ecoppens/infrastructure
1
0
Fork 0
forked from DGNum/infrastructure
Code Pull requests Activity

Compare commits

base: ecoppens:0d7b4efbd3b232ba3b7958c7436cc225a3335dc1
Branches Tags
ecoppens:main
DGNum:npins-update
DGNum:main
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
...
compare: ecoppens:93c47f47be4ecb817b9e6f91c02cfccee833f64d
Branches Tags
ecoppens:main
DGNum:npins-update
DGNum:main
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix

80 commits
0d7b4efbd3 ... 93c47f47be

Author SHA1 Message Date
soyouzpanda
93c47f47be
fix: laptop change 2024-10-09 23:47:29 +02:00
Tom Hubrecht
47ad002f12
feat(workflows/eval): Try to build and upload in one fell swoop 2024-10-09 21:34:22 +02:00
Tom Hubrecht
6b23df6b54
feat(workflows/eval): Try to build and upload in one fell swoop 2024-10-09 21:32:38 +02:00
Tom Hubrecht
6c4099d369 feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 18:58:46 +02:00
Tom Hubrecht
53c865a335
fix(dgsi): Set to an existing version 2024-10-09 18:57:06 +02:00
Ryan Lahfa
34640d467b feat(krz01): finish ollama integration and whisper.cpp 
My sanity was used in the process.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-09 13:59:05 +02:00
Ryan Lahfa
8441992408 feat(krz01): move to unstable 
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-09 12:51:14 +02:00
Ryan Lahfa
4bedb3f497 feat(krz01): move the GPU stuff to the host for now 
We also add a K80 specific patch for ollama.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-09 09:33:57 +02:00
Ryan Lahfa
8160b2762f feat(krz01): passthrough the nVidia Tesla K80 in ml01 
This way, no need for reboot.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-09 09:33:57 +02:00
Ryan Lahfa
ebed6462f6 feat(krz01): introduce ML01 -- a machine learning VM 
I will add ollama on it later on and passthrough the GPU in there.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-09 09:33:57 +02:00
Tom Hubrecht
e200ae53a4
feat(proxmox): Revert the disabling 2024-10-08 20:59:34 +02:00
Ryan Lahfa
62b36ed124 fix(krz01): apply a correctness patch on proxmox-nixos 
To make CI happy.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-08 20:49:41 +02:00
Tom Hubrecht
9bc651db42
chore(nix-patches): Add helper function 2024-10-08 20:49:26 +02:00
Tom Hubrecht
bfe4957926
feat(patches): Generalize 2024-10-08 18:37:17 +02:00
Ryan Lahfa
3aeae4e33f feat(krz01): add basic microvm exprs 
For a router01.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-08 17:14:23 +02:00
Ryan Lahfa
4d689fee33 feat(krz01): enable proprietary drivers for nVidia 
For the Tesla K80.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-08 16:58:47 +02:00
Ryan Lahfa
862f004e3c fix(krz01): disable proxmox for now 
Until #139 is merged.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-10-08 16:40:18 +02:00
sinavir
da40fa9b3d fix(krz01): Fix root password hash 2024-10-08 16:05:19 +02:00
Tom Hubrecht
c642e98ab9
fix(cache): Make instructions and code work 2024-10-08 15:50:21 +02:00
Tom Hubrecht
fb610306ee
feat(workflows/eval): Add krz01 to the CI 2024-10-08 14:15:01 +02:00
Tom Hubrecht
37d0ca9489
chore(dgsi): Update? 2024-10-08 14:13:03 +02:00
sinavir
39f5cad75d feat(krz01): Proxmox 2024-10-08 13:59:28 +02:00
sinavir
c6588da802 fix(krz01): Use default target 2024-10-08 12:57:57 +02:00
sinavir
a194da9662 fix(krz01): Enable netbird 2024-10-08 12:51:57 +02:00
sinavir
70c69346fb feat(krz01): init 2024-10-08 12:35:59 +02:00
sinavir
bdf0e4cf7a feat(binary-cache): Add some hints on how to configure the cache 2024-10-06 23:57:57 +02:00
DGNum Chores
e4fc6a0d98
chore(npins): Update 2024-10-06 22:21:07 +02:00
Tom Hubrecht
8769d6738e
fix(cas-eleves): Remove dependency on pytest-runner 2024-10-06 18:40:48 +02:00
Tom Hubrecht
7d24e2dfc1
feat(dgsi): Update, with SAML provisional auth 2024-10-06 18:40:48 +02:00
sinavir
38231eb6e0 feat(attic): Bye bye attic 2024-10-06 18:33:04 +02:00
Tom Hubrecht
f589be422e
fix(meta): Use root@ for the proxyjump to bridge01 2024-10-03 12:57:43 +02:00
sinavir
e70d0be931 chore(garage): update 2024-10-02 19:20:17 +02:00
Tom Hubrecht
14ad93aed9
chore(dgsi): Update 2024-09-30 20:24:10 +02:00
sinavir
53379c88de feat(pub.dgnum.eu): Add a redirect toward instagram 2024-09-30 20:17:20 +02:00
sinavir
626577e2bc feat(redirections): Make it more flexible to allow temporary redirects 2024-09-30 20:17:20 +02:00
sinavir
1e85547490 fix(ci): Push vault01 to cache too 2024-09-30 20:07:08 +02:00
sinavir
44fefd6327 fix(stateless-uptime-kuma): Update to get the periodic refresh 2024-09-29 17:23:10 +02:00
Tom Hubrecht
e12b8454fe
chore(dgsi): Update 2024-09-27 13:23:55 +02:00
Tom Hubrecht
f18fb56876
chore(dgsi): Update 2024-09-26 23:18:52 +02:00
Tom Hubrecht
176cff5e6d
feat(dgsi): Update source and settings 2024-09-26 15:23:43 +02:00
Tom Hubrecht
681155318b
fix(nextcloud): Don't use fast_shutdown 2024-09-26 14:05:40 +02:00
sinavir
5c8db3544c chore(ci): Make the CI happy 2024-09-26 13:45:06 +02:00
Tom Hubrecht
bdeb55f9ec
feat(dgsi): Make it work 2024-09-25 13:57:55 +02:00
Tom Hubrecht
2b75890752
feat(compute01): Deploy dgsi 2024-09-24 20:54:51 +02:00
Tom Hubrecht
dd5c0c79f7
feat(meta): Prepare for dgsi deployment 2024-09-24 20:54:30 +02:00
sinavir
05f7be1983 fix(tvix-cache): Update the cache to a working version 2024-09-23 00:40:06 +02:00
sinavir
89d219fe8a feat(garage): Add hackens website 2024-09-22 00:52:04 +02:00
sinavir
9e7215b5b8 feat(hermes): Bridge more channels 2024-09-22 00:51:36 +02:00
Ryan Lahfa
6b30a95fbb feat(dgn-chatops): !pm shorthand for !probe_meet 
Bumped minor version of Takumi for non-breaking changes.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-09-21 00:52:13 +02:00
Ryan Lahfa
1c6124f376 feat(dgn-chatops): Takumi v1.0.0 
Can schedule meet.dgnum.eu in the chat upon demand.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-09-21 00:24:38 +02:00
Tom Hubrecht
4a275fd07e
fix(dns): Update to correct dns.nix version 2024-09-20 23:37:01 +02:00
Tom Hubrecht
6f41443cf5
chore(pre-commit): Update the list of ignored files 2024-09-20 23:37:01 +02:00
Tom Hubrecht
dcb0c3591e
feat(iso): Use latest kernel, and support bcachefs at installation 2024-09-20 23:37:01 +02:00
Ryan Lahfa
859418b377 feat(chatops): init takumi 
Takumi means "artisan" (in the sense of "master") in Japanese. It's an
accurate and efficient ChatOps for day-to-day operations of DGNum.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-09-20 21:50:15 +02:00
Tom Hubrecht
f791ba15a4
chore(metis): Update 2024-09-18 14:23:28 +02:00
sinavir
f6253021d7 feat(nuit website): migrate to s3 2024-09-18 14:21:13 +02:00
Tom Hubrecht
bc75d78a22
feat(shell): Add lon 2024-09-12 20:16:20 +02:00
Tom Hubrecht
69af2c4640
chore(shell): Remove disko 2024-09-12 20:14:35 +02:00
Tom Hubrecht
9174965f28
feat(pre-commit): Switch to pre-push stage for linters 2024-09-12 20:14:16 +02:00
Tom Hubrecht
99825b89ca
fix(stirling-pdf): Make it build again 2024-09-10 22:41:25 +02:00
Tom Hubrecht
3014fb79dc
fix(shell): No need to patch git-hooks anymore 2024-09-10 21:11:53 +02:00
DGNum Chores
06285b9108
chore(npins): Update 2024-09-10 21:11:03 +02:00
Julien Malka
dea475cea9 chore(shell): add agenix 2024-09-10 20:12:24 +02:00
Ryan Lahfa
595407c13b feat(ISP): enable SNAT on 5C:64:8E:F4:09:06 
For testing purposes.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-09-08 12:32:56 +02:00
catvayor
3b766e6a2b feat(ulogd): enabling ulogd 2024-09-08 12:21:08 +02:00
catvayor
b8601b0782 feat(nat): desactivating on vlan-apro 2024-09-07 16:09:01 +02:00
sinavir
7885442381 fix(web01): Update calendar 2024-09-04 16:21:26 +02:00
Tom Hubrecht
605f7beda2
fix(uptime-kuma): Don't try to get the radius endpoint 2024-09-01 23:34:07 +02:00
Tom Hubrecht
fe9c71f37e
fix(reaction): Use the correct netbird space 2024-09-01 23:33:34 +02:00
Tom Hubrecht
fd0aeacff4
feat(firewall): Sunset fail2ban and switch to reaction 2024-09-01 22:51:56 +02:00
Tom Hubrecht
86c1018dc8
fix(web01): Add a redirection from bds.ens.fr/gestion2 to its new location 2024-09-01 15:48:35 +02:00
Tom Hubrecht
8a42e18d98
feat(k-radius): Use LE certificates instead of self-signed ones 2024-09-01 15:40:59 +02:00
Ryan Lahfa
3ca3ff8939 feat(radius): add AP secret for RADIUS auth requests 
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-08-31 22:38:35 +02:00
Tom Hubrecht
16f47ce227
feat(wordpress): Finish the migration of the BDS website 2024-08-31 00:36:19 +02:00
Tom Hubrecht
f5cc186ea1
feat(web01): Decomissionate kahulm 2024-08-30 18:44:58 +02:00
Tom Hubrecht
ad7eb40e51
fix(dns): Always end with a . ... 2024-08-30 10:13:33 +02:00
Tom Hubrecht
ccaa999adc
feat(wordpress): Prepare the migration 2024-08-30 10:08:12 +02:00
Tom Hubrecht
359d839ad4
feat(dns): Add BDS redirection 2024-08-30 10:08:12 +02:00
sinavir
b4b2cf3836 feat(metis): Update to add "Rentrée" 2024-08-28 16:55:23 +02:00
Ryan Lahfa
cbc5dea62b fix(kahulm): use non-gitrelease type for source 
And bump it to the latest main branch.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
 2024-08-19 09:34:55 +02:00
124 changed files with 3702 additions and 1669 deletions
Show stats Expand all files Collapse all files

40
.forgejo/workflows/eval.yaml
View file

@ -99,6 +99,25 @@ jobs:
# Enter the shell
nix-shell --run 'colmena build --on bridge01'
build_and_cache_krz01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "krz01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_krz01
path: paths.txt
push_to_cache_compute01:
runs-on: nix
needs:
@ -204,6 +223,27 @@ jobs:
name: outputs_geo02
path: uploaded.txt
push_to_cache_vault01:
runs-on: nix
needs:
- build_vault01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "vault01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: uploaded.txt
push_to_cache_web01:
runs-on: nix
needs:

2
.forgejo/workflows/lint.yaml
View file

@ -8,4 +8,4 @@ jobs:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

25
README.md
View file

@ -9,6 +9,21 @@ You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Using the binary cache
Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
```
{ lib, ... }:
let
dgnum-infra = PINNED_PATH_TO_INFRA;
in {
nix.settings = (import dgnum-infra { }).mkCacheSettings {
caches = [ "infra" ];
};
}
```
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
@ -19,7 +34,7 @@ The second step is to find a name for this host, it must be unique from the othe
## Download the keys
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
@ -76,11 +91,9 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
(import ../../../keys).mkSecrets [ "host02" ] [
# List of secrets for host02
]
```
This will be used for future secret management.

56
default.nix
View file

@ -41,33 +41,32 @@
}:
let
git-checks =
(import (
pkgs.applyPatches {
name = "git-hooks.nix";
src = builtins.storePath sources.git-hooks;
patches = [ ./patches/00-git-hooks-nixfmt.patch ];
}
)).run
{
src = ./.;
git-checks = (import (builtins.storePath sources.git-hooks)).run {
src = ./.;
hooks = {
# Nix Hooks
statix.enable = true;
deadnix.enable = true;
rfc101 = {
enable = true;
name = "RFC-101 formatting";
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
files = "\\.nix$";
};
# Misc Hooks
commitizen.enable = true;
};
hooks = {
statix = {
enable = true;
stages = [ "pre-push" ];
settings.ignore = [
"**/lon.nix"
"**/npins"
];
};
deadnix = {
enable = true;
stages = [ "pre-push" ];
};
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
};
commitizen.enable = true;
};
};
in
{
@ -77,6 +76,8 @@ in
dns = import ./meta/dns.nix;
mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
shells = {
default = pkgs.mkShell {
name = "dgnum-infra";
@ -86,11 +87,12 @@ in
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
}))
pkgs.attic-client
pkgs.npins
(pkgs.callPackage (sources.disko + "/package.nix") { })
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (import ./scripts { inherit pkgs; });
shellHook = ''

40
hive.nix
View file

@ -1,24 +1,25 @@
let
sources = import ./npins;
sources' = import ./npins;
lib = import (sources.nix-lib + "/src/trivial.nix");
# Patch sources directly
sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
.applyPatches' sources';
patch = import sources.nix-patches { patchFile = ./patches; };
nix-lib = import ./lib/nix-lib;
patch = import ./lib/nix-patches { patchFile = ./patches; };
nodes' = import ./meta/nodes.nix;
nodes = builtins.attrNames nodes';
mkNode = node: {
# Import the base configuration for each node
imports = builtins.map (lib.mkRel (./machines/${node})) [
"_configuration.nix"
"_hardware-configuration.nix"
];
imports = [ ./machines/${node}/_configuration.nix ];
};
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated
nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
@ -27,12 +28,9 @@ let
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
let
version = "nixos-${v}";
in
patch.mkNixpkgsSrc {
src = sources.${version};
inherit version;
patch.mkNixpkgsSrc rec {
src = sources'.${name};
name = "nixos-${v}";
};
# Instanciates the required nixpkgs version
@ -42,10 +40,8 @@ let
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = import sources.nix-lib {
inherit (nixpkgs.${version node}) lib;
keysRoot = ./keys;
lib = nixpkgs.${version node}.lib // {
extra = nix-lib;
};
meta = (import ./meta) lib;
@ -56,13 +52,15 @@ in
{
meta = {
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
specialArgs = {
inherit nixpkgs sources;
dgn-keys = import ./keys;
};
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
};
defaults =
@ -112,4 +110,4 @@ in
};
};
}
// (lib.mapSingleFuse mkNode nodes)
// (nix-lib.mapSingleFuse mkNode nodes)

9
iso/configuration.nix
View file

@ -1,7 +1,7 @@
{ lib, pkgs, ... }:
let
dgn-lib = import ../lib { };
dgn-keys = import ../keys;
dgn-members = (import ../meta lib).organization.groups.root;
in
@ -11,7 +11,7 @@ in
boot = {
blacklistedKernelModules = [ "snd_pcsp" ];
kernelPackages = pkgs.linuxPackages_6_1;
kernelPackages = pkgs.linuxPackages_latest;
tmp.cleanOnBoot = true;
loader = {
@ -22,6 +22,7 @@ in
supportedFilesystems = [
"exfat"
"zfs"
"bcachefs"
];
swraid.enable = lib.mkForce false;
@ -33,7 +34,5 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
}

1
keys/catvayor.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor

80
keys/default.nix Normal file
View file

@ -0,0 +1,80 @@
let
_sources = import ../npins;
meta = import ../meta (import _sources.nixpkgs { }).lib;
getAttr = flip builtins.getAttr;
inherit (import ../lib/nix-lib) flip setDefault unique;
in
rec {
# WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
# If not, you will face an angry maintainer
_keys = {
# SSH keys of the nodes
bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
# SSH keys of the DGNum members
catvayor = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
];
ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
gdd = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
];
jemagius = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
];
luj = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
];
mdebray = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
];
raito = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
];
thubrecht = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
];
};
getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
mkSecrets =
nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
getNodeKeys' =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ node ]
) meta.nodes.${node}.adminGroups;
in
unique (getKeys names);
getNodeKeys = node: rootKeys ++ getNodeKeys' node;
# List of keys for the root group
rootKeys = getKeys meta.organization.groups.root;
# List of 'machine' keys
machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
}

1
keys/ecoppens.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA

2
keys/gdd.keys
View file

@ -1,2 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

2
keys/jemagius.keys
View file

@ -1,2 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=

2
keys/luj.keys
View file

@ -1,2 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

1
keys/machines/bridge01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7

1
keys/machines/compute01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu

1
keys/machines/geo01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4

1
keys/machines/geo02.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket

1
keys/machines/rescue01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf

1
keys/machines/storage01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ

1
keys/machines/vault01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW

1
keys/machines/web01.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5

1
keys/machines/web02.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX

1
keys/mdebray.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris

3
keys/raito.keys
View file

@ -1,3 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

3
keys/thubrecht.keys
View file

@ -1,3 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn

33
lib/default.nix
View file

@ -1,33 +0,0 @@
_:
let
sources = import ../npins;
lib = import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
keysRoot = ../keys;
};
meta = import ../meta lib;
inherit (lib.extra) getAllKeys;
in
lib.extra
// rec {
# Get publickeys associated to a node
getNodeKeys =
node:
let
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (getAllKeys names);
rootKeys = getAllKeys meta.organization.groups.root;
machineKeys =
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
}

197
lib/nix-lib/default.nix Normal file
View file

@ -0,0 +1,197 @@
# Copyright Tom Hubrecht, (2023)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
let
# Reimplement optional functions
_optional =
default: b: value:
if b then value else default;
in
rec {
inherit (import ./nixpkgs.nix)
flip
hasPrefix
recursiveUpdate
splitString
unique
;
/*
Fuses a list of attribute sets into a single attribute set.
Type: [attrs] -> attrs
Example:
x = [ { a = 1; } { b = 2; } ]
fuseAttrs x
=> { a = 1; b = 2; }
*/
fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
/*
Applies a function to `attrsList` before fusing the resulting list
of attribute sets.
Type: ('a -> attrs) -> ['a] -> attrs
Example:
x = [ "to" "ta" "ti" ]
f = s: { ${s} = s + s; }
mapFuse f x
=> { to = "toto"; ta = "tata"; ti = "titi"; }
*/
mapFuse =
# 'a -> attrs
f:
# ['a]
attrsList:
fuseAttrs (builtins.map f attrsList);
/*
Equivalent of lib.singleton but for an attribute set.
Type: str -> 'a -> attrs
Example:
singleAttr "a" 1
=> { a = 1; }
*/
singleAttr = name: value: { ${name} = value; };
# Enables a list of modules.
enableAttrs' =
enable:
mapFuse (m: {
${m}.${enable} = true;
});
enableModules = enableAttrs' "enable";
/*
Create an attribute set from a list of values, mapping those
values through the function `f`.
Example:
mapSingleFuse (x: "val-${x}") [ "a" "b" ]
=> { a = "val-a"; b = "val-b" }
*/
mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
/*
Creates a relative path as a string
Type: path -> str -> path
Example:
mkRel /home/test/ "file.txt"
=> "/home/test/file.txt"
*/
mkRel = path: file: path + "/${file}";
setDefault =
default:
mapFuse (name: {
${name} = default;
});
mkBaseSecrets =
root:
mapFuse (secret: {
${secret}.file = mkRel root secret;
});
getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
subAttr = attrs: name: attrs.${name};
subAttrs = attrs: builtins.map (subAttr attrs);
optionalList = _optional [ ];
optionalAttrs = _optional { };
optionalString = _optional "";
/*
Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
sets together.
Type: [attrs] -> attrs
*/
recursiveFuse = builtins.foldl' recursiveUpdate { };
mkImport =
root: file:
let
path = mkRel root file;
in
path + (optionalString (!(builtins.pathExists path)) ".nix");
mkImports = root: builtins.map (mkImport root);
/*
Creates a confugiration by merging enabled modules,
services and extraConfig.
Example:
mkConfig {
enabledModules = [ "ht-defaults" ];
enabledServices = [ "toto" ];
extraConfig = { services.nginx.enable = true; };
root = ./.;
}
=>
{
imports = [ ./toto ];
ht-defaults.enable = true;
services.nginx.enable = true;
}
*/
mkConfig =
{
# List of modules to enable with `enableModules`
enabledModules,
# List of services to import
enabledServices,
# Extra configuration, defaults to `{ }`
extraConfig ? { },
# Path relative to which the enabled services will be imported
root,
}:
recursiveFuse [
(enableModules enabledModules)
{ imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
extraConfig
];
}

416
lib/nix-lib/nixpkgs.nix Normal file
View file

@ -0,0 +1,416 @@
###
# Collection of nixpkgs library functions, those are necessary for defining our own lib
#
# They have been simplified and builtins are used in some places, instead of lib shims.
rec {
/**
Does the same as the update operator '//' except that attributes are
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is satisfied, the value of the first attribute set is
replaced by the value of the second attribute set.
# Inputs
`pred`
: Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdateUntil` usage example
```nix
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
# first attribute set
foo.bar = 1;
foo.baz = 2;
bar = 3;
} {
#second attribute set
foo.bar = 1;
foo.quz = 2;
baz = 4;
}
=> {
foo.bar = 1; # 'foo.*' from the second set
foo.quz = 2; #
bar = 3; # 'bar' from the first set
baz = 4; # 'baz' from the second set
}
```
:::
*/
recursiveUpdateUntil =
pred: lhs: rhs:
let
f =
attrPath:
builtins.zipAttrsWith (
n: values:
let
here = attrPath ++ [ n ];
in
if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
builtins.head values
else
f here values
);
in
f [ ] [
rhs
lhs
];
/**
A recursive variant of the update operator //. The recursion
stops when one of the attribute values is not an attribute set,
in which case the right hand side value takes precedence over the
left hand side value.
# Inputs
`lhs`
: Left attribute set of the merge.
`rhs`
: Right attribute set of the merge.
# Type
```
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
```
# Examples
:::{.example}
## `lib.attrsets.recursiveUpdate` usage example
```nix
recursiveUpdate {
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/hda";
} {
boot.loader.grub.device = "";
}
returns: {
boot.loader.grub.enable = true;
boot.loader.grub.device = "";
}
```
:::
*/
recursiveUpdate =
lhs: rhs:
recursiveUpdateUntil (
_: lhs: rhs:
!(builtins.isAttrs lhs && builtins.isAttrs rhs)
) lhs rhs;
/**
Determine whether a string has given prefix.
# Inputs
`pref`
: Prefix to check for
`str`
: Input string
# Type
```
hasPrefix :: string -> string -> bool
```
# Examples
:::{.example}
## `lib.strings.hasPrefix` usage example
```nix
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false
```
:::
*/
hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
/**
Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
# Inputs
`list`
: 1\. Function argument
`string`
: 2\. Function argument
# Type
```
escape :: [string] -> string -> string
```
# Examples
:::{.example}
## `lib.strings.escape` usage example
```nix
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"
```
:::
*/
escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
/**
Convert a string `s` to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a
general purpose programming language. Complex string manipulations
should, if appropriate, be done in a derivation.
Also note that Nix treats strings as a list of bytes and thus doesn't
handle unicode.
# Inputs
`s`
: 1\. Function argument
# Type
```
stringToCharacters :: string -> [string]
```
# Examples
:::{.example}
## `lib.strings.stringToCharacters` usage example
```nix
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
```
:::
*/
stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
/**
Turn a string `s` into an exact regular expression
# Inputs
`s`
: 1\. Function argument
# Type
```
escapeRegex :: string -> string
```
# Examples
:::{.example}
## `lib.strings.escapeRegex` usage example
```nix
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"
```
:::
*/
escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
/**
Appends string context from string like object `src` to `target`.
:::{.warning}
This is an implementation
detail of Nix and should be used carefully.
:::
Strings in Nix carry an invisible `context` which is a list of strings
representing store paths. If the string is later used in a derivation
attribute, the derivation will properly populate the inputDrvs and
inputSrcs.
# Inputs
`src`
: The string to take the context from. If the argument is not a string,
it will be implicitly converted to a string.
`target`
: The string to append the context to. If the argument is not a string,
it will be implicitly converted to a string.
# Type
```
addContextFrom :: string -> string -> string
```
# Examples
:::{.example}
## `lib.strings.addContextFrom` usage example
```nix
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"
```
The context can be displayed using the `toString` function:
```nix
nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
"/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}
```
:::
*/
addContextFrom = src: target: builtins.substring 0 0 src + target;
/**
Cut a string with a separator and produces a list of strings which
were separated by this separator.
# Inputs
`sep`
: 1\. Function argument
`s`
: 2\. Function argument
# Type
```
splitString :: string -> string -> [string]
```
# Examples
:::{.example}
## `lib.strings.splitString` usage example
```nix
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]
```
:::
*/
splitString =
sep: s:
let
splits = builtins.filter builtins.isString (
builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
);
in
builtins.map (addContextFrom s) splits;
/**
Remove duplicate elements from the `list`. O(n^2) complexity.
# Inputs
`list`
: Input list
# Type
```
unique :: [a] -> [a]
```
# Examples
:::{.example}
## `lib.lists.unique` usage example
```nix
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]
```
:::
*/
unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
/**
Flip the order of the arguments of a binary function.
# Inputs
`f`
: 1\. Function argument
`a`
: 2\. Function argument
`b`
: 3\. Function argument
# Type
```
flip :: (a -> b -> c) -> (b -> a -> c)
```
# Examples
:::{.example}
## `lib.trivial.flip` usage example
```nix
flip concat [1] [2]
=> [ 2 1 ]
```
:::
*/
flip =
f: a: b:
f b a;
}

110
lib/nix-patches/default.nix Normal file
View file

@ -0,0 +1,110 @@
# Copyright Tom Hubrecht, (2023-2024)
#
# Tom Hubrecht <tom@hubrecht.ovh>
#
# This software is governed by the CeCILL license under French law and
# abiding by the rules of distribution of free software. You can use,
# modify and/ or redistribute the software under the terms of the CeCILL
# license as circulated by CEA, CNRS and INRIA at the following URL
# "http://www.cecill.info".
#
# As a counterpart to the access to the source code and rights to copy,
# modify and redistribute granted by the license, users are provided only
# with a limited warranty and the software's author, the holder of the
# economic rights, and the successive licensors have only limited
# liability.
#
# In this respect, the user's attention is drawn to the risks associated
# with loading, using, modifying and/or developing or reproducing the
# software by the user in light of its specific status of free software,
# that may mean that it is complicated to manipulate, and that also
# therefore means that it is reserved for developers and experienced
# professionals having in-depth computer knowledge. Users are therefore
# encouraged to load and test the software's suitability as regards their
# requirements in conditions enabling the security of their systems and/or
# data to be ensured and, more generally, to use and operate it in the
# same conditions as regards security.
#
# The fact that you are presently reading this means that you have had
# knowledge of the CeCILL license and that you accept its terms.
{
patchFile,
excludeGitHubManual ? true,
fetchers ? { },
}:
rec {
base =
{ pkgs }:
rec {
mkUrlPatch =
attrs:
pkgs.fetchpatch (
{
hash = pkgs.lib.fakeHash;
}
// attrs
// (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
})
);
mkGitHubPatch =
{ id, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "id" ])
// {
url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
}
);
mkCommitPatch =
{ sha, ... }@attrs:
mkUrlPatch (
(builtins.removeAttrs attrs [ "sha" ])
// {
url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
}
);
patchFunctions = {
commit = mkCommitPatch;
github = mkGitHubPatch;
remote = pkgs.fetchpatch;
static = attrs: attrs.path;
url = mkUrlPatch;
} // fetchers;
mkPatch =
{
_type ? "github",
...
}@attrs:
if builtins.hasAttr _type patchFunctions then
patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
else
throw "Unknown patch type: ${builtins.toString _type}.";
mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
applyPatches =
{
src,
name,
patches ? mkPatches name,
}:
if patches == [ ] then
src
else
pkgs.applyPatches {
inherit patches src;
name = "${name}-patched";
};
applyPatches' = name: src: applyPatches { inherit name src; };
};
mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
}

8
machines/bridge01/secrets/secrets.nix
View file

@ -1,5 +1,3 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
(import ../../../keys).mkSecrets [ "bridg01" ] [
# List of secrets for bridge01
]

17
machines/compute01/_configuration.nix
View file

@ -1,17 +1,19 @@
{ lib, ... }:
lib.extra.mkConfig {
# List of modules to enable
enabledModules = [
# List of modules to enable
# INFO: This list needs to stay sorted alphabetically
"dgn-backups"
"dgn-fail2ban"
"dgn-chatops"
"dgn-web"
];
# List of services to enable
enabledServices = [
# List of services to enable
# INFO: This list needs to stay sorted alphabetically
"arkheon"
"signal-irc-bridge"
"dgsi"
"ds-fr"
"grafana"
"hedgedoc"
@ -24,19 +26,16 @@ lib.extra.mkConfig {
"postgresql"
"rstudio-server"
"satosa"
"signal-irc-bridge"
"signald"
"stirling-pdf"
"takumi"
"telegraf"
"vaultwarden"
"zammad"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
dgn-hardware.useZfs = true;
services.netbird.enable = true;

222
machines/compute01/dgsi/default.nix Normal file
View file

@ -0,0 +1,222 @@
{
config,
lib,
pkgs,
utils,
sources,
...
}:
let
inherit (lib) toLower;
python =
let
python3 = pkgs.python312;
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
in
python3.override {
packageOverrides = _: _: {
inherit (nix-pkgs)
django-allauth
django-allauth-cas
django-browser-reload
django-bulma-forms
django-sass-processor
django-sass-processor-dart-sass
django-unfold
pykanidm
python-cas
loadcredential
xlwt
;
};
};
pythonEnv = python.withPackages (
ps:
[
ps.django
ps.gunicorn
ps.psycopg
ps.django-compressor
ps.django-import-export
# Local packages
ps.django-allauth
ps.django-allauth-cas
ps.django-browser-reload
ps.django-bulma-forms
ps.django-sass-processor
ps.django-sass-processor-dart-sass
ps.django-unfold
ps.loadcredential
ps.pykanidm
ps.python-cas
]
++ ps.django-allauth.optional-dependencies.saml
);
staticDrv = pkgs.stdenv.mkDerivation {
name = "dgsi-static";
src = sources.dgsi;
sourceRoot = "source/src";
nativeBuildInputs = [
pkgs.dart-sass
pythonEnv
];
configurePhase = ''
export DGSI_STATIC_ROOT=$out/static
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
export DGSI_KANIDM_CLIENT="dgsi_test"
export DGSI_KANIDM_AUTH_TOKEN="fake.token"
export DGSI_X509_KEY=""
export DGSI_X509_CERT=""
'';
doBuild = false;
installPhase = ''
mkdir -p $out/static
python3 manage.py compilescss
python3 manage.py collectstatic
'';
};
in
{
users = {
users.nginx.extraGroups = [ "django-apps" ];
groups.django-apps = { };
};
systemd = {
services = {
dj-dgsi = {
description = "DGSI web app";
requires = [ "dj-dgsi.socket" ];
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"postgresql.service"
];
serviceConfig = {
DynamicUser = true;
LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
"EMAIL_HOST_PASSWORD"
"KANIDM_AUTH_TOKEN"
"KANIDM_SECRET"
"SECRET_KEY"
"X509_CERT"
"X509_KEY"
];
RuntimeDirectory = "django-apps/dgsi";
StateDirectory = "django-apps/dgsi";
UMask = "0027";
User = "dj-dgsi";
Group = "django-apps";
WorkingDirectory = sources.dgsi;
ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
KillMode = "mixed";
Type = "notify";
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe' pythonEnv "gunicorn")
"--workers"
4
"--bind"
"unix:/run/django-apps/dgsi.sock"
"--pythonpath"
"src"
"app.wsgi"
];
};
environment = {
DGSI_ALLOWED_HOSTS = builtins.toJSON [
"profil.dgnum.eu"
"dgsi.dgnum.eu"
];
DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
DGSI_EMAIL_USE_SSL = builtins.toJSON true;
DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
DGSI_KANIDM_CLIENT = "dgsi";
DGSI_KANIDM_URI = "https://sso.dgnum.eu";
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
DGSI_STATIC_ROOT = "${staticDrv}/static";
DGSI_DATABASES = builtins.toJSON {
default = {
ENGINE = "django.db.backends.postgresql";
NAME = "dj-dgsi";
};
};
DJANGO_SETTINGS_MODULE = "app.settings";
};
path = [ pythonEnv ];
preStart = ''
python3 src/manage.py migrate --no-input
'';
};
};
sockets."dj-dgsi" = {
description = "Socket for the DGSI Django Application";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = "/run/django-apps/dgsi.sock";
SocketMode = "600";
SocketUser = config.services.nginx.user;
};
};
mounts = [
{
where = "/run/django-apps/dgsi/media";
what = "/var/lib/django-apps/dgsi/media";
options = "bind";
after = [ "dj-dgsi.service" ];
partOf = [ "dj-dgsi.service" ];
upheldBy = [ "dj-dgsi.service" ];
}
];
};
dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
services = {
postgresql = {
ensureDatabases = [ "dj-dgsi" ];
ensureUsers = [
{
name = "dj-dgsi";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."profil.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
"/static/".root = staticDrv;
"/media/".root = "/run/django-apps/dgsi";
};
};
};
}

7
machines/compute01/kanidm/secrets/secrets.nix
View file

@ -1,9 +1,4 @@
let
lib = import ../../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
(import ../../../../keys).mkSecrets [ "compute01" ] [
"kanidm-password_admin"
"kanidm-password_idm_admin"
]

2
machines/compute01/nextcloud.nix
View file

@ -55,7 +55,7 @@ in
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"opcache.fast_shutdown" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
};

28
machines/compute01/secrets/dgsi-email_host_password_file Normal file
View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
<EFBFBD><20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ

BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file Normal file
View file

Binary file not shown.

30
machines/compute01/secrets/dgsi-kanidm_secret_file Normal file
View file

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
-> ssh-rsa krWCLQ
QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
cS3kE9LfNst2zBKHBGBOHQ
-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
-> l$R6Y:c1-grease
MY0HS+ErZAtAhg
--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H˜Èî¼¼2'k4Ž¥zÿqȦì'ÍNò!{@qxÎ,ƒ+iTû

31
machines/compute01/secrets/dgsi-secret_key_file Normal file
View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
-> ssh-rsa krWCLQ
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
gU32t9qy5EvTbzliWpAvxw
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
-> `--grease N]PH
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
:È/ Àn ž±Ý§¦p=fu²hãT¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰…m3Ü&<26>g¤(ö<>5 Û¶Ã

BIN
machines/compute01/secrets/dgsi-x509_cert_file Normal file
View file

Binary file not shown.

BIN
machines/compute01/secrets/dgsi-x509_key_file Normal file
View file

Binary file not shown.

16
machines/compute01/secrets/secrets.nix
View file

@ -1,14 +1,16 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "compute01";
in
lib.setDefault { inherit publicKeys; } [
(import ../../../keys).mkSecrets [ "compute01" ] [
# List of secrets for compute01
"arkheon-env_file"
"bupstash-put_key"
"dgsi-email_host_password_file"
"dgsi-kanidm_auth_token_file"
"dgsi-kanidm_secret_file"
"dgsi-secret_key_file"
"dgsi-x509_cert_file"
"dgsi-x509_key_file"
"ds-fr-secret_file"
"grafana-smtp_password_file"
"grafana-oauth_client_secret_file"
"grafana-smtp_password_file"
"hedgedoc-environment_file"
"librenms-database_password_file"
"librenms-environment_file"

BIN
machines/compute01/secrets/signal-irc-bridge-config
View file

Binary file not shown.

44
machines/compute01/stirling-pdf/default.nix
View file

@ -1,42 +1,24 @@
{ pkgs, nixpkgs, ... }:
{ nixpkgs, ... }:
let
dgn-id = "5891e1bbda792e0546f8d785cdd4d3f570a01579";
###
# How to update:
# - clone https://git.dgnum.eu/DGNum/Stirling-PDF
# - switch to the branch dgn-v0.X.Y where X.Y is the version in production
# - fetch upstream changes up to the tagged release in nixos-unstable
# - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
# - push to a new branch dgn-v0.A.B where A.B is the new version
# - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
in
{
services.stirling-pdf = {
enable = true;
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: rec {
version = "0.26.1";
src = pkgs.fetchFromGitHub {
owner = "Stirling-Tools";
repo = "Stirling-PDF";
rev = "v${version}";
hash = "sha256-msxP2n8Varc7/h9RVwYRBuD253JZu6/p7zQC1lmNmqc=";
};
deps = old.deps.overrideAttrs (_: {
patches = [
./01-spotless.patch
./05-java-output-test.patch
];
doCheck = false;
outputHash = "sha256-i2PJmsuJ8jqTUNwj4HoiWynaK4LlLrqjIZ67rSSYypc=";
});
patches = [
./01-spotless.patch
./02-propsfile.patch
./03-jar-timestamps.patch
(pkgs.substituteAll {
src = ./04-local-maven-deps.patch;
inherit deps;
})
./05-java-output-test.patch
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
];
});

1
machines/compute01/takumi.nix Normal file
View file

@ -0,0 +1 @@
_: { dgn-chatops.enable = true; }

8
machines/geo01/secrets/secrets.nix
View file

@ -1,5 +1,3 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo01";
in
lib.setDefault { inherit publicKeys; } [ ]
(import ../../../keys).mkSecrets [ "geo01" ] [
# List of secrets for geo01
]

8
machines/geo02/secrets/secrets.nix
View file

@ -1,5 +1,3 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "geo02";
in
lib.setDefault { inherit publicKeys; } [ ]
(import ../../../keys).mkSecrets [ "geo02" ] [
# List of secrets for geo02
]

179
machines/krz01/K80-support.patch Normal file
View file

@ -0,0 +1,179 @@
From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Tue, 8 Oct 2024 18:27:41 +0200
Subject: [PATCH] K80 support
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
docs/development.md | 6 +++-
docs/gpu.md | 1 +
gpu/amd_linux.go | 6 +++-
gpu/gpu.go | 63 ++++++++++++++++++++++++++++++++++++-----
scripts/build_docker.sh | 2 +-
scripts/build_linux.sh | 2 +-
6 files changed, 69 insertions(+), 11 deletions(-)
diff --git a/docs/development.md b/docs/development.md
index 2f7b9ecf..9da35931 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
or installation approach uses unusual paths, you can specify the location by
specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
-a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
+a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
+
+To support GPUs older than Compute Capability 5.0, you will need to use an older version of
+the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11). When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`. To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
+
Then generate dependencies:
diff --git a/docs/gpu.md b/docs/gpu.md
index a6b559f0..66627611 100644
--- a/docs/gpu.md
+++ b/docs/gpu.md
@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
| 5.0 | GeForce GTX | `GTX 750 Ti` `GTX 750` `NVS 810` |
| | Quadro | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M` |
+For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
### GPU Selection
diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
index 6b08ac2e..768fb97a 100644
--- a/gpu/amd_linux.go
+++ b/gpu/amd_linux.go
@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
return []GpuInfo{}
}
- if int(major) < RocmComputeMin {
+ minVer, err := strconv.Atoi(RocmComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
+ }
+ if int(major) < minVer {
slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
continue
}
diff --git a/gpu/gpu.go b/gpu/gpu.go
index 781e23df..60d68c33 100644
--- a/gpu/gpu.go
+++ b/gpu/gpu.go
@@ -16,6 +16,7 @@ import (
"os"
"path/filepath"
"runtime"
+ "strconv"
"strings"
"sync"
"unsafe"
@@ -38,9 +39,11 @@ const (
var gpuMutex sync.Mutex
// With our current CUDA compile flags, older than 5.0 will not work properly
-var CudaComputeMin = [2]C.int{5, 0}
+// (string values used to allow ldflags overrides at build time)
+var CudaComputeMajorMin = "5"
+var CudaComputeMinorMin = "0"
-var RocmComputeMin = 9
+var RocmComputeMajorMin = "9"
// TODO find a better way to detect iGPU instead of minimum memory
const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
var memInfo C.mem_info_t
resp := []GpuInfo{}
- // NVIDIA first
- for i := 0; i < gpuHandles.deviceCount; i++ {
- // TODO once we support CPU compilation variants of GPU libraries refine this...
- if cpuVariant == "" && runtime.GOARCH == "amd64" {
- continue
+ // Load ALL libraries
+ cHandles = initCudaHandles()
+ minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
+ }
+ minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
+ if err != nil {
+ slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
+ }
+
+ // NVIDIA
+ for i := range cHandles.deviceCount {
+ if cHandles.cudart != nil || cHandles.nvcuda != nil {
+ gpuInfo := CudaGPUInfo{
+ GpuInfo: GpuInfo{
+ Library: "cuda",
+ },
+ index: i,
+ }
+ var driverMajor int
+ var driverMinor int
+ if cHandles.cudart != nil {
+ C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
+ } else {
+ C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
+ driverMajor = int(cHandles.nvcuda.driver_major)
+ driverMinor = int(cHandles.nvcuda.driver_minor)
+ }
+ if memInfo.err != nil {
+ slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
+ C.free(unsafe.Pointer(memInfo.err))
+ continue
+ }
+
+ if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
+ slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
+ continue
+ }
+ gpuInfo.TotalMemory = uint64(memInfo.total)
+ gpuInfo.FreeMemory = uint64(memInfo.free)
+ gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
+ gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
+ gpuInfo.MinimumMemory = cudaMinimumMemory
+ gpuInfo.DependencyPath = depPath
+ gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
+ gpuInfo.DriverMajor = driverMajor
+ gpuInfo.DriverMinor = driverMinor
+
+ // TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
+ cudaGPUs = append(cudaGPUs, gpuInfo)
}
gpuInfo := GpuInfo{
Library: "cuda",
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index e91c56ed..c03bc25f 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
# We use 2 different image repositories to handle combining architecture images into multiarch manifest
# (The ROCm image is x86 only and is not a multiarch manifest)
diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
index 27c4ff1f..e7e6d0dd 100755
--- a/scripts/build_linux.sh
+++ b/scripts/build_linux.sh
@@ -3,7 +3,7 @@
set -eu
export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
-export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
+export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
--
2.46.0

72
machines/krz01/_configuration.nix Normal file
View file

@ -0,0 +1,72 @@
{
config,
lib,
pkgs,
...
}:
lib.extra.mkConfig {
enabledModules = [
# INFO: This list needs to stay sorted alphabetically
];
enabledServices = [
# INFO: This list needs to stay sorted alphabetically
"microvm-router01"
"nvidia-tesla-k80"
"proxmox"
# Machine learning API machine
"microvm-ml01"
];
extraConfig = {
microvm = {
host.enable = true;
};
dgn-hardware = {
useZfs = true;
zfsPools = [
"dpool"
"ppool0"
];
};
services.netbird.enable = true;
# We are going to use CUDA here.
nixpkgs.config.cudaSupport = true;
hardware.graphics.enable = true;
environment.systemPackages = [
((pkgs.openai-whisper-cpp.override { cudaPackages = pkgs.cudaPackages_11; }).overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "ggerganov";
repo = "whisper.cpp";
rev = "v1.7.1";
hash = "sha256-EDFUVjud79ZRCzGbOh9L9NcXfN3ikvsqkVSOME9F9oo=";
};
env = {
WHISPER_CUBLAS = "";
GGML_CUDA = "1";
};
# We only need Compute Capability 3.7.
CUDA_ARCH_FLAGS = [ "sm_37" ];
# We are GPU-only anyway.
patches = (old.patches or [ ]) ++ [
./no-weird-microarch.patch
./all-nvcc-arch.patch
];
}))
];
services.ollama = {
enable = true;
package = pkgs.callPackage ./ollama.nix {
cudaPackages = pkgs.cudaPackages_11;
# We need to thread our nvidia x11 driver for CUDA.
extraLibraries = [ config.hardware.nvidia.package ];
};
};
users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
};
root = ./.;
}

50
machines/krz01/_hardware-configuration.nix Normal file
View file

@ -0,0 +1,50 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
fsType = "ext4";
};
boot.initrd.luks.devices."mainfs" = {
device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
keyFileSize = 1;
keyFile = "/dev/zero";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/280C-8844";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

26
machines/krz01/all-nvcc-arch.patch Normal file
View file

@ -0,0 +1,26 @@
From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:37:08 +0200
Subject: [PATCH] fix: sm_37 for nvcc
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2ccb750..70dfd9b 100644
--- a/Makefile
+++ b/Makefile
@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
ifdef CUDA_DOCKER_ARCH
MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
else ifndef CUDA_POWER_ARCH
- MK_NVCCFLAGS += -arch=native
+ MK_NVCCFLAGS += -arch=sm_37
endif # CUDA_DOCKER_ARCH
ifdef GGML_CUDA_FORCE_DMMV
--
2.46.0

20
machines/krz01/disable-git.patch Normal file
View file

@ -0,0 +1,20 @@
diff --git c/llm/generate/gen_common.sh i/llm/generate/gen_common.sh
index 3825c155..238a74a7 100644
--- c/llm/generate/gen_common.sh
+++ i/llm/generate/gen_common.sh
@@ -69,6 +69,7 @@ git_module_setup() {
}
apply_patches() {
+ return
# apply temporary patches until fix is upstream
for patch in ../patches/*.patch; do
git -c 'user.name=nobody' -c 'user.email=<>' -C ${LLAMACPP_DIR} am ${patch}
@@ -133,6 +134,7 @@ install() {
# Keep the local tree clean after we're done with the build
cleanup() {
+ return
(cd ${LLAMACPP_DIR}/ && git checkout CMakeLists.txt)
if [ -n "$(ls -A ../patches/*.diff)" ]; then

22
machines/krz01/microvm-ml01.nix Normal file
View file

@ -0,0 +1,22 @@
_: {
microvm.autostart = [ "ml01" ];
microvm.vms.ml01 = {
config = {
networking.hostName = "ml01";
microvm = {
hypervisor = "cloud-hypervisor";
vcpu = 4;
mem = 4096;
balloonMem = 2048;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
};
}

16
machines/krz01/microvm-router01.nix Normal file
View file

@ -0,0 +1,16 @@
_: {
microvm.autostart = [ "router01" ];
microvm.vms.router01 = {
config = {
networking.hostName = "router01";
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
};
};
}

34
machines/krz01/no-weird-microarch.patch Normal file
View file

@ -0,0 +1,34 @@
From 51568b61ef63ecd97867562571411082c32751d3 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Wed, 9 Oct 2024 13:36:51 +0200
Subject: [PATCH] fix: avx & f16c in Makefile
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 32b7cbb..2ccb750 100644
--- a/Makefile
+++ b/Makefile
@@ -361,12 +361,12 @@ ifndef RISCV
ifeq ($(UNAME_M),$(filter $(UNAME_M),x86_64 i686 amd64))
# Use all CPU extensions that are available:
- MK_CFLAGS += -march=native -mtune=native
- HOST_CXXFLAGS += -march=native -mtune=native
+ # MK_CFLAGS += -march=native -mtune=native
+ # HOST_CXXFLAGS += -march=native -mtune=native
# Usage AVX-only
- #MK_CFLAGS += -mfma -mf16c -mavx
- #MK_CXXFLAGS += -mfma -mf16c -mavx
+ MK_CFLAGS += -mf16c -mavx
+ MK_CXXFLAGS += -mf16c -mavx
# Usage SSSE3-only (Not is SSE3!)
#MK_CFLAGS += -mssse3
--
2.46.0

8
machines/krz01/nvidia-tesla-k80.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, ... }:
{
nixpkgs.config.nvidia.acceptLicense = true;
# Tesla K80 is not supported by the latest driver.
hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
# Don't ask.
services.xserver.videoDrivers = [ "nvidia" ];
}

243
machines/krz01/ollama.nix Normal file
View file

@ -0,0 +1,243 @@
{
lib,
buildGoModule,
fetchFromGitHub,
buildEnv,
linkFarm,
overrideCC,
makeWrapper,
stdenv,
addDriverRunpath,
nix-update-script,
cmake,
gcc11,
clblast,
libdrm,
rocmPackages,
cudaPackages,
darwin,
autoAddDriverRunpath,
extraLibraries ? [ ],
nixosTests,
testers,
ollama,
ollama-rocm,
ollama-cuda,
config,
# one of `[ null false "rocm" "cuda" ]`
acceleration ? null,
}:
assert builtins.elem acceleration [
null
false
"rocm"
"cuda"
];
let
pname = "ollama";
version = "2024-09-10-cc35";
src = fetchFromGitHub {
owner = "aliotard";
repo = "ollama";
rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
fetchSubmodules = true;
};
vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
"both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
"but they are mutually exclusive; falling back to cpu"
]) (!(config.rocmSupport && config.cudaSupport));
shouldEnable =
mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
rocmRequested = shouldEnable "rocm" config.rocmSupport;
cudaRequested = shouldEnable "cuda" config.cudaSupport;
enableRocm = rocmRequested && stdenv.isLinux;
enableCuda = cudaRequested && stdenv.isLinux;
rocmLibs = [
rocmPackages.clr
rocmPackages.hipblas
rocmPackages.rocblas
rocmPackages.rocsolver
rocmPackages.rocsparse
rocmPackages.rocm-device-libs
rocmPackages.rocm-smi
];
rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
rocmPath = buildEnv {
name = "rocm-path";
paths = rocmLibs ++ [ rocmClang ];
};
cudaLibs = [
cudaPackages.cuda_cudart
cudaPackages.libcublas
cudaPackages.cuda_cccl
];
cudaToolkit = buildEnv {
name = "cuda-merged";
paths = map lib.getLib cudaLibs ++ [
(lib.getOutput "static" cudaPackages.cuda_cudart)
(lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
];
};
metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
Accelerate
Metal
MetalKit
MetalPerformanceShaders
];
wrapperOptions =
[
# ollama embeds llama-cpp binaries which actually run the ai models
# these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
# LD_LIBRARY_PATH is temporarily required to use the gpu
# until these llama-cpp binaries can have their runpath patched
"--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
]
++ lib.optionals enableRocm [
"--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
"--set-default HIP_PATH '${rocmPath}'"
]
++ lib.optionals enableCuda [
"--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
];
wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
goBuild =
if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
inherit (lib) licenses platforms maintainers;
in
goBuild {
inherit
pname
version
src
vendorHash
;
env =
lib.optionalAttrs enableRocm {
ROCM_PATH = rocmPath;
CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
}
// lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
// {
CMAKE_CUDA_ARCHITECTURES = "35;37";
};
nativeBuildInputs =
[ cmake ]
++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
++ lib.optionals (enableRocm || enableCuda) [
makeWrapper
autoAddDriverRunpath
]
++ lib.optionals stdenv.isDarwin metalFrameworks;
buildInputs =
lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
++ lib.optionals enableCuda cudaLibs
++ lib.optionals stdenv.isDarwin metalFrameworks;
patches = [
# disable uses of `git` in the `go generate` script
# ollama's build script assumes the source is a git repo, but nix removes the git directory
# this also disables necessary patches contained in `ollama/llm/patches/`
# those patches are applied in `postPatch`
./disable-git.patch
];
postPatch = ''
# replace inaccurate version number with actual release version
substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
# apply ollama's patches to `llama.cpp` submodule
for diff in llm/patches/*; do
patch -p1 -d llm/llama.cpp < $diff
done
'';
overrideModAttrs = _: _: {
# don't run llama.cpp build in the module fetch phase
preBuild = "";
};
preBuild = ''
# disable uses of `git`, since nix removes the git directory
export OLLAMA_SKIP_PATCHING=true
# build llama.cpp libraries for ollama
go generate ./...
'';
postFixup =
''
# the app doesn't appear functional at the moment, so hide it
mv "$out/bin/app" "$out/bin/.ollama-app"
''
+ lib.optionalString (enableRocm || enableCuda) ''
# expose runtime libraries necessary to use the gpu
wrapProgram "$out/bin/ollama" ${wrapperArgs}
'';
ldflags = [
"-s"
"-w"
"-X=github.com/ollama/ollama/version.Version=${version}"
"-X=github.com/ollama/ollama/server.mode=release"
"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
];
passthru = {
tests =
{
inherit ollama;
version = testers.testVersion {
inherit version;
package = ollama;
};
}
// lib.optionalAttrs stdenv.isLinux {
inherit ollama-rocm ollama-cuda;
service = nixosTests.ollama;
service-cuda = nixosTests.ollama-cuda;
service-rocm = nixosTests.ollama-rocm;
};
updateScript = nix-update-script { };
};
meta = {
description =
"Get up and running with large language models locally"
+ lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
+ lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
homepage = "https://github.com/ollama/ollama";
changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
license = licenses.mit;
platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
mainProgram = "ollama";
maintainers = with maintainers; [
abysssol
dit7ya
elohmeier
roydubnium
];
};
}

14
machines/krz01/proxmox/default.nix Normal file
View file

@ -0,0 +1,14 @@
{ sources, lib, ... }:
let
proxmox-nixos = import sources.proxmox-nixos;
in
{
imports = [ proxmox-nixos.nixosModules.proxmox-ve ];
services.proxmox-ve.enable = true;
nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ];
networking.firewall = {
trustedInterfaces = [ "wt0" ];
allowedTCPPorts = lib.mkForce [ 22 ];
};
}

3
machines/krz01/secrets/secrets.nix Normal file
View file

@ -0,0 +1,3 @@
(import ../../../keys).mkSecrets [ "krz01" ] [
# List of secrets for krz01
]

6
machines/rescue01/_configuration.nix
View file

@ -3,7 +3,6 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
];
enabledServices = [
@ -12,11 +11,6 @@ lib.extra.mkConfig {
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true;
};

9
machines/rescue01/secrets/secrets.nix
View file

@ -1,5 +1,4 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "rescue01";
in
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]
(import ../../../keys).mkSecrets [ "rescue01" ] [
# List of secrets for rescue01
"stateless-uptime-kuma-password"
]

1
machines/rescue01/uptime-kuma.nix
View file

@ -36,6 +36,7 @@ let
"cdn.dgnum.eu"
"saml-idp.dgnum.eu"
"status.dgnum.eu"
"radius.dgnum.eu"
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
extraProbes = {

5
machines/storage01/_configuration.nix
View file

@ -4,13 +4,11 @@ lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-backups"
"dgn-fail2ban"
"dgn-web"
];
enabledServices = [
# List of services to enable
"atticd"
"tvix-cache"
"forgejo"
"forgejo-runners"
@ -19,11 +17,10 @@ lib.extra.mkConfig {
"netbird"
"peertube"
"prometheus"
"redirections"
];
extraConfig = {
dgn-fail2ban.jails.sshd-preauth.enabled = true;
dgn-hardware.useZfs = true;
services.netbird.enable = true;

82
machines/storage01/atticd.nix
View file

@ -1,82 +0,0 @@
{ config, nixpkgs, ... }:
let
host = "cachix.dgnum.eu";
in
{
services = {
atticd = {
enable = true;
credentialsFile = config.age.secrets."atticd-credentials_file".path;
settings = {
listen = "127.0.0.1:9099";
api-endpoint = "https://${host}/";
allowed-hosts = [ host ];
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 0; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
database.url = "postgresql://atticd?host=/run/postgresql";
storage = {
type = "s3";
region = "garage";
bucket = "attic-dgnum";
endpoint = "https://s3.dgnum.eu";
};
};
useFlakeCompatOverlay = false;
package = nixpkgs.unstable.attic-server;
};
nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9099";
extraConfig = ''
client_max_body_size 10G;
'';
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
};
systemd.services.atticd.environment.RUST_LOG = "warn";
}

17
machines/storage01/garage.nix
View file

@ -8,15 +8,18 @@ let
metadata_dir = "/data/fast/garage/meta";
domains = [
"boussole-sante.normalesup.eu"
"simi.normalesup.eu"
"bandarretdurgence.ens.fr"
"boussole-sante.normalesup.eu"
"lanuit.ens.fr"
"simi.normalesup.eu"
];
buckets = [
"castopod-dgnum"
"peertube-videos-dgnum"
"banda-website"
"castopod-dgnum"
"hackens-website"
"nuit-website"
"peertube-videos-dgnum"
] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}");
@ -25,14 +28,14 @@ in
services.garage = {
enable = true;
package = pkgs.garage_0_9;
package = pkgs.garage_1_0_1;
settings = {
inherit data_dir metadata_dir;
db_engine = "lmdb";
replication_mode = "none";
replication_mode = "none"; # TODO: deprecated
compression_level = 7;
rpc_bind_addr = "[::]:3901";
@ -64,7 +67,7 @@ in
data_dir
metadata_dir
];
TimeoutSec = 3000;
TimeoutSec = 600;
};
users.users.garage = {

9
machines/storage01/redirections.nix Normal file
View file

@ -0,0 +1,9 @@
{
dgn-redirections = {
permanent = {
"www.lanuit.ens.fr" = "lanuit.ens.fr";
"lanuit.ens.psl.eu" = "lanuit.ens.fr";
"www.lanuit.ens.psl.eu" = "lanuit.ens.fr";
};
};
}

30
machines/storage01/secrets/atticd-credentials_file
View file

@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
-> ssh-rsa krWCLQ
hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
vBGnX9w0unyR//LLqrOPWA
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
uÂ;.ÿñË>pÔïÑ<C391>òh¸<68>2ÎŒ}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$ 1»!z<E28093>jlA‡[@;òs®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—hòà ù@%ˆŠä´›|×{ ¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZDËÇÃ)}HŠü˜¦×ál}Sƒ˜ëFrn
øL¦-wÉÑ—¼j)ê â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
¾¸y8óÃkñbÔy×ËäÏ臃¹·k¤¨ÉÍ™ê°n/-'ÃZ<C383>ÅŸ ¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d

8
machines/storage01/secrets/secrets.nix
View file

@ -1,9 +1,5 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "storage01";
in
lib.setDefault { inherit publicKeys; } [
"atticd-credentials_file"
(import ../../../keys).mkSecrets [ "storage01" ] [
# List of secrets for storage01
"bupstash-put_key"
"forgejo-mailer_password_file"
"forgejo_runners-token_file"

14
machines/storage01/tvix-cache/cache-settings.nix Normal file
View file

@ -0,0 +1,14 @@
let
cache-info = {
infra = {
public-key = "infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
url = "https://tvix-store.dgnum.eu/infra";
};
};
in
{ caches }:
{
trusted-substituters = builtins.map (cache: cache-info.${cache}.url) caches;
trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches;
}

48
machines/storage01/tvix-cache/default.nix
View file

@ -1,9 +1,13 @@
{ pkgs, config, ... }:
let
settingsFormat = pkgs.formats.toml { };
dataDir = "/data/slow/tvix-store";
# How to add a cache:
# - Add the relevant services (likely only a pathinfoservice) to the
# composition config (store-config.composition).
# - Add an endpoint (store-config.endpoints).
# - Append a proxy configuration to nginx in order to make the store
# accessible.
# - Update cache-info.nix so users can add the cache to their configuration
store-config = {
composition = {
blobservices.default = {
@ -12,22 +16,17 @@ let
object_store_options = { };
};
directoryservices = {
sled = {
type = "sled";
redb = {
type = "redb";
is_temporary = false;
path = "${dataDir}/directory.sled";
};
object = {
type = "objectstore";
object_store_url = "file://${dataDir}/directory.objectstore";
object_store_options = { };
path = "${dataDir}/directory.redb";
};
};
pathinfoservices = {
infra = {
type = "sled";
type = "redb";
is_temporary = false;
path = "${dataDir}/pathinfo.sled";
path = "${dataDir}/pathinfo.redb";
};
infra-signing = {
type = "keyfile-signing";
@ -41,24 +40,31 @@ let
"127.0.0.1:8056" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "object";
directory_service = "redb";
path_info_service = "infra";
};
"127.0.0.1:8058" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "object";
directory_service = "redb";
path_info_service = "infra-signing";
};
# Add grpc for management and because it is nice
"127.0.0.1:8057" = {
endpoint_type = "Grpc";
blob_service = "default";
directory_service = "object";
directory_service = "redb";
path_info_service = "infra";
};
};
};
settingsFormat = pkgs.formats.toml { };
webHost = "tvix-store.dgnum.eu";
dataDir = "/data/slow/tvix-store";
systemdHardening = {
PrivateDevices = true;
PrivateTmp = true;
@ -75,10 +81,12 @@ let
RuntimeDirectoryMode = "0750";
StateDirectoryMode = "0750";
};
toml = {
composition = settingsFormat.generate "composition.toml" store-config.composition;
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
};
package = pkgs.callPackage ./package { };
in
{
@ -88,7 +96,7 @@ in
"nginx"
];
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
services.nginx.virtualHosts.${webHost} = {
enableACME = true;
forceSSL = true;
locations = {
@ -110,14 +118,12 @@ in
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
'';
};
"/.well-known/nix-signing-keys/" = {
alias = "${./pubkeys}/";
extraConfig = "autoindex on;";
};
};
};
# TODO add tvix-store cli here
# environment.systemPackages = [ ];
users.users.tvix-store = {
isSystemUser = true;
group = "tvix-store";

1316
machines/storage01/tvix-cache/package/Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

9
machines/storage01/tvix-cache/package/default.nix
View file

@ -5,11 +5,11 @@
runCommand,
}:
let
tvix-hash = "sha256-KNl+Lv0aMqSFVFt6p/GdmNDddzccW4wKfZB7W6Gv5F0=";
tvix-hash = "sha256-It3brj6SX+9OIGyKsITnNLjzDnB7CBCZDS+S7arRiWY=";
tvix-src = fetchgit {
name = "tvix";
url = "https://git.dgnum.eu/mdebray/tvl-depot";
rev = "920b7118d5b0917e426367107f7b7b66089a8d7b";
rev = "3389c550b92d8b631f75e5a77e244fe698e4b4b2";
hash = tvix-hash;
};
protos = runCommand "tvix-protos" { } ''
@ -25,8 +25,8 @@ rustPlatform.buildRustPackage rec {
src = fetchgit {
url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
rev = "0d7d4cf66242facecba485b1085e285e8d46c038";
hash = "sha256-IU3OS3ePJeBNiY8HbhoYW5b03Nq8BJ4AWe+bGv4dAuw=";
rev = "0d4c5ca8f75e156f9485fc085e93e85260e2e843";
hash = "sha256-OmXud+MhF2M02ofqDOnmazf190vu91i6RZ2y0NdA8oU=";
};
PROTO_ROOT = protos;
@ -36,6 +36,7 @@ rustPlatform.buildRustPackage rec {
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {
"bigtable_rs-0.2.10" = "sha256-2NC3rHbS2rdD0Rnovymn1xaR22KaR6yzWr298wOPxlY=";
"nar-bridge-0.1.0" = tvix-hash;
};
};

1
machines/storage01/tvix-cache/pubkeys/infra
View file

@ -1 +0,0 @@
infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=

9
machines/vault01/_configuration.nix
View file

@ -3,7 +3,6 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
];
enabledServices = [
@ -11,15 +10,13 @@ lib.extra.mkConfig {
"k-radius"
"networking"
"ups"
"ulogd"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true;
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 ];
};
root = ./.;

23
machines/vault01/k-radius/default.nix
View file

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, ... }:
{
imports = [ ./module.nix ];
@ -6,6 +6,15 @@
services.k-radius = {
enable = true;
domain = "radius.dgnum.eu";
radiusClients = {
ap = {
ipaddr = "0.0.0.0/0";
secret = config.age.secrets."radius-ap-radius-secret_file".path;
};
};
settings = {
# URL to the Kanidm server
uri = "https://sso.dgnum.eu";
@ -40,18 +49,6 @@
};
authTokenFile = config.age.secrets."radius-auth_token_file".path;
privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;
certs = builtins.listToAttrs (
builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [
"ca"
"cert"
"dh"
"key"
]
);
radiusClients = { };
};
age-secrets.autoMatch = [ "radius" ];

182
machines/vault01/k-radius/module.nix
View file

@ -15,7 +15,16 @@ let
mkIf
mkOption
optionalString
types
;
inherit (lib.types)
attrsOf
bool
enum
package
path
str
submodule
;
settingsFormat = pkgs.formats.toml { };
@ -24,99 +33,94 @@ let
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
acmeDirectory = config.security.acme.certs.${cfg.domain}.directory;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
domain = mkOption {
type = str;
description = "The domain used for the RADIUS server.";
};
raddb = mkOption {
type = path;
default = "/var/lib/radius/raddb/";
description = "The location of the raddb directory.";
};
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = types.package;
type = package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = types.path;
type = path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = types.path;
type = path;
description = "File to the auth token for the service account.";
};
extra-mods = mkOption {
type = types.attrsOf types.path;
type = attrsOf path;
default = { };
description = "Additional files to be linked in mods-enabled.";
};
extra-sites = mkOption {
type = types.attrsOf types.path;
type = attrsOf path;
default = { };
description = "Additional files to be linked in sites-enabled.";
};
dictionary = mkOption {
type = types.attrsOf (
types.enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]
);
type = attrsOf (enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]);
default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
options = {
secret = mkOption { type = types.path; };
ipaddr = mkOption { type = types.str; };
};
}
);
type = attrsOf (submodule {
options = {
secret = mkOption { type = path; };
ipaddr = mkOption { type = str; };
};
});
default = { };
description = "A mapping of clients and their authentication tokens.";
};
certs = {
ca = mkOption {
type = types.str;
description = "The signing CA of the RADIUS certificate.";
};
dh = mkOption {
type = types.str;
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
};
cert = mkOption {
type = types.str;
description = "The certificate for the RADIUS server.";
};
key = mkOption {
type = types.str;
description = "The signing key for the RADIUS certificate.";
};
};
privateKeyPasswordFile = mkOption { type = types.path; };
checkConfiguration = mkOption {
type = types.bool;
type = bool;
description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false;
};
};
config = mkIf cfg.enable {
# Certificate setup
services.nginx.virtualHosts.${cfg.domain} = {
http2 = false;
enableACME = true;
forceSSL = true;
};
users = {
users.radius = {
group = "radius";
@ -127,49 +131,45 @@ in
groups.radius = { };
};
services.k-radius.settings = {
ca_path = cfg.certs.ca;
radius_cert_path = cfg.certs.cert;
radius_key_path = cfg.certs.key;
radius_dh_path = cfg.certs.dh;
radius_ca_path = cfg.certs.ca;
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
after = [
"network.target"
"acme-finished-${cfg.domain}.target"
];
wants = [ "network.target" ];
startLimitIntervalSec = 20;
startLimitBurst = 5;
preStart = ''
rm -rf ${cfg.configDir}
mkdir -p ${cfg.configDir}
raddb=${cfg.raddb}
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
cp -R --no-preserve=mode ${rlm_python}/etc/raddb/* ${cfg.configDir}
# Recreate the configuration directory
rm -rf $raddb && mkdir -p $raddb
chmod -R u+w ${cfg.configDir}
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* $raddb
cp -R --no-preserve=mode ${rlm_python}/etc/raddb/* $raddb
chmod -R u+w $raddb
# disable auth via methods kanidm doesn't support
rm ${cfg.configDir}/mods-available/sql
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
rm $raddb/mods-available/sql
rm $raddb/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
ln -nsf $raddb/mods-available/python3 $raddb/mods-enabled/python3
ln -nsf $raddb/sites-available/check-eap-tls $raddb/sites-enabled/check-eap-tls
# write the clients configuration
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
> $raddb/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
cat <<EOF >> $raddb/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
@ -190,19 +190,16 @@ in
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
rm -rf $raddb/certs && mkdir -p $raddb/certs
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
cp ${acmeDirectory}/chain.pem $raddb/certs/ca.pem
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
${lib.getExe pkgs.openssl} rehash $raddb/certs
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
# Recreate the dh.pem file
${lib.getExe pkgs.openssl} dhparam -in $raddb/certs/ca.pem -out $raddb/certs/dh.pem 2048
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
# Write the password of the private_key in the eap module
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
cp ${acmeDirectory}/full.pem $raddb/certs/server.pem
# Link the dictionary
ln -nsf ${
@ -213,22 +210,20 @@ in
)
)
)
} ${cfg.configDir}/dictionary
} $raddb/dictionary
# Link extra-mods
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} ${cfg.configDir}/mods-enabled/${name}") cfg.extra-mods
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/mods-enabled/${name}") cfg.extra-mods
)}
# Link extra-sites
${builtins.concatStringsSep "\n" (
mapAttrsToList (
name: path: "ln -nsf ${path} ${cfg.configDir}/sites-enabled/${name}"
) cfg.extra-sites
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/sites-enabled/${name}") cfg.extra-sites
)}
# Check the configuration
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d ${cfg.configDir} -l stdout"}
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d $raddb -l stdout"}
'';
path = [
@ -236,25 +231,28 @@ in
pkgs.gnused
];
environment = {
KANIDM_RLM_CONFIG = "/var/lib/radius/kanidm.toml";
PYTHONPATH = rlm_python.pythonPath;
};
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d /var/lib/radius/raddb -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${cfg.freeradius}/bin/radiusd -C -d /var/lib/radius/raddb -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
Group = "radius";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
DynamicUser = true;
Group = "radius";
LogsDirectory = "radius";
ReadOnlyPaths = [ acmeDirectory ];
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
];
StateDirectory = "radius";
SupplementaryGroups = [ "nginx" ];
User = "radius";
};
};
};

2
machines/vault01/networking.nix
View file

@ -238,7 +238,7 @@ in
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.158
ip saddr 10.0.0.0/16 ether saddr 1c:1b:b5:14:9c:e5 snat ip to 129.199.195.130-129.199.195.158
}
'';
};

32
machines/vault01/secrets/radius-ap-radius-secret_file Normal file
View file

@ -0,0 +1,32 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk
l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI
-> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU
X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw
-> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang
FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk
-> ssh-rsa krWCLQ
jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n
jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab
SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts
dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0
dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn
GW/WD0EpmdzpWVPby68+KA
-> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw
RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ
-> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA
m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c
-> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8
88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I
-> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE
6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk
-> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA
NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk
-> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU
WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk
-> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM
wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40
-> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA
Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q
--- 8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w
G“Þ"û¤‡ã8ƒÈî&NF}x£ksyÖ\£.i§<69>קF¢¯}ê-ÍÁÓšLbì;{

8
machines/vault01/secrets/secrets.nix
View file

@ -1,8 +1,5 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "vault01";
in
lib.setDefault { inherit publicKeys; } [
(import ../../../keys).mkSecrets [ "vault01" ] [
# List of secrets for vault01
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
@ -10,4 +7,5 @@ lib.setDefault { inherit publicKeys; } [
"radius-key_pem_file"
"radius-private_key_password_file"
"eatonmon-password_file"
"radius-ap-radius-secret_file"
]

56
machines/vault01/ulogd.nix Normal file
View file

@ -0,0 +1,56 @@
{
config,
lib,
pkgs,
...
}:
{
services = {
ulogd = {
enable = true;
logLevel = 5;
settings = {
global = {
logfile = "/var/log/ulogd.log";
stack = [ "ct1:NFCT,ip2str1:IP2STR,pgsql1:PGSQL" ];
};
ct1 = { };
pgsql1 = {
db = "ulogd";
user = "ulogd";
table = "ulog2_ct";
procedure = "INSERT_CT";
};
};
};
postgresql = {
enable = true;
identMap = ''
ulogd-map root ulogd
'';
authentication = ''
local ulogd ulogd peer map=ulogd-map
'';
ensureUsers = [
{
name = "ulogd";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "ulogd" ];
};
};
systemd.services.ulogd = {
serviceConfig.StateDirectory = "ulogd";
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
path = [ config.services.postgresql.package ];
preStart = lib.mkAfter ''
if ! test -e "/var/lib/ulogd/.initialized"; then
psql -f "${pkgs.ulogd.doc}/share/doc/ulogd-pgsql/pgsql-ulogd2.sql" -d ulogd -U ulogd
touch "/var/lib/ulogd/.initialized"
fi
'';
};
}

2
machines/web01/_configuration.nix
View file

@ -3,7 +3,6 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
"dgn-web"
];
@ -19,7 +18,6 @@ lib.extra.mkConfig {
"static"
"wordpress"
"netbox"
"kahulm"
];
extraConfig = {

8
machines/web01/redirections.nix
View file

@ -14,7 +14,7 @@ in
dgn-redirections = {
inherit retiredHost;
redirections = {
permanent = {
"calendrier.eleves.ens.fr" = "calendrier.dgnum.eu";
"docs.beta.rz.ens.wtf" = "pads.dgnum.eu";
"git.rz.ens.wtf" = "git.dgnum.eu";
@ -25,11 +25,17 @@ in
"bda.wp.dgnum.eu" = "bda.ens.fr";
"www.cineclub.ens.fr" = "cineclub.ens.fr";
"cineclub.wp.dgnum.eu" = "cineclub.ens.fr";
"www.bds.ens.fr" = "bds.ens.fr";
"bds.wp.dgnum.eu" = "bds.ens.fr";
"www.tuteurs.ens.fr" = "tuteurs.ens.fr";
"www.interq.ens.fr" = "interq.ens.fr";
"www.lanuit.ens.fr" = "lanuit.ens.fr";
};
temporary = {
"pub.dgnum.eu".to = "https://www.instagram.com/dgnum_eu/";
};
retired = mkSubs {
"ens.fr" = [
"alevins"

7
machines/web01/secrets/secrets.nix
View file

@ -1,8 +1,5 @@
let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "web01";
in
lib.setDefault { inherit publicKeys; } [
(import ../../../keys).mkSecrets [ "web01" ] [
# List of secrets for web01
"acme-certs_secret"
"bupstash-put_key"
"matterbridge-config_file"

13
machines/web01/static/npins/sources.json
View file

@ -33,17 +33,6 @@
"url": null,
"hash": "05cdz26n8r8cihmcn772dwb05krzzxyyhqv5rasw4yd2s1dzsmwx"
},
"lanuit.ens.fr": {
"type": "Git",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/lanuit.ens.fr.git"
},
"branch": "main",
"revision": "f4dc07090fbd74970929b2cf411c74b090618c8f",
"url": null,
"hash": "0hpym1r8d8hgp4g7p6lk26fgcv9ia6993z91as1gfjs9ff3wgk0a"
},
"qda.ens.fr": {
"type": "Git",
"repository": {
@ -90,4 +79,4 @@
}
},
"version": 3
}
}

4
machines/web01/wordpress/default.nix
View file

@ -22,7 +22,7 @@ in
languages = [ pkgs.wordpressPackages.languages.fr_FR ];
};
"bds.wp.dgnum.eu" = {
"bds.ens.fr" = {
themes = {
inherit (wp4nix.themes) gateway twentytwentythree;
};
@ -53,4 +53,6 @@ in
};
dgn-backups.jobs.containers.settings.paths = [ "/var/lib/nixos-containers" ];
services.nginx.virtualHosts."bds.ens.fr".locations."/gestion2".return = "301 https://gestion.bds.ens.fr";
}

6
machines/web02/_configuration.nix
View file

@ -3,7 +3,6 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
"dgn-web"
];
@ -14,11 +13,6 @@ lib.extra.mkConfig {
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
# Restrict access to this node
dgn-access-control.users.root = [ "thubrecht" ];

12
machines/web02/cas-eleves/01-pytest-cas.patch
View file

@ -1,4 +1,14 @@
diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
diff --git a/setup.py b/setup.py
index 7c7b02d..3f677ff 100644
--- a/setup.py
+++ b/setup.py
@@ -67,6 +67,4 @@ if __name__ == '__main__':
url="https://github.com/nitmir/django-cas-server",
download_url="https://github.com/nitmir/django-cas-server/releases/latest",
zip_safe=False,
- setup_requires=['pytest-runner'],
- tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
)
index 2b389d3..dcdfafd 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py

2
machines/web02/cas-eleves/default.nix
View file

@ -126,7 +126,7 @@ in
};
};
dgn-redirections.redirections."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
services = {
postgresql = {

6
machines/web02/secrets/secrets.nix
View file

@ -1,7 +1,5 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "web02"; } [
(import ../../../keys).mkSecrets [ "web02" ] [
# List of secrets for web02
"cas_eleves-secret_key_file"
"kadenios-secret_key_file"
"kadenios-email_password_file"

9
meta/dns.nix
View file

@ -40,6 +40,10 @@ let
# Miscelleanous redirections
"traque" = "traque.katvayor.net.";
# Temporary redirection for the BDS
# FIXME: finish the django apps module
"gestiobds.dj" = "cof.ens.fr.";
};
hosted = fuseAttrs (
@ -63,6 +67,10 @@ let
"sso" # Kanidm
"support" # Zammad support
"telegraf" # Telegraf
# DGSI
"dgsi"
"profil"
];
storage01.dual = [
@ -95,6 +103,7 @@ let
"netbox" # Netbox
"podcasts" # Castopod
"push" # Ntfy.sh
"pub" # Url de promotion (qrcodes etc...)
# Static websites
"eleves"

23
meta/network.nix
View file

@ -29,6 +29,29 @@
netbirdIp = "100.80.75.197";
};
krz01 = {
interfaces = {
eno1 = {
ipv4 = [
{
address = "129.199.146.21";
prefixLength = 24;
}
{
address = "192.168.1.145";
prefixLength = 24;
}
];
gateways = [ "129.199.146.254" ];
enableDefaultDNS = true;
};
};
hostId = "bd11e8fc";
netbirdIp = "100.80.103.206";
};
geo01 = {
interfaces = {
eno1 = {

9
meta/nodes.nix
View file

@ -30,7 +30,7 @@
targetHost = "fd26:baf9:d250:8000::ffff";
sshOptions = [
"-J"
"vault01.hyp01.infra.dgnum.eu"
"root@vault01.hyp01.infra.dgnum.eu"
];
};
};
@ -70,6 +70,13 @@
nixpkgs = "24.05";
};
krz01 = {
site = "pav01";
stateVersion = "24.05";
nixpkgs = "unstable";
};
storage01 = {
site = "pav01";
stateVersion = "23.11";

6
meta/options.nix
View file

@ -368,10 +368,10 @@ in
name: "A member of the external service ${name} admins was not found in the members list."
) org.external)
# Check that all members have a keyFile
# Check that all members have ssh keys
(builtins.map (name: {
assertion = builtins.pathExists "${builtins.toString ../keys}/${name}.keys";
message = "No ssh keys file found for ${name}.";
assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
message = "No ssh keys found for ${name}.";
}) members)
];
};

20
meta/verify.nix
View file

@ -4,13 +4,7 @@ let
sources = import ../npins;
pkgs = import sources.nixpkgs { };
dns = import sources."dns.nix";
lib = import sources.nix-lib {
inherit (pkgs) lib;
keysRoot = ../keys;
};
dns = import sources."dns.nix" { inherit pkgs; };
in
{
@ -28,7 +22,15 @@ in
else
pkgs.writers.writeJSON "meta.json" config;
dns = dns.util.${builtins.currentSystem}.writeZone "dgnum.eu" (
pkgs.lib.recursiveUpdate { SOA.serial = 0; } (import ./dns.nix { inherit dns lib; })
dns = dns.util.writeZone "dgnum.eu" (
pkgs.lib.recursiveUpdate { SOA.serial = 0; } (
import ./dns.nix {
inherit dns;
lib = pkgs.lib // {
extra = import ../lib/nix-lib;
};
}
)
);
}

6
modules/default.nix
View file

@ -46,7 +46,8 @@
"dgn-acme"
"dgn-backups"
"dgn-console"
"dgn-fail2ban"
"dgn-chatops"
"dgn-firewall"
"dgn-hardware"
"dgn-netbox-agent"
"dgn-network"
@ -60,13 +61,14 @@
])
++ [
"${sources.agenix}/modules/age.nix"
"${sources.attic}/nixos/atticd.nix"
"${sources.arkheon}/module.nix"
"${sources."microvm.nix"}/nixos-modules/host"
]
++ ((import sources.nix-modules { inherit lib; }).importModules (
[
"age-secrets"
"services/bupstash"
"services/reaction"
"services/systemd-notify"
]
++ nodeMeta.nix-modules

3
modules/dgn-access-control.nix
View file

@ -34,6 +34,7 @@
{
config,
lib,
dgn-keys,
meta,
nodeMeta,
...
@ -83,7 +84,7 @@ in
dgn-access-control.users.root = mkDefault admins;
users.users = builtins.mapAttrs (_: members: {
openssh.authorizedKeys.keys = lib.extra.getAllKeys members;
openssh.authorizedKeys.keys = dgn-keys.getKeys members;
}) cfg.users;
};
}

19
modules/dgn-backups/default.nix
View file

@ -1,6 +1,7 @@
{
config,
lib,
dgn-keys,
name,
...
}:
@ -103,15 +104,12 @@ in
access = [
{
repo = "default";
keys = lib.extra.getAllKeys (
# Nodes allowed to create backups
builtins.map (host: "machines/${host}") [
"compute01"
"storage01"
"vault01"
"web01"
]
);
keys = dgn-keys.getKeys [
"compute01"
"storage01"
"vault01"
"web01"
];
allowed = [ "put" ];
}
];
@ -121,8 +119,7 @@ in
};
programs.ssh.knownHosts =
lib.extra.mapFuse
(host: { "${host}.dgnum".publicKey = builtins.head (lib.extra.getKeys "machines/${host}"); })
lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._keys.${host}; })
[
"compute01"
"geo01"

6
modules/dgn-backups/keys/secrets.nix
View file

@ -1,8 +1,4 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.rootKeys; } [
(import ../../../keys).mkSecrets [ ] [
"compute01.key"
"storage01.key"
"web01.key"

1
modules/dgn-chatops/.envrc Normal file
View file

@ -0,0 +1 @@
use nix

75
modules/dgn-chatops/default.nix Normal file
View file

@ -0,0 +1,75 @@
# Copyright :
# - Ryan Lahfa <ryan.lahfa@dgnum.eu> 2024
#
# Ce logiciel est un programme informatique servant à déployer des
# configurations de serveurs via NixOS.
#
# Ce logiciel est régi par la licence CeCILL soumise au droit français et
# respectant les principes de diffusion des logiciels libres. Vous pouvez
# utiliser, modifier et/ou redistribuer ce programme sous les conditions
# de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
# sur le site "http://www.cecill.info".
#
# En contrepartie de l'accessibilité au code source et des droits de copie,
# de modification et de redistribution accordés par cette licence, il n'est
# offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
# seule une responsabilité restreinte pèse sur l'auteur du programme, le
# titulaire des droits patrimoniaux et les concédants successifs.
#
# A cet égard l'attention de l'utilisateur est attirée sur les risques
# associés au chargement, à l'utilisation, à la modification et/ou au
# développement et à la reproduction du logiciel par l'utilisateur étant
# donné sa spécificité de logiciel libre, qui peut le rendre complexe à
# manipuler et qui le réserve donc à des développeurs et des professionnels
# avertis possédant des connaissances informatiques approfondies. Les
# utilisateurs sont donc invités à charger et tester l'adéquation du
# logiciel à leurs besoins dans des conditions permettant d'assurer la
# sécurité de leurs systèmes et ou de leurs données et, plus généralement,
# à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
#
# Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
# pris connaissance de la licence CeCILL, et que vous en avez accepté les
# termes.
{
config,
pkgs,
lib,
...
}:
let
cfg = config.dgn-chatops;
inherit (lib) mkEnableOption mkIf;
python3 = pkgs.python311;
python3Pkgs = python3.pkgs;
ircrobots = python3Pkgs.callPackage ./ircrobots.nix { };
tortoise-orm = python3Pkgs.callPackage ./tortoise-orm.nix { };
ps = python3Pkgs.makePythonPath [
ircrobots
tortoise-orm
python3Pkgs.aiohttp
];
in
{
options.dgn-chatops = {
enable = mkEnableOption "the ChatOps layer";
};
# Our ChatOps bot.
config = mkIf cfg.enable {
systemd.services.irc-takumi = {
description = "DGNum IRC automation bot, Takumi";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
PYTHONPATH = ps;
};
serviceConfig = {
RuntimeDirectory = "takumi";
StateDirectory = "takumi";
DynamicUser = true;
ExecStart = "${lib.getExe python3} ${./takumi.py}";
};
};
};
}

56
modules/dgn-chatops/ircrobots.nix Normal file
View file

@ -0,0 +1,56 @@
{
lib,
buildPythonPackage,
fetchFromGitea,
pythonOlder,
anyio,
asyncio-rlock,
asyncio-throttle,
ircstates,
async-stagger,
async-timeout,
python,
}:
buildPythonPackage rec {
pname = "ircrobots";
version = "0.7.0";
format = "setuptools";
disabled = pythonOlder "3.7";
src = fetchFromGitea {
domain = "git.dgnum.eu";
owner = "DGNum";
repo = pname;
# No tag yet :(.
rev = "63aa84b40450bd534fc232eee10e8088028c9f6d";
hash = "sha256-gXiPy6wjPEtc9v0cG0lb2QVXDlU5Q8ncxJO0lBm2RSE=";
};
postPatch = ''
# too specific pins https://github.com/jesopo/ircrobots/issues/3
sed -iE 's/anyio.*/anyio/' requirements.txt
'';
propagatedBuildInputs = [
anyio
asyncio-rlock
asyncio-throttle
ircstates
async-stagger
async-timeout
];
checkPhase = ''
${python.interpreter} -m unittest test
'';
pythonImportsCheck = [ "ircrobots" ];
meta = with lib; {
description = "Asynchronous bare-bones IRC bot framework for python3";
license = licenses.mit;
homepage = "https://github.com/jesopo/ircrobots";
maintainers = with maintainers; [ hexa ];
};
}

31
modules/dgn-chatops/pypika-tortoise.nix Normal file
View file

@ -0,0 +1,31 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
poetry-core,
}:
buildPythonPackage rec {
pname = "pypika-tortoise";
version = "0.1.6";
pyproject = true;
src = fetchFromGitHub {
owner = "tortoise";
repo = "pypika-tortoise";
rev = "v${version}";
hash = "sha256-xx5FUMHh6413fsvwrEA+Q0tBmJWy00h5O6YijvrJyCE=";
};
build-system = [ poetry-core ];
pythonImportsCheck = [ "pypika" ];
meta = {
description = "";
homepage = "https://github.com/tortoise/pypika-tortoise";
changelog = "https://github.com/tortoise/pypika-tortoise/blob/${src.rev}/CHANGELOG.md";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ raitobezarius ];
};
}

Some files were not shown because too many files have changed in this diff Show more