Compare commits

...

463 commits

Author SHA1 Message Date
sinavir
383911d619
fix(web03/redirections): import module 2024-12-22 15:16:48 +01:00
5fa7ccb8e7
fix(django-apps): Disable statedir backup until it is fixed 2024-12-21 17:18:32 +01:00
e19100f856
feat(django-apps): Add automatic backup 2024-12-21 08:24:11 +01:00
sinavir
3085d9e3a8
feat(dj-apps/ernestophone): Switch to production 2024-12-20 16:45:53 +01:00
31e3aabc8f
chore(npins): Update stateless-uptime-kuma
This version has exponential backoff for trying to connect to the
upstream server
2024-12-20 13:33:57 +01:00
sinavir
7c6c753c67
feat(django-apps): Init ernestophone website 2024-12-20 04:21:06 +01:00
4622da188c
fix(ds-fr): Make email work again 2024-12-18 09:51:28 +01:00
2855d62a43
chore(ds-fr): Disable var/lib backups for now
It is spitting out errors
2024-12-18 07:57:05 +01:00
f8df18f13c
fix(ds-fr): Update module 2024-12-18 00:42:12 +01:00
sinavir
324c37f884
fix(dns): Remove old pub.dgnum.eu 2024-12-17 22:21:52 +01:00
sinavir
9b71232c58
feat(garage): Deploy landing page 2024-12-17 22:14:40 +01:00
54f2057dfc chore(cas-eleves): Remove server alias as we have a permanent redirection in place 2024-12-17 20:06:13 +01:00
Elias Coppens
b8e75176e1
feat(hypervisors): Init 2024-12-17 17:41:33 +01:00
cab2bc381c
feat(vault01/networking): open vlan hypervisor 2024-12-17 12:09:03 +01:00
f6d2de3115
chore(patches): Drop patches from nixos-24.05 as only web02 and ap01 use it 2024-12-17 00:14:46 +01:00
200104bf84
chore(kanidm): Update origin uris, oauth2 endpoints and switch to 1.4 2024-12-17 00:11:05 +01:00
8c8093b778
feat(netbird): Use a kanidm-proof redirect uri 2024-12-16 22:37:51 +01:00
1b7b1c3a4f
chore(npins): Update cas-eleves 2024-12-16 22:37:31 +01:00
af1e11f01b
chore(git-hooks): Use a fixed nixfmt that does not depend on upstream 2024-12-16 16:40:39 +01:00
60a5aea5a8
chore(nextcloud): Update to v30 2024-12-16 16:21:37 +01:00
accf643294
chore(meta): Remove nodes.nix 2024-12-16 09:40:38 +01:00
09e55d4a80
chore(reuse): Add copyright and license information 2024-12-16 09:34:15 +01:00
fdb355bac7
feat(netconf/netcore02): ci build 2024-12-16 09:26:52 +01:00
3c9bf80f24
feat(netconf): use meta for access control 2024-12-16 09:26:52 +01:00
e8cdd06706
feat(netconf): toplevel rpc drv 2024-12-16 09:26:52 +01:00
9601caba4f
fix(netconf/dgn-hardware): missing parenthesis 2024-12-16 09:26:52 +01:00
sinavir
d63751578a
fix(HACK): not broken anymore 2024-12-16 09:26:52 +01:00
99ef0b76de
feat(netconf)!: wip! broken! netconf-eval 2024-12-16 09:26:52 +01:00
aa4cdf0fd4
fix(netconf): typo 2024-12-16 09:26:52 +01:00
318f6927c1
feat(lib): Init netconf-junos
The code is copied from netconf-module, `with lib;` have been replaced
by inherits
2024-12-16 09:26:52 +01:00
1980d3c34e
feat(modules/netconf): Add lbailly's dgn-interfaces module 2024-12-16 09:26:52 +01:00
9024590a34
fix(netconf/dgn-hardware): Some models are extension cards 2024-12-16 09:26:52 +01:00
fbfb22d777
feat(modules/netconf): Add hardware module 2024-12-16 09:26:52 +01:00
c5e3da3ac9
chore(meta): Split nodes into systems 2024-12-16 09:26:52 +01:00
a818917d77
chore(storage01): Disable vm for now 2024-12-16 00:19:57 +01:00
9a99c8a29e
chore(compute01): Update swap device 2024-12-16 00:12:28 +01:00
08d7dc46b3
fix(modules/dgn-network): Make it work on web02
This is the only node still on 24.05 as the cas server is f*cked
2024-12-15 23:33:14 +01:00
1c74c67de6
fix(compute01/librenms): Update patch and vendorHash 2024-12-15 23:33:14 +01:00
30da92618a
chore(compute01): Disable satosa for now 2024-12-15 23:08:42 +01:00
af66eb557f
fix(patches): Port necessary patches to nixos 24.11 2024-12-15 23:08:42 +01:00
12f19506fc
feat(compute01): Update nixos, but keep kanidm_1_3 2024-12-15 23:08:42 +01:00
659ddf39e5
fix(wordpress): Include the selected theme 2024-12-15 23:08:42 +01:00
7d99a0d334
chore(crabfit): Update 2024-12-15 23:08:42 +01:00
046ed0c005
chore(networking): Attributes have to me moved up 2024-12-15 23:08:42 +01:00
a2d397de70
feat(nodes): Update to nixos 24.11 2024-12-15 23:08:42 +01:00
a65e348f0e
feat(hive): Add tvix-store as a substituter 2024-12-15 22:15:56 +01:00
ecf5fefbaa fix(machines/storage01): scrape all exporter ports
There may be more than one port for a given node.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-15 20:47:04 +01:00
bb7f538110 fix(modules/nixos/dgn-node-monitoring): listen and fix the cgroup port
Otherwise, we cannot scrape that specific port.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-15 20:47:04 +01:00
a1f17d1850
feat(meta/options): Add the system type to the default tags 2024-12-15 12:49:13 +01:00
76419de740
fix(modules/django-apps): Add descriptions where missing 2024-12-13 16:38:36 +01:00
3872b17ff6
fix(modules/dgn-console): Udate description of psql options 2024-12-13 15:48:04 +01:00
f5147dec8d
feat(workflows/pre-commit): Check multiple stages 2024-12-13 12:50:25 +01:00
88d9b8c3e3
chore: Add license and copyright information
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu>
Acked-by: Maurice Debray <maurice.debray@dgnum.eu>
Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu>
Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum.
Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
2024-12-13 12:41:38 +01:00
630b7c0ffc
chore(web01): Remove kahulm.nix 2024-12-12 14:03:32 +01:00
b2bebdc20d
chore(web01): Remove dolibarr.nix 2024-12-12 14:00:14 +01:00
a2ca441284
fix: remove lib.mdDoc references 2024-12-11 23:07:14 +01:00
fe19171d85 feat(nextcloud): Deploy collabora without docker 2024-12-11 14:46:32 +01:00
b23312dcaa feat(dgn-web): Add yearly logrotate for nginx 2024-12-11 14:40:29 +01:00
e0cf11276d feat(monitoring): support cgroup exporting of metrics
This needs an update in our node_exporter dashboard but nothing too
hard.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-11 11:08:07 +01:00
026acdecb7
fix(tvix-cache): Import an existing file 2024-12-10 11:14:10 +01:00
6d03c084a0
feat(hive): Add serverNodes to the arguments 2024-12-08 22:31:14 +01:00
25eee32a22 feat(scripts): introduce manual push script
This way, we can send some closures if some of our members build them on
more powerful machines.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 21:14:28 +01:00
f16d8ce68f fix(ap01): switch Liminix nodes to 24.05
There's a bug in 24.11 regarding GCC bootstrap for mipsel which makes it
impossible to use that NixOS version.

We will need to pin 24.05 and bisect until we find the root cause…

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 21:14:28 +01:00
ba62dcd6a6
fix(storage01): Make prometheus work again
By only looking at nixos nodes
2024-12-08 17:15:45 +01:00
65b188a7cd
fix(meta): Use correct optional 2024-12-08 17:15:45 +01:00
715201abc2
fix(rescue01): Filter nodes to only include real servers 2024-12-08 17:15:45 +01:00
a2295953da
fix(meta): Add required stuff for ap01 2024-12-08 17:15:45 +01:00
303f53af0f
chore: Apply the abstraction to ap01 2024-12-08 17:15:45 +01:00
e89ed2d0e7
feat(hive): ensure purity of cache-node.sh
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
e94d6fd16e
fix(hive): ensure we are in hermetic evaluation
We don't want any <nixpkgs> to appear out of nowhere.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
6ca347ee51
Revert "chore(HACK): open a tmate session in the CI"
This reverts commit 5907ba80e1a608e1c2674e94bb4e5c98ac9dfc55.
2024-12-08 15:24:40 +01:00
4158d85efb
fix(npins): update liminix to fix graphviz incident
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
a12b180592
chore(HACK): open a tmate session in the CI
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
104d64f23f
feat(scripts/cache-node): support non-NixOS systems
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
cdd8b9cc12
feat(machines): add ap01 initial configuration
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
df6b48e2f3
feat(hive/registry): add Zyxel NWA50AX in the registry
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:24:40 +01:00
d9a6d38d5e
feat(modules/dgn-access-control): support Liminix systems
Liminix are not totally aligned with their implementation of users.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:23:28 +01:00
a2a6bf8d1c
feat(npins/sources): switch to DGNum fork of Liminix
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:23:28 +01:00
ec98e60c3d
feat(devshell): add SSO and serial access tools
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-08 15:23:28 +01:00
750a2f90eb
feat(crabfit): Remove overzealous padding 2024-12-08 15:11:16 +01:00
0b27fef19f
fix(bridge01): Use correct node name 2024-12-08 13:46:29 +01:00
ecbad0a638
chore: Abstract machines and modules
This adds subdirectories for the different types of systems, for the
modules and the machines
2024-12-08 13:39:10 +01:00
c3f4e7ade6
fix(meta): Only define targetHost when the network config is defined 2024-12-08 12:49:46 +01:00
e1586b4873
fix(dns): Only generate infra records for nixos machines 2024-12-08 12:19:31 +01:00
4fa4d0bc21
feat(hive.nix): Refactor mkNixpkgsConfig 2024-12-08 12:10:50 +01:00
3a325437b8
chore(hive.nix): Simplify system management 2024-12-08 12:04:54 +01:00
3a58ac3fdc
fix(hive.nix): Remove inifinite recursion 2024-12-08 11:59:39 +01:00
eb5b8740a8
feat(meta): Remove default values for nixpkgs version
They are considered harmful, and it simplifies the code.
2024-12-08 11:52:26 +01:00
1821104e8e
feat(meta): Add system to the nodes meta 2024-12-08 11:40:01 +01:00
12c8870f6d
chore(meta): Sort nodes 2024-12-08 11:02:04 +01:00
4fabadccb4 feat(scripts/): use our own colmena
In the future, we should not have to do this.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-07 15:30:42 +01:00
344cc26d8e feat(meta/*): support generalized deployments
Our colmena knows how to deal with families of system types, e.g. NixOS
systems or Liminix-based systems.

This is a step 1 towards supporting our APs in our infrastructure.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-12-07 15:26:13 +01:00
ae057f480f
feat(lib): Add warn 2024-12-07 13:12:20 +01:00
f909853119
feat(dns): Add autoritative DNS for lab subdomain 2024-12-07 11:05:45 +01:00
a60b546277
feat(vault01/gretap): gretap for hackaton 2024-12-07 10:52:37 +01:00
sinavir
09b5963449
fix(ds-fr): Lock patch with hash 2024-12-06 10:58:57 +01:00
sinavir
d4dab1e7ae
fix(ds-fr): Update dgn patch 2024-12-06 10:31:29 +01:00
sinavir
41caf293b0
chore(ds-fr): Remove unused files 2024-12-06 09:50:23 +01:00
2a7a3aba83
fix(npins): Update hash 2024-12-02 17:25:41 +01:00
96e8bfff5b
feat(django-apps): Internalize 2024-11-25 23:29:39 +01:00
sinavir
aa154d1b1b
fix(web03/dj-apps): Use secret tokens 2024-11-25 16:06:08 +01:00
sinavir
f37a7449cb
fix(netbox-agent): Disable as it is broken 2024-11-25 15:18:28 +01:00
030803ba29
chore(patches): Reorganize 2024-11-25 11:15:20 +01:00
13abd5400b
fix(web03/dj-wikiens): Update dependencies 2024-11-23 11:33:56 +01:00
f6c933f374
fix(kanidm): Use last usable version: 1.3.3 2024-11-22 23:12:18 +01:00
c9839d4be6 chore(npins): Update 2024-11-22 15:27:34 +00:00
fe52f0ebe2
feat(forgejo-runners): Use /data/slow/nix and not /data/slow/nix/nix
The upstream module should be updated to reflect that, use rootPath
instead of storePath
2024-11-22 14:04:35 +01:00
1f9f56ac91
chore(lix): Use the global patch infrastructure for lix 2024-11-22 12:56:39 +01:00
75b621e298
fix(ds-fr): Switch to nix-pkgs 2024-11-21 15:13:25 +01:00
sinavir
32f68a54a9
chore(workflows): regenerate 2024-11-19 00:53:33 +01:00
sinavir
b00e47ec85
chore(netbox): Upgrade 2024-11-19 00:40:15 +01:00
a50637d55e
chore(stirling-pdf): New version 2024-11-19 00:13:49 +01:00
aa4f972085
fix(forgejo-runners): Let the shell handle colmena 2024-11-19 00:01:06 +01:00
8a5de73b47 chore(npins): Update 2024-11-18 15:29:55 +00:00
3fecacb482
chore(npins): Update nix-modules 2024-11-18 13:03:13 +01:00
ded867d274
feat(dj-interludes): Add a real secret 2024-11-18 13:02:54 +01:00
f61bd85d63
chore(forgejo): Disallow more domains 2024-11-17 19:01:26 +01:00
bf06d2573b
feat(nix): Use passthru for shells and return to importing the scripts 2024-11-14 22:18:40 +01:00
6fbda40e5e
feat(scripts): Unify behaviour and improve generation 2024-11-14 22:01:58 +01:00
2ffd7732ba
feat(django-apps/interludes): Allow base webapps domain 2024-11-12 15:08:17 +01:00
d45b044b22
feat(django-apps/interludes): Switch to interludes.ens.fr 2024-11-12 14:55:04 +01:00
21b422b1ad
fix(nix-lib): Allow defining top-level imports 2024-11-12 12:29:36 +01:00
420fe99984
fix(django-apps/interludes): Don't run in debug mode 2024-11-12 10:52:49 +01:00
32f13adaad
feat(web03): Deploy interludes.webapps.dgnum.eu 2024-11-12 10:40:09 +01:00
a816c81125
chore: Update nix-actions 2024-11-11 22:05:16 +01:00
6ab3e4b685
fix(workflows): Correct typos 2024-11-11 18:01:44 +01:00
5f1436e4bf
feat(workflows): Switch to a nix-based definition of workflows 2024-11-11 17:57:23 +01:00
sinavir
d8f90dd940
fix(patches): Label nextcloud patch 2024-11-11 00:57:49 +01:00
89b22a34da
feat(forgejo): Add blocklist for registering e-mails 2024-11-10 16:24:51 +01:00
32d28ed351
feat(organization): Added Antoine Groudiev and Matthieu Boyer to organization 2024-11-09 22:55:24 +01:00
46657a7f74
fix(tvix-cache): Turn down the log vomit, and increase the limit of file handles 2024-11-09 19:11:10 +01:00
0a40fbbda0
Revert "chore(npins): Update"
This reverts commit 045554b2e6.
2024-11-09 18:43:56 +01:00
045554b2e6 chore(npins): Update 2024-11-09 15:29:23 +00:00
sinavir
2cee8006d3
feat(access-control): Remove luj from admins 2024-11-08 00:18:14 +01:00
sinavir
9e5be2a279
fix(web01): www.lanuit.ens.fr redirection is not used anymore 2024-11-04 20:07:33 +01:00
0576d1ecf8
fix(web03): Use a different domain for webhooks endpoint 2024-10-31 10:58:07 +01:00
06bbe99769
feat(meta/dns): Add private subdomain linking to the netbird ips 2024-10-31 10:58:07 +01:00
sinavir
45f2f59055 feat(keys): Add a key for mdebray 2024-10-30 23:21:36 +01:00
0e3463102c
feat(metis): Update and validate providers 2024-10-24 00:27:15 +02:00
d2f039755b
chore(metis): Update 2024-10-23 23:40:21 +02:00
a6aac2b0b4
feat(web03): Deploy www-bocal on bocal.webapps.dgnum.eu 2024-10-23 13:56:47 +02:00
ae7aaabf29
feat(meta/network): Add web03 netbirdIp 2024-10-23 11:04:28 +02:00
7ab63fb4a5
fix(netbox-agent): Use the latest version, which returns the correct value to the shell 2024-10-23 10:05:25 +02:00
2bb03126cf
feat(web03): Deploy django-wiki on wiki.webapps.dgnum.eu 2024-10-22 14:19:58 +02:00
2b858bbae4
feat(web03): Switch to nixos-unstable 2024-10-22 14:09:54 +02:00
4f18e8d387
feat(meta/dns): Add apps-webhook domain, to separate from the apps 2024-10-22 13:55:30 +02:00
4a102117a4
feat(storage01): Init victoria-metrics DB 2024-10-22 13:07:07 +02:00
969f59fbc4
feat(web03): Deploy the new annuaire 2024-10-21 20:03:20 +02:00
972b9554b7 feat(netbox-agent): Internalize 2024-10-21 19:38:11 +02:00
sinavir
e993d6de34 fix(stateless-uptime-kuma): Typo in domain name 2024-10-21 12:25:18 +02:00
sinavir
e0eb7bbf7c fix(stateless-uptime-kuma): Correct probes for ollama and s3-api 2024-10-21 12:16:00 +02:00
7875007a4f
feat(meta/dns): Add victoria-metrics 2024-10-21 11:15:31 +02:00
b5fc554f0f
fix(patches): Update commit for netbox-qrcode 2024-10-21 09:41:01 +02:00
a93a64d747
feat(forgejo): Send email to admins when new users appear 2024-10-21 09:33:40 +02:00
51133e6e5f
feat(netbird): Update 2024-10-20 23:01:14 +02:00
5f0c7d4e22
feat(meta/nodes): Sort nodes 2024-10-20 22:35:35 +02:00
39abf0b62d chore(npins): Update 2024-10-20 13:29:01 +00:00
63c9f02b16
fix(meta): Use correct username
(Sorry @jemagius)
2024-10-18 18:46:33 +02:00
f0b3d4b490
feat(kanidm): Use kanidm-provision to setup active members 2024-10-18 14:36:38 +02:00
sinavir
e7edf29e11 fix(ollama-proxy): Use ip instead of vpn domain name
VPN dns is slow to start so nginx will fail
2024-10-18 12:45:27 +02:00
sinavir
c0435e694d fix(modules/dgn-records): Add enable option 2024-10-18 11:53:32 +02:00
sinavir
1a05ea3a9a feat(krz01): Move to lab-infra repo 2024-10-18 11:53:32 +02:00
113c83bb9c
feat: laptop change and smartphone add to authorized MACs 2024-10-18 11:12:14 +02:00
ac0aaa9228
fix(npins): Update nix-pkgs 2024-10-18 11:10:47 +02:00
16dfdf1032
feat(patches): Add kanidm provisioning 2024-10-17 23:03:37 +02:00
05edf3f295
feat(meta/dns): Update web02 2024-10-17 23:03:37 +02:00
sinavir
3c445ab4c7 feat(networking): Add a bridge to connect VMs to the world 2024-10-17 17:56:09 +02:00
sinavir
492fe550d9 chore(krz01): Put all ollama/whisper stuff in separate modules 2024-10-17 15:47:10 +02:00
sinavir
a02da5f496 chore(proxmox-nixos): Update 2024-10-17 15:34:11 +02:00
b850ee56c2
chore(nixpkgs): Drop nixos-23.11 2024-10-17 15:11:43 +02:00
db5859e472
feat(web03): Initial deployment of django-apps 2024-10-17 15:11:43 +02:00
fd6b9678ef
chore(netbox-agent): Rekey 2024-10-17 15:06:26 +02:00
f771ec72c8
fix(secrets): Rekey Arkheon and email secrets 2024-10-16 11:45:50 +02:00
9931c622b6
feat(workflows/eval): Add web03 to the list 2024-10-16 11:28:30 +02:00
ad8ddb1f4d
feat(dns): Redirect webapps subdomain to web03 2024-10-16 11:24:10 +02:00
14866df004
fix(dgn-web): Set a default for simpleProxies 2024-10-16 11:08:24 +02:00
b6cbf6e918
feat(infra): Deploy web03 2024-10-16 11:08:24 +02:00
4b2d1cde5b
chore(dgsi): Update 2024-10-12 22:25:53 +02:00
06653220bb
fix(kanidm): Revert switch to simpleProxies
As we proxy to an https endpoint, this was not supported
2024-10-12 22:11:34 +02:00
9ea51137fc
chore(dgsi): Update 2024-10-12 22:06:26 +02:00
2f06f22ac7 feat(nginx): Switch to simpleProxies for the majority of configs 2024-10-12 20:00:54 +02:00
af61ae6e61 feat(dgn-web): Add simpleProxies
This proxies the required host to localhost:$port and enables SSL
2024-10-12 20:00:54 +02:00
9ea6bada0a feat(dgn-web): Add a way to detect internal port clashes 2024-10-12 20:00:54 +02:00
f819acf9bc
feat(forgejo): 7 days sessions 2024-10-12 19:52:21 +02:00
8043f8d4ab
chore(metis): Update 2024-10-12 17:29:51 +02:00
bb4a24f9e9 feat: add cst1's member info 2024-10-11 14:53:13 +02:00
cafaa15ef3 fix(rights): add cst1 to lab adminGroup 2024-10-11 14:53:13 +02:00
54e2eeb6f3 feat(ssh): Add cst1's SSH key 2024-10-11 14:53:13 +02:00
aa3d83ca06
fix(scripts): Don't try to upload to the cache if no password is present 2024-10-11 14:53:00 +02:00
e37f56f85b
fix(dns): cachix.dgnum.eu is no longer in service 2024-10-11 01:45:41 +02:00
f20353b727 fix(storage01): pass through the admin API of Garage
not the web API!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:52:22 +02:00
a4de5f4d31 feat(krz01): move ollama to compute01 via a reverse proxy
krz01 has no public web IP.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:40:56 +02:00
363f8d3c67 fix(krz01): open 80/443 for ACME
Oopsie!

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:20:28 +02:00
12b20e6acf feat(storage01): add monorepo-terraform-state.s3.dgnum.eu
This is required to bootstrap the Terranix setup.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:13:11 +02:00
de6742aa0d feat(storage01): add s3-admin.dgnum.eu
This is the administration endpoint of the S3, you can create new
buckets and more, from there.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 17:13:11 +02:00
d76e655174 feat(krz01): add a NGINX in front of ollama protected by password
This way, you can do direct requests to ollama from other places.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-10 16:43:33 +02:00
sinavir
7d70beb1f0 feat(krz01): create and add the lab admin group to krz01 2024-10-10 13:35:34 +02:00
dae3b7c7f6
fix(web02): Remove test user 2024-10-10 09:41:58 +02:00
1e71ef3636
feat(users): Add root passwords and deactivate mutableUsers 2024-10-10 09:23:19 +02:00
7bdc70632c
chore(scripts): Cleanup of old caching script 2024-10-10 01:04:16 +02:00
d05c003fd6
feat(workflows/eval): Generalize the new script to all nodes 2024-10-10 00:58:41 +02:00
5b271b7b4a
feat(nat): enabling for dgnum members for tests 2024-10-10 00:00:56 +02:00
93c47f47be
fix: laptop change 2024-10-09 23:47:29 +02:00
47ad002f12
feat(workflows/eval): Try to build and upload in one fell swoop 2024-10-09 21:34:22 +02:00
6b23df6b54
feat(workflows/eval): Try to build and upload in one fell swoop 2024-10-09 21:32:38 +02:00
6c4099d369 feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 18:58:46 +02:00
53c865a335
fix(dgsi): Set to an existing version 2024-10-09 18:57:06 +02:00
34640d467b feat(krz01): finish ollama integration and whisper.cpp
My sanity was used in the process.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-09 13:59:05 +02:00
8441992408 feat(krz01): move to unstable
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-09 12:51:14 +02:00
4bedb3f497 feat(krz01): move the GPU stuff to the host for now
We also add a K80 specific patch for ollama.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-09 09:33:57 +02:00
8160b2762f feat(krz01): passthrough the nVidia Tesla K80 in ml01
This way, no need for reboot.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-09 09:33:57 +02:00
ebed6462f6 feat(krz01): introduce ML01 -- a machine learning VM
I will add ollama on it later on and passthrough the GPU in there.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-09 09:33:57 +02:00
e200ae53a4
feat(proxmox): Revert the disabling 2024-10-08 20:59:34 +02:00
62b36ed124 fix(krz01): apply a correctness patch on proxmox-nixos
To make CI happy.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-08 20:49:41 +02:00
9bc651db42
chore(nix-patches): Add helper function 2024-10-08 20:49:26 +02:00
bfe4957926
feat(patches): Generalize 2024-10-08 18:37:17 +02:00
3aeae4e33f feat(krz01): add basic microvm exprs
For a router01.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-08 17:14:23 +02:00
4d689fee33 feat(krz01): enable proprietary drivers for nVidia
For the Tesla K80.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-08 16:58:47 +02:00
862f004e3c fix(krz01): disable proxmox for now
Until #139 is merged.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-10-08 16:40:18 +02:00
sinavir
da40fa9b3d fix(krz01): Fix root password hash 2024-10-08 16:05:19 +02:00
c642e98ab9
fix(cache): Make instructions and code work 2024-10-08 15:50:21 +02:00
fb610306ee
feat(workflows/eval): Add krz01 to the CI 2024-10-08 14:15:01 +02:00
37d0ca9489
chore(dgsi): Update? 2024-10-08 14:13:03 +02:00
sinavir
39f5cad75d feat(krz01): Proxmox 2024-10-08 13:59:28 +02:00
sinavir
c6588da802 fix(krz01): Use default target 2024-10-08 12:57:57 +02:00
sinavir
a194da9662 fix(krz01): Enable netbird 2024-10-08 12:51:57 +02:00
sinavir
70c69346fb feat(krz01): init 2024-10-08 12:35:59 +02:00
sinavir
bdf0e4cf7a feat(binary-cache): Add some hints on how to configure the cache 2024-10-06 23:57:57 +02:00
e4fc6a0d98
chore(npins): Update 2024-10-06 22:21:07 +02:00
8769d6738e
fix(cas-eleves): Remove dependency on pytest-runner 2024-10-06 18:40:48 +02:00
7d24e2dfc1
feat(dgsi): Update, with SAML provisional auth 2024-10-06 18:40:48 +02:00
sinavir
38231eb6e0 feat(attic): Bye bye attic 2024-10-06 18:33:04 +02:00
f589be422e
fix(meta): Use root@ for the proxyjump to bridge01 2024-10-03 12:57:43 +02:00
sinavir
e70d0be931 chore(garage): update 2024-10-02 19:20:17 +02:00
14ad93aed9
chore(dgsi): Update 2024-09-30 20:24:10 +02:00
sinavir
53379c88de feat(pub.dgnum.eu): Add a redirect toward instagram 2024-09-30 20:17:20 +02:00
sinavir
626577e2bc feat(redirections): Make it more flexible to allow temporary redirects 2024-09-30 20:17:20 +02:00
sinavir
1e85547490 fix(ci): Push vault01 to cache too 2024-09-30 20:07:08 +02:00
sinavir
44fefd6327 fix(stateless-uptime-kuma): Update to get the periodic refresh 2024-09-29 17:23:10 +02:00
e12b8454fe
chore(dgsi): Update 2024-09-27 13:23:55 +02:00
f18fb56876
chore(dgsi): Update 2024-09-26 23:18:52 +02:00
176cff5e6d
feat(dgsi): Update source and settings 2024-09-26 15:23:43 +02:00
681155318b
fix(nextcloud): Don't use fast_shutdown 2024-09-26 14:05:40 +02:00
sinavir
5c8db3544c chore(ci): Make the CI happy 2024-09-26 13:45:06 +02:00
bdeb55f9ec
feat(dgsi): Make it work 2024-09-25 13:57:55 +02:00
2b75890752
feat(compute01): Deploy dgsi 2024-09-24 20:54:51 +02:00
dd5c0c79f7
feat(meta): Prepare for dgsi deployment 2024-09-24 20:54:30 +02:00
sinavir
05f7be1983 fix(tvix-cache): Update the cache to a working version 2024-09-23 00:40:06 +02:00
sinavir
89d219fe8a feat(garage): Add hackens website 2024-09-22 00:52:04 +02:00
sinavir
9e7215b5b8 feat(hermes): Bridge more channels 2024-09-22 00:51:36 +02:00
6b30a95fbb feat(dgn-chatops): !pm shorthand for !probe_meet
Bumped minor version of Takumi for non-breaking changes.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-09-21 00:52:13 +02:00
1c6124f376 feat(dgn-chatops): Takumi v1.0.0
Can schedule meet.dgnum.eu in the chat upon demand.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-09-21 00:24:38 +02:00
4a275fd07e
fix(dns): Update to correct dns.nix version 2024-09-20 23:37:01 +02:00
6f41443cf5
chore(pre-commit): Update the list of ignored files 2024-09-20 23:37:01 +02:00
dcb0c3591e
feat(iso): Use latest kernel, and support bcachefs at installation 2024-09-20 23:37:01 +02:00
859418b377 feat(chatops): init takumi
Takumi means "artisan" (in the sense of "master") in Japanese. It's an
accurate and efficient ChatOps for day-to-day operations of DGNum.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-09-20 21:50:15 +02:00
f791ba15a4
chore(metis): Update 2024-09-18 14:23:28 +02:00
sinavir
f6253021d7 feat(nuit website): migrate to s3 2024-09-18 14:21:13 +02:00
bc75d78a22
feat(shell): Add lon 2024-09-12 20:16:20 +02:00
69af2c4640
chore(shell): Remove disko 2024-09-12 20:14:35 +02:00
9174965f28
feat(pre-commit): Switch to pre-push stage for linters 2024-09-12 20:14:16 +02:00
99825b89ca
fix(stirling-pdf): Make it build again 2024-09-10 22:41:25 +02:00
3014fb79dc
fix(shell): No need to patch git-hooks anymore 2024-09-10 21:11:53 +02:00
06285b9108
chore(npins): Update 2024-09-10 21:11:03 +02:00
dea475cea9 chore(shell): add agenix 2024-09-10 20:12:24 +02:00
595407c13b feat(ISP): enable SNAT on 5C:64:8E:F4:09:06
For testing purposes.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-09-08 12:32:56 +02:00
3b766e6a2b feat(ulogd): enabling ulogd 2024-09-08 12:21:08 +02:00
b8601b0782 feat(nat): desactivating on vlan-apro 2024-09-07 16:09:01 +02:00
sinavir
7885442381 fix(web01): Update calendar 2024-09-04 16:21:26 +02:00
605f7beda2
fix(uptime-kuma): Don't try to get the radius endpoint 2024-09-01 23:34:07 +02:00
fe9c71f37e
fix(reaction): Use the correct netbird space 2024-09-01 23:33:34 +02:00
fd0aeacff4
feat(firewall): Sunset fail2ban and switch to reaction 2024-09-01 22:51:56 +02:00
86c1018dc8
fix(web01): Add a redirection from bds.ens.fr/gestion2 to its new location 2024-09-01 15:48:35 +02:00
8a42e18d98
feat(k-radius): Use LE certificates instead of self-signed ones 2024-09-01 15:40:59 +02:00
3ca3ff8939 feat(radius): add AP secret for RADIUS auth requests
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-08-31 22:38:35 +02:00
16f47ce227
feat(wordpress): Finish the migration of the BDS website 2024-08-31 00:36:19 +02:00
f5cc186ea1
feat(web01): Decomissionate kahulm 2024-08-30 18:44:58 +02:00
ad7eb40e51
fix(dns): Always end with a . ... 2024-08-30 10:13:33 +02:00
ccaa999adc
feat(wordpress): Prepare the migration 2024-08-30 10:08:12 +02:00
359d839ad4
feat(dns): Add BDS redirection 2024-08-30 10:08:12 +02:00
sinavir
b4b2cf3836 feat(metis): Update to add "Rentrée" 2024-08-28 16:55:23 +02:00
cbc5dea62b fix(kahulm): use non-gitrelease type for source
And bump it to the latest main branch.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-08-19 09:34:55 +02:00
0d7b4efbd3 feat(kahulm): Added kahulm to web01 2024-08-17 18:00:30 +02:00
b70dd91eb2
fix(workflows): Run lint on pull_requests too 2024-08-17 18:00:10 +02:00
b3b21d1f96
feat(forgejo-runners): Switch to patched version of colmena
This allows to evaluate bridge01 in the CI
2024-08-14 18:56:11 +02:00
sinavir
53fe784b5a feat(CI): build bridge01 2024-08-04 16:19:43 +02:00
sinavir
18175ad4ab fix(CI): Upload artifact for all machines 2024-08-04 16:13:54 +02:00
d566336d5e
feat(iso): Use default nixpkgs version 2024-07-30 11:14:35 +02:00
e0cec882d8
feat(console): Add motd with system info 2024-07-30 10:39:10 +02:00
2cb6c24535
feat(git-hooks): Update
- Patch git-hooks.nix source to rename `nixfmt` to `nixfmt-classic` and
avoid annoying warnings when reloading the shell
2024-07-30 10:36:36 +02:00
sinavir
60267b4ff6 feat: Update CI to use tvix-store 2024-07-29 14:31:42 +02:00
sinavir
c14e263b98 feat(tvix-store): Init 2024-07-29 14:31:42 +02:00
fca52e471e
fix(crabfit): Don't depend on all of google-fonts 2024-07-29 14:31:02 +02:00
be128f6c3a
feat(kadenios): Fix build of static files and restore cas.eleves.ens.fr for authens 2024-07-28 14:30:03 +02:00
1216a0a780
feat(cas-eleves): Redirect from cas-eleves.dgnum.eu to cas.eleves 2024-07-28 14:10:42 +02:00
sinavir
f6c9137850 fix(signal-irc-bridge): make it work 2024-07-20 00:45:17 +02:00
5e7a6b09ec
fix(meta): Assign null to bridge01.netbirdIp 2024-07-19 17:33:04 +02:00
sinavir
61bdf34c70 feat(signal-irc-bridge): Add dns record for file server 2024-07-19 17:27:37 +02:00
23b2a19494
feat(kadenios): Don't include dev dependencies in the environment 2024-07-19 11:24:21 +02:00
060e04118d
chore(cas.eleves): Update 2024-07-12 20:04:50 +02:00
ce64be6e79
Revert "fix(web02): Don't be too fast"
This reverts commit a6c3b42ad9.
2024-07-12 19:13:04 +02:00
8e901ab790
feat(kadenios): Update 2024-07-12 11:02:15 +02:00
a6c3b42ad9
fix(web02): Don't be too fast 2024-07-12 11:02:04 +02:00
aee4ff41df
fix(npins): Stay on a stable version 2024-07-11 15:05:22 +02:00
b1d7147d86
fix(dns): Use correct redirection 2024-07-11 11:10:50 +02:00
d35a3a623b
feat(dns): Add CNAME for traque.dgnum.eu 2024-07-11 11:06:57 +02:00
a43e10d77d
fix(npins): Update the version used 2024-07-11 10:33:01 +02:00
680682f520
feat(bridge02): Initialize and add instructions to the README 2024-07-10 17:31:04 +02:00
0e8f752d79
feat(shell): Update colmena to a version that understands sshOptions 2024-07-10 17:29:20 +02:00
4bc2ebf429 feat(web02): Switch to cas.eleves.ens.fr for the cas server 2024-07-10 14:15:24 +02:00
1bf5ad93a2 feat(kadenios): Add management script 2024-07-09 14:52:01 +02:00
954ba45281 feat(web02): Deploy kadenios on vote.dgnum.eu 2024-07-09 10:47:30 +02:00
59aaf015dd chore(cas-eleves): There is no real build phase 2024-07-09 10:46:58 +02:00
411795c664
fix(routing): clean icmp storm 2024-07-08 20:38:01 +02:00
dce439fcca
fix(shitty-oob): Drop user vlans when no-uplink 2024-07-08 20:38:00 +02:00
37a18c0347
feat(nat): Enable nat (with ip_forward) 2024-07-08 20:38:00 +02:00
a00833c682 fix(cas-eleves): Fix the build of django-cas-server 2024-07-08 16:23:12 +02:00
adf62b0534 feat(web02): Switch to nix-pkgs for python modules 2024-07-07 13:56:10 +02:00
61b2408564 feat(dns): Add vote.dgnum.eu to web02 2024-07-07 13:10:58 +02:00
7092c4e9c3 fix(attic): Don't use the same port as prometheus 2024-07-06 11:59:58 +02:00
d553d6efe7 fix(stirling-pdf): Vendor patches and update version 2024-07-06 11:36:54 +02:00
9e2b066cfc chore(npins): Update 2024-07-06 11:36:54 +02:00
9f7ddf2adf feat(nextcloud): Update collabora and settings 2024-07-05 18:44:49 +02:00
5279356835 feat(nextcloud): Upgrade to 29 2024-07-05 16:15:27 +02:00
8b3747fd22 fix(web02): Once more 2024-07-05 16:09:04 +02:00
38f6151fbb fix(web02): Don't let the CI choke 2024-07-05 15:31:57 +02:00
96e9f14e2d feat(infra): Switch to lix 2024-07-05 14:39:02 +02:00
c233a22a1a feat(web02): Switch to nixos-24.05 2024-07-05 14:38:53 +02:00
04854d24bc feat(nixpkgs): Update default version 2024-07-05 14:38:33 +02:00
sinavir
2b52c9997a fixup! feat: Upgrade machines to nixos-24.05 2024-07-05 10:54:33 +02:00
sinavir
f637ae9ea8 fixup! feat: Upgrade machines to nixos-24.05 2024-07-05 10:54:33 +02:00
ac09d221ad feat: Upgrade machines to nixos-24.05 2024-07-05 10:54:33 +02:00
7c5ed7b65a feat(cas-eleves): Update and load fixture 2024-07-04 21:29:22 +02:00
325e24f5f6 feat(cas-eleves): Update to latest version 2024-07-03 14:56:46 +02:00
5668b6bbfd feat(web02): Deploy a CAS server on cas-eleves.dgnum.eu 2024-07-02 20:54:45 +02:00
250a4b6c87 feat(meta): Add dns for cas-eleves 2024-07-02 18:04:46 +02:00
807415ae93 feat(arkheon): Update 2024-06-26 22:54:15 +02:00
0be91e4803 fix(web02): Use the correct fs configuration 2024-06-26 22:25:40 +02:00
83d8ff264d feat(web02): Reimage the node 2024-06-17 17:06:37 +02:00
1266091123 fix(iso): Use correct attribute 2024-06-17 15:33:49 +02:00
bf1eab1c5e fix(shell): Use an up to date version of nixos-generators 2024-06-17 15:33:49 +02:00
6a44aa3504 fix(meta/nodes): use the full FQDN for vault01
Otherwise, I cannot really hit it… :D

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-06-14 22:15:46 +02:00
450d862b41 feat(dns): Add a redirection for the radius service 2024-06-14 21:03:10 +02:00
1ac7ca0d99 fix(forgejo): Re-enable gravatars 2024-06-06 11:24:13 +02:00
076e6a499a feat(forgejo): Enable cron actions 2024-06-06 11:21:42 +02:00
sinavir
45b776b94e feat(banda): Add domain name 2024-06-05 11:43:23 +02:00
bc5ee80d69 style: requested changes 2024-05-26 20:50:33 +02:00
9f256186e0 feat(dhcp): drop freeRadius to use networkd 2024-05-23 14:58:37 +02:00
e9c5489bc2 feat(dhcp): dhcp configuration
limit to 300 vlans because of freeRadius limitation
2024-05-23 10:39:24 +02:00
f9250e8886 feat(k-radius): Allow to enable extra mods and sites 2024-05-23 10:39:24 +02:00
8c14c5d2c6 refactor(vlans): list vlans and their parameters in a separate file 2024-05-23 10:39:24 +02:00
f22580dd26 fix(vlans): activate things to bypass vlan limit 2024-05-23 10:39:24 +02:00
35ab7bfee3 feat(dhcp): Add DHCP on vlans
Uses networkd, maybe it's better to do it with radius, but it's simpler
2024-05-23 10:39:24 +02:00
150e741263 feat(routing): Chaque vlan a une IP différente et policyrules 2024-05-23 10:39:24 +02:00
93bf6f8baa feat: refactor du plan IP 2024-05-23 10:39:24 +02:00
2329799c87 feat(monitoring): Add adminGroup emails 2024-05-22 19:05:03 +02:00
sinavir
bfeaa18530 feat(signal-irc-bridge): init 2024-05-22 18:26:06 +02:00
d3b7481188 fix(atticd): Don't chunk NARs as garage does it automatically 2024-05-21 09:24:01 +02:00
e2de21ed18 feat(cineclub): Add redirections 2024-05-18 19:14:24 +02:00
9a1f49d0ce fix(README): Use correct link 2024-05-18 16:48:05 +02:00
9a8c182a95 feat(wp): Update cineclub address 2024-05-18 16:47:54 +02:00
1d686b740b feat(verify): Tweak error message 2024-05-15 09:58:50 +02:00
e4e44dfd00 feat(meta): Add Elias 2024-05-14 23:50:20 +02:00
947e29aa57 feat(vault01): Make the fai group admin 2024-05-14 23:48:40 +02:00
a559d2e0c0 feat(meta): Add more assertions 2024-05-14 23:47:20 +02:00
e49ab86364 fix(iso): Correctly import meta 2024-05-14 23:32:08 +02:00
aad6490bd5 feat(meta): Add assertions 2024-05-14 23:31:49 +02:00
0e7dd1ea70 feat(organization): Add external and internal services 2024-05-14 17:32:54 +02:00
01b967fff0 feat(organization): Add FAI group 2024-05-14 17:23:02 +02:00
8d2a46e538 feat(meta): Remove the ISO group 2024-05-14 17:15:55 +02:00
a63f682aeb feat(monitoring): Add admin emails 2024-05-13 23:33:36 +02:00
b732c5e9fb chore(npins): Update 2024-05-07 13:27:24 +00:00
2c88c2bad7 fix(netbox-agent): batch requests filtering on interfaces
Re-enable the service on vault01 now that it works
2024-05-07 13:29:43 +02:00
sinavir
3494f609bb fix(netbox-agent): really disable on vault01 2024-05-07 09:07:22 +02:00
sinavir
bf4bdf70df fix(netbox-agent): disable on vault01 2024-05-07 08:45:19 +02:00
sinavir
ac67107c6d fix(patches): use again netbox-agent PR 2024-05-07 08:44:46 +02:00
efee0dd7b7 feat(patches): Vendor patches and rename 2024-05-07 08:17:49 +02:00
0eb813c8bf feat(compute01): Upgrade postgres to 16.2 2024-05-01 16:01:44 +02:00
17a6e085b5 feat(dgn-console): Add perf 2024-04-28 19:16:56 +02:00
4e7b3154da feat(compute01): Add postgres config 2024-04-28 19:14:52 +02:00
ed567cf432 chore(ds-fr): Update 2024-04-24 18:53:48 +02:00
6c843bb00f fix(garage): Restore logLevel and increase TimeoutSec 2024-04-24 10:05:33 +02:00
e86edb074b fix(garage): Make the logs readable 2024-04-24 09:42:06 +02:00
sinavir
d26370514a feat(garage): add banda's website 2024-04-23 23:28:09 +02:00
sinavir
9b6536f529 feat(prometheus): monitor garage 2024-04-23 23:26:03 +02:00
3f928ce90b feat(modules): Generalize redirections 2024-04-23 22:02:04 +02:00
dd10a8e2fe feat(ups): Use netbirdIp as given in the metadata 2024-04-23 13:47:21 +02:00
4296252fcc feat(meta): Add netbird ip 2024-04-23 13:46:33 +02:00
sinavir
d5d21ec204 fix(prometheus-nut-exporter): make it work 2024-04-22 08:28:40 +02:00
1eea46b59f style: requested change 2024-04-21 23:14:53 +02:00
4d16839a10 feat(upsmon): Send mails to isp team 2024-04-21 23:14:53 +02:00
ee81052766 fix(ups): Password is a secret 2024-04-21 23:14:53 +02:00
b8d3b34122 feat(upsmon): Auto-shutdown when on batterie for too long 2024-04-21 23:14:53 +02:00
9ec9821556 feat(ups): nut_exporter and scraping 2024-04-21 23:14:53 +02:00
f9de205aad feat(upsd): Enabling upsd 2024-04-21 23:14:53 +02:00
sinavir
20d3354a4d feat: declarative probes for uptime-kuma 2024-04-21 22:45:52 +02:00
c4154e0a35 fix(plausible): Make the migration effective 2024-04-21 22:42:51 +02:00
f065db687a feat(plausible): Transfer from web01 to compute01 2024-04-21 21:50:01 +02:00
sinavir
fd6674fd5d feat: Enable sendmail setuid wrapper 2024-04-20 20:40:26 +02:00
sinavir
dc341cf611 fix: attic s3 parameters bis
Set AWS_REGION. Hope this will work
2024-04-20 20:39:48 +02:00
sinavir
12bf83f68e fix: attic s3 parameters 2024-04-20 17:47:40 +02:00
sinavir
1b29118b98 fix: mastodon smtp setup bis 2024-04-20 17:47:02 +02:00
sinavir
b26d9f752e fix: mastodon smtp setup 2024-04-20 15:40:10 +02:00
f2e4e8aa5b chore(ds-fr): Update 2024-04-20 11:04:04 +02:00
ad7ce0be7e feat(stirling-pdf): Add DGNum custom patch 2024-04-19 16:13:01 +02:00
323caed4ed feat(static): Update eleves.dgnum.eu 2024-04-19 15:36:30 +02:00
496c1ff33f feat(stirling-pdf): Default to french locale 2024-04-19 14:58:13 +02:00
dba0c88f70 feat(compute01): Deploy stirling-pdf on pdf.dgnum.eu 2024-04-19 14:40:09 +02:00
c47437116b feat(modules): Introduce per node module import from meta 2024-04-18 16:23:25 +02:00
46b550781e chore(hive): Simplify path 2024-04-18 16:06:43 +02:00
cbdbed1099 feat(infra): Add nodeMeta argument 2024-04-18 15:53:20 +02:00
f63c95e4d9 fix(ds-fr): Test3 2024-04-17 17:27:25 +02:00
e51a7b4a81 fix(ds-fr): Test2 2024-04-17 17:10:28 +02:00
ace6f1d931 fix(ds-fr): Remove cache 2024-04-17 17:06:28 +02:00
63d7d7d658 fix(ds-fr): Test 2024-04-17 16:34:30 +02:00
22ef2cf79d feat(ds-fr): Update version and workflow 2024-04-17 15:14:34 +02:00
c6691cf9f1 feat(ds-fr): Switch to new upstream packaging..... 2024-04-17 14:47:55 +02:00
sinavir
0c45a88561 fix: change prometheus retention time 2024-04-16 18:57:18 +02:00
01c2505491 feat(vault01): Add user vlans
Only the first 300 vlans are activated, 850 make it crash
2024-04-16 09:40:47 +02:00
9e75839ada feat(forgejo): Update config, and enable mail notifications 2024-04-16 09:32:32 +02:00
fe076d5ba4 chore(npins): Update 2024-04-15 16:23:01 +02:00
ee4c0ca4d6 fix(atticd): Run with less logs 2024-04-15 16:21:15 +02:00
dd4e2c62aa feat(infra): Make the gc run weekly 2024-04-15 11:36:31 +02:00
10a925021f feat(console): Upstream nsncd a les features dont on a besoin 2024-04-15 09:32:36 +02:00
eb7d4169cd fix(workflows): Enable meta check on PRs 2024-04-14 18:38:42 +02:00
93b7a242ab feat(vault01/networking): Simplify the configuration 2024-04-14 14:49:22 +02:00
sinavir
60ee43b577 feat(monitoring): Add uptime-kuma to prometheus targets 2024-04-14 01:10:10 +02:00
sinavir
c6fe6b5891 feat(monitoring): Enable node exporter on almost all nodes 2024-04-14 01:10:10 +02:00
sinavir
8e79b19101 fix(prometheus): Provide retention and scraping policy 2024-04-14 01:10:10 +02:00
sinavir
ba2284cc68 fix(netbox-agent): Increase randomized delay 2024-04-13 15:11:27 +02:00
161d9b8081 chore(npins): Update 2024-04-13 13:44:23 +02:00
75409ed0df feat(forgejo): Use package from nixos-unstable 2024-04-13 13:44:23 +02:00
199ccd4034 feat(kanidm): Update allowed domains for the CORS 2024-04-13 13:44:23 +02:00
sinavir
9826a7d8a3 fix(cache): Fix weird message when using cache command 2024-04-12 22:59:46 +02:00
sinavir
9f2165abc8 feat(ci): Cache CI results 2024-04-12 22:14:20 +02:00
sinavir
7645b6fd71 fix(attic): Change client_max_body_size 2024-04-12 19:49:27 +02:00
sinavir
d0684ead8a fix(attic): Use package from nixpkgs 2024-04-12 19:36:44 +02:00
e961fb1473 feat(static): Update interq.ens.fr 2024-04-12 11:44:49 +02:00
06ac087ab6 feat(static): Update interq.ens.fr 2024-04-11 21:50:25 +02:00
fe0b181fd9 feat(static): Update interq.ens.fr 2024-04-10 09:54:58 +02:00
84e5f4a33a fix(satosa): Use GH source 2024-04-08 23:23:25 +02:00
9eb89a03ab fix(radius): Don't lose our shit when copying files 2024-04-08 23:10:59 +02:00
e2cb4a7dca feat(k-radius): Update packages 2024-04-08 22:42:59 +02:00
ccfbc4be42 feat(radius): Move configuration from compute01 to vaul01 2024-04-08 22:21:17 +02:00
e8fde45fbf feat(apro): Add vlan apro for AP flashing 2024-04-08 16:01:29 +02:00
999817ce8b feat(ds-fr): Update dependencies 2024-04-07 21:47:22 +02:00
ac2bd4bb13 chore(npins): Update 2024-04-07 21:32:03 +02:00
3573613033 feat(web02): Don't specify a kernel version 2024-04-07 21:31:48 +02:00
d23d53d5fc feat(vault01): Disable bcachefs 2024-04-07 21:29:18 +02:00
beba4fb0f6 feat(mgmt): Add APs vlan access 2024-04-07 20:20:04 +02:00
026653218f feat(mgmt): Use IPv6 instead of IPv4 2024-04-07 20:20:04 +02:00
sinavir
adb1690b08 feat(netbox-agent): update
Add hardening to systemd unit
2024-04-07 16:27:03 +02:00
5919b75851 feat(dgn-record): Use latest arkheon 2024-04-06 16:21:21 +02:00
158e9647bd feat(netbox): Update QR-Code config 2024-04-06 00:48:34 +02:00
2e3bb99b84 feat(vault01): Add admin vlan 2024-04-06 00:02:47 +02:00
a64f5dac9e feat(static): Update interq.ens.fr 2024-04-06 00:02:09 +02:00
400e20d093 fix(patches): Update hash for the netbox-agent PR 2024-04-05 11:36:52 +02:00
812758447b feat(meta): Add README 2024-04-04 13:36:51 +02:00
bc5cc97511 fix(dns): Add comment 2024-04-04 13:36:41 +02:00
f9a34353a3 Add keys/catvayor.keys (#83)
Reviewed-on: DGNum/infrastructure#83
Co-authored-by: katvayor <catvayor@katvayor.net>
Co-committed-by: katvayor <catvayor@katvayor.net>
2024-04-04 12:49:28 +02:00
b36b0d7d67 feat(infra): Rework nixpkgs version management 2024-04-03 22:05:37 +02:00
sinavir
47d09f6ffa feat(dns): IPv4 for rescue01 2024-04-03 21:20:56 +02:00
sinavir
732ed7081d feat(monitoring): Add simple systemd monitoring 2024-04-03 21:19:28 +02:00
451 changed files with 16412 additions and 14509 deletions

1
.envrc
View file

@ -1 +1,2 @@
watch_file workflows/*
use nix

View file

@ -1,22 +1,21 @@
name: Check meta
on:
push:
paths:
- 'meta/*'
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
on:
pull_request:
branches:
- main
push:
paths:
- meta/*

View file

@ -0,0 +1,16 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
-eq 0 ]'
name: Check workflows
on:
pull_request:
branches:
- main
push:
paths:
- workflows/*

View file

@ -1,57 +0,0 @@
name: ds-fr update
on:
schedule:
# Run at 8 o'clock every day
- cron: "26 18 * * *"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

View file

@ -0,0 +1,174 @@
jobs:
ap01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: ap01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache ap01
run: nix-shell -A eval-nodes --run cache-node
bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell -A eval-nodes --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell -A eval-nodes --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell -A eval-nodes --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell -A eval-nodes --run cache-node
hypervisor01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor01
run: nix-shell -A eval-nodes --run cache-node
hypervisor02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor02
run: nix-shell -A eval-nodes --run cache-node
hypervisor03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: hypervisor03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache hypervisor03
run: nix-shell -A eval-nodes --run cache-node
netcore02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: netcore02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache netcore02
run: nix-shell -A eval-nodes --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell -A eval-nodes --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell -A eval-nodes --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell -A eval-nodes --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell -A eval-nodes --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell -A eval-nodes --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell -A eval-nodes --run cache-node
name: Build all the nodes
on:
pull_request:
branches:
- main
push:
branches:
- main

View file

@ -1,70 +0,0 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build compute01
run: |
# Enter the shell
nix-shell --run 'colmena build --on compute01'
build_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build storage01
run: |
# Enter the shell
nix-shell --run 'colmena build --on storage01'
build_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build vault01
run: |
# Enter the shell
nix-shell --run 'colmena build --on vault01'
build_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web01
run: |
# Enter the shell
nix-shell --run 'colmena build --on web01'
build_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build web02
run: |
# Enter the shell
nix-shell --run 'colmena build --on web02'
build_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build rescue01
run: |
# Enter the shell
nix-shell --run 'colmena build --on rescue01'

View file

@ -1,11 +0,0 @@
name: lint
on: push
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.

View file

@ -0,0 +1,25 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
\ --head npins-update\n fi\nfi\n"
name: npins update
on:
schedule:
- cron: 25 15 * * *

View file

@ -0,0 +1,15 @@
jobs:
pre-commit:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check stage pre-commit
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-commit --show-diff-on-failure'
- name: Check stage pre-push
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
pre-push --show-diff-on-failure'
name: Run pre-commit on all files
on:
- push
- pull_request

View file

@ -1,3 +1,9 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# Contribuer
Quelques éléments à savoir:

547
LICENSE
View file

@ -1,547 +0,0 @@
CONTRAT DE LICENCE DE LOGICIEL LIBRE CeCILL
Version 2.1 du 2013-06-21
Avertissement
Ce contrat est une licence de logiciel libre issue d'une concertation
entre ses auteurs afin que le respect de deux grands principes préside à
sa rédaction:
* d'une part, le respect des principes de diffusion des logiciels
libres: accès au code source, droits étendus conférés aux utilisateurs,
* d'autre part, la désignation d'un droit applicable, le droit
français, auquel elle est conforme, tant au regard du droit de la
responsabilité civile que du droit de la propriété intellectuelle et
de la protection qu'il offre aux auteurs et titulaires des droits
patrimoniaux sur un logiciel.
Les auteurs de la licence CeCILL (Ce[a] C[nrs] I[nria] L[ogiciel] L[ibre])
sont:
Commissariat à l'énergie atomique et aux énergies alternatives - CEA,
établissement public de recherche à caractère scientifique, technique et
industriel, dont le siège est situé 25 rue Leblanc, immeuble Le Ponant
D, 75015 Paris.
Centre National de la Recherche Scientifique - CNRS, établissement
public à caractère scientifique et technologique, dont le siège est
situé 3 rue Michel-Ange, 75794 Paris cedex 16.
Institut National de Recherche en Informatique et en Automatique -
Inria, établissement public à caractère scientifique et technologique,
dont le siège est situé Domaine de Voluceau, Rocquencourt, BP 105, 78153
Le Chesnay cedex.
Préambule
Ce contrat est une licence de logiciel libre dont l'objectif est de
conférer aux utilisateurs la liberté de modification et de
redistribution du logiciel régi par cette licence dans le cadre d'un
modèle de diffusion en logiciel libre.
L'exercice de ces libertés est assorti de certains devoirs à la charge
des utilisateurs afin de préserver ce statut au cours des
redistributions ultérieures.
L'accessibilité au code source et les droits de copie, de modification
et de redistribution qui en découlent ont pour contrepartie de n'offrir
aux utilisateurs qu'une garantie limitée et de ne faire peser sur
l'auteur du logiciel, le titulaire des droits patrimoniaux et les
concédants successifs qu'une responsabilité restreinte.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs ou des
professionnels avertis possédant des connaissances informatiques
approfondies. Les utilisateurs sont donc invités à charger et tester
l'adéquation du logiciel à leurs besoins dans des conditions permettant
d'assurer la sécurité de leurs systèmes et/ou de leurs données et, plus
généralement, à l'utiliser et l'exploiter dans les mêmes conditions de
sécurité. Ce contrat peut être reproduit et diffusé librement, sous
réserve de le conserver en l'état, sans ajout ni suppression de clauses.
Ce contrat est susceptible de s'appliquer à tout logiciel dont le
titulaire des droits patrimoniaux décide de soumettre l'exploitation aux
dispositions qu'il contient.
Une liste de questions fréquemment posées se trouve sur le site web
officiel de la famille des licences CeCILL
(http://www.cecill.info/index.fr.html) pour toute clarification qui
serait nécessaire.
Article 1 - DEFINITIONS
Dans ce contrat, les termes suivants, lorsqu'ils seront écrits avec une
lettre capitale, auront la signification suivante:
Contrat: désigne le présent contrat de licence, ses éventuelles versions
postérieures et annexes.
Logiciel: désigne le logiciel sous sa forme de Code Objet et/ou de Code
Source et le cas échéant sa documentation, dans leur état au moment de
l'acceptation du Contrat par le Licencié.
Logiciel Initial: désigne le Logiciel sous sa forme de Code Source et
éventuellement de Code Objet et le cas échéant sa documentation, dans
leur état au moment de leur première diffusion sous les termes du Contrat.
Logiciel Modifié: désigne le Logiciel modifié par au moins une
Contribution.
Code Source: désigne l'ensemble des instructions et des lignes de
programme du Logiciel et auquel l'accès est nécessaire en vue de
modifier le Logiciel.
Code Objet: désigne les fichiers binaires issus de la compilation du
Code Source.
Titulaire: désigne le ou les détenteurs des droits patrimoniaux d'auteur
sur le Logiciel Initial.
Licencié: désigne le ou les utilisateurs du Logiciel ayant accepté le
Contrat.
Contributeur: désigne le Licencié auteur d'au moins une Contribution.
Concédant: désigne le Titulaire ou toute personne physique ou morale
distribuant le Logiciel sous le Contrat.
Contribution: désigne l'ensemble des modifications, corrections,
traductions, adaptations et/ou nouvelles fonctionnalités intégrées dans
le Logiciel par tout Contributeur, ainsi que tout Module Interne.
Module: désigne un ensemble de fichiers sources y compris leur
documentation qui permet de réaliser des fonctionnalités ou services
supplémentaires à ceux fournis par le Logiciel.
Module Externe: désigne tout Module, non dérivé du Logiciel, tel que ce
Module et le Logiciel s'exécutent dans des espaces d'adressage
différents, l'un appelant l'autre au moment de leur exécution.
Module Interne: désigne tout Module lié au Logiciel de telle sorte
qu'ils s'exécutent dans le même espace d'adressage.
GNU GPL: désigne la GNU General Public License dans sa version 2 ou
toute version ultérieure, telle que publiée par Free Software Foundation
Inc.
GNU Affero GPL: désigne la GNU Affero General Public License dans sa
version 3 ou toute version ultérieure, telle que publiée par Free
Software Foundation Inc.
EUPL: désigne la Licence Publique de l'Union européenne dans sa version
1.1 ou toute version ultérieure, telle que publiée par la Commission
Européenne.
Parties: désigne collectivement le Licencié et le Concédant.
Ces termes s'entendent au singulier comme au pluriel.
Article 2 - OBJET
Le Contrat a pour objet la concession par le Concédant au Licencié d'une
licence non exclusive, cessible et mondiale du Logiciel telle que
définie ci-après à l'article 5 <#etendue> pour toute la durée de
protection des droits portant sur ce Logiciel.
Article 3 - ACCEPTATION
3.1 L'acceptation par le Licencié des termes du Contrat est réputée
acquise du fait du premier des faits suivants:
* (i) le chargement du Logiciel par tout moyen notamment par
téléchargement à partir d'un serveur distant ou par chargement à
partir d'un support physique;
* (ii) le premier exercice par le Licencié de l'un quelconque des
droits concédés par le Contrat.
3.2 Un exemplaire du Contrat, contenant notamment un avertissement
relatif aux spécificités du Logiciel, à la restriction de garantie et à
la limitation à un usage par des utilisateurs expérimentés a été mis à
disposition du Licencié préalablement à son acceptation telle que
définie à l'article 3.1 <#acceptation-acquise> ci dessus et le Licencié
reconnaît en avoir pris connaissance.
Article 4 - ENTREE EN VIGUEUR ET DUREE
4.1 ENTREE EN VIGUEUR
Le Contrat entre en vigueur à la date de son acceptation par le Licencié
telle que définie en 3.1 <#acceptation-acquise>.
4.2 DUREE
Le Contrat produira ses effets pendant toute la durée légale de
protection des droits patrimoniaux portant sur le Logiciel.
Article 5 - ETENDUE DES DROITS CONCEDES
Le Concédant concède au Licencié, qui accepte, les droits suivants sur
le Logiciel pour toutes destinations et pour la durée du Contrat dans
les conditions ci-après détaillées.
Par ailleurs, si le Concédant détient ou venait à détenir un ou
plusieurs brevets d'invention protégeant tout ou partie des
fonctionnalités du Logiciel ou de ses composants, il s'engage à ne pas
opposer les éventuels droits conférés par ces brevets aux Licenciés
successifs qui utiliseraient, exploiteraient ou modifieraient le
Logiciel. En cas de cession de ces brevets, le Concédant s'engage à
faire reprendre les obligations du présent alinéa aux cessionnaires.
5.1 DROIT D'UTILISATION
Le Licencié est autorisé à utiliser le Logiciel, sans restriction quant
aux domaines d'application, étant ci-après précisé que cela comporte:
1.
la reproduction permanente ou provisoire du Logiciel en tout ou
partie par tout moyen et sous toute forme.
2.
le chargement, l'affichage, l'exécution, ou le stockage du Logiciel
sur tout support.
3.
la possibilité d'en observer, d'en étudier, ou d'en tester le
fonctionnement afin de déterminer les idées et principes qui sont à
la base de n'importe quel élément de ce Logiciel; et ceci, lorsque
le Licencié effectue toute opération de chargement, d'affichage,
d'exécution, de transmission ou de stockage du Logiciel qu'il est en
droit d'effectuer en vertu du Contrat.
5.2 DROIT D'APPORTER DES CONTRIBUTIONS
Le droit d'apporter des Contributions comporte le droit de traduire,
d'adapter, d'arranger ou d'apporter toute autre modification au Logiciel
et le droit de reproduire le logiciel en résultant.
Le Licencié est autorisé à apporter toute Contribution au Logiciel sous
réserve de mentionner, de façon explicite, son nom en tant qu'auteur de
cette Contribution et la date de création de celle-ci.
5.3 DROIT DE DISTRIBUTION
Le droit de distribution comporte notamment le droit de diffuser, de
transmettre et de communiquer le Logiciel au public sur tout support et
par tout moyen ainsi que le droit de mettre sur le marché à titre
onéreux ou gratuit, un ou des exemplaires du Logiciel par tout procédé.
Le Licencié est autorisé à distribuer des copies du Logiciel, modifié ou
non, à des tiers dans les conditions ci-après détaillées.
5.3.1 DISTRIBUTION DU LOGICIEL SANS MODIFICATION
Le Licencié est autorisé à distribuer des copies conformes du Logiciel,
sous forme de Code Source ou de Code Objet, à condition que cette
distribution respecte les dispositions du Contrat dans leur totalité et
soit accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et que, dans le cas où seul le Code Objet du Logiciel est redistribué,
le Licencié permette un accès effectif au Code Source complet du
Logiciel pour une durée d'au moins 3 ans à compter de la distribution du
logiciel, étant entendu que le coût additionnel d'acquisition du Code
Source ne devra pas excéder le simple coût de transfert des données.
5.3.2 DISTRIBUTION DU LOGICIEL MODIFIE
Lorsque le Licencié apporte une Contribution au Logiciel, les conditions
de distribution du Logiciel Modifié en résultant sont alors soumises à
l'intégralité des dispositions du Contrat.
Le Licencié est autorisé à distribuer le Logiciel Modifié, sous forme de
code source ou de code objet, à condition que cette distribution
respecte les dispositions du Contrat dans leur totalité et soit
accompagnée:
1.
d'un exemplaire du Contrat,
2.
d'un avertissement relatif à la restriction de garantie et de
responsabilité du Concédant telle que prévue aux articles 8
<#responsabilite> et 9 <#garantie>,
et, dans le cas où seul le code objet du Logiciel Modifié est redistribué,
3.
d'une note précisant les conditions d'accès effectif au code source
complet du Logiciel Modifié, pendant une période d'au moins 3 ans à
compter de la distribution du Logiciel Modifié, étant entendu que le
coût additionnel d'acquisition du code source ne devra pas excéder
le simple coût de transfert des données.
5.3.3 DISTRIBUTION DES MODULES EXTERNES
Lorsque le Licencié a développé un Module Externe les conditions du
Contrat ne s'appliquent pas à ce Module Externe, qui peut être distribué
sous un contrat de licence différent.
5.3.4 COMPATIBILITE AVEC D'AUTRES LICENCES
Le Licencié peut inclure un code soumis aux dispositions d'une des
versions de la licence GNU GPL, GNU Affero GPL et/ou EUPL dans le
Logiciel modifié ou non et distribuer l'ensemble sous les conditions de
la même version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Le Licencié peut inclure le Logiciel modifié ou non dans un code soumis
aux dispositions d'une des versions de la licence GNU GPL, GNU Affero
GPL et/ou EUPL et distribuer l'ensemble sous les conditions de la même
version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
Article 6 - PROPRIETE INTELLECTUELLE
6.1 SUR LE LOGICIEL INITIAL
Le Titulaire est détenteur des droits patrimoniaux sur le Logiciel
Initial. Toute utilisation du Logiciel Initial est soumise au respect
des conditions dans lesquelles le Titulaire a choisi de diffuser son
oeuvre et nul autre n'a la faculté de modifier les conditions de
diffusion de ce Logiciel Initial.
Le Titulaire s'engage à ce que le Logiciel Initial reste au moins régi
par le Contrat et ce, pour la durée visée à l'article 4.2 <#duree>.
6.2 SUR LES CONTRIBUTIONS
Le Licencié qui a développé une Contribution est titulaire sur celle-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable.
6.3 SUR LES MODULES EXTERNES
Le Licencié qui a développé un Module Externe est titulaire sur celui-ci
des droits de propriété intellectuelle dans les conditions définies par
la législation applicable et reste libre du choix du contrat régissant
sa diffusion.
6.4 DISPOSITIONS COMMUNES
Le Licencié s'engage expressément:
1.
à ne pas supprimer ou modifier de quelque manière que ce soit les
mentions de propriété intellectuelle apposées sur le Logiciel;
2.
à reproduire à l'identique lesdites mentions de propriété
intellectuelle sur les copies du Logiciel modifié ou non.
Le Licencié s'engage à ne pas porter atteinte, directement ou
indirectement, aux droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs sur le Logiciel et à prendre, le cas échéant, à
l'égard de son personnel toutes les mesures nécessaires pour assurer le
respect des dits droits de propriété intellectuelle du Titulaire et/ou
des Contributeurs.
Article 7 - SERVICES ASSOCIES
7.1 Le Contrat n'oblige en aucun cas le Concédant à la réalisation de
prestations d'assistance technique ou de maintenance du Logiciel.
Cependant le Concédant reste libre de proposer ce type de services. Les
termes et conditions d'une telle assistance technique et/ou d'une telle
maintenance seront alors déterminés dans un acte séparé. Ces actes de
maintenance et/ou assistance technique n'engageront que la seule
responsabilité du Concédant qui les propose.
7.2 De même, tout Concédant est libre de proposer, sous sa seule
responsabilité, à ses licenciés une garantie, qui n'engagera que lui,
lors de la redistribution du Logiciel et/ou du Logiciel Modifié et ce,
dans les conditions qu'il souhaite. Cette garantie et les modalités
financières de son application feront l'objet d'un acte séparé entre le
Concédant et le Licencié.
Article 8 - RESPONSABILITE
8.1 Sous réserve des dispositions de l'article 8.2
<#limite-responsabilite>, le Licencié a la faculté, sous réserve de
prouver la faute du Concédant concerné, de solliciter la réparation du
préjudice direct qu'il subirait du fait du Logiciel et dont il apportera
la preuve.
8.2 La responsabilité du Concédant est limitée aux engagements pris en
application du Contrat et ne saurait être engagée en raison notamment:
(i) des dommages dus à l'inexécution, totale ou partielle, de ses
obligations par le Licencié, (ii) des dommages directs ou indirects
découlant de l'utilisation ou des performances du Logiciel subis par le
Licencié et (iii) plus généralement d'un quelconque dommage indirect. En
particulier, les Parties conviennent expressément que tout préjudice
financier ou commercial (par exemple perte de données, perte de
bénéfices, perte d'exploitation, perte de clientèle ou de commandes,
manque à gagner, trouble commercial quelconque) ou toute action dirigée
contre le Licencié par un tiers, constitue un dommage indirect et
n'ouvre pas droit à réparation par le Concédant.
Article 9 - GARANTIE
9.1 Le Licencié reconnaît que l'état actuel des connaissances
scientifiques et techniques au moment de la mise en circulation du
Logiciel ne permet pas d'en tester et d'en vérifier toutes les
utilisations ni de détecter l'existence d'éventuels défauts. L'attention
du Licencié a été attirée sur ce point sur les risques associés au
chargement, à l'utilisation, la modification et/ou au développement et à
la reproduction du Logiciel qui sont réservés à des utilisateurs avertis.
Il relève de la responsabilité du Licencié de contrôler, par tous
moyens, l'adéquation du produit à ses besoins, son bon fonctionnement et
de s'assurer qu'il ne causera pas de dommages aux personnes et aux biens.
9.2 Le Concédant déclare de bonne foi être en droit de concéder
l'ensemble des droits attachés au Logiciel (comprenant notamment les
droits visés à l'article 5 <#etendue>).
9.3 Le Licencié reconnaît que le Logiciel est fourni "en l'état" par le
Concédant sans autre garantie, expresse ou tacite, que celle prévue à
l'article 9.2 <#bonne-foi> et notamment sans aucune garantie sur sa
valeur commerciale, son caractère sécurisé, innovant ou pertinent.
En particulier, le Concédant ne garantit pas que le Logiciel est exempt
d'erreur, qu'il fonctionnera sans interruption, qu'il sera compatible
avec l'équipement du Licencié et sa configuration logicielle ni qu'il
remplira les besoins du Licencié.
9.4 Le Concédant ne garantit pas, de manière expresse ou tacite, que le
Logiciel ne porte pas atteinte à un quelconque droit de propriété
intellectuelle d'un tiers portant sur un brevet, un logiciel ou sur tout
autre droit de propriété. Ainsi, le Concédant exclut toute garantie au
profit du Licencié contre les actions en contrefaçon qui pourraient être
diligentées au titre de l'utilisation, de la modification, et de la
redistribution du Logiciel. Néanmoins, si de telles actions sont
exercées contre le Licencié, le Concédant lui apportera son expertise
technique et juridique pour sa défense. Cette expertise technique et
juridique est déterminée au cas par cas entre le Concédant concerné et
le Licencié dans le cadre d'un protocole d'accord. Le Concédant dégage
toute responsabilité quant à l'utilisation de la dénomination du
Logiciel par le Licencié. Aucune garantie n'est apportée quant à
l'existence de droits antérieurs sur le nom du Logiciel et sur
l'existence d'une marque.
Article 10 - RESILIATION
10.1 En cas de manquement par le Licencié aux obligations mises à sa
charge par le Contrat, le Concédant pourra résilier de plein droit le
Contrat trente (30) jours après notification adressée au Licencié et
restée sans effet.
10.2 Le Licencié dont le Contrat est résilié n'est plus autorisé à
utiliser, modifier ou distribuer le Logiciel. Cependant, toutes les
licences qu'il aura concédées antérieurement à la résiliation du Contrat
resteront valides sous réserve qu'elles aient été effectuées en
conformité avec le Contrat.
Article 11 - DISPOSITIONS DIVERSES
11.1 CAUSE EXTERIEURE
Aucune des Parties ne sera responsable d'un retard ou d'une défaillance
d'exécution du Contrat qui serait dû à un cas de force majeure, un cas
fortuit ou une cause extérieure, telle que, notamment, le mauvais
fonctionnement ou les interruptions du réseau électrique ou de
télécommunication, la paralysie du réseau liée à une attaque
informatique, l'intervention des autorités gouvernementales, les
catastrophes naturelles, les dégâts des eaux, les tremblements de terre,
le feu, les explosions, les grèves et les conflits sociaux, l'état de
guerre...
11.2 Le fait, par l'une ou l'autre des Parties, d'omettre en une ou
plusieurs occasions de se prévaloir d'une ou plusieurs dispositions du
Contrat, ne pourra en aucun cas impliquer renonciation par la Partie
intéressée à s'en prévaloir ultérieurement.
11.3 Le Contrat annule et remplace toute convention antérieure, écrite
ou orale, entre les Parties sur le même objet et constitue l'accord
entier entre les Parties sur cet objet. Aucune addition ou modification
aux termes du Contrat n'aura d'effet à l'égard des Parties à moins
d'être faite par écrit et signée par leurs représentants dûment habilités.
11.4 Dans l'hypothèse où une ou plusieurs des dispositions du Contrat
s'avèrerait contraire à une loi ou à un texte applicable, existants ou
futurs, cette loi ou ce texte prévaudrait, et les Parties feraient les
amendements nécessaires pour se conformer à cette loi ou à ce texte.
Toutes les autres dispositions resteront en vigueur. De même, la
nullité, pour quelque raison que ce soit, d'une des dispositions du
Contrat ne saurait entraîner la nullité de l'ensemble du Contrat.
11.5 LANGUE
Le Contrat est rédigé en langue française et en langue anglaise, ces
deux versions faisant également foi.
Article 12 - NOUVELLES VERSIONS DU CONTRAT
12.1 Toute personne est autorisée à copier et distribuer des copies de
ce Contrat.
12.2 Afin d'en préserver la cohérence, le texte du Contrat est protégé
et ne peut être modifié que par les auteurs de la licence, lesquels se
réservent le droit de publier périodiquement des mises à jour ou de
nouvelles versions du Contrat, qui posséderont chacune un numéro
distinct. Ces versions ultérieures seront susceptibles de prendre en
compte de nouvelles problématiques rencontrées par les logiciels libres.
12.3 Tout Logiciel diffusé sous une version donnée du Contrat ne pourra
faire l'objet d'une diffusion ultérieure que sous la même version du
Contrat ou une version postérieure, sous réserve des dispositions de
l'article 5.3.4 <#compatibilite>.
Article 13 - LOI APPLICABLE ET COMPETENCE TERRITORIALE
13.1 Le Contrat est régi par la loi française. Les Parties conviennent
de tenter de régler à l'amiable les différends ou litiges qui
viendraient à se produire par suite ou à l'occasion du Contrat.
13.2 A défaut d'accord amiable dans un délai de deux (2) mois à compter
de leur survenance et sauf situation relevant d'une procédure d'urgence,
les différends ou litiges seront portés par la Partie la plus diligente
devant les Tribunaux compétents de Paris.

View file

@ -0,0 +1,155 @@
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensors permission is not necessary for any reasonfor example, because of any applicable exception or limitation to copyrightthen that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
Section 1 Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
k. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
Section 2 Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.
A. Offer from the Licensor Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
Section 3 License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Section 4 Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
Section 8 Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at creativecommons.org.

121
LICENSES/CC0-1.0.txt Normal file
View file

@ -0,0 +1,121 @@
Creative Commons Legal Code
CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.
For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:
i. the right to reproduce, adapt, distribute, perform, display,
communicate, and translate a Work;
ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
likeness depicted in a Work;
iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;
v. rights protecting the extraction, dissemination, use and reuse of data
in a Work;
vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation
thereof, including any amended or successor version of such
directive); and
vii. other similar, equivalent or corresponding rights throughout the
world based on applicable law or treaty, and any national
implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.
4. Limitations and Disclaimers.
a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.
b. Affirmer offers the Work as-is and makes no representations or
warranties of any kind concerning the Work, express, implied,
statutory or otherwise, including without limitation warranties of
title, merchantability, fitness for a particular purpose, non
infringement, or the absence of latent or other defects, accuracy, or
the present or absence of errors, whether or not discoverable, all to
the greatest extent permissible under applicable law.
c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without
limitation any person's Copyright and Related Rights in the Work.
Further, Affirmer disclaims responsibility for obtaining any necessary
consents, permissions or other rights required for any use of the
Work.
d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to
this CC0 or use of the Work.

190
LICENSES/EUPL-1.2.txt Normal file
View file

@ -0,0 +1,190 @@
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the EUPL) applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
The Licence:this Licence.
The Original Work:the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
Derivative Works:the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
The Work:the Original Work or its Derivative Works.
The Source Code:the human-readable form of the Work which is the most convenient for people to study and
modify.
The Executable Code:any code which has generally been compiled and which is meant to be interpreted by
a computer as a program.
The Licensor:the natural or legal person that distributes or communicates the Work under the Licence.
Contributor(s):any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
The Licensee or You:any natural or legal person who makes any usage of the Work under the terms of the
Licence.
Distribution or Communication:any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstance and for all usage,
— reproduce the Work,
— modify the Work, and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example by communicating
EUPL v. 1.2 only. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, Compatible Licence refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
and may therefore contain defects or bugs inherent to this type of development.
For the above reason, the Work is provided under the Licence on an as is basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon I agree placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
and the way it may be accessible, concluded, stored and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides or has his registered office,
— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
a European Union Member State.
Appendix
Compatible Licences according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

9
LICENSES/MIT.txt Normal file
View file

@ -0,0 +1,9 @@
MIT License
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

118
README.md
View file

@ -1,8 +1,124 @@
<!--
SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
# ❄️ infrastructure
The dgnum infrastructure.
# Contributing
Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Using the binary cache
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
```
{ lib, ... }:
let
dgnum-infra = PINNED_PATH_TO_INFRA;
in {
nix.settings = (import dgnum-infra { }).mkCacheSettings {
caches = [ "infra" ];
};
}
```
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
(import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02
]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.

42
REUSE.toml Normal file
View file

@ -0,0 +1,42 @@
version = 1
[[annotations]]
SPDX-FileCopyrightText = "NONE"
SPDX-License-Identifier = "CC0-1.0"
path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = [".forgejo/workflows/*"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
SPDX-License-Identifier = "EUPL-1.2"
path = ["patches/nixpkgs/06-netbox-qrcode.patch"]
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
SPDX-License-Identifier = "MIT"
path = "lib/colmena/*"
precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
SPDX-License-Identifier = "EUPL-1.2"
path = "**/npins/*"
precedence = "closest"

View file

@ -1,62 +1,137 @@
/*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
*/
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
}:
let
sources = import ./npins;
pkgs = import sources.nixpkgs { };
inherit (pkgs.lib)
isFunction
mapAttrs
mapAttrs'
nameValuePair
removeSuffix
;
pre-commit-check = (import sources.pre-commit-hooks).run {
nix-reuse = import sources.nix-reuse { inherit pkgs; };
git-checks = (import sources.git-hooks).run {
src = ./.;
hooks = {
# Nix Hooks
statix.enable = true;
deadnix.enable = true;
rfc101 = {
statix = {
enable = true;
name = "RFC-101 formatting";
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
files = "\\.nix$";
stages = [ "pre-push" ];
settings.ignore = [
"**/lon.nix"
"**/npins"
];
};
deadnix = {
enable = true;
stages = [ "pre-push" ];
};
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
package = pkgs.nixfmt-rfc-style;
};
reuse = nix-reuse.hook {
enable = true;
stages = [ "pre-push" ];
};
# Misc Hooks
commitizen.enable = true;
};
};
reuse = nix-reuse.install {
defaultLicense = "EUPL-1.2";
defaultCopyright = "La Délégation Générale Numérique <contact@dgnum.eu>";
downloadLicenses = true;
generatedPaths = [
"**/.envrc"
"**/Cargo.lock"
"**/_hardware-configuration.nix"
".gitignore"
"REUSE.toml"
"shell.nix"
];
annotations = [
# Auto-generated workflow files using nix-actions
{ path = [ ".forgejo/workflows/*" ]; }
# Secrets
{
path = [
"machines/**/secrets/*"
"modules/nixos/dgn-backups/keys/*"
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
"modules/nixos/dgn-notify/mail"
"modules/nixos/dgn-records/__arkheon-token_file"
];
license = "CC-BY-NC-ND-4.0";
}
# Patches
{
path = [
"machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
"patches/nixpkgs/03-crabfit-karla.patch"
"patches/nixpkgs/05-netbird-relay.patch"
];
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
}
{
path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
}
# colmena wrapper
{
path = "lib/colmena/*";
license = "MIT";
}
# npins generated files
{
path = "**/npins/*";
license = "EUPL-1.2";
copyright = "The [npins](https://github.com/andir/npins) contributors";
}
];
};
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
scripts = import ./scripts { inherit pkgs sources; };
in
{
@ -66,37 +141,45 @@ in
dns = import ./meta/dns.nix;
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
packages =
(
with pkgs;
[
npins
nixos-generators
]
++ (builtins.map (p: callPackage p { }) [
(sources.disko + "/package.nix")
./lib/colmena
])
)
++ (import ./scripts { inherit pkgs; });
devShell = pkgs.mkShell {
name = "dgnum-infra";
shellHook = ''
${pre-commit-check.shellHook}
'';
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = sources.nixos-generators;
}))
pkgs.npins
preferLocalBuild = true;
};
# SSO testing
pkgs.kanidm
pkgs.freeradius
pkgs.picocom # for serial access
pre-commit = pkgs.mkShell {
name = "pre-commit-shell";
(pkgs.callPackage ./lib/colmena {
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
})
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
shellHook = ''
${pre-commit-check.shellHook}
'';
shellHook = ''
${git-checks.shellHook}
${workflows.shellHook}
${reuse.shellHook}
'';
preferLocalBuild = true;
###
# Alternative shells
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
pre-commit.shellHook = git-checks.shellHook;
check-workflows.shellHook = workflows.shellHook;
eval-nodes.packages = [ scripts.cache-node ];
};
};
}

237
hive.nix
View file

@ -1,81 +1,222 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
sources = import ./npins;
sources' = import ./npins;
lib = import (sources.nix-lib + "/src/trivial.nix");
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
patch = import sources.nix-patches { patchFile = ./patches; };
nix-lib = import ./lib/nix-lib;
inherit (nix-lib) mapSingleFuse;
nodes' = import ./meta/nodes.nix;
patch = import ./lib/nix-patches { patchFile = ./patches; };
nodes' = import ./meta/nodes;
nodes = builtins.attrNames nodes';
mkNode = node: {
# Import the base configuration for each node
imports = builtins.map (lib.mkRel (./machines/${node})) [
"_configuration.nix"
"_hardware-configuration.nix"
];
deployment.systemType = system node;
};
mkPatchedNixpkgs =
version:
patch.mkNixpkgsSrc {
src = sources.${version};
inherit version;
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions × systems, instanciated
nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs.version;
system = node: nodes'.${node}.nixpkgs.system;
category = node: nixpkgs'.categories.${system node};
nodePkgs = node: nixpkgs.${system node}.${version node};
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
};
mkNixpkgs = version: import (mkPatchedNixpkgs version) { };
# Build up the nixpkgs configuration for Liminix embedded systems
mkLiminixConfig =
system: _:
(import "${sources.liminix}/devices/${system}").system
// {
overlays = [ (import "${sources.liminix}/overlay.nix") ];
config = {
allowUnsupportedSystem = true; # mipsel
permittedInsecurePackages = [
"python-2.7.18.8" # Python < 3.x is needed for kernel backports.
];
};
};
mkNixpkgsVersion = node: "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
# Build up the arguments to instantiate a nixpkgs given a system and a version.
mkNixpkgsConfig =
system:
{
nixos = _: { };
zyxel-nwa50ax = mkLiminixConfig system;
netconf = _: { };
}
.${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
# Instanciates the required nixpkgs version
mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = import sources.nix-lib {
inherit (mkNixpkgs (mkNixpkgsVersion node)) lib;
keysRoot = ./keys;
lib = sourcePkgs.lib // {
extra = nix-lib;
};
sourcePkgs = nodePkgs node;
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
nodePath = "machines/${category node}/${node}";
};
in
# nodes = builtins.attrNames metadata.nodes;
{
meta = {
nodeNixpkgs = lib.mapSingleFuse (n: mkNixpkgs (mkNixpkgsVersion n)) nodes;
nixpkgs = import nixpkgs.nixos.unstable.path;
nodeNixpkgs = mapSingleFuse nodePkgs nodes;
specialArgs = {
inherit sources;
inherit mkNixpkgs;
inherit nixpkgs sources;
dgn-keys = import ./keys;
};
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
nodeSpecialArgs = mapSingleFuse mkArgs nodes;
};
defaults =
{ meta, name, ... }:
{
# Import the default modules
imports = [ ./modules ];
registry = {
zyxel-nwa50ax = {
evalConfig =
args:
(import "${sources.liminix}/lib/eval-config.nix" {
nixpkgs = args.specialArgs.sourcePkgs.path;
})
args;
# Include default secrets
age-secrets.sources = [ (./machines + "/${name}/secrets") ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (meta.nodes.${name}) deployment;
# Set NIX_PATH to the patched version of nixpkgs
nix.nixPath = [ "nixpkgs=${mkPatchedNixpkgs (mkNixpkgsVersion name)}" ];
nix.optimise.automatic = true;
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (meta.nodes.${name}) stateVersion;
};
defaults =
{ name, nodePath, ... }:
{
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}/_configuration.nix
./modules/generic
./modules/${category name}
];
# It's impure, but who cares?
# Can Flakes even do that? :)
nixpkgs.buildPlatform = builtins.currentSystem;
};
};
netconf = {
evalConfig = nixpkgs.nixos.unstable.lib.evalModules;
defaults =
{
name,
nodeMeta,
nodePath,
...
}:
{
_module.args = {
pkgs = nixpkgs.nixos.unstable;
};
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}.nix
./modules/netconf
./lib/netconf-junos
"${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
];
system.host-name = name;
inherit (nodeMeta) deployment;
};
};
nixos = {
evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args;
defaults =
{
lib,
name,
nodes,
nodeMeta,
nodePath,
meta,
sourcePkgs,
...
}:
{
# Import the default modules
imports = [
# Import the base configuration for each node
./${nodePath}/_configuration.nix
./modules/generic
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
./modules/${category name}
];
_module.args.serverNodes = lib.filterAttrs (
name: _: meta.nodes.${name}.nixpkgs.system == "nixos"
) nodes;
# Include default secrets
age-secrets.sources = [ ./${nodePath}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${builtins.storePath sourcePkgs.path}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
settings =
{
substituters = [ "https://tvix-store.dgnum.eu/infra" ];
}
// (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
caches = [ "infra" ];
});
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (nodeMeta) stateVersion;
};
};
};
};
}
// (lib.mapSingleFuse mkNode nodes)
// (mapSingleFuse mkNode nodes)

6
iso/build-iso.sh Executable file → Normal file
View file

@ -1,5 +1,9 @@
#!/usr/bin/env bash
NIXPKGS=$(nix-build nixpkgs.nix)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

View file

@ -1,9 +1,13 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
let
dgn-lib = import ../lib { };
dgn-keys = import ../keys;
dgn-members = (import ../meta).members.groups.iso;
dgn-members = (import ../meta lib).organization.groups.root;
in
{
@ -11,7 +15,7 @@ in
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
kernelPackages = pkgs.linuxPackages_6_1;
kernelPackages = pkgs.linuxPackages_latest;
tmp.cleanOnBoot = true;
loader = {
@ -22,6 +26,7 @@ in
supportedFilesystems = [
"exfat"
"zfs"
"bcachefs"
];
swraid.enable = lib.mkForce false;
@ -33,7 +38,5 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
}

View file

@ -1 +1,7 @@
<!--
SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
SPDX-License-Identifier: EUPL-1.2
-->
Script pour installer automatiquement NixOS sur les machines de la DGNum

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let

View file

@ -1,3 +1,7 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
bootDevice=
rootDevice=

View file

@ -1,5 +1,10 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
inherit (import ../npins) nixpkgs;
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";
in
(import nixpkgs { }).srcOnly {

101
keys/default.nix Normal file
View file

@ -0,0 +1,101 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
_sources = import ../npins;
meta = import ../meta (import _sources.nixpkgs { }).lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
hypervisor01 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
];
hypervisor02 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
];
hypervisor03 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
# SSH keys of the DGNum members
agroudiev = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
];
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
cst1 = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}

View file

@ -1,2 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

View file

@ -1,2 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=

View file

@ -1,2 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm

View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris

View file

@ -1,3 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

View file

@ -1,3 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn

View file

@ -1,33 +0,0 @@
_:
let
sources = import ../npins;
lib = import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
keysRoot = ../keys;
};
meta = import ../meta lib;
inherit (lib.extra) getAllKeys;
in
lib.extra
// rec {
# Get publickeys associated to a node
getNodeKeys =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (getAllKeys names);
rootKeys = getAllKeys meta.organization.groups.root;
machineKeys =
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
}

View file

@ -0,0 +1,116 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
lib,
pkgs,
name,
...
}:
let
inherit (lib) mapAttrs mkOption;
inherit (lib.types)
attrsOf
bool
str
any
submodule
package
;
mandatory.options = {
supportPoE = mkOption {
type = bool;
example = true;
description = ''
Whether this interface supports PoE.
'';
};
};
in
{
imports = [
./interfaces.nix
./poe.nix
./protocols.nix
./system.nix
./vlans.nix
];
options = {
# Hack because of this https://git.dgnum.eu/DGNum/colmena/src/commit/71b1b660f2cda2e34e134d0028cafbd56bb22008/src/nix/hive/eval.nix#L166 which defines nixpkgs option but we don't have it here. What about liminix ?
nixpkgs = mkOption {
type = attrsOf any;
default = { };
};
netconf = {
xmls.configuration = mkOption {
type = str;
readOnly = true;
description = ''
The full configuration to send to a JunOS.
'';
};
mandatoryInterfaces = mkOption {
type = attrsOf (submodule mandatory);
example = {
"ge-0/0/0" = {
supportPoE = true;
};
"ge-0/0/1" = {
supportPoE = true;
};
"xe-0/0/0" = {
supportPoE = false;
};
};
description = ''
JunOS require some interfaces to always be configured (even if they are disabled),
which correspond to physical interfaces of the switch. They have to be declared here
with some information about it (only if it supports PoE for now).
'';
};
rpc = mkOption {
type = package;
readOnly = true;
};
};
};
config = {
interfaces =
let
mkIntf = _: _: { };
in
mapAttrs mkIntf config.netconf.mandatoryInterfaces;
netconf = {
xmls.configuration = with config.netconf.xmls; ''
<configuration>
${system}
${interfaces}
${protocols}
${vlans}
${poe}
</configuration>
'';
rpc = pkgs.writeText "${name}.rpc" ''
<rpc>
<edit-config>
<config>
${config.netconf.xmls.configuration}
</config>
<target>
<candidate/>
</target>
</edit-config>
</rpc>
<rpc>
<commit/>
</rpc>
'';
};
};
}

View file

@ -0,0 +1,172 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
enum
ints
listOf
str
submodule
;
interface =
{ name, config, ... }:
let
unit =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "this logical interface" // {
default = true;
example = false;
};
family = {
ethernet-switching = {
enable = mkEnableOption "the ethernet switching on this logical interface";
interface-mode = mkOption {
type = enum [
"trunk"
"access"
];
description = ''
Mode of operation for vlan addressing of this interface.
"trunk" means that the traffic is tagged, "access" means the
traffic is tagged by the switch.
'';
};
vlans = mkOption {
type = listOf (either str ints.unsigned);
default = [ ];
description = ''
Vlans that can be used on this interface.
Only one ID should be here for "access" mode of operation.
'';
};
};
#TODO : DHCP
inet = {
enable = mkEnableOption "the IPv4 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv4 addresses of this interface.
'';
};
};
inet6 = {
enable = mkEnableOption "the IPv6 configuration of this logical interface";
addresses = mkOption {
type = listOf str;
default = [ ];
description = ''
ipv6 addresses of this interface.
'';
};
};
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
members = map (
vlan: "<members>${builtins.toString vlan}</members>"
) config.family.ethernet-switching.vlans;
eth = optionalString config.family.ethernet-switching.enable ''
<ethernet-switching>
<interface-mode>${config.family.ethernet-switching.interface-mode}</interface-mode>
<vlan>${builtins.concatStringsSep "" members}</vlan>
<storm-control><profile-name>default</profile-name></storm-control>
</ethernet-switching>
'';
addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
inet = optionalString config.family.inet.enable ''
<inet>
<address>${builtins.concatStringsSep "" addr4}</address>
</inet>
'';
addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
inet6 = optionalString config.family.inet6.enable ''
<inet6>
<address>${builtins.concatStringsSep "" addr6}</address>
</inet6>
'';
in
''
<unit>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
<family>
${eth}${inet}${inet6}
</family>
</unit>'';
};
in
{
options = {
enable = mkEnableOption "this physical interface";
unit = mkOption {
type = attrsOf (submodule unit);
default = { };
description = ''
Configuration of the logical interfaces on this physical interface.
'';
};
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml =
let
units = mapAttrsToList (_: unit: unit.xml) config.unit;
in
''
<interface>
<name>${name}</name>
${optionalString (!config.enable) "<disable/>"}
${builtins.concatStringsSep "" units}
</interface>
'';
};
in
{
options = {
interfaces = mkOption {
type = attrsOf (submodule interface);
description = ''
The interfaces configuration.
'';
};
netconf.xmls.interfaces = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.interfaces = ''
<interfaces operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.interfaces)}
</interfaces>
'';
}

53
lib/netconf-junos/poe.nix Normal file
View file

@ -0,0 +1,53 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
mapAttrsToList
mkEnableOption
mkOption
optionalString
;
inherit (lib.types) attrsOf str submodule;
interface-module =
{ name, config, ... }:
{
options = {
enable = mkEnableOption "the PoE for this interface";
xml = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.xml = ''
<interface><name>${name}</name>${optionalString (!config.enable) "<disable/>"}</interface>
'';
};
in
{
options = {
poe.interfaces = mkOption {
type = attrsOf (submodule interface-module);
default = { };
description = ''
PoE configuration of interfaces.
'';
};
netconf.xmls.poe = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.poe = ''
<poe operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.poe.interfaces)}
</poe>
'';
}

View file

@ -0,0 +1,37 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib) concatMapStringsSep mkOption;
inherit (lib.types) listOf str;
in
{
options = {
protocols.rstp = mkOption {
type = listOf str;
description = ''
List of interfaces on which Rapid Spanning Tree Protocol should be enabled.
'';
};
netconf.xmls.protocols = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.protocols = ''
<protocols>
<rstp operation="replace">
${
concatMapStringsSep "" (intf: "<interface><name>${intf}</name></interface>") config.protocols.rstp
}
</rstp>
</protocols>
'';
}

View file

@ -0,0 +1,95 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
concatStrings
concatStringsSep
filter
hasPrefix
length
mkOption
splitString
;
inherit (lib.types)
enum
listOf
port
str
;
in
{
options = {
system = {
host-name = mkOption {
type = str;
description = "The hostname of the switch.";
};
root-authentication = {
hashedPasswd = mkOption {
type = str;
description = "Hashed password for root.";
};
ssh-keys = mkOption {
type = listOf str;
description = "ssh keys for root user.";
default = [ ];
};
};
services = {
ssh.root-login = mkOption {
type = enum [
"allow"
"deny"
"deny-password"
];
description = "Login policy to use for root.";
};
netconf.port = mkOption {
type = port;
description = "Port to use for netconf.";
default = 830;
};
};
};
netconf.xmls.system = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.system =
let
ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys;
ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1;
ssh-keys = map (concatStringsSep " ") ssh-keys2;
edsca = map (key: "<ssh-edsca><name>${key}</name></ssh-edsca>") (
filter (hasPrefix "ssh-edsca ") ssh-keys
);
rsa = map (key: "<ssh-rsa><name>${key}</name></ssh-rsa>") (filter (hasPrefix "ssh-rsa ") ssh-keys);
ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
filter (hasPrefix "ssh-ed25519 ") ssh-keys
);
in
''
<system>
<host-name operation="replace">${config.system.host-name}</host-name>
<root-authentication operation="replace">
<encrypted-password>${config.system.root-authentication.hashedPasswd}</encrypted-password>
${concatStrings (edsca ++ rsa ++ ed25519)}
</root-authentication>
<services operation="replace">
<ssh><root-login>${config.system.services.ssh.root-login}</root-login></ssh>
<netconf>
<ssh><port>${toString config.system.services.netconf.port}</port></ssh>
<rfc-compliant/><yang-compliant/>
</netconf>
</services>
</system>
'';
}

135
lib/netconf-junos/vlans.nix Normal file
View file

@ -0,0 +1,135 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, lib, ... }:
let
inherit (lib)
assertMsg
concatStringsSep
mapAttrsToList
mkOption
optionalString
;
inherit (lib.types)
attrsOf
either
ints
listOf
nullOr
str
submodule
unspecified
;
vlan =
{ name, config, ... }:
{
options = {
id = mkOption {
type = nullOr ints.unsigned;
default = null;
description = ''
The ID of this vlan, `null` means no ID.
Incompatible with vlans.${name}.id-list.
'';
};
id-list = mkOption {
type =
let
range_type =
{ config, ... }:
{
config.__toString = _: "${toString config.begin}-${toString config.end}";
options = {
begin = mkOption {
type = ints.unsigned;
visible = false;
};
end = mkOption {
type = ints.unsigned;
visible = false;
};
__toString = mkOption {
visible = false;
internal = true;
readOnly = true;
type = unspecified;
};
};
};
in
listOf (either ints.unsigned (submodule range_type));
default = [ ];
example = [
42
{
begin = 100;
end = 200;
}
];
description = ''
List of IDs or IDs range to classify as this vlan.
Incompatible with vlans.${name}.id.
'';
};
l3-interface = mkOption {
type = nullOr str;
default = null;
example = "irb.0";
description = ''
Switch's logical interface to connect directly to this vlan.
This allows to communicate with the switch from a vlan without
having a cable looping back on it's management interface.
'';
};
xml = mkOption {
type = str;
readOnly = true;
visible = false;
};
};
config.xml =
let
id = optionalString (config.id != null) "<vlan-id>${toString config.id}</vlan-id>";
id-list = concatStringsSep "" (
map (vlan: "<vlan-id-list>${toString vlan}</vlan-id-list>") config.id-list
);
l3-intf = optionalString (
config.l3-interface != null
) "<l3-interface>${config.l3-interface}</l3-interface>";
in
assert assertMsg (
config.id == null || config.id-list == [ ]
) "vlans.${name}.id and vlans.${name}.id-list are incompatible.";
''
<vlan>
<name>${name}</name>
${id}${id-list}${l3-intf}
</vlan>
'';
};
in
{
options = {
vlans = mkOption {
type = attrsOf (submodule vlan);
description = ''
Named vlans configuration. Allows to name vlans inside interface configuration,
instead of just using their IDs.
'';
};
netconf.xmls.vlans = mkOption {
type = str;
visible = false;
readOnly = true;
};
};
config.netconf.xmls.vlans = ''
<vlans operation="replace">
${builtins.concatStringsSep "" (mapAttrsToList (_: vlan: vlan.xml) config.vlans)}
</vlans>
'';
}

176
lib/nix-lib/default.nix Normal file
View file

@ -0,0 +1,176 @@
# Copyright Tom Hubrecht, (2023)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec {
inherit (import ./nixpkgs.nix)
flip
hasPrefix
recursiveUpdate
splitString
unique
warn
;
/*
Fuses a list of attribute sets into a single attribute set.
Type: [attrs] -> attrs
Example:
x = [ { a = 1; } { b = 2; } ]
fuseAttrs x
=> { a = 1; b = 2; }
*/
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
/*
Applies a function to `attrsList` before fusing the resulting list
of attribute sets.
Type: ('a -> attrs) -> ['a] -> attrs
Example:
x = [ "to" "ta" "ti" ]
f = s: { ${s} = s + s; }
mapFuse f x
=> { to = "toto"; ta = "tata"; ti = "titi"; }
*/
mapFuse =
# 'a -> attrs
f:
# ['a]
attrsList:
fuseAttrs (builtins.map f attrsList);
/*
Equivalent of lib.singleton but for an attribute set.
Type: str -> 'a -> attrs
Example:
singleAttr "a" 1
=> { a = 1; }
*/
singleAttr = name: value: { ${name} = value; };
# Enables a list of modules.
enableAttrs' =
enable:
mapFuse (m: {
${m}.${enable} = true;
});
enableModules = enableAttrs' "enable";
/*
Create an attribute set from a list of values, mapping those
values through the function `f`.
Example:
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
=> { a = "val-a"; b = "val-b" }
*/
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
/*
Creates a relative path as a string
Type: path -> str -> path
Example:
mkRel /home/test/ "file.txt"
=> "/home/test/file.txt"
*/
mkRel = path: file: path + "/${file}";
setDefault =
default:
mapFuse (name: {
${name} = default;
});
mkBaseSecrets =
root:
mapFuse (secret: {
${secret}.file = mkRel root secret;
});
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
subAttr = attrs: name: attrs.${name};
subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together.
Type: [attrs] -> attrs
*/
recursiveFuse = builtins.foldl' recursiveUpdate { };
mkImport =
root: file:
let
path = mkRel root file;
in
path + (optionalString (!(builtins.pathExists path)) ".nix");
mkImports = root: builtins.map (mkImport root);
/*
Creates a confugiration by merging enabled modules,
services and extraConfig.
Example:
mkConfig {
enabledModules = [ "ht-defaults" ];
enabledServices = [ "toto" ];
extraConfig = { services.nginx.enable = true; };
root = ./.;
}
=>
{
imports = [ ./toto ];
ht-defaults.enable = true;
services.nginx.enable = true;
}
*/
mkConfig =
{
# List of modules to enable with `enableModules`
enabledModules,
# List of services to import
enabledServices,
# Extra configuration, defaults to `{ }`
extraConfig ? { },
# Path relative to which the enabled services will be imported
root,
}:
recursiveFuse [
(enableModules enabledModules)
{
imports =
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
}
(removeAttrs extraConfig [ "imports" ])
];
}

466
lib/nix-lib/nixpkgs.nix Normal file
View file

@ -0,0 +1,466 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
/**
`warn` *`message`* *`value`*
Print a warning before returning the second argument.
See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
# Inputs
*`message`* (String)
: Warning message to print before evaluating *`value`*.
*`value`* (any value)
: Value to return as-is.
# Type
```
String -> a -> a
```
*/
warn =
# Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
builtins.warn or (
let
mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
"1"
"true"
"yes"
];
in
# Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
msg: v:
# `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
assert builtins.isString msg;
if mustAbort then
builtins.trace "evaluation warning: ${msg}" (
abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
)
else
builtins.trace "evaluation warning: ${msg}" v
);
}

View file

@ -0,0 +1,85 @@
# Copyright Tom Hubrecht, (2023-2024)
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
patchFile,
excludeGitHubManual ? true,
fetchers ? { },
}:
rec {
base =
{ pkgs }:
rec {
mkUrlPatch =
attrs:
pkgs.fetchpatch (
{
hash = pkgs.lib.fakeHash;
}
// attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
})
);
mkGitHubPatch =
{ id, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "id" ])
// {
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
}
);
mkCommitPatch =
{ sha, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "sha" ])
// {
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
}
);
patchFunctions = {
commit = mkCommitPatch;
github = mkGitHubPatch;
remote = pkgs.fetchpatch;
static = attrs: attrs.path;
url = mkUrlPatch;
} // fetchers;
mkPatch =
{
_type ? "github",
...
}@attrs:
if builtins.hasAttr _type patchFunctions then
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
else
throw "Unknown patch type: ${builtins.toString _type}.";
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
applyPatches =
{
src,
name,
patches ? mkPatches name,
}:
if patches == [ ] then
src
else
pkgs.applyPatches {
inherit patches src;
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
}

View file

@ -1,421 +0,0 @@
# Copyright Tom Hubrecht, (2023)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is a computer program whose purpose is to configure
# machines and servers with NixOS.
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mdDoc
mkDefault
mkEnableOption
mkIf
mkOption
optional
optionalString
types
;
cfg = config.services.demarches-simplifiees;
settingsFormat = pkgs.formats.keyValue { };
env = settingsFormat.generate "ds-fr-env" cfg.settings;
ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
set -a
cd ${cfg.package}
${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
source ${env}
BIN="$1"
shift
SUDO="exec"
if [[ $USER != ${cfg.user} ]]; then
SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
fi
$SUDO ${cfg.package}/bin/$BIN "$@"
'';
in
{
options.services.demarches-simplifiees = {
enable = mkEnableOption "demarches-simplifiees.";
package = mkOption {
type = types.package;
default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
};
user = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "User account under which DS runs.";
};
group = mkOption {
type = types.str;
default = "ds-fr";
description = mdDoc "Group account under which DS runs.";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/ds-fr";
};
logDir = mkOption {
type = types.str;
default = "/var/log/ds-fr";
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
};
settings = mkOption { inherit (settingsFormat) type; };
initialDeploymentDate = mkOption {
type = types.nullOr types.str;
default = null;
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ ds-fr ];
systemd.tmpfiles.rules = [
"f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
"f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
"d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
];
systemd.services = {
ds-fr-setup = {
description = "Demarches Simplifiees setup";
wantedBy = [ "multi-user.target" ];
path = [
pkgs.bash
ds-fr
];
after = [ "postgresql.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
script = ''
[[ ! -f ${cfg.dataDir}/.initial-migration ]] \
&& ds-fr rails db:environment:set \
&& ds-fr rails db:schema:load \
&& ds-fr rails db:seed \
&& touch ${cfg.dataDir}/.initial-migration
ds-fr rake db:migrate
ds-fr rake after_party:run
'';
};
ds-fr-work = {
description = "Demarches Simplifiees work service";
wantedBy = [
"multi-user.target"
"ds-fr.service"
];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
ds-fr = {
description = "Demarches Simplifiees web service";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"ds-fr-setup.service"
];
requires = [ "ds-fr-setup.service" ];
path = [ pkgs.imagemagick ];
serviceConfig = {
ExecStart = "${ds-fr}/bin/ds-fr rails server";
Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
User = cfg.user;
Group = cfg.group;
StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
};
};
};
services = {
demarches-simplifiees.settings =
(builtins.mapAttrs (_: mkDefault) {
RAILS_ENV = "production";
RAILS_ROOT = builtins.toString cfg.package;
# Application host name
#
# Examples:
# * For local development: localhost:3000
# * For preproduction: staging.ds.example.org
# * For production: ds.example.org
APP_HOST = "localhost:3000";
# Rails key for signing sensitive data
# See https://guides.rubyonrails.org/security.html
#
# For production you MUST generate a new key, and keep it secret.
# Secrets must be long and random. Use bin/rails secret to get new unique secrets.
# Secret key for One-Time-Password codes, used for 2-factors authentication
# OTP_SECRET_KEY = "";
# Protect access to the instance with a static login/password (useful for staging environments)
BASIC_AUTH_ENABLED = "disabled";
BASIC_AUTH_USERNAME = "";
BASIC_AUTH_PASSWORD = "";
# ActiveStorage service to use for attached files.
# Possible values:
# - "local": store files on the local filesystem
# - "amazon": store files remotely on an S3 storage service
# - "openstack": store files remotely on an OpenStack storage service
#
# (See config/storage.yml for the configuration of each service.)
ACTIVE_STORAGE_SERVICE = "local";
# Configuration for the OpenStack storage service (if enabled)
FOG_OPENSTACK_API_KEY = "";
FOG_OPENSTACK_USERNAME = "";
FOG_OPENSTACK_URL = "";
FOG_OPENSTACK_REGION = "";
DS_PROXY_URL = "";
# SAML
SAML_IDP_ENABLED = "disabled";
# External service: authentication through France Connect
FC_PARTICULIER_ID = "";
FC_PARTICULIER_SECRET = "";
FC_PARTICULIER_BASE_URL = "";
# External service: authentication through Agent Connect
AGENT_CONNECT_ID = "";
AGENT_CONNECT_SECRET = "";
AGENT_CONNECT_BASE_URL = "";
AGENT_CONNECT_JWKS = "";
AGENT_CONNECT_REDIRECT = "";
# External service: integration with HelpScout (optional)
HELPSCOUT_MAILBOX_ID = "";
HELPSCOUT_CLIENT_ID = "";
HELPSCOUT_CLIENT_SECRET = "";
HELPSCOUT_WEBHOOK_SECRET = "";
# External service: external supervision
SENTRY_ENABLED = "disabled";
SENTRY_CURRENT_ENV = "development";
SENTRY_DSN_RAILS = "";
SENTRY_DSN_JS = "";
# External service: Matomo web analytics
MATOMO_ENABLED = "disabled";
MATOMO_COOKIE_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_DOMAIN = "*.www.demarches-simplifiees.fr";
MATOMO_ID = "";
MATOMO_HOST = "matomo.example.org";
# Default SMTP Provider: Mailjet
MAILJET_API_KEY = "";
MAILJET_SECRET_KEY = "";
# Alternate SMTP Provider: SendInBlue/DoList
SENDINBLUE_CLIENT_KEY = "";
SENDINBLUE_SMTP_KEY = "";
SENDINBLUE_USER_NAME = "";
# SENDINBLUE_LOGIN_URL="https://app.sendinblue.com/account/saml/login/truc"
# Alternate SMTP Provider: Mailtrap (mail catcher for staging environments)
# When enabled, all emails will be sent using this provider
MAILTRAP_ENABLED = "disabled";
MAILTRAP_USERNAME = "";
MAILTRAP_PASSWORD = "";
# Alternative SMTP Provider: Mailcatcher (Catches mail and serves it through a dream.)
# When enabled, all emails will be sent using this provider
MAILCATCHER_ENABLED = "disabled";
MAILCATCHER_HOST = "";
MAILCATCHER_PORT = "";
# External service: live chat for admins (specific to démarches-simplifiées.fr)
CRISP_ENABLED = "disabled";
CRISP_CLIENT_KEY = "";
# API Entreprise credentials
# https://api.gouv.fr/api/api-entreprise.html
API_ENTREPRISE_KEY = "";
# External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
PIPEDRIVE_KEY = "";
# Networks bypassing the email login token that verifies new devices, and rack-attack throttling
TRUSTED_NETWORKS = "";
# External service: mesuring performance of the Rails app (specific to démarches-simplifiées.fr)
SKYLIGHT_AUTHENTICATION_KEY = "";
# "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
# Enable or disable Lograge logs
LOGRAGE_ENABLED = "disabled";
# Logs source for Lograge
#
# Examples:
# * For local development: tps_local
# * For preproduction: tps_staging
# * For production: tps_prod
LOGRAGE_SOURCE = "tps_prod";
# External service: timestamping a daily archive of dossiers status changes
UNIVERSIGN_API_URL = "https://ws.universign.eu/tsa/post/";
UNIVERSIGN_USERPWD = "";
# External service: API Geo / Adresse
API_ADRESSE_URL = "https://api-adresse.data.gouv.fr";
API_GEO_URL = "https://geo.api.gouv.fr";
# External service: API Education
API_EDUCATION_URL = "https://data.education.gouv.fr/api/records/1.0";
# Encryption key for sensitive columns in the database
ENCRYPTION_SERVICE_SALT = "";
# ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
AR_ENCRYPTION_PRIMARY_KEY = "";
AR_ENCRYPTION_KEY_DERIVATION_SALT = "";
# Salt for invisible_captcha session data.
# Must be the same value for all app instances behind a load-balancer.
INVISIBLE_CAPTCHA_SECRET = "kikooloool";
# Clamav antivirus usage
CLAMAV_ENABLED = "disabled";
# Siret number used for API Entreprise, by default we use SIRET from dinum
API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
})
// {
# Database credentials
DB_DATABASE = "ds-fr";
DB_USERNAME = cfg.user;
DB_PASSWORD = "";
DB_HOST = "/run/postgresql";
DB_POOL = "";
# Log on stdout
RAILS_LOG_TO_STDOUT = true;
};
postgresql = {
enable = true;
ensureDatabases = [ "ds-fr" ];
ensureUsers = optional (cfg.user == "ds-fr") {
name = "ds-fr";
ensureDBOwnership = true;
};
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
};
nginx = {
enable = true;
virtualHosts.${cfg.settings.APP_HOST} = {
enableACME = true;
forceSSL = true;
root = "${cfg.package}/public/";
locations."/".tryFiles = "$uri @proxy";
locations."@proxy" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
};
users.users = mkIf (cfg.user == "ds-fr") {
ds-fr = {
inherit (cfg) group;
isSystemUser = true;
home = cfg.package;
};
};
users.groups.${cfg.group} = { };
};
}

View file

@ -1,160 +0,0 @@
{
lib,
stdenv,
fetchFromGitHub,
git,
fetchYarnDeps,
yarn,
fixup_yarn_lock,
nodejs,
ruby_3_2,
bundlerEnv,
logDir ? "/var/log/ds-fr",
dataDir ? "/var/lib/ds-fr",
initialDeploymentDate ? "17941030",
}:
let
inherit (lib) getExe;
# Head of the DGNum repo
dgn-id = "12e4a32ca5d909a90ca6f7e53081cc6b6b14c416";
pname = "ds-fr";
meta = import ./meta.nix;
inherit (meta) version;
src = fetchFromGitHub {
owner = "demarches-simplifiees";
repo = "demarches-simplifiees.fr";
rev = version;
hash = meta.src-hash;
};
rubyEnv = bundlerEnv {
name = "env-${pname}";
gemdir = ./rubyEnv;
ruby = ruby_3_2;
gemset = (import ./rubyEnv/gemset.nix) // {
bundler = {
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "deeQ3fNwcSiGSO/yeB2yoTniRq2gHW8WueprXoPX6Jk=";
type = "gem";
};
version = "2.3.11";
};
};
};
dsModules = stdenv.mkDerivation {
pname = "${pname}-modules";
inherit src version;
offlineCache = fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = meta.deps-hash;
};
buildInputs = [ rubyEnv ];
nativeBuildInputs = [
fixup_yarn_lock
nodejs
yarn
rubyEnv.wrappedRuby
];
RAILS_ENV = "production";
NODE_ENV = "dev";
patches = [
# Disable functionnalities as we only precompile assets
./patches/build.patch
];
postPatch = ''
${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
OTP_SECRET_KEY = "precompile_placeholder";
SECRET_KEY_BASE = "precompile_placeholder";
APP_HOST = "precompile_placeholder";
buildPhase = ''
export HOME=$(mktemp -d)
yarn config --offline set yarn-offline-mirror $offlineCache
fixup_yarn_lock yarn.lock
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules/
patchShebangs bin/
bin/rake assets:precompile
yarn cache clean --offline
rm -rf node_modules/
'';
installPhase = ''
mkdir -p $out/public
cp -r public/* $out/public
'';
};
in
stdenv.mkDerivation {
name = "demarches-simplifiees.fr-${version}";
inherit src;
buildInputs = [ rubyEnv ];
propagatedBuildInputs = [ rubyEnv.wrappedRuby ];
patches = [
./patches/replay_routing_engine_for_a_cloned_procedure.patch
./patches/smtp_settings.patch
./patches/garage.patch
];
postPatch = ''
${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
'';
buildPhase = ''
rm -rf public
ln -s ${dsModules}/public/ public
patchShebangs bin/
rm -rf log storage
ln -s ${logDir} log
ln -s ${dataDir}/tmp tmp
ln -s ${dataDir}/storage storage
for f in $(ls lib/tasks/deployment/); do
[[ ! ${initialDeploymentDate} < $f ]] \
&& rm lib/tasks/deployment/$f;
done;
echo "Removed unused data migrations"
'';
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
passthru = {
inherit rubyEnv;
ruby = rubyEnv.wrappedRuby;
};
meta = with lib; {
description = "Dématérialiser et simplifier les démarches administratives";
homepage = "https://github.com/demarches-simplifiees/demarches-simplifiees.fr";
license = licenses.agpl3Only;
maintainers = with maintainers; [ thubrecht ];
};
}

View file

@ -1,5 +0,0 @@
{
version = "2024-04-02-03";
src-hash = "sha256-32FXEoQb1W1Bqf7lNpt6ljEU9QIDZkE/+njsu4DKFFY=";
deps-hash = "sha256-ZtZ1iqKHWGPR5+BDOtOvrpgdndfP5IiqrLkju96YAM4=";
}

View file

@ -1,42 +0,0 @@
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d8c8e84..6262b8782 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -118,7 +118,7 @@ Rails.application.configure do
# the I18n.default_locale when a translation cannot be found).
config.i18n.fallbacks = true
- config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE").to_sym
+ config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE", 'local').to_sym
# Send deprecation notices to registered listeners.
config.active_support.deprecation = :notify
@@ -174,5 +174,5 @@ Rails.application.configure do
# The Content-Security-Policy is NOT in Report-Only mode
config.content_security_policy_report_only = false
- config.lograge.enabled = ENV['LOGRAGE_ENABLED'] == 'enabled'
+ config.lograge.enabled = ENV.fetch('LOGRAGE_ENABLED', 'disabled') == 'enabled'
end
diff --git a/config/initializers/mailcatcher.rb b/config/initializers/mailcatcher.rb
index 8b931f704..dbeceb4ec 100644
--- a/config/initializers/mailcatcher.rb
+++ b/config/initializers/mailcatcher.rb
@@ -1,4 +1,4 @@
-if ENV.fetch('MAILCATCHER_ENABLED') == 'enabled'
+if ENV.fetch('MAILCATCHER_ENABLED', 'disabled') == 'enabled'
ActiveSupport.on_load(:action_mailer) do
module Mailcatcher
class SMTP < ::Mail::SMTP; end
diff --git a/config/initializers/mailtrap.rb b/config/initializers/mailtrap.rb
index 6d1faa04b..658673ed1 100644
--- a/config/initializers/mailtrap.rb
+++ b/config/initializers/mailtrap.rb
@@ -1,4 +1,4 @@
-if ENV.fetch('MAILTRAP_ENABLED') == 'enabled'
+if ENV.fetch('MAILTRAP_ENABLED', 'disabled') == 'enabled'
ActiveSupport.on_load(:action_mailer) do
module Mailtrap
class SMTP < ::Mail::SMTP; end

View file

@ -1,16 +0,0 @@
diff --git a/config/storage.yml b/config/storage.yml
index d2b2d241f..1b2744504 100644
--- a/config/storage.yml
+++ b/config/storage.yml
@@ -19,3 +19,11 @@ amazon:
secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
region: <%= ENV.fetch("S3_REGION", "") %>
bucket: <%= ENV.fetch("S3_BUCKET", "") %>
+garage:
+ service: S3
+ access_key_id: <%= ENV.fetch("S3_ACCESS_KEY_ID", "") %>
+ secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
+ region: <%= ENV.fetch("S3_REGION", "garage") %>
+ bucket: <%= ENV.fetch("S3_BUCKET", "") %>
+ endpoint: <%= ENV.fetch("S3_ENDPOINT", "") %>
+ force_path_style: <%= ENV.fetch("S3_FORCE_PATH_STYLE", "").present? %>

View file

@ -1,35 +0,0 @@
diff --git a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
index 9d4f3a284..04d62a63b 100644
--- a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
+++ b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
@@ -4,18 +4,18 @@ namespace :after_party do
puts "Running deploy task 'replay_routing_engine_for_a_cloned_procedure'"
# Put your task implementation HERE.
- dossiers = Procedure
- .find(76266)
- .dossiers
- .en_construction
-
- progress = ProgressReport.new(dossiers.count)
-
- dossiers.find_each do |dossier|
- RoutingEngine.compute(dossier)
- progress.inc
- end
- progress.finish
+ # dossiers = Procedure
+ # .find(76266)
+ # .dossiers
+ # .en_construction
+ #
+ # progress = ProgressReport.new(dossiers.count)
+ #
+ # dossiers.find_each do |dossier|
+ # RoutingEngine.compute(dossier)
+ # progress.inc
+ # end
+ # progress.finish
# Update task as completed. If you remove the line below, the task will
# run with every deploy (or every time you call after_party:run).

View file

@ -1,14 +0,0 @@
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 16d8c8e84..e0326d26d 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -86,7 +86,8 @@ Rails.application.configure do
user_name: ENV.fetch("SMTP_USER"),
password: ENV.fetch("SMTP_PASS"),
authentication: ENV.fetch("SMTP_AUTHENTICATION"),
- enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
+ enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
+ ssl: ENV.fetch("SMTP_SSL").present?
}
elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
config.action_mailer.delivery_method = :sendmail

View file

@ -1,12 +0,0 @@
diff --git a/app/controllers/concerns/uninterlace_png_concern.rb b/app/controllers/concerns/uninterlace_png_concern.rb
index 8e9d06251..0870357c6 100644
--- a/app/controllers/concerns/uninterlace_png_concern.rb
+++ b/app/controllers/concerns/uninterlace_png_concern.rb
@@ -14,6 +14,6 @@ module UninterlacePngConcern
def interlaced?(png_path)
png = MiniMagick::Image.open(png_path)
- png.data["interlace"] != "None"
+ png.details["interlace"] != "None"
end
end

View file

@ -1,154 +0,0 @@
source 'https://rubygems.org'
gem 'rails', '~> 7.0.8' # allows update to security fixes at any time
gem 'aasm'
gem 'acsv'
gem 'active_model_serializers'
gem 'activestorage-openstack'
gem 'active_storage_validations'
gem 'addressable'
gem 'administrate'
gem 'administrate-field-enum' # Allow using Field::Enum in administrate
gem 'after_commit_everywhere'
gem 'after_party'
gem 'ancestry'
gem 'anchored'
gem 'bcrypt'
gem 'bootsnap', '>= 1.4.4', require: false # Reduces boot times through caching; required in config/boot.rb
gem 'browser'
gem 'charlock_holmes'
gem 'chartkick'
gem 'chunky_png'
gem 'clamav-client', require: 'clamav/client'
gem 'daemons'
gem 'deep_cloneable' # Enable deep clone of active record models
gem 'delayed_cron_job' # Cron jobs
gem 'delayed_job_active_record'
gem 'delayed_job_web'
gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
gem 'devise-i18n'
gem 'devise-two-factor'
gem 'discard'
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
gem 'dry-monads'
gem 'faraday-jwt'
gem 'flipper'
gem 'flipper-active_record'
gem 'flipper-active_support_cache_store'
gem 'flipper-ui'
gem 'fugit'
gem 'geocoder'
gem 'geo_coord', require: "geo/coord"
gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'
gem 'gon'
gem 'graphql', '2.0.24'
gem 'graphql-batch', '0.5.1'
gem 'graphql-rails_logger'
gem 'groupdate'
gem 'haml-rails'
gem 'hashie'
gem 'http_accept_language'
gem 'i18n_data'
gem 'i18n-tasks', require: false
gem 'iban-tools'
gem 'image_processing'
gem 'invisible_captcha'
gem 'json_schemer'
gem 'jwt'
gem 'kaminari'
gem 'kredis'
gem 'listen' # Required by ActiveSupport::EventedFileUpdateChecker
gem 'lograge'
gem 'logstash-event'
gem 'maintenance_tasks'
gem 'matrix' # needed by prawn and not default in ruby 3.1
gem 'mini_magick'
gem 'net-imap', require: false # See https://github.com/mikel/mail/pull/1439
gem 'net-pop', require: false # same
gem 'net-smtp', require: false # same
gem 'openid_connect'
gem 'parsby'
gem 'pg'
gem 'phonelib'
gem 'prawn-rails' # PDF Generation
gem 'premailer-rails'
gem 'puma' # Use Puma as the app server
gem 'pundit'
gem 'rack-attack'
gem 'rails-i18n' # Locales par défaut
gem 'rails-pg-extras'
gem 'rake-progressbar', require: false
gem 'redcarpet'
gem 'redis'
gem 'rexml' # add missing gem due to ruby3 (https://github.com/Shopify/bootsnap/issues/325)
gem 'rqrcode'
gem 'saml_idp'
gem 'sassc-rails' # Use SCSS for stylesheets
gem 'sentry-delayed_job'
gem 'sentry-rails'
gem 'sentry-ruby'
gem 'sentry-sidekiq'
gem 'sib-api-v3-sdk'
gem 'sidekiq'
gem 'skylight'
gem 'spreadsheet_architect'
gem 'strong_migrations' # lint database migrations
gem 'sys-proctable'
gem 'turbo-rails'
gem 'typhoeus'
gem 'ulid-ruby', require: 'ulid'
gem 'view_component'
gem 'vite_rails'
gem 'warden'
gem 'webrick', require: false
gem 'yabeda-prometheus'
gem 'yabeda-sidekiq'
gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn'
group :test do
gem 'axe-core-rspec' # accessibility rspec matchers
gem 'capybara' # Integration testing
gem 'capybara-email' # Access emails during integration tests
gem 'capybara-screenshot' # Save a dump of the page when an integration test fails
gem 'factory_bot'
gem 'launchy'
gem 'rack_session_access'
gem 'rails-controller-testing'
gem 'rspec_junit_formatter'
gem 'rspec-retry'
gem 'selenium-devtools'
gem 'selenium-webdriver'
gem 'shoulda-matchers', require: false
gem 'timecop'
gem 'vcr'
gem 'webmock'
end
group :development do
gem 'benchmark-ips', require: false
gem 'brakeman', require: false
gem 'haml-lint'
gem 'letter_opener_web'
gem 'memory_profiler'
gem 'rack-mini-profiler'
gem 'rails-erd', require: false # generates `doc/database_models.pdf`
gem 'rubocop', require: false
gem 'rubocop-performance', require: false
gem 'rubocop-rails', require: false
gem 'rubocop-rspec', require: false
gem 'scss_lint', require: false
gem 'stackprof'
gem 'web-console'
end
group :development, :test do
gem 'graphql-schema_comparator'
gem 'irb'
gem 'mina', require: false # Deploy
gem 'rspec-rails'
gem 'simple_xlsx_reader'
gem 'spring' # Spring speeds up development by keeping your application running in the background
gem 'spring-commands-rspec'
end

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -1,66 +0,0 @@
#!/usr/bin/env bash
version=
gitArgs=
while [ "$#" -gt 0 ]; do
i="$1"
shift 1
case "$i" in
--version | -v)
version="$1"
shift 1
;;
--git-args)
gitArgs="$gitArgs $1"
shift 1
;;
*)
echo "$0: unknown option \`$i'"
exit 1
;;
esac
done
# Create a working environment
CWD=$(pwd)
TMP=$(mktemp -d)
cd "$TMP"
# Fetch the latest source or the required version
gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
if [ -n "$version" ]; then
git clone --depth 1 --branch $version $gitUrl .
else
git clone --depth 1 $gitUrl .
version="$(git rev-parse HEAD)"
fi
# Generate gemset.nix
nix-shell -p bundix --run "bundix -l" >/dev/null
# Copy the new files
cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
# Print the new source details
SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
# Print Yarn deps hash
hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
cat <<EOF >"$CWD/meta.nix"
{
version = "$version";
src-hash = "$SRC_HASH";
deps-hash = "$DEPS_HASH";
}
EOF
nixfmt "$CWD"
rm -rf "$TMP"

View file

@ -1,196 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
settingsFormat = pkgs.formats.toml { };
py-pkgs = import ./packages/python { inherit pkgs; };
pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = types.package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = types.path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = types.path;
description = "File to the auth token for the service account.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
options = {
secret = mkOption { type = types.path; };
ipaddr = mkOption { type = types.str; };
};
}
);
default = { };
description = "A mapping of clients and their authentication tokens.";
};
certs = {
ca = mkOption {
type = types.str;
description = "The signing CA of the RADIUS certificate.";
};
dh = mkOption {
type = types.str;
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
};
cert = mkOption {
type = types.str;
description = "The certificate for the RADIUS server.";
};
key = mkOption {
type = types.str;
description = "The signing key for the RADIUS certificate.";
};
};
privateKeyPasswordFile = mkOption { type = types.path; };
};
config = mkIf cfg.enable {
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
services.k-radius.settings = {
ca_path = cfg.certs.ca;
radius_cert_path = cfg.certs.cert;
radius_key_path = cfg.certs.key;
radius_dh_path = cfg.certs.dh;
radius_ca_path = cfg.certs.ca;
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network.target" ];
preStart = ''
cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
chmod -R u+w ${cfg.configDir}
# disable auth via methods kanidm doesn't support
rm ${cfg.configDir}/mods-available/sql
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
# write the clients configuration
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
# Write the password of the private_key in the eap module
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
path = [
pkgs.openssl
pkgs.gnused
];
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
Group = "radius";
DynamicUser = true;
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
];
};
};
};
}

View file

@ -1,52 +0,0 @@
{
lib,
fetchFromGitHub,
python3,
pydantic,
}:
let
pname = "kanidm";
version = "0.0.3";
in
python3.pkgs.buildPythonPackage {
inherit pname version;
format = "pyproject";
disabled = python3.pythonOlder "3.8";
src =
(fetchFromGitHub {
owner = pname;
repo = pname;
# Latest 1.1.0-rc.15 tip
rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
})
+ "/pykanidm";
nativeBuildInputs = with python3.pkgs; [ poetry-core ];
propagatedBuildInputs = with python3.pkgs; [
aiohttp
pydantic
toml
(authlib.overridePythonAttrs (_: {
doCheck = false;
}))
];
doCheck = false;
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm client library";
homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
license = licenses.mpl20;
maintainers = with maintainers; [
arianvp
hexa
];
};
}

View file

@ -1,18 +0,0 @@
diff --git a/pyproject.toml b/pyproject.toml
index 1602e32..507048d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,13 +72,6 @@ filterwarnings = [
]
timeout = 30
xfail_strict = true
-# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
-addopts = [
- '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
- '--benchmark-group-by', 'group',
- '--benchmark-warmup', 'on',
- '--benchmark-disable', # this is enable by `make benchmark` when you actually want to run benchmarks
-]
[tool.coverage.run]
source = ['pydantic_core']

View file

@ -1,20 +0,0 @@
{ pkgs }:
let
inherit (pkgs) lib;
callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
self = builtins.listToAttrs (
builtins.map
(name: {
inherit name;
value = callPackage (./. + "/${name}.nix") { };
})
[
"pydantic"
"pydantic-core"
]
);
in
self

View file

@ -1,84 +0,0 @@
{
stdenv,
lib,
buildPythonPackage,
fetchFromGitHub,
cargo,
rustPlatform,
rustc,
libiconv,
typing-extensions,
pytestCheckHook,
hypothesis,
pytest-timeout,
pytest-mock,
dirty-equals,
}:
let
pydantic-core = buildPythonPackage rec {
pname = "pydantic-core";
version = "2.14.5";
format = "pyproject";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic-core";
rev = "refs/tags/v${version}";
hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
};
patches = [ ./01-remove-benchmark-flags.patch ];
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
};
nativeBuildInputs = [
cargo
rustPlatform.cargoSetupHook
rustPlatform.maturinBuildHook
rustc
typing-extensions
];
buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
propagatedBuildInputs = [ typing-extensions ];
pythonImportsCheck = [ "pydantic_core" ];
# escape infinite recursion with pydantic via dirty-equals
doCheck = false;
passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
nativeCheckInputs = [
pytestCheckHook
hypothesis
pytest-timeout
dirty-equals
pytest-mock
];
disabledTests = [
# RecursionError: maximum recursion depth exceeded while calling a Python object
"test_recursive"
];
disabledTestPaths = [
# no point in benchmarking in nixpkgs build farm
"tests/benchmarks"
];
meta = with lib; {
changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
description = "Core validation logic for pydantic written in rust";
homepage = "https://github.com/pydantic/pydantic-core";
license = licenses.mit;
maintainers = with maintainers; [ blaggacao ];
};
};
in
pydantic-core

View file

@ -1,92 +0,0 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
pythonOlder,
# build-system
hatchling,
hatch-fancy-pypi-readme,
# native dependencies
libxcrypt,
# dependencies
annotated-types,
pydantic-core,
typing-extensions,
# tests
cloudpickle,
email-validator,
dirty-equals,
faker,
pytestCheckHook,
pytest-mock,
}:
buildPythonPackage rec {
pname = "pydantic";
version = "2.5.2";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic";
rev = "refs/tags/v${version}";
hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
};
buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
nativeBuildInputs = [
hatch-fancy-pypi-readme
hatchling
];
propagatedBuildInputs = [
annotated-types
pydantic-core
typing-extensions
];
passthru.optional-dependencies = {
email = [ email-validator ];
};
nativeCheckInputs = [
cloudpickle
dirty-equals
faker
pytest-mock
pytestCheckHook
] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
preCheck = ''
export HOME=$(mktemp -d)
substituteInPlace pyproject.toml \
--replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
--replace "'--benchmark-group-by', 'group'," "" \
--replace "'--benchmark-warmup', 'on'," "" \
--replace "'--benchmark-disable'," ""
'';
disabledTestPaths = [
"tests/benchmarks"
# avoid cyclic dependency
"tests/test_docs.py"
];
pythonImportsCheck = [ "pydantic" ];
meta = with lib; {
description = "Data validation and settings management using Python type hinting";
homepage = "https://github.com/pydantic/pydantic";
changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
license = licenses.mit;
maintainers = with maintainers; [ wd15 ];
};
}

View file

@ -1,45 +0,0 @@
{
stdenv,
fetchFromGitHub,
python3,
pykanidm,
}:
let
pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.15";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
};
patches = [ ./python_path.patch ];
postPatch = ''
substituteInPlace rlm_python/mods-available/python3 \
--replace "@kanidm_python@" "${pythonPath}"
'';
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
preferLocalBuild = true;
}

View file

@ -1,89 +0,0 @@
{ config, sources, ... }:
let
domain = "sso.dgnum.eu";
cert = config.security.acme.certs.${domain};
allowedSubDomains = [
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
];
in
{
services.kanidm = {
enableServer = true;
package = (import sources.nixos-unstable { }).kanidm;
serverSettings = {
inherit domain;
origin = "https://${domain}";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "0.0.0.0:636";
trust_x_forward_for = true;
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
};
users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = {
enable = true;
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
set $origin $http_origin;
if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
set $origin 'https://${domain}';
}
proxy_hide_header Access-Control-Allow-Origin;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
networking.firewall.allowedUDPPorts = [ 636 ];
dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
}

View file

@ -1,9 +0,0 @@
let
lib = import ../../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

View file

@ -1,215 +0,0 @@
{ config, pkgs, ... }:
let
host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
in
{
services.nextcloud = {
enable = true;
hostName = host;
package = pkgs.nextcloud28;
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
defaultPhoneRegion = "FR";
trustedProxies = [ "::1" ];
objectstore.s3 = {
enable = true;
hostname = "s3.dgnum.eu";
region = "garage";
usePathStyle = true;
port = 443;
bucket = "nextcloud-dgnum";
key = "GKda5367c73ca607c349d83c35";
verify_bucket_exists = false;
secretFile = config.age.secrets."nextcloud-s3_secret_file".path;
};
};
maxUploadSize = "4G";
poolSettings = {
pm = "dynamic";
"pm.max_children" = 64;
"pm.max_requests" = "500";
"pm.max_spare_servers" = "8";
"pm.min_spare_servers" = "4";
"pm.start_servers" = "6";
};
phpOptions = {
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
display_errors = "stderr";
"opcache.enable_cli" = "1";
"opcache.interned_strings_buffer" = "32";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};
database.createLocally = true;
configureRedis = true;
autoUpdateApps.enable = true;
extraOptions = {
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
allow_local_remote_servers = true;
maintenance_window_start = 1;
"memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}";
"memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
};
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
dns_enable = true;
ipv6_enabled = true;
};
};
};
virtualisation.oci-containers = {
# # Since 22.05, the default driver is podman but it doesn't work
# # with podman. It would however be nice to switch to podman.
# backend = "docker";
containers.collabora = {
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
};
ports = [ "9980:9980" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
};
extraOptions = [
"--cap-add"
"MKNOD"
"--cap-add"
"SYS_ADMIN"
];
};
};
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_max_temp_file_size 4096m;
'';
};
"code.dgnum.eu" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
};
};
systemd.services = {
nextcloud-preview = {
description = "Generate preview for nextcloud media.";
script = "${nextcloud-occ} preview:pre-generate -vvv";
startAt = "*-*-* 01:00:00 UTC";
serviceConfig = {
Restart = "on-failure";
};
};
nextcloud-cron.path = [ pkgs.perl ];
};
environment.systemPackages = [ pkgs.ffmpeg_6-headless ];
networking.hosts = {
"129.199.146.148" = [ "s3.dgnum.eu" ];
};
age-secrets.autoMatch = [ "nextcloud" ];
system.activationScripts = {
restart-nextcloud.text = ''
if [ "$(${pkgs.systemd}/bin/systemctl is-active phpfpm-nextcloud)" == "active" ]; then
${pkgs.systemd}/bin/systemctl restart phpfpm-nextcloud
fi
'';
};
dgn-backups.jobs.nextcloud.settings.paths = [ "/var/lib/nextcloud" ];
dgn-backups.postgresDatabases = [ "nextcloud" ];
}

View file

@ -1,24 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ
2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI
-> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE
1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs
-> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI
LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU
-> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA
jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs
-> ssh-rsa krWCLQ
XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps
uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ
CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg
k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4
4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW
qd63AwlEvNGOSIMXBqc+tQ
-> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A
Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk
-> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ
o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU
-> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8
OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w
--- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo
ì©šÎj½ó˪f¾©Fyz#ö뤄å…ùÕâ íz‰z¥}´ýÂø9(!SÂöÛ<C3B6>¸ûz2kªÈCæ<43>¦J¬T…Ÿ”þG<C3BE>€³“Z_àÑ

View file

@ -1,27 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg X/tRIl6TzF09a1Tvr8vP3SocmlfwKg307he8LP3Q5mo
hWjX3AUbREbQR+uCiW8Nsj5nCwYQYy1KV/41sbxBFo4
-> ssh-ed25519 jIXfPA 6EOXJfa+aY4JjOb0SO2k+s6xnNjtm/o8au6lbN1UfxA
dVsgH99btiE+pl7Q4uiOcYDTwtv6X0jgjYXoFFd+tPs
-> ssh-ed25519 QlRB9Q 4Hje1HQL+Zjm9+BGDQvb83KaizOjfKTwjiq1SJlXvA0
w2rMGVcZcS2aLNYxHZIJZF/j50CQm8UCmq89W9K7Q14
-> ssh-ed25519 r+nK/Q aPQh4X7xZnTbrkxIaAwUbaS7NnbHMY+Q31E0x7AvwSo
rnMus4wPVugzscVNPO33rNgboN7I42tdz4dikVOvWIw
-> ssh-rsa krWCLQ
Xe2Vv3tCZy19QQt26q6T3mJkZyltU7OVOrruwxWr8hlaKgOfR/pMa7nbR+eWm6jS
++39H+E6gssE/534ld5qz2J3oPV5E6+p4wok/Owy7zE6aWrALP1Mp296lumRjjGN
6aYhmf4fbpvOWDMNujExWURggswbUplk0f7l5UYjNpcSnM9Iq6s9fTAUVTMAlvoL
cmVvPTll6QlhhM7tkJL1fo+1nEimfmwDaOhE2lAKKJUD7DTqcBGsukpysOhcmCyr
Xtx38kcuF5eaDzjT9gXgi4QtCrxf31Lfjju44HSqJFB1LqO2Vzd9rASurD2LN7/1
uj8F5y+dmf6IqIM/kYXqPg
-> ssh-ed25519 /vwQcQ Byl5reTJslEFsIdUWp+rg5sZxG1jEHVduBE/grTD/Vc
SEzFbpWUZrVitO1Swfs3/pzfaZ6Zd4Roi8anJRHO7/o
-> ssh-ed25519 0R97PA CLDuGuFPHf0rgUoCUY2C1jtXAeBEqKiqaeiH4ZcRFk8
rBYZfmS7BSKDIJMVpWTGy5wRhhoi9xR1GchVsUn7Psw
-> ssh-ed25519 JGx7Ng xqTydh3Bt5bL/7R6ZnVtqhfSW2V3g1g2UWPcePt8TCU
lPQeGP4VQGU4xeGqVcIRnWZjeDp2Q4lH2CLg+C/weyM
-> .-grease
l4qPzZnL/yerx8Y3VUmUoO2GgK7OUAjbhfYsHPhDFSo+ZPgvYo7qpJBEsPQqrPA3
FF2/R9IFD+jFranJsg
--- ynZs900dI1cp+HWu6HdnUGKaJw/Wa1Y26eQSeO3fvH8
|Nös.­æ·»×KC²éi#<11>XôfÓéöÃÎq[í¶t{ŸôEkœÇ±­<AÿñYd'çÉ…²3ȆbMæÝ;0f”V[œ¥<ûàX;E

View file

@ -1,31 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
-> ssh-rsa krWCLQ
1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
ABByGBZ/QKLw66NpE7rbSA
-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
-> t|-grease (u /1\q}65 ]@
Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
LA3n6c+Te9Q
--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
5¥t·Œ °ÒxÚ@<1E>`zÈÔgCà Ѭ:4Œó¾&‡Spi8ñŸuæ"lÕ×)<29>aŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^ݶ‚Ø«%´Ñº98¾,yBÙ
"¶%Ç㤄†NÎÓ· íò¬} [Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Š à-—&qF k Ö¶¹µùÔÎLì,¹À„žD™áΩ­QÍ—½è<C2BD>4N}<7D>ÙÐJ´·ÇÓˆ€]dU Ïø¿<C3B8>I—:ÌôÑÉ öì°¦£sý¨õB #}¹
ÞÃXzð‰N4·>ñ5iSan`‰¹.õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZЬÆwçÚ /×
Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäA<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏIM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
ê6)ËŒä0£<30>tM¶É Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡ bzÚõŠ¿ÁìÍÿ

View file

@ -1,26 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
-> ssh-rsa krWCLQ
axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
28gTWKdeOQcHJfmaeJV/Rg
-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
-> \<?_-grease (+d_8zF H
--- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
=þ%©»gæÆQ³-¼ffÄUC.qÅ͘·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN

View file

@ -1,31 +0,0 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
"arkheon-env_file"
"bupstash-put_key"
"ds-fr-secret_file"
"grafana-smtp_password_file"
"grafana-oauth_client_secret_file"
"hedgedoc-environment_file"
"librenms-database_password_file"
"librenms-environment_file"
"mastodon-extra_env_file"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"satosa-env_file"
"telegraf-environment_file"
"vaultwarden-environment_file"
"zammad-secret_key_base_file"
]

View file

@ -1,5 +0,0 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo01";
in
lib.setDefault { inherit publicKeys; } [ ]

View file

@ -1,5 +0,0 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo02";
in
lib.setDefault { inherit publicKeys; } [ ]

View file

@ -0,0 +1,44 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
modulesPath,
sourcePkgs,
...
}:
{
imports = [
"${modulesPath}/wlan.nix"
"${modulesPath}/network"
"${modulesPath}/hostapd"
"${modulesPath}/ssh"
"${modulesPath}/ntp"
"${modulesPath}/vlan"
"${modulesPath}/bridge"
"${modulesPath}/jitter-rng"
"${modulesPath}/pki"
"${modulesPath}/ubus"
# System-level configuration
./system.nix
# Configures our own WLAN.
./wlan.nix
# Configures our LAN interfaces, e.g. bridge + VLANs.
./lan.nix
# Configures our IPv4/IPv6 addresses, e.g. DHCPv4 on VLAN 0, SLAAC on VLAN 3001.
./addresses.nix
# Configures a basic local DNS.
./dns.nix
# Configures our management layer, e.g. SSH server + DGNum FAI keys.
./management.nix
# Configures our recovery system, e.g. a levitation script.
./recovery.nix
# Metadata on the system for field recovery.
./metadata.nix
# TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module
];
hostname = "ap01-prototype";
nixpkgs.source = sourcePkgs.path;
}

View file

@ -0,0 +1,22 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
services.dhcpv4 = svc.network.dhcp.client.build {
interface = config.services.int;
dependencies = [
config.services.bridge.components.lan
];
};
services.defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
}

View file

@ -0,0 +1,34 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
inherit (pkgs.liminix.services) oneshot;
inherit (pkgs.pseudofile) dir symlink;
inherit (pkgs) serviceFns;
in
{
# TODO: support dynamic reconfiguration once we are in the target VLAN?
services.resolvconf = oneshot rec {
name = "resolvconf";
up = ''
. ${serviceFns}
( in_outputs ${name}
for i in $(output ${config.services.dhcpv4} dns); do
echo "nameserver $i" >> resolv.conf
done
)
'';
dependencies = [
config.services.dhcpv4
];
};
filesystem = dir {
etc = dir {
"resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
};
};
}

View file

@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
# ubus socket for various needs.
services.ubus = svc.ubus.build { };
}

View file

@ -0,0 +1,43 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
services.int = svc.bridge.primary.build {
ifname = "int";
macAddressFromInterface = config.hardware.networkInterfaces.lan;
};
services.bridge = svc.bridge.members.build {
primary = config.services.int;
members = {
lan.member = config.hardware.networkInterfaces.lan;
wlan0 = {
member = config.hardware.networkInterfaces.wlan0;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-1-ready ];
};
wlan1 = {
member = config.hardware.networkInterfaces.wlan1;
# Bridge only once hostapd is ready.
dependencies = [ config.services.hostap-2-ready ];
};
};
};
# Default VLAN
# services.vlan-apro = svc.vlan.build {
# vlanId = 0;
# interface = config.services.int;
# };
# # Administration VLAN
# services.vlan-admin = svc.vlan.build {
# vlan = 3001;
# interface = config.services.int;
# };
}

View file

@ -0,0 +1,16 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, ... }:
let
svc = config.system.service;
in
{
# SSH keys are handled by the access control module.
dgn-access-control.enable = true;
users.root = {
passwd = "$6$Z2MiaMXkpUJRPl2/$fxVE3iD/n208CISM2F6OnWj0Qq0QG2tTQqLCjU80PFJJGIwNLLyOp6SeYH3dH20OvJX1loZRETrThZfIPw.rb/";
};
services.sshd = svc.ssh.build { allowRoot = true; };
}

View file

@ -0,0 +1,19 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, ... }:
let
inherit (pkgs.pseudofile) dir;
in
{
filesystem = dir {
etc = dir {
"nixpkgs.version" = {
type = "f";
file = "${pkgs.lib.version}";
mode = "0444";
};
};
};
}

View file

@ -0,0 +1,49 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{
config,
pkgs,
modulesPath,
...
}:
let
svc = config.system.service;
in
{
defaultProfile.packages = with pkgs; [
# Levitate enable us to mass-reinstall the system on the fly.
(levitate.override {
config = {
imports = [
"${modulesPath}/network"
"${modulesPath}/ssh"
"${modulesPath}/hardware.nix"
"${modulesPath}/kernel"
"${modulesPath}/outputs/tftpboot.nix"
"${modulesPath}/outputs.nix"
];
nixpkgs.buildPlatform = builtins.currentSystem;
services = {
# In this situation, we fallback to the appro VLAN.
# TODO: add support for the admin VLAN.
# Simplest DHCPv4 we can find.
dhcpv4 = svc.network.dhcp.client.build {
interface = config.hardware.networkInterfaces.lan;
};
inherit (config.services) sshd;
defaultroute4 = svc.network.route.build {
via = "$(output ${config.services.dhcpv4} router)";
target = "default";
dependencies = [ config.services.dhcpv4 ];
};
};
defaultProfile.packages = [ mtdutils ];
# Only keep root, which should inherit from DGN access control's root permissions.
users.root = config.users.root;
};
})
];
}

View file

@ -0,0 +1,32 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ pkgs, config, ... }:
let
svc = config.system.service;
in
{
# Get moar random please
services = {
jitter = svc.jitter-rng.build { };
packet_forwarding = svc.network.forward.build { };
ntp = config.system.service.ntp.build {
pools = {
"pool.ntp.org" = [ "iburst" ];
};
dependencies = [ config.services.jitter ];
};
};
boot.tftp = {
serverip = "192.0.2.10";
ipaddr = "192.0.2.12";
};
defaultProfile.packages = with pkgs; [
zyxel-bootconfig
min-collect-garbage
];
}

View file

@ -0,0 +1,97 @@
# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ config, pkgs, ... }:
let
svc = config.system.service;
secrets-1 = {
ssid = "DGNum 2G (N)";
};
secrets-2 = {
ssid = "DGNum 5G (AX)";
};
baseParams = {
country_code = "FR";
hw_mode = "g";
channel = 6;
wmm_enabled = 1;
ieee80211n = 1;
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
auth_algs = 1;
wpa = 2;
wpa_pairwise = "TKIP CCMP";
rsn_pairwise = "CCMP";
};
radiusKeyMgmt = {
wpa_key_mgmt = "WPA-EAP";
};
modernParams = {
hw_mode = "a";
he_su_beamformer = 1;
he_su_beamformee = 1;
he_mu_beamformer = 1;
preamble = 1;
# Allow radar detection.
ieee80211d = 1;
ieee80211h = 1;
ieee80211ac = 1;
ieee80211ax = 1;
vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
vht_oper_chwidth = 1;
he_oper_chwidth = 1;
channel = 36;
vht_oper_centr_freq_seg0_idx = 42;
he_oper_centr_freq_seg0_idx = 42;
require_vht = 1;
};
clientRadius = {
ieee8021x = 1;
eapol_version = 2;
use_pae_group_addr = 1;
dynamic_vlan = 0;
vlan_tagged_interface = "lan";
};
externalRadius = {
# TODO: when we have proper IPAM, set the right value here.
own_ip_addr = "127.0.0.1";
nas_identifier = "ap01.dgnum.eu";
# No DNS here, hostapd do not support this mode.
auth_server_addr = "129.199.195.129";
auth_server_port = 1812;
auth_server_shared_secret = "read it online";
};
mkWifiSta =
params: interface: secrets:
svc.hostapd.build {
inherit interface;
package = pkgs.hostapd-radius;
params = params // secrets;
dependencies = [ config.services.jitter ];
};
in
{
services = {
# wlan0 is the 2.4GHz interface.
hostap-1 = mkWifiSta (
baseParams // radiusKeyMgmt
) config.hardware.networkInterfaces.wlan0 secrets-1;
hostap-1-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan0;
};
# wlan1 is the 5GHz interface, e.g. AX capable.
hostap-2 = mkWifiSta (
baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2;
# Oneshot that waits until the hostapd has set the interface in operational state.
hostap-2-ready = svc.hostapd-ready.build {
interface = config.hardware.networkInterfaces.wlan1;
};
};
}

View file

@ -0,0 +1,113 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
let
#TODO: meta
vlansPlan = {
"uplink-cri".id = 223;
"admin-core" = {
id = 3000;
l3-interface = "irb.0";
};
"admin-ap".id = 3001;
"users".id-list = [
{
begin = 3045;
end = 4094;
}
];
"ap-staging".id = 2000;
};
#TODO: additionnal module (always the same for APs)
AP-staging = {
poe = true;
ethernet-switching = {
interface-mode = "access";
vlans = [ "ap-staging" ];
};
};
in
{
vlans = vlansPlan;
dgn-hardware.model = "EX2300-48P";
dgn-interfaces = {
# "ge-0/0/0" = AP-staging;
# "ge-0/0/1" = AP-staging;
# "ge-0/0/2" = AP-staging;
# "ge-0/0/3" = AP-staging;
"ge-0/0/4" = AP-staging;
# "ge-0/0/5" = AP-staging;
# "ge-0/0/6" = AP-staging;
# "ge-0/0/7" = AP-staging;
# "ge-0/0/8" = AP-staging;
# "ge-0/0/9" = AP-staging;
# "ge-0/0/10" = AP-staging;
# "ge-0/0/11" = AP-staging;
# "ge-0/0/12" = AP-staging;
# "ge-0/0/13" = AP-staging;
# "ge-0/0/14" = AP-staging;
# "ge-0/0/15" = AP-staging;
# "ge-0/0/16" = AP-staging;
# "ge-0/0/17" = AP-staging;
# oob
"ge-0/0/42".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# AP de test
"ge-0/0/43" = {
poe = true;
ethernet-switching = {
interface-mode = "access";
vlans = [ 4000 ];
};
};
# uplink oob
"ge-0/0/46".ethernet-switching = {
interface-mode = "access";
vlans = [ 222 ];
rstp = false;
};
# ilo
"ge-0/0/47".ethernet-switching = {
interface-mode = "access";
vlans = [ "admin-core" ];
};
# router
"xe-0/1/0".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "all" ];
};
# netaccess01
"xe-0/1/1".ethernet-switching = {
interface-mode = "trunk";
vlans = [
"users"
"ap-staging"
"admin-ap"
"admin-core"
];
};
# netcore01 (Potos)
"xe-0/1/2".ethernet-switching = {
interface-mode = "access";
vlans = [
"ap-staging"
];
};
# uplink
"ge-0/1/3".ethernet-switching = {
interface-mode = "trunk";
vlans = [ "uplink-cri" ];
};
# management
"me0".inet.addresses = [ "192.168.42.6/24" ];
"irb".inet6.addresses = [ "fd26:baf9:d250:8000::1001/64" ];
};
}

View file

@ -1,25 +1,23 @@
{ lib, ... }:
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
];
enabledServices = [
# List of services to enable
"networking"
"network"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true;
dgn-hardware.useBcachefs = true;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};
root = ./.;

View file

@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, pkgs, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"sd_mod"
"sr_mod"
];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems.bcachefs = true;
};
fileSystems = {
"/" = {
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
fsType = "bcachefs";
options = [ "compression=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/4D0A-AF11";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}

View file

@ -0,0 +1,84 @@
# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
_:
{
networking = {
useNetworkd = true;
useDHCP = false;
nftables.enable = true;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};
}

View file

@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <contact@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
(import ../../../../keys).mkSecrets [ "bridge01" ] [
# List of secrets for bridge01
]

View file

@ -1,39 +1,46 @@
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2
{ lib, ... }:
lib.extra.mkConfig {
# List of modules to enable
enabledModules = [
# List of modules to enable
# INFO: This list needs to stay sorted alphabetically
"dgn-backups"
"dgn-fail2ban"
"dgn-chatops"
"dgn-web"
];
# List of services to enable
enabledServices = [
# List of services to enable
# INFO: This list needs to stay sorted alphabetically
"arkheon"
"dgsi"
"ds-fr"
"grafana"
"hedgedoc"
"k-radius"
"kanidm"
"librenms"
"mastodon"
"nextcloud"
"ollama-proxy"
"outline"
"plausible"
"postgresql"
"rstudio-server"
"satosa"
# "satosa"
"signal-irc-bridge"
"signald"
"stirling-pdf"
"takumi"
"telegraf"
"vaultwarden"
"zammad"
"signald"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
dgn-hardware.useZfs = true;
services.netbird.enable = true;

Some files were not shown because too many files have changed in this diff Show more