From f778fb131f192910937a3cee4aba9f6d71d2b277 Mon Sep 17 00:00:00 2001
From: sinavir <sinavir@sinavir.fr>
Date: Fri, 23 Feb 2024 00:57:26 +0100
Subject: [PATCH] feat(web01): Netbox

---
 external/netbox/secrets/default.nix           | 10 ----
 external/netbox/secrets/maurice.keys          |  3 --
 external/netbox/secrets/netbox.age            | 32 ------------
 external/netbox/secrets/netbox_env.age        | 31 ------------
 external/netbox/secrets/secrets.nix           | 20 --------
 machines/web01/_configuration.nix             |  1 +
 .../default.nix => machines/web01/netbox.nix  | 25 +++++-----
 machines/web01/secrets/netbox_env             | 30 +++++++++++
 machines/web01/secrets/secrets.nix            |  1 +
 patches/default.nix                           |  3 ++
 patches/netbox.patch                          | 50 +++++++++++++++++++
 11 files changed, 98 insertions(+), 108 deletions(-)
 delete mode 100644 external/netbox/secrets/default.nix
 delete mode 100644 external/netbox/secrets/maurice.keys
 delete mode 100644 external/netbox/secrets/netbox.age
 delete mode 100644 external/netbox/secrets/netbox_env.age
 delete mode 100644 external/netbox/secrets/secrets.nix
 rename external/netbox/default.nix => machines/web01/netbox.nix (65%)
 create mode 100644 machines/web01/secrets/netbox_env
 create mode 100644 patches/netbox.patch

diff --git a/external/netbox/secrets/default.nix b/external/netbox/secrets/default.nix
deleted file mode 100644
index 5f21e7f..0000000
--- a/external/netbox/secrets/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-_: {
-  age.secrets = {
-    "netbox" = {
-      file = ./netbox.age;
-      group = "netbox";
-      owner = "netbox";
-    };
-    "netbox_env".file = ./netbox_env.age;
-  };
-}
diff --git a/external/netbox/secrets/maurice.keys b/external/netbox/secrets/maurice.keys
deleted file mode 100644
index 15b2d82..0000000
--- a/external/netbox/secrets/maurice.keys
+++ /dev/null
@@ -1,3 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAFZvpOfsBhbz9IvBj4akFr48VIuIrzSTP/6xUC0fyyF
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMtlR7TN69GgD5q0b+/DXC2aOKiNN8TiempaEZkfngut maurice@sirius
\ No newline at end of file
diff --git a/external/netbox/secrets/netbox.age b/external/netbox/secrets/netbox.age
deleted file mode 100644
index c6b541e..0000000
--- a/external/netbox/secrets/netbox.age
+++ /dev/null
@@ -1,32 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 6J6ApA Rw8khLEeN2Vc0ogKS37PVt8RtkX/AUIPvrEl1Y4o33s
-WfbB+OJWjer4p4c5WJ5/wWGTfzaP+ioSVICaWeN7v8Y
--> ssh-ed25519 JGx7Ng XPQNnVJUQnW4m6VRD5IvQLkI7M6ePLnh7I6qVmXkZUI
-iDE+Po4QpuesYyyLOx5jGurDBK4PVSqCyjTiLO8tIE4
--> ssh-ed25519 Ih+Lhw opXAdU106hSmF4j9w9QVs1PTtGFYqODit/Jzqnnm9hc
-oHW0aA3rR4ix+mp/XpH7ufKC6CDVgwojRAli0Rt0umY
--> ssh-ed25519 jIXfPA UpS2FGuwL08jjS7VtMlWuIKHzpVLDIHLCeDBUyzYaDk
-ekm1yEUuoxEsOhtmp0SvBeTCNEXfTlgCaS6i4OsyNkI
--> ssh-ed25519 QlRB9Q sJNeXiglN1YONRXpAknOkG7BCHTVq0eLVX/ulr/zuy8
-kZY5j2ilKr1eAxAB4eo8ku/068L8K9MGfywyQiwcGHk
--> ssh-ed25519 r+nK/Q 1AonFSikttoFe4bqaULTcTPWQxwig3VBmkEBSVqAwXg
-Y2CZAeaKG+z0Qc2wjkdJC+/TvEe4ZXwwmwg34mF1drI
--> ssh-rsa krWCLQ
-YA2SfssUpCkBkQ7eSQw7w9bCou04rvvSItcfYA4md41txuJ9pCKuEdAbPtBbxCBU
-UqPyUCor7abyVgsIqmYR5zSCLw5yfZqynwilLC5wx7DMYGWEs0OW1jBEP0Nj6ISD
-2zWLilvfiq1LPV1eKWlPUFb+STCha24LybDgNlo4O4a4AttQ5g7YgeFy3EAK4aN5
-/NTLn3Yn40WUB9XfiesL9OFiGVF2nPujyCYXBxGOL425cevVkpFpQTOrThKC3RzH
-vvkUCpdP8vOd8uEsy5qHxGrJGUwc4clrbLKBg4BZ9jbAPTpFj533aF71/qiJuwMH
-mhOZQzDTO3KWHSAM750HAA
--> ssh-ed25519 /vwQcQ L6Tpwg8hsUigry1IL2EbCjh+zR3AmZ8V6bPF8MgFcVs
-iy2o3Ci9CmmZ4YwEvIHOOXXJT+UXNQU45faL+ulPFGk
--> ssh-ed25519 0R97PA 0Pjmquwj5A7UkMl1aUYz8AEdGiDA9B402l9B47isXwg
-VM1wJWw6I7rDQkRiut2MMugRrYANgBFFAnoMhgPyBvI
--> ssh-ed25519 JGx7Ng gRZY4yXgZiftpgadbg+X9k9qF0wmSDywrk5N2Z1P4DU
-el60vd0Kq5Gx0Qm+k9AQNeWvVUUobI4KjMoHkmLzPaM
--> ')tE-grease
-7uJeStX+hLwArPoxtFWKhHI/p1uDPpJ2IhdEc0uNhEIbcVfthSkbQCbT7cLwHlKL
-LT0tC0FcYsoS/VMu+A
---- PglFR+GxbWtTM1/wHZOz1kF7VaSjgBhJopb01kJQKCk
-8á}lh—ž-*uè`¼Àõ-Xºñ
-Î^ÆpýlrÐDy¨}|¾’…Úq8Dd‡·Ü›ë²,l=¢aV8¦y˜tJ0»ä)'eJ·;ÁÉ
\ No newline at end of file
diff --git a/external/netbox/secrets/netbox_env.age b/external/netbox/secrets/netbox_env.age
deleted file mode 100644
index 2b8d3d5..0000000
--- a/external/netbox/secrets/netbox_env.age
+++ /dev/null
@@ -1,31 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 6J6ApA uOgCmOqPlLdETLFaMMPKIjbp6d41T0gtX0X0hGJDElA
-cBHPVEsfBpEEzHN7ryG7TF7VYt4ft0tO20UOfM1+J5E
--> ssh-ed25519 JGx7Ng IEeY5TQO0glsTZSsrPS9TlMnz5f1okeWlut640ahAio
-AYVWLcPETYKJAYxlUpFpQcPSsIffDIX9+9seqONrCFc
--> ssh-ed25519 Ih+Lhw UDpkkIBQKwPMKlby2KdPOauvW9fZdVzvpLy6PB55aCI
-YvuwrcEHiPVdg7qIzR+y86mSQSbMezbfXvWa8krucP0
--> ssh-ed25519 jIXfPA j7tG5njdpep2XrlFieR/DxhDdzAixDG++erR3KC6fQI
-h4BM2WgwJ0CZG5/XM50V086YF4UGJcmBiOmxsIyf190
--> ssh-ed25519 QlRB9Q vfE9b1Yo8zr+eUPGrWfl2T3rIlD2j0QweDXSI7wu1TU
-Uupo2QK0dbjE9UEt6A/6nxQViW1LvqhDU5lX+hOYX2o
--> ssh-ed25519 r+nK/Q zj475ZsZBzPjfOzqyyylvpG0J00ZiE8NWL+rvhURRWk
-ZSpCLcgfm3X2+KIllRVUVZamn3JZrlUOR/Nahk5sBUA
--> ssh-rsa krWCLQ
-Uij+BTfVAjkGIKQ3qSL+E5YGJfZ6nMB/Kw3IWwZD1QGih6CO3+oooGR1DOqAJv0O
-o2H9v3AbAr0qnaYjK0Gjw/2+6uSu5SDt75p1ocMvLu8gwM1Br+T/7uSuIw7wLgPz
-IinUGDPTFhjR7X7x16IxgXWGMowCa6K/285ztY8v0v9s22uNrrjNEGEiJ/qn41DX
-8hpOmRpxiq5xOG1fsWQYsSW+ZmobBWfJJXzM0iknQL+GniRZd/ySjWr84HcMjDns
-8CcTgeo6gVstQITekvMS3jkixmszJhFJR8WMS9b/bunDIGrxj3cUEObRAzlU48Jd
-dAzOQ+kjzqMwnXbNexq54w
--> ssh-ed25519 /vwQcQ kYZUqgKfoKSAaaJal1bl521wUkrZXR/12+U9Fuff4m8
-4foVQpY3UGsUz1jQFQF+5Es3ui0+QsRVRFgxEmmcws4
--> ssh-ed25519 0R97PA rW9FfcNNRzvCF7p8KOLjJnKZN0dOdJ1nANzaA1vEzw0
-yd1gOIEucTCXsciTtB3VPjdlJvrqv/SKuQwtNKVhGs0
--> ssh-ed25519 JGx7Ng KdsKUOQ+6VcZyxT63RoPpJyK8qg1xkVz8NuPDJUauQs
-MSwBdYg/wGrvylPoIy+UVjiIyVfqbyuliIEVuk+B7cQ
--> Ko+-grease
-xF0g4xMUtgeLzmHbpdZM/cKiQ1yXVpcgLXhpd4czuP4Mv0YDZPnE5//nFsh2N9M2
-ugEnZvPls1cMoKMh6DoM
---- VzbmV+CoC0fLoX3FKJqQqbde/H5E77JhGDcedYKbk+g
-„ï+m|L™å¬åŽ¬.·H£±2”®_©R~uév]¢OmR`ÿ&é˜d-Á¨äHñ8“ˆOð s,ÒpRéeÓš¿ö	®Åh¹t¤Kx=Y­¼ÖêÒ×è·Ìdâ`±FADñŒLÐqJo Ÿ›”¶Ð¯>ž:9`9|3cëÆ…’™<îGð$É)}©€?;-$öb•º!Éþ.÷¦†—³{¶Cï¡´0¿ )äk&¹úr<šöâf¥³
\ No newline at end of file
diff --git a/external/netbox/secrets/secrets.nix b/external/netbox/secrets/secrets.nix
deleted file mode 100644
index 9541d2b..0000000
--- a/external/netbox/secrets/secrets.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-let
-  sources = import ../../../npins;
-
-  inherit ((import sources.nixpkgs { })) lib;
-  nix-lib = import ../../../lib { };
-
-  inherit ((import ../../../meta).members) groups;
-
-  publicKeys =
-    lib.splitString "\n" (builtins.readFile (./maurice.keys)) # maurice servers' keys
-    ++ nix-lib.getAllKeys (groups.netbox ++ groups.root);
-in
-{
-  "netbox.age" = {
-    inherit publicKeys;
-  };
-  "netbox_env.age" = {
-    inherit publicKeys;
-  };
-}
diff --git a/machines/web01/_configuration.nix b/machines/web01/_configuration.nix
index 9f6decb..17c76a5 100644
--- a/machines/web01/_configuration.nix
+++ b/machines/web01/_configuration.nix
@@ -20,6 +20,7 @@ lib.extra.mkConfig {
     "static"
     "wordpress"
     "dolibarr"
+    "netbox"
   ];
 
   extraConfig = {
diff --git a/external/netbox/default.nix b/machines/web01/netbox.nix
similarity index 65%
rename from external/netbox/default.nix
rename to machines/web01/netbox.nix
index 4de9690..72cff6a 100644
--- a/external/netbox/default.nix
+++ b/machines/web01/netbox.nix
@@ -1,20 +1,21 @@
-{ config, pkgs, ... }:
+{ config, pkgs, sources, lib, ... }:
 {
-  imports = [ ./secrets ];
-
   services = {
     netbox = {
       enable = true;
-      secretKeyFile = config.age.secrets."netbox".path;
+      package = (import sources.nixos-unstable {}).pkgs.netbox_3_7;
+      secretKeyFile = "/dev/null";
       listenAddress = "127.0.0.1";
       settings = {
-        ALLOWED_HOSTS = [ "netbox.dgnum.sinavir.fr" ];
+        ALLOWED_HOSTS = [ "netbox.dgnum.eu" ];
         REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
       };
 
-      extraConfig = ''
+      extraConfig = lib.mkForce ''
         from os import environ as env
 
+        SECRET_KEY = env["SECRET_KEY"]
+
         SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
         SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
         SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
@@ -23,7 +24,7 @@
 
     nginx = {
       enable = true;
-      virtualHosts."netbox.dgnum.sinavir.fr" = {
+      virtualHosts."netbox.dgnum.eu" = {
         enableACME = true;
         forceSSL = true;
 
@@ -31,18 +32,18 @@
         locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
       };
     };
-
-    postgresql.package = pkgs.postgresql_14;
   };
 
-  # my server is slow sorry
   systemd.services.netbox.serviceConfig = {
     TimeoutStartSec = 600;
-    EnvironmentFile = config.age.secrets."netbox_env".path;
+    EnvironmentFile = config.age.secrets.netbox_env.path;
   };
 
   systemd.services.netbox-housekeeping.serviceConfig = {
-    EnvironmentFile = config.age.secrets."netbox_env".path;
+    EnvironmentFile = config.age.secrets.netbox_env.path;
+  };
+  systemd.services.netbox-rq.serviceConfig = {
+    EnvironmentFile = config.age.secrets.netbox_env.path;
   };
 
   users.users.nginx.extraGroups = [ "netbox" ];
diff --git a/machines/web01/secrets/netbox_env b/machines/web01/secrets/netbox_env
new file mode 100644
index 0000000..63cf31a
--- /dev/null
+++ b/machines/web01/secrets/netbox_env
@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA K4nQGkOuyKhZ5MQABKf5rqwmx27l9FO4U/RRE2oWv20
+X46HUllM5Vux3Xfk9bOuG3kLGKi7QrJfFDindJk1EnY
+-> ssh-ed25519 QlRB9Q b/j/g4cIT/1ZRj4q+ySzpumo6bzusP8/cWST6FlCo2w
+odNGXC9xVABjeuK60JCX2vZ9WDz2wIfIxfH/u89oPb0
+-> ssh-ed25519 r+nK/Q 93qftDQL3lrmBsoEf8Ii8W3GOYXRe7i1sxBnnB4QfQc
+nN9ydmZljxtSjfMSCaOqAZ9yJDZ7NszgFfxIO1AbruM
+-> ssh-rsa krWCLQ
+m539hM0zvYYZB4gX64dOvbTujaqPVvbwTw/y+ySIiOyBjplZAXH16m9//d7f0uDz
+Skh5OntPj1GorVoNEk+Eo+bLPfIAYkJrpjCWLd6FZgNkbHZ7STKCFTcUyg7lz2+r
+yc8fFwky9VgtYLFd96EBZV02y2R3z+euP+5Tysdq+yaM/DdOR3bTjRVdlpg7kzCo
+eGO25jvj/Mk3m2BJlUl2cOTQAo9e47q7StQhY7xgxG9g2xewhBpwdDbGu9NdrHDu
+aDMXBqWrPz1yVx3TAYi+VwUboL9gYY6oFp2XYZnhbxzQuy6Uf2sw34l+E/1QOjBj
+aPSTAn62r/bseYmSs9EEvQ
+-> ssh-ed25519 /vwQcQ tHXhAZFLaPkl1+wrbCaVcpytQqVOQ1fUEVFCpuNMMjA
+wgWF8GB79+1LVsNC1Id7kThjMrj3i98OjbT8rL9TO2A
+-> ssh-ed25519 0R97PA F5Q1k+4SKxc5mLSNh/djSzfFPXuG0ritZtpdI0RalGE
+RT0E4/Z75+sgUFtuJjuSa6q49/BWpvCikr83OIbTSOw
+-> ssh-ed25519 JGx7Ng me7czRBgNgb0I/JLnH2dh6h2Opxn/vy3FcxiaHsBPAo
+TfcvYvUgjL/IQLT0iMjVzyMbkUvfXL6yc28V1OKwitU
+-> ssh-ed25519 5SY7Kg VWQPzMOckhC6rW5rqN7rOdUlpzaZD1wzY0Z7Enp1sFU
+KkIJuPdZFc1EPqr8h696ixWhhXuCAr4CTsCvkxOyQPI
+-> ssh-ed25519 p/Mg4Q Cp0oC+3C/EguAAG9OJPUAS1lqFpKchrYFpEm16WDvhI
+MBytJhf9lKtlIuYFb0dFu1/oyoleJtIub8kDEm6D2fo
+-> ssh-ed25519 0IVRbA ycBqVdH0EqRNZmZ/8aw67PuFI5Gyf6PWwWHTsjH9TXU
+YmPbatp5q43yA0T/AFXnrYcJS3z/ECDxnkYg3/FVacQ
+--- neVy86qk1IY/DUoofRpOXfK3bwXitHIZYMzs4teIzYI
+È@ñÄâ"½ëN<$µ:ÃÒ Jê¾éb¤€rƒ¢â^xO0=gÐQš€éû¼;Ú@Æ[Ñ|.
+|ˆ7CÓû¥«RÜîƒ§«†’ýäIVè5þ§ƒ~m¿ÉzÉ‹á]|à£ÈÛérÎ£Ê`	»“É`?ÄÖpk±n”þRzSŸ Á)ß£YÇ6ÅgmWm˜D÷Õ|2-t¡„ÿBis×œÚ×Fµò¨ësr­b÷ux`ìmIFäîÉÔ…Ðkñ	9{Z\‚4œe»ýð;â‚s
+uøÂ•Ôž,üÕU]­êÆgo—`@øã¶™!‰*ó*¾@Ì‰ÁìpM´æ´Q
\ No newline at end of file
diff --git a/machines/web01/secrets/secrets.nix b/machines/web01/secrets/secrets.nix
index 1ae6145..9a3beb5 100644
--- a/machines/web01/secrets/secrets.nix
+++ b/machines/web01/secrets/secrets.nix
@@ -7,6 +7,7 @@ lib.setDefault { inherit publicKeys; } [
   "bupstash-put_key"
   "matterbridge-config_file"
   "named-bind_dnskeys_conf"
+  "netbox_env"
   "ntfy_sh-environment_file"
   "plausible_admin-user-password-file"
   "plausible_secret-key-base-file"
diff --git a/patches/default.nix b/patches/default.nix
index b4eb93d..56ac221 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -1,5 +1,8 @@
 {
   "nixos-23.11" = [
+    { _type = "static";
+      path = ./netbox.patch;
+    }
     # castopod: 1.6.4 -> 1.7.0 + ajout du support de loadcredentials
     {
       _type = "static";
diff --git a/patches/netbox.patch b/patches/netbox.patch
new file mode 100644
index 0000000..87e78e7
--- /dev/null
+++ b/patches/netbox.patch
@@ -0,0 +1,50 @@
+From 163fed297ed65a24241f190d8e954ce1877f9020 Mon Sep 17 00:00:00 2001
+From: Minijackson <minijackson@riseup.net>
+Date: Mon, 22 Jan 2024 16:17:57 +0100
+Subject: [PATCH] netbox: 3.6.9 -> 3.7.1
+
+Or another way to see it:
+
+netbox_3_7: init at 3.7.1
+
+Make NetBox 3.7 the default version if stateVersion >= 24.05,
+switch upgrade test to test upgrade from 3.6 to 3.7,
+remove clearcache command for >=3.7.0,
+make reindex command mandatory
+---
+ nixos/modules/services/web-apps/netbox.nix     | 15 +++++++++------
+
+diff --git a/nixos/modules/services/web-apps/netbox.nix b/nixos/modules/services/web-apps/netbox.nix
+index 72ec578146a764..b0921f461d2216 100644
+--- a/nixos/modules/services/web-apps/netbox.nix
++++ b/nixos/modules/services/web-apps/netbox.nix
+@@ -75,7 +75,9 @@ in {
+     package = lib.mkOption {
+       type = lib.types.package;
+       default =
+-        if lib.versionAtLeast config.system.stateVersion "23.11"
++        if lib.versionAtLeast config.system.stateVersion "24.05"
++        then pkgs.netbox_3_7
++        else if lib.versionAtLeast config.system.stateVersion "23.11"
+         then pkgs.netbox_3_6
+         else if lib.versionAtLeast config.system.stateVersion "23.05"
+         then pkgs.netbox_3_5
+@@ -306,12 +308,13 @@ in {
+           ${pkg}/bin/netbox trace_paths --no-input
+           ${pkg}/bin/netbox collectstatic --no-input
+           ${pkg}/bin/netbox remove_stale_contenttypes --no-input
+-          # TODO: remove the condition when we remove netbox_3_3
+-          ${lib.optionalString
+-            (lib.versionAtLeast cfg.package.version "3.5.0")
+-            "${pkg}/bin/netbox reindex --lazy"}
++          ${pkg}/bin/netbox reindex --lazy
+           ${pkg}/bin/netbox clearsessions
+-          ${pkg}/bin/netbox clearcache
++          ${lib.optionalString
++            # The clearcache command was removed in 3.7.0:
++            # https://github.com/netbox-community/netbox/issues/14458
++            (lib.versionOlder cfg.package.version "3.7.0")
++            "${pkg}/bin/netbox clearcache"}
+ 
+           echo "${cfg.package.version}" > "$versionFile"
+         '';