From 2b758907523f575f896a45e42680e3e62ee860c3 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Tue, 24 Sep 2024 20:54:22 +0200 Subject: [PATCH] feat(compute01): Deploy dgsi --- machines/compute01/_configuration.nix | 13 +- machines/compute01/dgsi/default.nix | 180 ++++++++++++++++++ .../secrets/dgsi-kanidm_auth_token_file | Bin 0 -> 1975 bytes .../compute01/secrets/dgsi-kanidm_secret_file | 30 +++ .../compute01/secrets/dgsi-secret_key_file | 31 +++ machines/compute01/secrets/secrets.nix | 5 +- npins/sources.json | 15 +- 7 files changed, 266 insertions(+), 8 deletions(-) create mode 100644 machines/compute01/dgsi/default.nix create mode 100644 machines/compute01/secrets/dgsi-kanidm_auth_token_file create mode 100644 machines/compute01/secrets/dgsi-kanidm_secret_file create mode 100644 machines/compute01/secrets/dgsi-secret_key_file diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix index 0797105..11546d8 100644 --- a/machines/compute01/_configuration.nix +++ b/machines/compute01/_configuration.nix @@ -1,18 +1,19 @@ { lib, ... }: lib.extra.mkConfig { + # List of modules to enable enabledModules = [ - # List of modules to enable + # INFO: This list needs to stay sorted alphabetically "dgn-backups" - "dgn-web" "dgn-chatops" + "dgn-web" ]; + # List of services to enable enabledServices = [ - # List of services to enable + # INFO: This list needs to stay sorted alphabetically "arkheon" - "takumi" - "signal-irc-bridge" + "dgsi" "ds-fr" "grafana" "hedgedoc" @@ -25,8 +26,10 @@ lib.extra.mkConfig { "postgresql" "rstudio-server" "satosa" + "signal-irc-bridge" "signald" "stirling-pdf" + "takumi" "telegraf" "vaultwarden" "zammad" diff --git a/machines/compute01/dgsi/default.nix b/machines/compute01/dgsi/default.nix new file mode 100644 index 0000000..9afc74e --- /dev/null +++ b/machines/compute01/dgsi/default.nix @@ -0,0 +1,180 @@ +{ + config, + lib, + pkgs, + sources, + ... +}: + +let + inherit (lib) mapAttrsToList; + + python = + let + python3 = pkgs.python312; + nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; }; + in + python3.override { + packageOverrides = _: _: { + inherit (nix-pkgs) + django-allauth + django-allauth-cas + django-browser-reload + django-bulma-forms + django-sass-processor + django-sass-processor-dart-sass + django-unfold + pykanidm + python-cas + loadcredential + ; + }; + }; + + pythonEnv = python.withPackages (ps: [ + ps.django + ps.gunicorn + ps.psycopg + ps.django-compressor + + # Local packages + ps.django-allauth + ps.django-allauth-cas + ps.django-bulma-forms + ps.django-sass-processor + ps.django-sass-processor-dart-sass + ps.django-unfold + ps.loadcredential + ps.pykanidm + ps.python-cas + ]); + + staticDrv = pkgs.stdenv.mkDerivation { + name = "dgsi-static"; + + src = sources.dgsi; + sourceRoot = "source/src"; + + nativeBuildInputs = [ + pkgs.dart-sass + pythonEnv + ]; + + configurePhase = '' + export DGSI_STATIC_ROOT=$out/static + export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials + export DGSI_KANIDM_CLIENT="dgsi_test"; + export DGSI_KANIDM_AUTH_TOKEN="fake.token"; + ''; + + doBuild = false; + + installPhase = '' + mkdir -p $out/static + python3 manage.py compilescss + python3 manage.py collectstatic + ''; + }; +in + +{ + users = { + users.nginx.extraGroups = [ "django-apps" ]; + groups.django-apps = { }; + }; + + systemd = { + services = { + dj-dgsi = { + description = "DGSI web app"; + + requires = [ "dj-dgsi.socket" ]; + wantedBy = [ "multi-user.target" ]; + after = [ + "network.target" + "postgresql.service" + ]; + + serviceConfig = { + DynamicUser = true; + LoadCredential = mapAttrsToList (name: value: "${name}:${value}") { + SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path; + KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path; + KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path; + }; + RuntimeDirectory = "django-apps/dgsi"; + StateDirectory = "django-dgsi"; + UMask = "0027"; + User = "dj-dgsi"; + WorkingDirectory = "${sources.dgsi}/src"; + }; + + environment = { + DGSI_ALLOWED_HOSTS = builtins.toJSON [ + "profil.dgnum.eu" + "dgsi.dgnum.eu" + ]; + DGSI_STATIC_ROOT = staticDrv; + DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media"; + }; + + path = [ pythonEnv ]; + + script = '' + python3 manage.py migrate + gunicorn --pythonpath ${sources.dgsi}/src --bind unix:/run/django-apps/dgsi.sock --workers=4 app.wsgi + ''; + }; + }; + + sockets."dj-dgsi" = { + description = "Socket for the DGSI Django Application"; + wantedBy = [ "sockets.target" ]; + + socketConfig = { + ListenStream = "/run/django-apps/dgsi.sock"; + SocketMode = "600"; + SocketUser = config.services.nginx.user; + }; + }; + + mounts = [ + { + where = "/run/django-apps/dgsi/media"; + what = "/var/lib/django-apps/dgsi/media"; + options = "bind"; + + after = [ "dj-dgsi.service" ]; + partOf = [ "dj-dgsi.service" ]; + upheldBy = [ "dj-dgsi.service" ]; + } + ]; + }; + + dgn-redirections.redirections."dgsi.dgnum.eu" = "profil.dgnum.eu"; + + services = { + postgresql = { + ensureDatabases = [ "dgsi" ]; + ensureUsers = [ + { + name = "dgsi"; + ensureDBOwnership = true; + } + ]; + }; + + nginx.virtualHosts."profil.dgnum.eu" = { + enableACME = true; + forceSSL = true; + + serverAliases = [ "dgsi.dgnum.eu" ]; + + locations = { + "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock"; + "/static/".root = staticDrv; + "/media/".root = "/run/django-apps/dgsi"; + }; + }; + }; +} diff --git a/machines/compute01/secrets/dgsi-kanidm_auth_token_file b/machines/compute01/secrets/dgsi-kanidm_auth_token_file new file mode 100644 index 0000000000000000000000000000000000000000..638c0066c5e0ac4b53379c3cd20ee80f4d020b7f GIT binary patch literal 1975 zcmZXU{qNia9mk0bk{ubz2w5U~;B*s}+n4sPch@`SAnjeR*K2!yxIWx<5qItNdhK1G zdu^}NO`V(5pu|nUO<|cRThNh##s?r9ljsb>z$iK;K`<)l05#Jg%S@av|!;yrt9411_lrpb4z#R!*H^sk4lwFv7Wbx{+LDb5KP2VypvRwJ}Yr9 z#Q2RWJ}B5=zdd68jwVjUrdOstS;le-r8k=+-yYiTw5|8cfaBrbLT_oYn_}Vukn~Ao zIF>W4i(E}MU!f@`rNocShOj1hSlmE!Beo+2zyK;tQRFPm)Q=C zk4>O14q2?_F%D*Sv`({MGo`d4gQDtz1Ky#CDq~zp3knViaCuaRGLbUGIGBqmU32?| zvZVyJAgUTDv{~JWS}a=B!VFAunu`N=yN-3cUI!k{#hRI5f(cW|qTK30B{NKELy61k zq#0hO1>rD14de#J<>pr41t=>r3l-3O6edP>f<-Nn4coA(cvOEV!J$5etr zC6x^mzBzUXff&;{+EI%Qt?np8EU6=$*lqL|Z3YHfvY1vqrY3^Im}=V@Ia94jE0N-q z$0ju%sjDM$NZR9EoQRev&Zw@84@^@xBaXm30?@;$cwr|vHWT22*1&LWO3_8XR;$EP zw?ipaMv9S1byCj>Q>Ihmb)F>*eQzkFOVL2;bi!#5 z<}bNJ)FVcOglcYHMq+C=FtWN6K>b3u0D%1vRgqGSiz8GGi}sL_1weBX214pt#+T=V z@^qXkR2gk)8j`DtxHpaf(@9a6pAxA`f|~FilYltkG%ha;ra*^iad=u=RDe{5_#UGG z8H?g|5l<%rScs@J9M3&0%<*Ojlo}Q`>`ltJLzgTa<($;3GIK(}d=YaRDbriH0NN%l z-}Z7#K)w!NY6;^P3e_H&)fcipuT7+$ScL{~oZ9_zqbNfIx!Vq)TAfxcI>(_fnb9_j zOt@NVk$j=Y*fML+o9-gfP{r+3!t$IfkF275C9Q*}aM#GwLJdwmQZ2%9tTxSrmhC<> zP={4tYDa#>1F%VGjse(i5V@((BAA*I^RC_2Lv7C%02;NkE*0SKm zrD-FfRYE+o<}E}jL<`0x%?({h`yDa4ayJj4jWU-XFOt&8DfP$+(|~Z&Nrzpe)zG52 zL-!oFD)wE$R(K0kCv*;(@<>cJ%$ZK`?RKVyb9xle#lXbq`i!;=pB+>Efb6#t@k(0M z^gFzfpYp>6GR%TPl4(O|(DlY~1~ru^6$+AvMMN}G`Ld3sgSMLsovcafmd6uz1JD}9 zly6UB8;T+b9ML$4`fLjUv5H`0;Qwj2-sUeEfj$iNynAPubCXgkJ6vz!@l1i7N{R#b zEoo7QdYO_y(sNY>$}e$ik?sr2{`UC3EpJz!-gNx~wN=N1oi`6i>ByT$zcJp3Za>RaR&Cky zMiR;ApZU1;&f4zI9iREt3!87>eddWTaEEU%M34RbJ4?Sk&SlmUo7Z=DzOrd|;oUp0 z12!K0unJ}IFW>q4#*@!{H)k97J_x^h_W0?ur=t0{zx>p*|GD>(Tfe$)*Zcp#2-oge zdGo39i^_(JdsgAh)#n~R#I^pyZr{~@y14(;cCvEU&wo<8_}uz6p8Y`krYEsKDk}={ zb)Sdn&u;#Jb`4Hf&;9T)vDbU|z*lbY4joL2e;RCi?HBugclwq)KKR&|&Xit0lD)BE z^=o*!c>m~mXzPz&*?jHj?DwAvE`04nn|3{V;mu_)ojA5{`Ofs{nr9DvWSLw&a2_-N z`trAo7kS26+&H|OU=O3$|6}s!WBzpS@837S>BNPVdw=?|_1ISFqq*0ii$8 ssh-ed25519 jIXfPA 7Nd4K/ivG8LyRcT+XhfN8K8OmoGKUPiUacgd5H/YyCY +qHdajtgWM/ON3VHB76DhkDF0BCOhA5UtDTTiOM8Woy8 +-> ssh-ed25519 QlRB9Q 25AYqzBKePKEH4Ml+9xB+YxSvIIMY/M7Qo+LomdivHM +SQN/1T/Judvtk8TjhUxhCsJVS73bLqaih6Gn8weVjvs +-> ssh-ed25519 r+nK/Q iHlAURzupmiysH9XtEqhg+wbgYlsdLHvVyRzMsWsVmg +R6yA3bt+5E5vhIVEHxu8h3sB9FjLiUH0tp5SKzHM8Kk +-> ssh-rsa krWCLQ +BxDfl3xriUdWiihr0RtfSpJ0UtDnF1oTa3n/1w4AMPNowh+kIVRKuaWFa+sVIJMB +RZc+vdymNoUg/i3lAzlX2mo17LGEnX1jGSHtsMY7j1psS4b72i3hCvBLQ9n+kir7 +ub1CVvrsgn6SMzjQWrSNP6IsIPmYcgfJ2pG0J7oD8T6s0hnemm9ywtCmdpiVjh+O +C2DB10qgVACLWOd/Gqd7ILiqeTOlaDHjuFJ3xRoUd7jzeOnG4BZOV8mfT443MoIa +Kg/prr+MN9uf42a6iLb5avf8ZZLnrzoIyT5vJ3BFt1aUz3FX4DyZUrZmhm9pmYR9 +4YTArDtTP6X3+Rimd5rlbA +-> ssh-ed25519 /vwQcQ NkudSMrSLIE0WOE3ScJSMBKwVnuz9p3UwKGg9SPDGiY +w2rE2oO1bs0eoySeS0tT0Ic6Hji9qD7iNn0qYiwc2kU +-> ssh-ed25519 0R97PA YH3uoQ/zJR/lrvC0TuWTSig/AJYsxI7sVrEhS173i1E +DOdCOmorgGsg4hAXV0nYg9JeDmon2JY02iKq614jxUA +-> ssh-ed25519 JGx7Ng YV6RIaM6oIoajPXVDrOuLRy2897e8LUEibyLiS/gf0o +xz+guHt2N+tfIX5kvpxGDNqaez2VA8dD+QTu7fK7Pf4 +-> ssh-ed25519 5SY7Kg 4DhAsi0gqOunzEzlFFKeP3qYWos9Mc1UpVCDVQIBEws +4/duAufrk/GHSbj5tEXdL+C+2AO+Es375as+/R+6PgY +-> ssh-ed25519 p/Mg4Q +5WtmMV6ruLgQoTZpmBztrH+FS2aCKFcwuLKcweLr3s +xRIVcBt4wV2PtEhO68sJ8/FB177QAq6zoZ1Dwfg1kPo +-> ssh-ed25519 tDqJRg wWaBzLqsoPa8/0hjl4eu07dQvGFMLI3R6IrNNZzquBU +ppzkds/p5BF2dIRZERhDD3rtQNxKhlIaoxCSIf20yJQ +-> T9':1EB-grease / #'BD[s +lZHA3xsgAESG +--- uk+H++45TIOcuW3Qj4/D1S65Kw8OEb5ZHqWWIlYlSIg +u=J¾f£‹ÏtüÉíãQ²]¶Epfž ÍêOëeëd<Í…ã6 G'Æ¡a.ήշ^H¾´ñú|Lß*QN5öìþMGatʶ±§ \ No newline at end of file diff --git a/machines/compute01/secrets/dgsi-secret_key_file b/machines/compute01/secrets/dgsi-secret_key_file new file mode 100644 index 0000000..bd6e682 --- /dev/null +++ b/machines/compute01/secrets/dgsi-secret_key_file @@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY +7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k +-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI +BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4 +-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc +WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo +-> ssh-rsa krWCLQ +GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e +fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7 +j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf +MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN +tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn +gU32t9qy5EvTbzliWpAvxw +-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY +mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g +-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik +QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w +-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI +E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo +-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8 +x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s +-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA +TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE +-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM +SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU +-> `--grease N]PH +fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K +7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A +--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk +:È/ Àn ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.uŸ‰’…m3Ü&g¤(ö5 ۶Û \ No newline at end of file diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index 2ff76e4..5f7da8d 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix @@ -6,9 +6,12 @@ in lib.setDefault { inherit publicKeys; } [ "arkheon-env_file" "bupstash-put_key" + "dgsi-kanidm_auth_token_file" + "dgsi-kanidm_secret_file" + "dgsi-secret_key_file" "ds-fr-secret_file" - "grafana-smtp_password_file" "grafana-oauth_client_secret_file" + "grafana-smtp_password_file" "hedgedoc-environment_file" "librenms-database_password_file" "librenms-environment_file" diff --git a/npins/sources.json b/npins/sources.json index 644b8cb..31dafa4 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -50,6 +50,17 @@ "url": null, "hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna" }, + "dgsi": { + "type": "Git", + "repository": { + "type": "Git", + "url": "https://git.dgnum.eu/DGNum/dgsi.git" + }, + "branch": "main", + "revision": "8a46e4ddb522a145046d9a5bfc729a8e46d99f44", + "url": null, + "hash": "1blyh1xcppcb6qjaww8aw00c4nh1dl50i64bf6ampj0idx0y93qh" + }, "disko": { "type": "GitRelease", "repository": { @@ -229,9 +240,9 @@ "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs" }, "branch": "main", - "revision": "c3257569375903f94ad1af9fe8b77186bd824332", + "revision": "d1af0a922edc1ef82b023ebe1158b5c1e02b4f2d", "url": null, - "hash": "01kmivbk0ji5n7fifydq0wvlv34v1ima66r6icxrfykshh635w4p" + "hash": "1vbhprwnjn6r0wd70ymv78yry6cbz6ip06q7bl3jwp6v0lqgwmf4" }, "nixos-23.11": { "type": "Channel",