
"revision": "9ae128172f823956e54947fe471bc6dfa670ecb4", "revision": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
"url": "https://github.com/nix-community/nixos-generators/archive/9ae128172f823956e54947fe471bc6dfa670ecb4.tar.gz", "url": "https://github.com/nix-community/nixos-generators/archive/3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c.tar.gz",
"hash": "1zn3lykymimzh21q4fixw6ql42n8j82dqwm5axifhcnl8dsdgrvr" "hash": "12v6lxls3bfkj20rwxy62l8g6zlkhsp29m6wd7764j1wwfwjk274"
}, },
"nixos-unstable": { "nixos-unstable": {
"type": "Channel", "type": "Channel",
"name": "nixos-unstable", "name": "nixos-unstable",
"url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre688563.bc947f541ae5/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta710087.23e89b7da85c/nixexprs.tar.xz",
"hash": "1jsaxwi128fiach3dj8rdj5agqivsr4sidb8lmdnl7g07fl9x0kj" "hash": "0b695yx17sarr7d3ypb9z6njd0qhiga1682wjxidl053lvx6g33b"
}, },
"nixpkgs": { "nixpkgs": {
"type": "Channel", "type": "Channel",
"name": "nixpkgs-unstable", "name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre689466.7d49afd36b55/nixexprs.tar.xz", "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
"hash": "0r4zb6j8in4dk7gxciapfm49dqbdd0c7ajjzj9iy2xrrj5aj32qp" "hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
}, },
"proxmox-nixos": { "proxmox-nixos": {
"type": "Git", "type": "Git",
@ -274,9 +282,9 @@
"repo": "proxmox-nixos" "repo": "proxmox-nixos"
}, },
"branch": "main", "branch": "main",
"revision": "7869ffc2e0db36f314fb60f1ab0087b760700b00", "revision": "c6a126238e8f8efc3660b523d314a0074e61fe44",
"url": "https://github.com/SaumonNet/proxmox-nixos/archive/7869ffc2e0db36f314fb60f1ab0087b760700b00.tar.gz", "url": "https://github.com/SaumonNet/proxmox-nixos/archive/c6a126238e8f8efc3660b523d314a0074e61fe44.tar.gz",
"hash": "0cam36s3ar366y41rvihjqghkdjl9a1n1wzym8p2mkar1r9x7haj" "hash": "0apinc8iiqsjazlj3nh75m4w5f93fd53xs4nj1s06qay4nq1h49w"
}, },
"signal-irc-bridge": { "signal-irc-bridge": {
"type": "Git", "type": "Git",
@ -296,9 +304,9 @@
"url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma" "url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma"
}, },
"branch": "master", "branch": "master",
"revision": "390363e6a977d71a96c53d7f8b252038dfee2e2e", "revision": "880f444ff7862d6127b051cf1a993ad1585b1652",
"url": null, "url": null,
"hash": "11vvfxw2sznc155x0xlgl00g6n9sr90xa0b1hr14vchg7gkz46r5" "hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
}, },
"wp4nix": { "wp4nix": {
"type": "Git", "type": "Git",
@ -308,9 +316,9 @@
"server": "https://git.helsinki.tools/" "server": "https://git.helsinki.tools/"
}, },
"branch": "master", "branch": "master",
"revision": "4c47608f349dd45e4895e1f61f19ad9e8dfcc0bf", "revision": "cce6f7961eb99fd56a039623c4d9e561d9a98928",
"url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=4c47608f349dd45e4895e1f61f19ad9e8dfcc0bf", "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=cce6f7961eb99fd56a039623c4d9e561d9a98928",
"hash": "1pnjhbljihf2ras9lbp1f6izzxghccfygkkf2ikkahjr1vbicdbq" "hash": "0ggqc92mh4xbsrrdv8j0jl6f3cagwizd93sdl8p8mqpxv9445xrf"
} }
}, },
"version": 3 "version": 3

21
patches/05-netbird-relay.patch Normal file
View file

@ -0,0 +1,21 @@
diff --git a/pkgs/tools/networking/netbird/default.nix b/pkgs/tools/networking/netbird/default.nix
index 07a1e906dad3..d5799446628b 100644
--- a/pkgs/tools/networking/netbird/default.nix
+++ b/pkgs/tools/networking/netbird/default.nix
@@ -26,6 +26,7 @@ let
} else {
client = "netbird";
management = "netbird-mgmt";
+ relay = "netbird-relay";
signal = "netbird-signal";
};
in
@@ -82,7 +83,7 @@ buildGoModule rec {
(lib.mapAttrsToList
(module: binary: ''
mv $out/bin/${lib.last (lib.splitString "/" module)} $out/bin/${binary}
- '' + lib.optionalString (!ui) ''
+ '' + lib.optionalString (!ui && module != "relay") ''
installShellCompletion --cmd ${binary} \
--bash <($out/bin/${binary} completion bash) \
--fish <($out/bin/${binary} completion fish) \

54
patches/05-pmnos-correctness-build-directory.patch
View file

@ -1,54 +0,0 @@
From 4d6e57d2d577cc105c9e0cd397408e9e3ce85cd0 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Tue, 8 Oct 2024 16:33:14 +0200
Subject: [PATCH] fix(packaging): correctness of the build top directory
It was using /build which is an implementation detail and not
guaranteed.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
pkgs/pve-container/default.nix | 6 +++---
pkgs/pve-rs/default.nix | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkgs/pve-container/default.nix b/pkgs/pve-container/default.nix
index 445c271..5633c0f 100644
--- a/pkgs/pve-container/default.nix
+++ b/pkgs/pve-container/default.nix
@@ -30,7 +30,7 @@ perl536.pkgs.toPerlModule (
postPatch = ''
sed -i Makefile \
-e "s/pct.1 pct.conf.5 pct.bash-completion pct.zsh-completion //" \
- -e "s,/usr/share/lxc,/build/lxc," \
+ -e "s,/usr/share/lxc,$NIX_BUILD_TOP/lxc," \
-e "/pve-doc-generator/d" \
-e "/PVE_GENERATING_DOCS/d" \
-e "/SERVICEDIR/d" \
@@ -45,8 +45,8 @@ perl536.pkgs.toPerlModule (
dontPatchShebangs = true;
postConfigure = ''
- cp -r ${lxc}/share/lxc /build
- chmod -R +w /build/lxc
+ cp -r ${lxc}/share/lxc $NIX_BUILD_TOP/
+ chmod -R +w $NIX_BUILD_TOP/lxc
'';
makeFlags = [
diff --git a/pkgs/pve-rs/default.nix b/pkgs/pve-rs/default.nix
index c024287..881beab 100644
--- a/pkgs/pve-rs/default.nix
+++ b/pkgs/pve-rs/default.nix
@@ -57,7 +57,7 @@ perl536.pkgs.toPerlModule (
];
makeFlags = [
- "BUILDIR=/build"
+ "BUILDIR=$NIX_BUILD_TOP"
"BUILD_MODE=release"
"DESTDIR=$(out)"
"GITVERSION:=${src.rev}"
--
2.46.0

70
patches/06-netbox-qrcode.patch Normal file
View file

@ -0,0 +1,70 @@
diff --git a/pkgs/development/python-modules/netbox-qrcode/default.nix b/pkgs/development/python-modules/netbox-qrcode/default.nix
new file mode 100644
index 000000000000..b378b839a8dc
--- /dev/null
+++ b/pkgs/development/python-modules/netbox-qrcode/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, setuptools
+, wheel
+, pillow
+, qrcode
+, netbox
+}:
+
+buildPythonPackage rec {
+ pname = "netbox-qrcode";
+ version = "0.0.13";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "netbox-community";
+ repo = "netbox-qrcode";
+ rev = "v${version}";
+ hash = "sha256-/labSZyB1SkU/uemuL946RDk8IVEAgCYJY2vrJFney0=";
+ };
+
+ nativeBuildInputs = [
+ setuptools
+ wheel
+ ];
+
+ propagatedBuildInputs = [
+ qrcode
+ pillow
+ ];
+
+ checkInputs = [
+ netbox
+ ];
+
+ preFixup = ''
+ export PYTHONPATH=${netbox}/opt/netbox/netbox:$PYTHONPATH
+ '';
+
+ pythonImportsCheck = [
+ "netbox_qrcode"
+ ];
+
+ meta = with lib; {
+ description = "NetBox Plugin for generate QR Codes";
+ homepage = "https://github.com/netbox-community/netbox-qrcode";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ sinavir ];
+ };
+}
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 9999d745e3ac..b226e0063672 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -8989,6 +8989,8 @@ self: super: with self; {
netbox-reorder-rack = callPackage ../development/python-modules/netbox-reorder-rack { };
+ netbox-qrcode = callPackage ../development/python-modules/netbox-qrcode { };
+
netcdf4 = callPackage ../development/python-modules/netcdf4 { };
netdata = callPackage ../development/python-modules/netdata { };

Some files were not shown because too many files have changed in this diff Show more