forked from DGNum/infrastructure
Compare commits
191 commits
tvix-store
...
main
Author | SHA1 | Date | |
---|---|---|---|
96e8bfff5b | |||
|
aa154d1b1b | ||
|
f37a7449cb | ||
030803ba29 | |||
13abd5400b | |||
f6c933f374 | |||
c9839d4be6 | |||
fe52f0ebe2 | |||
1f9f56ac91 | |||
75b621e298 | |||
|
32f68a54a9 | ||
|
b00e47ec85 | ||
a50637d55e | |||
aa4f972085 | |||
8a5de73b47 | |||
3fecacb482 | |||
ded867d274 | |||
f61bd85d63 | |||
bf06d2573b | |||
6fbda40e5e | |||
2ffd7732ba | |||
d45b044b22 | |||
21b422b1ad | |||
420fe99984 | |||
32f13adaad | |||
a816c81125 | |||
6ab3e4b685 | |||
5f1436e4bf | |||
|
d8f90dd940 | ||
89b22a34da | |||
32d28ed351 | |||
46657a7f74 | |||
0a40fbbda0 | |||
045554b2e6 | |||
|
2cee8006d3 | ||
|
9e5be2a279 | ||
0576d1ecf8 | |||
06bbe99769 | |||
|
45f2f59055 | ||
0e3463102c | |||
d2f039755b | |||
a6aac2b0b4 | |||
ae7aaabf29 | |||
7ab63fb4a5 | |||
2bb03126cf | |||
2b858bbae4 | |||
4f18e8d387 | |||
4a102117a4 | |||
969f59fbc4 | |||
972b9554b7 | |||
|
e993d6de34 | ||
|
e0eb7bbf7c | ||
7875007a4f | |||
b5fc554f0f | |||
a93a64d747 | |||
51133e6e5f | |||
5f0c7d4e22 | |||
39abf0b62d | |||
63c9f02b16 | |||
f0b3d4b490 | |||
|
e7edf29e11 | ||
|
c0435e694d | ||
|
1a05ea3a9a | ||
113c83bb9c | |||
ac0aaa9228 | |||
16dfdf1032 | |||
05edf3f295 | |||
|
3c445ab4c7 | ||
|
492fe550d9 | ||
|
a02da5f496 | ||
b850ee56c2 | |||
db5859e472 | |||
fd6b9678ef | |||
f771ec72c8 | |||
9931c622b6 | |||
ad8ddb1f4d | |||
14866df004 | |||
b6cbf6e918 | |||
4b2d1cde5b | |||
06653220bb | |||
9ea51137fc | |||
2f06f22ac7 | |||
af61ae6e61 | |||
9ea6bada0a | |||
f819acf9bc | |||
8043f8d4ab | |||
bb4a24f9e9 | |||
cafaa15ef3 | |||
54e2eeb6f3 | |||
aa3d83ca06 | |||
e37f56f85b | |||
f20353b727 | |||
a4de5f4d31 | |||
363f8d3c67 | |||
12b20e6acf | |||
de6742aa0d | |||
d76e655174 | |||
|
7d70beb1f0 | ||
dae3b7c7f6 | |||
1e71ef3636 | |||
7bdc70632c | |||
d05c003fd6 | |||
5b271b7b4a | |||
93c47f47be | |||
47ad002f12 | |||
6b23df6b54 | |||
6c4099d369 | |||
53c865a335 | |||
34640d467b | |||
8441992408 | |||
4bedb3f497 | |||
8160b2762f | |||
ebed6462f6 | |||
e200ae53a4 | |||
62b36ed124 | |||
9bc651db42 | |||
bfe4957926 | |||
3aeae4e33f | |||
4d689fee33 | |||
862f004e3c | |||
|
da40fa9b3d | ||
c642e98ab9 | |||
fb610306ee | |||
37d0ca9489 | |||
|
39f5cad75d | ||
|
c6588da802 | ||
|
a194da9662 | ||
|
70c69346fb | ||
|
bdf0e4cf7a | ||
e4fc6a0d98 | |||
8769d6738e | |||
7d24e2dfc1 | |||
|
38231eb6e0 | ||
f589be422e | |||
|
e70d0be931 | ||
14ad93aed9 | |||
|
53379c88de | ||
|
626577e2bc | ||
|
1e85547490 | ||
|
44fefd6327 | ||
e12b8454fe | |||
f18fb56876 | |||
176cff5e6d | |||
681155318b | |||
|
5c8db3544c | ||
bdeb55f9ec | |||
2b75890752 | |||
dd5c0c79f7 | |||
|
05f7be1983 | ||
|
89d219fe8a | ||
|
9e7215b5b8 | ||
6b30a95fbb | |||
1c6124f376 | |||
4a275fd07e | |||
6f41443cf5 | |||
dcb0c3591e | |||
859418b377 | |||
f791ba15a4 | |||
|
f6253021d7 | ||
bc75d78a22 | |||
69af2c4640 | |||
9174965f28 | |||
99825b89ca | |||
3014fb79dc | |||
06285b9108 | |||
dea475cea9 | |||
595407c13b | |||
3b766e6a2b | |||
b8601b0782 | |||
|
7885442381 | ||
605f7beda2 | |||
fe9c71f37e | |||
fd0aeacff4 | |||
86c1018dc8 | |||
8a42e18d98 | |||
3ca3ff8939 | |||
16f47ce227 | |||
f5cc186ea1 | |||
ad7eb40e51 | |||
ccaa999adc | |||
359d839ad4 | |||
|
b4b2cf3836 | ||
cbc5dea62b | |||
0d7b4efbd3 | |||
b70dd91eb2 | |||
b3b21d1f96 | |||
|
53fe784b5a | ||
|
18175ad4ab | ||
d566336d5e | |||
e0cec882d8 | |||
2cb6c24535 |
201 changed files with 6104 additions and 4154 deletions
1
.envrc
1
.envrc
|
@ -1 +1,2 @@
|
||||||
|
watch_file workflows/*
|
||||||
use nix
|
use nix
|
||||||
|
|
|
@ -1,3 +1,16 @@
|
||||||
|
jobs:
|
||||||
|
check_dns:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- name: Check the validity of the DNS configuration
|
||||||
|
run: nix-build meta/verify.nix -A dns
|
||||||
|
check_meta:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- name: Check the validity of meta options
|
||||||
|
run: nix-build meta/verify.nix -A meta
|
||||||
name: Check meta
|
name: Check meta
|
||||||
on:
|
on:
|
||||||
pull_request:
|
pull_request:
|
||||||
|
@ -5,21 +18,4 @@ on:
|
||||||
- main
|
- main
|
||||||
push:
|
push:
|
||||||
paths:
|
paths:
|
||||||
- 'meta/*'
|
- meta/*
|
||||||
|
|
||||||
jobs:
|
|
||||||
check_meta:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Check the validity of meta options
|
|
||||||
run: nix-build meta/verify.nix -A meta
|
|
||||||
|
|
||||||
check_dns:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Check the validity of the DNS configuration
|
|
||||||
run: nix-build meta/verify.nix -A dns --no-out-link
|
|
||||||
|
|
16
.forgejo/workflows/check-workflows.yaml
Normal file
16
.forgejo/workflows/check-workflows.yaml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
jobs:
|
||||||
|
check_workflows:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- name: Check that the workflows are up to date
|
||||||
|
run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
|
||||||
|
-eq 0 ]'
|
||||||
|
name: Check workflows
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- workflows/*
|
|
@ -1,56 +0,0 @@
|
||||||
name: ds-fr update
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: "26 18 * * wed"
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
npins_update:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
|
||||||
|
|
||||||
- name: Update DS and open PR if necessary
|
|
||||||
run: |
|
|
||||||
# Fetch the latest release tag
|
|
||||||
VERSION=$(curl -L \
|
|
||||||
-H "Accept: application/vnd.github+json" \
|
|
||||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
||||||
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
|
|
||||||
| jq -r '.tag_name')
|
|
||||||
|
|
||||||
# Move to the ds-fr directory
|
|
||||||
cd machines/compute01/ds-fr/package
|
|
||||||
|
|
||||||
# Run the update script
|
|
||||||
./update.sh -v "$VERSION"
|
|
||||||
|
|
||||||
if [ ! -z "$(git diff --name-only)" ]; then
|
|
||||||
echo "[+] Changes detected, pushing updates."
|
|
||||||
|
|
||||||
git switch -C ds-update
|
|
||||||
|
|
||||||
git add .
|
|
||||||
|
|
||||||
git config user.name "DGNum Chores"
|
|
||||||
git config user.email "tech@dgnum.eu"
|
|
||||||
|
|
||||||
git commit --message "chore(ds-fr): Update"
|
|
||||||
git push --set-upstream origin ds-update --force
|
|
||||||
|
|
||||||
# Connect to the server with the cli
|
|
||||||
tea login add \
|
|
||||||
-n dgnum-chores \
|
|
||||||
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
|
|
||||||
-u https://git.dgnum.eu
|
|
||||||
|
|
||||||
# Create a pull request if needed
|
|
||||||
# i.e. no PR with the same title exists
|
|
||||||
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
|
|
||||||
tea pr create \
|
|
||||||
--description "Automatic ds-fr update" \
|
|
||||||
--title "chore(ds-fr): Update" \
|
|
||||||
--head ds-update
|
|
||||||
fi
|
|
||||||
fi
|
|
119
.forgejo/workflows/eval-nodes.yaml
Normal file
119
.forgejo/workflows/eval-nodes.yaml
Normal file
|
@ -0,0 +1,119 @@
|
||||||
|
jobs:
|
||||||
|
bridge01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: bridge01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache bridge01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
compute01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: compute01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache compute01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
geo01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: geo01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache geo01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
geo02:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: geo02
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache geo02
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
rescue01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: rescue01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache rescue01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
storage01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: storage01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache storage01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
vault01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: vault01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache vault01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
web01:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: web01
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache web01
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
web02:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: web02
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache web02
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
web03:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- env:
|
||||||
|
BUILD_NODE: web03
|
||||||
|
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
|
||||||
|
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
||||||
|
STORE_USER: admin
|
||||||
|
name: Build and cache web03
|
||||||
|
run: nix-shell -A eval-nodes --run cache-node
|
||||||
|
name: Build all the nodes
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
|
@ -1,207 +0,0 @@
|
||||||
name: build configuration
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
types: [opened, synchronize, edited, reopened]
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build_compute01:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build compute01
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on compute01'
|
|
||||||
|
|
||||||
build_storage01:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build storage01
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on storage01'
|
|
||||||
|
|
||||||
build_vault01:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build vault01
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on vault01'
|
|
||||||
|
|
||||||
build_web01:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build web01
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on web01'
|
|
||||||
|
|
||||||
build_web02:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build web02
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on web02'
|
|
||||||
|
|
||||||
build_rescue01:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build rescue01
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on rescue01'
|
|
||||||
|
|
||||||
build_geo01:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build geo01
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on geo01'
|
|
||||||
|
|
||||||
build_geo02:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Build geo02
|
|
||||||
run: |
|
|
||||||
# Enter the shell
|
|
||||||
nix-shell --run 'colmena build --on geo02'
|
|
||||||
|
|
||||||
push_to_cache_compute01:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_compute01
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "compute01" ]'
|
|
||||||
|
|
||||||
- uses: actions/upload-artifact@v3
|
|
||||||
if: always()
|
|
||||||
with:
|
|
||||||
name: outputs_compute01
|
|
||||||
path: uploaded.txt
|
|
||||||
|
|
||||||
push_to_cache_storage01:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_storage01
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "storage01" ]'
|
|
||||||
|
|
||||||
- uses: actions/upload-artifact@v3
|
|
||||||
if: always()
|
|
||||||
with:
|
|
||||||
name: outputs_storage01
|
|
||||||
path: uploaded.txt
|
|
||||||
|
|
||||||
push_to_cache_rescue01:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_rescue01
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "rescue01" ]'
|
|
||||||
|
|
||||||
push_to_cache_geo01:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_geo01
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "geo01" ]'
|
|
||||||
|
|
||||||
push_to_cache_geo02:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_geo02
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "geo02" ]'
|
|
||||||
|
|
||||||
push_to_cache_web01:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_web01
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "web01" ]'
|
|
||||||
|
|
||||||
push_to_cache_web02:
|
|
||||||
runs-on: nix
|
|
||||||
needs:
|
|
||||||
- build_web02
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Push to cache
|
|
||||||
run: nix-shell --run push-to-nix-cache
|
|
||||||
env:
|
|
||||||
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
|
|
||||||
STORE_USER: "admin"
|
|
||||||
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
|
|
||||||
NODES: '[ "web02" ]'
|
|
|
@ -1,11 +0,0 @@
|
||||||
name: lint
|
|
||||||
on: push
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check:
|
|
||||||
runs-on: nix
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Run pre-commit on all files
|
|
||||||
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
|
|
25
.forgejo/workflows/npins-update.yaml
Normal file
25
.forgejo/workflows/npins-update.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
jobs:
|
||||||
|
npins_update:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
with:
|
||||||
|
depth: 0
|
||||||
|
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
|
||||||
|
- name: Update dependencies and open PR if necessary
|
||||||
|
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo
|
||||||
|
\"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
|
||||||
|
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config
|
||||||
|
user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
|
||||||
|
\n git push --set-upstream origin npins-update --force\n\n # Connect to
|
||||||
|
the server with the cli\n tea login add \\\n -n dgnum-chores \\\n -t
|
||||||
|
\"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
|
||||||
|
\n # Create a pull request if needed\n # i.e. no PR with the same title
|
||||||
|
exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
|
||||||
|
Update dgnum-chores')\" ]; then\n tea pr create \\\n --description
|
||||||
|
\"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\n\
|
||||||
|
\ --head npins-update\n fi\nfi\n"
|
||||||
|
name: npins update
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
- cron: 25 15 * * *
|
12
.forgejo/workflows/pre-commit.yaml
Normal file
12
.forgejo/workflows/pre-commit.yaml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
jobs:
|
||||||
|
check:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- name: Run pre-commit on all files
|
||||||
|
run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
|
||||||
|
pre-push --show-diff-on-failure'
|
||||||
|
name: Run pre-commit on all files
|
||||||
|
on:
|
||||||
|
- push
|
||||||
|
- pull_request
|
25
README.md
25
README.md
|
@ -9,6 +9,21 @@ You're expected to read this document before commiting to the repo.
|
||||||
|
|
||||||
Some documentation for the development tools are provided in the aforementioned file.
|
Some documentation for the development tools are provided in the aforementioned file.
|
||||||
|
|
||||||
|
# Using the binary cache
|
||||||
|
|
||||||
|
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
|
||||||
|
```
|
||||||
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
dgnum-infra = PINNED_PATH_TO_INFRA;
|
||||||
|
in {
|
||||||
|
nix.settings = (import dgnum-infra { }).mkCacheSettings {
|
||||||
|
caches = [ "infra" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
# Adding a new machine
|
# Adding a new machine
|
||||||
|
|
||||||
The first step is to create a minimal viable NixOS host, using tha means necessary.
|
The first step is to create a minimal viable NixOS host, using tha means necessary.
|
||||||
|
@ -19,7 +34,7 @@ The second step is to find a name for this host, it must be unique from the othe
|
||||||
|
|
||||||
## Download the keys
|
## Download the keys
|
||||||
|
|
||||||
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
|
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
|
||||||
|
|
||||||
It can be retreived with :
|
It can be retreived with :
|
||||||
|
|
||||||
|
@ -76,11 +91,9 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
|
||||||
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
|
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
let
|
(import ../../../keys).mkSecrets [ "host02" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for host02
|
||||||
in
|
]
|
||||||
|
|
||||||
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
|
|
||||||
```
|
```
|
||||||
|
|
||||||
This will be used for future secret management.
|
This will be used for future secret management.
|
||||||
|
|
79
default.nix
79
default.nix
|
@ -41,25 +41,56 @@
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
pre-commit-check = (import sources.pre-commit-hooks).run {
|
inherit (pkgs.lib)
|
||||||
|
isFunction
|
||||||
|
mapAttrs
|
||||||
|
mapAttrs'
|
||||||
|
nameValuePair
|
||||||
|
removeSuffix
|
||||||
|
;
|
||||||
|
|
||||||
|
git-checks = (import sources.git-hooks).run {
|
||||||
src = ./.;
|
src = ./.;
|
||||||
|
|
||||||
hooks = {
|
hooks = {
|
||||||
# Nix Hooks
|
statix = {
|
||||||
statix.enable = true;
|
|
||||||
deadnix.enable = true;
|
|
||||||
rfc101 = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
|
stages = [ "pre-push" ];
|
||||||
name = "RFC-101 formatting";
|
settings.ignore = [
|
||||||
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
|
"**/lon.nix"
|
||||||
files = "\\.nix$";
|
"**/npins"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
deadnix = {
|
||||||
|
enable = true;
|
||||||
|
stages = [ "pre-push" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
nixfmt-rfc-style = {
|
||||||
|
enable = true;
|
||||||
|
stages = [ "pre-push" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Misc Hooks
|
|
||||||
commitizen.enable = true;
|
commitizen.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
workflows = (import sources.nix-actions { inherit pkgs; }).install {
|
||||||
|
src = ./.;
|
||||||
|
|
||||||
|
workflows = mapAttrs' (
|
||||||
|
name: _:
|
||||||
|
nameValuePair (removeSuffix ".nix" name) (
|
||||||
|
let
|
||||||
|
w = import ./workflows/${name};
|
||||||
|
in
|
||||||
|
if isFunction w then w { inherit (pkgs) lib; } else w
|
||||||
|
)
|
||||||
|
) (builtins.readDir ./workflows);
|
||||||
|
};
|
||||||
|
|
||||||
|
scripts = import ./scripts { inherit pkgs; };
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -69,35 +100,37 @@ in
|
||||||
|
|
||||||
dns = import ./meta/dns.nix;
|
dns = import ./meta/dns.nix;
|
||||||
|
|
||||||
shells = {
|
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
|
||||||
default = pkgs.mkShell {
|
|
||||||
|
devShell = pkgs.mkShell {
|
||||||
name = "dgnum-infra";
|
name = "dgnum-infra";
|
||||||
|
|
||||||
packages = [
|
packages = [
|
||||||
(pkgs.nixos-generators.overrideAttrs (_: {
|
(pkgs.nixos-generators.overrideAttrs (_: {
|
||||||
version = "1.8.0-unstable";
|
version = "1.8.0-unstable";
|
||||||
src = builtins.storePath sources.nixos-generators;
|
src = sources.nixos-generators;
|
||||||
}))
|
}))
|
||||||
pkgs.attic-client
|
|
||||||
pkgs.npins
|
pkgs.npins
|
||||||
|
|
||||||
(pkgs.callPackage (sources.disko + "/package.nix") { })
|
|
||||||
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
|
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
|
||||||
] ++ (import ./scripts { inherit pkgs; });
|
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
||||||
|
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
||||||
|
] ++ (builtins.attrValues scripts);
|
||||||
|
|
||||||
shellHook = ''
|
shellHook = ''
|
||||||
${pre-commit-check.shellHook}
|
${git-checks.shellHook}
|
||||||
|
${workflows.shellHook}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preferLocalBuild = true;
|
preferLocalBuild = true;
|
||||||
};
|
|
||||||
|
|
||||||
pre-commit = pkgs.mkShell {
|
###
|
||||||
name = "pre-commit-shell";
|
# Alternative shells
|
||||||
|
|
||||||
shellHook = ''
|
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
|
||||||
${pre-commit-check.shellHook}
|
pre-commit.shellHook = git-checks.shellHook;
|
||||||
'';
|
check-workflows.shellHook = workflows.shellHook;
|
||||||
|
eval-nodes.packages = [ scripts.cache-node ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
55
hive.nix
55
hive.nix
|
@ -1,24 +1,25 @@
|
||||||
let
|
let
|
||||||
sources = import ./npins;
|
sources' = import ./npins;
|
||||||
|
|
||||||
lib = import (sources.nix-lib + "/src/trivial.nix");
|
# Patch sources directly
|
||||||
|
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
|
||||||
|
.applyPatches' sources';
|
||||||
|
|
||||||
patch = import sources.nix-patches { patchFile = ./patches; };
|
nix-lib = import ./lib/nix-lib;
|
||||||
|
|
||||||
|
patch = import ./lib/nix-patches { patchFile = ./patches; };
|
||||||
|
|
||||||
nodes' = import ./meta/nodes.nix;
|
nodes' = import ./meta/nodes.nix;
|
||||||
nodes = builtins.attrNames nodes';
|
nodes = builtins.attrNames nodes';
|
||||||
|
|
||||||
mkNode = node: {
|
mkNode = node: {
|
||||||
# Import the base configuration for each node
|
# Import the base configuration for each node
|
||||||
imports = builtins.map (lib.mkRel (./machines/${node})) [
|
imports = [ ./machines/${node}/_configuration.nix ];
|
||||||
"_configuration.nix"
|
|
||||||
"_hardware-configuration.nix"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs' = import ./meta/nixpkgs.nix;
|
nixpkgs' = import ./meta/nixpkgs.nix;
|
||||||
# All supported nixpkgs versions, instanciated
|
# All supported nixpkgs versions, instanciated
|
||||||
nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
|
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
|
||||||
|
|
||||||
# Get the configured nixos version for the node,
|
# Get the configured nixos version for the node,
|
||||||
# defaulting to the one defined in meta/nixpkgs
|
# defaulting to the one defined in meta/nixpkgs
|
||||||
|
@ -27,12 +28,9 @@ let
|
||||||
# Builds a patched version of nixpkgs, only as the source
|
# Builds a patched version of nixpkgs, only as the source
|
||||||
mkNixpkgs' =
|
mkNixpkgs' =
|
||||||
v:
|
v:
|
||||||
let
|
patch.mkNixpkgsSrc rec {
|
||||||
version = "nixos-${v}";
|
src = sources'.${name};
|
||||||
in
|
name = "nixos-${v}";
|
||||||
patch.mkNixpkgsSrc {
|
|
||||||
src = sources.${version};
|
|
||||||
inherit version;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Instanciates the required nixpkgs version
|
# Instanciates the required nixpkgs version
|
||||||
|
@ -42,10 +40,8 @@ let
|
||||||
# Function to create arguments based on the node
|
# Function to create arguments based on the node
|
||||||
#
|
#
|
||||||
mkArgs = node: rec {
|
mkArgs = node: rec {
|
||||||
lib = import sources.nix-lib {
|
lib = nixpkgs.${version node}.lib // {
|
||||||
inherit (nixpkgs.${version node}) lib;
|
extra = nix-lib;
|
||||||
|
|
||||||
keysRoot = ./keys;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
meta = (import ./meta) lib;
|
meta = (import ./meta) lib;
|
||||||
|
@ -56,33 +52,24 @@ in
|
||||||
|
|
||||||
{
|
{
|
||||||
meta = {
|
meta = {
|
||||||
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
|
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
|
||||||
|
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
inherit nixpkgs sources;
|
inherit nixpkgs sources;
|
||||||
|
|
||||||
|
dgn-keys = import ./keys;
|
||||||
};
|
};
|
||||||
|
|
||||||
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
|
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
|
||||||
};
|
};
|
||||||
|
|
||||||
defaults =
|
defaults =
|
||||||
{
|
{ name, nodeMeta, ... }:
|
||||||
pkgs,
|
|
||||||
name,
|
|
||||||
nodeMeta,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
{
|
||||||
# Import the default modules
|
# Import the default modules
|
||||||
imports = [
|
imports = [
|
||||||
./modules
|
./modules
|
||||||
(import "${sources.lix-module}/module.nix" {
|
(import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
|
||||||
lix = pkgs.applyPatches {
|
|
||||||
name = "lix-2.90.patched";
|
|
||||||
src = sources.lix;
|
|
||||||
patches = [ ./patches/00-disable-installChecks-lix.patch ];
|
|
||||||
};
|
|
||||||
})
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# Include default secrets
|
# Include default secrets
|
||||||
|
@ -112,4 +99,4 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
// (lib.mapSingleFuse mkNode nodes)
|
// (nix-lib.mapSingleFuse mkNode nodes)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
NIXPKGS=$(nix-build nixpkgs.nix)
|
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
|
||||||
|
|
||||||
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
|
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
dgn-lib = import ../lib { };
|
dgn-keys = import ../keys;
|
||||||
|
|
||||||
dgn-members = (import ../meta lib).organization.groups.root;
|
dgn-members = (import ../meta lib).organization.groups.root;
|
||||||
in
|
in
|
||||||
|
@ -11,7 +11,7 @@ in
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
blacklistedKernelModules = [ "snd_pcsp" ];
|
blacklistedKernelModules = [ "snd_pcsp" ];
|
||||||
kernelPackages = pkgs.linuxPackages_6_1;
|
kernelPackages = pkgs.linuxPackages_latest;
|
||||||
tmp.cleanOnBoot = true;
|
tmp.cleanOnBoot = true;
|
||||||
|
|
||||||
loader = {
|
loader = {
|
||||||
|
@ -22,6 +22,7 @@ in
|
||||||
supportedFilesystems = [
|
supportedFilesystems = [
|
||||||
"exfat"
|
"exfat"
|
||||||
"zfs"
|
"zfs"
|
||||||
|
"bcachefs"
|
||||||
];
|
];
|
||||||
|
|
||||||
swraid.enable = lib.mkForce false;
|
swraid.enable = lib.mkForce false;
|
||||||
|
@ -33,7 +34,5 @@ in
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
|
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
|
||||||
m: dgn-lib.mkRel ../keys "${m}.keys"
|
|
||||||
) dgn-members;
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
let
|
let
|
||||||
inherit (import ../npins) nixpkgs;
|
version = (import ../meta/nixpkgs.nix).default;
|
||||||
|
nixpkgs = (import ../npins)."nixos-${version}";
|
||||||
in
|
in
|
||||||
|
|
||||||
(import nixpkgs { }).srcOnly {
|
(import nixpkgs { }).srcOnly {
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
|
|
88
keys/default.nix
Normal file
88
keys/default.nix
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
let
|
||||||
|
_sources = import ../npins;
|
||||||
|
|
||||||
|
meta = import ../meta (import _sources.nixpkgs { }).lib;
|
||||||
|
|
||||||
|
getAttr = flip builtins.getAttr;
|
||||||
|
|
||||||
|
inherit (import ../lib/nix-lib) flip setDefault unique;
|
||||||
|
in
|
||||||
|
|
||||||
|
rec {
|
||||||
|
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
|
||||||
|
# If not, you will face an angry maintainer
|
||||||
|
_keys = {
|
||||||
|
# SSH keys of the nodes
|
||||||
|
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
|
||||||
|
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
|
||||||
|
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
|
||||||
|
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
|
||||||
|
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
|
||||||
|
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
|
||||||
|
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
|
||||||
|
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
|
||||||
|
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
|
||||||
|
web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
|
||||||
|
|
||||||
|
# SSH keys of the DGNum members
|
||||||
|
agroudiev = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
|
||||||
|
];
|
||||||
|
catvayor = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
|
||||||
|
];
|
||||||
|
cst1 = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
|
||||||
|
];
|
||||||
|
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
|
||||||
|
gdd = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
|
||||||
|
];
|
||||||
|
jemagius = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
|
||||||
|
];
|
||||||
|
luj = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
|
||||||
|
];
|
||||||
|
mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
|
||||||
|
mdebray = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
|
||||||
|
];
|
||||||
|
raito = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
|
||||||
|
];
|
||||||
|
thubrecht = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
|
||||||
|
|
||||||
|
mkSecrets =
|
||||||
|
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
|
||||||
|
|
||||||
|
getNodeKeys' =
|
||||||
|
node:
|
||||||
|
let
|
||||||
|
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
||||||
|
meta.nodes.${node}.admins ++ [ node ]
|
||||||
|
) meta.nodes.${node}.adminGroups;
|
||||||
|
in
|
||||||
|
unique (getKeys names);
|
||||||
|
|
||||||
|
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
|
||||||
|
|
||||||
|
# List of keys for the root group
|
||||||
|
rootKeys = getKeys meta.organization.groups.root;
|
||||||
|
|
||||||
|
# List of 'machine' keys
|
||||||
|
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
|
||||||
|
}
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
|
|
||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
|
|
|
@ -1,2 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX
|
|
|
@ -1 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
|
|
|
@ -1,3 +0,0 @@
|
||||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
|
|
|
@ -1,3 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
|
|
|
@ -1,33 +0,0 @@
|
||||||
_:
|
|
||||||
|
|
||||||
let
|
|
||||||
sources = import ../npins;
|
|
||||||
|
|
||||||
lib = import sources.nix-lib {
|
|
||||||
inherit ((import sources.nixpkgs { })) lib;
|
|
||||||
|
|
||||||
keysRoot = ../keys;
|
|
||||||
};
|
|
||||||
|
|
||||||
meta = import ../meta lib;
|
|
||||||
|
|
||||||
inherit (lib.extra) getAllKeys;
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.extra
|
|
||||||
// rec {
|
|
||||||
# Get publickeys associated to a node
|
|
||||||
getNodeKeys =
|
|
||||||
node:
|
|
||||||
let
|
|
||||||
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
|
|
||||||
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
|
|
||||||
) meta.nodes.${node}.adminGroups;
|
|
||||||
in
|
|
||||||
rootKeys ++ (getAllKeys names);
|
|
||||||
|
|
||||||
rootKeys = getAllKeys meta.organization.groups.root;
|
|
||||||
|
|
||||||
machineKeys =
|
|
||||||
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
|
|
||||||
}
|
|
200
lib/nix-lib/default.nix
Normal file
200
lib/nix-lib/default.nix
Normal file
|
@ -0,0 +1,200 @@
|
||||||
|
# Copyright Tom Hubrecht, (2023)
|
||||||
|
#
|
||||||
|
# Tom Hubrecht <tom@hubrecht.ovh>
|
||||||
|
#
|
||||||
|
# This software is governed by the CeCILL license under French law and
|
||||||
|
# abiding by the rules of distribution of free software. You can use,
|
||||||
|
# modify and/ or redistribute the software under the terms of the CeCILL
|
||||||
|
# license as circulated by CEA, CNRS and INRIA at the following URL
|
||||||
|
# "http://www.cecill.info".
|
||||||
|
#
|
||||||
|
# As a counterpart to the access to the source code and rights to copy,
|
||||||
|
# modify and redistribute granted by the license, users are provided only
|
||||||
|
# with a limited warranty and the software's author, the holder of the
|
||||||
|
# economic rights, and the successive licensors have only limited
|
||||||
|
# liability.
|
||||||
|
#
|
||||||
|
# In this respect, the user's attention is drawn to the risks associated
|
||||||
|
# with loading, using, modifying and/or developing or reproducing the
|
||||||
|
# software by the user in light of its specific status of free software,
|
||||||
|
# that may mean that it is complicated to manipulate, and that also
|
||||||
|
# therefore means that it is reserved for developers and experienced
|
||||||
|
# professionals having in-depth computer knowledge. Users are therefore
|
||||||
|
# encouraged to load and test the software's suitability as regards their
|
||||||
|
# requirements in conditions enabling the security of their systems and/or
|
||||||
|
# data to be ensured and, more generally, to use and operate it in the
|
||||||
|
# same conditions as regards security.
|
||||||
|
#
|
||||||
|
# The fact that you are presently reading this means that you have had
|
||||||
|
# knowledge of the CeCILL license and that you accept its terms.
|
||||||
|
|
||||||
|
let
|
||||||
|
# Reimplement optional functions
|
||||||
|
_optional =
|
||||||
|
default: b: value:
|
||||||
|
if b then value else default;
|
||||||
|
in
|
||||||
|
|
||||||
|
rec {
|
||||||
|
inherit (import ./nixpkgs.nix)
|
||||||
|
flip
|
||||||
|
hasPrefix
|
||||||
|
recursiveUpdate
|
||||||
|
splitString
|
||||||
|
unique
|
||||||
|
;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Fuses a list of attribute sets into a single attribute set.
|
||||||
|
|
||||||
|
Type: [attrs] -> attrs
|
||||||
|
|
||||||
|
Example:
|
||||||
|
x = [ { a = 1; } { b = 2; } ]
|
||||||
|
fuseAttrs x
|
||||||
|
=> { a = 1; b = 2; }
|
||||||
|
*/
|
||||||
|
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
|
||||||
|
|
||||||
|
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
|
||||||
|
|
||||||
|
/*
|
||||||
|
Applies a function to `attrsList` before fusing the resulting list
|
||||||
|
of attribute sets.
|
||||||
|
|
||||||
|
Type: ('a -> attrs) -> ['a] -> attrs
|
||||||
|
|
||||||
|
Example:
|
||||||
|
x = [ "to" "ta" "ti" ]
|
||||||
|
f = s: { ${s} = s + s; }
|
||||||
|
mapFuse f x
|
||||||
|
=> { to = "toto"; ta = "tata"; ti = "titi"; }
|
||||||
|
*/
|
||||||
|
mapFuse =
|
||||||
|
# 'a -> attrs
|
||||||
|
f:
|
||||||
|
# ['a]
|
||||||
|
attrsList:
|
||||||
|
fuseAttrs (builtins.map f attrsList);
|
||||||
|
|
||||||
|
/*
|
||||||
|
Equivalent of lib.singleton but for an attribute set.
|
||||||
|
|
||||||
|
Type: str -> 'a -> attrs
|
||||||
|
|
||||||
|
Example:
|
||||||
|
singleAttr "a" 1
|
||||||
|
=> { a = 1; }
|
||||||
|
*/
|
||||||
|
singleAttr = name: value: { ${name} = value; };
|
||||||
|
|
||||||
|
# Enables a list of modules.
|
||||||
|
enableAttrs' =
|
||||||
|
enable:
|
||||||
|
mapFuse (m: {
|
||||||
|
${m}.${enable} = true;
|
||||||
|
});
|
||||||
|
|
||||||
|
enableModules = enableAttrs' "enable";
|
||||||
|
|
||||||
|
/*
|
||||||
|
Create an attribute set from a list of values, mapping those
|
||||||
|
values through the function `f`.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
|
||||||
|
=> { a = "val-a"; b = "val-b" }
|
||||||
|
*/
|
||||||
|
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a relative path as a string
|
||||||
|
|
||||||
|
Type: path -> str -> path
|
||||||
|
|
||||||
|
Example:
|
||||||
|
mkRel /home/test/ "file.txt"
|
||||||
|
=> "/home/test/file.txt"
|
||||||
|
*/
|
||||||
|
mkRel = path: file: path + "/${file}";
|
||||||
|
|
||||||
|
setDefault =
|
||||||
|
default:
|
||||||
|
mapFuse (name: {
|
||||||
|
${name} = default;
|
||||||
|
});
|
||||||
|
|
||||||
|
mkBaseSecrets =
|
||||||
|
root:
|
||||||
|
mapFuse (secret: {
|
||||||
|
${secret}.file = mkRel root secret;
|
||||||
|
});
|
||||||
|
|
||||||
|
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
|
||||||
|
|
||||||
|
subAttr = attrs: name: attrs.${name};
|
||||||
|
|
||||||
|
subAttrs = attrs: builtins.map (subAttr attrs);
|
||||||
|
|
||||||
|
optionalList = _optional [ ];
|
||||||
|
|
||||||
|
optionalAttrs = _optional { };
|
||||||
|
|
||||||
|
optionalString = _optional "";
|
||||||
|
/*
|
||||||
|
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
|
||||||
|
sets together.
|
||||||
|
|
||||||
|
Type: [attrs] -> attrs
|
||||||
|
*/
|
||||||
|
recursiveFuse = builtins.foldl' recursiveUpdate { };
|
||||||
|
|
||||||
|
mkImport =
|
||||||
|
root: file:
|
||||||
|
let
|
||||||
|
path = mkRel root file;
|
||||||
|
in
|
||||||
|
path + (optionalString (!(builtins.pathExists path)) ".nix");
|
||||||
|
|
||||||
|
mkImports = root: builtins.map (mkImport root);
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a confugiration by merging enabled modules,
|
||||||
|
services and extraConfig.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
mkConfig {
|
||||||
|
enabledModules = [ "ht-defaults" ];
|
||||||
|
enabledServices = [ "toto" ];
|
||||||
|
extraConfig = { services.nginx.enable = true; };
|
||||||
|
root = ./.;
|
||||||
|
}
|
||||||
|
=>
|
||||||
|
{
|
||||||
|
imports = [ ./toto ];
|
||||||
|
ht-defaults.enable = true;
|
||||||
|
services.nginx.enable = true;
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
mkConfig =
|
||||||
|
{
|
||||||
|
# List of modules to enable with `enableModules`
|
||||||
|
enabledModules,
|
||||||
|
# List of services to import
|
||||||
|
enabledServices,
|
||||||
|
# Extra configuration, defaults to `{ }`
|
||||||
|
extraConfig ? { },
|
||||||
|
# Path relative to which the enabled services will be imported
|
||||||
|
root,
|
||||||
|
}:
|
||||||
|
recursiveFuse [
|
||||||
|
(enableModules enabledModules)
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
(extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
|
||||||
|
}
|
||||||
|
|
||||||
|
(removeAttrs extraConfig [ "imports" ])
|
||||||
|
];
|
||||||
|
}
|
416
lib/nix-lib/nixpkgs.nix
Normal file
416
lib/nix-lib/nixpkgs.nix
Normal file
|
@ -0,0 +1,416 @@
|
||||||
|
###
|
||||||
|
# Collection of nixpkgs library functions, those are necessary for defining our own lib
|
||||||
|
#
|
||||||
|
# They have been simplified and builtins are used in some places, instead of lib shims.
|
||||||
|
|
||||||
|
rec {
|
||||||
|
/**
|
||||||
|
Does the same as the update operator '//' except that attributes are
|
||||||
|
merged until the given predicate is verified. The predicate should
|
||||||
|
accept 3 arguments which are the path to reach the attribute, a part of
|
||||||
|
the first attribute set and a part of the second attribute set. When
|
||||||
|
the predicate is satisfied, the value of the first attribute set is
|
||||||
|
replaced by the value of the second attribute set.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`pred`
|
||||||
|
|
||||||
|
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
|
||||||
|
|
||||||
|
`lhs`
|
||||||
|
|
||||||
|
: Left attribute set of the merge.
|
||||||
|
|
||||||
|
`rhs`
|
||||||
|
|
||||||
|
: Right attribute set of the merge.
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.attrsets.recursiveUpdateUntil` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
|
||||||
|
# first attribute set
|
||||||
|
foo.bar = 1;
|
||||||
|
foo.baz = 2;
|
||||||
|
bar = 3;
|
||||||
|
} {
|
||||||
|
#second attribute set
|
||||||
|
foo.bar = 1;
|
||||||
|
foo.quz = 2;
|
||||||
|
baz = 4;
|
||||||
|
}
|
||||||
|
|
||||||
|
=> {
|
||||||
|
foo.bar = 1; # 'foo.*' from the second set
|
||||||
|
foo.quz = 2; #
|
||||||
|
bar = 3; # 'bar' from the first set
|
||||||
|
baz = 4; # 'baz' from the second set
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
recursiveUpdateUntil =
|
||||||
|
pred: lhs: rhs:
|
||||||
|
let
|
||||||
|
f =
|
||||||
|
attrPath:
|
||||||
|
builtins.zipAttrsWith (
|
||||||
|
n: values:
|
||||||
|
let
|
||||||
|
here = attrPath ++ [ n ];
|
||||||
|
in
|
||||||
|
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
|
||||||
|
builtins.head values
|
||||||
|
else
|
||||||
|
f here values
|
||||||
|
);
|
||||||
|
in
|
||||||
|
f [ ] [
|
||||||
|
rhs
|
||||||
|
lhs
|
||||||
|
];
|
||||||
|
|
||||||
|
/**
|
||||||
|
A recursive variant of the update operator ‘//’. The recursion
|
||||||
|
stops when one of the attribute values is not an attribute set,
|
||||||
|
in which case the right hand side value takes precedence over the
|
||||||
|
left hand side value.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`lhs`
|
||||||
|
|
||||||
|
: Left attribute set of the merge.
|
||||||
|
|
||||||
|
`rhs`
|
||||||
|
|
||||||
|
: Right attribute set of the merge.
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.attrsets.recursiveUpdate` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
recursiveUpdate {
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.device = "/dev/hda";
|
||||||
|
} {
|
||||||
|
boot.loader.grub.device = "";
|
||||||
|
}
|
||||||
|
|
||||||
|
returns: {
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.device = "";
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
recursiveUpdate =
|
||||||
|
lhs: rhs:
|
||||||
|
recursiveUpdateUntil (
|
||||||
|
_: lhs: rhs:
|
||||||
|
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
|
||||||
|
) lhs rhs;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Determine whether a string has given prefix.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`pref`
|
||||||
|
: Prefix to check for
|
||||||
|
|
||||||
|
`str`
|
||||||
|
: Input string
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
hasPrefix :: string -> string -> bool
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.hasPrefix` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
hasPrefix "foo" "foobar"
|
||||||
|
=> true
|
||||||
|
hasPrefix "foo" "barfoo"
|
||||||
|
=> false
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Escape occurrence of the elements of `list` in `string` by
|
||||||
|
prefixing it with a backslash.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`list`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
`string`
|
||||||
|
: 2\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
escape :: [string] -> string -> string
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.escape` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
escape ["(" ")"] "(foo)"
|
||||||
|
=> "\\(foo\\)"
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Convert a string `s` to a list of characters (i.e. singleton strings).
|
||||||
|
This allows you to, e.g., map a function over each character. However,
|
||||||
|
note that this will likely be horribly inefficient; Nix is not a
|
||||||
|
general purpose programming language. Complex string manipulations
|
||||||
|
should, if appropriate, be done in a derivation.
|
||||||
|
Also note that Nix treats strings as a list of bytes and thus doesn't
|
||||||
|
handle unicode.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`s`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
stringToCharacters :: string -> [string]
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.stringToCharacters` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
stringToCharacters ""
|
||||||
|
=> [ ]
|
||||||
|
stringToCharacters "abc"
|
||||||
|
=> [ "a" "b" "c" ]
|
||||||
|
stringToCharacters "🦄"
|
||||||
|
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Turn a string `s` into an exact regular expression
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`s`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
escapeRegex :: string -> string
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.escapeRegex` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
escapeRegex "[^a-z]*"
|
||||||
|
=> "\\[\\^a-z]\\*"
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
|
||||||
|
|
||||||
|
/**
|
||||||
|
Appends string context from string like object `src` to `target`.
|
||||||
|
|
||||||
|
:::{.warning}
|
||||||
|
This is an implementation
|
||||||
|
detail of Nix and should be used carefully.
|
||||||
|
:::
|
||||||
|
|
||||||
|
Strings in Nix carry an invisible `context` which is a list of strings
|
||||||
|
representing store paths. If the string is later used in a derivation
|
||||||
|
attribute, the derivation will properly populate the inputDrvs and
|
||||||
|
inputSrcs.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`src`
|
||||||
|
: The string to take the context from. If the argument is not a string,
|
||||||
|
it will be implicitly converted to a string.
|
||||||
|
|
||||||
|
`target`
|
||||||
|
: The string to append the context to. If the argument is not a string,
|
||||||
|
it will be implicitly converted to a string.
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
addContextFrom :: string -> string -> string
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.addContextFrom` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
pkgs = import <nixpkgs> { };
|
||||||
|
addContextFrom pkgs.coreutils "bar"
|
||||||
|
=> "bar"
|
||||||
|
```
|
||||||
|
|
||||||
|
The context can be displayed using the `toString` function:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
|
||||||
|
{
|
||||||
|
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
addContextFrom = src: target: builtins.substring 0 0 src + target;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Cut a string with a separator and produces a list of strings which
|
||||||
|
were separated by this separator.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`sep`
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
`s`
|
||||||
|
: 2\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
splitString :: string -> string -> [string]
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.strings.splitString` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
splitString "." "foo.bar.baz"
|
||||||
|
=> [ "foo" "bar" "baz" ]
|
||||||
|
splitString "/" "/usr/local/bin"
|
||||||
|
=> [ "" "usr" "local" "bin" ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
splitString =
|
||||||
|
sep: s:
|
||||||
|
let
|
||||||
|
splits = builtins.filter builtins.isString (
|
||||||
|
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
|
||||||
|
);
|
||||||
|
in
|
||||||
|
builtins.map (addContextFrom s) splits;
|
||||||
|
|
||||||
|
/**
|
||||||
|
Remove duplicate elements from the `list`. O(n^2) complexity.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`list`
|
||||||
|
|
||||||
|
: Input list
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
unique :: [a] -> [a]
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.lists.unique` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
unique [ 3 2 3 4 ]
|
||||||
|
=> [ 3 2 4 ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
|
||||||
|
|
||||||
|
/**
|
||||||
|
Flip the order of the arguments of a binary function.
|
||||||
|
|
||||||
|
# Inputs
|
||||||
|
|
||||||
|
`f`
|
||||||
|
|
||||||
|
: 1\. Function argument
|
||||||
|
|
||||||
|
`a`
|
||||||
|
|
||||||
|
: 2\. Function argument
|
||||||
|
|
||||||
|
`b`
|
||||||
|
|
||||||
|
: 3\. Function argument
|
||||||
|
|
||||||
|
# Type
|
||||||
|
|
||||||
|
```
|
||||||
|
flip :: (a -> b -> c) -> (b -> a -> c)
|
||||||
|
```
|
||||||
|
|
||||||
|
# Examples
|
||||||
|
:::{.example}
|
||||||
|
## `lib.trivial.flip` usage example
|
||||||
|
|
||||||
|
```nix
|
||||||
|
flip concat [1] [2]
|
||||||
|
=> [ 2 1 ]
|
||||||
|
```
|
||||||
|
|
||||||
|
:::
|
||||||
|
*/
|
||||||
|
flip =
|
||||||
|
f: a: b:
|
||||||
|
f b a;
|
||||||
|
}
|
110
lib/nix-patches/default.nix
Normal file
110
lib/nix-patches/default.nix
Normal file
|
@ -0,0 +1,110 @@
|
||||||
|
# Copyright Tom Hubrecht, (2023-2024)
|
||||||
|
#
|
||||||
|
# Tom Hubrecht <tom@hubrecht.ovh>
|
||||||
|
#
|
||||||
|
# This software is governed by the CeCILL license under French law and
|
||||||
|
# abiding by the rules of distribution of free software. You can use,
|
||||||
|
# modify and/ or redistribute the software under the terms of the CeCILL
|
||||||
|
# license as circulated by CEA, CNRS and INRIA at the following URL
|
||||||
|
# "http://www.cecill.info".
|
||||||
|
#
|
||||||
|
# As a counterpart to the access to the source code and rights to copy,
|
||||||
|
# modify and redistribute granted by the license, users are provided only
|
||||||
|
# with a limited warranty and the software's author, the holder of the
|
||||||
|
# economic rights, and the successive licensors have only limited
|
||||||
|
# liability.
|
||||||
|
#
|
||||||
|
# In this respect, the user's attention is drawn to the risks associated
|
||||||
|
# with loading, using, modifying and/or developing or reproducing the
|
||||||
|
# software by the user in light of its specific status of free software,
|
||||||
|
# that may mean that it is complicated to manipulate, and that also
|
||||||
|
# therefore means that it is reserved for developers and experienced
|
||||||
|
# professionals having in-depth computer knowledge. Users are therefore
|
||||||
|
# encouraged to load and test the software's suitability as regards their
|
||||||
|
# requirements in conditions enabling the security of their systems and/or
|
||||||
|
# data to be ensured and, more generally, to use and operate it in the
|
||||||
|
# same conditions as regards security.
|
||||||
|
#
|
||||||
|
# The fact that you are presently reading this means that you have had
|
||||||
|
# knowledge of the CeCILL license and that you accept its terms.
|
||||||
|
|
||||||
|
{
|
||||||
|
patchFile,
|
||||||
|
excludeGitHubManual ? true,
|
||||||
|
fetchers ? { },
|
||||||
|
}:
|
||||||
|
|
||||||
|
rec {
|
||||||
|
base =
|
||||||
|
{ pkgs }:
|
||||||
|
rec {
|
||||||
|
mkUrlPatch =
|
||||||
|
attrs:
|
||||||
|
pkgs.fetchpatch (
|
||||||
|
{
|
||||||
|
hash = pkgs.lib.fakeHash;
|
||||||
|
}
|
||||||
|
// attrs
|
||||||
|
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
|
||||||
|
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
|
||||||
|
})
|
||||||
|
);
|
||||||
|
|
||||||
|
mkGitHubPatch =
|
||||||
|
{ id, ... }@attrs:
|
||||||
|
mkUrlPatch (
|
||||||
|
(builtins.removeAttrs attrs [ "id" ])
|
||||||
|
// {
|
||||||
|
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
|
mkCommitPatch =
|
||||||
|
{ sha, ... }@attrs:
|
||||||
|
mkUrlPatch (
|
||||||
|
(builtins.removeAttrs attrs [ "sha" ])
|
||||||
|
// {
|
||||||
|
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
|
patchFunctions = {
|
||||||
|
commit = mkCommitPatch;
|
||||||
|
github = mkGitHubPatch;
|
||||||
|
remote = pkgs.fetchpatch;
|
||||||
|
static = attrs: attrs.path;
|
||||||
|
url = mkUrlPatch;
|
||||||
|
} // fetchers;
|
||||||
|
|
||||||
|
mkPatch =
|
||||||
|
{
|
||||||
|
_type ? "github",
|
||||||
|
...
|
||||||
|
}@attrs:
|
||||||
|
if builtins.hasAttr _type patchFunctions then
|
||||||
|
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
|
||||||
|
else
|
||||||
|
throw "Unknown patch type: ${builtins.toString _type}.";
|
||||||
|
|
||||||
|
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
|
||||||
|
|
||||||
|
applyPatches =
|
||||||
|
{
|
||||||
|
src,
|
||||||
|
name,
|
||||||
|
patches ? mkPatches name,
|
||||||
|
}:
|
||||||
|
if patches == [ ] then
|
||||||
|
src
|
||||||
|
else
|
||||||
|
pkgs.applyPatches {
|
||||||
|
inherit patches src;
|
||||||
|
|
||||||
|
name = "${name}-patched";
|
||||||
|
};
|
||||||
|
|
||||||
|
applyPatches' = name: src: applyPatches { inherit name src; };
|
||||||
|
};
|
||||||
|
|
||||||
|
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
|
||||||
|
}
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "bridg01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for bridge01
|
||||||
in
|
]
|
||||||
|
|
||||||
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
|
|
||||||
|
|
|
@ -1,17 +1,19 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
lib.extra.mkConfig {
|
lib.extra.mkConfig {
|
||||||
enabledModules = [
|
|
||||||
# List of modules to enable
|
# List of modules to enable
|
||||||
|
enabledModules = [
|
||||||
|
# INFO: This list needs to stay sorted alphabetically
|
||||||
"dgn-backups"
|
"dgn-backups"
|
||||||
"dgn-fail2ban"
|
"dgn-chatops"
|
||||||
"dgn-web"
|
"dgn-web"
|
||||||
];
|
];
|
||||||
|
|
||||||
enabledServices = [
|
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
|
enabledServices = [
|
||||||
|
# INFO: This list needs to stay sorted alphabetically
|
||||||
"arkheon"
|
"arkheon"
|
||||||
"signal-irc-bridge"
|
"dgsi"
|
||||||
"ds-fr"
|
"ds-fr"
|
||||||
"grafana"
|
"grafana"
|
||||||
"hedgedoc"
|
"hedgedoc"
|
||||||
|
@ -19,24 +21,22 @@ lib.extra.mkConfig {
|
||||||
"librenms"
|
"librenms"
|
||||||
"mastodon"
|
"mastodon"
|
||||||
"nextcloud"
|
"nextcloud"
|
||||||
|
"ollama-proxy"
|
||||||
"outline"
|
"outline"
|
||||||
"plausible"
|
"plausible"
|
||||||
"postgresql"
|
"postgresql"
|
||||||
"rstudio-server"
|
"rstudio-server"
|
||||||
"satosa"
|
"satosa"
|
||||||
|
"signal-irc-bridge"
|
||||||
"signald"
|
"signald"
|
||||||
"stirling-pdf"
|
"stirling-pdf"
|
||||||
|
"takumi"
|
||||||
"telegraf"
|
"telegraf"
|
||||||
"vaultwarden"
|
"vaultwarden"
|
||||||
"zammad"
|
"zammad"
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
|
|
||||||
"sshd-bruteforce"
|
|
||||||
"sshd-timeout"
|
|
||||||
];
|
|
||||||
|
|
||||||
dgn-hardware.useZfs = true;
|
dgn-hardware.useZfs = true;
|
||||||
|
|
||||||
services.netbird.enable = true;
|
services.netbird.enable = true;
|
||||||
|
|
222
machines/compute01/dgsi/default.nix
Normal file
222
machines/compute01/dgsi/default.nix
Normal file
|
@ -0,0 +1,222 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
utils,
|
||||||
|
sources,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (lib) toLower;
|
||||||
|
|
||||||
|
python =
|
||||||
|
let
|
||||||
|
python3 = pkgs.python312;
|
||||||
|
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
|
||||||
|
in
|
||||||
|
python3.override {
|
||||||
|
packageOverrides = _: _: {
|
||||||
|
inherit (nix-pkgs)
|
||||||
|
django-allauth
|
||||||
|
django-allauth-cas
|
||||||
|
django-browser-reload
|
||||||
|
django-bulma-forms
|
||||||
|
django-sass-processor
|
||||||
|
django-sass-processor-dart-sass
|
||||||
|
django-unfold
|
||||||
|
pykanidm
|
||||||
|
python-cas
|
||||||
|
loadcredential
|
||||||
|
xlwt
|
||||||
|
;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
pythonEnv = python.withPackages (
|
||||||
|
ps:
|
||||||
|
[
|
||||||
|
ps.django
|
||||||
|
ps.gunicorn
|
||||||
|
ps.psycopg
|
||||||
|
ps.django-compressor
|
||||||
|
ps.django-import-export
|
||||||
|
|
||||||
|
# Local packages
|
||||||
|
ps.django-allauth
|
||||||
|
ps.django-allauth-cas
|
||||||
|
ps.django-browser-reload
|
||||||
|
ps.django-bulma-forms
|
||||||
|
ps.django-sass-processor
|
||||||
|
ps.django-sass-processor-dart-sass
|
||||||
|
ps.django-unfold
|
||||||
|
ps.loadcredential
|
||||||
|
ps.pykanidm
|
||||||
|
ps.python-cas
|
||||||
|
]
|
||||||
|
++ ps.django-allauth.optional-dependencies.saml
|
||||||
|
);
|
||||||
|
|
||||||
|
staticDrv = pkgs.stdenv.mkDerivation {
|
||||||
|
name = "dgsi-static";
|
||||||
|
|
||||||
|
src = sources.dgsi;
|
||||||
|
sourceRoot = "source/src";
|
||||||
|
|
||||||
|
nativeBuildInputs = [
|
||||||
|
pkgs.dart-sass
|
||||||
|
pythonEnv
|
||||||
|
];
|
||||||
|
|
||||||
|
configurePhase = ''
|
||||||
|
export DGSI_STATIC_ROOT=$out/static
|
||||||
|
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
|
||||||
|
export DGSI_KANIDM_CLIENT="dgsi_test"
|
||||||
|
export DGSI_KANIDM_AUTH_TOKEN="fake.token"
|
||||||
|
export DGSI_X509_KEY=""
|
||||||
|
export DGSI_X509_CERT=""
|
||||||
|
'';
|
||||||
|
|
||||||
|
doBuild = false;
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/static
|
||||||
|
python3 manage.py compilescss
|
||||||
|
python3 manage.py collectstatic
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
users = {
|
||||||
|
users.nginx.extraGroups = [ "django-apps" ];
|
||||||
|
groups.django-apps = { };
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd = {
|
||||||
|
services = {
|
||||||
|
dj-dgsi = {
|
||||||
|
description = "DGSI web app";
|
||||||
|
|
||||||
|
requires = [ "dj-dgsi.socket" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [
|
||||||
|
"network.target"
|
||||||
|
"postgresql.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
DynamicUser = true;
|
||||||
|
LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
|
||||||
|
"EMAIL_HOST_PASSWORD"
|
||||||
|
"KANIDM_AUTH_TOKEN"
|
||||||
|
"KANIDM_SECRET"
|
||||||
|
"SECRET_KEY"
|
||||||
|
"X509_CERT"
|
||||||
|
"X509_KEY"
|
||||||
|
];
|
||||||
|
RuntimeDirectory = "django-apps/dgsi";
|
||||||
|
StateDirectory = "django-apps/dgsi";
|
||||||
|
UMask = "0027";
|
||||||
|
User = "dj-dgsi";
|
||||||
|
Group = "django-apps";
|
||||||
|
WorkingDirectory = sources.dgsi;
|
||||||
|
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
|
||||||
|
KillMode = "mixed";
|
||||||
|
Type = "notify";
|
||||||
|
ExecStart = utils.escapeSystemdExecArgs [
|
||||||
|
(lib.getExe' pythonEnv "gunicorn")
|
||||||
|
"--workers"
|
||||||
|
4
|
||||||
|
"--bind"
|
||||||
|
"unix:/run/django-apps/dgsi.sock"
|
||||||
|
"--pythonpath"
|
||||||
|
"src"
|
||||||
|
"app.wsgi"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
DGSI_ALLOWED_HOSTS = builtins.toJSON [
|
||||||
|
"profil.dgnum.eu"
|
||||||
|
"dgsi.dgnum.eu"
|
||||||
|
];
|
||||||
|
|
||||||
|
DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
|
||||||
|
DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
|
||||||
|
DGSI_EMAIL_USE_SSL = builtins.toJSON true;
|
||||||
|
DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
|
||||||
|
DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
|
||||||
|
|
||||||
|
DGSI_KANIDM_CLIENT = "dgsi";
|
||||||
|
DGSI_KANIDM_URI = "https://sso.dgnum.eu";
|
||||||
|
|
||||||
|
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
|
||||||
|
DGSI_STATIC_ROOT = "${staticDrv}/static";
|
||||||
|
|
||||||
|
DGSI_DATABASES = builtins.toJSON {
|
||||||
|
default = {
|
||||||
|
ENGINE = "django.db.backends.postgresql";
|
||||||
|
NAME = "dj-dgsi";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
DJANGO_SETTINGS_MODULE = "app.settings";
|
||||||
|
};
|
||||||
|
|
||||||
|
path = [ pythonEnv ];
|
||||||
|
|
||||||
|
preStart = ''
|
||||||
|
python3 src/manage.py migrate --no-input
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
sockets."dj-dgsi" = {
|
||||||
|
description = "Socket for the DGSI Django Application";
|
||||||
|
wantedBy = [ "sockets.target" ];
|
||||||
|
|
||||||
|
socketConfig = {
|
||||||
|
ListenStream = "/run/django-apps/dgsi.sock";
|
||||||
|
SocketMode = "600";
|
||||||
|
SocketUser = config.services.nginx.user;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
mounts = [
|
||||||
|
{
|
||||||
|
where = "/run/django-apps/dgsi/media";
|
||||||
|
what = "/var/lib/django-apps/dgsi/media";
|
||||||
|
options = "bind";
|
||||||
|
|
||||||
|
after = [ "dj-dgsi.service" ];
|
||||||
|
partOf = [ "dj-dgsi.service" ];
|
||||||
|
upheldBy = [ "dj-dgsi.service" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
|
||||||
|
|
||||||
|
services = {
|
||||||
|
postgresql = {
|
||||||
|
ensureDatabases = [ "dj-dgsi" ];
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "dj-dgsi";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts."profil.dgnum.eu" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
|
||||||
|
"/static/".root = staticDrv;
|
||||||
|
"/media/".root = "/run/django-apps/dgsi";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,14 +1,35 @@
|
||||||
{ config, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
sources,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
host = "demarches.dgnum.eu";
|
host = "demarches.dgnum.eu";
|
||||||
|
|
||||||
|
dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ ./module.nix ];
|
imports = [ ./module.nix ];
|
||||||
|
|
||||||
|
dgn-web.internalPorts.ds-fr = 3000;
|
||||||
|
|
||||||
services.demarches-simplifiees = {
|
services.demarches-simplifiees = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
package =
|
||||||
|
((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
|
||||||
|
initialDeploymentDate = "20230923";
|
||||||
|
}).overrideAttrs
|
||||||
|
(old: {
|
||||||
|
dsModules = old.dsModules.overrideAttrs {
|
||||||
|
prePatch = ''
|
||||||
|
${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
secretFile = config.age.secrets."ds-fr-secret_file".path;
|
secretFile = config.age.secrets."ds-fr-secret_file".path;
|
||||||
|
|
||||||
initialDeploymentDate = "20230923";
|
initialDeploymentDate = "20230923";
|
||||||
|
|
|
@ -69,17 +69,11 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
nginx.virtualHosts.${host} = {
|
dgn-web.simpleProxies.grafana = {
|
||||||
enableACME = true;
|
inherit host port;
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
recommendedProxySettings = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age-secrets.autoMatch = [ "grafana" ];
|
age-secrets.autoMatch = [ "grafana" ];
|
||||||
|
|
|
@ -29,16 +29,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nginx.virtualHosts.${host} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
postgresql = {
|
postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -53,6 +43,11 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dgn-web.simpleProxies.hedgedoc = {
|
||||||
|
inherit host port;
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
|
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
|
||||||
"hedgedoc"
|
"hedgedoc"
|
||||||
"hedgedoc/uploads"
|
"hedgedoc/uploads"
|
||||||
|
|
|
@ -1,14 +1,22 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
nixpkgs,
|
meta,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) escapeRegex concatStringsSep;
|
inherit (lib)
|
||||||
|
attrValues
|
||||||
|
catAttrs
|
||||||
|
escapeRegex
|
||||||
|
concatStringsSep
|
||||||
|
mapAttrs'
|
||||||
|
nameValuePair
|
||||||
|
;
|
||||||
|
|
||||||
domain = "sso.dgnum.eu";
|
domain = "sso.dgnum.eu";
|
||||||
|
port = 8443;
|
||||||
|
|
||||||
cert = config.security.acme.certs.${domain};
|
cert = config.security.acme.certs.${domain};
|
||||||
|
|
||||||
|
@ -27,19 +35,21 @@ let
|
||||||
"netbird-beta.hubrecht.ovh"
|
"netbird-beta.hubrecht.ovh"
|
||||||
]
|
]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
usernameFor = member: meta.organization.members.${member}.username;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.kanidm = {
|
services.kanidm = {
|
||||||
enableServer = true;
|
enableServer = true;
|
||||||
|
|
||||||
package = nixpkgs.unstable.kanidm;
|
# package = nixpkgs.unstable.kanidm;
|
||||||
|
|
||||||
serverSettings = {
|
serverSettings = {
|
||||||
inherit domain;
|
inherit domain;
|
||||||
|
|
||||||
origin = "https://${domain}";
|
origin = "https://${domain}";
|
||||||
|
|
||||||
bindaddress = "127.0.0.1:8443";
|
bindaddress = "127.0.0.1:${builtins.toString port}";
|
||||||
ldapbindaddress = "0.0.0.0:636";
|
ldapbindaddress = "0.0.0.0:636";
|
||||||
|
|
||||||
trust_x_forward_for = true;
|
trust_x_forward_for = true;
|
||||||
|
@ -47,10 +57,113 @@ in
|
||||||
tls_chain = "${cert.directory}/fullchain.pem";
|
tls_chain = "${cert.directory}/fullchain.pem";
|
||||||
tls_key = "${cert.directory}/key.pem";
|
tls_key = "${cert.directory}/key.pem";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
provision = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
persons = mapAttrs' (
|
||||||
|
_:
|
||||||
|
{
|
||||||
|
email,
|
||||||
|
name,
|
||||||
|
username,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
nameValuePair username {
|
||||||
|
displayName = name;
|
||||||
|
mailAddresses = [ email ];
|
||||||
|
}
|
||||||
|
) meta.organization.members;
|
||||||
|
|
||||||
|
groups =
|
||||||
|
{
|
||||||
|
grp_active.members = catAttrs "username" (attrValues meta.organization.members);
|
||||||
|
}
|
||||||
|
// (mapAttrs' (
|
||||||
|
name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
|
||||||
|
) meta.organization.groups);
|
||||||
|
|
||||||
|
# INFO: The authentication resources declared here can only be for internal services,
|
||||||
|
# as regular members cannot be statically known.
|
||||||
|
systems.oauth2 = {
|
||||||
|
dgn_grafana = {
|
||||||
|
displayName = "Grafana [Analysis]";
|
||||||
|
originLanding = "https://grafana.dgnum.eu";
|
||||||
|
originUrl = "https://grafana.dgnum.eu/";
|
||||||
|
preferShortUsername = true;
|
||||||
|
|
||||||
|
scopeMaps.grp_active = [
|
||||||
|
"openid"
|
||||||
|
"profile"
|
||||||
|
"email"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn_librenms = {
|
||||||
|
allowInsecureClientDisablePkce = true;
|
||||||
|
displayName = "LibreNMS [Network]";
|
||||||
|
enableLegacyCrypto = true;
|
||||||
|
originLanding = "https://nms.dgnum.eu";
|
||||||
|
originUrl = "https://nms.dgnum.eu/";
|
||||||
|
preferShortUsername = true;
|
||||||
|
|
||||||
|
scopeMaps.grp_active = [
|
||||||
|
"openid"
|
||||||
|
"profile"
|
||||||
|
"email"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn_netbird = {
|
||||||
|
displayName = "Netbird [VPN]";
|
||||||
|
enableLocalhostRedirects = true;
|
||||||
|
originLanding = "https://netbird.dgnum.eu";
|
||||||
|
originUrl = "https://netbird.dgnum.eu/";
|
||||||
|
preferShortUsername = true;
|
||||||
|
public = true;
|
||||||
|
|
||||||
|
scopeMaps.grp_active = [
|
||||||
|
"openid"
|
||||||
|
"profile"
|
||||||
|
"email"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn_netbox = {
|
||||||
|
allowInsecureClientDisablePkce = true;
|
||||||
|
displayName = "Netbox [Inventory]";
|
||||||
|
enableLegacyCrypto = true;
|
||||||
|
originLanding = "https://netbox.dgnum.eu";
|
||||||
|
originUrl = "https://netbox.dgnum.eu/";
|
||||||
|
preferShortUsername = true;
|
||||||
|
|
||||||
|
scopeMaps.grp_active = [
|
||||||
|
"openid"
|
||||||
|
"profile"
|
||||||
|
"email"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn_outline = {
|
||||||
|
displayName = "Outline [Docs]";
|
||||||
|
originUrl = "https://docs.dgnum.eu/";
|
||||||
|
originLanding = "https://docs.dgnum.eu";
|
||||||
|
preferShortUsername = true;
|
||||||
|
|
||||||
|
scopeMaps.grp_active = [
|
||||||
|
"openid"
|
||||||
|
"profile"
|
||||||
|
"email"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.kanidm.extraGroups = [ cert.group ];
|
users.users.kanidm.extraGroups = [ cert.group ];
|
||||||
|
|
||||||
|
dgn-web.internalPorts.kanidm = port;
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -58,7 +171,7 @@ in
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "https://127.0.0.1:8443";
|
proxyPass = "https://127.0.0.1:${builtins.toString port}";
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||||
|
|
|
@ -1,9 +1,4 @@
|
||||||
let
|
(import ../../../../keys).mkSecrets [ "compute01" ] [
|
||||||
lib = import ../../../../lib { };
|
|
||||||
publicKeys = lib.getNodeKeys "compute01";
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"kanidm-password_admin"
|
"kanidm-password_admin"
|
||||||
"kanidm-password_idm_admin"
|
"kanidm-password_idm_admin"
|
||||||
]
|
]
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
let
|
let
|
||||||
host = "cloud.dgnum.eu";
|
host = "cloud.dgnum.eu";
|
||||||
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
||||||
|
|
||||||
|
port = 9980;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
|
@ -55,7 +57,7 @@ in
|
||||||
"opcache.max_accelerated_files" = "10000";
|
"opcache.max_accelerated_files" = "10000";
|
||||||
"opcache.memory_consumption" = "128";
|
"opcache.memory_consumption" = "128";
|
||||||
"opcache.revalidate_freq" = "1";
|
"opcache.revalidate_freq" = "1";
|
||||||
"opcache.fast_shutdown" = "1";
|
"opcache.fast_shutdown" = "0";
|
||||||
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
||||||
catch_workers_output = "yes";
|
catch_workers_output = "yes";
|
||||||
};
|
};
|
||||||
|
@ -104,7 +106,7 @@ in
|
||||||
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
|
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
|
||||||
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
|
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
|
||||||
};
|
};
|
||||||
ports = [ "9980:9980" ];
|
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
|
||||||
environment = {
|
environment = {
|
||||||
domain = "cloud.dgnum.eu";
|
domain = "cloud.dgnum.eu";
|
||||||
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
|
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
|
||||||
|
@ -119,6 +121,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dgn-web.internalPorts.collabora = port;
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
${host} = {
|
${host} = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
@ -136,25 +140,25 @@ in
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
# static files
|
# static files
|
||||||
location ^~ /browser {
|
location ^~ /browser {
|
||||||
proxy_pass http://127.0.0.1:9980;
|
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
# WOPI discovery URL
|
# WOPI discovery URL
|
||||||
location ^~ /hosting/discovery {
|
location ^~ /hosting/discovery {
|
||||||
proxy_pass http://127.0.0.1:9980;
|
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Capabilities
|
# Capabilities
|
||||||
location ^~ /hosting/capabilities {
|
location ^~ /hosting/capabilities {
|
||||||
proxy_pass http://127.0.0.1:9980;
|
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
# main websocket
|
# main websocket
|
||||||
location ~ ^/cool/(.*)/ws$ {
|
location ~ ^/cool/(.*)/ws$ {
|
||||||
proxy_pass http://127.0.0.1:9980;
|
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
@ -163,13 +167,13 @@ in
|
||||||
|
|
||||||
# download, presentation and image upload
|
# download, presentation and image upload
|
||||||
location ~ ^/(c|l)ool {
|
location ~ ^/(c|l)ool {
|
||||||
proxy_pass http://127.0.0.1:9980;
|
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Admin Console websocket
|
# Admin Console websocket
|
||||||
location ^~ /cool/adminws {
|
location ^~ /cool/adminws {
|
||||||
proxy_pass http://127.0.0.1:9980;
|
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
15
machines/compute01/ollama-proxy.nix
Normal file
15
machines/compute01/ollama-proxy.nix
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."ollama01.beta.dgnum.eu" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://100.80.103.206:11434";
|
||||||
|
basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
|
||||||
|
raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
host = "docs.dgnum.eu";
|
host = "docs.dgnum.eu";
|
||||||
|
port = 3003;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.outline = {
|
services.outline = {
|
||||||
|
@ -35,21 +36,12 @@ in
|
||||||
defaultLanguage = "fr_FR";
|
defaultLanguage = "fr_FR";
|
||||||
|
|
||||||
forceHttps = false;
|
forceHttps = false;
|
||||||
port = 3003;
|
inherit port;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${host} = {
|
dgn-web.simpleProxies.outline = {
|
||||||
enableACME = true;
|
inherit host port;
|
||||||
forceSSL = true;
|
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:3003";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
locations."/robots.txt" = {
|
|
||||||
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age-secrets.autoMatch = [ "outline" ];
|
age-secrets.autoMatch = [ "outline" ];
|
||||||
|
|
|
@ -38,16 +38,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
dgn-web.simpleProxies.plausible = {
|
||||||
enable = true;
|
inherit host port;
|
||||||
|
|
||||||
virtualHosts.${host} = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,16 +2,15 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
host = "saml-idp.dgnum.eu";
|
host = "saml-idp.dgnum.eu";
|
||||||
|
port = 8090;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
imports = [ ./module.nix ];
|
imports = [ ./module.nix ];
|
||||||
|
|
||||||
services.satosa = {
|
services.satosa = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
inherit host;
|
inherit host port;
|
||||||
port = 8090;
|
|
||||||
|
|
||||||
envFile = config.age.secrets."satosa-env_file".path;
|
envFile = config.age.secrets."satosa-env_file".path;
|
||||||
|
|
||||||
|
@ -148,9 +147,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${host} = {
|
dgn-web.simpleProxies.satosa = {
|
||||||
enableACME = true;
|
inherit host port;
|
||||||
forceSSL = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age-secrets.autoMatch = [ "satosa" ];
|
age-secrets.autoMatch = [ "satosa" ];
|
||||||
|
|
|
@ -190,14 +190,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = mkIf cfg.configureNginx {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
virtualHosts.${cfg.host} = {
|
|
||||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.satosa = {
|
users.users.satosa = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = "satosa";
|
group = "satosa";
|
||||||
|
|
28
machines/compute01/secrets/dgsi-email_host_password_file
Normal file
28
machines/compute01/secrets/dgsi-email_host_password_file
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
|
||||||
|
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
|
||||||
|
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
|
||||||
|
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
|
||||||
|
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
|
||||||
|
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
|
||||||
|
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
|
||||||
|
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
|
||||||
|
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
|
||||||
|
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
|
||||||
|
DdkJAqSrNkHianC5MEGgpA
|
||||||
|
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
|
||||||
|
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
|
||||||
|
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
|
||||||
|
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
|
||||||
|
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
|
||||||
|
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
|
||||||
|
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
|
||||||
|
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
|
||||||
|
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
|
||||||
|
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
|
||||||
|
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
|
||||||
|
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
|
||||||
|
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
|
||||||
|
サ<EFBFBD>虎 <20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ
|
BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file
Normal file
BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file
Normal file
Binary file not shown.
30
machines/compute01/secrets/dgsi-kanidm_secret_file
Normal file
30
machines/compute01/secrets/dgsi-kanidm_secret_file
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
|
||||||
|
YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
|
||||||
|
-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
|
||||||
|
W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
|
||||||
|
-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
|
||||||
|
mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
|
||||||
|
UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
|
||||||
|
1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
|
||||||
|
oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
|
||||||
|
8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
|
||||||
|
cS3kE9LfNst2zBKHBGBOHQ
|
||||||
|
-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
|
||||||
|
ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
|
||||||
|
-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
|
||||||
|
SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
|
||||||
|
-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
|
||||||
|
HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
|
||||||
|
-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
|
||||||
|
n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
|
||||||
|
-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
|
||||||
|
Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
|
||||||
|
-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
|
||||||
|
zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
|
||||||
|
-> l$R6Y:c1-grease
|
||||||
|
MY0HS+ErZAtAhg
|
||||||
|
--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
|
||||||
|
7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H‹R¥˜Èî¼¼2'k4Ž¥zÿqȦì'ÍNò!{‹@qx΋,ƒ+iTû
|
31
machines/compute01/secrets/dgsi-secret_key_file
Normal file
31
machines/compute01/secrets/dgsi-secret_key_file
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
|
||||||
|
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
|
||||||
|
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
|
||||||
|
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
|
||||||
|
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
|
||||||
|
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
|
||||||
|
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
|
||||||
|
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
|
||||||
|
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
|
||||||
|
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
|
||||||
|
gU32t9qy5EvTbzliWpAvxw
|
||||||
|
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
|
||||||
|
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
|
||||||
|
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
|
||||||
|
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
|
||||||
|
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
|
||||||
|
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
|
||||||
|
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
|
||||||
|
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
|
||||||
|
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
|
||||||
|
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
|
||||||
|
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
|
||||||
|
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
|
||||||
|
-> `--grease N]PH
|
||||||
|
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
|
||||||
|
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
|
||||||
|
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
|
||||||
|
:È/Àn ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5۶Û
|
BIN
machines/compute01/secrets/dgsi-x509_cert_file
Normal file
BIN
machines/compute01/secrets/dgsi-x509_cert_file
Normal file
Binary file not shown.
BIN
machines/compute01/secrets/dgsi-x509_key_file
Normal file
BIN
machines/compute01/secrets/dgsi-x509_key_file
Normal file
Binary file not shown.
|
@ -1,14 +1,16 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "compute01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for compute01
|
||||||
publicKeys = lib.getNodeKeys "compute01";
|
|
||||||
in
|
|
||||||
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"arkheon-env_file"
|
"arkheon-env_file"
|
||||||
"bupstash-put_key"
|
"bupstash-put_key"
|
||||||
|
"dgsi-email_host_password_file"
|
||||||
|
"dgsi-kanidm_auth_token_file"
|
||||||
|
"dgsi-kanidm_secret_file"
|
||||||
|
"dgsi-secret_key_file"
|
||||||
|
"dgsi-x509_cert_file"
|
||||||
|
"dgsi-x509_key_file"
|
||||||
"ds-fr-secret_file"
|
"ds-fr-secret_file"
|
||||||
"grafana-smtp_password_file"
|
|
||||||
"grafana-oauth_client_secret_file"
|
"grafana-oauth_client_secret_file"
|
||||||
|
"grafana-smtp_password_file"
|
||||||
"hedgedoc-environment_file"
|
"hedgedoc-environment_file"
|
||||||
"librenms-database_password_file"
|
"librenms-database_password_file"
|
||||||
"librenms-environment_file"
|
"librenms-environment_file"
|
||||||
|
|
Binary file not shown.
|
@ -1,48 +1,33 @@
|
||||||
{ pkgs, nixpkgs, ... }:
|
{ nixpkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
dgn-id = "5891e1bbda792e0546f8d785cdd4d3f570a01579";
|
###
|
||||||
|
# How to update:
|
||||||
|
# - clone https://git.dgnum.eu/DGNum/Stirling-PDF
|
||||||
|
# - switch to the branch dgn-v0.X.Y where X.Y is the version in production
|
||||||
|
# - fetch upstream changes up to the tagged release in nixos-unstable
|
||||||
|
# - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
|
||||||
|
# - push to a new branch dgn-v0.A.B where A.B is the new version
|
||||||
|
# - finally, update the commit hash of the customization patch
|
||||||
|
|
||||||
|
dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
|
||||||
|
port = 8084;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
dgn-web.internalPorts.stirling-pdf = port;
|
||||||
|
|
||||||
services.stirling-pdf = {
|
services.stirling-pdf = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: rec {
|
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
|
||||||
version = "0.26.1";
|
patches = (old.patches or [ ]) ++ [
|
||||||
|
|
||||||
src = pkgs.fetchFromGitHub {
|
|
||||||
owner = "Stirling-Tools";
|
|
||||||
repo = "Stirling-PDF";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-msxP2n8Varc7/h9RVwYRBuD253JZu6/p7zQC1lmNmqc=";
|
|
||||||
};
|
|
||||||
|
|
||||||
deps = old.deps.overrideAttrs (_: {
|
|
||||||
patches = [
|
|
||||||
./01-spotless.patch
|
|
||||||
./05-java-output-test.patch
|
|
||||||
];
|
|
||||||
|
|
||||||
doCheck = false;
|
|
||||||
outputHash = "sha256-i2PJmsuJ8jqTUNwj4HoiWynaK4LlLrqjIZ67rSSYypc=";
|
|
||||||
});
|
|
||||||
|
|
||||||
patches = [
|
|
||||||
./01-spotless.patch
|
|
||||||
./02-propsfile.patch
|
|
||||||
./03-jar-timestamps.patch
|
|
||||||
(pkgs.substituteAll {
|
|
||||||
src = ./04-local-maven-deps.patch;
|
|
||||||
inherit deps;
|
|
||||||
})
|
|
||||||
./05-java-output-test.patch
|
|
||||||
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
|
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
|
||||||
];
|
];
|
||||||
});
|
});
|
||||||
|
|
||||||
domain = "pdf.dgnum.eu";
|
domain = "pdf.dgnum.eu";
|
||||||
port = 8084;
|
inherit port;
|
||||||
|
|
||||||
nginx = {
|
nginx = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
|
1
machines/compute01/takumi.nix
Normal file
1
machines/compute01/takumi.nix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
_: { dgn-chatops.enable = true; }
|
|
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
host = "pass.dgnum.eu";
|
host = "pass.dgnum.eu";
|
||||||
|
port = 10501;
|
||||||
|
wsPort = 10500;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.vaultwarden = {
|
services.vaultwarden = {
|
||||||
|
@ -10,9 +12,9 @@ in
|
||||||
config = {
|
config = {
|
||||||
DOMAIN = "https://${host}";
|
DOMAIN = "https://${host}";
|
||||||
WEBSOCKET_ENABLED = true;
|
WEBSOCKET_ENABLED = true;
|
||||||
WEBSOCKET_PORT = 10500;
|
WEBSOCKET_PORT = wsPort;
|
||||||
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
|
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
|
||||||
ROCKET_PORT = 10501;
|
ROCKET_PORT = port;
|
||||||
ROCKET_ADDRESS = "127.0.0.1";
|
ROCKET_ADDRESS = "127.0.0.1";
|
||||||
SIGNUPS_VERIFY = true;
|
SIGNUPS_VERIFY = true;
|
||||||
USE_SYSLOG = true;
|
USE_SYSLOG = true;
|
||||||
|
@ -31,34 +33,28 @@ in
|
||||||
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
|
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
dgn-web = {
|
||||||
nginx = {
|
internalPorts.vaultwarden-websockets = wsPort;
|
||||||
enable = true;
|
|
||||||
|
|
||||||
virtualHosts.${host} = {
|
simpleProxies.vaultwarden = {
|
||||||
forceSSL = true;
|
inherit host port;
|
||||||
enableACME = true;
|
|
||||||
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:10501";
|
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
|
||||||
|
|
||||||
|
vhostConfig.locations = {
|
||||||
"/notifications/hub" = {
|
"/notifications/hub" = {
|
||||||
proxyPass = "http://127.0.0.1:10500";
|
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
"/notifications/hub/negotiate" = {
|
"/notifications/hub/negotiate" = {
|
||||||
proxyPass = "http://127.0.0.1:10501";
|
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
ensureDatabases = [ "vaultwarden" ];
|
ensureDatabases = [ "vaultwarden" ];
|
||||||
|
@ -70,7 +66,6 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
|
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
|
||||||
dgn-backups.postgresDatabases = [ "vaultwarden" ];
|
dgn-backups.postgresDatabases = [ "vaultwarden" ];
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "geo01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for geo01
|
||||||
publicKeys = lib.getNodeKeys "geo01";
|
]
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [ ]
|
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "geo02" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for geo02
|
||||||
publicKeys = lib.getNodeKeys "geo02";
|
]
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [ ]
|
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
lib.extra.mkConfig {
|
lib.extra.mkConfig {
|
||||||
enabledModules = [
|
enabledModules = [
|
||||||
# List of modules to enable
|
# List of modules to enable
|
||||||
"dgn-fail2ban"
|
"dgn-web"
|
||||||
];
|
];
|
||||||
|
|
||||||
enabledServices = [
|
enabledServices = [
|
||||||
|
@ -12,11 +12,6 @@ lib.extra.mkConfig {
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
|
|
||||||
"sshd-bruteforce"
|
|
||||||
"sshd-timeout"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.netbird.enable = true;
|
services.netbird.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "rescue01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for rescue01
|
||||||
publicKeys = lib.getNodeKeys "rescue01";
|
"stateless-uptime-kuma-password"
|
||||||
in
|
]
|
||||||
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]
|
|
||||||
|
|
|
@ -36,6 +36,7 @@ let
|
||||||
"cdn.dgnum.eu"
|
"cdn.dgnum.eu"
|
||||||
"saml-idp.dgnum.eu"
|
"saml-idp.dgnum.eu"
|
||||||
"status.dgnum.eu"
|
"status.dgnum.eu"
|
||||||
|
"radius.dgnum.eu"
|
||||||
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
|
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
|
||||||
|
|
||||||
extraProbes = {
|
extraProbes = {
|
||||||
|
@ -45,6 +46,16 @@ let
|
||||||
accepted_statuscodes = [ "401" ];
|
accepted_statuscodes = [ "401" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"ollama01.beta.dgnum.eu" = {
|
||||||
|
type = mkForce "http";
|
||||||
|
accepted_statuscodes = [ "401" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"s3-admin.dgnum.eu" = {
|
||||||
|
type = mkForce "http";
|
||||||
|
accepted_statuscodes = [ "400" ];
|
||||||
|
};
|
||||||
|
|
||||||
"api.meet.dgnum.eu" = {
|
"api.meet.dgnum.eu" = {
|
||||||
keyword = "Crab Fit API";
|
keyword = "Crab Fit API";
|
||||||
};
|
};
|
||||||
|
@ -121,23 +132,10 @@ in
|
||||||
|
|
||||||
services.uptime-kuma.enable = true;
|
services.uptime-kuma.enable = true;
|
||||||
|
|
||||||
services.nginx = {
|
dgn-web.simpleProxies.uptime-kuma = {
|
||||||
enable = true;
|
inherit host port;
|
||||||
|
|
||||||
virtualHosts.${host} = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
80
|
|
||||||
443
|
|
||||||
];
|
|
||||||
|
|
||||||
statelessUptimeKuma = {
|
statelessUptimeKuma = {
|
||||||
probesConfig = mkMerge [
|
probesConfig = mkMerge [
|
||||||
|
|
|
@ -4,13 +4,11 @@ lib.extra.mkConfig {
|
||||||
enabledModules = [
|
enabledModules = [
|
||||||
# List of modules to enable
|
# List of modules to enable
|
||||||
"dgn-backups"
|
"dgn-backups"
|
||||||
"dgn-fail2ban"
|
|
||||||
"dgn-web"
|
"dgn-web"
|
||||||
];
|
];
|
||||||
|
|
||||||
enabledServices = [
|
enabledServices = [
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
"atticd"
|
|
||||||
"tvix-cache"
|
"tvix-cache"
|
||||||
"forgejo"
|
"forgejo"
|
||||||
"forgejo-runners"
|
"forgejo-runners"
|
||||||
|
@ -19,11 +17,11 @@ lib.extra.mkConfig {
|
||||||
"netbird"
|
"netbird"
|
||||||
"peertube"
|
"peertube"
|
||||||
"prometheus"
|
"prometheus"
|
||||||
|
"redirections"
|
||||||
|
"victoria-metrics"
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
dgn-fail2ban.jails.sshd-preauth.enabled = true;
|
|
||||||
|
|
||||||
dgn-hardware.useZfs = true;
|
dgn-hardware.useZfs = true;
|
||||||
|
|
||||||
services.netbird.enable = true;
|
services.netbird.enable = true;
|
||||||
|
|
|
@ -1,82 +0,0 @@
|
||||||
{ config, nixpkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
host = "cachix.dgnum.eu";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
services = {
|
|
||||||
atticd = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
credentialsFile = config.age.secrets."atticd-credentials_file".path;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
listen = "127.0.0.1:9099";
|
|
||||||
api-endpoint = "https://${host}/";
|
|
||||||
|
|
||||||
allowed-hosts = [ host ];
|
|
||||||
|
|
||||||
chunking = {
|
|
||||||
# The minimum NAR size to trigger chunking
|
|
||||||
#
|
|
||||||
# If 0, chunking is disabled entirely for newly-uploaded NARs.
|
|
||||||
# If 1, all NARs are chunked.
|
|
||||||
nar-size-threshold = 0; # 64 KiB
|
|
||||||
|
|
||||||
# The preferred minimum size of a chunk, in bytes
|
|
||||||
min-size = 16 * 1024; # 16 KiB
|
|
||||||
|
|
||||||
# The preferred average size of a chunk, in bytes
|
|
||||||
avg-size = 64 * 1024; # 64 KiB
|
|
||||||
|
|
||||||
# The preferred maximum size of a chunk, in bytes
|
|
||||||
max-size = 256 * 1024; # 256 KiB
|
|
||||||
};
|
|
||||||
|
|
||||||
database.url = "postgresql://atticd?host=/run/postgresql";
|
|
||||||
|
|
||||||
storage = {
|
|
||||||
type = "s3";
|
|
||||||
region = "garage";
|
|
||||||
bucket = "attic-dgnum";
|
|
||||||
endpoint = "https://s3.dgnum.eu";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
useFlakeCompatOverlay = false;
|
|
||||||
package = nixpkgs.unstable.attic-server;
|
|
||||||
};
|
|
||||||
|
|
||||||
nginx = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
virtualHosts.${host} = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:9099";
|
|
||||||
|
|
||||||
extraConfig = ''
|
|
||||||
client_max_body_size 10G;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
postgresql = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
ensureDatabases = [ "atticd" ];
|
|
||||||
|
|
||||||
ensureUsers = [
|
|
||||||
{
|
|
||||||
name = "atticd";
|
|
||||||
ensureDBOwnership = true;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.atticd.environment.RUST_LOG = "warn";
|
|
||||||
}
|
|
|
@ -1,9 +1,4 @@
|
||||||
{
|
{ config, pkgs, ... }:
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
nixpkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
|
|
||||||
let
|
let
|
||||||
url = "https://git.dgnum.eu";
|
url = "https://git.dgnum.eu";
|
||||||
|
@ -36,14 +31,12 @@ in
|
||||||
|
|
||||||
inherit url;
|
inherit url;
|
||||||
|
|
||||||
storePath = "/data/slow/nix";
|
storePath = "/data/slow";
|
||||||
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
|
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
|
||||||
|
|
||||||
dependencies = [
|
dependencies = [
|
||||||
pkgs.colmena
|
|
||||||
pkgs.npins
|
pkgs.npins
|
||||||
pkgs.tea
|
pkgs.tea
|
||||||
nixpkgs.unstable.nixfmt-rfc-style
|
|
||||||
];
|
];
|
||||||
|
|
||||||
containerOptions = [ "--cpus=4" ];
|
containerOptions = [ "--cpus=4" ];
|
||||||
|
|
|
@ -31,6 +31,7 @@ in
|
||||||
|
|
||||||
admin = {
|
admin = {
|
||||||
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
|
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
|
||||||
|
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
log.LEVEL = "Warn";
|
log.LEVEL = "Warn";
|
||||||
|
@ -44,6 +45,11 @@ in
|
||||||
USER = "web-services@infra.dgnum.eu";
|
USER = "web-services@infra.dgnum.eu";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
session = {
|
||||||
|
SESSION_LIFE_TIME = 24 * 3600 * 7;
|
||||||
|
GC_INTERVAL_TIME = 24 * 3600 * 7;
|
||||||
|
};
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
ROOT_URL = "https://${host}/";
|
ROOT_URL = "https://${host}/";
|
||||||
DOMAIN = host;
|
DOMAIN = host;
|
||||||
|
@ -55,6 +61,7 @@ in
|
||||||
|
|
||||||
service = {
|
service = {
|
||||||
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
|
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
|
||||||
|
EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
|
||||||
ENABLE_NOTIFY_MAIL = true;
|
ENABLE_NOTIFY_MAIL = true;
|
||||||
|
|
||||||
DISABLE_REGISTRATION = false;
|
DISABLE_REGISTRATION = false;
|
||||||
|
@ -71,18 +78,10 @@ in
|
||||||
|
|
||||||
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
|
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
nginx = {
|
dgn-web.simpleProxies.forgejo = {
|
||||||
enable = true;
|
inherit host port;
|
||||||
|
|
||||||
virtualHosts.${host} = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${toString port}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.git = {
|
users.users.git = {
|
||||||
|
|
|
@ -1,6 +1,13 @@
|
||||||
{ config, pkgs, ... }:
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
inherit (lib) mapAttrs' nameValuePair;
|
||||||
|
|
||||||
host = "s3.dgnum.eu";
|
host = "s3.dgnum.eu";
|
||||||
webHost = "cdn.dgnum.eu";
|
webHost = "cdn.dgnum.eu";
|
||||||
|
|
||||||
|
@ -8,51 +15,66 @@ let
|
||||||
metadata_dir = "/data/fast/garage/meta";
|
metadata_dir = "/data/fast/garage/meta";
|
||||||
|
|
||||||
domains = [
|
domains = [
|
||||||
"boussole-sante.normalesup.eu"
|
|
||||||
"simi.normalesup.eu"
|
|
||||||
"bandarretdurgence.ens.fr"
|
"bandarretdurgence.ens.fr"
|
||||||
|
"boussole-sante.normalesup.eu"
|
||||||
|
"lanuit.ens.fr"
|
||||||
|
"simi.normalesup.eu"
|
||||||
];
|
];
|
||||||
|
|
||||||
buckets = [
|
buckets = [
|
||||||
"castopod-dgnum"
|
"monorepo-terraform-state"
|
||||||
"peertube-videos-dgnum"
|
|
||||||
"banda-website"
|
"banda-website"
|
||||||
|
"castopod-dgnum"
|
||||||
|
"hackens-website"
|
||||||
|
"nuit-website"
|
||||||
|
"peertube-videos-dgnum"
|
||||||
] ++ domains;
|
] ++ domains;
|
||||||
|
|
||||||
mkHosted = host: builtins.map (b: "${b}.${host}");
|
mkHosted = host: builtins.map (b: "${b}.${host}");
|
||||||
|
|
||||||
|
ports = {
|
||||||
|
admin_api = 3903;
|
||||||
|
k2v_api = 3904;
|
||||||
|
rpc = 3901;
|
||||||
|
s3_api = 3900;
|
||||||
|
s3_web = 3902;
|
||||||
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
|
||||||
|
|
||||||
services.garage = {
|
services.garage = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
package = pkgs.garage_0_9;
|
package = pkgs.garage_1_0_1;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
inherit data_dir metadata_dir;
|
inherit data_dir metadata_dir;
|
||||||
|
|
||||||
db_engine = "lmdb";
|
db_engine = "lmdb";
|
||||||
|
|
||||||
replication_mode = "none";
|
replication_mode = "none"; # TODO: deprecated
|
||||||
compression_level = 7;
|
compression_level = 7;
|
||||||
|
|
||||||
rpc_bind_addr = "[::]:3901";
|
rpc_bind_addr = "[::]:${toString ports.rpc}";
|
||||||
rpc_public_addr = "127.0.0.1:3901";
|
rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
|
||||||
|
|
||||||
s3_api = {
|
s3_api = {
|
||||||
s3_region = "garage";
|
s3_region = "garage";
|
||||||
api_bind_addr = "127.0.0.1:3900";
|
api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
|
||||||
root_domain = ".${host}";
|
root_domain = ".${host}";
|
||||||
};
|
};
|
||||||
|
|
||||||
s3_web = {
|
s3_web = {
|
||||||
bind_addr = "127.0.0.1:3902";
|
bind_addr = "127.0.0.1:${toString ports.s3_web}";
|
||||||
root_domain = ".${webHost}";
|
root_domain = ".${webHost}";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
};
|
};
|
||||||
|
|
||||||
k2v_api.api_bind_addr = "[::]:3904";
|
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
|
||||||
|
|
||||||
admin.api_bind_addr = "127.0.0.1:3903";
|
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
|
||||||
};
|
};
|
||||||
|
|
||||||
environmentFile = config.age.secrets."garage-environment_file".path;
|
environmentFile = config.age.secrets."garage-environment_file".path;
|
||||||
|
@ -64,7 +86,7 @@ in
|
||||||
data_dir
|
data_dir
|
||||||
metadata_dir
|
metadata_dir
|
||||||
];
|
];
|
||||||
TimeoutSec = 3000;
|
TimeoutSec = 600;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.garage = {
|
users.users.garage = {
|
||||||
|
@ -74,6 +96,17 @@ in
|
||||||
users.groups.garage = { };
|
users.groups.garage = { };
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
|
"s3-admin.dgnum.eu" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
proxy_pass http://127.0.0.1:${toString ports.admin_api};
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
${host} = {
|
${host} = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -81,7 +114,7 @@ in
|
||||||
serverAliases = mkHosted host buckets;
|
serverAliases = mkHosted host buckets;
|
||||||
|
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_pass http://127.0.0.1:3900;
|
proxy_pass http://127.0.0.1:${toString ports.s3_api};
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
# Disable buffering to a temporary file.
|
# Disable buffering to a temporary file.
|
||||||
|
@ -97,7 +130,7 @@ in
|
||||||
serverAliases = domains ++ (mkHosted webHost buckets);
|
serverAliases = domains ++ (mkHosted webHost buckets);
|
||||||
|
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_pass http://127.0.0.1:3902;
|
proxy_pass http://127.0.0.1:${toString ports.s3_web};
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -5,6 +5,7 @@ let
|
||||||
token = user: secret "${user}_token_file";
|
token = user: secret "${user}_token_file";
|
||||||
|
|
||||||
host = "influx.dgnum.eu";
|
host = "influx.dgnum.eu";
|
||||||
|
port = 8086;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
@ -41,13 +42,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${host} = {
|
dgn-web.simpleProxies.influxdb = {
|
||||||
enableACME = true;
|
inherit host port;
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:8086";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age-secrets.autoMatch = [ "influxdb2" ];
|
age-secrets.autoMatch = [ "influxdb2" ];
|
||||||
|
|
82
machines/storage01/netbird.nix
Normal file
82
machines/storage01/netbird.nix
Normal file
|
@ -0,0 +1,82 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
nixpkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
domain = "netbird.dgnum.eu";
|
||||||
|
|
||||||
|
s = name: config.age.secrets.${name}.path;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services = {
|
||||||
|
netbird.server = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
package = nixpkgs.unstable.netbird;
|
||||||
|
|
||||||
|
inherit domain;
|
||||||
|
|
||||||
|
enableNginx = true;
|
||||||
|
|
||||||
|
coturn.enable = lib.mkForce false;
|
||||||
|
|
||||||
|
relay = {
|
||||||
|
environmentFile = s "netbird-relay_environment_file";
|
||||||
|
metricsPort = 9094;
|
||||||
|
};
|
||||||
|
|
||||||
|
dashboard = {
|
||||||
|
settings = {
|
||||||
|
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
|
||||||
|
AUTH_AUDIENCE = "dgn_netbird";
|
||||||
|
AUTH_CLIENT_ID = "dgn_netbird";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
management = {
|
||||||
|
oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
|
||||||
|
|
||||||
|
dnsDomain = "dgnum";
|
||||||
|
|
||||||
|
metricsPort = 9092;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
|
||||||
|
|
||||||
|
PKCEAuthorizationFlow.ProviderConfig = {
|
||||||
|
Audience = "dgn_netbird";
|
||||||
|
ClientID = "dgn_netbird";
|
||||||
|
AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
|
||||||
|
TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
|
||||||
|
};
|
||||||
|
|
||||||
|
IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
|
||||||
|
|
||||||
|
DeviceAuthorizationFlow = {
|
||||||
|
Provider = "none";
|
||||||
|
ProviderConfig = {
|
||||||
|
Audience = "dgn_netbird";
|
||||||
|
ClientID = "dgn_netbird";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
Relay = {
|
||||||
|
Addresses = [ "rels://${domain}:443" ];
|
||||||
|
CredentialsTTL = "24h";
|
||||||
|
Secret._secret = s "netbird-relay_secret_file";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts.${domain} = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
|
||||||
|
}
|
|
@ -1,47 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
domain = "netbird.dgnum.eu";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [ ./module.nix ];
|
|
||||||
|
|
||||||
services.netbird-server = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
logLevel = "DEBUG";
|
|
||||||
enableDeviceAuthorizationFlow = false;
|
|
||||||
enableNginx = true;
|
|
||||||
enableCoturn = true;
|
|
||||||
setupAutoOidc = true;
|
|
||||||
|
|
||||||
management.dnsDomain = "dgnum";
|
|
||||||
|
|
||||||
secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
NETBIRD_DOMAIN = domain;
|
|
||||||
|
|
||||||
TURN_PASSWORD = "tototest1234";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
|
|
||||||
NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
|
|
||||||
NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
|
|
||||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
|
||||||
# Updates the preference to use id tokens instead of access token on dashboard
|
|
||||||
# Okta and Gitlab IDPs can benefit from this
|
|
||||||
NETBIRD_TOKEN_SOURCE = "idToken";
|
|
||||||
|
|
||||||
# NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
|
|
||||||
# "53000"
|
|
||||||
# "54000"
|
|
||||||
# ];
|
|
||||||
|
|
||||||
NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
|
|
||||||
}
|
|
|
@ -1,643 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
inherit (lib)
|
|
||||||
filterAttrs
|
|
||||||
literalExpression
|
|
||||||
maintainers
|
|
||||||
mkDefault
|
|
||||||
mkEnableOption
|
|
||||||
mkIf
|
|
||||||
mkMerge
|
|
||||||
mkOption
|
|
||||||
optionalAttrs
|
|
||||||
optionalString
|
|
||||||
optionals
|
|
||||||
types
|
|
||||||
;
|
|
||||||
|
|
||||||
inherit ((import ./package { inherit pkgs; })) dashboard;
|
|
||||||
|
|
||||||
cfg = config.services.netbird-server;
|
|
||||||
|
|
||||||
stateDir = "/var/lib/netbird-mgmt";
|
|
||||||
|
|
||||||
settingsFormat = pkgs.formats.keyValue { };
|
|
||||||
managementFormat = pkgs.formats.json { };
|
|
||||||
|
|
||||||
settingsFile = settingsFormat.generate "setup.env" (
|
|
||||||
builtins.mapAttrs (
|
|
||||||
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
|
|
||||||
) settings
|
|
||||||
);
|
|
||||||
|
|
||||||
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
|
|
||||||
|
|
||||||
settings =
|
|
||||||
rec {
|
|
||||||
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
|
|
||||||
TURN_PORT = 3478;
|
|
||||||
TURN_USER = "netbird";
|
|
||||||
TURN_MIN_PORT = 49152;
|
|
||||||
TURN_MAX_PORT = 65535;
|
|
||||||
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
|
|
||||||
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
|
|
||||||
|
|
||||||
STUN_USERNAME = "";
|
|
||||||
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
|
|
||||||
|
|
||||||
NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443";
|
|
||||||
NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
|
|
||||||
builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT
|
|
||||||
}";
|
|
||||||
NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
|
|
||||||
builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT
|
|
||||||
}";
|
|
||||||
|
|
||||||
NETBIRD_SIGNAL_PROTOCOL = "https";
|
|
||||||
NETBIRD_SIGNAL_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
|
||||||
NETBIRD_AUTH_CLIENT_SECRET =
|
|
||||||
if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
|
|
||||||
NETBIRD_AUTH_SUPPORTED_SCOPES = [
|
|
||||||
"openid"
|
|
||||||
"profile"
|
|
||||||
"email"
|
|
||||||
"offline_access"
|
|
||||||
"api"
|
|
||||||
];
|
|
||||||
|
|
||||||
NETBIRD_AUTH_REDIRECT_URI = "";
|
|
||||||
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [
|
|
||||||
"openid"
|
|
||||||
"profile"
|
|
||||||
"email"
|
|
||||||
"offline_access"
|
|
||||||
"api"
|
|
||||||
];
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_API_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_IDP = "none";
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_SECRET =
|
|
||||||
if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then
|
|
||||||
"$IDP_MGMT_CLIENT_SECRET"
|
|
||||||
else
|
|
||||||
cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
|
|
||||||
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
|
|
||||||
|
|
||||||
NETBIRD_TOKEN_SOURCE = "accessToken";
|
|
||||||
NETBIRD_DRAG_QUERY_PARAMS = false;
|
|
||||||
|
|
||||||
NETBIRD_USE_AUTH0 = false;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
|
|
||||||
p: "http://localhost:${p}"
|
|
||||||
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
|
||||||
}
|
|
||||||
// (optionalAttrs cfg.setupAutoOidc {
|
|
||||||
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
|
|
||||||
NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
|
|
||||||
NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS";
|
|
||||||
NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY";
|
|
||||||
})
|
|
||||||
// cfg.settings;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
meta = {
|
|
||||||
maintainers = with maintainers; [ thubrecht ];
|
|
||||||
};
|
|
||||||
|
|
||||||
options.services.netbird-server = {
|
|
||||||
enable = mkEnableOption (lib.mdDoc "netbird management service.");
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.netbird;
|
|
||||||
defaultText = literalExpression "pkgs.netbird";
|
|
||||||
description = lib.mdDoc "The package to use for netbird";
|
|
||||||
};
|
|
||||||
|
|
||||||
settings = mkOption {
|
|
||||||
type =
|
|
||||||
with types;
|
|
||||||
attrsOf (
|
|
||||||
nullOr (oneOf [
|
|
||||||
(listOf str)
|
|
||||||
bool
|
|
||||||
int
|
|
||||||
float
|
|
||||||
str
|
|
||||||
])
|
|
||||||
);
|
|
||||||
defaultText = lib.literalExpression ''
|
|
||||||
{
|
|
||||||
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
|
|
||||||
TURN_PORT = 3478;
|
|
||||||
TURN_USER = "netbird";
|
|
||||||
TURN_MIN_PORT = 49152;
|
|
||||||
TURN_MAX_PORT = 65535;
|
|
||||||
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
|
|
||||||
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
|
|
||||||
|
|
||||||
STUN_USERNAME = "";
|
|
||||||
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
|
|
||||||
|
|
||||||
NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443";
|
|
||||||
NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}";
|
|
||||||
NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}";
|
|
||||||
|
|
||||||
NETBIRD_SIGNAL_PROTOCOL = "https";
|
|
||||||
NETBIRD_SIGNAL_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
|
||||||
NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
|
|
||||||
NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ];
|
|
||||||
|
|
||||||
NETBIRD_AUTH_REDIRECT_URI = "";
|
|
||||||
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ];
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_API_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_IDP = "none";
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
|
|
||||||
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
|
|
||||||
|
|
||||||
NETBIRD_TOKEN_SOURCE = "accessToken";
|
|
||||||
NETBIRD_DRAG_QUERY_PARAMS = false;
|
|
||||||
|
|
||||||
NETBIRD_USE_AUTH0 = false;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Configuration settings for netbird.
|
|
||||||
Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example)
|
|
||||||
List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
managementConfig = mkOption {
|
|
||||||
inherit (managementFormat) type;
|
|
||||||
description = lib.mdDoc "Configuration of the netbird management server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
idpManagerExtraConfig = mkOption {
|
|
||||||
type = types.attrsOf types.str;
|
|
||||||
default = { };
|
|
||||||
description = lib.mdDoc "Extra options passed to the IdpManagerConfig.";
|
|
||||||
};
|
|
||||||
|
|
||||||
ports.management = mkOption {
|
|
||||||
type = types.port;
|
|
||||||
default = 8011;
|
|
||||||
description = lib.mdDoc "Internal port of the management server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
ports.signal = mkOption {
|
|
||||||
type = types.port;
|
|
||||||
default = 8012;
|
|
||||||
description = lib.mdDoc "Internal port of the signal server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
logLevel = mkOption {
|
|
||||||
type = types.enum [
|
|
||||||
"ERROR"
|
|
||||||
"WARN"
|
|
||||||
"INFO"
|
|
||||||
"DEBUG"
|
|
||||||
];
|
|
||||||
default = "INFO";
|
|
||||||
description = lib.mdDoc "Log level of the netbird services.";
|
|
||||||
};
|
|
||||||
|
|
||||||
enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." // {
|
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server.";
|
|
||||||
|
|
||||||
enableCoturn = mkEnableOption "a Coturn server used for Netbird.";
|
|
||||||
|
|
||||||
setupAutoOidc = mkEnableOption "the automatic setup of the OIDC.";
|
|
||||||
|
|
||||||
management = {
|
|
||||||
|
|
||||||
dnsDomain = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "netbird.selfhosted";
|
|
||||||
description = lib.mdDoc "Domain used for peer resolution.";
|
|
||||||
};
|
|
||||||
|
|
||||||
singleAccountModeDomain = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "netbird.selfhosted";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Enables single account mode.
|
|
||||||
This means that all the users will be under the same account grouped by the specified domain.
|
|
||||||
If the installation has more than one account, the property is ineffective.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
disableAnonymousMetrics = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird.";
|
|
||||||
};
|
|
||||||
|
|
||||||
disableSingleAccountMode = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If set to true, disables single account mode.
|
|
||||||
The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
secretFiles = {
|
|
||||||
TURN_PASSWORD = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD.";
|
|
||||||
};
|
|
||||||
|
|
||||||
TURN_SECRET = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret TURN_SECRET.";
|
|
||||||
};
|
|
||||||
|
|
||||||
STUN_PASSWORD = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD.";
|
|
||||||
};
|
|
||||||
|
|
||||||
AUTH_CLIENT_SECRET = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET.";
|
|
||||||
};
|
|
||||||
|
|
||||||
IDP_MGMT_CLIENT_SECRET = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = cfg.secretFiles.AUTH_CLIENT_SECRET;
|
|
||||||
defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;";
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkMerge [
|
|
||||||
(mkIf cfg.enable {
|
|
||||||
services.netbird-server.managementConfig = with settings; {
|
|
||||||
Stuns = mkDefault [
|
|
||||||
{
|
|
||||||
Proto = "udp";
|
|
||||||
URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
|
|
||||||
Username = STUN_USERNAME;
|
|
||||||
Password = STUN_PASSWORD;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
TURNConfig = {
|
|
||||||
Turns = [
|
|
||||||
{
|
|
||||||
Proto = "udp";
|
|
||||||
URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
|
|
||||||
Username = TURN_USER;
|
|
||||||
Password = TURN_PASSWORD;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
CredentialsTTL = "12h";
|
|
||||||
Secret = TURN_SECRET;
|
|
||||||
TimeBasedCredentials = false;
|
|
||||||
};
|
|
||||||
Signal = {
|
|
||||||
Proto = NETBIRD_SIGNAL_PROTOCOL;
|
|
||||||
URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}";
|
|
||||||
Username = "";
|
|
||||||
Password = null;
|
|
||||||
};
|
|
||||||
Datadir = "${stateDir}/data";
|
|
||||||
HttpConfig = {
|
|
||||||
Address = "127.0.0.1:${builtins.toString cfg.ports.management}";
|
|
||||||
AuthIssuer = NETBIRD_AUTH_AUTHORITY;
|
|
||||||
AuthAudience = NETBIRD_AUTH_AUDIENCE;
|
|
||||||
AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS;
|
|
||||||
AuthUserIDClaim = NETBIRD_AUTH_USER_ID_CLAIM;
|
|
||||||
OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT;
|
|
||||||
};
|
|
||||||
IdpManagerConfig = {
|
|
||||||
ManagerType = NETBIRD_MGMT_IDP;
|
|
||||||
ClientConfig = {
|
|
||||||
Issuer = NETBIRD_AUTH_AUTHORITY;
|
|
||||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
|
||||||
ClientID = NETBIRD_IDP_MGMT_CLIENT_ID;
|
|
||||||
ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET;
|
|
||||||
GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE;
|
|
||||||
};
|
|
||||||
ExtraConfig = cfg.idpManagerExtraConfig;
|
|
||||||
};
|
|
||||||
DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow {
|
|
||||||
Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER;
|
|
||||||
ProviderConfig = {
|
|
||||||
Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE;
|
|
||||||
Domain = NETBIRD_AUTH_AUTHORITY;
|
|
||||||
ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID;
|
|
||||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
|
||||||
DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT;
|
|
||||||
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE;
|
|
||||||
UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
PKCEAuthorizationFlow = {
|
|
||||||
ProviderConfig = {
|
|
||||||
Audience = NETBIRD_AUTH_AUDIENCE;
|
|
||||||
ClientID = NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
ClientSecret = NETBIRD_AUTH_CLIENT_SECRET;
|
|
||||||
AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT;
|
|
||||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
|
||||||
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES;
|
|
||||||
RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS;
|
|
||||||
UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts = mkIf cfg.enableNginx {
|
|
||||||
${cfg.settings.NETBIRD_DOMAIN} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
root = "${stateDir}/web-ui/";
|
|
||||||
tryFiles = "$uri /index.html";
|
|
||||||
};
|
|
||||||
|
|
||||||
"/signalexchange.SignalExchange/".extraConfig = ''
|
|
||||||
grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal};
|
|
||||||
grpc_read_timeout 1d;
|
|
||||||
grpc_send_timeout 1d;
|
|
||||||
grpc_socket_keepalive on;
|
|
||||||
'';
|
|
||||||
|
|
||||||
"/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}";
|
|
||||||
|
|
||||||
"/management.ManagementService/".extraConfig = ''
|
|
||||||
grpc_pass grpc://localhost:${builtins.toString cfg.ports.management};
|
|
||||||
grpc_read_timeout 1d;
|
|
||||||
grpc_send_timeout 1d;
|
|
||||||
grpc_socket_keepalive on;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services = {
|
|
||||||
netbird-setup = {
|
|
||||||
wantedBy = [
|
|
||||||
"netbird-management.service"
|
|
||||||
"netbird-signal.service"
|
|
||||||
"multi-user.target"
|
|
||||||
];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RuntimeDirectory = "netbird-mgmt";
|
|
||||||
StateDirectory = "netbird-mgmt";
|
|
||||||
WorkingDirectory = stateDir;
|
|
||||||
EnvironmentFile = [ settingsFile ];
|
|
||||||
};
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
|
||||||
|
|
||||||
path =
|
|
||||||
(with pkgs; [
|
|
||||||
coreutils
|
|
||||||
findutils
|
|
||||||
gettext
|
|
||||||
gnused
|
|
||||||
])
|
|
||||||
++ (optionals cfg.setupAutoOidc (
|
|
||||||
with pkgs;
|
|
||||||
[
|
|
||||||
curl
|
|
||||||
jq
|
|
||||||
]
|
|
||||||
));
|
|
||||||
|
|
||||||
script =
|
|
||||||
''
|
|
||||||
cp ${managementFile} ${stateDir}/management.json.copy
|
|
||||||
''
|
|
||||||
+ (optionalString cfg.setupAutoOidc ''
|
|
||||||
mv ${stateDir}/management.json.copy ${stateDir}/management.json
|
|
||||||
echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file"
|
|
||||||
curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json
|
|
||||||
|
|
||||||
export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json)
|
|
||||||
|
|
||||||
envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy
|
|
||||||
'')
|
|
||||||
+ ''
|
|
||||||
# Update secrets in management.json
|
|
||||||
${builtins.concatStringsSep "\n" (
|
|
||||||
builtins.attrValues (
|
|
||||||
builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") (
|
|
||||||
filterAttrs (_: p: p != null) cfg.secretFiles
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)}
|
|
||||||
|
|
||||||
envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json
|
|
||||||
|
|
||||||
rm -rf ${stateDir}/web-ui
|
|
||||||
mkdir -p ${stateDir}/web-ui
|
|
||||||
cp -R ${dashboard}/* ${stateDir}/web-ui
|
|
||||||
|
|
||||||
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
|
|
||||||
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
|
|
||||||
${optionalString (
|
|
||||||
cfg.secretFiles.AUTH_CLIENT_SECRET == null
|
|
||||||
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
|
|
||||||
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
|
|
||||||
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
|
|
||||||
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
|
|
||||||
export USE_AUTH0="$NETBIRD_USE_AUTH0"
|
|
||||||
export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g')
|
|
||||||
|
|
||||||
export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
|
|
||||||
|
|
||||||
MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js)
|
|
||||||
OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js
|
|
||||||
mv "$MAIN_JS" "$MAIN_JS".copy
|
|
||||||
envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS"
|
|
||||||
envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
netbird-signal = {
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "netbird-management.service" ];
|
|
||||||
restartTriggers = [
|
|
||||||
settingsFile
|
|
||||||
managementFile
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = ''
|
|
||||||
${cfg.package}/bin/netbird-signal run \
|
|
||||||
--port ${builtins.toString cfg.ports.signal} \
|
|
||||||
--log-file console \
|
|
||||||
--log-level ${cfg.logLevel}
|
|
||||||
'';
|
|
||||||
Restart = "always";
|
|
||||||
RuntimeDirectory = "netbird-mgmt";
|
|
||||||
StateDirectory = "netbird-mgmt";
|
|
||||||
WorkingDirectory = stateDir;
|
|
||||||
};
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
|
||||||
stopIfChanged = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
netbird-management = {
|
|
||||||
description = "The management server for Netbird, a wireguard VPN";
|
|
||||||
documentation = [ "https://netbird.io/docs/" ];
|
|
||||||
after = [
|
|
||||||
"network.target"
|
|
||||||
"netbird-setup.service"
|
|
||||||
];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
wants = [
|
|
||||||
"netbird-signal.service"
|
|
||||||
"netbird-setup.service"
|
|
||||||
];
|
|
||||||
restartTriggers = [
|
|
||||||
settingsFile
|
|
||||||
managementFile
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = ''
|
|
||||||
${cfg.package}/bin/netbird-mgmt management \
|
|
||||||
--config ${stateDir}/management.json \
|
|
||||||
--datadir ${stateDir}/data \
|
|
||||||
${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \
|
|
||||||
${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \
|
|
||||||
--dns-domain ${cfg.management.dnsDomain} \
|
|
||||||
--single-account-mode-domain ${cfg.management.singleAccountModeDomain} \
|
|
||||||
--idp-sign-key-refresh-enabled \
|
|
||||||
--port ${builtins.toString cfg.ports.management} \
|
|
||||||
--log-file console \
|
|
||||||
--log-level ${cfg.logLevel}
|
|
||||||
'';
|
|
||||||
Restart = "always";
|
|
||||||
RuntimeDirectory = "netbird-mgmt";
|
|
||||||
StateDirectory = [
|
|
||||||
"netbird-mgmt"
|
|
||||||
"netbird-mgmt/data"
|
|
||||||
];
|
|
||||||
WorkingDirectory = stateDir;
|
|
||||||
};
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
|
||||||
stopIfChanged = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
})
|
|
||||||
|
|
||||||
(mkIf cfg.enableCoturn {
|
|
||||||
services.coturn = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
realm = settings.NETBIRD_DOMAIN;
|
|
||||||
lt-cred-mech = true;
|
|
||||||
no-cli = true;
|
|
||||||
|
|
||||||
extraConfig = ''
|
|
||||||
fingerprint
|
|
||||||
|
|
||||||
user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD}
|
|
||||||
no-software-attribute
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
allowedUDPPorts = with settings; [
|
|
||||||
TURN_PORT
|
|
||||||
(TURN_PORT + 1)
|
|
||||||
5349
|
|
||||||
5350
|
|
||||||
];
|
|
||||||
allowedTCPPorts = with settings; [
|
|
||||||
TURN_PORT
|
|
||||||
(TURN_PORT + 1)
|
|
||||||
];
|
|
||||||
allowedUDPPortRanges = [
|
|
||||||
{
|
|
||||||
from = settings.TURN_MIN_PORT;
|
|
||||||
to = settings.TURN_MAX_PORT;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
})
|
|
||||||
|
|
||||||
(mkIf (cfg.enableNginx && cfg.enableCoturn) {
|
|
||||||
services.coturn =
|
|
||||||
let
|
|
||||||
cert = config.security.acme.certs.${settings.TURN_DOMAIN};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
cert = "${cert.directory}/fullchain.pem";
|
|
||||||
pkey = "${cert.directory}/key.pem";
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.nginx.extraGroups = [ "turnserver" ];
|
|
||||||
|
|
||||||
# share certs with coturn and restart on renewal
|
|
||||||
security.acme.certs.${settings.TURN_DOMAIN} = {
|
|
||||||
group = "turnserver";
|
|
||||||
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
|
|
||||||
};
|
|
||||||
})
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,31 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
buildNpmPackage,
|
|
||||||
fetchFromGitHub,
|
|
||||||
}:
|
|
||||||
|
|
||||||
buildNpmPackage rec {
|
|
||||||
pname = "netbird-dashboard";
|
|
||||||
version = "1.17.6";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "netbirdio";
|
|
||||||
repo = "dashboard";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40=";
|
|
||||||
};
|
|
||||||
|
|
||||||
npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w=";
|
|
||||||
npmFlags = [ "--legacy-peer-deps" ];
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
cp -R build $out
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "NetBird Management Service Web UI Panel";
|
|
||||||
homepage = "https://github.com/netbirdio/dashboard";
|
|
||||||
license = licenses.bsd3;
|
|
||||||
maintainers = with maintainers; [ thubrecht ];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
{
|
|
||||||
pkgs ? import <nixpkgs> { },
|
|
||||||
}:
|
|
||||||
|
|
||||||
{
|
|
||||||
dashboard = pkgs.callPackage ./dashboard.nix { };
|
|
||||||
}
|
|
|
@ -4,6 +4,8 @@ let
|
||||||
host = "videos.dgnum.eu";
|
host = "videos.dgnum.eu";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
|
||||||
|
|
||||||
services.peertube = {
|
services.peertube = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
|
|
@ -77,15 +77,9 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${host} = {
|
dgn-web.simpleProxies.prometheus = {
|
||||||
enableACME = true;
|
inherit host port;
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
recommendedProxySettings = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age-secrets.autoMatch = [ "prometheus" ];
|
age-secrets.autoMatch = [ "prometheus" ];
|
||||||
|
|
9
machines/storage01/redirections.nix
Normal file
9
machines/storage01/redirections.nix
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
dgn-redirections = {
|
||||||
|
permanent = {
|
||||||
|
"www.lanuit.ens.fr" = "lanuit.ens.fr";
|
||||||
|
"lanuit.ens.psl.eu" = "lanuit.ens.fr";
|
||||||
|
"www.lanuit.ens.psl.eu" = "lanuit.ens.fr";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,30 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
|
|
||||||
mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
|
|
||||||
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
|
|
||||||
jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
|
|
||||||
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
|
|
||||||
WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
|
|
||||||
-> ssh-rsa krWCLQ
|
|
||||||
hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
|
|
||||||
hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
|
|
||||||
P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
|
|
||||||
B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
|
|
||||||
6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
|
|
||||||
vBGnX9w0unyR//LLqrOPWA
|
|
||||||
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
|
|
||||||
lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
|
|
||||||
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
|
|
||||||
C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
|
|
||||||
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
|
|
||||||
+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
|
|
||||||
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
|
|
||||||
N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
|
|
||||||
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
|
|
||||||
0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
|
|
||||||
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
|
|
||||||
eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
|
|
||||||
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
|
|
||||||
uÂ;.ÿñË>pÔïÑ–<C391>òh¸<68>2ÎŒ›}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$1»!–z<E28093>jlA‡[@;ò‚s®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—h›ò–à ù@%ˆŠä´›|×{ ¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZD’ËÇÃ)}HŠü˜¦×ál}Sƒ‘˜ëFrn
|
|
||||||
øL¦-wÉÑ—¼j)ê â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
|
|
||||||
¾¸y8óÃkñbÔy×ËäÏ臃‹¹·k’¤¨ÉÍ™ê°n/-’'ÃZ<C383>ÅŸ
¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d
|
|
Binary file not shown.
|
@ -0,0 +1,30 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo
|
||||||
|
hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8
|
||||||
|
-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA
|
||||||
|
VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8
|
||||||
|
-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0
|
||||||
|
Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ
|
||||||
|
8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2
|
||||||
|
H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees
|
||||||
|
D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl
|
||||||
|
P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN
|
||||||
|
Gy5MiJasx3nWCUYJZUL1Fw
|
||||||
|
-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8
|
||||||
|
wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog
|
||||||
|
-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU
|
||||||
|
+LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg
|
||||||
|
-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ
|
||||||
|
7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo
|
||||||
|
-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk
|
||||||
|
kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I
|
||||||
|
-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0
|
||||||
|
zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg
|
||||||
|
-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4
|
||||||
|
jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg
|
||||||
|
-> @K'k$-grease x>ie }CH4sS h|s
|
||||||
|
bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg
|
||||||
|
--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs
|
||||||
|
1Ò¨Rq¢<>nýµ{”ýT°5?HXH1¢ Ê%‘)Í01’RGr׿fÖNT4å2B(í);ìíÿ‰íÁœ
|
BIN
machines/storage01/secrets/netbird-relay_environment_file
Normal file
BIN
machines/storage01/secrets/netbird-relay_environment_file
Normal file
Binary file not shown.
31
machines/storage01/secrets/netbird-relay_secret_file
Normal file
31
machines/storage01/secrets/netbird-relay_secret_file
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA lI9DxAFp/gbF+77Sofv9KIrs3kMTYTLEm8C6AsZBPyI
|
||||||
|
8RFGt1aJnZbd7Lpr4iy1VlMr3yzpPf6sI79cik5X77c
|
||||||
|
-> ssh-ed25519 QlRB9Q eMENLAMY+eNXJhduTnJoyPimbThM7VA+4m6BrnZa8RE
|
||||||
|
NpwcJhh0U8pMU1hnXFz2bfwSmCQra1CI5Tr2cbXGMT0
|
||||||
|
-> ssh-ed25519 r+nK/Q eyuD/hYyYmG96AcPEZVNsohXgK9WD+g+ZyMpIyaiYjY
|
||||||
|
Ef+R/eXkqvOmYJvjz4muTjGamkXzgHzD31vXDXsgo3M
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
BuBMUp5uijNV71OYvMGS9NhBBplfFugJy14EOHclJ2TKjQ19RVKHPj0wX0AxuPCT
|
||||||
|
iV6j6Po/oKSsGuoKy6JMTLKjYtROPF70Ld8PlC4tFI5i0xQagEFhKONfk1Rd/mF0
|
||||||
|
2qGriQhSUMvkMirbkhE3CxrAzSqcjuoGji+ZWwpz2LYUVsF89nnoLsTRri+Sg5ZW
|
||||||
|
4qhoo23UTU+IlrVtqjB7W1rNAwHKhWPZnjc08x1x/qnLATemmDMsFmTEGljJNGMR
|
||||||
|
kEg+oUdwdvLjDsnGBWkE+Ck/mrEGwjcsDTmZmCYcH/Q11EMdj5hnCfG68PRhLF9K
|
||||||
|
b28fHveM3i5/jHrrTxWbrA
|
||||||
|
-> ssh-ed25519 /vwQcQ 1xQWlLW6xCrheirHSKcGEu+KM644y8NP1KYvwOganQc
|
||||||
|
IFVYj83X1uLvgIRlnDvnLiaoZNM9viLT7X11vIHdLxY
|
||||||
|
-> ssh-ed25519 0R97PA I8K03IKgC59zmHqVr8h8TaxuuTSbmYsyap830JyhIhw
|
||||||
|
AGxW9sq7PQNgs9WFcbINI2CnE3lJJ0rDmseN83YSeT0
|
||||||
|
-> ssh-ed25519 JGx7Ng syz/pzdj3Lg1VwulZhT8UQncgXjOH1nlbtqHgASLAws
|
||||||
|
IKaU32zbjFc319PctmGPtHt4RXjgzun0K+9HeuGS3FU
|
||||||
|
-> ssh-ed25519 5SY7Kg 06EjOyKw1zIWcdZGC7EfNt9mFix+fVcy1iS+SBhPgCQ
|
||||||
|
ZxcNbC1QmTPJkWlwBnD9YjuzekGZtSDeI7RYxq0uwgw
|
||||||
|
-> ssh-ed25519 p/Mg4Q uCbjjN5S0ZoZtsj5jva9mTrlZ2UE02A3DysxV1PZ/lM
|
||||||
|
7jWWiWp4ei5VjftKZz29osbaFxfpId+X3GLzgWZ9Wgo
|
||||||
|
-> ssh-ed25519 rHotTw Q1/zZpGbUCbXiEELad5710uNkllrFuQlhonSLfIoQVo
|
||||||
|
h6iW26rADPn1MRqNoD33ZVVDRDr2DBoNK+BjrDxwZik
|
||||||
|
-> ss-grease
|
||||||
|
A3WDPMHgipAaXF0MStKGx8CAbFTqks74CRTKButwwJYvgnMFp2Yglx3D2NOWTdJm
|
||||||
|
yde7gp5XInweYf2TjvQK88l0MD0VYlG9Lu7+wbWGFElCpQ
|
||||||
|
--- 0d/8UVX6ubUZpKG3LzJsFKbsZNRKUwQq7LuWMiyezKo
|
||||||
|
P?j@¦Hˆ´ßš¥¼ówgêìÚ©L¥_ã+ì|ζãÙ¦Ö#‘“fu#c涯„IæS†|¨À²å 4Š
|
|
@ -1,9 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "storage01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for storage01
|
||||||
publicKeys = lib.getNodeKeys "storage01";
|
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"atticd-credentials_file"
|
|
||||||
"bupstash-put_key"
|
"bupstash-put_key"
|
||||||
"forgejo-mailer_password_file"
|
"forgejo-mailer_password_file"
|
||||||
"forgejo_runners-token_file"
|
"forgejo_runners-token_file"
|
||||||
|
@ -12,7 +8,9 @@ lib.setDefault { inherit publicKeys; } [
|
||||||
"influxdb2-initial_password_file"
|
"influxdb2-initial_password_file"
|
||||||
"influxdb2-initial_token_file"
|
"influxdb2-initial_token_file"
|
||||||
"influxdb2-telegraf_token_file"
|
"influxdb2-telegraf_token_file"
|
||||||
"netbird-auth_client_secret_file"
|
"netbird-data_store_encryption_key_file"
|
||||||
|
"netbird-relay_environment_file"
|
||||||
|
"netbird-relay_secret_file"
|
||||||
"nginx-tvix-store-password"
|
"nginx-tvix-store-password"
|
||||||
"nginx-tvix-store-password-ci"
|
"nginx-tvix-store-password-ci"
|
||||||
"peertube-secrets_file"
|
"peertube-secrets_file"
|
||||||
|
|
14
machines/storage01/tvix-cache/cache-settings.nix
Normal file
14
machines/storage01/tvix-cache/cache-settings.nix
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
let
|
||||||
|
cache-info = {
|
||||||
|
infra = {
|
||||||
|
public-key = "infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
|
||||||
|
url = "https://tvix-store.dgnum.eu/infra";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
|
||||||
|
{ caches }:
|
||||||
|
{
|
||||||
|
trusted-substituters = builtins.map (cache: cache-info.${cache}.url) caches;
|
||||||
|
trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches;
|
||||||
|
}
|
|
@ -1,9 +1,13 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, ... }:
|
||||||
let
|
let
|
||||||
settingsFormat = pkgs.formats.toml { };
|
|
||||||
|
|
||||||
dataDir = "/data/slow/tvix-store";
|
|
||||||
|
|
||||||
|
# How to add a cache:
|
||||||
|
# - Add the relevant services (likely only a pathinfoservice) to the
|
||||||
|
# composition config (store-config.composition).
|
||||||
|
# - Add an endpoint (store-config.endpoints).
|
||||||
|
# - Append a proxy configuration to nginx in order to make the store
|
||||||
|
# accessible.
|
||||||
|
# - Update cache-info.nix so users can add the cache to their configuration
|
||||||
store-config = {
|
store-config = {
|
||||||
composition = {
|
composition = {
|
||||||
blobservices.default = {
|
blobservices.default = {
|
||||||
|
@ -12,22 +16,17 @@ let
|
||||||
object_store_options = { };
|
object_store_options = { };
|
||||||
};
|
};
|
||||||
directoryservices = {
|
directoryservices = {
|
||||||
sled = {
|
redb = {
|
||||||
type = "sled";
|
type = "redb";
|
||||||
is_temporary = false;
|
is_temporary = false;
|
||||||
path = "${dataDir}/directory.sled";
|
path = "${dataDir}/directory.redb";
|
||||||
};
|
|
||||||
object = {
|
|
||||||
type = "objectstore";
|
|
||||||
object_store_url = "file://${dataDir}/directory.objectstore";
|
|
||||||
object_store_options = { };
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
pathinfoservices = {
|
pathinfoservices = {
|
||||||
infra = {
|
infra = {
|
||||||
type = "sled";
|
type = "redb";
|
||||||
is_temporary = false;
|
is_temporary = false;
|
||||||
path = "${dataDir}/pathinfo.sled";
|
path = "${dataDir}/pathinfo.redb";
|
||||||
};
|
};
|
||||||
infra-signing = {
|
infra-signing = {
|
||||||
type = "keyfile-signing";
|
type = "keyfile-signing";
|
||||||
|
@ -41,24 +40,31 @@ let
|
||||||
"127.0.0.1:8056" = {
|
"127.0.0.1:8056" = {
|
||||||
endpoint_type = "Http";
|
endpoint_type = "Http";
|
||||||
blob_service = "default";
|
blob_service = "default";
|
||||||
directory_service = "object";
|
directory_service = "redb";
|
||||||
path_info_service = "infra";
|
path_info_service = "infra";
|
||||||
};
|
};
|
||||||
"127.0.0.1:8058" = {
|
"127.0.0.1:8058" = {
|
||||||
endpoint_type = "Http";
|
endpoint_type = "Http";
|
||||||
blob_service = "default";
|
blob_service = "default";
|
||||||
directory_service = "object";
|
directory_service = "redb";
|
||||||
path_info_service = "infra-signing";
|
path_info_service = "infra-signing";
|
||||||
};
|
};
|
||||||
# Add grpc for management and because it is nice
|
# Add grpc for management and because it is nice
|
||||||
"127.0.0.1:8057" = {
|
"127.0.0.1:8057" = {
|
||||||
endpoint_type = "Grpc";
|
endpoint_type = "Grpc";
|
||||||
blob_service = "default";
|
blob_service = "default";
|
||||||
directory_service = "object";
|
directory_service = "redb";
|
||||||
path_info_service = "infra";
|
path_info_service = "infra";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
settingsFormat = pkgs.formats.toml { };
|
||||||
|
|
||||||
|
webHost = "tvix-store.dgnum.eu";
|
||||||
|
|
||||||
|
dataDir = "/data/slow/tvix-store";
|
||||||
|
|
||||||
systemdHardening = {
|
systemdHardening = {
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
|
@ -75,10 +81,12 @@ let
|
||||||
RuntimeDirectoryMode = "0750";
|
RuntimeDirectoryMode = "0750";
|
||||||
StateDirectoryMode = "0750";
|
StateDirectoryMode = "0750";
|
||||||
};
|
};
|
||||||
|
|
||||||
toml = {
|
toml = {
|
||||||
composition = settingsFormat.generate "composition.toml" store-config.composition;
|
composition = settingsFormat.generate "composition.toml" store-config.composition;
|
||||||
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
|
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
|
||||||
};
|
};
|
||||||
|
|
||||||
package = pkgs.callPackage ./package { };
|
package = pkgs.callPackage ./package { };
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -88,7 +96,7 @@ in
|
||||||
"nginx"
|
"nginx"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
|
services.nginx.virtualHosts.${webHost} = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations = {
|
locations = {
|
||||||
|
@ -110,14 +118,12 @@ in
|
||||||
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
|
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"/.well-known/nix-signing-keys/" = {
|
|
||||||
alias = "${./pubkeys}/";
|
|
||||||
extraConfig = "autoindex on;";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO add tvix-store cli here
|
# TODO add tvix-store cli here
|
||||||
# environment.systemPackages = [ ];
|
# environment.systemPackages = [ ];
|
||||||
|
|
||||||
users.users.tvix-store = {
|
users.users.tvix-store = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = "tvix-store";
|
group = "tvix-store";
|
||||||
|
@ -129,10 +135,11 @@ in
|
||||||
systemd.services."tvix-store" = {
|
systemd.services."tvix-store" = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
environment = {
|
environment = {
|
||||||
RUST_LOG = "debug";
|
RUST_LOG = "info";
|
||||||
};
|
};
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
UMask = "007";
|
UMask = "007";
|
||||||
|
LimitNOFILE = 1048576;
|
||||||
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
|
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
|
||||||
StateDirectory = "tvix-store";
|
StateDirectory = "tvix-store";
|
||||||
RuntimeDirectory = "tvix-store";
|
RuntimeDirectory = "tvix-store";
|
||||||
|
|
1316
machines/storage01/tvix-cache/package/Cargo.lock
generated
1316
machines/storage01/tvix-cache/package/Cargo.lock
generated
File diff suppressed because it is too large
Load diff
|
@ -5,11 +5,11 @@
|
||||||
runCommand,
|
runCommand,
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
tvix-hash = "sha256-KNl+Lv0aMqSFVFt6p/GdmNDddzccW4wKfZB7W6Gv5F0=";
|
tvix-hash = "sha256-It3brj6SX+9OIGyKsITnNLjzDnB7CBCZDS+S7arRiWY=";
|
||||||
tvix-src = fetchgit {
|
tvix-src = fetchgit {
|
||||||
name = "tvix";
|
name = "tvix";
|
||||||
url = "https://git.dgnum.eu/mdebray/tvl-depot";
|
url = "https://git.dgnum.eu/mdebray/tvl-depot";
|
||||||
rev = "920b7118d5b0917e426367107f7b7b66089a8d7b";
|
rev = "3389c550b92d8b631f75e5a77e244fe698e4b4b2";
|
||||||
hash = tvix-hash;
|
hash = tvix-hash;
|
||||||
};
|
};
|
||||||
protos = runCommand "tvix-protos" { } ''
|
protos = runCommand "tvix-protos" { } ''
|
||||||
|
@ -25,8 +25,8 @@ rustPlatform.buildRustPackage rec {
|
||||||
|
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
|
url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
|
||||||
rev = "0d7d4cf66242facecba485b1085e285e8d46c038";
|
rev = "0d4c5ca8f75e156f9485fc085e93e85260e2e843";
|
||||||
hash = "sha256-IU3OS3ePJeBNiY8HbhoYW5b03Nq8BJ4AWe+bGv4dAuw=";
|
hash = "sha256-OmXud+MhF2M02ofqDOnmazf190vu91i6RZ2y0NdA8oU=";
|
||||||
};
|
};
|
||||||
|
|
||||||
PROTO_ROOT = protos;
|
PROTO_ROOT = protos;
|
||||||
|
@ -36,6 +36,7 @@ rustPlatform.buildRustPackage rec {
|
||||||
cargoLock = {
|
cargoLock = {
|
||||||
lockFile = ./Cargo.lock;
|
lockFile = ./Cargo.lock;
|
||||||
outputHashes = {
|
outputHashes = {
|
||||||
|
"bigtable_rs-0.2.10" = "sha256-2NC3rHbS2rdD0Rnovymn1xaR22KaR6yzWr298wOPxlY=";
|
||||||
"nar-bridge-0.1.0" = tvix-hash;
|
"nar-bridge-0.1.0" = tvix-hash;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=
|
|
16
machines/storage01/victoria-metrics.nix
Normal file
16
machines/storage01/victoria-metrics.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
let
|
||||||
|
host = "victoria-metrics.dgnum.eu";
|
||||||
|
port = 9099;
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
services.victoriametrics = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
listenAddress = "127.0.0.1:${builtins.toString port}";
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn-web.simpleProxies.victoria-metrics = {
|
||||||
|
inherit host port;
|
||||||
|
};
|
||||||
|
}
|
|
@ -3,7 +3,6 @@
|
||||||
lib.extra.mkConfig {
|
lib.extra.mkConfig {
|
||||||
enabledModules = [
|
enabledModules = [
|
||||||
# List of modules to enable
|
# List of modules to enable
|
||||||
"dgn-fail2ban"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
enabledServices = [
|
enabledServices = [
|
||||||
|
@ -11,15 +10,13 @@ lib.extra.mkConfig {
|
||||||
"k-radius"
|
"k-radius"
|
||||||
"networking"
|
"networking"
|
||||||
"ups"
|
"ups"
|
||||||
|
"ulogd"
|
||||||
];
|
];
|
||||||
|
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
|
|
||||||
"sshd-bruteforce"
|
|
||||||
"sshd-timeout"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.netbird.enable = true;
|
services.netbird.enable = true;
|
||||||
|
services.nginx.enable = true;
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
root = ./.;
|
root = ./.;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, ... }:
|
{ config, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [ ./module.nix ];
|
imports = [ ./module.nix ];
|
||||||
|
@ -6,6 +6,15 @@
|
||||||
services.k-radius = {
|
services.k-radius = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
domain = "radius.dgnum.eu";
|
||||||
|
|
||||||
|
radiusClients = {
|
||||||
|
ap = {
|
||||||
|
ipaddr = "0.0.0.0/0";
|
||||||
|
secret = config.age.secrets."radius-ap-radius-secret_file".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
# URL to the Kanidm server
|
# URL to the Kanidm server
|
||||||
uri = "https://sso.dgnum.eu";
|
uri = "https://sso.dgnum.eu";
|
||||||
|
@ -40,18 +49,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
authTokenFile = config.age.secrets."radius-auth_token_file".path;
|
authTokenFile = config.age.secrets."radius-auth_token_file".path;
|
||||||
privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;
|
|
||||||
|
|
||||||
certs = builtins.listToAttrs (
|
|
||||||
builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [
|
|
||||||
"ca"
|
|
||||||
"cert"
|
|
||||||
"dh"
|
|
||||||
"key"
|
|
||||||
]
|
|
||||||
);
|
|
||||||
|
|
||||||
radiusClients = { };
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age-secrets.autoMatch = [ "radius" ];
|
age-secrets.autoMatch = [ "radius" ];
|
||||||
|
|
|
@ -15,7 +15,16 @@ let
|
||||||
mkIf
|
mkIf
|
||||||
mkOption
|
mkOption
|
||||||
optionalString
|
optionalString
|
||||||
types
|
;
|
||||||
|
|
||||||
|
inherit (lib.types)
|
||||||
|
attrsOf
|
||||||
|
bool
|
||||||
|
enum
|
||||||
|
package
|
||||||
|
path
|
||||||
|
str
|
||||||
|
submodule
|
||||||
;
|
;
|
||||||
|
|
||||||
settingsFormat = pkgs.formats.toml { };
|
settingsFormat = pkgs.formats.toml { };
|
||||||
|
@ -24,99 +33,94 @@ let
|
||||||
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
|
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
|
||||||
|
|
||||||
cfg = config.services.k-radius;
|
cfg = config.services.k-radius;
|
||||||
|
|
||||||
|
acmeDirectory = config.security.acme.certs.${cfg.domain}.directory;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.services.k-radius = {
|
options.services.k-radius = {
|
||||||
enable = mkEnableOption "a freeradius service linked to kanidm.";
|
enable = mkEnableOption "a freeradius service linked to kanidm.";
|
||||||
|
|
||||||
|
domain = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "The domain used for the RADIUS server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
raddb = mkOption {
|
||||||
|
type = path;
|
||||||
|
default = "/var/lib/radius/raddb/";
|
||||||
|
description = "The location of the raddb directory.";
|
||||||
|
};
|
||||||
|
|
||||||
settings = mkOption { inherit (settingsFormat) type; };
|
settings = mkOption { inherit (settingsFormat) type; };
|
||||||
|
|
||||||
freeradius = mkOption {
|
freeradius = mkOption {
|
||||||
type = types.package;
|
type = package;
|
||||||
default = pkgs.freeradius.overrideAttrs (old: {
|
default = pkgs.freeradius.overrideAttrs (old: {
|
||||||
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
|
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
configDir = mkOption {
|
configDir = mkOption {
|
||||||
type = types.path;
|
type = path;
|
||||||
default = "/var/lib/radius/raddb";
|
default = "/var/lib/radius/raddb";
|
||||||
description = "The path of the freeradius server configuration directory.";
|
description = "The path of the freeradius server configuration directory.";
|
||||||
};
|
};
|
||||||
|
|
||||||
authTokenFile = mkOption {
|
authTokenFile = mkOption {
|
||||||
type = types.path;
|
type = path;
|
||||||
description = "File to the auth token for the service account.";
|
description = "File to the auth token for the service account.";
|
||||||
};
|
};
|
||||||
|
|
||||||
extra-mods = mkOption {
|
extra-mods = mkOption {
|
||||||
type = types.attrsOf types.path;
|
type = attrsOf path;
|
||||||
default = { };
|
default = { };
|
||||||
description = "Additional files to be linked in mods-enabled.";
|
description = "Additional files to be linked in mods-enabled.";
|
||||||
};
|
};
|
||||||
|
|
||||||
extra-sites = mkOption {
|
extra-sites = mkOption {
|
||||||
type = types.attrsOf types.path;
|
type = attrsOf path;
|
||||||
default = { };
|
default = { };
|
||||||
description = "Additional files to be linked in sites-enabled.";
|
description = "Additional files to be linked in sites-enabled.";
|
||||||
};
|
};
|
||||||
|
|
||||||
dictionary = mkOption {
|
dictionary = mkOption {
|
||||||
type = types.attrsOf (
|
type = attrsOf (enum [
|
||||||
types.enum [
|
|
||||||
"abinary"
|
"abinary"
|
||||||
"date"
|
"date"
|
||||||
"ipaddr"
|
"ipaddr"
|
||||||
"integer"
|
"integer"
|
||||||
"string"
|
"string"
|
||||||
]
|
]);
|
||||||
);
|
|
||||||
default = { };
|
default = { };
|
||||||
description = "Declare additionnal attributes to be listed in the dictionary.";
|
description = "Declare additionnal attributes to be listed in the dictionary.";
|
||||||
};
|
};
|
||||||
|
|
||||||
radiusClients = mkOption {
|
radiusClients = mkOption {
|
||||||
type = types.attrsOf (
|
type = attrsOf (submodule {
|
||||||
types.submodule {
|
|
||||||
options = {
|
options = {
|
||||||
secret = mkOption { type = types.path; };
|
secret = mkOption { type = path; };
|
||||||
ipaddr = mkOption { type = types.str; };
|
ipaddr = mkOption { type = str; };
|
||||||
};
|
};
|
||||||
}
|
});
|
||||||
);
|
|
||||||
default = { };
|
default = { };
|
||||||
description = "A mapping of clients and their authentication tokens.";
|
description = "A mapping of clients and their authentication tokens.";
|
||||||
};
|
};
|
||||||
|
|
||||||
certs = {
|
|
||||||
ca = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "The signing CA of the RADIUS certificate.";
|
|
||||||
};
|
|
||||||
dh = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
|
|
||||||
};
|
|
||||||
cert = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "The certificate for the RADIUS server.";
|
|
||||||
};
|
|
||||||
key = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "The signing key for the RADIUS certificate.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
privateKeyPasswordFile = mkOption { type = types.path; };
|
|
||||||
|
|
||||||
checkConfiguration = mkOption {
|
checkConfiguration = mkOption {
|
||||||
type = types.bool;
|
type = bool;
|
||||||
description = "Check the configuration before starting the deamon. Useful for debugging.";
|
description = "Check the configuration before starting the deamon. Useful for debugging.";
|
||||||
default = false;
|
default = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
# Certificate setup
|
||||||
|
services.nginx.virtualHosts.${cfg.domain} = {
|
||||||
|
http2 = false;
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
users.radius = {
|
users.radius = {
|
||||||
group = "radius";
|
group = "radius";
|
||||||
|
@ -127,49 +131,45 @@ in
|
||||||
groups.radius = { };
|
groups.radius = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
services.k-radius.settings = {
|
|
||||||
ca_path = cfg.certs.ca;
|
|
||||||
|
|
||||||
radius_cert_path = cfg.certs.cert;
|
|
||||||
radius_key_path = cfg.certs.key;
|
|
||||||
radius_dh_path = cfg.certs.dh;
|
|
||||||
radius_ca_path = cfg.certs.ca;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.radius = {
|
systemd.services.radius = {
|
||||||
description = "FreeRadius server";
|
description = "FreeRadius server";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" ];
|
after = [
|
||||||
|
"network.target"
|
||||||
|
"acme-finished-${cfg.domain}.target"
|
||||||
|
];
|
||||||
wants = [ "network.target" ];
|
wants = [ "network.target" ];
|
||||||
startLimitIntervalSec = 20;
|
startLimitIntervalSec = 20;
|
||||||
startLimitBurst = 5;
|
startLimitBurst = 5;
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
rm -rf ${cfg.configDir}
|
raddb=${cfg.raddb}
|
||||||
mkdir -p ${cfg.configDir}
|
|
||||||
|
|
||||||
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
|
# Recreate the configuration directory
|
||||||
cp -R --no-preserve=mode ${rlm_python}/etc/raddb/* ${cfg.configDir}
|
rm -rf $raddb && mkdir -p $raddb
|
||||||
|
|
||||||
chmod -R u+w ${cfg.configDir}
|
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* $raddb
|
||||||
|
cp -R --no-preserve=mode ${rlm_python}/etc/raddb/* $raddb
|
||||||
|
|
||||||
|
chmod -R u+w $raddb
|
||||||
|
|
||||||
# disable auth via methods kanidm doesn't support
|
# disable auth via methods kanidm doesn't support
|
||||||
rm ${cfg.configDir}/mods-available/sql
|
rm $raddb/mods-available/sql
|
||||||
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
|
rm $raddb/mods-enabled/{passwd,totp}
|
||||||
|
|
||||||
# enable the python and cache modules
|
# enable the python and cache modules
|
||||||
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
|
ln -nsf $raddb/mods-available/python3 $raddb/mods-enabled/python3
|
||||||
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
|
ln -nsf $raddb/sites-available/check-eap-tls $raddb/sites-enabled/check-eap-tls
|
||||||
|
|
||||||
# write the clients configuration
|
# write the clients configuration
|
||||||
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
|
> $raddb/clients.conf
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
builtins.attrValues (
|
builtins.attrValues (
|
||||||
builtins.mapAttrs (
|
builtins.mapAttrs (
|
||||||
name:
|
name:
|
||||||
{ secret, ipaddr }:
|
{ secret, ipaddr }:
|
||||||
''
|
''
|
||||||
cat <<EOF >> ${cfg.configDir}/clients.conf
|
cat <<EOF >> $raddb/clients.conf
|
||||||
client ${name} {
|
client ${name} {
|
||||||
ipaddr = ${ipaddr}
|
ipaddr = ${ipaddr}
|
||||||
secret = $(cat "${secret}")
|
secret = $(cat "${secret}")
|
||||||
|
@ -190,19 +190,16 @@ in
|
||||||
chmod u+w /var/lib/radius/kanidm.toml
|
chmod u+w /var/lib/radius/kanidm.toml
|
||||||
|
|
||||||
# Copy the certificates to the correct directory
|
# Copy the certificates to the correct directory
|
||||||
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
|
rm -rf $raddb/certs && mkdir -p $raddb/certs
|
||||||
|
|
||||||
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
|
cp ${acmeDirectory}/chain.pem $raddb/certs/ca.pem
|
||||||
|
|
||||||
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
|
${lib.getExe pkgs.openssl} rehash $raddb/certs
|
||||||
|
|
||||||
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
|
# Recreate the dh.pem file
|
||||||
|
${lib.getExe pkgs.openssl} dhparam -in $raddb/certs/ca.pem -out $raddb/certs/dh.pem 2048
|
||||||
|
|
||||||
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
|
cp ${acmeDirectory}/full.pem $raddb/certs/server.pem
|
||||||
|
|
||||||
# Write the password of the private_key in the eap module
|
|
||||||
sed -i ${cfg.configDir}/mods-available/eap \
|
|
||||||
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
|
|
||||||
|
|
||||||
# Link the dictionary
|
# Link the dictionary
|
||||||
ln -nsf ${
|
ln -nsf ${
|
||||||
|
@ -213,22 +210,20 @@ in
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
} ${cfg.configDir}/dictionary
|
} $raddb/dictionary
|
||||||
|
|
||||||
# Link extra-mods
|
# Link extra-mods
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods
|
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/mods-enabled/${name}") cfg.extra-mods
|
||||||
)}
|
)}
|
||||||
|
|
||||||
# Link extra-sites
|
# Link extra-sites
|
||||||
${builtins.concatStringsSep "\n" (
|
${builtins.concatStringsSep "\n" (
|
||||||
mapAttrsToList (
|
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/sites-enabled/${name}") cfg.extra-sites
|
||||||
name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}"
|
|
||||||
) cfg.extra-sites
|
|
||||||
)}
|
)}
|
||||||
|
|
||||||
# Check the configuration
|
# Check the configuration
|
||||||
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
|
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d $raddb -l stdout"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
path = [
|
path = [
|
||||||
|
@ -236,25 +231,28 @@ in
|
||||||
pkgs.gnused
|
pkgs.gnused
|
||||||
];
|
];
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
KANIDM_RLM_CONFIG = "/var/lib/radius/kanidm.toml";
|
||||||
|
PYTHONPATH = rlm_python.pythonPath;
|
||||||
|
};
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
|
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d /var/lib/radius/raddb -l stdout";
|
||||||
ExecReload = [
|
ExecReload = [
|
||||||
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
|
"${cfg.freeradius}/bin/radiusd -C -d /var/lib/radius/raddb -l stdout"
|
||||||
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
|
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
|
||||||
];
|
];
|
||||||
User = "radius";
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||||
Group = "radius";
|
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
|
Group = "radius";
|
||||||
|
LogsDirectory = "radius";
|
||||||
|
ReadOnlyPaths = [ acmeDirectory ];
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = 2;
|
RestartSec = 2;
|
||||||
LogsDirectory = "radius";
|
|
||||||
StateDirectory = "radius";
|
|
||||||
RuntimeDirectory = "radius";
|
RuntimeDirectory = "radius";
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
StateDirectory = "radius";
|
||||||
Environment = [
|
SupplementaryGroups = [ "nginx" ];
|
||||||
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
|
User = "radius";
|
||||||
"PYTHONPATH=${rlm_python.pythonPath}"
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -238,7 +238,11 @@ in
|
||||||
content = ''
|
content = ''
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority 100;
|
type nat hook postrouting priority 100;
|
||||||
ip saddr 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.158
|
ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
|
||||||
|
ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
|
||||||
|
ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
|
||||||
|
ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
|
||||||
|
ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
32
machines/vault01/secrets/radius-ap-radius-secret_file
Normal file
32
machines/vault01/secrets/radius-ap-radius-secret_file
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk
|
||||||
|
l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI
|
||||||
|
-> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU
|
||||||
|
X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw
|
||||||
|
-> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang
|
||||||
|
FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n
|
||||||
|
jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab
|
||||||
|
SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts
|
||||||
|
dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0
|
||||||
|
dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn
|
||||||
|
GW/WD0EpmdzpWVPby68+KA
|
||||||
|
-> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw
|
||||||
|
RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ
|
||||||
|
-> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA
|
||||||
|
m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c
|
||||||
|
-> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8
|
||||||
|
88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I
|
||||||
|
-> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE
|
||||||
|
6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk
|
||||||
|
-> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA
|
||||||
|
NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk
|
||||||
|
-> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU
|
||||||
|
WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk
|
||||||
|
-> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM
|
||||||
|
wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40
|
||||||
|
-> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA
|
||||||
|
Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q
|
||||||
|
--- 8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w
|
||||||
|
G“Þ"û¤‡ã8ƒÈî‚&NF}x£ksyÖ\£.i§<69>קF¢‹¯}ê-ÍÁÓšLbì;{
|
|
@ -1,8 +1,5 @@
|
||||||
let
|
(import ../../../keys).mkSecrets [ "vault01" ] [
|
||||||
lib = import ../../../lib { };
|
# List of secrets for vault01
|
||||||
publicKeys = lib.getNodeKeys "vault01";
|
|
||||||
in
|
|
||||||
lib.setDefault { inherit publicKeys; } [
|
|
||||||
"radius-auth_token_file"
|
"radius-auth_token_file"
|
||||||
"radius-ca_pem_file"
|
"radius-ca_pem_file"
|
||||||
"radius-cert_pem_file"
|
"radius-cert_pem_file"
|
||||||
|
@ -10,4 +7,5 @@ lib.setDefault { inherit publicKeys; } [
|
||||||
"radius-key_pem_file"
|
"radius-key_pem_file"
|
||||||
"radius-private_key_password_file"
|
"radius-private_key_password_file"
|
||||||
"eatonmon-password_file"
|
"eatonmon-password_file"
|
||||||
|
"radius-ap-radius-secret_file"
|
||||||
]
|
]
|
||||||
|
|
56
machines/vault01/ulogd.nix
Normal file
56
machines/vault01/ulogd.nix
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
services = {
|
||||||
|
ulogd = {
|
||||||
|
enable = true;
|
||||||
|
logLevel = 5;
|
||||||
|
settings = {
|
||||||
|
global = {
|
||||||
|
logfile = "/var/log/ulogd.log";
|
||||||
|
stack = [ "ct1:NFCT,ip2str1:IP2STR,pgsql1:PGSQL" ];
|
||||||
|
};
|
||||||
|
ct1 = { };
|
||||||
|
pgsql1 = {
|
||||||
|
db = "ulogd";
|
||||||
|
user = "ulogd";
|
||||||
|
table = "ulog2_ct";
|
||||||
|
procedure = "INSERT_CT";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
postgresql = {
|
||||||
|
enable = true;
|
||||||
|
identMap = ''
|
||||||
|
ulogd-map root ulogd
|
||||||
|
'';
|
||||||
|
authentication = ''
|
||||||
|
local ulogd ulogd peer map=ulogd-map
|
||||||
|
'';
|
||||||
|
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "ulogd";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
ensureDatabases = [ "ulogd" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.ulogd = {
|
||||||
|
serviceConfig.StateDirectory = "ulogd";
|
||||||
|
requires = [ "postgresql.service" ];
|
||||||
|
after = [ "postgresql.service" ];
|
||||||
|
path = [ config.services.postgresql.package ];
|
||||||
|
preStart = lib.mkAfter ''
|
||||||
|
if ! test -e "/var/lib/ulogd/.initialized"; then
|
||||||
|
psql -f "${pkgs.ulogd.doc}/share/doc/ulogd-pgsql/pgsql-ulogd2.sql" -d ulogd -U ulogd
|
||||||
|
touch "/var/lib/ulogd/.initialized"
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue