Compare commits

...

205 commits

Author SHA1 Message Date
sinavir
383911d619
fix(web03/redirections): import module 2024-12-22 15:16:48 +01:00
5fa7ccb8e7
fix(django-apps): Disable statedir backup until it is fixed 2024-12-21 17:18:32 +01:00
e19100f856
feat(django-apps): Add automatic backup 2024-12-21 08:24:11 +01:00
sinavir
3085d9e3a8
feat(dj-apps/ernestophone): Switch to production 2024-12-20 16:45:53 +01:00
31e3aabc8f
chore(npins): Update stateless-uptime-kuma
This version has exponential backoff for trying to connect to the
upstream server
2024-12-20 13:33:57 +01:00
sinavir
7c6c753c67
feat(django-apps): Init ernestophone website 2024-12-20 04:21:06 +01:00
4622da188c
fix(ds-fr): Make email work again 2024-12-18 09:51:28 +01:00
2855d62a43
chore(ds-fr): Disable var/lib backups for now
It is spitting out errors
2024-12-18 07:57:05 +01:00
f8df18f13c
fix(ds-fr): Update module 2024-12-18 00:42:12 +01:00
sinavir
324c37f884
fix(dns): Remove old pub.dgnum.eu 2024-12-17 22:21:52 +01:00
sinavir
9b71232c58
feat(garage): Deploy landing page 2024-12-17 22:14:40 +01:00
54f2057dfc chore(cas-eleves): Remove server alias as we have a permanent redirection in place 2024-12-17 20:06:13 +01:00
Elias Coppens
b8e75176e1
feat(hypervisors): Init 2024-12-17 17:41:33 +01:00
cab2bc381c
feat(vault01/networking): open vlan hypervisor 2024-12-17 12:09:03 +01:00
f6d2de3115
chore(patches): Drop patches from nixos-24.05 as only web02 and ap01 use it 2024-12-17 00:14:46 +01:00
200104bf84
chore(kanidm): Update origin uris, oauth2 endpoints and switch to 1.4 2024-12-17 00:11:05 +01:00
8c8093b778
feat(netbird): Use a kanidm-proof redirect uri 2024-12-16 22:37:51 +01:00
1b7b1c3a4f
chore(npins): Update cas-eleves 2024-12-16 22:37:31 +01:00
af1e11f01b
chore(git-hooks): Use a fixed nixfmt that does not depend on upstream 2024-12-16 16:40:39 +01:00
60a5aea5a8
chore(nextcloud): Update to v30 2024-12-16 16:21:37 +01:00
accf643294
chore(meta): Remove nodes.nix 2024-12-16 09:40:38 +01:00
09e55d4a80
chore(reuse): Add copyright and license information 2024-12-16 09:34:15 +01:00
fdb355bac7
feat(netconf/netcore02): ci build 2024-12-16 09:26:52 +01:00
3c9bf80f24
feat(netconf): use meta for access control 2024-12-16 09:26:52 +01:00
e8cdd06706
feat(netconf): toplevel rpc drv 2024-12-16 09:26:52 +01:00
9601caba4f
fix(netconf/dgn-hardware): missing parenthesis 2024-12-16 09:26:52 +01:00
sinavir
d63751578a
fix(HACK): not broken anymore 2024-12-16 09:26:52 +01:00
99ef0b76de
feat(netconf)!: wip! broken! netconf-eval 2024-12-16 09:26:52 +01:00
aa4cdf0fd4
fix(netconf): typo 2024-12-16 09:26:52 +01:00
318f6927c1
feat(lib): Init netconf-junos
The code is copied from netconf-module, `with lib;` have been replaced
by inherits
2024-12-16 09:26:52 +01:00
1980d3c34e
feat(modules/netconf): Add lbailly's dgn-interfaces module 2024-12-16 09:26:52 +01:00
9024590a34
fix(netconf/dgn-hardware): Some models are extension cards 2024-12-16 09:26:52 +01:00
fbfb22d777
feat(modules/netconf): Add hardware module 2024-12-16 09:26:52 +01:00
c5e3da3ac9
chore(meta): Split nodes into systems 2024-12-16 09:26:52 +01:00
a818917d77
chore(storage01): Disable vm for now 2024-12-16 00:19:57 +01:00
9a99c8a29e
chore(compute01): Update swap device 2024-12-16 00:12:28 +01:00
08d7dc46b3
fix(modules/dgn-network): Make it work on web02
This is the only node still on 24.05 as the cas server is f*cked
2024-12-15 23:33:14 +01:00
1c74c67de6
fix(compute01/librenms): Update patch and vendorHash 2024-12-15 23:33:14 +01:00
30da92618a
chore(compute01): Disable satosa for now 2024-12-15 23:08:42 +01:00
af66eb557f
fix(patches): Port necessary patches to nixos 24.11 2024-12-15 23:08:42 +01:00
12f19506fc
feat(compute01): Update nixos, but keep kanidm_1_3 2024-12-15 23:08:42 +01:00
659ddf39e5
fix(wordpress): Include the selected theme 2024-12-15 23:08:42 +01:00
7d99a0d334
chore(crabfit): Update 2024-12-15 23:08:42 +01:00
046ed0c005
chore(networking): Attributes have to me moved up 2024-12-15 23:08:42 +01:00
a2d397de70
feat(nodes): Update to nixos 24.11 2024-12-15 23:08:42 +01:00
a65e348f0e
feat(hive): Add tvix-store as a substituter 2024-12-15 22:15:56 +01:00
ecf5fefbaa fix(machines/storage01): scrape all exporter ports
There may be more than one port for a given node.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-15 20:47:04 +01:00
bb7f538110 fix(modules/nixos/dgn-node-monitoring): listen and fix the cgroup port
Otherwise, we cannot scrape that specific port.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-15 20:47:04 +01:00
a1f17d1850
feat(meta/options): Add the system type to the default tags 2024-12-15 12:49:13 +01:00
76419de740
fix(modules/django-apps): Add descriptions where missing 2024-12-13 16:38:36 +01:00
3872b17ff6
fix(modules/dgn-console): Udate description of psql options 2024-12-13 15:48:04 +01:00
f5147dec8d
feat(workflows/pre-commit): Check multiple stages 2024-12-13 12:50:25 +01:00
88d9b8c3e3
chore: Add license and copyright information
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu>
Acked-by: Maurice Debray <maurice.debray@dgnum.eu>
Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu>
Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum.
Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
2024-12-13 12:41:38 +01:00
630b7c0ffc
chore(web01): Remove kahulm.nix 2024-12-12 14:03:32 +01:00
b2bebdc20d
chore(web01): Remove dolibarr.nix 2024-12-12 14:00:14 +01:00
a2ca441284
fix: remove lib.mdDoc references 2024-12-11 23:07:14 +01:00
fe19171d85 feat(nextcloud): Deploy collabora without docker 2024-12-11 14:46:32 +01:00
b23312dcaa feat(dgn-web): Add yearly logrotate for nginx 2024-12-11 14:40:29 +01:00
e0cf11276d feat(monitoring): support cgroup exporting of metrics
This needs an update in our node_exporter dashboard but nothing too
hard.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-11 11:08:07 +01:00
026acdecb7
fix(tvix-cache): Import an existing file 2024-12-10 11:14:10 +01:00
6d03c084a0
feat(hive): Add serverNodes to the arguments 2024-12-08 22:31:14 +01:00
25eee32a22 feat(scripts): introduce manual push script
This way, we can send some closures if some of our members build them on
more powerful machines.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 21:14:28 +01:00
f16d8ce68f fix(ap01): switch Liminix nodes to 24.05
There's a bug in 24.11 regarding GCC bootstrap for mipsel which makes it
impossible to use that NixOS version.

We will need to pin 24.05 and bisect until we find the root cause…

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 21:14:28 +01:00
ba62dcd6a6
fix(storage01): Make prometheus work again
By only looking at nixos nodes
2024-12-08 17:15:45 +01:00
65b188a7cd
fix(meta): Use correct optional 2024-12-08 17:15:45 +01:00
715201abc2
fix(rescue01): Filter nodes to only include real servers 2024-12-08 17:15:45 +01:00
a2295953da
fix(meta): Add required stuff for ap01 2024-12-08 17:15:45 +01:00
303f53af0f
chore: Apply the abstraction to ap01 2024-12-08 17:15:45 +01:00
e89ed2d0e7
feat(hive): ensure purity of cache-node.sh
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
e94d6fd16e
fix(hive): ensure we are in hermetic evaluation
We don't want any <nixpkgs> to appear out of nowhere.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
6ca347ee51
Revert "chore(HACK): open a tmate session in the CI"
This reverts commit 5907ba80e1a608e1c2674e94bb4e5c98ac9dfc55.
2024-12-08 15:24:40 +01:00
4158d85efb
fix(npins): update liminix to fix graphviz incident
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
a12b180592
chore(HACK): open a tmate session in the CI
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
104d64f23f
feat(scripts/cache-node): support non-NixOS systems
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
cdd8b9cc12
feat(machines): add ap01 initial configuration
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
df6b48e2f3
feat(hive/registry): add Zyxel NWA50AX in the registry
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
d9a6d38d5e
feat(modules/dgn-access-control): support Liminix systems
Liminix are not totally aligned with their implementation of users.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:23:28 +01:00
a2a6bf8d1c
feat(npins/sources): switch to DGNum fork of Liminix
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:23:28 +01:00
ec98e60c3d
feat(devshell): add SSO and serial access tools
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:23:28 +01:00
750a2f90eb
feat(crabfit): Remove overzealous padding 2024-12-08 15:11:16 +01:00
0b27fef19f
fix(bridge01): Use correct node name 2024-12-08 13:46:29 +01:00
ecbad0a638
chore: Abstract machines and modules
This adds subdirectories for the different types of systems, for the
modules and the machines
2024-12-08 13:39:10 +01:00
c3f4e7ade6
fix(meta): Only define targetHost when the network config is defined 2024-12-08 12:49:46 +01:00
e1586b4873
fix(dns): Only generate infra records for nixos machines 2024-12-08 12:19:31 +01:00
4fa4d0bc21
feat(hive.nix): Refactor mkNixpkgsConfig 2024-12-08 12:10:50 +01:00
3a325437b8
chore(hive.nix): Simplify system management 2024-12-08 12:04:54 +01:00
3a58ac3fdc
fix(hive.nix): Remove inifinite recursion 2024-12-08 11:59:39 +01:00
eb5b8740a8
feat(meta): Remove default values for nixpkgs version
They are considered harmful, and it simplifies the code.
2024-12-08 11:52:26 +01:00
1821104e8e
feat(meta): Add system to the nodes meta 2024-12-08 11:40:01 +01:00
12c8870f6d
chore(meta): Sort nodes 2024-12-08 11:02:04 +01:00
4fabadccb4 feat(scripts/): use our own colmena
In the future, we should not have to do this.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-07 15:30:42 +01:00
344cc26d8e feat(meta/*): support generalized deployments
Our colmena knows how to deal with families of system types, e.g. NixOS
systems or Liminix-based systems.

This is a step 1 towards supporting our APs in our infrastructure.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-07 15:26:13 +01:00
ae057f480f
feat(lib): Add warn 2024-12-07 13:12:20 +01:00
f909853119
feat(dns): Add autoritative DNS for lab subdomain 2024-12-07 11:05:45 +01:00
a60b546277
feat(vault01/gretap): gretap for hackaton 2024-12-07 10:52:37 +01:00
sinavir
09b5963449
fix(ds-fr): Lock patch with hash 2024-12-06 10:58:57 +01:00
sinavir
d4dab1e7ae
fix(ds-fr): Update dgn patch 2024-12-06 10:31:29 +01:00
sinavir
41caf293b0
chore(ds-fr): Remove unused files 2024-12-06 09:50:23 +01:00
2a7a3aba83
fix(npins): Update hash 2024-12-02 17:25:41 +01:00
96e8bfff5b
feat(django-apps): Internalize 2024-11-25 23:29:39 +01:00
sinavir
aa154d1b1b
fix(web03/dj-apps): Use secret tokens 2024-11-25 16:06:08 +01:00
sinavir
f37a7449cb
fix(netbox-agent): Disable as it is broken 2024-11-25 15:18:28 +01:00
030803ba29
chore(patches): Reorganize 2024-11-25 11:15:20 +01:00
13abd5400b
fix(web03/dj-wikiens): Update dependencies 2024-11-23 11:33:56 +01:00
f6c933f374
fix(kanidm): Use last usable version: 1.3.3 2024-11-22 23:12:18 +01:00
c9839d4be6 chore(npins): Update 2024-11-22 15:27:34 +00:00
fe52f0ebe2
feat(forgejo-runners): Use /data/slow/nix and not /data/slow/nix/nix
The upstream module should be updated to reflect that, use rootPath
instead of storePath
2024-11-22 14:04:35 +01:00
1f9f56ac91
chore(lix): Use the global patch infrastructure for lix 2024-11-22 12:56:39 +01:00
75b621e298
fix(ds-fr): Switch to nix-pkgs 2024-11-21 15:13:25 +01:00
sinavir
32f68a54a9
chore(workflows): regenerate 2024-11-19 00:53:33 +01:00
sinavir
b00e47ec85
chore(netbox): Upgrade 2024-11-19 00:40:15 +01:00
a50637d55e
chore(stirling-pdf): New version 2024-11-19 00:13:49 +01:00
aa4f972085
fix(forgejo-runners): Let the shell handle colmena 2024-11-19 00:01:06 +01:00
8a5de73b47 chore(npins): Update 2024-11-18 15:29:55 +00:00
3fecacb482
chore(npins): Update nix-modules 2024-11-18 13:03:13 +01:00
ded867d274
feat(dj-interludes): Add a real secret 2024-11-18 13:02:54 +01:00
f61bd85d63
chore(forgejo): Disallow more domains 2024-11-17 19:01:26 +01:00
bf06d2573b
feat(nix): Use passthru for shells and return to importing the scripts 2024-11-14 22:18:40 +01:00
6fbda40e5e
feat(scripts): Unify behaviour and improve generation 2024-11-14 22:01:58 +01:00
2ffd7732ba
feat(django-apps/interludes): Allow base webapps domain 2024-11-12 15:08:17 +01:00
d45b044b22
feat(django-apps/interludes): Switch to interludes.ens.fr 2024-11-12 14:55:04 +01:00
21b422b1ad
fix(nix-lib): Allow defining top-level imports 2024-11-12 12:29:36 +01:00
420fe99984
fix(django-apps/interludes): Don't run in debug mode 2024-11-12 10:52:49 +01:00
32f13adaad
feat(web03): Deploy interludes.webapps.dgnum.eu 2024-11-12 10:40:09 +01:00
a816c81125
chore: Update nix-actions 2024-11-11 22:05:16 +01:00
6ab3e4b685
fix(workflows): Correct typos 2024-11-11 18:01:44 +01:00
5f1436e4bf
feat(workflows): Switch to a nix-based definition of workflows 2024-11-11 17:57:23 +01:00
sinavir
d8f90dd940
fix(patches): Label nextcloud patch 2024-11-11 00:57:49 +01:00
89b22a34da
feat(forgejo): Add blocklist for registering e-mails 2024-11-10 16:24:51 +01:00
32d28ed351
feat(organization): Added Antoine Groudiev and Matthieu Boyer to organization 2024-11-09 22:55:24 +01:00
46657a7f74
fix(tvix-cache): Turn down the log vomit, and increase the limit of file handles 2024-11-09 19:11:10 +01:00
0a40fbbda0
Revert "chore(npins): Update"
This reverts commit 045554b2e6.
2024-11-09 18:43:56 +01:00
045554b2e6 chore(npins): Update 2024-11-09 15:29:23 +00:00
sinavir
2cee8006d3
feat(access-control): Remove luj from admins 2024-11-08 00:18:14 +01:00
sinavir
9e5be2a279
fix(web01): www.lanuit.ens.fr redirection is not used anymore 2024-11-04 20:07:33 +01:00
0576d1ecf8
fix(web03): Use a different domain for webhooks endpoint 2024-10-31 10:58:07 +01:00
06bbe99769
feat(meta/dns): Add private subdomain linking to the netbird ips 2024-10-31 10:58:07 +01:00
sinavir
45f2f59055 feat(keys): Add a key for mdebray 2024-10-30 23:21:36 +01:00
0e3463102c
feat(metis): Update and validate providers 2024-10-24 00:27:15 +02:00
d2f039755b
chore(metis): Update 2024-10-23 23:40:21 +02:00
a6aac2b0b4
feat(web03): Deploy www-bocal on bocal.webapps.dgnum.eu 2024-10-23 13:56:47 +02:00
ae7aaabf29
feat(meta/network): Add web03 netbirdIp 2024-10-23 11:04:28 +02:00
7ab63fb4a5
fix(netbox-agent): Use the latest version, which returns the correct value to the shell 2024-10-23 10:05:25 +02:00
2bb03126cf
feat(web03): Deploy django-wiki on wiki.webapps.dgnum.eu 2024-10-22 14:19:58 +02:00
2b858bbae4
feat(web03): Switch to nixos-unstable 2024-10-22 14:09:54 +02:00
4f18e8d387
feat(meta/dns): Add apps-webhook domain, to separate from the apps 2024-10-22 13:55:30 +02:00
4a102117a4
feat(storage01): Init victoria-metrics DB 2024-10-22 13:07:07 +02:00
969f59fbc4
feat(web03): Deploy the new annuaire 2024-10-21 20:03:20 +02:00
972b9554b7 feat(netbox-agent): Internalize 2024-10-21 19:38:11 +02:00
sinavir
e993d6de34 fix(stateless-uptime-kuma): Typo in domain name 2024-10-21 12:25:18 +02:00
sinavir
e0eb7bbf7c fix(stateless-uptime-kuma): Correct probes for ollama and s3-api 2024-10-21 12:16:00 +02:00
7875007a4f
feat(meta/dns): Add victoria-metrics 2024-10-21 11:15:31 +02:00
b5fc554f0f
fix(patches): Update commit for netbox-qrcode 2024-10-21 09:41:01 +02:00
a93a64d747
feat(forgejo): Send email to admins when new users appear 2024-10-21 09:33:40 +02:00
51133e6e5f
feat(netbird): Update 2024-10-20 23:01:14 +02:00
5f0c7d4e22
feat(meta/nodes): Sort nodes 2024-10-20 22:35:35 +02:00
39abf0b62d chore(npins): Update 2024-10-20 13:29:01 +00:00
63c9f02b16
fix(meta): Use correct username
(Sorry @jemagius)
2024-10-18 18:46:33 +02:00
f0b3d4b490
feat(kanidm): Use kanidm-provision to setup active members 2024-10-18 14:36:38 +02:00
sinavir
e7edf29e11 fix(ollama-proxy): Use ip instead of vpn domain name
VPN dns is slow to start so nginx will fail
2024-10-18 12:45:27 +02:00
sinavir
c0435e694d fix(modules/dgn-records): Add enable option 2024-10-18 11:53:32 +02:00
sinavir
1a05ea3a9a feat(krz01): Move to lab-infra repo 2024-10-18 11:53:32 +02:00
113c83bb9c
feat: laptop change and smartphone add to authorized MACs 2024-10-18 11:12:14 +02:00
ac0aaa9228
fix(npins): Update nix-pkgs 2024-10-18 11:10:47 +02:00
16dfdf1032
feat(patches): Add kanidm provisioning 2024-10-17 23:03:37 +02:00
05edf3f295
feat(meta/dns): Update web02 2024-10-17 23:03:37 +02:00
sinavir
3c445ab4c7 feat(networking): Add a bridge to connect VMs to the world 2024-10-17 17:56:09 +02:00
sinavir
492fe550d9 chore(krz01): Put all ollama/whisper stuff in separate modules 2024-10-17 15:47:10 +02:00
sinavir
a02da5f496 chore(proxmox-nixos): Update 2024-10-17 15:34:11 +02:00
b850ee56c2
chore(nixpkgs): Drop nixos-23.11 2024-10-17 15:11:43 +02:00
db5859e472
feat(web03): Initial deployment of django-apps 2024-10-17 15:11:43 +02:00
fd6b9678ef
chore(netbox-agent): Rekey 2024-10-17 15:06:26 +02:00
f771ec72c8
fix(secrets): Rekey Arkheon and email secrets 2024-10-16 11:45:50 +02:00
9931c622b6
feat(workflows/eval): Add web03 to the list 2024-10-16 11:28:30 +02:00
ad8ddb1f4d
feat(dns): Redirect webapps subdomain to web03 2024-10-16 11:24:10 +02:00
14866df004
fix(dgn-web): Set a default for simpleProxies 2024-10-16 11:08:24 +02:00
b6cbf6e918
feat(infra): Deploy web03 2024-10-16 11:08:24 +02:00
4b2d1cde5b
chore(dgsi): Update 2024-10-12 22:25:53 +02:00
06653220bb
fix(kanidm): Revert switch to simpleProxies
As we proxy to an https endpoint, this was not supported
2024-10-12 22:11:34 +02:00
9ea51137fc
chore(dgsi): Update 2024-10-12 22:06:26 +02:00
2f06f22ac7 feat(nginx): Switch to simpleProxies for the majority of configs 2024-10-12 20:00:54 +02:00
af61ae6e61 feat(dgn-web): Add simpleProxies
This proxies the required host to localhost:$port and enables SSL
2024-10-12 20:00:54 +02:00
9ea6bada0a feat(dgn-web): Add a way to detect internal port clashes 2024-10-12 20:00:54 +02:00
f819acf9bc
feat(forgejo): 7 days sessions 2024-10-12 19:52:21 +02:00
8043f8d4ab
chore(metis): Update 2024-10-12 17:29:51 +02:00
bb4a24f9e9 feat: add cst1's member info 2024-10-11 14:53:13 +02:00
cafaa15ef3 fix(rights): add cst1 to lab adminGroup 2024-10-11 14:53:13 +02:00
54e2eeb6f3 feat(ssh): Add cst1's SSH key 2024-10-11 14:53:13 +02:00
aa3d83ca06
fix(scripts): Don't try to upload to the cache if no password is present 2024-10-11 14:53:00 +02:00
e37f56f85b
fix(dns): cachix.dgnum.eu is no longer in service 2024-10-11 01:45:41 +02:00
f20353b727 fix(storage01): pass through the admin API of Garage
not the web API!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:52:22 +02:00
a4de5f4d31 feat(krz01): move ollama to compute01 via a reverse proxy
krz01 has no public web IP.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:40:56 +02:00
363f8d3c67 fix(krz01): open 80/443 for ACME
Oopsie!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:20:28 +02:00
12b20e6acf feat(storage01): add monorepo-terraform-state.s3.dgnum.eu
This is required to bootstrap the Terranix setup.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:13:11 +02:00
de6742aa0d feat(storage01): add s3-admin.dgnum.eu
This is the administration endpoint of the S3, you can create new
buckets and more, from there.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:13:11 +02:00
d76e655174 feat(krz01): add a NGINX in front of ollama protected by password
This way, you can do direct requests to ollama from other places.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 16:43:33 +02:00
sinavir
7d70beb1f0 feat(krz01): create and add the lab admin group to krz01 2024-10-10 13:35:34 +02:00
dae3b7c7f6
fix(web02): Remove test user 2024-10-10 09:41:58 +02:00
1e71ef3636
feat(users): Add root passwords and deactivate mutableUsers 2024-10-10 09:23:19 +02:00
7bdc70632c
chore(scripts): Cleanup of old caching script 2024-10-10 01:04:16 +02:00
d05c003fd6
feat(workflows/eval): Generalize the new script to all nodes 2024-10-10 00:58:41 +02:00
5b271b7b4a
feat(nat): enabling for dgnum members for tests 2024-10-10 00:00:56 +02:00
93c47f47be
fix: laptop change 2024-10-09 23:47:29 +02:00
47ad002f12
feat(workflows/eval): Try to build and upload in one fell swoop 2024-10-09 21:34:22 +02:00
6b23df6b54
feat(workflows/eval): Try to build and upload in one fell swoop 2024-10-09 21:32:38 +02:00
426 changed files with 8946 additions and 16380 deletions

1
.envrc
View file

@ -1 +1,2 @@
watch_file workflows/*
use nix

View file

@ -1,25 +1,21 @@
jobs:
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
on:
pull_request:
branches:
- main
- main
push:
paths:
- 'meta/*'
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link
- meta/*

View file

@ -0,0 +1,16 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:
branches:
- main
push:
paths:
- workflows/*

View file

@ -1,56 +0,0 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

View file

@ -0,0 +1,174 @@
jobs:
ap01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: ap01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache ap01
run: nix-shell -A eval-nodes --run cache-node
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
hypervisor01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
hypervisor02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
hypervisor03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netcore02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:
branches:
- main
push:
branches:
- main

View file

@ -1,320 +0,0 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_krz01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build krz01
run: |
# Enter the shell
nix-shell --run 'colmena build --on krz01'
build_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build compute01
run: |
# Enter the shell
nix-shell --run 'colmena build --on compute01'
build_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build storage01
run: |
# Enter the shell
nix-shell --run 'colmena build --on storage01'
build_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build vault01
run: |
# Enter the shell
nix-shell --run 'colmena build --on vault01'
build_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web01
run: |
# Enter the shell
nix-shell --run 'colmena build --on web01'
build_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web02
run: |
# Enter the shell
nix-shell --run 'colmena build --on web02'
build_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build rescue01
run: |
# Enter the shell
nix-shell --run 'colmena build --on rescue01'
build_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo01
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo01'
build_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo02
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo02'
build_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build bridge01
run: |
# Enter the shell
nix-shell --run 'colmena build --on bridge01'
push_to_cache_krz01:
runs-on: nix
needs:
- build_krz01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "krz01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_krz01
path: uploaded.txt
push_to_cache_compute01:
runs-on: nix
needs:
- build_compute01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "compute01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: uploaded.txt
push_to_cache_storage01:
runs-on: nix
needs:
- build_storage01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "storage01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: uploaded.txt
push_to_cache_rescue01:
runs-on: nix
needs:
- build_rescue01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "rescue01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: uploaded.txt
push_to_cache_geo01:
runs-on: nix
needs:
- build_geo01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: uploaded.txt
push_to_cache_geo02:
runs-on: nix
needs:
- build_geo02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: uploaded.txt
push_to_cache_vault01:
runs-on: nix
needs:
- build_vault01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "vault01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: uploaded.txt
push_to_cache_web01:
runs-on: nix
needs:
- build_web01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: uploaded.txt
push_to_cache_web02:
runs-on: nix
needs:
- build_web02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt
push_to_cache_bridge01:
runs-on: nix
needs:
- build_bridge01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "bridge01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt

View file

@ -1,11 +0,0 @@
name: lint
on: [push, pull_request]
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

View file

@ -0,0 +1,25 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 25 15 * * *

View file

@ -0,0 +1,15 @@
jobs:
pre-commit:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check stage pre-commit
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-commit --show-diff-on-failure'
- name: Check stage pre-push
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push
- pull_request

View file

@ -1,3 +1,9 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# Contribuer
Quelques éléments à savoir:

547
LICENSE
View file

@ -1,547 +0,0 @@
CONTRAT DE LICENCE DE LOGICIEL LIBRE CeCILL
Version 2.1 du 2013-06-21
Avertissement
Ce contrat est une licence de logiciel libre issue d'une concertation
entre ses auteurs afin que le respect de deux grands principes préside à
sa rédaction:
* d'une part, le respect des principes de diffusion des logiciels
libres: accès au code source, droits étendus conférés aux utilisateurs,
* d'autre part, la désignation d'un droit applicable, le droit
français, auquel elle est conforme, tant au regard du droit de la
responsabilité civile que du droit de la propriété intellectuelle et
de la protection qu'il offre aux auteurs et titulaires des droits
patrimoniaux sur un logiciel.
Les auteurs de la licence CeCILL (Ce[a] C[nrs] I[nria] L[ogiciel] L[ibre])
sont:
Commissariat à l'énergie atomique et aux énergies alternatives - CEA,
établissement public de recherche à caractère scientifique, technique et
industriel, dont le siège est situé 25 rue Leblanc, immeuble Le Ponant
D, 75015 Paris.
Centre National de la Recherche Scientifique - CNRS, établissement
public à caractère scientifique et technologique, dont le siège est
situé 3 rue Michel-Ange, 75794 Paris cedex 16.
Institut National de Recherche en Informatique et en Automatique -
Inria, établissement public à caractère scientifique et technologique,
dont le siège est situé Domaine de Voluceau, Rocquencourt, BP 105, 78153
Le Chesnay cedex.
Préambule
Ce contrat est une licence de logiciel libre dont l'objectif est de
conférer aux utilisateurs la liberté de modification et de
redistribution du logiciel régi par cette licence dans le cadre d'un
modèle de diffusion en logiciel libre.
L'exercice de ces libertés est assorti de certains devoirs à la charge
des utilisateurs afin de préserver ce statut au cours des
redistributions ultérieures.
L'accessibilité au code source et les droits de copie, de modification
et de redistribution qui en découlent ont pour contrepartie de n'offrir
aux utilisateurs qu'une garantie limitée et de ne faire peser sur
l'auteur du logiciel, le titulaire des droits patrimoniaux et les
concédants successifs qu'une responsabilité restreinte.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs ou des
professionnels avertis possédant des connaissances informatiques
approfondies. Les utilisateurs sont donc invités à charger et tester
l'adéquation du logiciel à leurs besoins dans des conditions permettant
d'assurer la sécurité de leurs systèmes et/ou de leurs données et, plus
généralement, à l'utiliser et l'exploiter dans les mêmes conditions de
sécurité. Ce contrat peut être reproduit et diffusé librement, sous
réserve de le conserver en l'état, sans ajout ni suppression de clauses.
Ce contrat est susceptible de s'appliquer à tout logiciel dont le
titulaire des droits patrimoniaux décide de soumettre l'exploitation aux
dispositions qu'il contient.
Une liste de questions fréquemment posées se trouve sur le site web
officiel de la famille des licences CeCILL
(http://www.cecill.info/index.fr.html) pour toute clarification qui
serait nécessaire.
Article 1 - DEFINITIONS
Dans ce contrat, les termes suivants, lorsqu'ils seront écrits avec une
lettre capitale, auront la signification suivante:
Contrat: désigne le présent contrat de licence, ses éventuelles versions
postérieures et annexes.
Logiciel: désigne le logiciel sous sa forme de Code Objet et/ou de Code
Source et le cas échéant sa documentation, dans leur état au moment de
l'acceptation du Contrat par le Licencié.
Logiciel Initial: désigne le Logiciel sous sa forme de Code Source et
éventuellement de Code Objet et le cas échéant sa documentation, dans
leur état au moment de leur première diffusion sous les termes du Contrat.
Logiciel Modifié: désigne le Logiciel modifié par au moins une
Contribution.
Code Source: désigne l'ensemble des instructions et des lignes de
programme du Logiciel et auquel l'accès est nécessaire en vue de
modifier le Logiciel.
Code Objet: désigne les fichiers binaires issus de la compilation du
Code Source.
Titulaire: désigne le ou les détenteurs des droits patrimoniaux d'auteur
sur le Logiciel Initial.
Licencié: désigne le ou les utilisateurs du Logiciel ayant accepté le
Contrat.
Contributeur: désigne le Licencié auteur d'au moins une Contribution.
Concédant: désigne le Titulaire ou toute personne physique ou morale
distribuant le Logiciel sous le Contrat.
Contribution: désigne l'ensemble des modifications, corrections,
traductions, adaptations et/ou nouvelles fonctionnalités intégrées dans
le Logiciel par tout Contributeur, ainsi que tout Module Interne.
Module: désigne un ensemble de fichiers sources y compris leur
documentation qui permet de réaliser des fonctionnalités ou services
supplémentaires à ceux fournis par le Logiciel.
Module Externe: désigne tout Module, non dérivé du Logiciel, tel que ce
Module et le Logiciel s'exécutent dans des espaces d'adressage
différents, l'un appelant l'autre au moment de leur exécution.
Module Interne: désigne tout Module lié au Logiciel de telle sorte
qu'ils s'exécutent dans le même espace d'adressage.
GNU GPL: désigne la GNU General Public License dans sa version 2 ou
toute version ultérieure, telle que publiée par Free Software Foundation
Inc.
GNU Affero GPL: désigne la GNU Affero General Public License dans sa
version 3 ou toute version ultérieure, telle que publiée par Free
Software Foundation Inc.
EUPL: désigne la Licence Publique de l'Union européenne dans sa version
1.1 ou toute version ultérieure, telle que publiée par la Commission
Européenne.
Parties: désigne collectivement le Licencié et le Concédant.
Ces termes s'entendent au singulier comme au pluriel.
Article 2 - OBJET
Le Contrat a pour objet la concession par le Concédant au Licencié d'une
licence non exclusive, cessible et mondiale du Logiciel telle que
définie ci-après à l'article 5 <#etendue> pour toute la durée de
protection des droits portant sur ce Logiciel.
Article 3 - ACCEPTATION
3.1 L'acceptation par le Licencié des termes du Contrat est réputée
acquise du fait du premier des faits suivants:
* (i) le chargement du Logiciel par tout moyen notamment par
téléchargement à partir d'un serveur distant ou par chargement à
partir d'un support physique;
* (ii) le premier exercice par le Licencié de l'un quelconque des
droits concédés par le Contrat.
3.2 Un exemplaire du Contrat, contenant notamment un avertissement
relatif aux spécificités du Logiciel, à la restriction de garantie et à
la limitation à un usage par des utilisateurs expérimentés a été mis à
disposition du Licencié préalablement à son acceptation telle que
définie à l'article 3.1 <#acceptation-acquise> ci dessus et le Licencié
reconnaît en avoir pris connaissance.
Article 4 - ENTREE EN VIGUEUR ET DUREE
4.1 ENTREE EN VIGUEUR
Le Contrat entre en vigueur à la date de son acceptation par le Licencié
telle que définie en 3.1 <#acceptation-acquise>.
4.2 DUREE
Le Contrat produira ses effets pendant toute la durée légale de
protection des droits patrimoniaux portant sur le Logiciel.
Article 5 - ETENDUE DES DROITS CONCEDES
Le Concédant concède au Licencié, qui accepte, les droits suivants sur
le Logiciel pour toutes destinations et pour la durée du Contrat dans
les conditions ci-après détaillées.
Par ailleurs, si le Concédant détient ou venait à détenir un ou
plusieurs brevets d'invention protégeant tout ou partie des
fonctionnalités du Logiciel ou de ses composants, il s'engage à ne pas
opposer les éventuels droits conférés par ces brevets aux Licenciés
successifs qui utiliseraient, exploiteraient ou modifieraient le
Logiciel. En cas de cession de ces brevets, le Concédant s'engage à
faire reprendre les obligations du présent alinéa aux cessionnaires.
5.1 DROIT D'UTILISATION
Le Licencié est autorisé à utiliser le Logiciel, sans restriction quant
aux domaines d'application, étant ci-après précisé que cela comporte:
1.
la reproduction permanente ou provisoire du Logiciel en tout ou
partie par tout moyen et sous toute forme.
2.
le chargement, l'affichage, l'exécution, ou le stockage du Logiciel
sur tout support.
3.
la possibilité d'en observer, d'en étudier, ou d'en tester le
fonctionnement afin de déterminer les idées et principes qui sont à
la base de n'importe quel élément de ce Logiciel; et ceci, lorsque
le Licencié effectue toute opération de chargement, d'affichage,
d'exécution, de transmission ou de stockage du Logiciel qu'il est en
droit d'effectuer en vertu du Contrat.
5.2 DROIT D'APPORTER DES CONTRIBUTIONS
Le droit d'apporter des Contributions comporte le droit de traduire,
d'adapter, d'arranger ou d'apporter toute autre modification au Logiciel
et le droit de reproduire le logiciel en résultant.
Le Licencié est autorisé à apporter toute Contribution au Logiciel sous
réserve de mentionner, de façon explicite, son nom en tant qu'auteur de
cette Contribution et la date de création de celle-ci.
5.3 DROIT DE DISTRIBUTION
Le droit de distribution comporte notamment le droit de diffuser, de
transmettre et de communiquer le Logiciel au public sur tout support et
par tout moyen ainsi que le droit de mettre sur le marché à titre
onéreux ou gratuit, un ou des exemplaires du Logiciel par tout procédé.
Le Licencié est autorisé à distribuer des copies du Logiciel, modifié ou
non, à des tiers dans les conditions ci-après détaillées.
5.3.1 DISTRIBUTION DU LOGICIEL SANS MODIFICATION
Le Licencié est autorisé à distribuer des copies conformes du Logiciel,
sous forme de Code Source ou de Code Objet, à condition que cette
distribution respecte les dispositions du Contrat dans leur totalité et
soit accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et que, dans le cas où seul le Code Objet du Logiciel est redistribué,
le Licencié permette un accès effectif au Code Source complet du
Logiciel pour une durée d'au moins 3 ans à compter de la distribution du
logiciel, étant entendu que le coût additionnel d'acquisition du Code
Source ne devra pas excéder le simple coût de transfert des données.
5.3.2 DISTRIBUTION DU LOGICIEL MODIFIE
Lorsque le Licencié apporte une Contribution au Logiciel, les conditions
de distribution du Logiciel Modifié en résultant sont alors soumises à
l'intégralité des dispositions du Contrat.
Le Licencié est autorisé à distribuer le Logiciel Modifié, sous forme de
code source ou de code objet, à condition que cette distribution
respecte les dispositions du Contrat dans leur totalité et soit
accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et, dans le cas où seul le code objet du Logiciel Modifié est redistribué,
3.
d'une note précisant les conditions d'accès effectif au code source
complet du Logiciel Modifié, pendant une période d'au moins 3 ans à
compter de la distribution du Logiciel Modifié, étant entendu que le
coût additionnel d'acquisition du code source ne devra pas excéder
le simple coût de transfert des données.
5.3.3 DISTRIBUTION DES MODULES EXTERNES
Lorsque le Licencié a développé un Module Externe les conditions du
Contrat ne s'appliquent pas à ce Module Externe, qui peut être distribué
sous un contrat de licence différent.
5.3.4 COMPATIBILITE AVEC D'AUTRES LICENCES
Le Licencié peut inclure un code soumis aux dispositions d'une des
versions de la licence GNU GPL, GNU Affero GPL et/ou EUPL dans le
Logiciel modifié ou non et distribuer l'ensemble sous les conditions de
la même version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Le Licencié peut inclure le Logiciel modifié ou non dans un code soumis
aux dispositions d'une des versions de la licence GNU GPL, GNU Affero
GPL et/ou EUPL et distribuer l'ensemble sous les conditions de la même
version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Article 6 - PROPRIETE INTELLECTUELLE
6.1 SUR LE LOGICIEL INITIAL
Le Titulaire est détenteur des droits patrimoniaux sur le Logiciel
Initial. Toute utilisation du Logiciel Initial est soumise au respect
des conditions dans lesquelles le Titulaire a choisi de diffuser son
oeuvre et nul autre n'a la faculté de modifier les conditions de
diffusion de ce Logiciel Initial.
Le Titulaire s'engage à ce que le Logiciel Initial reste au moins régi
par le Contrat et ce, pour la durée visée à l'article 4.2 <#duree>.
6.2 SUR LES CONTRIBUTIONS
Le Licencié qui a développé une Contribution est titulaire sur celle-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable.
6.3 SUR LES MODULES EXTERNES
Le Licencié qui a développé un Module Externe est titulaire sur celui-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable et reste libre du choix du contrat régissant
sa diffusion.
6.4 DISPOSITIONS COMMUNES
Le Licencié s'engage expressément:
1.
à ne pas supprimer ou modifier de quelque manière que ce soit les
mentions de propriété intellectuelle apposées sur le Logiciel;
2.
à reproduire à l'identique lesdites mentions de propriété
intellectuelle sur les copies du Logiciel modifié ou non.
Le Licencié s'engage à ne pas porter atteinte, directement ou
indirectement, aux droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs sur le Logiciel et à prendre, le cas échéant, à
l'égard de son personnel toutes les mesures nécessaires pour assurer le
respect des dits droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs.
Article 7 - SERVICES ASSOCIES
7.1 Le Contrat n'oblige en aucun cas le Concédant à la réalisation de
prestations d'assistance technique ou de maintenance du Logiciel.
Cependant le Concédant reste libre de proposer ce type de services. Les
termes et conditions d'une telle assistance technique et/ou d'une telle
maintenance seront alors déterminés dans un acte séparé. Ces actes de
maintenance et/ou assistance technique n'engageront que la seule
responsabilité du Concédant qui les propose.
7.2 De même, tout Concédant est libre de proposer, sous sa seule
responsabilité, à ses licenciés une garantie, qui n'engagera que lui,
lors de la redistribution du Logiciel et/ou du Logiciel Modifié et ce,
dans les conditions qu'il souhaite. Cette garantie et les modalités
financières de son application feront l'objet d'un acte séparé entre le
Concédant et le Licencié.
Article 8 - RESPONSABILITE
8.1 Sous réserve des dispositions de l'article 8.2
<#limite-responsabilite>, le Licencié a la faculté, sous réserve de
prouver la faute du Concédant concerné, de solliciter la réparation du
préjudice direct qu'il subirait du fait du Logiciel et dont il apportera
la preuve.
8.2 La responsabilité du Concédant est limitée aux engagements pris en
application du Contrat et ne saurait être engagée en raison notamment:
(i) des dommages dus à l'inexécution, totale ou partielle, de ses
obligations par le Licencié, (ii) des dommages directs ou indirects
découlant de l'utilisation ou des performances du Logiciel subis par le
Licencié et (iii) plus généralement d'un quelconque dommage indirect. En
particulier, les Parties conviennent expressément que tout préjudice
financier ou commercial (par exemple perte de données, perte de
bénéfices, perte d'exploitation, perte de clientèle ou de commandes,
manque à gagner, trouble commercial quelconque) ou toute action dirigée
contre le Licencié par un tiers, constitue un dommage indirect et
n'ouvre pas droit à réparation par le Concédant.
Article 9 - GARANTIE
9.1 Le Licencié reconnaît que l'état actuel des connaissances
scientifiques et techniques au moment de la mise en circulation du
Logiciel ne permet pas d'en tester et d'en vérifier toutes les
utilisations ni de détecter l'existence d'éventuels défauts. L'attention
du Licencié a été attirée sur ce point sur les risques associés au
chargement, à l'utilisation, la modification et/ou au développement et à
la reproduction du Logiciel qui sont réservés à des utilisateurs avertis.
Il relève de la responsabilité du Licencié de contrôler, par tous
moyens, l'adéquation du produit à ses besoins, son bon fonctionnement et
de s'assurer qu'il ne causera pas de dommages aux personnes et aux biens.
9.2 Le Concédant déclare de bonne foi être en droit de concéder
l'ensemble des droits attachés au Logiciel (comprenant notamment les
droits visés à l'article 5 <#etendue>).
9.3 Le Licencié reconnaît que le Logiciel est fourni "en l'état" par le
Concédant sans autre garantie, expresse ou tacite, que celle prévue à
l'article 9.2 <#bonne-foi> et notamment sans aucune garantie sur sa
valeur commerciale, son caractère sécurisé, innovant ou pertinent.
En particulier, le Concédant ne garantit pas que le Logiciel est exempt
d'erreur, qu'il fonctionnera sans interruption, qu'il sera compatible
avec l'équipement du Licencié et sa configuration logicielle ni qu'il
remplira les besoins du Licencié.
9.4 Le Concédant ne garantit pas, de manière expresse ou tacite, que le
Logiciel ne porte pas atteinte à un quelconque droit de propriété
intellectuelle d'un tiers portant sur un brevet, un logiciel ou sur tout
autre droit de propriété. Ainsi, le Concédant exclut toute garantie au
profit du Licencié contre les actions en contrefaçon qui pourraient être
diligentées au titre de l'utilisation, de la modification, et de la
redistribution du Logiciel. Néanmoins, si de telles actions sont
exercées contre le Licencié, le Concédant lui apportera son expertise
technique et juridique pour sa défense. Cette expertise technique et
juridique est déterminée au cas par cas entre le Concédant concerné et
le Licencié dans le cadre d'un protocole d'accord. Le Concédant dégage
toute responsabilité quant à l'utilisation de la dénomination du
Logiciel par le Licencié. Aucune garantie n'est apportée quant à
l'existence de droits antérieurs sur le nom du Logiciel et sur
l'existence d'une marque.
Article 10 - RESILIATION
10.1 En cas de manquement par le Licencié aux obligations mises à sa
charge par le Contrat, le Concédant pourra résilier de plein droit le
Contrat trente (30) jours après notification adressée au Licencié et
restée sans effet.
10.2 Le Licencié dont le Contrat est résilié n'est plus autorisé à
utiliser, modifier ou distribuer le Logiciel. Cependant, toutes les
licences qu'il aura concédées antérieurement à la résiliation du Contrat
resteront valides sous réserve qu'elles aient été effectuées en
conformité avec le Contrat.
Article 11 - DISPOSITIONS DIVERSES
11.1 CAUSE EXTERIEURE
Aucune des Parties ne sera responsable d'un retard ou d'une défaillance
d'exécution du Contrat qui serait dû à un cas de force majeure, un cas
fortuit ou une cause extérieure, telle que, notamment, le mauvais
fonctionnement ou les interruptions du réseau électrique ou de
télécommunication, la paralysie du réseau liée à une attaque
informatique, l'intervention des autorités gouvernementales, les
catastrophes naturelles, les dégâts des eaux, les tremblements de terre,
le feu, les explosions, les grèves et les conflits sociaux, l'état de
guerre...
11.2 Le fait, par l'une ou l'autre des Parties, d'omettre en une ou
plusieurs occasions de se prévaloir d'une ou plusieurs dispositions du
Contrat, ne pourra en aucun cas impliquer renonciation par la Partie
intéressée à s'en prévaloir ultérieurement.
11.3 Le Contrat annule et remplace toute convention antérieure, écrite
ou orale, entre les Parties sur le même objet et constitue l'accord
entier entre les Parties sur cet objet. Aucune addition ou modification
aux termes du Contrat n'aura d'effet à l'égard des Parties à moins
d'être faite par écrit et signée par leurs représentants dûment habilités.
11.4 Dans l'hypothèse où une ou plusieurs des dispositions du Contrat
s'avèrerait contraire à une loi ou à un texte applicable, existants ou
futurs, cette loi ou ce texte prévaudrait, et les Parties feraient les
amendements nécessaires pour se conformer à cette loi ou à ce texte.
Toutes les autres dispositions resteront en vigueur. De même, la
nullité, pour quelque raison que ce soit, d'une des dispositions du
Contrat ne saurait entraîner la nullité de l'ensemble du Contrat.
11.5 LANGUE
Le Contrat est rédigé en langue française et en langue anglaise, ces
deux versions faisant également foi.
Article 12 - NOUVELLES VERSIONS DU CONTRAT
12.1 Toute personne est autorisée à copier et distribuer des copies de
ce Contrat.
12.2 Afin d'en préserver la cohérence, le texte du Contrat est protégé
et ne peut être modifié que par les auteurs de la licence, lesquels se
réservent le droit de publier périodiquement des mises à jour ou de
nouvelles versions du Contrat, qui posséderont chacune un numéro
distinct. Ces versions ultérieures seront susceptibles de prendre en
compte de nouvelles problématiques rencontrées par les logiciels libres.
12.3 Tout Logiciel diffusé sous une version donnée du Contrat ne pourra
faire l'objet d'une diffusion ultérieure que sous la même version du
Contrat ou une version postérieure, sous réserve des dispositions de
l'article 5.3.4 <#compatibilite>.
Article 13 - LOI APPLICABLE ET COMPETENCE TERRITORIALE
13.1 Le Contrat est régi par la loi française. Les Parties conviennent
de tenter de régler à l'amiable les différends ou litiges qui
viendraient à se produire par suite ou à l'occasion du Contrat.
13.2 A défaut d'accord amiable dans un délai de deux (2) mois à compter
de leur survenance et sauf situation relevant d'une procédure d'urgence,
les différends ou litiges seront portés par la Partie la plus diligente
devant les Tribunaux compétents de Paris.

View file

@ -0,0 +1,155 @@
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensors permission is not necessary for any reasonfor example, because of any applicable exception or limitation to copyrightthen that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
Section 1 Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
k. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
Section 2 Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.
A. Offer from the Licensor Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
Section 3 License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Section 4 Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
Section 8 Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at creativecommons.org.

121
LICENSES/CC0-1.0.txt Normal file
View file

@ -0,0 +1,121 @@
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.

190
LICENSES/EUPL-1.2.txt Normal file
View file

@ -0,0 +1,190 @@
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the EUPL) applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
The Licence:this Licence.
The Original Work:the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
Derivative Works:the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
The Work:the Original Work or its Derivative Works.
The Source Code:the human-readable form of the Work which is the most convenient for people to study and
modify.
The Executable Code:any code which has generally been compiled and which is meant to be interpreted by
a computer as a program.
The Licensor:the natural or legal person that distributes or communicates the Work under the Licence.
Contributor(s):any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
The Licensee or You:any natural or legal person who makes any usage of the Work under the terms of the
Licence.
Distribution or Communication:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating
EUPL v. 1.2 only. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, Compatible Licence refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or bugs inherent to this type of development.
For the above reason, the Work is provided under the Licence on an as is basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon I agree placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
and the way it may be accessible, concluded, stored and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office,
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
a European Union Member State.
Appendix
Compatible Licences according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

9
LICENSES/MIT.txt Normal file
View file

@ -0,0 +1,9 @@
MIT License
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View file

@ -1,3 +1,10 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# ❄️ infrastructure
The dgnum infrastructure.

42
REUSE.toml Normal file
View file

@ -0,0 +1,42 @@
version = 1
[[annotations]]
SPDX-FileCopyrightText = "NONE"
SPDX-License-Identifier = "CC0-1.0"
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = [".forgejo/workflows/*"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/06-netbox-qrcode.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "MIT"
path = "lib/colmena/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
SPDX-License-Identifier = "EUPL-1.2"
path = "**/npins/*"
precedence = "closest"

View file

@ -1,47 +1,25 @@
/*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
*/
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
}:
let
git-checks = (import (builtins.storePath sources.git-hooks)).run {
inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
nix-reuse = import sources.nix-reuse { inherit pkgs; };
git-checks = (import sources.git-hooks).run {
src = ./.;
hooks = {
@ -62,11 +40,98 @@ let
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
package = pkgs.nixfmt-rfc-style;
};
reuse = nix-reuse.hook {
enable = true;
stages = [ "pre-push" ];
};
commitizen.enable = true;
};
};
reuse = nix-reuse.install {
defaultLicense = "EUPL-1.2";
defaultCopyright = "La Délégation Générale Numérique <contact@dgnum.eu>";
downloadLicenses = true;
generatedPaths = [
"**/.envrc"
"**/Cargo.lock"
"**/_hardware-configuration.nix"
".gitignore"
"REUSE.toml"
"shell.nix"
];
annotations = [
# Auto-generated workflow files using nix-actions
{ path = [ ".forgejo/workflows/*" ]; }
# Secrets
{
path = [
"machines/**/secrets/*"
"modules/nixos/dgn-backups/keys/*"
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-records/__arkheon-token_file"
];
license = "CC-BY-NC-ND-4.0";
}
# Patches
{
path = [
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
];
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
}
{
path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
}
# colmena wrapper
{
path = "lib/colmena/*";
license = "MIT";
}
# npins generated files
{
path = "**/npins/*";
license = "EUPL-1.2";
copyright = "The [npins](https://github.com/andir/npins) contributors";
}
];
};
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
scripts = import ./scripts { inherit pkgs sources; };
in
{
@ -76,38 +141,45 @@ in
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
devShell = pkgs.mkShell {
name = "dgnum-infra";
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
}))
pkgs.npins
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
] ++ (import ./scripts { inherit pkgs; });
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
shellHook = ''
${git-checks.shellHook}
'';
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
${reuse.shellHook}
'';
preferLocalBuild = true;
};
preferLocalBuild = true;
pre-commit = pkgs.mkShell {
name = "pre-commit-shell";
###
# Alternative shells
shellHook = ''
${git-checks.shellHook}
'';
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
};
};
}

215
hive.nix
View file

@ -1,3 +1,9 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
sources' = import ./npins;
@ -6,24 +12,28 @@ let
.applyPatches' sources';
nix-lib = import ./lib/nix-lib;
inherit (nix-lib) mapSingleFuse;
patch = import ./lib/nix-patches { patchFile = ./patches; };
nodes' = import ./meta/nodes.nix;
nodes' = import ./meta/nodes;
nodes = builtins.attrNames nodes';
mkNode = node: {
# Import the base configuration for each node
imports = [ ./machines/${node}/_configuration.nix ];
deployment.systemType = system node;
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
# All supported nixpkgs versions × systems, instanciated
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
version = node: nodes'.${node}.nixpkgs.version;
system = node: nodes'.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
@ -33,26 +43,53 @@ let
name = "nixos-${v}";
};
# Build up the nixpkgs configuration for Liminix embedded systems
mkLiminixConfig =
system: _:
(import "${sources.liminix}/devices/${system}").system
// {
overlays = [ (import "${sources.liminix}/overlay.nix") ];
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.8" # Python < 3.x is needed for kernel backports.
];
};
};
# Build up the arguments to instantiate a nixpkgs given a system and a version.
mkNixpkgsConfig =
system:
{
nixos = _: { };
zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { };
}
.${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
# Instanciates the required nixpkgs version
mkNixpkgs = version: import (mkNixpkgs' version) { };
mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = nixpkgs.${version node}.lib // {
lib = sourcePkgs.lib // {
extra = nix-lib;
};
sourcePkgs = nodePkgs node;
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
nodePath = "machines/${category node}/${node}";
};
in
{
meta = {
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
nixpkgs = import nixpkgs.nixos.unstable.path;
nodeNixpkgs = mapSingleFuse nodePkgs nodes;
specialArgs = {
inherit nixpkgs sources;
@ -60,54 +97,126 @@ in
dgn-keys = import ./keys;
};
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
nodeSpecialArgs = mapSingleFuse mkArgs nodes;
};
defaults =
{
pkgs,
name,
nodeMeta,
...
}:
{
# Import the default modules
imports = [
./modules
(import "${sources.lix-module}/module.nix" {
lix = pkgs.applyPatches {
name = "lix-2.90.patched";
src = sources.lix;
patches = [ ./patches/00-disable-installChecks-lix.patch ];
};
registry = {
zyxel-nwa50ax = {
evalConfig =
args:
(import "${sources.liminix}/lib/eval-config.nix" {
nixpkgs = args.specialArgs.sourcePkgs.path;
})
];
args;
# Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
defaults =
{ name, nodePath, ... }:
{
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}/_configuration.nix
./modules/generic
./modules/${category name}
];
# It's impure, but who cares?
# Can Flakes even do that? :)
nixpkgs.buildPlatform = builtins.currentSystem;
};
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
netconf = {
evalConfig = nixpkgs.nixos.unstable.lib.evalModules;
defaults =
{
name,
nodeMeta,
nodePath,
...
}:
{
_module.args = {
pkgs = nixpkgs.nixos.unstable;
};
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}.nix
./modules/netconf
./lib/netconf-junos
"${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
];
system.host-name = name;
inherit (nodeMeta) deployment;
};
};
nixos = {
evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args;
defaults =
{
lib,
name,
nodes,
nodeMeta,
nodePath,
meta,
sourcePkgs,
...
}:
{
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}/_configuration.nix
./modules/generic
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
./modules/${category name}
];
_module.args.serverNodes = lib.filterAttrs (
name: _: meta.nodes.${name}.nixpkgs.system == "nixos"
) nodes;
# Include default secrets
age-secrets.sources = [ ./${nodePath}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${builtins.storePath sourcePkgs.path}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
settings =
{
substituters = [ "https://tvix-store.dgnum.eu/infra" ];
}
// (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
caches = [ "infra" ];
});
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
};
};
}
// (nix-lib.mapSingleFuse mkNode nodes)
// (mapSingleFuse mkNode nodes)

4
iso/build-iso.sh Executable file → Normal file
View file

@ -1,5 +1,9 @@
#!/usr/bin/env bash
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
let

View file

@ -1 +1,7 @@
<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Script pour installer automatiquement NixOS sur les machines de la DGNum

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
bootDevice=
rootDevice=

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
_sources = import ../npins;
@ -17,17 +21,32 @@ rec {
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
hypervisor01 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
];
hypervisor02 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
];
hypervisor03 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
@ -41,8 +60,10 @@ rec {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"

View file

@ -0,0 +1,116 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
name,
...
}:
let
inherit (lib) mapAttrs mkOption;
inherit (lib.types)
attrsOf
bool
str
any
submodule
package
;
mandatory.options = {
supportPoE = mkOption {
type = bool;
example = true;
description = ''
Whether this interface supports PoE.
'';
};
};
in
{
imports = [
./interfaces.nix
./poe.nix
./protocols.nix
./system.nix
./vlans.nix
];
options = {
# Hack because of this https://git.dgnum.eu/DGNum/colmena/src/commit/71b1b660f2cda2e34e134d0028cafbd56bb22008/src/nix/hive/eval.nix#L166 which defines nixpkgs option but we don't have it here. What about liminix ?
nixpkgs = mkOption {
type = attrsOf any;
default = { };
};
netconf = {
xmls.configuration = mkOption {
type = str;
readOnly = true;
description = ''
The full configuration to send to a JunOS.
'';
};
mandatoryInterfaces = mkOption {
type = attrsOf (submodule mandatory);
example = {
"ge-0/0/0" = {
supportPoE = true;
};
"ge-0/0/1" = {
supportPoE = true;
};
"xe-0/0/0" = {
supportPoE = false;
};
};
description = ''
JunOS require some interfaces to always be configured (even if they are disabled),
which correspond to physical interfaces of the switch. They have to be declared here
with some information about it (only if it supports PoE for now).
'';
};
rpc = mkOption {
type = package;
readOnly = true;
};
};
};
config = {
interfaces =
let
mkIntf = _: _: { };
in
mapAttrs mkIntf config.netconf.mandatoryInterfaces;
netconf = {
xmls.configuration = with config.netconf.xmls; ''
<configuration>
${system}
${interfaces}
${protocols}
${vlans}
${poe}
</configuration>
'';
rpc = pkgs.writeText "${name}.rpc" ''
<rpc>
<edit-config>
<config>
${config.netconf.xmls.configuration}
</config>
<target>
<candidate/>
</target>
</edit-config>
</rpc>
<rpc>
<commit/>
</rpc>
'';
};
};
}

View file

@ -0,0 +1,172 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
enum
ints
listOf
str
submodule
;
interface =
{ name, config, ... }:
let
unit =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "this logical interface" // {
default = true;
example = false;
};
family = {
ethernet-switching = {
enable = mkEnableOption "the ethernet switching on this logical interface";
interface-mode = mkOption {
type = enum [
"trunk"
"access"
];
description = ''
Mode of operation for vlan addressing of this interface.
"trunk" means that the traffic is tagged, "access" means the
traffic is tagged by the switch.
'';
};
vlans = mkOption {
type = listOf (either str ints.unsigned);
default = [ ];
description = ''
Vlans that can be used on this interface.
Only one ID should be here for "access" mode of operation.
'';
};
};
#TODO : DHCP
inet = {
enable = mkEnableOption "the IPv4 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv4 addresses of this interface.
'';
};
};
inet6 = {
enable = mkEnableOption "the IPv6 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv6 addresses of this interface.
'';
};
};
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
members = map (
vlan: "<members>${builtins.toString vlan}</members>"
) config.family.ethernet-switching.vlans;
eth = optionalString config.family.ethernet-switching.enable ''
<ethernet-switching>
<interface-mode>${config.family.ethernet-switching.interface-mode}</interface-mode>
<vlan>${builtins.concatStringsSep "" members}</vlan>
<storm-control><profile-name>default</profile-name></storm-control>
</ethernet-switching>
'';
addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
inet = optionalString config.family.inet.enable ''
<inet>
<address>${builtins.concatStringsSep "" addr4}</address>
</inet>
'';
addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
inet6 = optionalString config.family.inet6.enable ''
<inet6>
<address>${builtins.concatStringsSep "" addr6}</address>
</inet6>
'';
in
''
<unit>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
<family>
${eth}${inet}${inet6}
</family>
</unit>'';
};
in
{
options = {
enable = mkEnableOption "this physical interface";
unit = mkOption {
type = attrsOf (submodule unit);
default = { };
description = ''
Configuration of the logical interfaces on this physical interface.
'';
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
units = mapAttrsToList (_: unit: unit.xml) config.unit;
in
''
<interface>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
${builtins.concatStringsSep "" units}
</interface>
'';
};
in
{
options = {
interfaces = mkOption {
type = attrsOf (submodule interface);
description = ''
The interfaces configuration.
'';
};
netconf.xmls.interfaces = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.interfaces = ''
<interfaces operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.interfaces)}
</interfaces>
'';
}

53
lib/netconf-junos/poe.nix Normal file
View file

@ -0,0 +1,53 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types) attrsOf str submodule;
interface-module =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "the PoE for this interface";
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml = ''
<interface><name>${name}</name>${optionalString (!config.enable) "<disable/>"}</interface>
'';
};
in
{
options = {
poe.interfaces = mkOption {
type = attrsOf (submodule interface-module);
default = { };
description = ''
PoE configuration of interfaces.
'';
};
netconf.xmls.poe = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.poe = ''
<poe operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.poe.interfaces)}
</poe>
'';
}

View file

@ -0,0 +1,37 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib) concatMapStringsSep mkOption;
inherit (lib.types) listOf str;
in
{
options = {
protocols.rstp = mkOption {
type = listOf str;
description = ''
List of interfaces on which Rapid Spanning Tree Protocol should be enabled.
'';
};
netconf.xmls.protocols = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.protocols = ''
<protocols>
<rstp operation="replace">
${
concatMapStringsSep "" (intf: "<interface><name>${intf}</name></interface>") config.protocols.rstp
}
</rstp>
</protocols>
'';
}

View file

@ -0,0 +1,95 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatStrings
concatStringsSep
filter
hasPrefix
length
mkOption
splitString
;
inherit (lib.types)
enum
listOf
port
str
;
in
{
options = {
system = {
host-name = mkOption {
type = str;
description = "The hostname of the switch.";
};
root-authentication = {
hashedPasswd = mkOption {
type = str;
description = "Hashed password for root.";
};
ssh-keys = mkOption {
type = listOf str;
description = "ssh keys for root user.";
default = [ ];
};
};
services = {
ssh.root-login = mkOption {
type = enum [
"allow"
"deny"
"deny-password"
];
description = "Login policy to use for root.";
};
netconf.port = mkOption {
type = port;
description = "Port to use for netconf.";
default = 830;
};
};
};
netconf.xmls.system = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.system =
let
ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys;
ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1;
ssh-keys = map (concatStringsSep " ") ssh-keys2;
edsca = map (key: "<ssh-edsca><name>${key}</name></ssh-edsca>") (
filter (hasPrefix "ssh-edsca ") ssh-keys
);
rsa = map (key: "<ssh-rsa><name>${key}</name></ssh-rsa>") (filter (hasPrefix "ssh-rsa ") ssh-keys);
ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
filter (hasPrefix "ssh-ed25519 ") ssh-keys
);
in
''
<system>
<host-name operation="replace">${config.system.host-name}</host-name>
<root-authentication operation="replace">
<encrypted-password>${config.system.root-authentication.hashedPasswd}</encrypted-password>
${concatStrings (edsca ++ rsa ++ ed25519)}
</root-authentication>
<services operation="replace">
<ssh><root-login>${config.system.services.ssh.root-login}</root-login></ssh>
<netconf>
<ssh><port>${toString config.system.services.netconf.port}</port></ssh>
<rfc-compliant/><yang-compliant/>
</netconf>
</services>
</system>
'';
}

135
lib/netconf-junos/vlans.nix Normal file
View file

@ -0,0 +1,135 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
assertMsg
concatStringsSep
mapAttrsToList
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
ints
listOf
nullOr
str
submodule
unspecified
;
vlan =
{ name, config, ... }:
{
options = {
id = mkOption {
type = nullOr ints.unsigned;
default = null;
description = ''
The ID of this vlan, `null` means no ID.
Incompatible with vlans.${name}.id-list.
'';
};
id-list = mkOption {
type =
let
range_type =
{ config, ... }:
{
config.__toString = _: "${toString config.begin}-${toString config.end}";
options = {
begin = mkOption {
type = ints.unsigned;
visible = false;
};
end = mkOption {
type = ints.unsigned;
visible = false;
};
__toString = mkOption {
visible = false;
internal = true;
readOnly = true;
type = unspecified;
};
};
};
in
listOf (either ints.unsigned (submodule range_type));
default = [ ];
example = [
42
{
begin = 100;
end = 200;
}
];
description = ''
List of IDs or IDs range to classify as this vlan.
Incompatible with vlans.${name}.id.
'';
};
l3-interface = mkOption {
type = nullOr str;
default = null;
example = "irb.0";
description = ''
Switch's logical interface to connect directly to this vlan.
This allows to communicate with the switch from a vlan without
having a cable looping back on it's management interface.
'';
};
xml = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.xml =
let
id = optionalString (config.id != null) "<vlan-id>${toString config.id}</vlan-id>";
id-list = concatStringsSep "" (
map (vlan: "<vlan-id-list>${toString vlan}</vlan-id-list>") config.id-list
);
l3-intf = optionalString (
config.l3-interface != null
) "<l3-interface>${config.l3-interface}</l3-interface>";
in
assert assertMsg (
config.id == null || config.id-list == [ ]
) "vlans.${name}.id and vlans.${name}.id-list are incompatible.";
''
<vlan>
<name>${name}</name>
${id}${id-list}${l3-intf}
</vlan>
'';
};
in
{
options = {
vlans = mkOption {
type = attrsOf (submodule vlan);
description = ''
Named vlans configuration. Allows to name vlans inside interface configuration,
instead of just using their IDs.
'';
};
netconf.xmls.vlans = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.vlans = ''
<vlans operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: vlan: vlan.xml) config.vlans)}
</vlans>
'';
}

View file

@ -1,32 +1,7 @@
# Copyright Tom Hubrecht, (2023)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
# SPDX-License-Identifier: EUPL-1.2
let
# Reimplement optional functions
@ -42,6 +17,7 @@ rec {
recursiveUpdate
splitString
unique
warn
;
/*
@ -190,8 +166,11 @@ rec {
recursiveFuse [
(enableModules enabledModules)
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
{
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
extraConfig
(removeAttrs extraConfig [ "imports" ])
];
}

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
@ -413,4 +417,50 @@ rec {
flip =
f: a: b:
f b a;
/**
`warn` *`message`* *`value`*
Print a warning before returning the second argument.
See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
# Inputs
*`message`* (String)
: Warning message to print before evaluating *`value`*.
*`value`* (any value)
: Value to return as-is.
# Type
```
String -> a -> a
```
*/
warn =
# Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
builtins.warn or (
let
mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
"1"
"true"
"yes"
];
in
# Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
msg: v:
# `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
assert builtins.isString msg;
if mustAbort then
builtins.trace "evaluation warning: ${msg}" (
abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
)
else
builtins.trace "evaluation warning: ${msg}" v
);
}

View file

@ -1,32 +1,7 @@
# Copyright Tom Hubrecht, (2023-2024)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
# SPDX-License-Identifier: EUPL-1.2
{
patchFile,

View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "bridg01" ] [
# List of secrets for bridge01
]

View file

@ -1,421 +0,0 @@
# Copyright Tom Hubrecht, (2023)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is a computer program whose purpose is to configure
# machines and servers with NixOS.
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mdDoc
mkDefault
mkEnableOption
mkIf
mkOption
optional
optionalString
types
;
cfg = config.services.demarches-simplifiees;
settingsFormat = pkgs.formats.keyValue { };
env = settingsFormat.generate "ds-fr-env" cfg.settings;
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
set -a
cd ${cfg.package}
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
source ${env}
BIN="$1"
shift
SUDO="exec"
if [[ $USER != ${cfg.user} ]]; then
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
fi
$SUDO ${cfg.package}/bin/$BIN "$@"
'';
in
{
options.services.demarches-simplifiees = {
enable = mkEnableOption "demarches-simplifiees.";
package = mkOption {
type = types.package;
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
};
user = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "User account under which DS runs.";
};
group = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "Group account under which DS runs.";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/ds-fr";
};
logDir = mkOption {
type = types.str;
default = "/var/log/ds-fr";
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
};
settings = mkOption { inherit (settingsFormat) type; };
initialDeploymentDate = mkOption {
type = types.nullOr types.str;
default = null;
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ ds-fr ];
systemd.tmpfiles.rules = [
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
];
systemd.services = {
ds-fr-setup = {
description = "Demarches Simplifiees setup";
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
ds-fr
];
after = [ "postgresql.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
script = ''
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
&& ds-fr rails db:environment:set \
&& ds-fr rails db:schema:load \
&& ds-fr rails db:seed \
&& touch ${cfg.dataDir}/.initial-migration
ds-fr rake db:migrate
ds-fr rake after_party:run
'';
};
ds-fr-work = {
description = "Demarches Simplifiees work service";
wantedBy = [
"multi-user.target"
"ds-fr.service"
];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
ds-fr = {
description = "Demarches Simplifiees web service";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
path = [ pkgs.imagemagick ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails server";
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
};
services = {
demarches-simplifiees.settings =
(builtins.mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.package;
# Application host name
#
# Examples:
# * For local development: localhost:3000
# * For preproduction: staging.ds.example.org
# * For production: ds.example.org
APP_HOST = "localhost:3000";
# Rails key for signing sensitive data
# See https://guides.rubyonrails.org/security.html
#
# For production you MUST generate a new key, and keep it secret.
# Secrets must be long and random. Use bin/rails secret to get new unique secrets.
# Secret key for One-Time-Password codes, used for 2-factors authentication
# OTP_SECRET_KEY = "";
# Protect access to the instance with a static login/password (useful for staging environments)
BASIC_AUTH_ENABLED = "disabled";
BASIC_AUTH_USERNAME = "";
BASIC_AUTH_PASSWORD = "";
# ActiveStorage service to use for attached files.
# Possible values:
# - "local": store files on the local filesystem
# - "amazon": store files remotely on an S3 storage service
# - "openstack": store files remotely on an OpenStack storage service
#
# (See config/storage.yml for the configuration of each service.)
ACTIVE_STORAGE_SERVICE = "local";
# Configuration for the OpenStack storage service (if enabled)
FOG_OPENSTACK_API_KEY = "";
FOG_OPENSTACK_USERNAME = "";
FOG_OPENSTACK_URL = "";
FOG_OPENSTACK_REGION = "";
DS_PROXY_URL = "";
# SAML
SAML_IDP_ENABLED = "disabled";
# External service: authentication through France Connect
FC_PARTICULIER_ID = "";
FC_PARTICULIER_SECRET = "";
FC_PARTICULIER_BASE_URL = "";
# External service: authentication through Agent Connect
AGENT_CONNECT_ID = "";
AGENT_CONNECT_SECRET = "";
AGENT_CONNECT_BASE_URL = "";
AGENT_CONNECT_JWKS = "";
AGENT_CONNECT_REDIRECT = "";
# External service: integration with HelpScout (optional)
HELPSCOUT_MAILBOX_ID = "";
HELPSCOUT_CLIENT_ID = "";
HELPSCOUT_CLIENT_SECRET = "";
HELPSCOUT_WEBHOOK_SECRET = "";
# External service: external supervision
SENTRY_ENABLED = "disabled";
SENTRY_CURRENT_ENV = "development";
SENTRY_DSN_RAILS = "";
SENTRY_DSN_JS = "";
# External service: Matomo web analytics
MATOMO_ENABLED = "disabled";
MATOMO_COOKIE_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_ID = "";
MATOMO_HOST = "matomo.example.org";
# Default SMTP Provider: Mailjet
MAILJET_API_KEY = "";
MAILJET_SECRET_KEY = "";
# Alternate SMTP Provider: SendInBlue/DoList
SENDINBLUE_CLIENT_KEY = "";
SENDINBLUE_SMTP_KEY = "";
SENDINBLUE_USER_NAME = "";
# SENDINBLUE_LOGIN_URL="https://app.sendinblue.com/account/saml/login/truc"
# Alternate SMTP Provider: Mailtrap (mail catcher for staging environments)
# When enabled, all emails will be sent using this provider
MAILTRAP_ENABLED = "disabled";
MAILTRAP_USERNAME = "";
MAILTRAP_PASSWORD = "";
# Alternative SMTP Provider: Mailcatcher (Catches mail and serves it through a dream.)
# When enabled, all emails will be sent using this provider
MAILCATCHER_ENABLED = "disabled";
MAILCATCHER_HOST = "";
MAILCATCHER_PORT = "";
# External service: live chat for admins (specific to démarches-simplifiées.fr)
CRISP_ENABLED = "disabled";
CRISP_CLIENT_KEY = "";
# API Entreprise credentials
# https://api.gouv.fr/api/api-entreprise.html
API_ENTREPRISE_KEY = "";
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
PIPEDRIVE_KEY = "";
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
TRUSTED_NETWORKS = "";
# External service: mesuring performance of the Rails app (specific to démarches-simplifiées.fr)
SKYLIGHT_AUTHENTICATION_KEY = "";
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
# Enable or disable Lograge logs
LOGRAGE_ENABLED = "disabled";
# Logs source for Lograge
#
# Examples:
# * For local development: tps_local
# * For preproduction: tps_staging
# * For production: tps_prod
LOGRAGE_SOURCE = "tps_prod";
# External service: timestamping a daily archive of dossiers status changes
UNIVERSIGN_API_URL = "https://ws.universign.eu/tsa/post/";
UNIVERSIGN_USERPWD = "";
# External service: API Geo / Adresse
API_ADRESSE_URL = "https://api-adresse.data.gouv.fr";
API_GEO_URL = "https://geo.api.gouv.fr";
# External service: API Education
API_EDUCATION_URL = "https://data.education.gouv.fr/api/records/1.0";
# Encryption key for sensitive columns in the database
ENCRYPTION_SERVICE_SALT = "";
# ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
AR_ENCRYPTION_PRIMARY_KEY = "";
AR_ENCRYPTION_KEY_DERIVATION_SALT = "";
# Salt for invisible_captcha session data.
# Must be the same value for all app instances behind a load-balancer.
INVISIBLE_CAPTCHA_SECRET = "kikooloool";
# Clamav antivirus usage
CLAMAV_ENABLED = "disabled";
# Siret number used for API Entreprise, by default we use SIRET from dinum
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
})
// {
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = cfg.user;
DB_PASSWORD = "";
DB_HOST = "/run/postgresql";
DB_POOL = "";
# Log on stdout
RAILS_LOG_TO_STDOUT = true;
};
postgresql = {
enable = true;
ensureDatabases = [ "ds-fr" ];
ensureUsers = optional (cfg.user == "ds-fr") {
name = "ds-fr";
ensureDBOwnership = true;
};
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
};
nginx = {
enable = true;
virtualHosts.${cfg.settings.APP_HOST} = {
enableACME = true;
forceSSL = true;
root = "${cfg.package}/public/";
locations."/".tryFiles = "$uri @proxy";
locations."@proxy" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
};
users.users = mkIf (cfg.user == "ds-fr") {
ds-fr = {
inherit (cfg) group;
isSystemUser = true;
home = cfg.package;
};
};
users.groups.${cfg.group} = { };
};
}

View file

@ -1,179 +0,0 @@
{
lib,
stdenv,
fetchFromGitHub,
git,
bun,
nodejs,
ruby_3_2,
bundlerEnv,
logDir ? "/var/log/ds-fr",
dataDir ? "/var/lib/ds-fr",
initialDeploymentDate ? "17941030",
}:
let
inherit (lib) getExe;
# Head of the DGNum repo
dgn-id = "f270f1cdd09e643a9c666c94df1841234430de49";
pname = "ds-fr";
meta = import ./meta.nix;
inherit (meta) version;
src = fetchFromGitHub {
owner = "demarches-simplifiees";
repo = "demarches-simplifiees.fr";
rev = version;
hash = meta.src-hash;
};
rubyEnv = bundlerEnv {
name = "env-${pname}";
gemdir = ./rubyEnv;
ruby = ruby_3_2;
gemset = (import ./rubyEnv/gemset.nix) // {
bundler = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "deeQ3fNwcSiGSO/yeB2yoTniRq2gHW8WueprXoPX6Jk=";
type = "gem";
};
version = "2.3.11";
};
};
};
node_modules = stdenv.mkDerivation {
pname = "${pname}-node_modules";
inherit src version;
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
"GIT_PROXY_COMMAND"
"SOCKS_SERVER"
];
nativeBuildInputs = [ bun ];
dontConfigure = true;
buildPhase = ''
bun install --no-progress --frozen-lockfile --ignore-scripts
rm -r node_modules/.cache
# Remove inconsistent file
rm node_modules/.bin/grunt
'';
installPhase = ''
mv node_modules $out
'';
dontFixup = true;
outputHash = meta.deps-hash or lib.fakeHash;
outputHashAlgo = "sha256";
outputHashMode = "recursive";
};
dsModules = stdenv.mkDerivation {
pname = "${pname}-modules";
inherit src version;
buildInputs = [ rubyEnv ];
nativeBuildInputs = [
bun
nodejs
rubyEnv.wrappedRuby
];
RAILS_ENV = "production";
NODE_ENV = "dev";
patches = [
# Disable functionnalities as we only precompile assets
./patches/build.patch
];
postPatch = ''
${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
OTP_SECRET_KEY = "precompile_placeholder";
SECRET_KEY_BASE = "precompile_placeholder";
APP_HOST = "precompile_placeholder";
buildPhase = ''
cp -R ${node_modules} node_modules
chmod u+w -R node_modules
patchShebangs node_modules
patchShebangs bin/
bin/rake assets:precompile
'';
installPhase = ''
mkdir -p $out/public
cp -r public/* $out/public
'';
};
in
stdenv.mkDerivation {
name = "demarches-simplifiees.fr-${version}";
inherit src;
buildInputs = [ rubyEnv ];
propagatedBuildInputs = [ rubyEnv.wrappedRuby ];
patches = [
./patches/replay_routing_engine_for_a_cloned_procedure.patch
./patches/smtp_settings.patch
./patches/garage.patch
];
postPatch = ''
${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
buildPhase = ''
rm -rf public
ln -s ${dsModules}/public/ public
patchShebangs bin/
rm -rf log storage
ln -s ${logDir} log
ln -s ${dataDir}/tmp tmp
ln -s ${dataDir}/storage storage
for f in $(ls lib/tasks/deployment/); do
[[ ! ${initialDeploymentDate} < $f ]] \
&& rm lib/tasks/deployment/$f;
done;
echo "Removed unused data migrations"
'';
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
passthru = {
inherit rubyEnv;
ruby = rubyEnv.wrappedRuby;
};
meta = with lib; {
description = "Dématérialiser et simplifier les démarches administratives";
homepage = "https://github.com/demarches-simplifiees/demarches-simplifiees.fr";
license = licenses.agpl3Only;
maintainers = with maintainers; [ thubrecht ];
};
}

View file

@ -1,5 +0,0 @@
{
version = "2024-04-24-01";
src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg=";
deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8=";
}

View file

@ -1,42 +0,0 @@
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d8c8e84..6262b8782 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -118,7 +118,7 @@ Rails.application.configure do
# the I18n.default_locale when a translation cannot be found).
config.i18n.fallbacks = true
- config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE").to_sym
+ config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE", 'local').to_sym
# Send deprecation notices to registered listeners.
config.active_support.deprecation = :notify
@@ -174,5 +174,5 @@ Rails.application.configure do
# The Content-Security-Policy is NOT in Report-Only mode
config.content_security_policy_report_only = false
- config.lograge.enabled = ENV['LOGRAGE_ENABLED'] == 'enabled'
+ config.lograge.enabled = ENV.fetch('LOGRAGE_ENABLED', 'disabled') == 'enabled'
end
diff --git a/config/initializers/mailcatcher.rb b/config/initializers/mailcatcher.rb
index 8b931f704..dbeceb4ec 100644
--- a/config/initializers/mailcatcher.rb
+++ b/config/initializers/mailcatcher.rb
@@ -1,4 +1,4 @@
-if ENV.fetch('MAILCATCHER_ENABLED') == 'enabled'
+if ENV.fetch('MAILCATCHER_ENABLED', 'disabled') == 'enabled'
ActiveSupport.on_load(:action_mailer) do
module Mailcatcher
class SMTP < ::Mail::SMTP; end
diff --git a/config/initializers/mailtrap.rb b/config/initializers/mailtrap.rb
index 6d1faa04b..658673ed1 100644
--- a/config/initializers/mailtrap.rb
+++ b/config/initializers/mailtrap.rb
@@ -1,4 +1,4 @@
-if ENV.fetch('MAILTRAP_ENABLED') == 'enabled'
+if ENV.fetch('MAILTRAP_ENABLED', 'disabled') == 'enabled'
ActiveSupport.on_load(:action_mailer) do
module Mailtrap
class SMTP < ::Mail::SMTP; end

View file

@ -1,16 +0,0 @@
diff --git a/config/storage.yml b/config/storage.yml
index d2b2d241f..1b2744504 100644
--- a/config/storage.yml
+++ b/config/storage.yml
@@ -19,3 +19,11 @@ amazon:
secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
region: <%= ENV.fetch("S3_REGION", "") %>
bucket: <%= ENV.fetch("S3_BUCKET", "") %>
+garage:
+ service: S3
+ access_key_id: <%= ENV.fetch("S3_ACCESS_KEY_ID", "") %>
+ secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
+ region: <%= ENV.fetch("S3_REGION", "garage") %>
+ bucket: <%= ENV.fetch("S3_BUCKET", "") %>
+ endpoint: <%= ENV.fetch("S3_ENDPOINT", "") %>
+ force_path_style: <%= ENV.fetch("S3_FORCE_PATH_STYLE", "").present? %>

View file

@ -1,35 +0,0 @@
diff --git a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
index 9d4f3a284..04d62a63b 100644
--- a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
+++ b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
@@ -4,18 +4,18 @@ namespace :after_party do
puts "Running deploy task 'replay_routing_engine_for_a_cloned_procedure'"
# Put your task implementation HERE.
- dossiers = Procedure
- .find(76266)
- .dossiers
- .en_construction
-
- progress = ProgressReport.new(dossiers.count)
-
- dossiers.find_each do |dossier|
- RoutingEngine.compute(dossier)
- progress.inc
- end
- progress.finish
+ # dossiers = Procedure
+ # .find(76266)
+ # .dossiers
+ # .en_construction
+ #
+ # progress = ProgressReport.new(dossiers.count)
+ #
+ # dossiers.find_each do |dossier|
+ # RoutingEngine.compute(dossier)
+ # progress.inc
+ # end
+ # progress.finish
# Update task as completed. If you remove the line below, the task will
# run with every deploy (or every time you call after_party:run).

View file

@ -1,14 +0,0 @@
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d8c8e84..e0326d26d 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -86,7 +86,8 @@ Rails.application.configure do
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
+ ssl: ENV.fetch("SMTP_SSL").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail

View file

@ -1,12 +0,0 @@
diff --git a/app/controllers/concerns/uninterlace_png_concern.rb b/app/controllers/concerns/uninterlace_png_concern.rb
index 8e9d06251..0870357c6 100644
--- a/app/controllers/concerns/uninterlace_png_concern.rb
+++ b/app/controllers/concerns/uninterlace_png_concern.rb
@@ -14,6 +14,6 @@ module UninterlacePngConcern
def interlaced?(png_path)
png = MiniMagick::Image.open(png_path)
- png.data["interlace"] != "None"
+ png.details["interlace"] != "None"
end
end

View file

@ -1,160 +0,0 @@
source 'https://rubygems.org'
gem 'rails', '~> 7.0.8' # allows update to security fixes at any time
gem 'aasm'
gem 'acsv'
gem 'active_model_serializers'
gem 'activestorage-openstack'
gem 'active_storage_validations'
gem 'addressable'
gem 'administrate'
gem 'administrate-field-enum' # Allow using Field::Enum in administrate
gem 'after_commit_everywhere'
gem 'after_party'
gem 'ancestry'
gem 'anchored'
gem 'bcrypt'
gem 'bootsnap', '>= 1.4.4', require: false # Reduces boot times through caching; required in config/boot.rb
gem 'browser'
gem 'charlock_holmes'
gem 'chartkick'
gem 'chunky_png'
gem 'clamav-client', require: 'clamav/client'
gem 'daemons'
gem 'deep_cloneable' # Enable deep clone of active record models
gem 'delayed_cron_job', require: false # Cron jobs
gem 'delayed_job_active_record'
gem 'delayed_job_web'
gem 'devise'
gem 'devise-i18n'
gem 'devise-two-factor'
gem 'discard'
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
gem 'dry-monads'
gem 'faraday-jwt'
gem 'flipper'
gem 'flipper-active_record'
gem 'flipper-active_support_cache_store'
gem 'flipper-ui'
gem 'fugit'
gem 'geocoder'
gem 'geo_coord', require: "geo/coord"
gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'
gem 'gon'
gem 'graphql', '2.0.24'
gem 'graphql-batch', '0.5.1'
gem 'graphql-rails_logger'
gem 'groupdate'
gem 'haml-rails'
gem 'hashie'
gem 'http_accept_language'
gem 'i18n_data'
gem 'i18n-tasks', require: false
gem 'iban-tools'
gem 'image_processing'
gem 'invisible_captcha'
gem 'json_schemer'
gem 'jwt'
gem 'kaminari'
gem 'kredis'
gem 'listen' # Required by ActiveSupport::EventedFileUpdateChecker
gem 'lograge'
gem 'logstash-event'
gem 'maintenance_tasks'
gem 'matrix' # needed by prawn and not default in ruby 3.1
gem 'mini_magick'
gem 'net-imap', require: false # See https://github.com/mikel/mail/pull/1439
gem 'net-pop', require: false # same
gem 'net-smtp', require: false # same
gem 'openid_connect'
gem 'parsby'
gem 'pg'
gem 'phonelib'
gem 'prawn-rails' # PDF Generation
gem 'premailer-rails'
gem 'puma' # Use Puma as the app server
gem 'pundit'
gem 'rack-attack'
gem 'rails-i18n' # Locales par défaut
gem 'rails-pg-extras'
gem 'rake-progressbar', require: false
gem 'redcarpet'
gem 'redis'
gem 'rexml' # add missing gem due to ruby3 (https://github.com/Shopify/bootsnap/issues/325)
gem 'rqrcode'
gem 'saml_idp'
gem 'sassc-rails' # Use SCSS for stylesheets
gem 'sentry-delayed_job'
gem 'sentry-rails'
gem 'sentry-ruby'
gem 'sentry-sidekiq'
gem 'sib-api-v3-sdk'
gem 'sidekiq'
gem 'sidekiq-cron'
gem 'skylight'
gem 'spreadsheet_architect'
gem 'strong_migrations' # lint database migrations
gem 'sys-proctable'
gem 'turbo-rails'
gem 'typhoeus'
gem 'ulid-ruby', require: 'ulid'
gem 'view_component'
gem 'vite_rails'
gem 'warden'
gem 'webrick', require: false
gem 'yabeda-graphql'
gem 'yabeda-prometheus'
gem 'yabeda-puma-plugin'
gem 'yabeda-rails'
gem 'yabeda-sidekiq'
gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn'
group :test do
gem 'axe-core-rspec' # accessibility rspec matchers
gem 'capybara' # Integration testing
gem 'capybara-email' # Access emails during integration tests
gem 'capybara-screenshot' # Save a dump of the page when an integration test fails
gem 'factory_bot'
gem 'launchy'
gem 'rack_session_access'
gem 'rails-controller-testing'
gem 'rspec_junit_formatter'
gem 'rspec-retry'
gem 'selenium-devtools'
gem 'selenium-webdriver'
gem 'shoulda-matchers', require: false
gem 'simplecov', require: false
gem 'simplecov-cobertura', require: false
gem 'timecop'
gem 'vcr'
gem 'webmock'
end
group :development do
gem 'benchmark-ips', require: false
gem 'brakeman', require: false
gem 'haml-lint'
gem 'letter_opener_web'
gem 'memory_profiler'
gem 'rack-mini-profiler'
gem 'rails-erd', require: false # generates `doc/database_models.pdf`
gem 'rubocop', require: false
gem 'rubocop-performance', require: false
gem 'rubocop-rails', require: false
gem 'rubocop-rspec', require: false
gem 'scss_lint', require: false
gem 'stackprof'
gem 'web-console'
end
group :development, :test do
gem 'graphql-schema_comparator'
gem 'irb'
gem 'mina', require: false # Deploy
gem 'rspec-rails'
gem 'simple_xlsx_reader'
gem 'spring' # Spring speeds up development by keeping your application running in the background
gem 'spring-commands-rspec'
end

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -1,66 +0,0 @@
#!/usr/bin/env bash
version=
gitArgs=
while [ "$#" -gt 0 ]; do
i="$1"
shift 1
case "$i" in
--version | -v)
version="$1"
shift 1
;;
--git-args)
gitArgs="$gitArgs $1"
shift 1
;;
*)
echo "$0: unknown option \`$i'"
exit 1
;;
esac
done
# Create a working environment
CWD=$(pwd)
TMP=$(mktemp -d)
cd "$TMP" || exit 1
# Fetch the latest source or the required version
gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
if [ -n "$version" ]; then
git clone --depth 1 --branch "$version" $gitUrl .
else
git clone --depth 1 $gitUrl .
version="$(git rev-parse HEAD)"
fi
# Generate gemset.nix
nix-shell -p bundix --run "bundix -l" >/dev/null
# Copy the new files
cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
# Print the new source details
SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
# Switch to bun
nix-shell -p bun --run "bun install --frozen-lockfile --no-cache --no-progress --ignore-scripts"
DEPS_HASH=$(nix-hash --sri --type sha256 node_modules)
cat <<EOF >"$CWD/meta.nix"
{
version = "$version";
src-hash = "$SRC_HASH";
deps-hash = "$DEPS_HASH";
}
EOF
nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD"
rm -rf "$TMP"

View file

@ -1,103 +0,0 @@
{
config,
lib,
nixpkgs,
...
}:
let
inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu";
cert = config.security.acme.certs.${domain};
allowedDomains = builtins.map escapeRegex (
(builtins.map (s: "${s}.dgnum.eu") [
# DGNum subdomains
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
])
++ [
# Extra domains
"netbird-beta.hubrecht.ovh"
]
);
in
{
services.kanidm = {
enableServer = true;
package = nixpkgs.unstable.kanidm;
serverSettings = {
inherit domain;
origin = "https://${domain}";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
};
users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = {
enable = true;
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
set $origin $http_origin;
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
set $origin 'https://${domain}';
}
proxy_hide_header Access-Control-Allow-Origin;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
networking.firewall.allowedUDPPorts = [ 636 ];
dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
}

View file

@ -1,4 +0,0 @@
(import ../../../../keys).mkSecrets [ "compute01" ] [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

View file

@ -1,213 +0,0 @@
{ config, pkgs, ... }:
let
host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
in
{
services.nextcloud = {
enable = true;
hostName = host;
package = pkgs.nextcloud29;
https = true;
config = {
dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
objectstore.s3 = {
enable = true;
hostname = "s3.dgnum.eu";
region = "garage";
usePathStyle = true;
port = 443;
bucket = "nextcloud-dgnum";
key = "GKda5367c73ca607c349d83c35";
verify_bucket_exists = false;
secretFile = config.age.secrets."nextcloud-s3_secret_file".path;
};
};
maxUploadSize = "4G";
poolSettings = {
pm = "dynamic";
"pm.max_children" = 64;
"pm.max_requests" = "500";
"pm.max_spare_servers" = "8";
"pm.min_spare_servers" = "4";
"pm.start_servers" = "6";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
database.createLocally = true;
configureRedis = true;
autoUpdateApps.enable = true;
settings = {
overwriteprotocol = "https";
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
default_phone_region = "FR";
trusted_proxies = [ "::1" ];
allow_local_remote_servers = true;
maintenance_window_start = 1;
"memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}";
"memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
};
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
};
virtualisation.oci-containers = {
containers.collabora = {
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
};
ports = [ "9980:9980" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
};
extraOptions = [
"--network=host"
"--cap-add"
"MKNOD"
"--cap-add"
"SYS_ADMIN"
];
};
};
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_max_temp_file_size 4096m;
'';
};
"code.dgnum.eu" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
};
};
systemd.services = {
nextcloud-preview = {
description = "Generate preview for nextcloud media.";
script = "${nextcloud-occ} preview:pre-generate -vvv";
startAt = "*-*-* 01:00:00 UTC";
serviceConfig = {
Restart = "on-failure";
};
};
nextcloud-cron.path = [ pkgs.perl ];
};
environment.systemPackages = [ pkgs.ffmpeg_6-headless ];
networking.hosts = {
"129.199.146.148" = [ "s3.dgnum.eu" ];
};
age-secrets.autoMatch = [ "nextcloud" ];
system.activationScripts = {
restart-nextcloud.text = ''
if [ "$(${pkgs.systemd}/bin/systemctl is-active phpfpm-nextcloud)" == "active" ]; then
${pkgs.systemd}/bin/systemctl restart phpfpm-nextcloud
fi
'';
};
dgn-backups.jobs.nextcloud.settings.paths = [ "/var/lib/nextcloud" ];
dgn-backups.postgresDatabases = [ "nextcloud" ];
}

View file

@ -1,24 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ
2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI
-> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE
1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs
-> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI
LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU
-> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA
jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs
-> ssh-rsa krWCLQ
XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps
uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ
CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg
k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4
4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW
qd63AwlEvNGOSIMXBqc+tQ
-> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A
Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk
-> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ
o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU
-> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8
OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w
--- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo
ì©šÎj½ó˪f¾©Fyz#ö뤄å…ùÕâ íz‰z¥}´ýÂø9(!SÂöÛ<C3B6>¸ûz2kªÈCæ<43>¦J¬T…Ÿ”þG<C3BE>€³“Z_àÑ

View file

@ -1,27 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg X/tRIl6TzF09a1Tvr8vP3SocmlfwKg307he8LP3Q5mo
hWjX3AUbREbQR+uCiW8Nsj5nCwYQYy1KV/41sbxBFo4
-> ssh-ed25519 jIXfPA 6EOXJfa+aY4JjOb0SO2k+s6xnNjtm/o8au6lbN1UfxA
dVsgH99btiE+pl7Q4uiOcYDTwtv6X0jgjYXoFFd+tPs
-> ssh-ed25519 QlRB9Q 4Hje1HQL+Zjm9+BGDQvb83KaizOjfKTwjiq1SJlXvA0
w2rMGVcZcS2aLNYxHZIJZF/j50CQm8UCmq89W9K7Q14
-> ssh-ed25519 r+nK/Q aPQh4X7xZnTbrkxIaAwUbaS7NnbHMY+Q31E0x7AvwSo
rnMus4wPVugzscVNPO33rNgboN7I42tdz4dikVOvWIw
-> ssh-rsa krWCLQ
Xe2Vv3tCZy19QQt26q6T3mJkZyltU7OVOrruwxWr8hlaKgOfR/pMa7nbR+eWm6jS
++39H+E6gssE/534ld5qz2J3oPV5E6+p4wok/Owy7zE6aWrALP1Mp296lumRjjGN
6aYhmf4fbpvOWDMNujExWURggswbUplk0f7l5UYjNpcSnM9Iq6s9fTAUVTMAlvoL
cmVvPTll6QlhhM7tkJL1fo+1nEimfmwDaOhE2lAKKJUD7DTqcBGsukpysOhcmCyr
Xtx38kcuF5eaDzjT9gXgi4QtCrxf31Lfjju44HSqJFB1LqO2Vzd9rASurD2LN7/1
uj8F5y+dmf6IqIM/kYXqPg
-> ssh-ed25519 /vwQcQ Byl5reTJslEFsIdUWp+rg5sZxG1jEHVduBE/grTD/Vc
SEzFbpWUZrVitO1Swfs3/pzfaZ6Zd4Roi8anJRHO7/o
-> ssh-ed25519 0R97PA CLDuGuFPHf0rgUoCUY2C1jtXAeBEqKiqaeiH4ZcRFk8
rBYZfmS7BSKDIJMVpWTGy5wRhhoi9xR1GchVsUn7Psw
-> ssh-ed25519 JGx7Ng xqTydh3Bt5bL/7R6ZnVtqhfSW2V3g1g2UWPcePt8TCU
lPQeGP4VQGU4xeGqVcIRnWZjeDp2Q4lH2CLg+C/weyM
-> .-grease
l4qPzZnL/yerx8Y3VUmUoO2GgK7OUAjbhfYsHPhDFSo+ZPgvYo7qpJBEsPQqrPA3
FF2/R9IFD+jFranJsg
--- ynZs900dI1cp+HWu6HdnUGKaJw/Wa1Y26eQSeO3fvH8
|Nös.­æ·»×KC²éi#<11>XôfÓéöÃÎq[í¶t{ŸôEkœÇ±­<AÿñYd'çÉ…²3ȆbMæÝ;0f”V[œ¥<ûàX;E

View file

@ -1 +0,0 @@
_: { dgn-chatops.enable = true; }

View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "geo01" ] [
# List of secrets for geo01
]

View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "geo02" ] [
# List of secrets for geo02
]

View file

@ -1,179 +0,0 @@
From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Tue, 8 Oct 2024 18:27:41 +0200
Subject: [PATCH] K80 support
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
docs/development.md | 6 +++-
docs/gpu.md | 1 +
gpu/amd_linux.go | 6 +++-
gpu/gpu.go | 63 ++++++++++++++++++++++++++++++++++++-----
scripts/build_docker.sh | 2 +-
scripts/build_linux.sh | 2 +-
6 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/docs/development.md b/docs/development.md
index 2f7b9ecf..9da35931 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
or installation approach uses unusual paths, you can specify the location by
specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
-a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
+a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
+
+To support GPUs older than Compute Capability 5.0, you will need to use an older version of
+the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11). When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`. To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
+
Then generate dependencies:
diff --git a/docs/gpu.md b/docs/gpu.md
index a6b559f0..66627611 100644
--- a/docs/gpu.md
+++ b/docs/gpu.md
@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
| 5.0 | GeForce GTX | `GTX 750 Ti` `GTX 750` `NVS 810` |
| | Quadro | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M` |
+For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
### GPU Selection
diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
index 6b08ac2e..768fb97a 100644
--- a/gpu/amd_linux.go
+++ b/gpu/amd_linux.go
@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
return []GpuInfo{}
}
- if int(major) < RocmComputeMin {
+ minVer, err := strconv.Atoi(RocmComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
+ }
+ if int(major) < minVer {
slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
continue
}
diff --git a/gpu/gpu.go b/gpu/gpu.go
index 781e23df..60d68c33 100644
--- a/gpu/gpu.go
+++ b/gpu/gpu.go
@@ -16,6 +16,7 @@ import (
"os"
"path/filepath"
"runtime"
+ "strconv"
"strings"
"sync"
"unsafe"
@@ -38,9 +39,11 @@ const (
var gpuMutex sync.Mutex
// With our current CUDA compile flags, older than 5.0 will not work properly
-var CudaComputeMin = [2]C.int{5, 0}
+// (string values used to allow ldflags overrides at build time)
+var CudaComputeMajorMin = "5"
+var CudaComputeMinorMin = "0"
-var RocmComputeMin = 9
+var RocmComputeMajorMin = "9"
// TODO find a better way to detect iGPU instead of minimum memory
const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
var memInfo C.mem_info_t
resp := []GpuInfo{}
- // NVIDIA first
- for i := 0; i < gpuHandles.deviceCount; i++ {
- // TODO once we support CPU compilation variants of GPU libraries refine this...
- if cpuVariant == "" && runtime.GOARCH == "amd64" {
- continue
+ // Load ALL libraries
+ cHandles = initCudaHandles()
+ minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
+ }
+ minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
+ }
+
+ // NVIDIA
+ for i := range cHandles.deviceCount {
+ if cHandles.cudart != nil || cHandles.nvcuda != nil {
+ gpuInfo := CudaGPUInfo{
+ GpuInfo: GpuInfo{
+ Library: "cuda",
+ },
+ index: i,
+ }
+ var driverMajor int
+ var driverMinor int
+ if cHandles.cudart != nil {
+ C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
+ } else {
+ C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
+ driverMajor = int(cHandles.nvcuda.driver_major)
+ driverMinor = int(cHandles.nvcuda.driver_minor)
+ }
+ if memInfo.err != nil {
+ slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
+ C.free(unsafe.Pointer(memInfo.err))
+ continue
+ }
+
+ if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
+ slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
+ continue
+ }
+ gpuInfo.TotalMemory = uint64(memInfo.total)
+ gpuInfo.FreeMemory = uint64(memInfo.free)
+ gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
+ gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
+ gpuInfo.MinimumMemory = cudaMinimumMemory
+ gpuInfo.DependencyPath = depPath
+ gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
+ gpuInfo.DriverMajor = driverMajor
+ gpuInfo.DriverMinor = driverMinor
+
+ // TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
+ cudaGPUs = append(cudaGPUs, gpuInfo)
}
gpuInfo := GpuInfo{
Library: "cuda",
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index e91c56ed..c03bc25f 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
# We use 2 different image repositories to handle combining architecture images into multiarch manifest
# (The ROCm image is x86 only and is not a multiarch manifest)
diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
index 27c4ff1f..e7e6d0dd 100755
--- a/scripts/build_linux.sh
+++ b/scripts/build_linux.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
--
2.46.0

View file

@ -1,72 +0,0 @@
{
config,
lib,
pkgs,
...
}:
lib.extra.mkConfig {
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
];
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
"microvm-router01"
"nvidia-tesla-k80"
"proxmox"
# Machine learning API machine
"microvm-ml01"
];
extraConfig = {
microvm = {
host.enable = true;
};
dgn-hardware = {
useZfs = true;
zfsPools = [
"dpool"
"ppool0"
];
};
services.netbird.enable = true;
# We are going to use CUDA here.
nixpkgs.config.cudaSupport = true;
hardware.graphics.enable = true;
environment.systemPackages = [
((pkgs.openai-whisper-cpp.override { cudaPackages = pkgs.cudaPackages_11; }).overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "ggerganov";
repo = "whisper.cpp";
rev = "v1.7.1";
hash = "sha256-EDFUVjud79ZRCzGbOh9L9NcXfN3ikvsqkVSOME9F9oo=";
};
env = {
WHISPER_CUBLAS = "";
GGML_CUDA = "1";
};
# We only need Compute Capability 3.7.
CUDA_ARCH_FLAGS = [ "sm_37" ];
# We are GPU-only anyway.
patches = (old.patches or [ ]) ++ [
./no-weird-microarch.patch
./all-nvcc-arch.patch
];
}))
];
services.ollama = {
enable = true;
package = pkgs.callPackage ./ollama.nix {
cudaPackages = pkgs.cudaPackages_11;
# We need to thread our nvidia x11 driver for CUDA.
extraLibraries = [ config.hardware.nvidia.package ];
};
};
users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
};
root = ./.;
}

View file

@ -1,50 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
fsType = "ext4";
};
boot.initrd.luks.devices."mainfs" = {
device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
keyFileSize = 1;
keyFile = "/dev/zero";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/280C-8844";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -1,26 +0,0 @@
From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:37:08 +0200
Subject: [PATCH] fix: sm_37 for nvcc
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2ccb750..70dfd9b 100644
--- a/Makefile
+++ b/Makefile
@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
ifdef CUDA_DOCKER_ARCH
MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
else ifndef CUDA_POWER_ARCH
- MK_NVCCFLAGS += -arch=native
+ MK_NVCCFLAGS += -arch=sm_37
endif # CUDA_DOCKER_ARCH
ifdef GGML_CUDA_FORCE_DMMV
--
2.46.0

View file

@ -1,20 +0,0 @@
diff --git c/llm/generate/gen_common.sh i/llm/generate/gen_common.sh
index 3825c155..238a74a7 100644
--- c/llm/generate/gen_common.sh
+++ i/llm/generate/gen_common.sh
@@ -69,6 +69,7 @@ git_module_setup() {
}
apply_patches() {
+ return
# apply temporary patches until fix is upstream
for patch in ../patches/*.patch; do
git -c 'user.name=nobody' -c 'user.email=<>' -C ${LLAMACPP_DIR} am ${patch}
@@ -133,6 +134,7 @@ install() {
# Keep the local tree clean after we're done with the build
cleanup() {
+ return
(cd ${LLAMACPP_DIR}/ && git checkout CMakeLists.txt)
if [ -n "$(ls -A ../patches/*.diff)" ]; then

View file

@ -1,22 +0,0 @@
_: {
microvm.autostart = [ "ml01" ];
microvm.vms.ml01 = {
config = {
networking.hostName = "ml01";
microvm = {
hypervisor = "cloud-hypervisor";
vcpu = 4;
mem = 4096;
balloonMem = 2048;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
};
}

View file

@ -1,16 +0,0 @@
_: {
microvm.autostart = [ "router01" ];
microvm.vms.router01 = {
config = {
networking.hostName = "router01";
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
}

View file

@ -1,34 +0,0 @@
From 51568b61ef63ecd97867562571411082c32751d3 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:36:51 +0200
Subject: [PATCH] fix: avx & f16c in Makefile
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 32b7cbb..2ccb750 100644
--- a/Makefile
+++ b/Makefile
@@ -361,12 +361,12 @@ ifndef RISCV
ifeq ($(UNAME_M),$(filter $(UNAME_M),x86_64 i686 amd64))
# Use all CPU extensions that are available:
- MK_CFLAGS += -march=native -mtune=native
- HOST_CXXFLAGS += -march=native -mtune=native
+ # MK_CFLAGS += -march=native -mtune=native
+ # HOST_CXXFLAGS += -march=native -mtune=native
# Usage AVX-only
- #MK_CFLAGS += -mfma -mf16c -mavx
- #MK_CXXFLAGS += -mfma -mf16c -mavx
+ MK_CFLAGS += -mf16c -mavx
+ MK_CXXFLAGS += -mf16c -mavx
# Usage SSSE3-only (Not is SSE3!)
#MK_CFLAGS += -mssse3
--
2.46.0

View file

@ -1,8 +0,0 @@
{ config, ... }:
{
nixpkgs.config.nvidia.acceptLicense = true;
# Tesla K80 is not supported by the latest driver.
hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
# Don't ask.
services.xserver.videoDrivers = [ "nvidia" ];
}

View file

@ -1,243 +0,0 @@
{
lib,
buildGoModule,
fetchFromGitHub,
buildEnv,
linkFarm,
overrideCC,
makeWrapper,
stdenv,
addDriverRunpath,
nix-update-script,
cmake,
gcc11,
clblast,
libdrm,
rocmPackages,
cudaPackages,
darwin,
autoAddDriverRunpath,
extraLibraries ? [ ],
nixosTests,
testers,
ollama,
ollama-rocm,
ollama-cuda,
config,
# one of `[ null false "rocm" "cuda" ]`
acceleration ? null,
}:
assert builtins.elem acceleration [
null
false
"rocm"
"cuda"
];
let
pname = "ollama";
version = "2024-09-10-cc35";
src = fetchFromGitHub {
owner = "aliotard";
repo = "ollama";
rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
fetchSubmodules = true;
};
vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
"both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
"but they are mutually exclusive; falling back to cpu"
]) (!(config.rocmSupport && config.cudaSupport));
shouldEnable =
mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
rocmRequested = shouldEnable "rocm" config.rocmSupport;
cudaRequested = shouldEnable "cuda" config.cudaSupport;
enableRocm = rocmRequested && stdenv.isLinux;
enableCuda = cudaRequested && stdenv.isLinux;
rocmLibs = [
rocmPackages.clr
rocmPackages.hipblas
rocmPackages.rocblas
rocmPackages.rocsolver
rocmPackages.rocsparse
rocmPackages.rocm-device-libs
rocmPackages.rocm-smi
];
rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
rocmPath = buildEnv {
name = "rocm-path";
paths = rocmLibs ++ [ rocmClang ];
};
cudaLibs = [
cudaPackages.cuda_cudart
cudaPackages.libcublas
cudaPackages.cuda_cccl
];
cudaToolkit = buildEnv {
name = "cuda-merged";
paths = map lib.getLib cudaLibs ++ [
(lib.getOutput "static" cudaPackages.cuda_cudart)
(lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
];
};
metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
Accelerate
Metal
MetalKit
MetalPerformanceShaders
];
wrapperOptions =
[
# ollama embeds llama-cpp binaries which actually run the ai models
# these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
# LD_LIBRARY_PATH is temporarily required to use the gpu
# until these llama-cpp binaries can have their runpath patched
"--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
]
++ lib.optionals enableRocm [
"--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
"--set-default HIP_PATH '${rocmPath}'"
]
++ lib.optionals enableCuda [
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
];
wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
goBuild =
if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
inherit (lib) licenses platforms maintainers;
in
goBuild {
inherit
pname
version
src
vendorHash
;
env =
lib.optionalAttrs enableRocm {
ROCM_PATH = rocmPath;
CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
}
// lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
// {
CMAKE_CUDA_ARCHITECTURES = "35;37";
};
nativeBuildInputs =
[ cmake ]
++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
++ lib.optionals (enableRocm || enableCuda) [
makeWrapper
autoAddDriverRunpath
]
++ lib.optionals stdenv.isDarwin metalFrameworks;
buildInputs =
lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
++ lib.optionals enableCuda cudaLibs
++ lib.optionals stdenv.isDarwin metalFrameworks;
patches = [
# disable uses of `git` in the `go generate` script
# ollama's build script assumes the source is a git repo, but nix removes the git directory
# this also disables necessary patches contained in `ollama/llm/patches/`
# those patches are applied in `postPatch`
./disable-git.patch
];
postPatch = ''
# replace inaccurate version number with actual release version
substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
# apply ollama's patches to `llama.cpp` submodule
for diff in llm/patches/*; do
patch -p1 -d llm/llama.cpp < $diff
done
'';
overrideModAttrs = _: _: {
# don't run llama.cpp build in the module fetch phase
preBuild = "";
};
preBuild = ''
# disable uses of `git`, since nix removes the git directory
export OLLAMA_SKIP_PATCHING=true
# build llama.cpp libraries for ollama
go generate ./...
'';
postFixup =
''
# the app doesn't appear functional at the moment, so hide it
mv "$out/bin/app" "$out/bin/.ollama-app"
''
+ lib.optionalString (enableRocm || enableCuda) ''
# expose runtime libraries necessary to use the gpu
wrapProgram "$out/bin/ollama" ${wrapperArgs}
'';
ldflags = [
"-s"
"-w"
"-X=github.com/ollama/ollama/version.Version=${version}"
"-X=github.com/ollama/ollama/server.mode=release"
"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
];
passthru = {
tests =
{
inherit ollama;
version = testers.testVersion {
inherit version;
package = ollama;
};
}
// lib.optionalAttrs stdenv.isLinux {
inherit ollama-rocm ollama-cuda;
service = nixosTests.ollama;
service-cuda = nixosTests.ollama-cuda;
service-rocm = nixosTests.ollama-rocm;
};
updateScript = nix-update-script { };
};
meta = {
description =
"Get up and running with large language models locally"
+ lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
+ lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
homepage = "https://github.com/ollama/ollama";
changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
license = licenses.mit;
platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
mainProgram = "ollama";
maintainers = with maintainers; [
abysssol
dit7ya
elohmeier
roydubnium
];
};
}

View file

@ -1,14 +0,0 @@
{ sources, lib, ... }:
let
proxmox-nixos = import sources.proxmox-nixos;
in
{
imports = [ proxmox-nixos.nixosModules.proxmox-ve ];
services.proxmox-ve.enable = true;
nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ];
networking.firewall = {
trustedInterfaces = [ "wt0" ];
allowedTCPPorts = lib.mkForce [ 22 ];
};
}

View file

@ -1,3 +0,0 @@
(import ../../../keys).mkSecrets [ "krz01" ] [
# List of secrets for krz01
]

View file

@ -0,0 +1,44 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
modulesPath,
sourcePkgs,
...
}:
{
imports = [
"${modulesPath}/wlan.nix"
"${modulesPath}/network"
"${modulesPath}/hostapd"
"${modulesPath}/ssh"
"${modulesPath}/ntp"
"${modulesPath}/vlan"
"${modulesPath}/bridge"
"${modulesPath}/jitter-rng"
"${modulesPath}/pki"
"${modulesPath}/ubus"
# System-level configuration
./system.nix
# Configures our own WLAN.
./wlan.nix
# Configures our LAN interfaces, e.g. bridge + VLANs.
./lan.nix
# Configures our IPv4/IPv6 addresses, e.g. DHCPv4 on VLAN 0, SLAAC on VLAN 3001.
./addresses.nix
# Configures a basic local DNS.
./dns.nix
# Configures our management layer, e.g. SSH server + DGNum FAI keys.
./management.nix
# Configures our recovery system, e.g. a levitation script.
./recovery.nix
# Metadata on the system for field recovery.
./metadata.nix
# TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
];
hostname = "ap01-prototype";
nixpkgs.source = sourcePkgs.path;
}

View file

@ -0,0 +1,22 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
services.dhcpv4 = svc.network.dhcp.client.build {
interface = config.services.int;
dependencies = [
config.services.bridge.components.lan
];
};
services.defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
}

View file

@ -0,0 +1,34 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
inherit (pkgs.liminix.services) oneshot;
inherit (pkgs.pseudofile) dir symlink;
inherit (pkgs) serviceFns;
in
{
# TODO: support dynamic reconfiguration once we are in the target VLAN?
services.resolvconf = oneshot rec {
name = "resolvconf";
up = ''
. ${serviceFns}
( in_outputs ${name}
for i in $(output ${config.services.dhcpv4} dns); do
echo "nameserver $i" >> resolv.conf
done
)
'';
dependencies = [
config.services.dhcpv4
];
};
filesystem = dir {
etc = dir {
"resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
};
};
}

View file

@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
# ubus socket for various needs.
services.ubus = svc.ubus.build { };
}

View file

@ -0,0 +1,43 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
services.int = svc.bridge.primary.build {
ifname = "int";
macAddressFromInterface = config.hardware.networkInterfaces.lan;
};
services.bridge = svc.bridge.members.build {
primary = config.services.int;
members = {
lan.member = config.hardware.networkInterfaces.lan;
wlan0 = {
member = config.hardware.networkInterfaces.wlan0;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-1-ready ];
};
wlan1 = {
member = config.hardware.networkInterfaces.wlan1;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-2-ready ];
};
};
};
# Default VLAN
# services.vlan-apro = svc.vlan.build {
# vlanId = 0;
# interface = config.services.int;
# };
# # Administration VLAN
# services.vlan-admin = svc.vlan.build {
# vlan = 3001;
# interface = config.services.int;
# };
}

View file

@ -0,0 +1,16 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
# SSH keys are handled by the access control module.
dgn-access-control.enable = true;
users.root = {
passwd = "$6$Z2MiaMXkpUJRPl2/$fxVE3iD/n208CISM2F6OnWj0Qq0QG2tTQqLCjU80PFJJGIwNLLyOp6SeYH3dH20OvJX1loZRETrThZfIPw.rb/";
};
services.sshd = svc.ssh.build { allowRoot = true; };
}

View file

@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let
inherit (pkgs.pseudofile) dir;
in
{
filesystem = dir {
etc = dir {
"nixpkgs.version" = {
type = "f";
file = "${pkgs.lib.version}";
mode = "0444";
};
};
};
}

View file

@ -0,0 +1,49 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
modulesPath,
...
}:
let
svc = config.system.service;
in
{
defaultProfile.packages = with pkgs; [
# Levitate enable us to mass-reinstall the system on the fly.
(levitate.override {
config = {
imports = [
"${modulesPath}/network"
"${modulesPath}/ssh"
"${modulesPath}/hardware.nix"
"${modulesPath}/kernel"
"${modulesPath}/outputs/tftpboot.nix"
"${modulesPath}/outputs.nix"
];
nixpkgs.buildPlatform = builtins.currentSystem;
services = {
# In this situation, we fallback to the appro VLAN.
# TODO: add support for the admin VLAN.
# Simplest DHCPv4 we can find.
dhcpv4 = svc.network.dhcp.client.build {
interface = config.hardware.networkInterfaces.lan;
};
inherit (config.services) sshd;
defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
};
defaultProfile.packages = [ mtdutils ];
# Only keep root, which should inherit from DGN access control's root permissions.
users.root = config.users.root;
};
})
];
}

View file

@ -0,0 +1,32 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, config, ... }:
let
svc = config.system.service;
in
{
# Get moar random please
services = {
jitter = svc.jitter-rng.build { };
packet_forwarding = svc.network.forward.build { };
ntp = config.system.service.ntp.build {
pools = {
"pool.ntp.org" = [ "iburst" ];
};
dependencies = [ config.services.jitter ];
};
};
boot.tftp = {
serverip = "192.0.2.10";
ipaddr = "192.0.2.12";
};
defaultProfile.packages = with pkgs; [
zyxel-bootconfig
min-collect-garbage
];
}

View file

@ -0,0 +1,97 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
svc = config.system.service;
secrets-1 = {
ssid = "DGNum 2G (N)";
};
secrets-2 = {
ssid = "DGNum 5G (AX)";
};
baseParams = {
country_code = "FR";
hw_mode = "g";
channel = 6;
wmm_enabled = 1;
ieee80211n = 1;
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
auth_algs = 1;
wpa = 2;
wpa_pairwise = "TKIP CCMP";
rsn_pairwise = "CCMP";
};
radiusKeyMgmt = {
wpa_key_mgmt = "WPA-EAP";
};
modernParams = {
hw_mode = "a";
he_su_beamformer = 1;
he_su_beamformee = 1;
he_mu_beamformer = 1;
preamble = 1;
# Allow radar detection.
ieee80211d = 1;
ieee80211h = 1;
ieee80211ac = 1;
ieee80211ax = 1;
vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
vht_oper_chwidth = 1;
he_oper_chwidth = 1;
channel = 36;
vht_oper_centr_freq_seg0_idx = 42;
he_oper_centr_freq_seg0_idx = 42;
require_vht = 1;
};
clientRadius = {
ieee8021x = 1;
eapol_version = 2;
use_pae_group_addr = 1;
dynamic_vlan = 0;
vlan_tagged_interface = "lan";
};
externalRadius = {
# TODO: when we have proper IPAM, set the right value here.
own_ip_addr = "127.0.0.1";
nas_identifier = "ap01.dgnum.eu";
# No DNS here, hostapd do not support this mode.
auth_server_addr = "129.199.195.129";
auth_server_port = 1812;
auth_server_shared_secret = "read it online";
};
mkWifiSta =
params: interface: secrets:
svc.hostapd.build {
inherit interface;
package = pkgs.hostapd-radius;
params = params // secrets;
dependencies = [ config.services.jitter ];
};
in
{
services = {
# wlan0 is the 2.4GHz interface.
hostap-1 = mkWifiSta (
baseParams // radiusKeyMgmt
) config.hardware.networkInterfaces.wlan0 secrets-1;
hostap-1-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan0;
};
# wlan1 is the 5GHz interface, e.g. AX capable.
hostap-2 = mkWifiSta (
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2;
# Oneshot that waits until the hostapd has set the interface in operational state.
hostap-2-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan1;
};
};
}

View file

@ -0,0 +1,113 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
#TODO: meta
vlansPlan = {
"uplink-cri".id = 223;
"admin-core" = {
id = 3000;
l3-interface = "irb.0";
};
"admin-ap".id = 3001;
"users".id-list = [
{
begin = 3045;
end = 4094;
}
];
"ap-staging".id = 2000;
};
#TODO: additionnal module (always the same for APs)
AP-staging = {
poe = true;
ethernet-switching = {
interface-mode = "access";
vlans = [ "ap-staging" ];
};
};
in
{
vlans = vlansPlan;
dgn-hardware.model = "EX2300-48P";
dgn-interfaces = {
# "ge-0/0/0" = AP-staging;
# "ge-0/0/1" = AP-staging;
# "ge-0/0/2" = AP-staging;
# "ge-0/0/3" = AP-staging;
"ge-0/0/4" = AP-staging;
# "ge-0/0/5" = AP-staging;
# "ge-0/0/6" = AP-staging;
# "ge-0/0/7" = AP-staging;
# "ge-0/0/8" = AP-staging;
# "ge-0/0/9" = AP-staging;
# "ge-0/0/10" = AP-staging;
# "ge-0/0/11" = AP-staging;
# "ge-0/0/12" = AP-staging;
# "ge-0/0/13" = AP-staging;
# "ge-0/0/14" = AP-staging;
# "ge-0/0/15" = AP-staging;
# "ge-0/0/16" = AP-staging;
# "ge-0/0/17" = AP-staging;
# oob
"ge-0/0/42".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# AP de test
"ge-0/0/43" = {
poe = true;
ethernet-switching = {
interface-mode = "access";
vlans = [ 4000 ];
};
};
# uplink oob
"ge-0/0/46".ethernet-switching = {
interface-mode = "access";
vlans = [ 222 ];
rstp = false;
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# netcore01 (Potos)
"xe-0/1/2".ethernet-switching = {
interface-mode = "access";
vlans = [
"ap-staging"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# management
"me0".inet.addresses = [ "192.168.42.6/24" ];
"irb".inet6.addresses = [ "fd26:baf9:d250:8000::1001/64" ];
};
}

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
lib.extra.mkConfig {

View file

@ -1,3 +1,8 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_:
{

View file

@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "bridge01" ] [
# List of secrets for bridge01
]

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
@ -21,11 +25,12 @@ lib.extra.mkConfig {
"librenms"
"mastodon"
"nextcloud"
"ollama-proxy"
"outline"
"plausible"
"postgresql"
"rstudio-server"
"satosa"
# "satosa"
"signal-irc-bridge"
"signald"
"stirling-pdf"

View file

@ -29,5 +29,5 @@
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/30547280-00e9-4ee1-8a07-d116590d9fbf"; } ];
swapDevices = [ { device = "/dev/disk/by-uuid/edbb5acc-84fc-4a2f-9f1b-086eb137d6dc"; } ];
}

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, sources, ... }:
{

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,

View file

@ -0,0 +1,63 @@
From de5e8237e4bd8f3e325473c789fb542d01557f27 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Fri, 22 Sep 2023 17:26:27 +0200
Subject: [PATCH 1/2] fix(smtp): Allow specifying SSL settings
---
config/environments/production.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index cf942cd6c70..39692890213 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -105,7 +105,8 @@
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
+ ssl: ENV.fetch("SMTP_SSL").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail
From a406428ee761231c3e82dd5c8f5154d04474a238 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom@hubrecht.ovh>
Date: Mon, 25 Sep 2023 10:17:37 +0200
Subject: [PATCH 2/2] fix(smtp): Disambiguate configuration options for SMTP
---
config/env.example.optional | 3 ++-
config/environments/production.rb | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/env.example.optional b/config/env.example.optional
index 050e5d49bec..25bea8328fb 100644
--- a/config/env.example.optional
+++ b/config/env.example.optional
@@ -206,7 +206,8 @@ SMTP_HOST=""
SMTP_PORT=""
SMTP_USER=""
SMTP_PASS=""
-SMTP_TLS=""
+SMTP_STARTTLS="enabled" # Use any non-blank value to enable starttls
+SMTP_TLS="" # Use any non-blank value to enable TLS
SMTP_AUTHENTICATION="plain"
# Sendmail
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 39692890213..bc203bbbaab 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -105,8 +105,8 @@
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
- ssl: ENV.fetch("SMTP_SSL").present?
+ enable_starttls_auto: ENV.fetch("SMTP_STARTTLS", "enabled").present?,
+ tls: ENV.fetch("SMTP_TLS", "").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail

View file

@ -1,21 +1,59 @@
{ config, ... }:
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
sources,
...
}:
let
host = "demarches.dgnum.eu";
port = 3000;
dgn-id = "8dfdc60d1aa66e7206461ed7a49199f624a66b4e";
patch = pkgs.fetchurl {
url = "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch";
hash = "sha256-6JdbUf2fc79E5F1wtYFnP1JLGJffhGbjaxysRFr8xN4=";
};
in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = port;
services.demarches-simplifiees = {
enable = true;
secretFile = config.age.secrets."ds-fr-secret_file".path;
package = (import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.overrideAttrs (old: {
dsModules = old.dsModules.overrideAttrs {
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
};
patches = (old.patches or [ ]) ++ [ ./01-smtp-tls.patch ];
prePatch = ''
${pkgs.lib.getExe pkgs.git} apply -p1 < ${patch}
'';
postPatch = ''
rm -f lib/tasks/deployment/20240830192553_backfill_hide_instructeurs_email.rake
rm -f lib/tasks/deployment/20240912151317_clean_virtual_column_from_procedure_presentation.rake
rm -f lib/tasks/deployment/20240920130741_migrate_procedure_presentation_to_columns.rake
'';
});
inherit host port;
environmentFile = config.age.secrets."ds-fr-secret_file".path;
initialDeploymentDate = "20230923";
settings = {
APP_HOST = host;
environment = {
# Disable France Connect and Agent Connect
FRANCE_CONNECT_ENABLED = "disabled";
AGENT_CONNECT_ENABLED = "disabled";
@ -35,8 +73,8 @@ in
SMTP_HOST = "kurisu.lahfa.xyz";
SMTP_PORT = "465";
SMTP_USER = "web-services@infra.dgnum.eu";
SMTP_TLS = "";
SMTP_SSL = "true";
SMTP_STARTTLS = "";
SMTP_TLS = "true";
SMTP_AUTHENTICATION = "plain";
SUPER_ADMIN_OTP_ENABLED = "disabled";
@ -57,18 +95,10 @@ in
RUBY_YJIT_ENABLE = "1";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-23";
WEASYPRINT_URL = "http://127.0.0.1:5000/pdf";
# Customization
# HEADER_LOGO_SRC = "logo_ens_psl_couleur.png";
# HEADER_LOGO_ALT = "Par la Recherche, pour la Recherche";
# PROCEDURE_DEFAULT_LOGO_SRC = "logo_ens_psl_couleur.png";
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-12-18";
};
};
age-secrets.autoMatch = [ "ds-fr" ];
dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/ds-fr" ];
# dgn-backups.jobs.ds-fr.settings.paths = [ "/var/lib/private/demarches-simplifiees/" ];
dgn-backups.postgresDatabases = [ "ds-fr" ];
}

View file

@ -0,0 +1,459 @@
# SPDX-FileCopyrightText: 2023-2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
getExe
getExe'
mapAttrs
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
optional
;
inherit (lib.types)
attrsOf
nullOr
oneOf
package
path
port
str
;
inherit (utils) escapeSystemdExecArgs;
cfg = config.services.demarches-simplifiees;
weasyprintEnv = pkgs.python3.withPackages (ps: [
ps.flask
ps.sentry-sdk
ps.weasyprint
]);
in
{
options.services.demarches-simplifiees = {
enable = mkEnableOption "Démarches Simplifiées";
package = mkPackageOption pkgs "demarches-simplifiees" { };
finalPackage = mkOption {
type = package;
default = cfg.package.override { inherit (cfg) initialDeploymentDate; };
};
host = mkOption {
type = str;
description = ''
Hostname of the web server.
'';
};
port = mkOption {
type = port;
default = 3000;
description = ''
Listening port for the web server.
'';
};
weasyprintPort = mkOption {
type = port;
default = 5000;
description = ''
Port of the weasyprint server.
'';
};
environment = mkOption {
type = attrsOf (
nullOr (oneOf [
package
path
str
])
);
description = ''
Evironment variables available to Démarches Simplifiées.
'';
};
environmentFile = mkOption {
type = nullOr path;
default = null;
description = ''
Path to a file containing environment variables.
Required secrets are `SECRET_KEY_BASE` and `OTP_SECRET_KEY`,
which can be generated using `rails secret`.
'';
};
initialDeploymentDate = mkOption {
type = nullOr str;
default = null;
description = ''
Initial deployment date, used to ignore some migrations,
which are known to be buggy and are supposed to change old production data.
'';
};
interactScript = mkOption {
type = package;
default = pkgs.writeShellApplication {
name = "ds-fr";
runtimeInputs = [
cfg.finalPackage
config.systemd.package
pkgs.util-linux
];
text = ''
MainPID=$(systemctl show -p MainPID --value demarches-simplifiees.service)
nsenter -e -a -w -t "$MainPID" -G follow -S follow "$@"
'';
};
description = ''
Script to run ds-fr tasks.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.interactScript ];
systemd.services =
let
serviceConfig = {
User = "ds-fr";
DynamicUser = true;
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
CacheDirectory = "demarches-simplifiees";
LogsDirectory = "demarches-simplifiees";
RuntimeDirectory = "demarches-simplifiees";
StateDirectory = "demarches-simplifiees";
WorkingDirectory = cfg.finalPackage;
};
in
{
demarches-simplifiees = {
description = "Démarches Simplifiées";
inherit (cfg) environment;
path = [
cfg.finalPackage
pkgs.imagemagick
];
after = [
"network.target"
"postgresql.target"
];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "$STATE_DIRECTORY/storage"
if [[ ! -f "$STATE_DIRECTORY/.version" ]]; then
# Run initial setup
rails db:environment:set
rails db:schema:load
rails db:seed
rails jobs:schedule
touch "$STATE_DIRECTORY/.version"
fi
if [[ $(cat "$STATE_DIRECTORY/.version") != "$__DS_VERSION" ]]; then
# Run migrations on version change
rake db:migrate
rake after_party:run
echo "$__DS_VERSION" > "$STATE_DIRECTORY/.version"
fi
'';
serviceConfig = serviceConfig // {
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.finalPackage "rails")
"server"
"-b"
"127.0.0.1"
"-p"
cfg.port
];
};
};
demarches-simplifiees-work = {
description = "Démarches Simplifiées work service";
inherit (cfg) environment;
after = [ "demarches-simplifiees.service" ];
wantedBy = [ "multi-user.target" ];
bindsTo = [ "demarches-simplifiees.service" ];
partOf = [ "demarches-simplifiees.service" ];
serviceConfig = serviceConfig // {
ExecStart = escapeSystemdExecArgs [
(getExe' cfg.finalPackage "rails")
"jobs:work"
];
};
};
weasyprint-server = {
description = "Weasyprint server";
wantedBy = [ "multi-user.target" ];
environment = {
BASE_URL = "https://${cfg.host}";
LOG_DIR = "/var/log/weasyprint";
UWSGI_PYTHONPATH = weasyprintEnv;
UWSGI_MODULE = "wgsi:app";
};
serviceConfig = {
DynamicUser = true;
Type = "notify";
WorkingDirectory = cfg.finalPackage.weasyprint_server;
LogsDirectory = "weasyprint";
ExecStart = escapeSystemdExecArgs [
(getExe (pkgs.uwsgi.override { plugins = [ "python3" ]; }))
"--http-socket"
"127.0.0.1:${builtins.toString cfg.weasyprintPort}"
"--processes=4"
"--enable-threads"
];
NotifyAccess = "all";
KillSignal = "SIGQUIT";
ExecReload = "${getExe' pkgs.coreutils "kill"} -HUP $MainPID";
ExecStop = "${getExe' pkgs.coreutils "kill"} -INT $MainPID";
ProtectSystem = "full";
ProtectHome = true;
NoNewPrivileges = true;
PrivateDevices = true;
};
};
};
services = {
demarches-simplifiees.environment =
# Hardcoded values
{
# Application host name
#
# Examples:
# * For local development: localhost:3000
# * For preproduction: staging.ds.example.org
# * For production: ds.example.org
APP_HOST = cfg.host;
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = "ds-fr";
DB_HOST = "/run/postgresql";
DB_PORT = "5432";
# The variables must be present even if empty...
DB_PASSWORD = "";
DB_POOL = "";
# Jobs configuration
RAILS_QUEUE_ADAPTER = "delayed_job";
# Log on stdout
RAILS_LOG_TO_STDOUT = "true";
# Package version
__DS_VERSION = cfg.finalPackage.version;
# Weasyprint endpoint generating attestations v2
# See https://github.com/demarches-simplifiees/weasyprint_server
WEASYPRINT_URL = "http://127.0.0.1:${builtins.toString cfg.weasyprintPort}/pdf";
}
// (mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.finalPackage;
# Rails key for signing sensitive data
# See https://guides.rubyonrails.org/security.html
#
# For production you MUST generate a new key, and keep it secret.
# Secrets must be long and random. Use bin/rails secret to get new unique secrets.
# Secret key for One-Time-Password codes, used for 2-factors authentication
# OTP_SECRET_KEY = "";
# Protect access to the instance with a static login/password (useful for staging environments)
BASIC_AUTH_ENABLED = "disabled";
BASIC_AUTH_USERNAME = "";
BASIC_AUTH_PASSWORD = "";
# ActiveStorage service to use for attached files.
# Possible values:
# - "local": store files on the local filesystem
# - "amazon": store files remotely on an S3 storage service
# - "openstack": store files remotely on an OpenStack storage service
#
# (See config/storage.yml for the configuration of each service.)
ACTIVE_STORAGE_SERVICE = "local";
# Configuration for the OpenStack storage service (if enabled)
FOG_OPENSTACK_API_KEY = "";
FOG_OPENSTACK_USERNAME = "";
FOG_OPENSTACK_URL = "";
FOG_OPENSTACK_REGION = "";
DS_PROXY_URL = "";
# SAML
SAML_IDP_ENABLED = "disabled";
# External service: integration with HelpScout (optional)
HELPSCOUT_MAILBOX_ID = "";
HELPSCOUT_CLIENT_ID = "";
HELPSCOUT_CLIENT_SECRET = "";
HELPSCOUT_WEBHOOK_SECRET = "";
# External service: external supervision
SENTRY_ENABLED = "disabled";
SENTRY_CURRENT_ENV = "development";
SENTRY_DSN_RAILS = "";
SENTRY_DSN_JS = "";
# External service: Matomo web analytics
MATOMO_ENABLED = "disabled";
MATOMO_COOKIE_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_ID = "";
MATOMO_HOST = "matomo.example.org";
# Default SMTP Provider: Mailjet
MAILJET_API_KEY = "";
MAILJET_SECRET_KEY = "";
# Alternate SMTP Provider: SendInBlue/DoList
SENDINBLUE_CLIENT_KEY = "";
SENDINBLUE_SMTP_KEY = "";
SENDINBLUE_USER_NAME = "";
# SENDINBLUE_LOGIN_URL="https://app.sendinblue.com/account/saml/login/truc"
# Alternate SMTP Provider: Mailtrap (mail catcher for staging environments)
# When enabled, all emails will be sent using this provider
MAILTRAP_ENABLED = "disabled";
MAILTRAP_USERNAME = "";
MAILTRAP_PASSWORD = "";
# Alternative SMTP Provider: Mailcatcher (Catches mail and serves it through a dream.)
# When enabled, all emails will be sent using this provider
MAILCATCHER_ENABLED = "disabled";
MAILCATCHER_HOST = "";
MAILCATCHER_PORT = "";
# External service: live chat for admins (specific to démarches-simplifiées.fr)
CRISP_ENABLED = "disabled";
CRISP_CLIENT_KEY = "";
# API Entreprise credentials
# https://api.gouv.fr/api/api-entreprise.html
API_ENTREPRISE_KEY = "";
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
TRUSTED_NETWORKS = "";
# External service: mesuring performance of the Rails app (specific to démarches-simplifiées.fr)
SKYLIGHT_AUTHENTICATION_KEY = "";
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
# Enable or disable Lograge logs
LOGRAGE_ENABLED = "enabled";
# Logs source for Lograge
#
# Examples:
# * For local development: tps_local
# * For preproduction: tps_staging
# * For production: tps_prod
LOGRAGE_SOURCE = "tps_prod";
# External service: timestamping a daily archive of dossiers status changes
UNIVERSIGN_API_URL = "https://ws.universign.eu/tsa/post/";
UNIVERSIGN_USERPWD = "";
# External service: API Geo / Adresse
API_ADRESSE_URL = "https://api-adresse.data.gouv.fr";
API_GEO_URL = "https://geo.api.gouv.fr";
# External service: API Education
API_EDUCATION_URL = "https://data.education.gouv.fr/api/records/1.0";
# Encryption key for sensitive columns in the database
ENCRYPTION_SERVICE_SALT = "";
# ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
AR_ENCRYPTION_PRIMARY_KEY = "";
AR_ENCRYPTION_KEY_DERIVATION_SALT = "";
# Salt for invisible_captcha session data.
# Must be the same value for all app instances behind a load-balancer.
INVISIBLE_CAPTCHA_SECRET = "kikooloool";
# Clamav antivirus usage
CLAMAV_ENABLED = "disabled";
# Siret number used for API Entreprise, by default we use SIRET from dinum
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
# Date from which email validation requires a TLD in email adresses.
# This change had been introduced by : cc53946d221d6f64c365ad6c6c4c544802eb94b4
# Records (users, …) created before this date won't be affected. See #9978
# To set a date, we recommend using *the day after* you have deployed this commit,
# so existing records won't be invalid.
STRICT_EMAIL_VALIDATION_STARTS_ON = "2024-02-19";
});
postgresql = {
enable = true;
ensureDatabases = [ "ds-fr" ];
ensureUsers = [
{
name = "ds-fr";
ensureDBOwnership = true;
}
];
extensions = [ config.services.postgresql.package.pkgs.postgis ];
};
nginx = {
enable = true;
virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
root = "${cfg.finalPackage}/public/";
locations."/".tryFiles = "$uri @proxy";
locations."@proxy".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
};
};
}

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
@ -14,9 +18,9 @@ in
settings = {
"auth.generic_oauth" = {
api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo";
api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo";
auth_url = "https://sso.dgnum.eu/ui/oauth2";
client_id = "grafana_dgn";
client_id = "dgn_grafana";
client_secret = file "oauth_client_secret";
enabled = true;
id_token_attribute_name = "sub";
@ -69,17 +73,11 @@ in
}
];
};
};
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
dgn-web.simpleProxies.grafana = {
inherit host port;
proxyWebsockets = true;
};
age-secrets.autoMatch = [ "grafana" ];

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
@ -29,16 +33,6 @@ in
};
};
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = {
enable = true;
@ -53,6 +47,11 @@ in
};
};
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc"
"hedgedoc/uploads"

View file

@ -0,0 +1,224 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
meta,
...
}:
let
inherit (lib)
attrValues
catAttrs
escapeRegex
concatStringsSep
mapAttrs'
nameValuePair
;
domain = "sso.dgnum.eu";
port = 8443;
cert = config.security.acme.certs.${domain};
allowedDomains = builtins.map escapeRegex (
(builtins.map (s: "${s}.dgnum.eu") [
# DGNum subdomains
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
])
++ [
# Extra domains
"netbird-beta.hubrecht.ovh"
]
);
usernameFor = member: meta.organization.members.${member}.username;
in
{
nixpkgs.config.permittedInsecurePackages = [ "kanidm-1.3.3" ];
services.kanidm = {
enableServer = true;
package = pkgs.kanidm_1_4;
serverSettings = {
inherit domain;
origin = "https://${domain}";
bindaddress = "127.0.0.1:${builtins.toString port}";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
provision = {
enable = true;
persons = mapAttrs' (
_:
{
email,
name,
username,
...
}:
nameValuePair username {
displayName = name;
mailAddresses = [ email ];
}
) meta.organization.members;
groups =
{
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
}
// (mapAttrs' (
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
) meta.organization.groups);
# INFO: The authentication resources declared here can only be for internal services,
# as regular members cannot be statically known.
systems.oauth2 = {
dgn_grafana = {
displayName = "Grafana [Analysis]";
originLanding = "https://grafana.dgnum.eu";
originUrl = "https://grafana.dgnum.eu/login/generic_oauth";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_librenms = {
allowInsecureClientDisablePkce = true;
displayName = "LibreNMS [Network]";
enableLegacyCrypto = true;
originLanding = "https://nms.dgnum.eu";
originUrl = "https://nms.dgnum.eu/auth/kanidm/callback";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbird = {
displayName = "Netbird [VPN]";
enableLocalhostRedirects = true;
originLanding = "https://netbird.dgnum.eu";
originUrl = "https://netbird.dgnum.eu/index";
preferShortUsername = true;
public = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_netbox = {
allowInsecureClientDisablePkce = true;
displayName = "Netbox [Inventory]";
enableLegacyCrypto = true;
originLanding = "https://netbox.dgnum.eu";
originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/";
preferShortUsername = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
dgn_outline = {
displayName = "Outline [Docs]";
originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
originLanding = "https://docs.dgnum.eu";
preferShortUsername = true;
allowInsecureClientDisablePkce = true;
scopeMaps.grp_active = [
"openid"
"profile"
"email"
];
};
};
};
};
users.users.kanidm.extraGroups = [ cert.group ];
dgn-web.internalPorts.kanidm = port;
services.nginx = {
enable = true;
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:${builtins.toString port}";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
set $origin $http_origin;
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
set $origin 'https://${domain}';
}
proxy_hide_header Access-Control-Allow-Origin;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
networking.firewall.allowedUDPPorts = [ 636 ];
dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
}

View file

@ -0,0 +1,8 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../../keys).mkSecrets [ "compute01" ] [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
@ -14,7 +18,7 @@ in
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
(old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
vendorHash = "sha256-J/whSL1keEZKkfOtHpkJ2vSrN/s+DpUGb6RBXpQZQXg=";
});
hostname = host;

View file

@ -1,63 +1,50 @@
diff --git a/composer.json b/composer.json
index 13571c07c..dbe810a57 100644
index af8168f4c..1775f150e 100644
--- a/composer.json
+++ b/composer.json
@@ -11,6 +11,12 @@
"snmp",
"distributed"
],
+ "repositories": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/Tom-Hubrecht/Kanidm"
+ }
+ ],
"homepage": "https://www.librenms.org/",
"license": "GPL-3.0-or-later",
"require": {
@@ -49,6 +55,7 @@
@@ -54,6 +54,7 @@
"phpmailer/phpmailer": "~6.0",
"predis/predis": "^2.0",
"silber/bouncer": "^1.0",
+ "socialiteproviders/kanidm": "^0.1.4",
+ "socialiteproviders/kanidm": "^5.0",
"socialiteproviders/manager": "^4.3",
"spatie/laravel-ignition": "^2.0",
"symfony/yaml": "^6.2",
diff --git a/composer.lock b/composer.lock
index b26090101..aa1fd3cef 100644
index 3d89a1530..a00c5f307 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "21dbcfec63eafb1ae9172473314a57f8",
+ "content-hash": "16c250180b65a1f71acd5653914d7037",
- "content-hash": "fee5d24447dced4397e26066f8c9ee59",
+ "content-hash": "b9316a47587c8e6f6b0adbe3d54777f3",
"packages": [
{
"name": "amenadiel/jpgraph",
@@ -5244,6 +5244,55 @@
@@ -5906,6 +5906,56 @@
},
"time": "2023-02-10T16:47:25+00:00"
},
+ {
+ "name": "socialiteproviders/kanidm",
+ "version": "v0.1.4",
+ "version": "5.0.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/Tom-Hubrecht/Kanidm.git",
+ "reference": "b87d75b8342e00c46ef1c29c42e92b629bb206b1"
+ "url": "https://github.com/SocialiteProviders/Kanidm.git",
+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/Tom-Hubrecht/Kanidm/zipball/b87d75b8342e00c46ef1c29c42e92b629bb206b1",
+ "reference": "b87d75b8342e00c46ef1c29c42e92b629bb206b1",
+ "url": "https://api.github.com/repos/SocialiteProviders/Kanidm/zipball/111ad45941e7150e3219ddfdeb8159f758bde2fd",
+ "reference": "111ad45941e7150e3219ddfdeb8159f758bde2fd",
+ "shasum": ""
+ },
+ "require": {
+ "ext-json": "*",
+ "php": "^8.0",
+ "socialiteproviders/manager": "^4.3"
+ "socialiteproviders/manager": "^4.4"
+ },
+ "type": "library",
+ "autoload": {
@ -65,6 +52,7 @@ index b26090101..aa1fd3cef 100644
+ "SocialiteProviders\\Kanidm\\": ""
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
@ -83,19 +71,12 @@ index b26090101..aa1fd3cef 100644
+ "socialite"
+ ],
+ "support": {
+ "docs": "https://socialiteproviders.com/kanidm",
+ "issues": "https://github.com/socialiteproviders/providers/issues",
+ "source": "https://github.com/socialiteproviders/providers",
+ "docs": "https://socialiteproviders.com/kanidm"
+ "source": "https://github.com/socialiteproviders/providers"
+ },
+ "time": "2024-02-18T14:12:08+00:00"
+ "time": "2024-02-19T19:49:21+00:00"
+ },
{
"name": "socialiteproviders/manager",
"version": "v4.3.0",
@@ -13357,5 +13406,5 @@
"ext-zlib": "*"
},
"platform-dev": [],
- "plugin-api-version": "2.3.0"
+ "plugin-api-version": "2.6.0"
}
"version": "v4.6.0",

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,

View file

@ -1,3 +1,8 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let

Some files were not shown because too many files have changed in this diff Show more