forked from DGNum/infrastructure
feat(compute01): Deploy dgsi
This commit is contained in:
parent
dd5c0c79f7
commit
2b75890752
7 changed files with 266 additions and 8 deletions
|
@ -1,18 +1,19 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
lib.extra.mkConfig {
|
lib.extra.mkConfig {
|
||||||
enabledModules = [
|
|
||||||
# List of modules to enable
|
# List of modules to enable
|
||||||
|
enabledModules = [
|
||||||
|
# INFO: This list needs to stay sorted alphabetically
|
||||||
"dgn-backups"
|
"dgn-backups"
|
||||||
"dgn-web"
|
|
||||||
"dgn-chatops"
|
"dgn-chatops"
|
||||||
|
"dgn-web"
|
||||||
];
|
];
|
||||||
|
|
||||||
enabledServices = [
|
|
||||||
# List of services to enable
|
# List of services to enable
|
||||||
|
enabledServices = [
|
||||||
|
# INFO: This list needs to stay sorted alphabetically
|
||||||
"arkheon"
|
"arkheon"
|
||||||
"takumi"
|
"dgsi"
|
||||||
"signal-irc-bridge"
|
|
||||||
"ds-fr"
|
"ds-fr"
|
||||||
"grafana"
|
"grafana"
|
||||||
"hedgedoc"
|
"hedgedoc"
|
||||||
|
@ -25,8 +26,10 @@ lib.extra.mkConfig {
|
||||||
"postgresql"
|
"postgresql"
|
||||||
"rstudio-server"
|
"rstudio-server"
|
||||||
"satosa"
|
"satosa"
|
||||||
|
"signal-irc-bridge"
|
||||||
"signald"
|
"signald"
|
||||||
"stirling-pdf"
|
"stirling-pdf"
|
||||||
|
"takumi"
|
||||||
"telegraf"
|
"telegraf"
|
||||||
"vaultwarden"
|
"vaultwarden"
|
||||||
"zammad"
|
"zammad"
|
||||||
|
|
180
machines/compute01/dgsi/default.nix
Normal file
180
machines/compute01/dgsi/default.nix
Normal file
|
@ -0,0 +1,180 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
sources,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (lib) mapAttrsToList;
|
||||||
|
|
||||||
|
python =
|
||||||
|
let
|
||||||
|
python3 = pkgs.python312;
|
||||||
|
nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
|
||||||
|
in
|
||||||
|
python3.override {
|
||||||
|
packageOverrides = _: _: {
|
||||||
|
inherit (nix-pkgs)
|
||||||
|
django-allauth
|
||||||
|
django-allauth-cas
|
||||||
|
django-browser-reload
|
||||||
|
django-bulma-forms
|
||||||
|
django-sass-processor
|
||||||
|
django-sass-processor-dart-sass
|
||||||
|
django-unfold
|
||||||
|
pykanidm
|
||||||
|
python-cas
|
||||||
|
loadcredential
|
||||||
|
;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
pythonEnv = python.withPackages (ps: [
|
||||||
|
ps.django
|
||||||
|
ps.gunicorn
|
||||||
|
ps.psycopg
|
||||||
|
ps.django-compressor
|
||||||
|
|
||||||
|
# Local packages
|
||||||
|
ps.django-allauth
|
||||||
|
ps.django-allauth-cas
|
||||||
|
ps.django-bulma-forms
|
||||||
|
ps.django-sass-processor
|
||||||
|
ps.django-sass-processor-dart-sass
|
||||||
|
ps.django-unfold
|
||||||
|
ps.loadcredential
|
||||||
|
ps.pykanidm
|
||||||
|
ps.python-cas
|
||||||
|
]);
|
||||||
|
|
||||||
|
staticDrv = pkgs.stdenv.mkDerivation {
|
||||||
|
name = "dgsi-static";
|
||||||
|
|
||||||
|
src = sources.dgsi;
|
||||||
|
sourceRoot = "source/src";
|
||||||
|
|
||||||
|
nativeBuildInputs = [
|
||||||
|
pkgs.dart-sass
|
||||||
|
pythonEnv
|
||||||
|
];
|
||||||
|
|
||||||
|
configurePhase = ''
|
||||||
|
export DGSI_STATIC_ROOT=$out/static
|
||||||
|
export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
|
||||||
|
export DGSI_KANIDM_CLIENT="dgsi_test";
|
||||||
|
export DGSI_KANIDM_AUTH_TOKEN="fake.token";
|
||||||
|
'';
|
||||||
|
|
||||||
|
doBuild = false;
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out/static
|
||||||
|
python3 manage.py compilescss
|
||||||
|
python3 manage.py collectstatic
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
users = {
|
||||||
|
users.nginx.extraGroups = [ "django-apps" ];
|
||||||
|
groups.django-apps = { };
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd = {
|
||||||
|
services = {
|
||||||
|
dj-dgsi = {
|
||||||
|
description = "DGSI web app";
|
||||||
|
|
||||||
|
requires = [ "dj-dgsi.socket" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [
|
||||||
|
"network.target"
|
||||||
|
"postgresql.service"
|
||||||
|
];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
DynamicUser = true;
|
||||||
|
LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
|
||||||
|
SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path;
|
||||||
|
KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path;
|
||||||
|
KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path;
|
||||||
|
};
|
||||||
|
RuntimeDirectory = "django-apps/dgsi";
|
||||||
|
StateDirectory = "django-dgsi";
|
||||||
|
UMask = "0027";
|
||||||
|
User = "dj-dgsi";
|
||||||
|
WorkingDirectory = "${sources.dgsi}/src";
|
||||||
|
};
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
DGSI_ALLOWED_HOSTS = builtins.toJSON [
|
||||||
|
"profil.dgnum.eu"
|
||||||
|
"dgsi.dgnum.eu"
|
||||||
|
];
|
||||||
|
DGSI_STATIC_ROOT = staticDrv;
|
||||||
|
DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
|
||||||
|
};
|
||||||
|
|
||||||
|
path = [ pythonEnv ];
|
||||||
|
|
||||||
|
script = ''
|
||||||
|
python3 manage.py migrate
|
||||||
|
gunicorn --pythonpath ${sources.dgsi}/src --bind unix:/run/django-apps/dgsi.sock --workers=4 app.wsgi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
sockets."dj-dgsi" = {
|
||||||
|
description = "Socket for the DGSI Django Application";
|
||||||
|
wantedBy = [ "sockets.target" ];
|
||||||
|
|
||||||
|
socketConfig = {
|
||||||
|
ListenStream = "/run/django-apps/dgsi.sock";
|
||||||
|
SocketMode = "600";
|
||||||
|
SocketUser = config.services.nginx.user;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
mounts = [
|
||||||
|
{
|
||||||
|
where = "/run/django-apps/dgsi/media";
|
||||||
|
what = "/var/lib/django-apps/dgsi/media";
|
||||||
|
options = "bind";
|
||||||
|
|
||||||
|
after = [ "dj-dgsi.service" ];
|
||||||
|
partOf = [ "dj-dgsi.service" ];
|
||||||
|
upheldBy = [ "dj-dgsi.service" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn-redirections.redirections."dgsi.dgnum.eu" = "profil.dgnum.eu";
|
||||||
|
|
||||||
|
services = {
|
||||||
|
postgresql = {
|
||||||
|
ensureDatabases = [ "dgsi" ];
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "dgsi";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts."profil.dgnum.eu" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
serverAliases = [ "dgsi.dgnum.eu" ];
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
|
||||||
|
"/static/".root = staticDrv;
|
||||||
|
"/media/".root = "/run/django-apps/dgsi";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file
Normal file
BIN
machines/compute01/secrets/dgsi-kanidm_auth_token_file
Normal file
Binary file not shown.
30
machines/compute01/secrets/dgsi-kanidm_secret_file
Normal file
30
machines/compute01/secrets/dgsi-kanidm_secret_file
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA 7Nd4K/ivG8LyRcT+XhfN8K8OmoGKUPiUacgd5H/YyCY
|
||||||
|
qHdajtgWM/ON3VHB76DhkDF0BCOhA5UtDTTiOM8Woy8
|
||||||
|
-> ssh-ed25519 QlRB9Q 25AYqzBKePKEH4Ml+9xB+YxSvIIMY/M7Qo+LomdivHM
|
||||||
|
SQN/1T/Judvtk8TjhUxhCsJVS73bLqaih6Gn8weVjvs
|
||||||
|
-> ssh-ed25519 r+nK/Q iHlAURzupmiysH9XtEqhg+wbgYlsdLHvVyRzMsWsVmg
|
||||||
|
R6yA3bt+5E5vhIVEHxu8h3sB9FjLiUH0tp5SKzHM8Kk
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
BxDfl3xriUdWiihr0RtfSpJ0UtDnF1oTa3n/1w4AMPNowh+kIVRKuaWFa+sVIJMB
|
||||||
|
RZc+vdymNoUg/i3lAzlX2mo17LGEnX1jGSHtsMY7j1psS4b72i3hCvBLQ9n+kir7
|
||||||
|
ub1CVvrsgn6SMzjQWrSNP6IsIPmYcgfJ2pG0J7oD8T6s0hnemm9ywtCmdpiVjh+O
|
||||||
|
C2DB10qgVACLWOd/Gqd7ILiqeTOlaDHjuFJ3xRoUd7jzeOnG4BZOV8mfT443MoIa
|
||||||
|
Kg/prr+MN9uf42a6iLb5avf8ZZLnrzoIyT5vJ3BFt1aUz3FX4DyZUrZmhm9pmYR9
|
||||||
|
4YTArDtTP6X3+Rimd5rlbA
|
||||||
|
-> ssh-ed25519 /vwQcQ NkudSMrSLIE0WOE3ScJSMBKwVnuz9p3UwKGg9SPDGiY
|
||||||
|
w2rE2oO1bs0eoySeS0tT0Ic6Hji9qD7iNn0qYiwc2kU
|
||||||
|
-> ssh-ed25519 0R97PA YH3uoQ/zJR/lrvC0TuWTSig/AJYsxI7sVrEhS173i1E
|
||||||
|
DOdCOmorgGsg4hAXV0nYg9JeDmon2JY02iKq614jxUA
|
||||||
|
-> ssh-ed25519 JGx7Ng YV6RIaM6oIoajPXVDrOuLRy2897e8LUEibyLiS/gf0o
|
||||||
|
xz+guHt2N+tfIX5kvpxGDNqaez2VA8dD+QTu7fK7Pf4
|
||||||
|
-> ssh-ed25519 5SY7Kg 4DhAsi0gqOunzEzlFFKeP3qYWos9Mc1UpVCDVQIBEws
|
||||||
|
4/duAufrk/GHSbj5tEXdL+C+2AO+Es375as+/R+6PgY
|
||||||
|
-> ssh-ed25519 p/Mg4Q +5WtmMV6ruLgQoTZpmBztrH+FS2aCKFcwuLKcweLr3s
|
||||||
|
xRIVcBt4wV2PtEhO68sJ8/FB177QAq6zoZ1Dwfg1kPo
|
||||||
|
-> ssh-ed25519 tDqJRg wWaBzLqsoPa8/0hjl4eu07dQvGFMLI3R6IrNNZzquBU
|
||||||
|
ppzkds/p5BF2dIRZERhDD3rtQNxKhlIaoxCSIf20yJQ
|
||||||
|
-> T9':1EB-grease / #'BD[s
|
||||||
|
lZHA3xsgAESG
|
||||||
|
--- uk+H++45TIOcuW3Qj4/D1S65Kw8OEb5ZHqWWIlYlSIg
|
||||||
|
u=J¾f£‹ÏtüÉíãQ²]¶Epfž ÍêOëeëd<Í…ã6<C3A3> G'Æ¡a.ήշ^H¾´ñú|Lß*QN5öìþMGatʶ±§
|
31
machines/compute01/secrets/dgsi-secret_key_file
Normal file
31
machines/compute01/secrets/dgsi-secret_key_file
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
|
||||||
|
7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
|
||||||
|
-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
|
||||||
|
BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
|
||||||
|
-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
|
||||||
|
WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
|
||||||
|
fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
|
||||||
|
j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
|
||||||
|
MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
|
||||||
|
tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
|
||||||
|
gU32t9qy5EvTbzliWpAvxw
|
||||||
|
-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
|
||||||
|
mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
|
||||||
|
-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
|
||||||
|
QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
|
||||||
|
-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
|
||||||
|
E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
|
||||||
|
-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
|
||||||
|
x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
|
||||||
|
-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
|
||||||
|
TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
|
||||||
|
-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
|
||||||
|
SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
|
||||||
|
-> `--grease N]PH
|
||||||
|
fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
|
||||||
|
7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
|
||||||
|
--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
|
||||||
|
:È/Àn ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5۶Û
|
|
@ -6,9 +6,12 @@ in
|
||||||
lib.setDefault { inherit publicKeys; } [
|
lib.setDefault { inherit publicKeys; } [
|
||||||
"arkheon-env_file"
|
"arkheon-env_file"
|
||||||
"bupstash-put_key"
|
"bupstash-put_key"
|
||||||
|
"dgsi-kanidm_auth_token_file"
|
||||||
|
"dgsi-kanidm_secret_file"
|
||||||
|
"dgsi-secret_key_file"
|
||||||
"ds-fr-secret_file"
|
"ds-fr-secret_file"
|
||||||
"grafana-smtp_password_file"
|
|
||||||
"grafana-oauth_client_secret_file"
|
"grafana-oauth_client_secret_file"
|
||||||
|
"grafana-smtp_password_file"
|
||||||
"hedgedoc-environment_file"
|
"hedgedoc-environment_file"
|
||||||
"librenms-database_password_file"
|
"librenms-database_password_file"
|
||||||
"librenms-environment_file"
|
"librenms-environment_file"
|
||||||
|
|
|
@ -50,6 +50,17 @@
|
||||||
"url": null,
|
"url": null,
|
||||||
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
|
"hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
|
||||||
},
|
},
|
||||||
|
"dgsi": {
|
||||||
|
"type": "Git",
|
||||||
|
"repository": {
|
||||||
|
"type": "Git",
|
||||||
|
"url": "https://git.dgnum.eu/DGNum/dgsi.git"
|
||||||
|
},
|
||||||
|
"branch": "main",
|
||||||
|
"revision": "8a46e4ddb522a145046d9a5bfc729a8e46d99f44",
|
||||||
|
"url": null,
|
||||||
|
"hash": "1blyh1xcppcb6qjaww8aw00c4nh1dl50i64bf6ampj0idx0y93qh"
|
||||||
|
},
|
||||||
"disko": {
|
"disko": {
|
||||||
"type": "GitRelease",
|
"type": "GitRelease",
|
||||||
"repository": {
|
"repository": {
|
||||||
|
@ -229,9 +240,9 @@
|
||||||
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
"url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
|
||||||
},
|
},
|
||||||
"branch": "main",
|
"branch": "main",
|
||||||
"revision": "c3257569375903f94ad1af9fe8b77186bd824332",
|
"revision": "d1af0a922edc1ef82b023ebe1158b5c1e02b4f2d",
|
||||||
"url": null,
|
"url": null,
|
||||||
"hash": "01kmivbk0ji5n7fifydq0wvlv34v1ima66r6icxrfykshh635w4p"
|
"hash": "1vbhprwnjn6r0wd70ymv78yry6cbz6ip06q7bl3jwp6v0lqgwmf4"
|
||||||
},
|
},
|
||||||
"nixos-23.11": {
|
"nixos-23.11": {
|
||||||
"type": "Channel",
|
"type": "Channel",
|
||||||
|
|
Loading…
Reference in a new issue