Compare commits

256 commits

Author SHA1 Message Date
bc75d78a22 feat(shell): Add lon 2024-09-12 20:16:20 +02:00
69af2c4640 chore(shell): Remove disko 2024-09-12 20:14:35 +02:00
9174965f28 feat(pre-commit): Switch to pre-push stage for linters 2024-09-12 20:14:16 +02:00
99825b89ca fix(stirling-pdf): Make it build again 2024-09-10 22:41:25 +02:00
3014fb79dc fix(shell): No need to patch git-hooks anymore 2024-09-10 21:11:53 +02:00
06285b9108 chore(npins): Update 2024-09-10 21:11:03 +02:00
dea475cea9 chore(shell): add agenix 2024-09-10 20:12:24 +02:00
595407c13b feat(ISP): enable SNAT on 5C:64:8E:F4:09:06
For testing purposes.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-09-08 12:32:56 +02:00
3b766e6a2b feat(ulogd): enabling ulogd 2024-09-08 12:21:08 +02:00
b8601b0782 feat(nat): deactivating on vlan-apro 2024-09-07 16:09:01 +02:00
sinavir 7885442381 fix(web01): Update calendar 2024-09-04 16:21:26 +02:00
605f7beda2 fix(uptime-kuma): Don't try to get the radius endpoint 2024-09-01 23:34:07 +02:00
fe9c71f37e fix(reaction): Use the correct netbird space 2024-09-01 23:33:34 +02:00
fd0aeacff4 feat(firewall): Sunset fail2ban and switch to reaction 2024-09-01 22:51:56 +02:00
86c1018dc8 fix(web01): Add a redirection from bds.ens.fr/gestion2 to its new location 2024-09-01 15:48:35 +02:00
8a42e18d98 feat(k-radius): Use LE certificates instead of self-signed ones 2024-09-01 15:40:59 +02:00
3ca3ff8939 feat(radius): add AP secret for RADIUS auth requests
Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-08-31 22:38:35 +02:00
16f47ce227 feat(wordpress): Finish the migration of the BDS website 2024-08-31 00:36:19 +02:00
f5cc186ea1 feat(web01): Decommission kahulm 2024-08-30 18:44:58 +02:00
ad7eb40e51 fix(dns): Always end with a . ... 2024-08-30 10:13:33 +02:00
ccaa999adc feat(wordpress): Prepare the migration 2024-08-30 10:08:12 +02:00
359d839ad4 feat(dns): Add BDS redirection 2024-08-30 10:08:12 +02:00
sinavir b4b2cf3836 feat(metis): Update to add "Rentrée" 2024-08-28 16:55:23 +02:00
cbc5dea62b fix(kahulm): use non-gitrelease type for source
And bump it to the latest main branch.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-08-19 09:34:55 +02:00
0d7b4efbd3 feat(kahulm): Added kahulm to web01 2024-08-17 18:00:30 +02:00
b70dd91eb2 fix(workflows): Run lint on pull_requests too 2024-08-17 18:00:10 +02:00
b3b21d1f96 feat(forgejo-runners): Switch to patched version of colmena
This allows bridge01 to be evaluated in the CI
2024-08-14 18:56:11 +02:00
sinavir 53fe784b5a feat(CI): build bridge01 2024-08-04 16:19:43 +02:00
sinavir 18175ad4ab fix(CI): Upload artifact for all machines 2024-08-04 16:13:54 +02:00
d566336d5e feat(iso): Use default nixpkgs version 2024-07-30 11:14:35 +02:00
e0cec882d8 feat(console): Add motd with system info 2024-07-30 10:39:10 +02:00
2cb6c24535 feat(git-hooks): Update
- Patch git-hooks.nix source to rename `nixfmt` to `nixfmt-classic` and
avoid annoying warnings when reloading the shell
2024-07-30 10:36:36 +02:00
sinavir 60267b4ff6 feat: Update CI to use tvix-store 2024-07-29 14:31:42 +02:00
sinavir c14e263b98 feat(tvix-store): Init 2024-07-29 14:31:42 +02:00
fca52e471e fix(crabfit): Don't depend on all of google-fonts 2024-07-29 14:31:02 +02:00
be128f6c3a feat(kadenios): Fix build of static files and restore cas.eleves.ens.fr for authens 2024-07-28 14:30:03 +02:00
1216a0a780 feat(cas-eleves): Redirect from cas-eleves.dgnum.eu to cas.eleves 2024-07-28 14:10:42 +02:00
sinavir f6c9137850 fix(signal-irc-bridge): make it work 2024-07-20 00:45:17 +02:00
5e7a6b09ec fix(meta): Assign null to bridge01.netbirdIp 2024-07-19 17:33:04 +02:00
sinavir 61bdf34c70 feat(signal-irc-bridge): Add dns record for file server 2024-07-19 17:27:37 +02:00
23b2a19494 feat(kadenios): Don't include dev dependencies in the environment 2024-07-19 11:24:21 +02:00
060e04118d chore(cas.eleves): Update 2024-07-12 20:04:50 +02:00
ce64be6e79 Revert "fix(web02): Don't be too fast"
This reverts commit a6c3b42ad9.
2024-07-12 19:13:04 +02:00
8e901ab790 feat(kadenios): Update 2024-07-12 11:02:15 +02:00
a6c3b42ad9 fix(web02): Don't be too fast 2024-07-12 11:02:04 +02:00
aee4ff41df fix(npins): Stay on a stable version 2024-07-11 15:05:22 +02:00
b1d7147d86 fix(dns): Use correct redirection 2024-07-11 11:10:50 +02:00
d35a3a623b feat(dns): Add CNAME for traque.dgnum.eu 2024-07-11 11:06:57 +02:00
a43e10d77d fix(npins): Update the version used 2024-07-11 10:33:01 +02:00
680682f520 feat(bridge02): Initialize and add instructions to the README 2024-07-10 17:31:04 +02:00
0e8f752d79 feat(shell): Update colmena to a version that understands sshOptions 2024-07-10 17:29:20 +02:00
4bc2ebf429 feat(web02): Switch to cas.eleves.ens.fr for the cas server 2024-07-10 14:15:24 +02:00
1bf5ad93a2 feat(kadenios): Add management script 2024-07-09 14:52:01 +02:00
954ba45281 feat(web02): Deploy kadenios on vote.dgnum.eu 2024-07-09 10:47:30 +02:00
59aaf015dd chore(cas-eleves): There is no real build phase 2024-07-09 10:46:58 +02:00
411795c664 fix(routing): clean icmp storm 2024-07-08 20:38:01 +02:00
dce439fcca fix(shitty-oob): Drop user vlans when no-uplink 2024-07-08 20:38:00 +02:00
37a18c0347 feat(nat): Enable nat (with ip_forward) 2024-07-08 20:38:00 +02:00
a00833c682 fix(cas-eleves): Fix the build of django-cas-server 2024-07-08 16:23:12 +02:00
adf62b0534 feat(web02): Switch to nix-pkgs for python modules 2024-07-07 13:56:10 +02:00
61b2408564 feat(dns): Add vote.dgnum.eu to web02 2024-07-07 13:10:58 +02:00
7092c4e9c3 fix(attic): Don't use the same port as prometheus 2024-07-06 11:59:58 +02:00
d553d6efe7 fix(stirling-pdf): Vendor patches and update version 2024-07-06 11:36:54 +02:00
9e2b066cfc chore(npins): Update 2024-07-06 11:36:54 +02:00
9f7ddf2adf feat(nextcloud): Update collabora and settings 2024-07-05 18:44:49 +02:00
5279356835 feat(nextcloud): Upgrade to 29 2024-07-05 16:15:27 +02:00
8b3747fd22 fix(web02): Once more 2024-07-05 16:09:04 +02:00
38f6151fbb fix(web02): Don't let the CI choke 2024-07-05 15:31:57 +02:00
96e9f14e2d feat(infra): Switch to lix 2024-07-05 14:39:02 +02:00
c233a22a1a feat(web02): Switch to nixos-24.05 2024-07-05 14:38:53 +02:00
04854d24bc feat(nixpkgs): Update default version 2024-07-05 14:38:33 +02:00
sinavir 2b52c9997a fixup! feat: Upgrade machines to nixos-24.05 2024-07-05 10:54:33 +02:00
sinavir f637ae9ea8 fixup! feat: Upgrade machines to nixos-24.05 2024-07-05 10:54:33 +02:00
ac09d221ad feat: Upgrade machines to nixos-24.05 2024-07-05 10:54:33 +02:00
7c5ed7b65a feat(cas-eleves): Update and load fixture 2024-07-04 21:29:22 +02:00
325e24f5f6 feat(cas-eleves): Update to latest version 2024-07-03 14:56:46 +02:00
5668b6bbfd feat(web02): Deploy a CAS server on cas-eleves.dgnum.eu 2024-07-02 20:54:45 +02:00
250a4b6c87 feat(meta): Add dns for cas-eleves 2024-07-02 18:04:46 +02:00
807415ae93 feat(arkheon): Update 2024-06-26 22:54:15 +02:00
0be91e4803 fix(web02): Use the correct fs configuration 2024-06-26 22:25:40 +02:00
83d8ff264d feat(web02): Reimage the node 2024-06-17 17:06:37 +02:00
1266091123 fix(iso): Use correct attribute 2024-06-17 15:33:49 +02:00
bf1eab1c5e fix(shell): Use an up to date version of nixos-generators 2024-06-17 15:33:49 +02:00
6a44aa3504 fix(meta/nodes): use the full FQDN for vault01
Otherwise, I cannot really hit it… :D

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
2024-06-14 22:15:46 +02:00
450d862b41 feat(dns): Add a redirection for the radius service 2024-06-14 21:03:10 +02:00
1ac7ca0d99 fix(forgejo): Re-enable gravatars 2024-06-06 11:24:13 +02:00
076e6a499a feat(forgejo): Enable cron actions 2024-06-06 11:21:42 +02:00
sinavir 45b776b94e feat(banda): Add domain name 2024-06-05 11:43:23 +02:00
bc5ee80d69 style: requested changes 2024-05-26 20:50:33 +02:00
9f256186e0 feat(dhcp): drop freeRadius to use networkd 2024-05-23 14:58:37 +02:00
e9c5489bc2 feat(dhcp): dhcp configuration
limit to 300 vlans because of freeRadius limitation
2024-05-23 10:39:24 +02:00
f9250e8886 feat(k-radius): Allow to enable extra mods and sites 2024-05-23 10:39:24 +02:00
8c14c5d2c6 refactor(vlans): list vlans and their parameters in a separate file 2024-05-23 10:39:24 +02:00
f22580dd26 fix(vlans): activate things to bypass vlan limit 2024-05-23 10:39:24 +02:00
35ab7bfee3 feat(dhcp): Add DHCP on vlans
Uses networkd, maybe it's better to do it with radius, but it's simpler
2024-05-23 10:39:24 +02:00
150e741263 feat(routing): Each vlan has a different IP and policy rules 2024-05-23 10:39:24 +02:00
93bf6f8baa feat: refactor of the IP plan 2024-05-23 10:39:24 +02:00
2329799c87 feat(monitoring): Add adminGroup emails 2024-05-22 19:05:03 +02:00
sinavir bfeaa18530 feat(signal-irc-bridge): init 2024-05-22 18:26:06 +02:00
d3b7481188 fix(atticd): Don't chunk NARs as garage does it automatically 2024-05-21 09:24:01 +02:00
e2de21ed18 feat(cineclub): Add redirections 2024-05-18 19:14:24 +02:00
9a1f49d0ce fix(README): Use correct link 2024-05-18 16:48:05 +02:00
9a8c182a95 feat(wp): Update cineclub address 2024-05-18 16:47:54 +02:00
1d686b740b feat(verify): Tweak error message 2024-05-15 09:58:50 +02:00
e4e44dfd00 feat(meta): Add Elias 2024-05-14 23:50:20 +02:00
947e29aa57 feat(vault01): Make the fai group admin 2024-05-14 23:48:40 +02:00
a559d2e0c0 feat(meta): Add more assertions 2024-05-14 23:47:20 +02:00
e49ab86364 fix(iso): Correctly import meta 2024-05-14 23:32:08 +02:00
aad6490bd5 feat(meta): Add assertions 2024-05-14 23:31:49 +02:00
0e7dd1ea70 feat(organization): Add external and internal services 2024-05-14 17:32:54 +02:00
01b967fff0 feat(organization): Add FAI group 2024-05-14 17:23:02 +02:00
8d2a46e538 feat(meta): Remove the ISO group 2024-05-14 17:15:55 +02:00
a63f682aeb feat(monitoring): Add admin emails 2024-05-13 23:33:36 +02:00
b732c5e9fb chore(npins): Update 2024-05-07 13:27:24 +00:00
2c88c2bad7 fix(netbox-agent): batch requests filtering on interfaces
Re-enable the service on vault01 now that it works
2024-05-07 13:29:43 +02:00
sinavir 3494f609bb fix(netbox-agent): really disable on vault01 2024-05-07 09:07:22 +02:00
sinavir bf4bdf70df fix(netbox-agent): disable on vault01 2024-05-07 08:45:19 +02:00
sinavir ac67107c6d fix(patches): use again netbox-agent PR 2024-05-07 08:44:46 +02:00
efee0dd7b7 feat(patches): Vendor patches and rename 2024-05-07 08:17:49 +02:00
0eb813c8bf feat(compute01): Upgrade postgres to 16.2 2024-05-01 16:01:44 +02:00
17a6e085b5 feat(dgn-console): Add perf 2024-04-28 19:16:56 +02:00
4e7b3154da feat(compute01): Add postgres config 2024-04-28 19:14:52 +02:00
ed567cf432 chore(ds-fr): Update 2024-04-24 18:53:48 +02:00
6c843bb00f fix(garage): Restore logLevel and increase TimeoutSec 2024-04-24 10:05:33 +02:00
e86edb074b fix(garage): Make the logs readable 2024-04-24 09:42:06 +02:00
sinavir d26370514a feat(garage): add banda's website 2024-04-23 23:28:09 +02:00
sinavir 9b6536f529 feat(prometheus): monitor garage 2024-04-23 23:26:03 +02:00
3f928ce90b feat(modules): Generalize redirections 2024-04-23 22:02:04 +02:00
dd10a8e2fe feat(ups): Use netbirdIp as given in the metadata 2024-04-23 13:47:21 +02:00
4296252fcc feat(meta): Add netbird ip 2024-04-23 13:46:33 +02:00
sinavir d5d21ec204 fix(prometheus-nut-exporter): make it work 2024-04-22 08:28:40 +02:00
1eea46b59f style: requested change 2024-04-21 23:14:53 +02:00
4d16839a10 feat(upsmon): Send mails to isp team 2024-04-21 23:14:53 +02:00
ee81052766 fix(ups): Password is a secret 2024-04-21 23:14:53 +02:00
b8d3b34122 feat(upsmon): Auto-shutdown when on battery for too long 2024-04-21 23:14:53 +02:00
9ec9821556 feat(ups): nut_exporter and scraping 2024-04-21 23:14:53 +02:00
f9de205aad feat(upsd): Enabling upsd 2024-04-21 23:14:53 +02:00
sinavir 20d3354a4d feat: declarative probes for uptime-kuma 2024-04-21 22:45:52 +02:00
c4154e0a35 fix(plausible): Make the migration effective 2024-04-21 22:42:51 +02:00
f065db687a feat(plausible): Transfer from web01 to compute01 2024-04-21 21:50:01 +02:00
sinavir fd6674fd5d feat: Enable sendmail setuid wrapper 2024-04-20 20:40:26 +02:00
sinavir dc341cf611 fix: attic s3 parameters bis
Set AWS_REGION. Hope this will work
2024-04-20 20:39:48 +02:00
sinavir 12bf83f68e fix: attic s3 parameters 2024-04-20 17:47:40 +02:00
sinavir 1b29118b98 fix: mastodon smtp setup bis 2024-04-20 17:47:02 +02:00
sinavir b26d9f752e fix: mastodon smtp setup 2024-04-20 15:40:10 +02:00
f2e4e8aa5b chore(ds-fr): Update 2024-04-20 11:04:04 +02:00
ad7ce0be7e feat(stirling-pdf): Add DGNum custom patch 2024-04-19 16:13:01 +02:00
323caed4ed feat(static): Update eleves.dgnum.eu 2024-04-19 15:36:30 +02:00
496c1ff33f feat(stirling-pdf): Default to french locale 2024-04-19 14:58:13 +02:00
dba0c88f70 feat(compute01): Deploy stirling-pdf on pdf.dgnum.eu 2024-04-19 14:40:09 +02:00
c47437116b feat(modules): Introduce per node module import from meta 2024-04-18 16:23:25 +02:00
46b550781e chore(hive): Simplify path 2024-04-18 16:06:43 +02:00
cbdbed1099 feat(infra): Add nodeMeta argument 2024-04-18 15:53:20 +02:00
f63c95e4d9 fix(ds-fr): Test3 2024-04-17 17:27:25 +02:00
e51a7b4a81 fix(ds-fr): Test2 2024-04-17 17:10:28 +02:00
ace6f1d931 fix(ds-fr): Remove cache 2024-04-17 17:06:28 +02:00
63d7d7d658 fix(ds-fr): Test 2024-04-17 16:34:30 +02:00
22ef2cf79d feat(ds-fr): Update version and workflow 2024-04-17 15:14:34 +02:00
c6691cf9f1 feat(ds-fr): Switch to new upstream packaging..... 2024-04-17 14:47:55 +02:00
sinavir 0c45a88561 fix: change prometheus retention time 2024-04-16 18:57:18 +02:00
01c2505491 feat(vault01): Add user vlans
Only the first 300 vlans are activated, 850 make it crash
2024-04-16 09:40:47 +02:00
9e75839ada feat(forgejo): Update config, and enable mail notifications 2024-04-16 09:32:32 +02:00
fe076d5ba4 chore(npins): Update 2024-04-15 16:23:01 +02:00
ee4c0ca4d6 fix(atticd): Run with less logs 2024-04-15 16:21:15 +02:00
dd4e2c62aa feat(infra): Make the gc run weekly 2024-04-15 11:36:31 +02:00
10a925021f feat(console): Upstream nsncd has the features we need 2024-04-15 09:32:36 +02:00
eb7d4169cd fix(workflows): Enable meta check on PRs 2024-04-14 18:38:42 +02:00
93b7a242ab feat(vault01/networking): Simplify the configuration 2024-04-14 14:49:22 +02:00
sinavir 60ee43b577 feat(monitoring): Add uptime-kuma to prometheus targets 2024-04-14 01:10:10 +02:00
sinavir c6fe6b5891 feat(monitoring): Enable node exporter on almost all nodes 2024-04-14 01:10:10 +02:00
sinavir 8e79b19101 fix(prometheus): Provide retention and scraping policy 2024-04-14 01:10:10 +02:00
sinavir
ba2284cc68 fix(netbox-agent): Increase randomized delay 2024-04-13 15:11:27 +02:00
161d9b8081 chore(npins): Update 2024-04-13 13:44:23 +02:00
75409ed0df feat(forgejo): Use package from nixos-unstable 2024-04-13 13:44:23 +02:00
199ccd4034 feat(kanidm): Update allowed domains for the CORS 2024-04-13 13:44:23 +02:00
sinavir 9826a7d8a3 fix(cache): Fix weird message when using cache command 2024-04-12 22:59:46 +02:00
sinavir 9f2165abc8 feat(ci): Cache CI results 2024-04-12 22:14:20 +02:00
sinavir 7645b6fd71 fix(attic): Change client_max_body_size 2024-04-12 19:49:27 +02:00
sinavir d0684ead8a fix(attic): Use package from nixpkgs 2024-04-12 19:36:44 +02:00
e961fb1473 feat(static): Update interq.ens.fr 2024-04-12 11:44:49 +02:00
06ac087ab6 feat(static): Update interq.ens.fr 2024-04-11 21:50:25 +02:00
fe0b181fd9 feat(static): Update interq.ens.fr 2024-04-10 09:54:58 +02:00
84e5f4a33a fix(satosa): Use GH source 2024-04-08 23:23:25 +02:00
9eb89a03ab fix(radius): Don't lose our shit when copying files 2024-04-08 23:10:59 +02:00
e2cb4a7dca feat(k-radius): Update packages 2024-04-08 22:42:59 +02:00
ccfbc4be42 feat(radius): Move configuration from compute01 to vault01 2024-04-08 22:21:17 +02:00
e8fde45fbf feat(apro): Add vlan apro for AP flashing 2024-04-08 16:01:29 +02:00
999817ce8b feat(ds-fr): Update dependencies 2024-04-07 21:47:22 +02:00
ac2bd4bb13 chore(npins): Update 2024-04-07 21:32:03 +02:00
3573613033 feat(web02): Don't specify a kernel version 2024-04-07 21:31:48 +02:00
d23d53d5fc feat(vault01): Disable bcachefs 2024-04-07 21:29:18 +02:00
beba4fb0f6 feat(mgmt): Add APs vlan access 2024-04-07 20:20:04 +02:00
026653218f feat(mgmt): Use IPv6 instead of IPv4 2024-04-07 20:20:04 +02:00
sinavir adb1690b08 feat(netbox-agent): update
Add hardening to systemd unit
2024-04-07 16:27:03 +02:00
5919b75851 feat(dgn-record): Use latest arkheon 2024-04-06 16:21:21 +02:00
158e9647bd feat(netbox): Update QR-Code config 2024-04-06 00:48:34 +02:00
2e3bb99b84 feat(vault01): Add admin vlan 2024-04-06 00:02:47 +02:00
a64f5dac9e feat(static): Update interq.ens.fr 2024-04-06 00:02:09 +02:00
400e20d093 fix(patches): Update hash for the netbox-agent PR 2024-04-05 11:36:52 +02:00
812758447b feat(meta): Add README 2024-04-04 13:36:51 +02:00
bc5cc97511 fix(dns): Add comment 2024-04-04 13:36:41 +02:00
f9a34353a3 Add keys/catvayor.keys (#83)
Reviewed-on: DGNum/infrastructure#83
Co-authored-by: katvayor <catvayor@katvayor.net>
Co-committed-by: katvayor <catvayor@katvayor.net>
2024-04-04 12:49:28 +02:00
b36b0d7d67 feat(infra): Rework nixpkgs version management 2024-04-03 22:05:37 +02:00
sinavir 47d09f6ffa feat(dns): IPv4 for rescue01 2024-04-03 21:20:56 +02:00
sinavir 732ed7081d feat(monitoring): Add simple systemd monitoring 2024-04-03 21:19:28 +02:00
23056a02c3 feat(meta/verify): Write the config as a json file 2024-04-03 19:49:36 +02:00
sinavir 22fb460650 feat(netbox): Add qr-codes 2024-04-03 19:31:46 +02:00
sinavir 39d1d2999b feat(hive): Add function to instantiate patched nixpkgs in specialArgs 2024-04-03 19:21:40 +02:00
c2bafcbc65 feat(static): Update interq.ens.fr 2024-04-03 16:04:37 +02:00
317cdf4abd feat(web01): Add redirections 2024-04-02 20:57:13 +02:00
3bede07e53 fix(web01): Use a version with a correct structure 2024-04-02 20:48:53 +02:00
14bb3aed8a chore(ds-fr): Update 2024-04-02 20:11:53 +02:00
42c1d3280f feat(web01): Deploy tuteurs.ens.fr on our infra 2024-04-02 14:32:35 +02:00
e9c6f0a2b6 feat(infra): Add checks for meta 2024-03-29 14:37:21 +01:00
sinavir fdd4f4b443 feat(rescue01): deploy uptime-kuma 2024-03-28 16:25:29 +01:00
sinavir 747d8c08cb feat(netbox-agent): init 2024-03-28 13:26:19 +01:00
733c9c74a7 chore(ds-fr): Update 2024-03-27 16:29:42 +01:00
sinavir ce05bee635 feat(vault01): CRI uplink is now connected to internet 2024-03-27 15:38:46 +01:00
9cbe1b828f feat(dgn-console): Add more utilities 2024-03-27 15:15:44 +01:00
5b0562d59e feat(static): Update interq.ens.fr 2024-03-27 14:36:34 +01:00
sinavir 51db3d1dbb fix(vault01): Fix connection to Catvayor's router 2024-03-27 10:26:53 +01:00
sinavir 3cce216ada feat(vault01): Add CRI link 2024-03-27 10:26:31 +01:00
a3b0dfa0b6 chore(npins): Update 2024-03-25 13:05:46 +01:00
7c977fc3d9 feat(ds-fr): Update 2024-03-25 12:50:22 +01:00
16ae324b62 feat(web01): Disable dolibarr 2024-03-24 18:41:22 +01:00
2a02fd6ef5 feat(dgn-console): Add more tools 2024-03-24 18:11:26 +01:00
88859390a6 feat(meta): Switch to new naming scheme for sites 2024-03-24 10:18:33 +01:00
sinavir a894c3f299 fix(forgejo-runner): update nix-modules to fix store generation bug 2024-03-23 23:57:57 +01:00
3b9b2d4796 chore(static): Update 2024-03-16 17:57:30 +01:00
9cae38be02 feat(garage): Simplify management of domains and buckets 2024-03-16 17:34:42 +01:00
sinavir f74fd8c8eb feat(simiweb): Move to S3 2024-03-16 16:17:02 +01:00
sinavir a7664ce44b feat(garage): Add ambassadeurices sante website 2024-03-15 21:55:42 +01:00
84e439a89f chore(npins): Update 2024-03-15 09:44:59 +01:00
171505def2 chore(ds-fr): Update 2024-03-14 17:28:18 +00:00
sinavir 30e13a116f fix(web01): Fix disko config 2024-03-13 23:53:01 +01:00
c512d2d043 fix(netbox): Rename the backup 2024-03-13 20:34:17 +01:00
12704a5056 feat(netbox): Set up backups 2024-03-13 20:22:07 +01:00
sinavir 542114394e fix(meta): Document meta/verify.nix 2024-03-13 11:24:27 +01:00
d2261e6fd5 chore(static): Update 2024-03-13 09:33:15 +01:00
3afa84cf80 chore(npins): Update 2024-03-12 13:34:44 +01:00
032f6b92f1 chore(ds-fr): Update 2024-03-12 13:24:45 +01:00
sinavir 2e93649de3 fix(vault01): Connect to internet and deploy through vpn 2024-03-12 12:27:05 +01:00
sinavir 581fa6b560 chore: pre-commit hooks are supposed to be run.... 2024-03-10 01:03:30 +01:00
d946894d8f chore(npins): Update
Remove the patched version of garage as the upstream version contains it
2024-03-09 17:31:06 +01:00
3bccda09db feat(infra): Enable recording of deployments 2024-03-08 23:11:31 +01:00
5f899bc0e7 feat(lib): Add machineKeys 2024-03-08 23:11:10 +01:00
1d40e44399 feat(keys): Add rescue01 and web02 2024-03-08 23:10:47 +01:00
2a388f53ac fix(compute01): Make it work? 2024-03-08 13:58:07 +01:00
2ade516d48 feat(compute01): Deploy arkheon 2024-03-08 11:55:02 +01:00
f71eedba77 fix(lib): Update due to meta rework 2024-03-08 11:55:02 +01:00
85c651a139 chore(ds-fr): Update 2024-03-08 11:15:13 +01:00
7cf8632998 feat(dns): Add cname for arkheon 2024-03-08 11:07:23 +01:00
d4c6f05ed3 feat(colmena): Apply deployment protection from Jade Lovelace 2024-03-08 11:07:23 +01:00
sinavir 4f1e579fa8 feat(castopod): big update 2024-03-06 22:53:24 +01:00
3c7cdd2679 chore(static): Update 2024-03-05 11:08:17 +01:00
c5f3a0b269 chore(ds-fr): Update 2024-03-04 17:28:11 +00:00
182 changed files with 10335 additions and 2338 deletions

View file

@ -0,0 +1,25 @@
name: Check meta
on:
pull_request:
branches:
- main
push:
paths:
- 'meta/*'
jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
run: nix-build meta/verify.nix -A dns --no-out-link
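Review bot: `check_meta` runs `nix-build meta/verify.nix -A meta` without `--no-out-link` while `check_dns` passes it, so the first job leaves a `result` symlink in the checkout for nothing; add `--no-out-link` to both for consistency. Both jobs also reference `actions/checkout@v3` by mutable tag; for a workflow that gates changes to `main`, pin the action to a full commit SHA so a moved tag cannot change what runs. Finally, `paths: - 'meta/*'` only matches files directly under `meta/` (a single `*` does not cross `/`); if `meta/` ever gains subdirectories the push trigger will silently stop firing for them, so `meta/**` is the safer pattern.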

View file

@ -1,8 +1,7 @@
name: ds-fr update
on:
schedule:
# Run at 8 o'clock every day
- cron: "26 18 * * *"
- cron: "26 18 * * wed"
jobs:
npins_update:
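Review bot: the comment `# Run at 8 o'clock every day` no longer describes the schedule: `26 18 * * wed` fires at 18:26 (UTC on the runner) and only on Wednesdays. Update the comment in the same change so the next reader does not assume the ds-fr pin is refreshed daily.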

View file

@ -68,3 +68,201 @@ jobs:
run: |
# Enter the shell
nix-shell --run 'colmena build --on rescue01'
build_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo01
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo01'
build_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo02
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo02'
build_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build bridge01
run: |
# Enter the shell
nix-shell --run 'colmena build --on bridge01'
push_to_cache_compute01:
runs-on: nix
needs:
- build_compute01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "compute01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: uploaded.txt
push_to_cache_storage01:
runs-on: nix
needs:
- build_storage01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "storage01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: uploaded.txt
push_to_cache_rescue01:
runs-on: nix
needs:
- build_rescue01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "rescue01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: uploaded.txt
push_to_cache_geo01:
runs-on: nix
needs:
- build_geo01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: uploaded.txt
push_to_cache_geo02:
runs-on: nix
needs:
- build_geo02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: uploaded.txt
push_to_cache_web01:
runs-on: nix
needs:
- build_web01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: uploaded.txt
push_to_cache_web02:
runs-on: nix
needs:
- build_web02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt
push_to_cache_bridge01:
runs-on: nix
needs:
- build_bridge01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "bridge01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt
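Review bot: `push_to_cache_bridge01` uploads its artifact as `name: outputs_web02` (last lines of the hunk), a copy-paste slip from the `web02` job; with `actions/upload-artifact@v3` two jobs uploading under the same name are merged into one artifact, so the bridge01 and web02 `uploaded.txt` files overwrite each other. Change it to `outputs_bridge01`. Separately, every push job authenticates to the `infra-signing` endpoint as `STORE_USER: "admin"` with one shared `STORE_PASSWORD`; a CI job that only needs to push store paths should use a dedicated least-privilege account rather than the store's admin credential, since a leak from any of these jobs currently yields full control of the signing store. The eight near-identical `build_*` / `push_to_cache_*` pairs would also be easier to keep consistent (and would not have produced this slip) as one job with a `strategy.matrix` over the node names.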

View file

@ -1,5 +1,5 @@
name: lint
on: push
on: [push, pull_request]
jobs:
check:
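Review bot: `on: [push, pull_request]` runs `lint` twice for a pull request opened from a branch in this repository (once for the push event, once for the pull_request event). If the intent is to cover pull requests from forks, restrict the push trigger to `branches: [main]`, in the spirit of the `branches: - main` filter the `Check meta` workflow already uses, so each change is linted once.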
@ -8,4 +8,4 @@ jobs:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
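Review bot: `--hook-stage pre-push` means this job only runs the hooks that `default.nix` declares for the `pre-push` stage (statix, deadnix, nixfmt-rfc-style); hooks not declared for that stage, such as the shell's `commitizen` hook, are not exercised here. Since a local `git commit` no longer runs the linters either, this job should be a required status check on `main`; otherwise a branch pushed with `--no-verify` reaches review unlinted and nothing blocks it.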

View file

@ -3,6 +3,102 @@
The dgnum infrastructure.
# Contributing
Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file.
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.
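Review bot: the "Download the keys" step takes the host key straight from `ssh-keyscan address.of.host02`, an unauthenticated exchange, and the key saved in `keys/machines/host02.keys` is later handed to `lib.getNodeKeys "host02"` to encrypt secrets for that host, so a wrong key here means secrets encrypted to whoever answered the scan. Add a sentence telling the operator to compare the scanned key with the fingerprint read on the machine itself (for example `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on its console) before committing it. Smaller points in the same hunk: the link moves from `CONTRIBUTING.md` to `CONTRIBUTE.md`, so check that the file was really renamed; `tha means`, `retreived`, `commiting` and `Some instruction ... are` need fixing; and "Update encrypted files" could state plainly that, since those secrets are deployed on all machines, the new host gains the same access to them as every other node.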

View file

@ -1,68 +1,78 @@
/* Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
/*
Copyright :
- Maurice Debray <maurice.debray@dgnum.eu> 2023
- Tom Hubrecht <tom.hubrecht@dgnum.eu> 2023
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est un programme informatique servant à déployer des
configurations de serveurs via NixOS.
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
Ce logiciel est régi par la licence CeCILL soumise au droit français et
respectant les principes de diffusion des logiciels libres. Vous pouvez
utiliser, modifier et/ou redistribuer ce programme sous les conditions
de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
sur le site "http://www.cecill.info".
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
En contrepartie de l'accessibilité au code source et des droits de copie,
de modification et de redistribution accordés par cette licence, il n'est
offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
seule une responsabilité restreinte pèse sur l'auteur du programme, le
titulaire des droits patrimoniaux et les concédants successifs.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
A cet égard l'attention de l'utilisateur est attirée sur les risques
associés au chargement, à l'utilisation, à la modification et/ou au
développement et à la reproduction du logiciel par l'utilisateur étant
donné sa spécificité de logiciel libre, qui peut le rendre complexe à
manipuler et qui le réserve donc à des développeurs et des professionnels
avertis possédant des connaissances informatiques approfondies. Les
utilisateurs sont donc invités à charger et tester l'adéquation du
logiciel à leurs besoins dans des conditions permettant d'assurer la
sécurité de leurs systèmes et ou de leurs données et, plus généralement,
à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
pris connaissance de la licence CeCILL, et que vous en avez accepté les
termes.
*/
let
sources = import ./npins;
pkgs = import sources.nixpkgs { };
liminixHive = import ./liminix-hive.nix { inherit sources; };
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
}:
pre-commit-check = (import sources.pre-commit-hooks).run {
let
git-checks = (import (builtins.storePath sources.git-hooks)).run {
src = ./.;
hooks = {
# Nix Hooks
statix.enable = true;
deadnix.enable = true;
rfc101 = {
statix = {
enable = true;
name = "RFC-101 formatting";
entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
files = "\\.nix$";
stages = [ "pre-push" ];
settings.ignore = [
"lon.nix"
"**/npins"
];
};
deadnix = {
enable = true;
stages = [ "pre-push" ];
};
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
};
# Misc Hooks
commitizen.enable = true;
};
};
in
{
nodes = builtins.mapAttrs (host: { site, ... }: "${host}.${site}.infra.dgnum.eu") (
import ./meta/nodes.nix
);
nodes = builtins.mapAttrs (
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
) (import ./meta/nodes.nix);
dns = import ./meta/dns.nix;
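Review bot: the `settings.ignore = [ "lon.nix" "**/npins" ];` exclusion is set only on the statix hook; deadnix and nixfmt-rfc-style get no equivalent excludes, so the generated `lon.nix` and `npins/default.nix` will still be dead-code-checked and reformatted on push, which is presumably not wanted. Moving the three Nix hooks to `stages = [ "pre-push" ];` while commitizen stays at commit time means unformatted commits now land in local history and are only caught at push, and only on machines where the hook is installed, so if these linters are meant to be the gate they need the same checks server-side or in CI. Minor: `(import (builtins.storePath sources.git-hooks)).run` is inconsistent with the plain `import sources.nixpkgs` and `import sources.nix-pkgs` a few lines above, and `builtins.storePath` is not available in pure evaluation mode; `import sources.git-hooks` is enough.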
@ -70,21 +80,22 @@ in
default = pkgs.mkShell {
name = "dgnum-infra";
packages =
(
with pkgs;
[
npins
colmena
nixos-generators
liminixHive.liminix.pkgs.pkgsBuildBuild.min-copy-closure
]
++ (builtins.map (p: callPackage p { }) [ (sources.disko + "/package.nix") ])
)
++ (import ./scripts { inherit pkgs; });
packages = [
(pkgs.nixos-generators.overrideAttrs (_: {
version = "1.8.0-unstable";
src = builtins.storePath sources.nixos-generators;
}))
pkgs.attic-client
pkgs.npins
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
] ++ (import ./scripts { inherit pkgs; });
shellHook = ''
${pre-commit-check.shellHook}
${git-checks.shellHook}
'';
preferLocalBuild = true;
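Review bot: the `nixos-generators` override hardcodes `version = "1.8.0-unstable";` while taking `src` from the pin, so the version label will silently drift from whatever `sources.nixos-generators` points at; derive it from the pin or drop the label. `src = builtins.storePath sources.nixos-generators;` has the same problem as the git-hooks import above (not available under pure evaluation); `src = sources.nixos-generators;` is enough. `pkgs.attic-client` is added without a comment; one line saying which cache this shell is expected to push to would help anyone auditing what the dev shell can do.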
@ -94,7 +105,7 @@ in
name = "pre-commit-shell";
shellHook = ''
${pre-commit-check.shellHook}
${git-checks.shellHook}
'';
};
};
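Review bot: with the linters in this file now bound to the pre-push stage, the name `pre-commit-shell` and a `shellHook` that only installs `git-checks` describes what the hooks used to do; rename it or add a comment so nobody expects `git commit` to run statix, deadnix or nixfmt in this shell.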

@ -16,62 +16,99 @@ let
];
};
mkNixpkgs =
node:
patch.mkNixpkgsSrc rec {
nixpkgs' = import ./meta/nixpkgs.nix;
# All supported nixpkgs versions, instanciated
nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
let
version = "nixos-${v}";
in
patch.mkNixpkgsSrc {
src = sources.${version};
version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
inherit version;
};
mkNixpkgs' = node: import (mkNixpkgs node) { };
# Instanciates the required nixpkgs version
mkNixpkgs = version: import (mkNixpkgs' version) { };
###
# Function to create arguments based on the node
#
mkArgs = node: rec {
lib = import sources.nix-lib {
inherit (mkNixpkgs' node) lib;
inherit (nixpkgs.${version node}) lib;
keysRoot = ./keys;
};
meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
};
in
# nodes = builtins.attrNames metadata.nodes;
{
meta = {
nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
specialArgs = {
inherit sources;
inherit nixpkgs sources;
};
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
};
defaults =
{ meta, name, ... }:
{
pkgs,
name,
nodeMeta,
...
}:
{
# Import the default modules
imports = [ ./modules ];
imports = [
./modules
(import "${sources.lix-module}/module.nix" {
lix = pkgs.applyPatches {
name = "lix-2.90.patched";
src = sources.lix;
patches = [ ./patches/00-disable-installChecks-lix.patch ];
};
})
];
# Include default secrets
age-secrets.sources = [ (./machines + "/${name}/secrets") ];
age-secrets.sources = [ ./machines/${name}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (meta.nodes.${name}) deployment;
inherit (nodeMeta) deployment;
# Set NIX_PATH to the patched version of nixpkgs
nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
nix.optimise.automatic = true;
nix = {
# Set NIX_PATH to the patched version of nixpkgs
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata
system = {
inherit (meta.nodes.${name}) stateVersion;
inherit (nodeMeta) stateVersion;
};
};
}
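Review bot: `patches = [ ./patches/00-disable-installChecks-lix.patch ];` ships a Lix (`lix-2.90.patched`) built with its install checks skipped to every node, with no comment on which check fails or when the patch can go; put that in the patch header or a comment here, because a package manager built with its test suite disabled is exactly the kind of workaround that gets forgotten. Also `nixpkgs.${version node}` (and `nixpkgs.${version n}` in `nodeNixpkgs`) throws a bare attribute-missing error if a node sets a `nixpkgs` version that is not in `nixpkgs'.supported`; an `assert` naming the node and the supported list costs one line. Nit: `instanciated` / `Instanciates` in the two comments should read `instantiated` / `Instantiates`.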

@ -1,5 +1,5 @@
#!/usr/bin/env bash
NIXPKGS=$(nix-build nixpkgs.nix)
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
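Review bot: the script has no `set -euo pipefail`; if `nix-build --no-out-link nixpkgs.nix` fails, `NIXPKGS` is empty and `nixos-generate` still runs with `-I NIX_PATH=""`, giving either an opaque error or an ISO built against whatever nixpkgs the caller's environment provides. Add the `set` line after the shebang, or `NIXPKGS=$(...) || exit 1`.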

@ -3,7 +3,7 @@
let
dgn-lib = import ../lib { };
dgn-members = (import ../meta).members.groups.iso;
dgn-members = (import ../meta lib).organization.groups.root;
in
{
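Review bot: `dgn-members` moves from `members.groups.iso` to `organization.groups.root`, so the installer ISO's root `authorized_keys` now carries every member of the root group rather than a purpose-specific ISO group. If the `iso` group was dropped in the meta refactor that is fine, but it widens who can log into a booted installer and deserves a sentence in the commit; if the group still exists, `organization.groups.iso` keeps the previous scope.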
@ -33,7 +33,7 @@ in
openssh.enable = true;
};
users.users.root.openssh.authorizedKeys.keyFiles =
builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys")
dgn-members;
users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
m: dgn-lib.mkRel ../keys "${m}.keys"
) dgn-members;
}

@ -1,5 +1,6 @@
let
inherit (import ../npins) nixpkgs;
version = (import ../meta/nixpkgs.nix).default;
nixpkgs = (import ../npins)."nixos-${version}";
in
(import nixpkgs { }).srcOnly {
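Review bot: the ISO now builds from the raw `nixos-${version}` pin in `npins`, whereas the nodes in `hive.nix` run on the output of `patch.mkNixpkgsSrc` for the same version; the installer image therefore does not carry whatever that patch set fixes. If that is intentional (installer only, never a deployed system), say so in a comment; otherwise import the patched source here as well.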

keys/catvayor.keys Normal file
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor

keys/ecoppens.keys Normal file
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
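Review bot: unlike `catvayor.keys`, the ed25519 keys added in this hunk and the two before it carry no comment field. With one file per person the owner is clear, but a comment naming the device makes revocation unambiguous once someone has more than one key in their file.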

keys/machines/web02.keys Normal file
@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX
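Review bot: `keys/machines/web02.keys` only takes effect through `machineKeys` in `lib/default.nix`, which iterates `builtins.attrNames meta.nodes`, and through `getNodeKeys`, which appends `"/machines/${node}"`; neither a `meta/nodes.nix` entry nor a `machines/web02` directory is visible in this compare, so either they already exist or this key is inert until they do. Since this host key will decrypt every secret declared for the node, confirm it was read off the machine's `/etc/ssh/ssh_host_ed25519_key.pub` rather than generated elsewhere and copied in.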

lib/colmena/default.nix Normal file
@ -0,0 +1,11 @@
# Copyright: Jade Lovelace <lix@jade.fyi> 2024
{ colmena, runCommandNoCC }:
runCommandNoCC "colmena-wrapper" { env.colmena = "${colmena}/bin/colmena"; } ''
mkdir -p $out
ln -s ${colmena}/share $out/share
mkdir $out/bin
substituteAll ${./wrapper.sh.in} $out/bin/colmena
chmod +x $out/bin/colmena
''
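Review bot: `runCommandNoCC` is a deprecated alias of `runCommand` in current nixpkgs (`runCommand` already uses `stdenvNoCC`); use `runCommand`. `env.colmena = "${colmena}/bin/colmena";` hardcodes the binary path for `substituteAll`; `lib.getExe colmena` follows `meta.mainProgram` and survives a rename of the executable.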

lib/colmena/wrapper.sh.in Normal file
@ -0,0 +1,31 @@
#!/usr/bin/env bash
#
# Copyright: Jade Lovelace <lix@jade.fyi> 2024
doChecks() {
# creates refs in the refs/prefetch/remotes/origin namespace
echo "Prefetching repo changes..." >&2
git fetch --quiet --prefetch --no-write-fetch-head origin
diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
only_in_local=$(echo "$diffs" | cut -f1)
only_in_main=$(echo "$diffs" | cut -f2)
if [[ $only_in_main -gt 0 && ! -v $FORCE_DEPLOY_DGNUM ]]; then
echo >&2
echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
echo "This will probably revert someone's changes. Consider merging them." >&2
echo "If you really mean it, set the environment variable FORCE_DEPLOY_DGNUM" >&2
exit 1
fi
if [[ $only_in_local -gt 0 ]]; then
echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
fi
}
if [[ $1 == 'apply' ]]; then
doChecks
fi
exec @colmena@ "$@"
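Review bot: `[[ $only_in_main -gt 0 && ! -v $FORCE_DEPLOY_DGNUM ]]` tests the wrong thing: `-v` expects a variable name, but `$FORCE_DEPLOY_DGNUM` expands to its value, so with the variable unset the test becomes `-v ""` and blocks as intended, while `FORCE_DEPLOY_DGNUM=1` makes bash ask whether a variable named `1` is set, which is not what the error message promises. Drop the `$`: `! -v FORCE_DEPLOY_DGNUM`. Second, the guard fails open: there is no `set -euo pipefail`, so a failed `git fetch` (offline, expired credentials) leaves `diffs` empty, `[[ "" -gt 0 ]]` is false, and the deploy proceeds silently; treat a fetch or rev-list failure as a refusal unless the override is set. Third, only `apply` is checked; `apply-local` and `upload-keys` also change machine state and should go through `doChecks` too. Minor: `origin` and `main` are hardcoded.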

@ -3,27 +3,31 @@ _:
let
sources = import ../npins;
lib =
(import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
lib = import sources.nix-lib {
inherit ((import sources.nixpkgs { })) lib;
keysRoot = ../keys;
}).extra;
keysRoot = ../keys;
};
meta = import ../meta;
meta = import ../meta lib;
inherit (lib.extra) getAllKeys;
in
lib
lib.extra
// rec {
# Get publickeys associated to a node
getNodeKeys =
node:
let
names =
builtins.foldl' (names: group: names ++ meta.members.groups.${group})
(meta.nodes.${node}.admins ++ [ "/machines/${node}" ])
meta.nodes.${node}.adminGroups;
names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
) meta.nodes.${node}.adminGroups;
in
rootKeys ++ (lib.getAllKeys names);
rootKeys ++ (getAllKeys names);
rootKeys = lib.getAllKeys meta.members.groups.root;
rootKeys = getAllKeys meta.organization.groups.root;
machineKeys =
rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
}
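Review bot: the machine key path is spelled two ways in the same file: `getNodeKeys` appends `"/machines/${node}"` with a leading slash while `machineKeys` uses `"machines/${n}"` without; whether both resolve to `keys/machines/<node>.keys` depends on how `getAllKeys` joins against `keysRoot`, so pick one form. `machineKeys` also deserves a comment on what it is for, since any secret encrypted to that list is readable from every host in `meta.nodes` plus every root-group member, which is a much wider scope than the per-node `getNodeKeys`.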

@ -1,38 +0,0 @@
# This is a very rudimentary hive to deploy Liminix images.
{
sources ? import ./npins,
nixpkgs ? sources.nixpkgs,
liminix ? sources.liminix,
}:
let
evalLiminix =
{ config, device }:
{
primary = import liminix {
inherit device nixpkgs;
imageType = "primary";
liminix-config = config;
};
secondary = import liminix {
inherit device nixpkgs;
imageType = "secondary";
liminix-config = config;
};
};
zyxel = {
nwa50ax = import "${liminix}/devices/zyxel-nwa50ax";
};
in
{
liminix.pkgs =
(import liminix {
device = zyxel.nwa50ax;
imageType = "primary";
liminix-config = ./machines/ap/configuration.nix;
}).pkgs;
devices = zyxel;
ap-test = evalLiminix {
config = ./machines/ap/configuration.nix;
device = zyxel.nwa50ax;
};
}

@ -1 +0,0 @@
{ liminix-system }: (import ./liminix-hive.nix { }).${liminix-system}.primary

@ -1,140 +0,0 @@
{
config,
pkgs,
modulesPath,
...
}:
let
# inherit (pkgs.liminix.services)
# oneshot
# longrun
# bundle
# target
# ;
# inherit (pkgs) writeText;
svc = config.system.service;
secrets-1 = {
ssid = "Zyxel 2G (N)";
wpa_passphrase = "diamond dogs";
};
secrets-2 = {
ssid = "Zyxel 5G (AX)";
wpa_passphrase = "diamond dogs";
};
baseParams = {
country_code = "FR";
hw_mode = "g";
channel = 6;
wmm_enabled = 1;
ieee80211n = 1;
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
auth_algs = 1;
wpa = 2;
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP";
rsn_pairwise = "CCMP";
};
modernParams = {
hw_mode = "a";
he_su_beamformer = 1;
he_su_beamformee = 1;
he_mu_beamformer = 1;
preamble = 1;
# Allow radar detection.
ieee80211d = 1;
ieee80211h = 1;
ieee80211ac = 1;
ieee80211ax = 1;
vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
vht_oper_chwidth = 1;
he_oper_chwidth = 1;
channel = 36;
vht_oper_centr_freq_seg0_idx = 42;
he_oper_centr_freq_seg0_idx = 42;
require_vht = 1;
};
mkWifiSta =
params: interface: secrets:
svc.hostapd.build {
inherit interface;
params = params // {
inherit (secrets) ssid wpa_passphrase;
};
};
in
rec {
imports = [
"${modulesPath}/wlan.nix"
"${modulesPath}/network"
"${modulesPath}/hostapd"
"${modulesPath}/ssh"
"${modulesPath}/ntp"
"${modulesPath}/vlan"
"${modulesPath}/bridge"
];
hostname = "zyxel";
users.root = {
# EDIT: choose a root password and then use
# "mkpasswd -m sha512crypt" to determine the hash.
# It should start wirh $6$.
passwd = "$y$j9T$f8GhLiqYmr3lc58eKhgyD0$z7P/7S9u.kq/cANZExxhS98bze/6i7aBxU6tbl7RMi.";
openssh.authorizedKeys.keys = [
# EDIT: you can add your ssh pubkey here
# "ssh-rsa AAAAB3NzaC1....H6hKd user@example.com";
];
};
services.int = svc.bridge.primary.build { ifname = "int"; };
services.bridge = svc.bridge.members.build {
primary = services.int;
members = with config.hardware.networkInterfaces; [
lan
wlan0
wlan1
];
};
services.dhcpv4 =
let
iface = services.int;
in
svc.network.dhcp.client.build { interface = iface; };
services.defaultroute4 = svc.network.route.build {
via = "$(output ${services.dhcpv4} address)";
target = "default";
dependencies = [ services.dhcpv4 ];
};
services.packet_forwarding = svc.network.forward.build { };
services.sshd = svc.ssh.build { allowRoot = true; };
services.ntp = config.system.service.ntp.build {
pools = {
"pool.ntp.org" = [ "iburst" ];
};
};
boot.tftp = {
serverip = "192.0.2.10";
ipaddr = "192.0.2.12";
};
# wlan0 is the 2.4GHz interface.
services.hostap-1 = mkWifiSta baseParams config.hardware.networkInterfaces.wlan0 secrets-1;
# wlan1 is the 5GHz interface, e.g. AX capable.
services.hostap-2 =
mkWifiSta (baseParams // modernParams) config.hardware.networkInterfaces.wlan1
secrets-2;
defaultProfile.packages = with pkgs; [
zyxel-bootconfig
iw
min-collect-garbage
mtdutils
];
}
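Review bot: deleting this file does not remove what it contained from git history: `wpa_passphrase = "diamond dogs";` (used for both SSIDs) and the root password hash `passwd = "$y$j9T$f8GhLiqYmr3lc58eKhgyD0$z7P/7S9u.kq/cANZExxhS98bze/6i7aBxU6tbl7RMi.";` stay in every clone. Rotate the WPA passphrase on any access point that ever ran this configuration and change the root password (a yescrypt hash in a repository is an offline cracking target), and if the AP config comes back, take both values from agenix like the rest of the tree. Also worth noting for a future version: `wpa_pairwise = "TKIP CCMP";` still allowed TKIP on the 2.4 GHz radio.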

@ -0,0 +1,20 @@
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"network"
];
extraConfig = {
services.netbird.enable = true;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};
root = ./.;
}

@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, pkgs, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"sd_mod"
"sr_mod"
];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems.bcachefs = true;
};
fileSystems = {
"/" = {
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
fsType = "bcachefs";
options = [ "compression=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/4D0A-AF11";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}
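Review bot: the header `# Do not modify this file! It was generated by nixos-generate-config` is no longer accurate: `kernelPackages = pkgs.linuxPackages_latest;`, `supportedFilesystems.bcachefs = true;` and `options = [ "compression=zstd" ];` are hand edits that the next `nixos-generate-config` run would overwrite. Move them into the node's `mkConfig` `extraConfig`, or drop the header. Also, `fmask=0022` / `dmask=0022` leaves the ESP world-readable; systemd-boot keeps its random seed under `/boot/loader/`, and recent `nixos-generate-config` emits `0077` for exactly this reason, so prefer `fmask=0077` and `dmask=0077` unless something needs to read `/boot` unprivileged. `linuxPackages_latest` is understandable for bcachefs, but it means every nixpkgs bump is a kernel version jump on a bridge host; a comment saying it is required for bcachefs would stop someone "fixing" it later.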

@ -0,0 +1,79 @@
_:
{
networking = {
useNetworkd = true;
useDHCP = false;
nftables.enable = true;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};
}
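Review bot: `firewall.allowedUDPPorts = [ 67 ];` opens the DHCP server port on every interface, including `vlan-uplink-oob`, which is the one taking a lease from upstream (`networkConfig.DHCP = "ipv4"`), while the server (`networkConfig.DHCPServer = "yes"`) only lives on `vlan-admin`. Scope it: `firewall.interfaces."vlan-admin".allowedUDPPorts = [ 67 ];`. The rest reads as deliberate (no LLDP or RA on the `eno1` trunk, `UplinkInterface = ":none"`, `PoolOffset = 128` for the BMCs), but `IPv6AcceptRA = false` is set only on `eno1`; if the OOB uplink is meant to be v4-only, set it on `vlan-uplink-oob` too so the bridge does not pick up a default router from a VLAN it should only take a v4 lease from.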

@ -0,0 +1,5 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]
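Review bot: `lib.getNodeKeys "bridge01"` reads `meta.nodes.bridge01.admins` and `.adminGroups` and resolves `"/machines/bridge01"` to a `keys/machines/bridge01.keys` file; none of these are visible in this compare (the only machine key added is `web02.keys`), so evaluating this file fails on the missing node entry or key file until they exist. The empty `[ ]` is fine as a placeholder, but the first secret added here will need the host key anyway, so add `keys/machines/bridge01.keys` in the same change.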

@ -4,35 +4,33 @@ lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-backups"
"dgn-fail2ban"
"dgn-web"
];
enabledServices = [
# List of services to enable
"arkheon"
"signal-irc-bridge"
"ds-fr"
"grafana"
"hedgedoc"
"k-radius"
"kanidm"
"librenms"
"mastodon"
"nextcloud"
"outline"
"plausible"
"postgresql"
"rstudio-server"
"satosa"
"signald"
"stirling-pdf"
"telegraf"
"vaultwarden"
"zammad"
"signald"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
dgn-hardware.useZfs = true;
services.netbird.enable = true;
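Review bot: `"dgn-fail2ban"` is removed from `enabledModules` together with the `dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [ "sshd-bruteforce" "sshd-timeout" ];` block, and nothing in this hunk enables a replacement on compute01. If the successor is wired in through the default modules, a one-line comment here saying so would stop the next reader from concluding that SSH brute-force protection was simply dropped on the host running kanidm, vaultwarden and the other login-bearing services in this list.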

@ -0,0 +1,28 @@
{ config, sources, ... }:
{
nixpkgs.overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
services.arkheon = {
enable = true;
pythonEnv =
(import sources.nixos-unstable {
overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
}).python3.withPackages
(ps: [
ps.arkheon
ps.daphne
ps.psycopg2
]);
domain = "arkheon.dgnum.eu";
nginx = {
enableACME = true;
forceSSL = true;
};
envFile = config.age.secrets."arkheon-env_file".path;
};
}
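Review bot: `pythonEnv` is built from a second, unpatched nixpkgs (`import sources.nixos-unstable { overlays = [ ... ]; }`) while the module itself runs under the node's patched `pkgs` with the same overlay already applied through `nixpkgs.overlays`; the arkheon Python environment therefore bypasses whatever `patch.mkNixpkgsSrc` fixes for the node and the overlay is evaluated twice. If unstable is needed for a newer `daphne` or `psycopg2`, say so in a comment and consider taking only those packages from it. `envFile = config.age.secrets."arkheon-env_file".path;` is the right shape; just make sure the secret's owner is the service user, since the decrypted file is only readable by its owner.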

@ -3,9 +3,7 @@
stdenv,
fetchFromGitHub,
git,
fetchYarnDeps,
yarn,
fixup_yarn_lock,
bun,
nodejs,
ruby_3_2,
bundlerEnv,
@ -18,7 +16,7 @@ let
inherit (lib) getExe;
# Head of the DGNum repo
dgn-id = "8eecf28eeaf39bade8aed5e191a5bbf794dec4cc";
dgn-id = "f270f1cdd09e643a9c666c94df1841234430de49";
pname = "ds-fr";
meta = import ./meta.nix;
@ -50,20 +48,46 @@ let
};
};
node_modules = stdenv.mkDerivation {
pname = "${pname}-node_modules";
inherit src version;
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
"GIT_PROXY_COMMAND"
"SOCKS_SERVER"
];
nativeBuildInputs = [ bun ];
dontConfigure = true;
buildPhase = ''
bun install --no-progress --frozen-lockfile --ignore-scripts
rm -r node_modules/.cache
# Remove inconsistent file
rm node_modules/.bin/grunt
'';
installPhase = ''
mv node_modules $out
'';
dontFixup = true;
outputHash = meta.deps-hash or lib.fakeHash;
outputHashAlgo = "sha256";
outputHashMode = "recursive";
};
dsModules = stdenv.mkDerivation {
pname = "${pname}-modules";
inherit src version;
offlineCache = fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = meta.deps-hash;
};
buildInputs = [ rubyEnv ];
nativeBuildInputs = [
fixup_yarn_lock
bun
nodejs
yarn
rubyEnv.wrappedRuby
];
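Review bot: the fixed-output `node_modules` derivation is a sound supply-chain boundary (`--frozen-lockfile` pins the tree, `--ignore-scripts` keeps package lifecycle scripts from running during fetch, and `outputHash` verifies the result), but two lines say the output is not reproducible yet: `rm -r node_modules/.cache` and `rm node_modules/.bin/grunt` under `# Remove inconsistent file`. State in that comment what is inconsistent (a shim with an absolute path? a timestamp?), because the next bun upgrade will move the target and the first symptom will be a hash mismatch that someone is tempted to resolve by re-hashing without checking what changed. `outputHash = meta.deps-hash or lib.fakeHash;` is fine for bootstrapping a new hash, but a missing `deps-hash` then only surfaces as a mismatch mid-build; a `throw` with a clear message is friendlier.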
@ -84,18 +108,13 @@ let
APP_HOST = "precompile_placeholder";
buildPhase = ''
export HOME=$(mktemp -d)
yarn config --offline set yarn-offline-mirror $offlineCache
fixup_yarn_lock yarn.lock
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
cp -R ${node_modules} node_modules
chmod u+w -R node_modules
patchShebangs node_modules/
patchShebangs node_modules
patchShebangs bin/
bin/rake assets:precompile
yarn cache clean --offline
rm -rf node_modules/
'';
installPhase = ''
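Review bot: because the tree was installed with `--ignore-scripts`, `cp -R ${node_modules} node_modules` brings in packages whose `postinstall` hooks never ran; that is the right trade-off for the fixed-output derivation, but `bin/rake assets:precompile` then relies on no dependency needing a build step (native modules, downloaded binaries). If it passes today, add a comment saying so, so that a future `deps-hash` bump failing at this line is recognised as a package that grew a postinstall step rather than as a hashing problem. `chmod u+w -R node_modules` after the store copy is required; the trailing `rm -rf node_modules/` keeps the output small, fine.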
@ -116,7 +135,6 @@ stdenv.mkDerivation {
./patches/replay_routing_engine_for_a_cloned_procedure.patch
./patches/smtp_settings.patch
./patches/garage.patch
./patches/secrets-fc.patch
];
postPatch = ''

@ -1,5 +1,5 @@
{
version = "2024-02-29-01";
src-hash = "sha256-YHK86sQMaa0Oa40uNMXDs25lPR9RkDnkzMcMFW+djYQ=";
deps-hash = "sha256-9HbZtk0sgBSWzzFrjXnSyEVWaQMiyC1v89vXB0UK9Hc=";
version = "2024-04-24-01";
src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg=";
deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8=";
}

@ -1,19 +0,0 @@
diff --git a/config/secrets.yml b/config/secrets.yml
index 866fa6159..6fd49ee59 100644
--- a/config/secrets.yml
+++ b/config/secrets.yml
@@ -23,10 +23,10 @@ defaults: &defaults
identifier: <%= ENV['FC_PARTICULIER_ID'] %>
secret: <%= ENV['FC_PARTICULIER_SECRET'] %>
redirect_uri: https://<%= ENV['APP_HOST'] %>/france_connect/particulier/callback
- authorization_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/authorize
- token_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/token
- userinfo_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/userinfo
- logout_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/logout
+ authorization_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/ui/oauth2
+ token_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/oauth2/token
+ userinfo_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/oauth2/openid/demarches_dgn/userinfo
+ logout_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/oauth2/token/revoke
agent_connect:
identifier: <%= ENV['AGENT_CONNECT_ID'] %>
secret: <%= ENV['AGENT_CONNECT_SECRET'] %>
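Review bot: dropping `secrets-fc.patch` (also removed from the `patches` list in `default.nix`) restores upstream's FranceConnect endpoints (`/api/v1/authorize`, `/api/v1/token`, `/api/v1/userinfo`, `/api/v1/logout`) in place of the `/ui/oauth2`, `/oauth2/token` and `/oauth2/openid/demarches_dgn/userinfo` paths this patch pointed at, which look like a Kanidm-style OIDC provider rather than FranceConnect. Whatever `FC_PARTICULIER_BASE_URL` holds in the deployed env file must match the new paths, and `logout_endpoint` changes meaning from a token-revocation URL (`/oauth2/token/revoke`) to an end-session URL. Test the full login and logout round trip after deploy; the `openid_connect` 1.x to 2.x bump in the lockfile lands in the same compare, so two OIDC-affecting changes ship at once.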

@ -10,6 +10,7 @@ gem 'active_storage_validations'
gem 'addressable'
gem 'administrate'
gem 'administrate-field-enum' # Allow using Field::Enum in administrate
gem 'after_commit_everywhere'
gem 'after_party'
gem 'ancestry'
gem 'anchored'
@ -22,21 +23,24 @@ gem 'chunky_png'
gem 'clamav-client', require: 'clamav/client'
gem 'daemons'
gem 'deep_cloneable' # Enable deep clone of active record models
gem 'delayed_cron_job' # Cron jobs
gem 'delayed_cron_job', require: false # Cron jobs
gem 'delayed_job_active_record'
gem 'delayed_job_web'
gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
gem 'devise'
gem 'devise-i18n'
gem 'devise-two-factor'
gem 'discard'
gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
gem 'dry-monads'
gem 'faraday-jwt'
gem 'flipper'
gem 'flipper-active_record'
gem 'flipper-active_support_cache_store'
gem 'flipper-ui'
gem 'fugit'
gem 'geocoder'
gem 'geo_coord', require: "geo/coord"
gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'
gem 'gon'
gem 'graphql', '2.0.24'
gem 'graphql-batch', '0.5.1'
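Review bot: `gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'` has no `ref:` or `tag:`, so it is held at `f547a270c402b0180091516d790434e83287fae7` only by `Gemfile.lock`; any `bundle update` or re-lock will float to the fork's default branch. The `devise` line removed in this hunk showed the better pattern (`ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1"` plus a note saying when to drop it); do the same here. Also visible: `gem 'delayed_cron_job', require: false` next to the new `gem 'sidekiq-cron'` suggests scheduling moved to Sidekiq; if `delayed_cron_job` is no longer loaded anywhere, remove it rather than keeping it unrequired.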
@ -73,6 +77,7 @@ gem 'puma' # Use Puma as the app server
gem 'pundit'
gem 'rack-attack'
gem 'rails-i18n' # Locales par défaut
gem 'rails-pg-extras'
gem 'rake-progressbar', require: false
gem 'redcarpet'
gem 'redis'
@ -86,15 +91,23 @@ gem 'sentry-ruby'
gem 'sentry-sidekiq'
gem 'sib-api-v3-sdk'
gem 'sidekiq'
gem 'sidekiq-cron'
gem 'skylight'
gem 'spreadsheet_architect'
gem 'strong_migrations' # lint database migrations
gem 'sys-proctable'
gem 'turbo-rails'
gem 'typhoeus'
gem 'ulid-ruby', require: 'ulid'
gem 'view_component'
gem 'vite_rails'
gem 'warden'
gem 'webrick', require: false
gem 'yabeda-graphql'
gem 'yabeda-prometheus'
gem 'yabeda-puma-plugin'
gem 'yabeda-rails'
gem 'yabeda-sidekiq'
gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn'
@ -112,6 +125,8 @@ group :test do
gem 'selenium-devtools'
gem 'selenium-webdriver'
gem 'shoulda-matchers', require: false
gem 'simplecov', require: false
gem 'simplecov-cobertura', require: false
gem 'timecop'
gem 'vcr'
gem 'webmock'

@ -1,14 +1,10 @@
GIT
remote: https://github.com/heartcombo/devise.git
revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
remote: https://github.com/demarches-simplifiees/reliable-fetch.git
revision: f547a270c402b0180091516d790434e83287fae7
specs:
devise (4.9.3)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
gitlab-sidekiq-fetcher (0.11.0)
json (>= 2.5)
sidekiq (~> 7.0)
GEM
remote: https://rubygems.org/
@ -108,10 +104,15 @@ GEM
administrate-field-enum (0.0.9)
administrate (~> 0.12)
aes_key_wrap (1.1.0)
after_commit_everywhere (1.4.0)
activerecord (>= 4.2)
activesupport
after_party (1.11.2)
ancestry (4.3.3)
activerecord (>= 5.2.6)
anchored (1.1.0)
anyway_config (2.6.3)
ruby-next-core (~> 1.0)
ast (2.4.2)
attr_required (1.0.2)
axe-core-api (4.8.2)
@ -135,8 +136,8 @@ GEM
erubi (~> 1.4)
parser (>= 2.4)
smart_properties
bigdecimal (3.1.6)
bindata (2.4.15)
bigdecimal (3.1.7)
bindata (2.5.0)
bindex (0.8.1)
bootsnap (1.18.3)
msgpack (~> 1.2)
@ -167,7 +168,7 @@ GEM
nokogiri (~> 1.10, >= 1.10.4)
rubyzip (>= 1.3.0, < 3)
charlock_holmes (0.7.7)
chartkick (5.0.5)
chartkick (5.0.6)
choice (0.2.0)
chunky_png (1.4.0)
clamav-client (3.2.0)
@ -200,6 +201,12 @@ GEM
sinatra (>= 1.4.4)
descendants_tracker (0.0.4)
thread_safe (~> 0.3, >= 0.3.1)
devise (4.9.4)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
devise-i18n (1.12.0)
devise (>= 4.9.0)
devise-two-factor (5.0.0)
@ -210,6 +217,7 @@ GEM
diff-lcs (1.5.1)
discard (1.3.0)
activerecord (>= 4.2, < 8)
docile (1.4.0)
dotenv (2.8.1)
dotenv-rails (2.8.1)
dotenv (= 2.8.1)
@ -218,25 +226,40 @@ GEM
dry-core (1.0.1)
concurrent-ruby (~> 1.0)
zeitwerk (~> 2.6)
dry-initializer (3.1.1)
dry-monads (1.6.0)
concurrent-ruby (~> 1.0)
dry-core (~> 1.0, < 2)
zeitwerk (~> 2.6)
dumb_delegator (1.0.0)
email_validator (2.2.4)
activemodel
erubi (1.12.0)
et-orbi (1.2.7)
et-orbi (1.2.11)
tzinfo
ethon (0.16.0)
ffi (>= 1.15.0)
excon (0.109.0)
factory_bot (6.4.6)
activesupport (>= 5.0.0)
faraday (2.9.0)
faraday-net_http (>= 2.0, < 3.2)
faraday-follow_redirects (0.3.0)
faraday (>= 1, < 3)
faraday-jwt (0.1.0)
faraday (~> 2.0)
json-jwt (~> 1.16)
faraday-net_http (3.1.0)
net-http
ffi (1.16.3)
flipper (1.2.2)
concurrent-ruby (< 2)
flipper-active_record (1.2.2)
activerecord (>= 4.2, < 8)
flipper (~> 1.2.2)
flipper-active_support_cache_store (1.2.2)
activesupport (>= 4.2, < 8)
flipper (~> 1.2.2)
flipper-ui (1.2.2)
erubi (>= 1.0.0, < 2.0.0)
flipper (~> 1.2.2)
@ -255,7 +278,7 @@ GEM
fog-core (~> 2.1)
fog-json (>= 1.0)
formatador (1.1.0)
fugit (1.9.0)
fugit (1.10.1)
et-orbi (~> 1, >= 1.2.7)
raabro (~> 1.4)
geo_coord (0.2.0)
@ -305,8 +328,7 @@ GEM
highline (3.0.1)
htmlentities (4.3.4)
http_accept_language (2.1.1)
httpclient (2.8.3)
i18n (1.14.1)
i18n (1.14.4)
concurrent-ruby (~> 1.0)
i18n-tasks (1.0.13)
activesupport (>= 4.0.2)
@ -328,7 +350,7 @@ GEM
invisible_captcha (2.2.0)
rails (>= 5.2)
io-console (0.7.2)
irb (1.11.2)
irb (1.12.0)
rdoc
reline (>= 0.4.2)
job-iteration (1.4.1)
@ -337,17 +359,23 @@ GEM
rails-dom-testing (>= 1, < 3)
railties (>= 4.2.0)
thor (>= 0.14, < 2.0)
json (2.7.1)
json-jwt (1.13.0)
json (2.7.2)
json-jwt (1.16.6)
activesupport (>= 4.2)
aes_key_wrap
base64
bindata
json_schemer (2.1.1)
faraday (~> 2.0)
faraday-follow_redirects
json_schemer (2.2.1)
base64
bigdecimal
hana (~> 1.3)
regexp_parser (~> 2.0)
simpleidn (~> 0.2)
jsonapi-renderer (0.2.2)
jwt (2.7.1)
jwt (2.8.1)
base64
kaminari (1.2.2)
activesupport (>= 4.1.0)
kaminari-actionview (= 1.2.2)
@ -374,7 +402,7 @@ GEM
letter_opener (~> 1.7)
railties (>= 5.2)
rexml
listen (3.8.0)
listen (3.9.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
lograge (0.14.0)
@ -391,7 +419,7 @@ GEM
net-imap
net-pop
net-smtp
maintenance_tasks (2.6.0)
maintenance_tasks (2.7.0)
actionpack (>= 6.0)
activejob (>= 6.0)
activerecord (>= 6.0)
@ -401,7 +429,7 @@ GEM
marcel (1.0.2)
matrix (0.4.2)
memory_profiler (1.0.1)
method_source (1.0.0)
method_source (1.1.0)
mime-types (3.5.2)
mime-types-data (~> 3.2015)
mime-types-data (3.2024.0206)
@ -409,12 +437,14 @@ GEM
rake
mini_magick (4.12.0)
mini_mime (1.1.5)
mini_portile2 (2.8.5)
minitest (5.22.2)
mini_portile2 (2.8.6)
minitest (5.22.3)
msgpack (1.7.2)
multi_json (1.15.0)
mustermann (3.0.0)
ruby2_keywords (~> 0.0.1)
net-http (0.4.1)
uri
net-imap (0.4.10)
date
net-protocol
@ -424,20 +454,23 @@ GEM
timeout
net-smtp (0.4.0.1)
net-protocol
nio4r (2.7.0)
nokogiri (1.16.2)
nio4r (2.7.1)
nokogiri (1.16.4)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
openid_connect (1.3.0)
openid_connect (2.3.0)
activemodel
attr_required (>= 1.0.0)
json-jwt (>= 1.5.0)
rack-oauth2 (>= 1.6.1)
swd (>= 1.0.0)
email_validator
faraday (~> 2.0)
faraday-follow_redirects
json-jwt (>= 1.16)
mail
rack-oauth2 (~> 2.2)
swd (~> 2.0)
tzinfo
validate_email
validate_url
webfinger (>= 1.0.1)
webfinger (~> 2.0)
orm_adapter (0.5.0)
parallel (1.24.0)
parsby (1.1.1)
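Review bot: `openid_connect (1.3.0)` to `openid_connect (2.3.0)` is a major version jump that drags `rack-oauth2` 1.19.0 to 2.2.1 and `swd` 1.3.0 to 2.0.3 with it (and `webfinger` 1.2.0 to 2.1.3 further down), replacing `httpclient` with `faraday` throughout and swapping `validate_email` for `email_validator` and `mail`. This is the library behind the FranceConnect and AgentConnect login flow, so exercise discovery, token exchange and userinfo against the real provider before relying on this lock, and read the 2.x changelog for claim and signature verification changes rather than assuming drop-in compatibility.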
@ -445,8 +478,8 @@ GEM
ast (~> 2.4.1)
racc
pdf-core (0.9.0)
pg (1.5.4)
phonelib (0.8.7)
pg (1.5.6)
phonelib (0.8.8)
prawn (2.4.0)
pdf-core (~> 0.9.0)
ttfunk (~> 1.7)
@ -464,25 +497,27 @@ GEM
actionmailer (>= 3)
net-smtp
premailer (~> 1.7, >= 1.7.9)
prometheus-client (4.2.2)
promise.rb (0.7.4)
psych (5.1.2)
stringio
public_suffix (5.0.4)
public_suffix (5.0.5)
puma (6.4.2)
nio4r (~> 2.0)
pundit (2.3.1)
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.7.3)
rack (2.2.8.1)
rack (2.2.9)
rack-attack (6.7.0)
rack (>= 1.0, < 4)
rack-mini-profiler (3.3.1)
rack (>= 1.2.0)
rack-oauth2 (1.19.0)
rack-oauth2 (2.2.1)
activesupport
attr_required
httpclient
faraday (~> 2.0)
faraday-follow_redirects
json-jwt (>= 1.11.0)
rack (>= 2.1.0)
rack-protection (3.2.0)
@ -525,9 +560,12 @@ GEM
rails-html-sanitizer (1.6.0)
loofah (~> 2.21)
nokogiri (~> 1.14)
rails-i18n (7.0.8)
rails-i18n (7.0.9)
i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 8)
rails-pg-extras (5.3.1)
rails
ruby-pg-extras (= 5.3.1)
railties (7.0.8.1)
actionpack (= 7.0.8.1)
activesupport (= 7.0.8.1)
@ -536,20 +574,20 @@ GEM
thor (~> 1.0)
zeitwerk (~> 2.5)
rainbow (3.1.1)
rake (13.1.0)
rake (13.2.1)
rake-progressbar (0.0.5)
rb-fsevent (0.11.2)
rb-inotify (0.10.1)
ffi (~> 1.0)
rdoc (6.6.2)
rdoc (6.6.3.1)
psych (>= 4.0.0)
redcarpet (3.6.0)
redis (5.1.0)
redis-client (>= 0.17.0)
redis-client (0.20.0)
redis (5.2.0)
redis-client (>= 0.22.0)
redis-client (0.22.1)
connection_pool
regexp_parser (2.9.0)
reline (0.4.2)
reline (0.5.3)
io-console (~> 0.5)
request_store (1.5.1)
rack (>= 1.4)
@ -574,20 +612,20 @@ GEM
rspec-mocks (3.13.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0)
rspec-rails (6.1.1)
rspec-rails (6.1.2)
actionpack (>= 6.1)
activesupport (>= 6.1)
railties (>= 6.1)
rspec-core (~> 3.12)
rspec-expectations (~> 3.12)
rspec-mocks (~> 3.12)
rspec-support (~> 3.12)
rspec-core (~> 3.13)
rspec-expectations (~> 3.13)
rspec-mocks (~> 3.13)
rspec-support (~> 3.13)
rspec-retry (0.6.2)
rspec-core (> 3.3)
rspec-support (3.13.0)
rspec-support (3.13.1)
rspec_junit_formatter (0.6.0)
rspec-core (>= 2, < 4, != 2.12.0)
rubocop (1.60.2)
rubocop (1.63.3)
json (~> 2.3)
language_server-protocol (>= 3.17.0)
parallel (~> 1.10)
@ -595,29 +633,36 @@ GEM
rainbow (>= 2.2.2, < 4.0)
regexp_parser (>= 1.8, < 3.0)
rexml (>= 3.2.5, < 4.0)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-ast (>= 1.31.1, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 3.0)
rubocop-ast (1.30.0)
parser (>= 3.2.1.0)
rubocop-ast (1.31.2)
parser (>= 3.3.0.4)
rubocop-capybara (2.20.0)
rubocop (~> 1.41)
rubocop-factory_bot (2.25.1)
rubocop (~> 1.41)
rubocop-performance (1.20.2)
rubocop-performance (1.21.0)
rubocop (>= 1.48.1, < 2.0)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rails (2.23.1)
rubocop-ast (>= 1.31.1, < 2.0)
rubocop-rails (2.24.1)
activesupport (>= 4.2.0)
rack (>= 1.1)
rubocop (>= 1.33.0, < 2.0)
rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rspec (2.26.1)
rubocop-ast (>= 1.31.1, < 2.0)
rubocop-rspec (2.29.1)
rubocop (~> 1.40)
rubocop-capybara (~> 2.17)
rubocop-factory_bot (~> 2.22)
rubocop-rspec_rails (~> 2.28)
rubocop-rspec_rails (2.28.3)
rubocop (~> 1.40)
ruby-graphviz (1.2.5)
rexml
ruby-next-core (1.0.2)
ruby-pg-extras (5.3.1)
pg
terminal-table
ruby-progressbar (1.13.0)
ruby-vips (2.2.0)
ffi (~> 1.12)
@ -648,38 +693,52 @@ GEM
scss_lint (0.60.0)
sass (~> 3.5, >= 3.5.5)
selectize-rails (0.12.6)
selenium-devtools (0.121.0)
selenium-devtools (0.123.0)
selenium-webdriver (~> 4.2)
selenium-webdriver (4.17.0)
selenium-webdriver (4.19.0)
base64 (~> 0.2)
rexml (~> 3.2, >= 3.2.5)
rubyzip (>= 1.2.2, < 3.0)
websocket (~> 1.0)
sentry-delayed_job (5.16.1)
sentry-delayed_job (5.17.3)
delayed_job (>= 4.0)
sentry-ruby (~> 5.16.1)
sentry-rails (5.16.1)
sentry-ruby (~> 5.17.3)
sentry-rails (5.17.3)
railties (>= 5.0)
sentry-ruby (~> 5.16.1)
sentry-ruby (5.16.1)
sentry-ruby (~> 5.17.3)
sentry-ruby (5.17.3)
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
sentry-sidekiq (5.16.1)
sentry-ruby (~> 5.16.1)
sentry-sidekiq (5.17.3)
sentry-ruby (~> 5.17.3)
sidekiq (>= 3.0)
shoulda-matchers (6.1.0)
shoulda-matchers (6.2.0)
activesupport (>= 5.2.0)
sib-api-v3-sdk (9.1.0)
addressable (~> 2.3, >= 2.3.0)
json (~> 2.1, >= 2.1.0)
typhoeus (~> 1.0, >= 1.0.1)
sidekiq (7.2.1)
sidekiq (7.2.2)
concurrent-ruby (< 2)
connection_pool (>= 2.3.0)
rack (>= 2.2.4)
redis-client (>= 0.19.0)
sidekiq-cron (1.12.0)
fugit (~> 1.8)
globalid (>= 1.0.1)
sidekiq (>= 6)
simple_xlsx_reader (1.0.4)
nokogiri
rubyzip
simplecov (0.22.0)
docile (~> 1.1)
simplecov-html (~> 0.11)
simplecov_json_formatter (~> 0.1)
simplecov-cobertura (2.1.0)
rexml
simplecov (~> 0.19)
simplecov-html (0.12.3)
simplecov_json_formatter (0.1.4)
simpleidn (0.2.1)
unf (~> 0.1.4)
sinatra (3.2.0)
@ -687,13 +746,13 @@ GEM
rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.2.0)
tilt (~> 2.0)
skylight (6.0.3)
skylight (6.0.4)
activesupport (>= 5.2.0)
smart_properties (1.17.0)
spreadsheet_architect (5.0.0)
caxlsx (>= 3.3.0, < 4)
rodf (>= 1.0.0, < 2)
spring (4.1.3)
spring (4.2.1)
spring-commands-rspec (1.0.4)
spring (>= 0.9.1)
sprockets (4.2.1)
@ -705,23 +764,26 @@ GEM
sprockets (>= 3.0.0)
stackprof (0.2.26)
stringio (3.1.0)
strong_migrations (1.7.0)
strong_migrations (1.8.0)
activerecord (>= 5.2)
swd (1.3.0)
swd (2.0.3)
activesupport (>= 3)
attr_required (>= 0.0.5)
httpclient (>= 2.4)
faraday (~> 2.0)
faraday-follow_redirects
sys-proctable (1.3.0)
ffi (~> 1.1)
sysexits (1.2.0)
temple (0.8.2)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
thor (1.3.0)
thor (1.3.1)
thread_safe (0.3.6)
tilt (2.3.0)
timecop (0.9.8)
timeout (0.4.1)
ttfunk (1.7.0)
turbo-rails (2.0.2)
turbo-rails (2.0.5)
actionpack (>= 6.0.0)
activejob (>= 6.0.0)
railties (>= 6.0.0)
@ -734,14 +796,12 @@ GEM
unf_ext
unf_ext (0.0.9.1)
unicode-display_width (2.5.0)
validate_email (0.1.6)
activemodel (>= 3.0)
mail (>= 2.2.5)
uri (0.13.0)
validate_url (1.0.15)
activemodel (>= 3.0.0)
public_suffix
vcr (6.2.0)
view_component (3.10.0)
view_component (3.12.1)
activesupport (>= 5.2.0, < 8.0)
concurrent-ruby (~> 1.0)
method_source (~> 1.0)
@ -763,13 +823,15 @@ GEM
activemodel (>= 6.0.0)
bindex (>= 0.4.0)
railties (>= 6.0.0)
webfinger (1.2.0)
webfinger (2.1.3)
activesupport
httpclient (>= 2.4)
webmock (3.20.0)
faraday (~> 2.0)
faraday-follow_redirects
webmock (3.23.0)
addressable (>= 2.8.0)
crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0)
webrick (1.8.1)
websocket (1.2.10)
websocket-driver (0.7.6)
websocket-extensions (>= 0.1.0)
@ -783,6 +845,30 @@ GEM
nokogiri (~> 1.11)
xpath (3.2.0)
nokogiri (~> 1.8)
yabeda (0.12.0)
anyway_config (>= 1.0, < 3)
concurrent-ruby
dry-initializer
yabeda-graphql (0.2.3)
graphql (>= 1.9, < 3)
yabeda (~> 0.2)
yabeda-prometheus (0.9.1)
prometheus-client (>= 3.0, < 5.0)
rack
yabeda (~> 0.10)
yabeda-puma-plugin (0.7.1)
json
puma
yabeda (~> 0.5)
yabeda-rails (0.9.0)
activesupport
anyway_config (>= 1.3, < 3)
railties
yabeda (~> 0.8)
yabeda-sidekiq (0.12.0)
anyway_config (>= 1.3, < 3)
sidekiq
yabeda (~> 0.6)
zeitwerk (2.6.13)
zip_tricks (5.6.0)
zipline (1.5.0)
@ -803,6 +889,7 @@ DEPENDENCIES
addressable
administrate
administrate-field-enum
after_commit_everywhere
after_party
ancestry
anchored
@ -824,19 +911,22 @@ DEPENDENCIES
delayed_cron_job
delayed_job_active_record
delayed_job_web
devise!
devise
devise-i18n
devise-two-factor
discard
dotenv-rails
dry-monads
factory_bot
faraday-jwt
flipper
flipper-active_record
flipper-active_support_cache_store
flipper-ui
fugit
geo_coord
geocoder
gitlab-sidekiq-fetcher!
gon
graphql (= 2.0.24)
graphql-batch (= 0.5.1)
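Review bot: the `devise!` to `devise` change at the top of this DEPENDENCIES hunk drops the `!` marker, which Bundler uses to flag a gem resolved from a non-rubygems source (a `git:` or `path:` entry in the Gemfile); confirm that the git/path pin for devise was removed on purpose and that whatever the pinned fork carried is now covered by the released gem, since `gitlab-sidekiq-fetcher!` in the same hunk keeps its pin.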
@ -885,6 +975,7 @@ DEPENDENCIES
rails-controller-testing
rails-erd
rails-i18n
rails-pg-extras
rake-progressbar
redcarpet
redis
@ -909,13 +1000,17 @@ DEPENDENCIES
shoulda-matchers
sib-api-v3-sdk
sidekiq
sidekiq-cron
simple_xlsx_reader
simplecov
simplecov-cobertura
skylight
spreadsheet_architect
spring
spring-commands-rspec
stackprof
strong_migrations
sys-proctable
timecop
turbo-rails
typhoeus
@ -926,8 +1021,14 @@ DEPENDENCIES
warden
web-console
webmock
webrick
yabeda-graphql
yabeda-prometheus
yabeda-puma-plugin
yabeda-rails
yabeda-sidekiq
zipline
zxcvbn-ruby
BUNDLED WITH
2.5.4
2.5.9

@ -26,13 +26,13 @@ done
CWD=$(pwd)
TMP=$(mktemp -d)
cd "$TMP"
cd "$TMP" || exit 1
# Fetch the latest source or the required version
gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
if [ -n "$version" ]; then
git clone --depth 1 --branch $version $gitUrl .
git clone --depth 1 --branch "$version" $gitUrl .
else
git clone --depth 1 $gitUrl .
@ -48,10 +48,10 @@ cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
# Print the new source details
SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
# Print Yarn deps hash
hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
# Switch to bun
nix-shell -p bun --run "bun install --frozen-lockfile --no-cache --no-progress --ignore-scripts"
DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
DEPS_HASH=$(nix-hash --sri --type sha256 node_modules)
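Review bot: the new `DEPS_HASH=$(nix-hash --sri --type sha256 node_modules)` hashes whatever `bun install` left on disk, so the resulting fixed-output hash is tied to the bun version that `nix-shell -p bun` happens to pick and will drift whenever that version changes; pin bun to the same nixpkgs revision the package build uses, or record the bun version next to the hash in meta.nix, so the hash stays reproducible. `--frozen-lockfile` and `--ignore-scripts` are the right flags here: lockfile drift fails loudly instead of silently changing the tree, and no lifecycle scripts run during the fetch.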
cat <<EOF >"$CWD/meta.nix"
{
@ -61,6 +61,6 @@ cat <<EOF >"$CWD/meta.nix"
}
EOF
nixfmt "$CWD"
nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD"
rm -rf "$TMP"
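Review bot: in `nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD"` the `$CWD` is expanded before the inner shell sees it, so a working directory containing spaces or glob characters splits into several arguments; quote it inside the `--run` string, e.g. `--run "nixfmt \"$CWD\""`, consistent with the `cd "$TMP" || exit 1` and `--branch "$version"` quoting added earlier in this file.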

@ -1,200 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
settingsFormat = pkgs.formats.toml { };
py-pkgs = import ./packages/python { inherit pkgs; };
pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = types.package;
default = pkgs.freeradius.overrideAttrs (
old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
}
);
};
configDir = mkOption {
type = types.path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = types.path;
description = "File to the auth token for the service account.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
options = {
secret = mkOption { type = types.path; };
ipaddr = mkOption { type = types.str; };
};
}
);
default = { };
description = "A mapping of clients and their authentication tokens.";
};
certs = {
ca = mkOption {
type = types.str;
description = "The signing CA of the RADIUS certificate.";
};
dh = mkOption {
type = types.str;
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
};
cert = mkOption {
type = types.str;
description = "The certificate for the RADIUS server.";
};
key = mkOption {
type = types.str;
description = "The signing key for the RADIUS certificate.";
};
};
privateKeyPasswordFile = mkOption { type = types.path; };
};
config = mkIf cfg.enable {
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
services.k-radius.settings = {
ca_path = cfg.certs.ca;
radius_cert_path = cfg.certs.cert;
radius_key_path = cfg.certs.key;
radius_dh_path = cfg.certs.dh;
radius_ca_path = cfg.certs.ca;
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network.target" ];
preStart = ''
cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
chmod -R u+w ${cfg.configDir}
# disable auth via methods kanidm doesn't support
rm ${cfg.configDir}/mods-available/sql
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
# write the clients configuration
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs
(
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
)
cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
# Write the password of the private_key in the eap module
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
path = [
pkgs.openssl
pkgs.gnused
];
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
Group = "radius";
DynamicUser = true;
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
];
};
};
};
}
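Review bot: deleting this module does not undo what its `preStart` wrote on the host: `clients.conf` with every RADIUS shared secret (`secret = $(cat "${secret}")`), `server.pem` with the private key, `kanidm.toml` with the service-account `auth_token`, and the EAP private-key password sed'ed into `mods-available/eap`, all under `StateDirectory = "radius"` (`/var/lib/radius`). Add a cleanup step for `/var/lib/radius` and the static `radius` user/group on the machine that ran this, and rotate the RADIUS client secrets and the kanidm auth token if that directory is not wiped.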

@ -1,50 +0,0 @@
{
lib,
fetchFromGitHub,
python3,
pydantic,
}:
let
pname = "kanidm";
version = "0.0.3";
in
python3.pkgs.buildPythonPackage {
inherit pname version;
format = "pyproject";
disabled = python3.pythonOlder "3.8";
src =
(fetchFromGitHub {
owner = pname;
repo = pname;
# Latest 1.1.0-rc.15 tip
rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
})
+ "/pykanidm";
nativeBuildInputs = with python3.pkgs; [ poetry-core ];
propagatedBuildInputs = with python3.pkgs; [
aiohttp
pydantic
toml
(authlib.overridePythonAttrs (_: { doCheck = false; }))
];
doCheck = false;
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm client library";
homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
license = licenses.mpl20;
maintainers = with maintainers; [
arianvp
hexa
];
};
}

@ -1,18 +0,0 @@
diff --git a/pyproject.toml b/pyproject.toml
index 1602e32..507048d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,13 +72,6 @@ filterwarnings = [
]
timeout = 30
xfail_strict = true
-# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
-addopts = [
- '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
- '--benchmark-group-by', 'group',
- '--benchmark-warmup', 'on',
- '--benchmark-disable', # this is enable by `make benchmark` when you actually want to run benchmarks
-]
[tool.coverage.run]
source = ['pydantic_core']

@ -1,20 +0,0 @@
{ pkgs }:
let
inherit (pkgs) lib;
callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
self = builtins.listToAttrs (
builtins.map
(name: {
inherit name;
value = callPackage (./. + "/${name}.nix") { };
})
[
"pydantic"
"pydantic-core"
]
);
in
self

@ -1,84 +0,0 @@
{
stdenv,
lib,
buildPythonPackage,
fetchFromGitHub,
cargo,
rustPlatform,
rustc,
libiconv,
typing-extensions,
pytestCheckHook,
hypothesis,
pytest-timeout,
pytest-mock,
dirty-equals,
}:
let
pydantic-core = buildPythonPackage rec {
pname = "pydantic-core";
version = "2.14.5";
format = "pyproject";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic-core";
rev = "refs/tags/v${version}";
hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
};
patches = [ ./01-remove-benchmark-flags.patch ];
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
};
nativeBuildInputs = [
cargo
rustPlatform.cargoSetupHook
rustPlatform.maturinBuildHook
rustc
typing-extensions
];
buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
propagatedBuildInputs = [ typing-extensions ];
pythonImportsCheck = [ "pydantic_core" ];
# escape infinite recursion with pydantic via dirty-equals
doCheck = false;
passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
nativeCheckInputs = [
pytestCheckHook
hypothesis
pytest-timeout
dirty-equals
pytest-mock
];
disabledTests = [
# RecursionError: maximum recursion depth exceeded while calling a Python object
"test_recursive"
];
disabledTestPaths = [
# no point in benchmarking in nixpkgs build farm
"tests/benchmarks"
];
meta = with lib; {
changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
description = "Core validation logic for pydantic written in rust";
homepage = "https://github.com/pydantic/pydantic-core";
license = licenses.mit;
maintainers = with maintainers; [ blaggacao ];
};
};
in
pydantic-core

@ -1,92 +0,0 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
pythonOlder,
# build-system
hatchling,
hatch-fancy-pypi-readme,
# native dependencies
libxcrypt,
# dependencies
annotated-types,
pydantic-core,
typing-extensions,
# tests
cloudpickle,
email-validator,
dirty-equals,
faker,
pytestCheckHook,
pytest-mock,
}:
buildPythonPackage rec {
pname = "pydantic";
version = "2.5.2";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic";
rev = "refs/tags/v${version}";
hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
};
buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
nativeBuildInputs = [
hatch-fancy-pypi-readme
hatchling
];
propagatedBuildInputs = [
annotated-types
pydantic-core
typing-extensions
];
passthru.optional-dependencies = {
email = [ email-validator ];
};
nativeCheckInputs = [
cloudpickle
dirty-equals
faker
pytest-mock
pytestCheckHook
] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
preCheck = ''
export HOME=$(mktemp -d)
substituteInPlace pyproject.toml \
--replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
--replace "'--benchmark-group-by', 'group'," "" \
--replace "'--benchmark-warmup', 'on'," "" \
--replace "'--benchmark-disable'," ""
'';
disabledTestPaths = [
"tests/benchmarks"
# avoid cyclic dependency
"tests/test_docs.py"
];
pythonImportsCheck = [ "pydantic" ];
meta = with lib; {
description = "Data validation and settings management using Python type hinting";
homepage = "https://github.com/pydantic/pydantic";
changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
license = licenses.mit;
maintainers = with maintainers; [ wd15 ];
};
}

@ -1,45 +0,0 @@
{
stdenv,
fetchFromGitHub,
python3,
pykanidm,
}:
let
pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.15";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
};
patches = [ ./python_path.patch ];
postPatch = ''
substituteInPlace rlm_python/mods-available/python3 \
--replace "@kanidm_python@" "${pythonPath}"
'';
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
preferLocalBuild = true;
}

@ -1,24 +1,38 @@
{ config, sources, ... }:
{
config,
lib,
nixpkgs,
...
}:
let
inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu";
cert = config.security.acme.certs.${domain};
allowedSubDomains = [
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
];
allowedDomains = builtins.map escapeRegex (
(builtins.map (s: "${s}.dgnum.eu") [
# DGNum subdomains
"cloud"
"git"
"videos"
"social"
"demarches"
"netbird"
])
++ [
# Extra domains
"netbird-beta.hubrecht.ovh"
]
);
in
{
services.kanidm = {
enableServer = true;
package = (import sources.nixos-unstable { }).kanidm;
package = nixpkgs.unstable.kanidm;
serverSettings = {
inherit domain;
@ -53,7 +67,7 @@ in
set $origin $http_origin;
if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
set $origin 'https://${domain}';
}
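Review bot: the rewritten origin check `^https?://(${concatStringsSep "|" allowedDomains})$` still accepts plaintext `http://` origins for every allow-listed host; given that the fallback is `https://${domain}` and the listed hosts are served over TLS, tighten the prefix to `^https://` so a plaintext-scheme origin is never accepted as `$origin`. Building `allowedDomains` with `escapeRegex` is the right fix for `netbird-beta.hubrecht.ovh`, whose dots would otherwise match any character and widen the allow-list.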

@ -12,12 +12,10 @@ in
package =
(pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
(
old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
}
);
(old: {
patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
});
hostname = host;

@ -198,13 +198,11 @@ in
poolConfig = mkOption {
type =
with types;
attrsOf (
oneOf [
str
int
bool
]
);
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
@ -221,9 +219,9 @@ in
nginx = mkOption {
type = types.submodule (
recursiveUpdate
(import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" { inherit config lib; })
{ }
recursiveUpdate (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" {
inherit config lib;
}) { }
);
default = { };
example = literalExpression ''
@ -392,9 +390,9 @@ in
}
// (lib.optionalAttrs cfg.distributedPoller.enable {
"distributed_poller" = true;
"distributed_poller_name" =
lib.mkIf (cfg.distributedPoller.name != null)
cfg.distributedPoller.name;
"distributed_poller_name" = lib.mkIf (
cfg.distributedPoller.name != null
) cfg.distributedPoller.name;
"distributed_poller_group" = cfg.distributedPoller.group;
"distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;

@ -9,8 +9,12 @@ in
localDomain = host;
smtp = {
# TODO: smtp setup
fromAddress = "social@services.dgnum.eu";
fromAddress = "noreply@infra.dgnum.eu";
host = "kurisu.lahfa.xyz";
port = 465;
user = "web-services@infra.dgnum.eu";
passwordFile = config.age.secrets.mastodon-smtp-password.path;
authenticate = true;
};
streamingProcesses = 4;
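Review bot: the `# TODO: smtp setup` comment is now stale, since this hunk fills in `host`, `port`, `user`, `passwordFile` and `authenticate = true`; drop it. Port 465 is implicit TLS, which matches `SMTP_TLS = "true"` in the next hunk, and sourcing the password from an agenix secret rather than the Nix store is the right choice.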
@ -22,6 +26,8 @@ in
# LOCAL_DOMAIN = "dgnum.eu";
WEB_DOMAIN = host;
SMTP_TLS = "true";
RAILS_LOG_LEVEL = "warn";
# ObjectStorage configuration

@ -9,22 +9,16 @@ in
enable = true;
hostName = host;
package = pkgs.nextcloud28;
package = pkgs.nextcloud29;
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht";
defaultPhoneRegion = "FR";
trustedProxies = [ "::1" ];
objectstore.s3 = {
enable = true;
@ -71,11 +65,17 @@ in
autoUpdateApps.enable = true;
extraOptions = {
settings = {
overwriteprotocol = "https";
overwritehost = host;
"overwrite.cli.url" = "https://${host}";
updatechecker = false;
default_phone_region = "FR";
trusted_proxies = [ "::1" ];
allow_local_remote_servers = true;
maintenance_window_start = 1;
@ -97,15 +97,12 @@ in
};
virtualisation.oci-containers = {
# # Since 22.05, the default driver is podman but it doesn't work
# # with podman. It would however be nice to switch to podman.
# backend = "docker";
containers.collabora = {
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
};
ports = [ "9980:9980" ];
environment = {
@ -113,6 +110,7 @@ in
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
};
extraOptions = [
"--network=host"
"--cap-add"
"MKNOD"
"--cap-add"
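Review bot: the added `"--network=host"` in `extraOptions` puts the Collabora container in the host network namespace, so the `ports = [ "9980:9980" ]` mapping in the previous hunk no longer does anything and port 9980 is bound directly on every host interface with no container network isolation. If host networking is needed to reach Nextcloud on the same machine, make sure the host firewall limits 9980 to the reverse proxy that terminates TLS (`--o:ssl.termination=true` in `extra_params` indicates one is in front); otherwise keep the bridge network and the published port.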

@ -14,7 +14,7 @@ in
smtp = {
user = "web-services@infra.dgnum.eu";
passwordFile = config.age.secrets."_smtp-password-file".path;
passwordFile = config.age.secrets."plausible-smtp_password_file".path;
hostPort = 465;
hostAddr = "kurisu.lahfa.xyz";
enableSSL = true;
@ -27,11 +27,11 @@ in
disableRegistration = false;
secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
secretKeybaseFile = config.age.secrets."plausible-secret_key_base_file".path;
};
adminUser = {
passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
passwordFile = config.age.secrets."plausible-admin_user_password_file".path;
email = "tom.hubrecht@dgnum.eu";
name = "thubrecht";
activate = true;

@ -0,0 +1,34 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
settings = {
checkpoint_completion_target = 0.90625;
default_statistics_target = 100;
effective_cache_size = "32GB";
effective_io_concurrency = 200;
maintenance_work_mem = "2GB";
max_connections = 500;
max_parallel_maintenance_workers = 4;
max_parallel_workers = 12;
max_parallel_workers_per_gather = 4;
max_wal_size = "4GB";
max_worker_processes = 12;
min_wal_size = "1GB";
random_page_cost = 1.125;
shared_buffers = "16GB";
wal_buffers = "16MB";
work_mem = "83886kB";
};
};
dgn-console = {
# Update the versions below for upgrading
pg-upgrade-to = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
pg-upgrade-from = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
};
}
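Review bot: `max_connections = 500` together with `work_mem = "83886kB"` is a resource-exhaustion risk: work_mem is granted per sort or hash node rather than per connection, so a few hundred concurrent queries with a couple of such nodes each can request well over 500 × 82 MB ≈ 41 GB on top of the 16 GB of `shared_buffers`, and a connection burst turns into a memory-exhaustion path. Either lower `max_connections` (and put a pooler in front) or lower `work_mem`, and document the RAM this sizing assumes next to `effective_cache_size = "32GB"`. The `pg-upgrade-from`/`pg-upgrade-to` pair both pointing at `postgresql_16` is fine as a no-op until the next major upgrade.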

@ -23,12 +23,10 @@ let
mkYamlFiles =
files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files);
pyEnv = cfg.package.python.withPackages (
ps: [
cfg.package
ps.gunicorn
]
);
pyEnv = cfg.package.python.withPackages (ps: [
cfg.package
ps.gunicorn
]);
in
{
options.services.satosa = {

@ -1,7 +1,7 @@
{
lib,
python3,
fetchPypi,
fetchFromGitHub,
cookies-samesite-compat,
pyop,
}:
@ -11,17 +11,13 @@ python3.pkgs.buildPythonPackage rec {
version = "8.4.0";
pyproject = true;
src = fetchPypi {
pname = "SATOSA";
inherit version;
hash = "sha256-KREROjb157RJJVRr9YefzoR/eflR/U7ZmG6yOH5DjcU=";
src = fetchFromGitHub {
owner = "IdentityPython";
repo = "SATOSA";
rev = "v${version}";
hash = "sha256-q7XmZ3EnAFO1OXIhXIF4Vd0H8uaayFIHFZpWiZUsAFA=";
};
nativeBuildInputs = [
python3.pkgs.setuptools
python3.pkgs.wheel
];
propagatedBuildInputs = with python3.pkgs; [
chevron
click
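Review bot: this hunk removes `python3.pkgs.setuptools` and `python3.pkgs.wheel` from `nativeBuildInputs` while keeping `pyproject = true`, and nothing in the hunk adds a replacement build backend; confirm a `build-system = [ ... ]` (or equivalent) exists elsewhere in the file, otherwise the PEP 517 build has no backend to run. Switching from `fetchPypi` to `fetchFromGitHub` with `rev = "v${version}"` is fine for provenance as long as the `hash` is checked against a fresh fetch, since the GitHub tarball is built from the tag rather than the released sdist and the two can differ.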
@ -50,7 +46,7 @@ python3.pkgs.buildPythonPackage rec {
description = "Protocol proxy (SAML/OIDC)";
homepage = "https://pypi.org/project/SATOSA";
license = licenses.asl20;
maintainers = with maintainers; [ ];
maintainers = with maintainers; [ thubrecht ];
mainProgram = "satosa";
};
}

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA T6TOJOuejaoxw3zdeLzGm0CrSkDCCIRenL7wMGnDtlU
dubdAXhc32S6BszHddOcMA6aStZLOvc+36s3nZsYFMU
-> ssh-ed25519 QlRB9Q akzRDbZzo0LwoS1cOwE/tYdz7M+6bhgI81d37d1GtBw
KsGqFhkjlcJNquMi2+1TfQDBy9qguwh5ED9KBg4Y2hU
-> ssh-ed25519 r+nK/Q bL6A9O6UnjjyY+iLvbQSvSTjXX38FLsNjaSngoQXHxY
YZ7Y11inKpzA2m6lro9XXX2qkW6FmkeFGZ3Ak6X+U2w
-> ssh-rsa krWCLQ
dZVUqAyqrP3KHZlpu70IBU8U3I9IP71RzjbiF1rp4rOdz4iQ9ik88ai+hXVuadcN
DMl/7pIkVky6EL8JxFXTQhLivJUpO3NcN3iAS+CLKC+0EFVc03sLyCjn8IExO85r
Lec37ICk9n4LUNEA91A2h4C8U9TbDxCt7MLrIKcQtfFcd+4U1o9g3n19xo9PK1Ho
mcqTbUVgW1nOLxsEeCp5zsCQ+/8tFLcnK08yUB0RlWK+PDFZkk8u8Q2SYZjnaeEp
cwOhUnm/1a15IbW2oGCrVaEd/ymnLDJc6S7vXGpFDWHmOzvJ4Av9KZlGFYaWCjbV
7bGIgWkiQ7iJvTxzu0ZEqw
-> ssh-ed25519 /vwQcQ /DR3Kox7XkbdYQH7SyIc9atjwwe7Ah7hH/63RlzDd0g
k/199lCIfxR7l4ETJMEr1Ch1Zx8v3M5zn0b8mg6ip2k
-> ssh-ed25519 0R97PA H1PS+SlW5FNOf15eO6MKJ/nnVJQkfFMub0IzTS4PhDo
77zwCD0tbrLu4J0vS0RxPK3YZucFV1VYkUVoMTHjf2o
-> ssh-ed25519 JGx7Ng 2WIYPKkWXplInR8v1q22ygs7uYNfIzETeiCt5+MKQQQ
9Gsyr30kaNhxn+fUCBicvoA+hHiWpUf0d0pxRZauhMY
-> ssh-ed25519 5SY7Kg QTnBfvkMcnXpGITtaHr+mRZGogI1kTUqO4byfyMZhGE
89A/PPHVPeBQvTxCeXH8ITVDMkcsYUMbwatyw8NQ04E
-> ssh-ed25519 p/Mg4Q n6hQLuUv3QOMADJF0zpcALYqVUVi5tZHmKGmVZA0IVQ
ZXa+3y33kyo4vQxcEa2XTMIwjH2HE+bAKZw993PgROk
-> ssh-ed25519 tDqJRg Hf1KIZjUTTaHo18P1vWxaSehyKTFElBOovrCN0uJFCc
H8qGw8vIqp4bNiyon2uvTkrrd8lIYnMWnIfzS+w4QRQ
--- QOKOfU20JY1Sj+K20UUxgtPZ7JxKuZ1GtK+OKBZ1Zhg

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4

@ -1,31 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
-> ssh-rsa krWCLQ
1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
ABByGBZ/QKLw66NpE7rbSA
-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
-> t|-grease (u /1\q}65 ]@
Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
LA3n6c+Te9Q
--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ

@ -1,26 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
-> ssh-rsa krWCLQ
axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
28gTWKdeOQcHJfmaeJV/Rg
-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
-> \<?_-grease (+d_8zF H
--- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0

@ -4,6 +4,7 @@ let
in
lib.setDefault { inherit publicKeys; } [
"arkheon-env_file"
"bupstash-put_key"
"ds-fr-secret_file"
"grafana-smtp_password_file"
@ -12,18 +13,17 @@ lib.setDefault { inherit publicKeys; } [
"librenms-database_password_file"
"librenms-environment_file"
"mastodon-extra_env_file"
"mastodon-smtp-password"
"nextcloud-adminpass_file"
"nextcloud-s3_secret_file"
"outline-oidc_client_secret_file"
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"plausible-admin_user_password_file"
"plausible-secret_key_base_file"
"plausible-smtp_password_file"
"satosa-env_file"
"signal-irc-bridge-config"
"telegraf-environment_file"
"vaultwarden-environment_file"
"zammad-secret_key_base_file"
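Review bot: the new entry `"mastodon-smtp-password"` breaks the naming convention of every neighbouring entry (`mastodon-extra_env_file`, `plausible-smtp_password_file`, `outline-smtp_password_file`): underscores inside the secret name and a `_file` suffix. Rename it to `mastodon-smtp_password_file`, together with the `config.age.secrets.mastodon-smtp-password.path` reference in the Mastodon config, before more configs depend on it. The removal of the six `radius-*` entries matches the deleted k-radius module.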

@ -0,0 +1,22 @@
{
config,
sources,
nixpkgs,
...
}:
{
imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
services.signal-irc-bridge = {
enable = true;
package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
configFile = config.age.secrets."signal-irc-bridge-config".path;
};
services.nginx.virtualHosts."bridge.dgnum.eu" = {
forceSSL = true;
enableACME = true;
locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
};
users.users.nginx.extraGroups = [ "signal-irc" ];
}
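Review bot: `users.users.nginx.extraGroups = [ "signal-irc" ]` grants nginx group-level read access to everything the `signal-irc` group owns, not only `/var/lib/signal-irc/hermes-media/`, which will typically include the bridge's own state under `/var/lib/signal-irc/`; prefer a dedicated media directory with its own group, or a filesystem ACL limited to `hermes-media`. Note also that the `/files/` alias serves that directory with no access control in the vhost, so anything the bridge writes there is public on `bridge.dgnum.eu`.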

@ -0,0 +1,35 @@
diff --git a/build.gradle b/build.gradle
index 78901d8e..3a14ceee 100644
--- a/build.gradle
+++ b/build.gradle
@@ -70,20 +70,6 @@ launch4j {
messagesInstanceAlreadyExists="Stirling-PDF is already running."
}
-spotless {
- java {
- target project.fileTree('src/main/java')
-
- googleJavaFormat('1.19.1').aosp().reorderImports(false)
-
- importOrder('java', 'javax', 'org', 'com', 'net', 'io')
- toggleOffOn()
- trimTrailingWhitespace()
- indentWithSpaces()
- endWithNewline()
- }
-}
-
dependencies {
//security updates
implementation 'ch.qos.logback:logback-classic:1.5.3'
@@ -171,9 +157,6 @@ dependencies {
annotationProcessor 'org.projectlombok:lombok:1.18.32'
}
-tasks.withType(JavaCompile).configureEach {
- dependsOn 'spotlessApply'
-}
compileJava {
options.compilerArgs << '-parameters'
}

@ -0,0 +1,12 @@
diff --git a/build.gradle b/build.gradle
index 78901d8e..2e7ff96b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -166,6 +166,7 @@ task writeVersion {
def props = new Properties()
props.setProperty('version', version)
props.store(propsFile.newWriter(), null)
+ propsFile.text = propsFile.readLines().tail().join('\n')
}
swaggerhubUpload {
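Review bot: `propsFile.text = propsFile.readLines().tail().join('\n')` strips the timestamp comment that `Properties.store` writes as its first line, which is what makes the output reproducible, but it silently assumes that comment is exactly one line and it drops the trailing newline; a short comment stating the intent would help the next reader, and writing the single property directly (`propsFile.text = "version=${version}\n"`) would avoid the round trip through `Properties` altogether.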

@ -0,0 +1,16 @@
diff --git a/build.gradle b/build.gradle
index 2e7ff96b..f3a4a15c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,6 +21,11 @@ repositories {
mavenCentral()
}
+tasks.withType(AbstractArchiveTask) {
+ preserveFileTimestamps = false
+ reproducibleFileOrder = true
+}
+
licenseReport {
renderers = [new JsonReportRenderer()]
}

@ -0,0 +1,25 @@
diff --git a/build.gradle b/build.gradle
index f3a4a15c..61fbd74e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -18,7 +18,7 @@ version = '0.26.1'
sourceCompatibility = '17'
repositories {
- mavenCentral()
+ maven { url '@deps@' }
}
tasks.withType(AbstractArchiveTask) {
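Review bot: `maven { url '@deps@' }` is a placeholder that only works once something substitutes the real offline-repository path into both `build.gradle` and `settings.gradle`; nothing in this patch does that, so the packaging expression applying it must run a substitution step and fail if the marker is left untouched. Replacing `mavenCentral()` this way is the right direction for a hermetic build, since dependency resolution can no longer reach the network at build time.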
diff --git a/settings.gradle b/settings.gradle
index f8139930..2c87f3cc 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -1 +1,7 @@
+pluginManagement {
+ repositories {
+ maven { url '@deps@' }
+ }
+}
+
rootProject.name = 'Stirling-PDF'

@ -0,0 +1,22 @@
diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
index cab78313..192922f3 100644
--- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
}
- @Test
+ /* @Test
public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
// Mock the command to execute
List<String> command = new ArrayList<>();
@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
// Check the exit code and output messages
assertEquals(0, result.getRc());
assertNotNull(result.getMessages()); // Check if messages are not null
- }
+ } */
@Test
public void testRunCommandWithOutputHandling_Error() {
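Review bot: wrapping `testRunCommandWithOutputHandling` in `/* ... */` disables the test with no record of why; annotating it with the framework's disable annotation (`@Disabled("...")` on JUnit 5, `@Ignore` on JUnit 4) keeps it compiled, reports it as skipped, and carries the reason (presumably that the command it runs through the `LIBRE_OFFICE` executor is not available in the build sandbox). The `setUp` at line 19 still calls `ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE)`, so the remaining `_Error` test keeps exercising the executor.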

View file

@ -0,0 +1,30 @@
{ nixpkgs, ... }:
let
dgn-id = "f756a0f47e704db815a7af6786f6eb0aec628d6b";
in
{
services.stirling-pdf = {
enable = true;
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
];
});
domain = "pdf.dgnum.eu";
port = 8084;
nginx = {
enableACME = true;
forceSSL = true;
};
environment = {
UI_APP_NAME = "DGNum PDF";
SYSTEM_DEFAULT_LOCALE = "fr-FR";
};
};
}
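Review bot: `builtins.fetchurl` on the commit patch URL carries no content hash, so the patch is downloaded at evaluation time and whatever the forge serves is applied unchecked; pinning `dgn-id` fixes the commit, not the bytes (a forge can change how it renders a `.patch`, or be compromised). Use `pkgs.fetchpatch { url = "..."; hash = "..."; }` so the patch is content-addressed, verified against the hash, and cached in the store instead of re-fetched.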

View file

@ -3,19 +3,14 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
];
enabledServices = [
# List of services to enable
"uptime-kuma"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true;
};
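Review bot: this hunk drops the `dgn-fail2ban` module together with its `sshd-bruteforce` and `sshd-timeout` jails without enabling a replacement in this file; the protection presumably now comes from a module enabled for every host, so confirm that its sshd rules actually apply to rescue01 rather than leaving the rescue host, of all machines, with no SSH rate limiting.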

View file

@ -2,4 +2,4 @@ let
lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "rescue01";
in
lib.setDefault { inherit publicKeys; } [ ]
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ]

View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA wZdqi7vBlMEOJiY1VvbsmqyBSO/jl6SWLRGw+0ylKWo
UvKyh4Jh608Z9i9+6WuPu3mwnlC98aAr6jiV38JJGzk
-> ssh-ed25519 QlRB9Q +DUjR2Wqwg2SevBY+YgvLEDkcnoWGRTfcVFbl27CQT4
poWQnP4cOQGc5Xhgrgz2KKEOJ8dB+iCcqME5D/zJv5c
-> ssh-ed25519 r+nK/Q GsidIKDaPJmx8igrgoAbWGywJQB0nV/cY8Zm0CIByho
m4HrxUhPkp7gahyLO2gfQUnglkB715jaCrADg77ns34
-> ssh-rsa krWCLQ
VwNy3N6+l3Vgpo8AK7cJ2gRmHa+oBtB4w3n+E8gn7sugcEB16NDtjK861zwszUq7
OfOPUZ5mE+RWz20XYWPAJIPEYNaiqc5vJzguFvZdlyJNInJLxANlIaHydE1AGA9v
l07t9PAxxV5L40EiPHxjveEKaKiAAJVbWWfILX9f4U5vjKy5729IE/3aTRUbTD/M
CXINLnzFWwDLi3x2yBrGUly2mLIb4KyDuE8jnPmtCFveKsVxVsDEeiXvi0yeT+xM
viGvXJ9Ad6tAug4BE2suqwG1iPHsa98pFBqYM8gG2rp2WOFhzs0emkTu5LGYJOMr
VR39Qxcdp1WjPr9e+l/MDQ
-> ssh-ed25519 /vwQcQ GBXHQzwSFS+abM91umquafIEcUoI407reSuULz7SGGY
WpW9aHq2Eq8pXpvGsEKoByQLj0tr04GxNQrf09ronrY
-> ssh-ed25519 0R97PA BxlIEcd6G5GDLUxgoTzyUqRRxGIx49YCZSvzjVIBdjw
oDqUd2O+oBdDrOvrQysdptF1LuvXK/dKurFnHUjgNfk
-> ssh-ed25519 JGx7Ng Km6PmwRZ9HfGjEhkgb8P+ZCt+B/C+jg9bcvdwBvrS0Q
D+UC5nkMnpYuJtz5X30iF1avU+jlEy4zOEPkyj5o2x8
-> ssh-ed25519 5SY7Kg 3tf/eLI3ngqilOfEz8fayTDHWHNd14ANJTSt5lz1yDM
QUhDPYuiZ9YloKgYqY5UdMVmawyMAOS/T4jbpvsNJpI
-> ssh-ed25519 p/Mg4Q h/8lvmwcmoyTa6vW0N2AbgKt/dpNNqVmRW02NaYl7Wo
OaFeo+ZPa2LY5zRJzv/exq4bv734FxZwX3ql1kpv5bk
-> ssh-ed25519 +MNHsw iaiHp0x4Xzf886Q0Li6IleeO3wZUAQbYFHxn0jzdCk0
W4gaBtwKPbonB2g9+Ts+teXPEPoWDCVoVn1vixiQ+7M
--- 1ACvcwsxZKnjgKRAzJy8e4eBtxZXrwe00wPdDlMWnBo
Œ<ƒ¼î|ë=©r<2Ÿµ.>ÃÇ~,5J² Ä … àé[ºë^+͸Z‰ñjá×=Ï<Ï%Út뮪

View file

@ -0,0 +1,159 @@
{
config,
lib,
nodes,
sources,
...
}:
let
inherit (lib)
concatLists
mapAttrsToList
mkForce
mkMerge
;
inherit (config.statelessUptimeKuma.lib)
pingProbesFromHive
fromHive
httpProbesFromConfig
probesWithTag
;
probesCfg = config.statelessUptimeKuma.probesConfig;
mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
host = "status.dgnum.eu";
port = 3001;
httpExcludes = [
"localhost"
"ens.cal.dgnum.eu"
"luj-current.cal.dgnum.eu"
"s3.dgnum.eu"
"cdn.dgnum.eu"
"saml-idp.dgnum.eu"
"status.dgnum.eu"
"radius.dgnum.eu"
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
extraProbes = {
monitors = {
"prometheus.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "401" ];
};
"api.meet.dgnum.eu" = {
keyword = "Crab Fit API";
};
};
};
status_pages = {
"dgnum" = {
title = "DGNum";
description = "Etat de l'infra de la DGNum";
showTags = true;
publicGroupList = [
{
name = "Services";
weight = 1;
monitorList = mkMonitors "Service";
}
{
name = "Serveurs";
weight = 2;
monitorList = mkMonitors "Ping";
}
{
name = "VPN Interne";
weight = 2;
monitorList = mkMonitors "VPN";
}
];
};
};
pingProbes = pingProbesFromHive {
inherit nodes;
mkHost = _: config: config.networking.fqdn;
tags = [ { name = "Ping"; } ];
excludes = [
"geo01"
"geo02"
"rescue01"
];
};
vpnProbes = pingProbesFromHive {
inherit nodes;
prefix = "VPN - ";
mkHost = node: _: "${node}.dgnum";
tags = [ { name = "VPN"; } ];
excludes = [
"rescue01"
"web02"
];
};
httpProbes = fromHive {
inherit nodes;
builder =
_: module:
httpProbesFromConfig {
inherit (module) config;
tags = [
{
name = "Host";
value = module.config.networking.fqdn;
}
{ name = "Service"; }
];
excludes = httpExcludes;
};
};
in
{
imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
services.uptime-kuma.enable = true;
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes
httpProbes
extraProbes
vpnProbes
{ inherit status_pages; }
];
extraFlags = [ "-s" ];
host = "http://localhost:${builtins.toString port}/";
username = "dgnum";
passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
enableService = true;
};
}
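Review bot: the `dgnum` status page is public and sets `showTags = true`, while every HTTP probe carries a `Host` tag whose value is `module.config.networking.fqdn`, so the page discloses which internal host serves each service; either drop the `value` from that tag or set `showTags = false`. Also, `port = 3001` is assumed to be Uptime Kuma's listen port but nothing in this file sets it; tying `services.uptime-kuma.settings.PORT` to `builtins.toString port` keeps the nginx `proxyPass` and the stateless client's `host` URL in sync if the module default ever changes.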

View file

@ -4,13 +4,13 @@ lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-backups"
"dgn-fail2ban"
"dgn-web"
];
enabledServices = [
# List of services to enable
"atticd"
"tvix-cache"
"forgejo"
"forgejo-runners"
"garage"
@ -21,8 +21,6 @@ lib.extra.mkConfig {
];
extraConfig = {
dgn-fail2ban.jails.sshd-preauth.enabled = true;
dgn-hardware.useZfs = true;
services.netbird.enable = true;
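Review bot: the second hunk removes `dgn-fail2ban.jails.sshd-preauth.enabled = true` together with the module, while the first enables the new `tvix-cache` service, which (per the tvix-store module in this change set) exposes a password-protected upload endpoint through nginx; check that whatever replaces fail2ban also watches nginx authentication failures, since password guessing against that endpoint is now the relevant threat on this host, not only sshd.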

View file

@ -1,9 +1,4 @@
{
config,
pkgs,
sources,
...
}:
{ config, nixpkgs, ... }:
let
host = "cachix.dgnum.eu";
@ -16,7 +11,7 @@ in
credentialsFile = config.age.secrets."atticd-credentials_file".path;
settings = {
listen = "127.0.0.1:9090";
listen = "127.0.0.1:9099";
api-endpoint = "https://${host}/";
allowed-hosts = [ host ];
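Review bot: moving atticd from `127.0.0.1:9090` to `127.0.0.1:9099` avoids the collision with Prometheus' default port 9090, which the Prometheus config in this same change set scrapes as `localhost:9090`; the nginx `proxyPass` hunk below is updated consistently. A one-line comment next to `listen` saying why 9099 was chosen would stop someone from moving it back.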
@ -26,7 +21,7 @@ in
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
nar-size-threshold = 0; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
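Review bot: `nar-size-threshold = 0; # 64 KiB` keeps a trailing comment that is now wrong, and per the comment two lines above, `0` disables chunking entirely for newly uploaded NARs, so cross-NAR deduplication is lost for everything pushed from now on. If that is intentional (for example to stop the chunk database from growing), say so in the comment; otherwise set the real threshold.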
@ -49,7 +44,7 @@ in
};
useFlakeCompatOverlay = false;
package = pkgs.callPackage "${sources.attic}/package.nix" { };
package = nixpkgs.unstable.attic-server;
};
nginx = {
@ -60,10 +55,10 @@ in
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9090";
proxyPass = "http://127.0.0.1:9099";
extraConfig = ''
client_max_body_size 100M;
client_max_body_size 10G;
'';
};
};
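Review bot: raising `client_max_body_size` to `10G` is needed for large NAR uploads, but with nginx's default request buffering the whole body is spooled to a temporary file before it is forwarded to atticd, so the filesystem holding `client_body_temp_path` needs 10G free per concurrent upload; `proxy_request_buffering off;` streams the body to the backend instead. Nothing in the vhost restricts who may push, so this relies entirely on attic's own token authentication, which is fine as long as that is understood.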
@ -82,4 +77,6 @@ in
];
};
};
systemd.services.atticd.environment.RUST_LOG = "warn";
}

View file

@ -1,6 +1,7 @@
{
config,
pkgs,
nixpkgs,
sources,
...
}:
@ -29,6 +30,8 @@ let
options = "--cpus=4";
};
};
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in
{
services.forgejo-nix-runners = {
@ -40,10 +43,10 @@ in
tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [
pkgs.colmena
nix-pkgs.colmena
pkgs.npins
pkgs.tea
(import sources.nixpkgs { }).nixfmt-rfc-style
nixpkgs.unstable.nixfmt-rfc-style
];
containerOptions = [ "--cpus=4" ];

View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, nixpkgs, ... }:
let
port = 3000;
@ -10,7 +10,7 @@ in
enable = true;
user = "git";
package = pkgs.forgejo;
package = nixpkgs.unstable.forgejo;
stateDir = "/var/lib/git";
database = {
@ -24,30 +24,17 @@ in
APP_NAME = "Forge git de la DGNum";
};
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = port;
APP_DATA_PATH = "/var/lib/git/data";
};
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
DISABLE_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = true;
};
log.LEVEL = "Warn";
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "https://gitea.com";
};
admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
};
log.LEVEL = "Warn";
mailer = {
ENABLED = true;
FROM = "git@infra.dgnum.eu";
@ -56,6 +43,30 @@ in
SMTP_PORT = 465;
USER = "web-services@infra.dgnum.eu";
};
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = port;
APP_DATA_PATH = "/var/lib/git/data";
OFFLINE_MODE = false;
};
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = true;
};
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
"cron.cleanup_actions".ENABLED = true;
"cron.delete_old_actions".ENABLED = true;
"cron.git_gc_repos".ENABLED = true;
"cron.update_checker".ENABLED = false;
};
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
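Review bot: `EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*"` together with `DISABLE_REGISTRATION = false` is no restriction at all: the `*` entry matches every domain, so the allowlist only records an intent. Either drop the `*` (keeping `REGISTER_EMAIL_CONFIRM = true`) or drop the setting. The newly added `OFFLINE_MODE = false` explicitly permits Gravatar and CDN lookups for avatars and static assets, which sends visitor and user data to third parties; `OFFLINE_MODE = true` is the privacy-preserving value for a self-hosted forge, and it would be consistent with disabling `cron.update_checker` in the same hunk.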

View file

@ -7,23 +7,25 @@ let
data_dir = "/data/slow/garage/data";
metadata_dir = "/data/fast/garage/meta";
buckets = [ "peertube-videos-dgnum" ];
domains = [
"boussole-sante.normalesup.eu"
"simi.normalesup.eu"
"bandarretdurgence.ens.fr"
];
buckets = [
"castopod-dgnum"
"peertube-videos-dgnum"
"banda-website"
] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}");
in
{
services.garage = {
enable = true;
package = pkgs.garage_0_9.overrideAttrs (
old: {
patches = (old.patches or [ ]) ++ [
# Allow 0 as a part number marker
(pkgs.fetchpatch {
url = "https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/670.patch";
hash = "sha256-28ctLl1qscMRj2JEVnmhuLyK1Avub8QeyfQFxAK0y08=";
})
];
}
);
package = pkgs.garage_0_9;
settings = {
inherit data_dir metadata_dir;
@ -50,7 +52,7 @@ in
k2v_api.api_bind_addr = "[::]:3904";
admin.api_bind_addr = "0.0.0.0:3903";
admin.api_bind_addr = "127.0.0.1:3903";
};
environmentFile = config.age.secrets."garage-environment_file".path;
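Review bot: binding the admin API to `127.0.0.1:3903` is the right move (the Prometheus job in this change set scrapes it on localhost with a bearer token), but `k2v_api.api_bind_addr = "[::]:3904"` one line above is still a wildcard bind; unless K2V must be reachable from outside, give it the same loopback treatment, and in any case make sure the host firewall, not only the bind address, governs what is exposed.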
@ -62,6 +64,7 @@ in
data_dir
metadata_dir
];
TimeoutSec = 3000;
};
users.users.garage = {
@ -75,7 +78,7 @@ in
enableACME = true;
forceSSL = true;
serverAliases = builtins.map (b: "${b}.${host}") buckets;
serverAliases = mkHosted host buckets;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3900;
@ -91,12 +94,13 @@ in
enableACME = true;
forceSSL = true;
serverAliases = builtins.map (b: "${b}.${webHost}") buckets;
serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3902;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;'';
proxy_set_header Host $host;
'';
};
};
}
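Review bot: adding the bare `domains` to `serverAliases` of a vhost with `enableACME = true` puts `boussole-sante.normalesup.eu`, `simi.normalesup.eu` and `bandarretdurgence.ens.fr` on the same certificate as the bucket hosts; issuance and every renewal then fail for the whole vhost if any one of those names stops resolving to this server. A separate vhost per external domain keeps a stale DNS record for one of them from breaking the bucket hosts.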

View file

@ -30,9 +30,9 @@ let
managementFormat = pkgs.formats.json { };
settingsFile = settingsFormat.generate "setup.env" (
builtins.mapAttrs
(_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val)
settings
builtins.mapAttrs (
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
) settings
);
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
@ -106,9 +106,9 @@ let
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
NETBIRD_AUTH_PKCE_REDIRECT_URLS =
builtins.map (p: "http://localhost:${p}")
cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
p: "http://localhost:${p}"
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
}
// (optionalAttrs cfg.setupAutoOidc {
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
@ -138,15 +138,13 @@ in
type =
with types;
attrsOf (
nullOr (
oneOf [
(listOf str)
bool
int
float
str
]
)
nullOr (oneOf [
(listOf str)
bool
int
float
str
])
);
defaultText = lib.literalExpression ''
{
@ -493,8 +491,9 @@ in
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
${optionalString (cfg.secretFiles.AUTH_CLIENT_SECRET == null)
''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
${optionalString (
cfg.secretFiles.AUTH_CLIENT_SECRET == null
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"

View file

@ -1,8 +1,26 @@
{ config, ... }:
{
config,
nodes,
lib,
...
}:
let
host = "prometheus.dgnum.eu";
port = 9091;
nodeExporterConfigs = lib.flatten (
lib.mapAttrsToList (
node:
{ config, ... }:
lib.optional config.dgn-node-monitoring.enable {
targets = [ "${node}.dgnum:${builtins.toString config.dgn-node-monitoring.port}" ];
labels = {
host = node;
};
}
) nodes
);
in
{
@ -20,11 +38,42 @@ in
webExternalUrl = "https://${host}";
retentionTime = "1y";
extraFlags = [ "--storage.tsdb.retention.size=20GB" ];
globalConfig = {
scrape_interval = "15s"; # if you change this settings, please do it in grafana also
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [ { targets = [ "localhost:9090" ]; } ];
}
{
job_name = "node_exporter";
static_configs = nodeExporterConfigs;
}
{
job_name = "uptime_kuma";
scheme = "https";
static_configs = [ { targets = [ "status.dgnum.eu" ]; } ];
basic_auth = {
username = "prometheus";
password_file = config.age.secrets."prometheus-uptime-kuma-apikey".path;
};
}
{
job_name = "hyp01_ups";
metrics_path = "/ups_metrics";
static_configs = [ { targets = [ "100.80.255.180:9199" ]; } ];
}
{
job_name = "garage";
static_configs = [ { targets = [ "localhost:3903" ]; } ];
bearer_token_file = config.age.secrets."prometheus-garage_api".path;
}
];
};
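Review bot: the `prometheus` self-scrape targets `localhost:9090` while the file declares `port = 9091` in its `let`; if that binding is what the server listens on, the job scrapes the wrong port (and until this change set moved atticd off 9090, that port belonged to atticd). Use `"localhost:${builtins.toString port}"` so the two cannot drift. The `hyp01_ups` target is a hard-coded overlay address (`100.80.255.180:9199`) whereas every node-exporter target is built as `${node}.dgnum`; naming it the same way survives an IP reassignment. Scraping `status.dgnum.eu` over HTTPS with the API key as the basic-auth password is Uptime Kuma's documented metrics mechanism, so that part is fine.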

View file

@ -1,27 +1,30 @@
age-encryption.org/v1
-> ssh-ed25519 rHotTw KgYJOa3x3qkH/QwL5YM7A7qDjrT/wur/PvRhD99PDjk
BrZwARaPH9YJ+jQMcOJl3B+0VVXyOeB/JKY/qclJ14E
-> ssh-ed25519 jIXfPA FRmqOILhQDwY8dnnVzsT9Yo+nAlr4LpKoIdKgLU8uRA
8PaCaIgR9xqR+dGTUjhuZVv9Uzp+24LeME2/J08poRw
-> ssh-ed25519 QlRB9Q VKLN5d4g3vvuJYh7bUx9M3YyITPMoYpmJEm3klzS8nU
1W0iuVux3/1IjlRfN5DpXcugXnZ1Nq/+bAJumb8VjSU
-> ssh-ed25519 r+nK/Q I2i+0w9tisUfGsQOHKmilVncCgJdad7ylKyeovYkgSA
Z8h9nmhSsFqlsnijKS2Q+iC388s4gdZ9CFFa9sK+vKA
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
-> ssh-rsa krWCLQ
CwD5afln6hCMzH5s+0BUhdLW25rooaCUnF/EyP+HTUjJXVfjeGpHcJuwI1PVtRyy
/AXxXmDd5x3MC9xwonXCb4nLsMyFCZT3SLkxZB/hdFn4TBsd6UKc5wMg/jw8EhNu
1MplmtryNu9QaH9dtUWiW6Zu0DL9wCiJ4noubDpJ/MeQY4xUTShSfF7PB9yi/0AG
48iaoZgJbiklycqOXF5Z1u6MhjjuV5UeQq6JH7NpiuvypIYM2Ab0azGlkVsDYHvi
NTGEDGwPqtsexOcYnh5cHrPZw+6a7DFiz7mbc1UiUl3BFlfTi2jFdZFabVZ9gJg7
PyVp3aQ7jsIW4+DYsIWeMA
-> ssh-ed25519 /vwQcQ Askgv4zAzvT1NfOZqrSR10NCkx9jAWieCbtkTGemDAM
N2D0khW0Yvw6ZlaCtSDwD3R4CzfBArumkpq0YAv3fxE
-> ssh-ed25519 0R97PA H4Mqj2WiRljaW30ReWZihyhsHIxymK8PjuWQrjTpjS0
ESSRNIKjKeXFXJU7G7lokghQpsMNOAsMepACbk+W1L0
-> ssh-ed25519 JGx7Ng Vw/SjdUAmPW1tHMzRprkXgI6CefeSEiZeflWOgnAsDI
qBpv7uBQKxVOIAvv7V7yviI+AsbmvNM2DZ6Y4Fu2U8Y
-> KkV7*L_-grease
2cwIOQcWAOVX
--- w/DwnscRvLRGCXmMn0x+fEB9U6dApV7ydUBsOrjHDkE
2jWJů·‰”Ńű¸˛GpńP;ü<>ÔśBu R·Č‡Pcžňe‡@˘ČŘó;|nUM"ĎÔÄ4:Ź±ŃyąLŇE|+Zřˇ”Ľ#±ŐÁ:??1"kŠˇâhbZ gE^ńÔY>}ačĎąâŐr(C¸[FšµőHAĹé§q_÷Đ—ä űK$ÎP<Đ°bAĹ™MSľhśŠ„®›ćF<dw|«ď<C2AB>#Ĺ9U‡L|Ť;Ő‹ż‰˘ď üöý7Čfś ]żüš×EÔŚVŻ7¨_ń
÷fŚoďOÇ^Sż…Ż—ĺýż•ĚoOĂŁ<C482>łŢoń†+ëŐěĘ—Ň%Ţ•QUľ·ďµeĎßßŐ„´Đ.ҨR{g0ć|ĚĂ
hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
vBGnX9w0unyR//LLqrOPWA
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
uÂ;.ÿñË>pÔïÑ<C391>òh¸<68>2ÎŒ}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$ 1»!z<E28093>jlA‡[@;òs®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—hòà ù@%ˆŠä´›|×{ ¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZDËÇÃ)}HŠü˜¦×ál}Sƒ˜ëFrn
øL¦-wÉÑ—¼j)ê â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
¾¸y8óÃkñbÔy×ËäÏ臃¹·k¤¨ÉÍ™ê°n/-'ÃZ<C383>ÅŸ ¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d

View file

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA hiozo++fCkzjrvUQRLnAh4uwlmIXcTwkVbjkYbcH4mQ
boST8EzrWdNAuyOylbBX//DnWtO7RL2W++Wnm40w2MA
-> ssh-ed25519 QlRB9Q i0StXRfRRlTsN7MNZmlfBQdacHQlmTmriyiRcJu74g0
dhkD9ZfW+mkkryHBu+2fHe76hXrWVGKl+orxkPJD6gU
-> ssh-ed25519 r+nK/Q Ekn/Bz+c+G+KwgZEOCdk58lV9XN12d7/f+wi8ZEysgU
QdvnL+HtpHnxUbKD06WZDAi55q3xOYn3OiHViNdFt+I
-> ssh-rsa krWCLQ
ijGL8v8Otp59VvF0tDIReazFzchihsutr+zbcQuB6m3JZ6SAWyoKwhFdwiaLOfUd
DMAo2FOKfCbWS+M1VpdSJfu9LKroMCkeW+FOK81h6ywEYSAw/vt2FJP2TLiljZou
d7hiqNv0u/yiIoQiTs9hwOAPtLofiWcX//18TNTCgqm9Ttn0mKlfBjTkUQJdkZVM
j1rofzgHDdkyZDdr1op3sc4iURJ98dVN7ic035Fz+Ggs0yBh9T7qtVsUe7swuoH9
b9yxOSHdV3b4BYg75UrfiRNTOeQq8pxsga1DIs2x7oHkeVb8Ypmr1tXuAtWi20eg
1cYP5+BxY8ry6uaYNLYpKw
-> ssh-ed25519 /vwQcQ ZuVSKV4sI53zDaTOHIkk6ntPy9IxSBNIN/JEDPfT71Y
C5UgzlDJCcA8CP5D0kppqJKti76qe5IVFFnNirRtl/s
-> ssh-ed25519 0R97PA bNQCB3PAp5Ka2drYm74R7nuGM7NFUsKluPo6EEEyiVA
1/NFavNSG1pdMiWr2q2z9XwHs6iqhh5+3KIlr8ToPOo
-> ssh-ed25519 JGx7Ng 6X2a/FNvglr8ZSWvgEb37B67JJpJV0x1+fdlo6K6pzo
8AxYhMJ5+XGKNnpRBTSUM4GSbRj8s7amMQa8sp+tQWM
-> ssh-ed25519 5SY7Kg xw7EQG3mz6gQZXSh2LpY5zFRyMZOqEypvnOorRLBBHQ
WTcl4rLfg/siaGFmk/Odc6fsX+C6OPRWTHFQ0eENwgY
-> ssh-ed25519 p/Mg4Q hSz69OeCJyLJIpnI1tJqGNRErbDF2v6OdxWxi/pfF3k
nM6aJWcuzXEqRarkkAQx4636bALK3g0AwCsSfc8fXrk
-> ssh-ed25519 rHotTw xyrUv1xRQGG+CyL7Ftdw50S8LtN3Bd07f+8JInmBdGg
ehZkeby649QdiSyCDP4wTplLU7mtXac9QzILFIkIX/8
--- xWjuc/9B2UAHi7vuOjdvwJ2K3MEeDeTon5XDU1zi6rw
i«(rçfJ!G$<24>e)¤ê ý¡é•%)„‚9<>KÙ®UK¿Ëé]oǹË@Âv<C382>ŒÀ2I­pè\<12>ˆ^©9ä]¿ÂL,Ÿ•5æö/wvYŽÒ<C5BD>Í«‡³ ¬¼

Binary file not shown.

View file

@ -13,8 +13,13 @@ lib.setDefault { inherit publicKeys; } [
"influxdb2-initial_token_file"
"influxdb2-telegraf_token_file"
"netbird-auth_client_secret_file"
"nginx-tvix-store-password"
"nginx-tvix-store-password-ci"
"peertube-secrets_file"
"peertube-service_environment_file"
"peertube-smtp_password_file"
"prometheus-garage_api"
"prometheus-uptime-kuma-apikey"
"prometheus-web_config_file"
"tvix-store-infra-signing-key"
]

View file

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA /4nTbCIrufpN0Jho+8ZqTdZpc8mzSQrpG78flq+b9lM
x6Pg9oMGzboBg4WSAHxPwtNKcJUIG007Wx1ZjlzneLc
-> ssh-ed25519 QlRB9Q LsPsxbx6zvcLNf/EC3yFRP7Gr5tLYcg+8WGx6n0S724
4cyAHEdVBR885G4nfJSvUPqKWr/0abAtDTHmwksADp8
-> ssh-ed25519 r+nK/Q 9MisKxWalh0oubQFjwm2SDggxrj/fhdXGCYuYaP99jA
18o9juckqPtR4gh2MTXdmonxV9oZymyhCUqW3sOVltQ
-> ssh-rsa krWCLQ
j6AIypswOisUPlL538E3dpIWsHU/7H1c3+bEXXDFarP3Y5tjWltMRgKoPZUFlcRk
2yoVpOjDVkDvMTTu62Yn+Le6oYqoYQYzZ4e5incAR/v7sI76yPo1w+JN3BWBKPab
DN6h7Bdr8uzMISvxrRpCNDaU9n9GwA6ylJWvtFKjQZ6IDORVsa1tP44cndm6zAt6
Oq11bUDFSJLHiDtxjp0vJFa/4mq5Ay0G10xM/EI8Wf+Tiam/r3ytoBGnNYj1ENp8
AQkSxVF4cCORjQAokg+eUYCOzErJqpOx0ACx1SvuRvG4qcQ55ChYxs9zjnlCII2x
7JeUM/gjy0FnalxWWDX+cQ
-> ssh-ed25519 /vwQcQ bdzz3o+erI4c7ReafjhMYBgpebcJVcdB5vWK7cQ05Cs
3rVELKWfeiBksMzmm9XLmEgzdEASxSKcYJOpDQd7A+w
-> ssh-ed25519 0R97PA 4k2mZBQJTYhbjdzpxDuNw405iNxd96hVSMwzas/D3nU
neRy8ca2SguOJJQxalbPaq5SUH4taH+XxzkU/o/GVig
-> ssh-ed25519 JGx7Ng BlMr9FS9vuC1wnvDBAqEMJWzyuqoMqoU7YiFC9633xo
Xhvn+luDLE7AFbvgJs6V9cyRh8aJ2JrZfpVvXJhclu4
-> ssh-ed25519 5SY7Kg NkkDnN0z+2EzqpEdypnM7AROjjGVzoEvHfzaVbsyDiE
qbFUDBx4ghp9TG9YfjGjDXt35go0pMq0HH9GE+WT4v8
-> ssh-ed25519 p/Mg4Q rC/DrdXDUDWhbM7LMfQR203JClF/12o4rxJeGs+4rXY
Aj3P3skTbMvt2qN/FPSq97D1QwtHlKvFd4CsoujV2JI
-> ssh-ed25519 rHotTw 5IBV+q7+F7vNs5Tsx0S+ZEstiqoAaH1x78i/vAwrwDw
f729cEfMo/ozygHiRcNXmn8G+M+B68cM48ji7N6VgmY
--- TWScQDjdR4g/2v5oirYJgQw4zhhuMnmfvXtrigwmZC4
é°1ØLÅÄßán`Îq^ˆîÚ<C3AE>ï³Q²,ðT«Ó)Lñ aü„22 6M•¿Éú½Ü~4<E280BA>(~e±Y"´M·×!Žp!ÊU<ÖÜŒ<C592>Â;mn§`,öP6*&}HPM‡I¶ºòïH
Ûôï× Ãmõ<6D>‡ m£<6D>dGΠ߆ß÷T¥?G<>É»/

View file

@ -0,0 +1,148 @@
{ pkgs, config, ... }:
let
settingsFormat = pkgs.formats.toml { };
dataDir = "/data/slow/tvix-store";
store-config = {
composition = {
blobservices.default = {
type = "objectstore";
object_store_url = "file://${dataDir}/blob.objectstore";
object_store_options = { };
};
directoryservices = {
sled = {
type = "sled";
is_temporary = false;
path = "${dataDir}/directory.sled";
};
object = {
type = "objectstore";
object_store_url = "file://${dataDir}/directory.objectstore";
object_store_options = { };
};
};
pathinfoservices = {
infra = {
type = "sled";
is_temporary = false;
path = "${dataDir}/pathinfo.sled";
};
infra-signing = {
type = "keyfile-signing";
inner = "infra";
keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
};
};
};
endpoints = {
"127.0.0.1:8056" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "object";
path_info_service = "infra";
};
"127.0.0.1:8058" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "object";
path_info_service = "infra-signing";
};
# Add grpc for management and because it is nice
"127.0.0.1:8057" = {
endpoint_type = "Grpc";
blob_service = "default";
directory_service = "object";
path_info_service = "infra";
};
};
};
systemdHardening = {
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;
RestrictSUIDSGID = true;
ProtectSystem = "strict";
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateUsers = true;
ProtectHome = true;
UMask = "0077";
RuntimeDirectoryMode = "0750";
StateDirectoryMode = "0750";
};
toml = {
composition = settingsFormat.generate "composition.toml" store-config.composition;
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
};
package = pkgs.callPackage ./package { };
in
{
age-secrets.autoMatch = [
"tvix-store"
"nginx"
];
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/infra/" = {
proxyPass = "http://127.0.0.1:8056/";
extraConfig = ''
client_max_body_size 50G;
limit_except GET {
auth_basic "Password required";
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
}
'';
};
"/infra-signing/" = {
proxyPass = "http://127.0.0.1:8058/";
extraConfig = ''
client_max_body_size 50G;
auth_basic "Password required";
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
'';
};
"/.well-known/nix-signing-keys/" = {
alias = "${./pubkeys}/";
extraConfig = "autoindex on;";
};
};
};
# TODO add tvix-store cli here
# environment.systemPackages = [ ];
users.users.tvix-store = {
isSystemUser = true;
group = "tvix-store";
};
users.groups.tvix-store = { };
systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
systemd.services."tvix-store" = {
wantedBy = [ "multi-user.target" ];
environment = {
RUST_LOG = "debug";
};
serviceConfig = {
UMask = "007";
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
StateDirectory = "tvix-store";
RuntimeDirectory = "tvix-store";
User = "tvix-store";
Group = "tvix-store";
ReadWritePaths = [ dataDir ];
} // systemdHardening;
};
networking.firewall.allowedTCPPorts = [
80
443
];
}
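Review bot: the tmpfiles rule creates `${dataDir}` as `770 tvix-castore tvix-castore`, but the service runs as `User = "tvix-store"` / `Group = "tvix-store"` (the user and group declared just above), so unless a `tvix-castore` user exists and `tvix-store` is a member of that group, the service cannot write its blob and sled stores no matter what `ReadWritePaths` says; the owner should be `tvix-store tvix-store`. Two smaller points: `serviceConfig = { UMask = "007"; ... } // systemdHardening` lets the right-hand `UMask = "0077"` win silently, so keep only one; and `RUST_LOG = "debug"` on a service whose `/infra/` `GET` path is publicly reachable will log every request at high volume, so `warn` (as set for atticd in this change set) is the production value.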

File diff suppressed because it is too large

View file

@ -0,0 +1,45 @@
{
fetchgit,
rustPlatform,
protobuf,
runCommand,
}:
let
tvix-hash = "sha256-KNl+Lv0aMqSFVFt6p/GdmNDddzccW4wKfZB7W6Gv5F0=";
tvix-src = fetchgit {
name = "tvix";
url = "https://git.dgnum.eu/mdebray/tvl-depot";
rev = "920b7118d5b0917e426367107f7b7b66089a8d7b";
hash = tvix-hash;
};
protos = runCommand "tvix-protos" { } ''
mkdir $out
cd ${tvix-src}/tvix #remove tvix maybe
find . -name '*.proto' -exec install -D {} $out/{} \;
'';
in
rustPlatform.buildRustPackage rec {
pname = "multitenant-binary-cache";
version = "0.1.0";
src = fetchgit {
url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
rev = "0d7d4cf66242facecba485b1085e285e8d46c038";
hash = "sha256-IU3OS3ePJeBNiY8HbhoYW5b03Nq8BJ4AWe+bGv4dAuw=";
};
PROTO_ROOT = protos;
nativeBuildInputs = [ protobuf ];
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {
"nar-bridge-0.1.0" = tvix-hash;
};
};
cargoHash = "";
meta = { };
}
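Review bot: `cargoHash = ""` next to `cargoLock` is dead configuration: when `cargoLock.lockFile` is given, `buildRustPackage` vendors dependencies from the lock file and does not use `cargoHash`, so the empty string only confuses the next reader; remove it. `meta = { }` leaves a deployed package without license or description, and the `#remove tvix maybe` comment in the `protos` derivation should be resolved or turned into a TODO with its reason, since the `find` runs from inside `${tvix-src}/tvix` and the resulting `$out` layout depends on that `cd`.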

View file

@ -0,0 +1 @@
infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=

View file

@ -3,22 +3,20 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-fail2ban"
];
enabledServices = [
# List of services to enable
"k-radius"
"networking"
"ups"
"ulogd"
];
extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true;
dgn-hardware.useBcachefs = true;
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 ];
};
root = ./.;
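Review bot: opening only TCP 80 with `services.nginx.enable = true` serves the ACME HTTP-01 challenge for the k-radius vhost and nothing else, which is the minimal exposure; since that vhost defines no locations, do not add 443 later. The RADIUS listeners (UDP 1812/1813) are not opened here either, so they must come from the service module or another firewall rule; a comment saying so would stop the next person from "fixing" the apparently missing 443.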

View file

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, ... }:
{
imports = [ ./module.nix ];
@ -6,6 +6,15 @@
services.k-radius = {
enable = true;
domain = "radius.dgnum.eu";
radiusClients = {
ap = {
ipaddr = "0.0.0.0/0";
secret = config.age.secrets."radius-ap-radius-secret_file".path;
};
};
settings = {
# URL to the Kanidm server
uri = "https://sso.dgnum.eu";
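Review bot: `ipaddr = "0.0.0.0/0"` makes every IPv4 source a valid RADIUS client for the `ap` entry, so the shared secret is the only thing between the internet and the authentication backend; RADIUS's MD5-based authenticators allow offline guessing of a secret from captured Access-Request/Access-Accept pairs, and because the module writes `proto = *` for each client the same secret is accepted over TCP too. Restrict `ipaddr` to the network the access points actually use (or the VPN range they reach the server through) and keep UDP 1812 firewalled to that range; a `0.0.0.0/0` client should at most be a short-lived testing entry with a comment saying so.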
@ -40,18 +49,6 @@
};
authTokenFile = config.age.secrets."radius-auth_token_file".path;
privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;
certs = builtins.listToAttrs (
builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [
"ca"
"cert"
"dh"
"key"
]
);
radiusClients = { };
};
age-secrets.autoMatch = [ "radius" ];
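Review bot: removing the `certs` mapping drops the agenix-provided `ca`, `cert`, `dh` and `key` PEM files in favour of the ACME-issued ones the module now copies from the acme directory, so the `radius-ca_pem_file`, `radius-cert_pem_file`, `radius-dh_pem_file` and `radius-key_pem_file` secrets are unused and should be removed from the secrets list. `privateKeyPasswordFile` is kept at line 49, but the module shown in this change set declares no such option (and Let's Encrypt keys are unencrypted), so either the option still exists elsewhere or this line now fails evaluation; worth checking before merge.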

View file

@ -0,0 +1,259 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
attrsToList
getExe'
imap0
mapAttrsToList
mkEnableOption
mkIf
mkOption
optionalString
;
inherit (lib.types)
attrsOf
bool
enum
package
path
str
submodule
;
settingsFormat = pkgs.formats.toml { };
pykanidm = pkgs.python3.pkgs.callPackage ./packages/pykanidm.nix { };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
acmeDirectory = config.security.acme.certs.${cfg.domain}.directory;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
domain = mkOption {
type = str;
description = "The domain used for the RADIUS server.";
};
raddb = mkOption {
type = path;
default = "/var/lib/radius/raddb/";
description = "The location of the raddb directory.";
};
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = path;
description = "File to the auth token for the service account.";
};
extra-mods = mkOption {
type = attrsOf path;
default = { };
description = "Additional files to be linked in mods-enabled.";
};
extra-sites = mkOption {
type = attrsOf path;
default = { };
description = "Additional files to be linked in sites-enabled.";
};
dictionary = mkOption {
type = attrsOf (enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]);
default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
};
radiusClients = mkOption {
type = attrsOf (submodule {
options = {
secret = mkOption { type = path; };
ipaddr = mkOption { type = str; };
};
});
default = { };
description = "A mapping of clients and their authentication tokens.";
};
checkConfiguration = mkOption {
type = bool;
description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false;
};
};
config = mkIf cfg.enable {
# Certificate setup
services.nginx.virtualHosts.${cfg.domain} = {
http2 = false;
enableACME = true;
forceSSL = true;
};
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"acme-finished-${cfg.domain}.target"
];
wants = [ "network.target" ];
startLimitIntervalSec = 20;
startLimitBurst = 5;
preStart = ''
raddb=${cfg.raddb}
# Recreate the configuration directory
rm -rf $raddb && mkdir -p $raddb
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* $raddb
cp -R --no-preserve=mode ${rlm_python}/etc/raddb/* $raddb
chmod -R u+w $raddb
# disable auth via methods kanidm doesn't support
rm $raddb/mods-available/sql
rm $raddb/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf $raddb/mods-available/python3 $raddb/mods-enabled/python3
ln -nsf $raddb/sites-available/check-eap-tls $raddb/sites-enabled/check-eap-tls
# write the clients configuration
> $raddb/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> $raddb/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf $raddb/certs && mkdir -p $raddb/certs
cp ${acmeDirectory}/chain.pem $raddb/certs/ca.pem
${lib.getExe pkgs.openssl} rehash $raddb/certs
# Recreate the dh.pem file
${lib.getExe pkgs.openssl} dhparam -in $raddb/certs/ca.pem -out $raddb/certs/dh.pem 2048
cp ${acmeDirectory}/full.pem $raddb/certs/server.pem
# Link the dictionary
ln -nsf ${
pkgs.writeText "radius-dictionary" (
builtins.concatStringsSep "\n" (
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
attrsToList cfg.dictionary
)
)
)
} $raddb/dictionary
# Link extra-mods
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/mods-enabled/${name}") cfg.extra-mods
)}
# Link extra-sites
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/sites-enabled/${name}") cfg.extra-sites
)}
# Check the configuration
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d $raddb -l stdout"}
'';
path = [
pkgs.openssl
pkgs.gnused
];
environment = {
KANIDM_RLM_CONFIG = "/var/lib/radius/kanidm.toml";
PYTHONPATH = rlm_python.pythonPath;
};
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d /var/lib/radius/raddb -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d /var/lib/radius/raddb -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
DynamicUser = true;
Group = "radius";
LogsDirectory = "radius";
ReadOnlyPaths = [ acmeDirectory ];
Restart = "on-failure";
RestartSec = 2;
RuntimeDirectory = "radius";
StateDirectory = "radius";
SupplementaryGroups = [ "nginx" ];
User = "radius";
};
};
};
}
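Review bot: `ExecStart` runs `radiusd -X`, FreeRADIUS's debugging mode: single-threaded, with full request and attribute dumps (including `User-Password` for PAP and the MS-CHAP challenge/response material) written to stdout and therefore to the journal; for a deployed server use `-f -l stdout` and reserve `-X` for debugging alongside `checkConfiguration`. The same `ExecStart` and `ExecReload` hard-code `/var/lib/radius/raddb` although `preStart` builds the tree at `${cfg.raddb}`, and `checkConfiguration` invokes `pkgs.freeradius` rather than `cfg.freeradius`, so both drift as soon as someone changes the option (the `freeradius` default also references `ps.kanidm` while this file builds its own `pykanidm`; use the local package). Two points in `preStart`: `openssl dhparam -in $raddb/certs/ca.pem -out $raddb/certs/dh.pem 2048` generates fresh 2048-bit parameters on every start (`-in` is ignored when a bit size is given), which can take minutes and delays every restart, so generate once into the state directory and reuse. And `chain.pem` is installed as `certs/ca.pem`, the file FreeRADIUS uses as the trust anchor for EAP-TLS client certificates; with the public Let's Encrypt chain there, any LE-issued certificate passes chain validation as a client if EAP-TLS is reachable, so confirm EAP-TLS is disabled or that the enabled `check-eap-tls` site rejects anything not in the identity store.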

View file

@ -1,13 +1,13 @@
diff --git a/rlm_python/mods-available/python3 b/rlm_python/mods-available/python3
diff --git a/mods-available/python3 b/mods-available/python3
index 978536f8a..90c71fca0 100644
--- a/rlm_python/mods-available/python3
+++ b/rlm_python/mods-available/python3
--- a/mods-available/python3
+++ b/mods-available/python3
@@ -13,7 +13,7 @@ python3 {
# item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path.
#
- python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/"
+ python_path="@kanidm_python@:/etc/raddb/mods-config/python3/"
+ python_path="@pythonPath@:/etc/raddb/mods-config/python3/"
module = "kanidm.radius"
# python_path = ${modconfdir}/${.:name}
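Review bot: the hunk carries two `+` lines for `python_path`, one with `@kanidm_python@` and one with `@pythonPath@`, against a single `-` line, and the `-13,7 +13,7` header only accounts for one of them; the `rlm_python` derivation below passes `inherit pythonPath` to `substituteAll`, so only `@pythonPath@` will be replaced and a surviving `@kanidm_python@` line would reach the running config as a literal, unreadable path. Keep just `python_path="@pythonPath@:/etc/raddb/mods-config/python3/"` in `01-python_path.patch` so the line count in the header is right again.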


@ -0,0 +1,43 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
poetry-core,
aiohttp,
authlib,
pydantic,
toml,
}:
buildPythonPackage rec {
pname = "kanidm";
version = "1.1.0-rc.16";
pyproject = true;
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-NH9V5KKI9LAtJ2/WuWtUJUzkjVMfO7Q5NQkK7Ys2olU=";
};
sourceRoot = "source/pykanidm";
build-system = [ poetry-core ];
dependencies = [
aiohttp
authlib
pydantic
toml
];
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm: A simple, secure and fast identity management platform";
homepage = "https://github.com/kanidm/kanidm";
license = licenses.mpl20;
maintainers = with maintainers; [ thubrecht ];
};
}
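Review bot: `src` (same `owner`, `repo`, `rev = "v${version}"` and hash) is repeated verbatim in the `rlm_python` derivation further down; the FreeRADIUS module and the `kanidm` Python package have to stay at the same version, so fetch the source once here and let the other derivation `inherit (pykanidm) src version` instead of maintaining two copies of the hash. Style nit: nixpkgs convention is for `meta.description` not to start with the package name, so "Simple, secure and fast identity management platform" rather than the "Kanidm: ..." form.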


@ -0,0 +1,47 @@
{
stdenv,
fetchFromGitHub,
substituteAll,
python3,
pykanidm,
}:
let
pythonPath = python3.pkgs.makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.16";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-NH9V5KKI9LAtJ2/WuWtUJUzkjVMfO7Q5NQkK7Ys2olU=";
};
sourceRoot = "source/rlm_python";
patches = [
(substituteAll {
src = ./01-python_path.patch;
inherit pythonPath;
})
];
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R mods-available sites-available $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
}
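Review bot: overriding `phases = [ "unpackPhase" "patchPhase" "installPhase" ]` is the discouraged way to skip build steps in nixpkgs, since it also silently drops `fixupPhase` and any hooks; the idiomatic form is `dontConfigure = true; dontBuild = true;` with the default phase list kept. The derivation also has no `meta` (license and description are available from the `pykanidm` expression above), and `version` plus the `src` hash duplicate that expression, so `inherit (pykanidm) src version;` keeps the two from drifting apart. The `python3` argument is only used for `makePythonPath`, which is fine, but worth a comment since the package itself ships no Python code.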


@ -0,0 +1,253 @@
{
pkgs,
lib,
meta,
name,
...
}:
let
inherit (lib) mapAttrs' nameValuePair;
uplink = {
ip = "10.120.33.250";
prefix = 30;
router = "10.120.33.249";
};
mkNetwork =
name:
{
address ? [ ],
extraNetwork ? { },
...
}:
nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork);
mkNetdev =
name:
{ Id, ... }:
nameValuePair "10-${name}" {
netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = Id;
};
mkUserVlan =
{
vlan,
netIP,
servIP,
interfaceName,
...
}:
{
name = interfaceName;
value = {
Id = vlan;
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
DHCPServer = "yes";
};
linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/27";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "${netIP}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
};
}
];
};
};
};
userVlans = builtins.genList (id: rec {
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
}) 850;
vlans = {
vlan-uplink-cri = {
Id = 223;
address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
extraNetwork.routes = [
{
routeConfig = {
# Get the public ip from the metadata
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
Gateway = uplink.router;
};
}
];
};
vlan-admin = {
Id = 3000;
address = [ "fd26:baf9:d250:8000::1/64" ];
};
vlan-admin-ap = {
Id = 3001;
address = [ "fd26:baf9:d250:8001::1/64" ];
extraNetwork.ipv6Prefixes = [
{
ipv6PrefixConfig = {
AddressAutoconfiguration = false;
OnLink = false;
Prefix = "fd26:baf9:d250:8001::/64";
};
}
];
};
vlan-apro = {
Id = 2000;
address = [ "10.0.255.1/24" ];
extraNetwork.networkConfig.DHCPServer = "yes";
};
} // builtins.listToAttrs (map mkUserVlan userVlans);
in
{
systemd = {
network = {
config.routeTables."user" = 1000;
networks = {
"10-lo" = {
name = "lo";
address = [
"::1/128"
"127.0.0.1/8"
"10.0.0.1/27"
];
routes = [
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
};
systemd-networkd.serviceConfig.LimitNOFILE = 4096;
net-checker = {
path = [
pkgs.iputils
pkgs.systemd
];
script = ''
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
${
lib.concatMapStringsSep "\n " ({ interfaceName, ... }: "networkctl up ${interfaceName}") userVlans
}
else
${
lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans
}
fi
'';
};
};
timers.net-checker = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "*-*-* *:*:42";
};
};
networking = {
nftables = {
enable = true;
tables.nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ether saddr 5c:64:8e:f4:09:06 snat ip to 129.199.195.130-129.199.195.158
}
'';
};
};
firewall = {
allowedUDPPorts = [ 67 ];
checkReversePath = false;
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
}
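Review bot: the `postrouting` chain only translates packets whose Ethernet source is `5c:64:8e:f4:09:06`, while `net.ipv4.ip_forward` is enabled and `checkReversePath = false` turns rp_filter off; unless a forward-chain policy defined elsewhere in the configuration drops it, traffic from every other `10.0.0.0/16` host routed toward `vlan-uplink-cri` leaves with an untranslated private source address, and spoofed source addresses on the user VLANs are no longer rejected by the kernel. If the MAC match is a deliberate test gate, add a `forward` chain in the same table that drops `10.0.0.0/16` traffic destined for the uplink unless it was translated, and note the MAC pin in a comment so it is not forgotten once testing ends. Second point, `net-checker`: the timer fires every minute and the script brings all 850 user VLANs down the moment one `ping -c 1` to each of 8.8.8.8 and 1.1.1.1 fails, so a single lost packet takes the whole user network offline for at least a minute; require several consecutive failures (or at least `ping -c 3 -W 2`) before running `networkctl down`, and consider `networkctl up` unconditionally on the first successful check after boot so a transient upstream outage at start does not leave the VLANs down.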

Some files were not shown because too many files have changed in this diff.