
1 commit

d3caba1503 chore(npins): Update 2024-04-03 13:26:57 +00:00
159 changed files with 1719 additions and 8974 deletions


@ -1,8 +1,5 @@
name: Check meta name: Check meta
on: on:
pull_request:
branches:
- main
push: push:
paths: paths:
- 'meta/*' - 'meta/*'
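Review bot: With the `pull_request` block gone, `push` filtered on `paths: 'meta/*'` is the only trigger left, so a metadata change proposed from a fork is presumably not checked until it already sits on a branch of this repository. The lint workflow further down in this compare narrows `on: [push, pull_request]` to `on: push` in the same way. If outside contributions are expected, keep a `pull_request:` trigger on both workflows; if not, a one-line comment such as `# only branches of this repository are checked` would record that the gap is deliberate.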


@ -1,7 +1,8 @@
name: ds-fr update name: ds-fr update
on: on:
schedule: schedule:
- cron: "26 18 * * wed" # Run at 8 o'clock every day
- cron: "26 18 * * *"
jobs: jobs:
npins_update: npins_update:
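Review bot: The comment `# Run at 8 o'clock every day` disagrees with the expression `26 18 * * *` shown with it in this hunk: minute 26 of hour 18 is 18:26 in the scheduler's timezone, not 8 o'clock. Assuming both lines belong to the new side (the line counts in the hunk header suggest so), the comment should state the real schedule, e.g. `# Run every day at 18:26 (scheduler time)`. The job body continues outside the hunk.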


@ -68,201 +68,3 @@ jobs:
run: | run: |
# Enter the shell # Enter the shell
nix-shell --run 'colmena build --on rescue01' nix-shell --run 'colmena build --on rescue01'
build_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo01
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo01'
build_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build geo02
run: |
# Enter the shell
nix-shell --run 'colmena build --on geo02'
build_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build bridge01
run: |
# Enter the shell
nix-shell --run 'colmena build --on bridge01'
push_to_cache_compute01:
runs-on: nix
needs:
- build_compute01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "compute01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: uploaded.txt
push_to_cache_storage01:
runs-on: nix
needs:
- build_storage01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "storage01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: uploaded.txt
push_to_cache_rescue01:
runs-on: nix
needs:
- build_rescue01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "rescue01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: uploaded.txt
push_to_cache_geo01:
runs-on: nix
needs:
- build_geo01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: uploaded.txt
push_to_cache_geo02:
runs-on: nix
needs:
- build_geo02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "geo02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: uploaded.txt
push_to_cache_web01:
runs-on: nix
needs:
- build_web01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: uploaded.txt
push_to_cache_web02:
runs-on: nix
needs:
- build_web02
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "web02" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt
push_to_cache_bridge01:
runs-on: nix
needs:
- build_bridge01
steps:
- uses: actions/checkout@v3
- name: Push to cache
run: nix-shell --run push-to-nix-cache
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
NODES: '[ "bridge01" ]'
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: uploaded.txt


@ -1,5 +1,5 @@
name: lint name: lint
on: [push, pull_request] on: push
jobs: jobs:
check: check:
@ -8,4 +8,4 @@ jobs:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Run pre-commit on all files - name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./. run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.


@ -3,102 +3,6 @@
The dgnum infrastructure. The dgnum infrastructure.
# Contributing # Contributing
Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
You're expected to read this document before commiting to the repo.
Some documentation for the development tools are provided in the aforementioned file. Some documentation for the development tools are provided in the aforementioned file.
# Adding a new machine
The first step is to create a minimal viable NixOS host, using tha means necessary.
The second step is to find a name for this host, it must be unique from the other hosts.
> [!TIP]
> For the rest of this part, we assume that the host is named `host02`
## Download the keys
The public SSH keys of `host02` have to be saved to `keys/machines/host02.keys`, preferably only the `ssh-ed25519` one.
It can be retreived with :
```bash
ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
```
## Initialize the machine folder and configuration
- Create a folder `host02` under `machines/`
- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
```nix
{ lib, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
];
extraConfig = {
services.netbird.enable = true;
};
root = ./.;
}
```
## Fill in the metadata
### Network configuration
The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
```bash
head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
```
### Other details
The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
- `site`, where the node is physically located
- `stateVersion`
- `nixpkgs`, the nixpkgs version to use
## Initialize secrets
Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
```nix
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "host02"; } [ ]
```
This will be used for future secret management.
## Update encrypted files
Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
```bash
agenix -r
```
## Commit and create a PR
Once all of this is done, check that the configuration builds correctly :
```bash
colmena build --on host02
```
Apply it, and create a Pull Request.


@ -34,36 +34,26 @@
termes. termes.
*/ */
{
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
}:
let let
git-checks = (import (builtins.storePath sources.git-hooks)).run { sources = import ./npins;
pkgs = import sources.nixpkgs { };
pre-commit-check = (import sources.pre-commit-hooks).run {
src = ./.; src = ./.;
hooks = { hooks = {
statix = { # Nix Hooks
statix.enable = true;
deadnix.enable = true;
rfc101 = {
enable = true; enable = true;
stages = [ "pre-push" ];
settings.ignore = [ name = "RFC-101 formatting";
"lon.nix" entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
"**/npins" files = "\\.nix$";
];
};
deadnix = {
enable = true;
stages = [ "pre-push" ];
};
nixfmt-rfc-style = {
enable = true;
stages = [ "pre-push" ];
}; };
# Misc Hooks
commitizen.enable = true; commitizen.enable = true;
}; };
}; };
@ -80,22 +70,22 @@ in
default = pkgs.mkShell { default = pkgs.mkShell {
name = "dgnum-infra"; name = "dgnum-infra";
packages = [ packages =
(pkgs.nixos-generators.overrideAttrs (_: { (
version = "1.8.0-unstable"; with pkgs;
src = builtins.storePath sources.nixos-generators; [
})) npins
pkgs.attic-client nixos-generators
pkgs.npins ]
++ (builtins.map (p: callPackage p { }) [
(pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; }) (sources.disko + "/package.nix")
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { }) ./lib/colmena
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { }) ])
)
] ++ (import ./scripts { inherit pkgs; }); ++ (import ./scripts { inherit pkgs; });
shellHook = '' shellHook = ''
${git-checks.shellHook} ${pre-commit-check.shellHook}
''; '';
preferLocalBuild = true; preferLocalBuild = true;
@ -105,7 +95,7 @@ in
name = "pre-commit-shell"; name = "pre-commit-shell";
shellHook = '' shellHook = ''
${git-checks.shellHook} ${pre-commit-check.shellHook}
''; '';
}; };
}; };


@ -16,99 +16,62 @@ let
]; ];
}; };
nixpkgs' = import ./meta/nixpkgs.nix; mkNixpkgs =
# All supported nixpkgs versions, instanciated node:
nixpkgs = lib.mapSingleFuse mkNixpkgs nixpkgs'.supported; patch.mkNixpkgsSrc rec {
# Get the configured nixos version for the node,
# defaulting to the one defined in meta/nixpkgs
version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
# Builds a patched version of nixpkgs, only as the source
mkNixpkgs' =
v:
let
version = "nixos-${v}";
in
patch.mkNixpkgsSrc {
src = sources.${version}; src = sources.${version};
inherit version; version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
}; };
# Instanciates the required nixpkgs version mkNixpkgs' = node: import (mkNixpkgs node) { };
mkNixpkgs = version: import (mkNixpkgs' version) { };
### ###
# Function to create arguments based on the node # Function to create arguments based on the node
# #
mkArgs = node: rec { mkArgs = node: rec {
lib = import sources.nix-lib { lib = import sources.nix-lib {
inherit (nixpkgs.${version node}) lib; inherit (mkNixpkgs' node) lib;
keysRoot = ./keys; keysRoot = ./keys;
}; };
meta = (import ./meta) lib; meta = (import ./meta) lib;
nodeMeta = meta.nodes.${node};
}; };
in in
# nodes = builtins.attrNames metadata.nodes;
{ {
meta = { meta = {
nodeNixpkgs = lib.mapSingleFuse (n: nixpkgs.${version n}) nodes; nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
specialArgs = { specialArgs = {
inherit nixpkgs sources; inherit sources;
}; };
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
}; };
defaults = defaults =
{ { meta, name, ... }:
pkgs,
name,
nodeMeta,
...
}:
{ {
# Import the default modules # Import the default modules
imports = [ imports = [ ./modules ];
./modules
(import "${sources.lix-module}/module.nix" {
lix = pkgs.applyPatches {
name = "lix-2.90.patched";
src = sources.lix;
patches = [ ./patches/00-disable-installChecks-lix.patch ];
};
})
];
# Include default secrets # Include default secrets
age-secrets.sources = [ ./machines/${name}/secrets ]; age-secrets.sources = [ (./machines + "/${name}/secrets") ];
# Deployment config is specified in meta.nodes.${node}.deployment # Deployment config is specified in meta.nodes.${node}.deployment
inherit (nodeMeta) deployment; inherit (meta.nodes.${name}) deployment;
nix = { # Set NIX_PATH to the patched version of nixpkgs
# Set NIX_PATH to the patched version of nixpkgs nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ]; nix.optimise.automatic = true;
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
# Allow unfree packages # Allow unfree packages
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Use the stateVersion declared in the metadata # Use the stateVersion declared in the metadata
system = { system = {
inherit (nodeMeta) stateVersion; inherit (meta.nodes.${name}) stateVersion;
}; };
}; };
} }
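Review bot: `mkNixpkgs' = node: import (mkNixpkgs node) { };` instantiates nixpkgs on every call, and the new side calls it twice per node, once in `mkArgs` via `inherit (mkNixpkgs' node) lib;` and once in `nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;`, so nodes that share a version no longer appear to share one evaluated package set. Binding the result once in the outer `let`, for example `nodePkgs = lib.mapSingleFuse mkNixpkgs' nodes;`, and reading `nodePkgs.${node}` in both places would avoid the repeated evaluation, provided the outer `lib` is in scope there. A short comment on `mkNixpkgs` and `mkNixpkgs'` saying which returns the patched source and which the imported set would also help, since the two names differ only by the prime. The `let` block starts outside the hunk.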


@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
NIXPKGS=$(nix-build --no-out-link nixpkgs.nix) NIXPKGS=$(nix-build nixpkgs.nix)
nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
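Review bot: Without `--no-out-link`, `nix-build nixpkgs.nix` leaves a `result` symlink in the current directory on every run; that symlink is registered as a GC root and is easy to commit by accident. The script only consumes the store path printed on stdout, so `NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)` gives the same value with a clean working tree. If the symlink is wanted as a GC root, a comment saying so and an ignore entry for `result` would make that explicit.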


@ -3,7 +3,7 @@
let let
dgn-lib = import ../lib { }; dgn-lib = import ../lib { };
dgn-members = (import ../meta lib).organization.groups.root; dgn-members = (import ../meta).members.groups.iso;
in in
{ {
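Review bot: `(import ../meta).members.groups.iso` selects an attribute directly from the result of `import ../meta`, while the new side of the hive file in this same compare still applies that import to a library first (`meta = (import ./meta) lib;`). If `meta/default.nix` is a function of `lib` on this branch, this line fails at evaluation because a function has no `members` attribute, and it would need to read `(import ../meta lib).members.groups.iso`. Since `dgn-members` presumably decides whose keys the installer image accepts, a comment naming who belongs to the `iso` group would be useful here. The expression continues outside the hunk.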


@ -1,6 +1,5 @@
let let
version = (import ../meta/nixpkgs.nix).default; inherit (import ../npins) nixpkgs;
nixpkgs = (import ../npins)."nixos-${version}";
in in
(import nixpkgs { }).srcOnly { (import nixpkgs { }).srcOnly {


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7


@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm
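Review bot: This `ssh-ed25519` key is replaced without any visible re-encryption of the secrets that depend on it, at least in this part of the compare. If the file is one of the machine keys read by `lib.getNodeKeys`, every age secret whose `publicKeys` contained the previous key has to be re-keyed with `agenix -r`, otherwise the host can no longer decrypt it after deployment. The new key should also be checked against the fingerprint reported by the host itself before merging, because whoever holds the matching private key becomes a recipient of those secrets.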


@ -1,20 +0,0 @@
{ lib, pkgs, ... }:
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
];
enabledServices = [
# List of services to enable
"network"
];
extraConfig = {
services.netbird.enable = true;
environment.systemPackages = [ pkgs.bcachefs-tools ];
};
root = ./.;
}


@ -1,53 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, pkgs, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"sd_mod"
"sr_mod"
];
};
kernelModules = [ "kvm-intel" ];
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems.bcachefs = true;
};
fileSystems = {
"/" = {
device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
fsType = "bcachefs";
options = [ "compression=zstd" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/4D0A-AF11";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
# networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
}


@ -1,79 +0,0 @@
_:
{
networking = {
useNetworkd = true;
useDHCP = false;
nftables.enable = true;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
networks = {
"10-eno1" = {
name = "eno1";
networkConfig = {
VLAN = [
"vlan-admin"
"vlan-uplink-oob"
];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
# address = [ "192.168.222.1/24" ];
};
"10-vlan-admin" = {
name = "vlan-admin";
# DHCP for the BMC
networkConfig.DHCPServer = "yes";
dhcpServerConfig = {
PoolOffset = 128;
EmitDNS = false;
EmitNTP = false;
EmitSIP = false;
EmitPOP3 = false;
EmitSMTP = false;
EmitLPR = false;
UplinkInterface = ":none";
};
address = [
"fd26:baf9:d250:8000::ffff/64"
"192.168.222.1/24"
];
};
"10-vlan-uplink-oob" = {
name = "vlan-uplink-oob";
networkConfig.DHCP = "ipv4";
};
};
netdevs = {
"10-vlan-admin" = {
netdevConfig = {
Name = "vlan-admin";
Kind = "vlan";
};
vlanConfig.Id = 3000;
};
"10-vlan-uplink-oob" = {
netdevConfig = {
Name = "vlan-uplink-oob";
Kind = "vlan";
};
vlanConfig.Id = 500;
};
};
};
}


@ -1,5 +0,0 @@
let
lib = import ../../../lib { };
in
lib.setDefault { publicKeys = lib.getNodeKeys "bridge01"; } [ ]


@ -4,33 +4,36 @@ lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-backups" "dgn-backups"
"dgn-fail2ban"
"dgn-web" "dgn-web"
]; ];
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"arkheon" "arkheon"
"signal-irc-bridge"
"ds-fr" "ds-fr"
"grafana" "grafana"
"hedgedoc" "hedgedoc"
"k-radius"
"kanidm" "kanidm"
"librenms" "librenms"
"mastodon" "mastodon"
"nextcloud" "nextcloud"
"outline" "outline"
"plausible"
"postgresql"
"rstudio-server" "rstudio-server"
"satosa" "satosa"
"signald"
"stirling-pdf"
"telegraf" "telegraf"
"vaultwarden" "vaultwarden"
"zammad" "zammad"
"signald"
]; ];
extraConfig = { extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
dgn-hardware.useZfs = true; dgn-hardware.useZfs = true;
services.netbird.enable = true; services.netbird.enable = true;


@ -3,7 +3,9 @@
stdenv, stdenv,
fetchFromGitHub, fetchFromGitHub,
git, git,
bun, fetchYarnDeps,
yarn,
fixup_yarn_lock,
nodejs, nodejs,
ruby_3_2, ruby_3_2,
bundlerEnv, bundlerEnv,
@ -16,7 +18,7 @@ let
inherit (lib) getExe; inherit (lib) getExe;
# Head of the DGNum repo # Head of the DGNum repo
dgn-id = "f270f1cdd09e643a9c666c94df1841234430de49"; dgn-id = "12e4a32ca5d909a90ca6f7e53081cc6b6b14c416";
pname = "ds-fr"; pname = "ds-fr";
meta = import ./meta.nix; meta = import ./meta.nix;
@ -48,46 +50,20 @@ let
}; };
}; };
node_modules = stdenv.mkDerivation {
pname = "${pname}-node_modules";
inherit src version;
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
"GIT_PROXY_COMMAND"
"SOCKS_SERVER"
];
nativeBuildInputs = [ bun ];
dontConfigure = true;
buildPhase = ''
bun install --no-progress --frozen-lockfile --ignore-scripts
rm -r node_modules/.cache
# Remove inconsistent file
rm node_modules/.bin/grunt
'';
installPhase = ''
mv node_modules $out
'';
dontFixup = true;
outputHash = meta.deps-hash or lib.fakeHash;
outputHashAlgo = "sha256";
outputHashMode = "recursive";
};
dsModules = stdenv.mkDerivation { dsModules = stdenv.mkDerivation {
pname = "${pname}-modules"; pname = "${pname}-modules";
inherit src version; inherit src version;
offlineCache = fetchYarnDeps {
yarnLock = "${src}/yarn.lock";
hash = meta.deps-hash;
};
buildInputs = [ rubyEnv ]; buildInputs = [ rubyEnv ];
nativeBuildInputs = [ nativeBuildInputs = [
bun fixup_yarn_lock
nodejs nodejs
yarn
rubyEnv.wrappedRuby rubyEnv.wrappedRuby
]; ];
@ -108,13 +84,18 @@ let
APP_HOST = "precompile_placeholder"; APP_HOST = "precompile_placeholder";
buildPhase = '' buildPhase = ''
cp -R ${node_modules} node_modules export HOME=$(mktemp -d)
chmod u+w -R node_modules yarn config --offline set yarn-offline-mirror $offlineCache
fixup_yarn_lock yarn.lock
yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
patchShebangs node_modules patchShebangs node_modules/
patchShebangs bin/ patchShebangs bin/
bin/rake assets:precompile bin/rake assets:precompile
yarn cache clean --offline
rm -rf node_modules/
''; '';
installPhase = '' installPhase = ''


@ -1,5 +1,5 @@
{ {
version = "2024-04-24-01"; version = "2024-04-02-03";
src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg="; src-hash = "sha256-32FXEoQb1W1Bqf7lNpt6ljEU9QIDZkE/+njsu4DKFFY=";
deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8="; deps-hash = "sha256-ZtZ1iqKHWGPR5+BDOtOvrpgdndfP5IiqrLkju96YAM4=";
} }


@ -23,10 +23,10 @@ gem 'chunky_png'
gem 'clamav-client', require: 'clamav/client' gem 'clamav-client', require: 'clamav/client'
gem 'daemons' gem 'daemons'
gem 'deep_cloneable' # Enable deep clone of active record models gem 'deep_cloneable' # Enable deep clone of active record models
gem 'delayed_cron_job', require: false # Cron jobs gem 'delayed_cron_job' # Cron jobs
gem 'delayed_job_active_record' gem 'delayed_job_active_record'
gem 'delayed_job_web' gem 'delayed_job_web'
gem 'devise' gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
gem 'devise-i18n' gem 'devise-i18n'
gem 'devise-two-factor' gem 'devise-two-factor'
gem 'discard' gem 'discard'
@ -91,7 +91,6 @@ gem 'sentry-ruby'
gem 'sentry-sidekiq' gem 'sentry-sidekiq'
gem 'sib-api-v3-sdk' gem 'sib-api-v3-sdk'
gem 'sidekiq' gem 'sidekiq'
gem 'sidekiq-cron'
gem 'skylight' gem 'skylight'
gem 'spreadsheet_architect' gem 'spreadsheet_architect'
gem 'strong_migrations' # lint database migrations gem 'strong_migrations' # lint database migrations
@ -103,10 +102,7 @@ gem 'view_component'
gem 'vite_rails' gem 'vite_rails'
gem 'warden' gem 'warden'
gem 'webrick', require: false gem 'webrick', require: false
gem 'yabeda-graphql'
gem 'yabeda-prometheus' gem 'yabeda-prometheus'
gem 'yabeda-puma-plugin'
gem 'yabeda-rails'
gem 'yabeda-sidekiq' gem 'yabeda-sidekiq'
gem 'zipline' gem 'zipline'
gem 'zxcvbn-ruby', require: 'zxcvbn' gem 'zxcvbn-ruby', require: 'zxcvbn'
@ -125,8 +121,6 @@ group :test do
gem 'selenium-devtools' gem 'selenium-devtools'
gem 'selenium-webdriver' gem 'selenium-webdriver'
gem 'shoulda-matchers', require: false gem 'shoulda-matchers', require: false
gem 'simplecov', require: false
gem 'simplecov-cobertura', require: false
gem 'timecop' gem 'timecop'
gem 'vcr' gem 'vcr'
gem 'webmock' gem 'webmock'
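Review bot: The `devise` line in the first hunk pins the gem to git commit `edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1`, and its own comment says `drop ref on next release: 4.9.4`, yet the side being replaced already resolves `devise (4.9.4)` from rubygems in the lock file. The new side therefore moves the authentication library from a tagged release back to an unreleased commit that the lock file reports as `devise (4.9.3)`. Unless that is intended, the line should stay `gem 'devise'` with the lock file left at 4.9.4. The lock file section that follows also lowers `rack`, `nokogiri` and `jwt`, so the release notes of the versions being skipped are worth checking for security fixes before this is merged.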


@ -6,6 +6,18 @@ GIT
json (>= 2.5) json (>= 2.5)
sidekiq (~> 7.0) sidekiq (~> 7.0)
GIT
remote: https://github.com/heartcombo/devise.git
revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
specs:
devise (4.9.3)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
GEM GEM
remote: https://rubygems.org/ remote: https://rubygems.org/
specs: specs:
@ -136,7 +148,7 @@ GEM
erubi (~> 1.4) erubi (~> 1.4)
parser (>= 2.4) parser (>= 2.4)
smart_properties smart_properties
bigdecimal (3.1.7) bigdecimal (3.1.6)
bindata (2.5.0) bindata (2.5.0)
bindex (0.8.1) bindex (0.8.1)
bootsnap (1.18.3) bootsnap (1.18.3)
@ -168,7 +180,7 @@ GEM
nokogiri (~> 1.10, >= 1.10.4) nokogiri (~> 1.10, >= 1.10.4)
rubyzip (>= 1.3.0, < 3) rubyzip (>= 1.3.0, < 3)
charlock_holmes (0.7.7) charlock_holmes (0.7.7)
chartkick (5.0.6) chartkick (5.0.5)
choice (0.2.0) choice (0.2.0)
chunky_png (1.4.0) chunky_png (1.4.0)
clamav-client (3.2.0) clamav-client (3.2.0)
@ -201,12 +213,6 @@ GEM
sinatra (>= 1.4.4) sinatra (>= 1.4.4)
descendants_tracker (0.0.4) descendants_tracker (0.0.4)
thread_safe (~> 0.3, >= 0.3.1) thread_safe (~> 0.3, >= 0.3.1)
devise (4.9.4)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
devise-i18n (1.12.0) devise-i18n (1.12.0)
devise (>= 4.9.0) devise (>= 4.9.0)
devise-two-factor (5.0.0) devise-two-factor (5.0.0)
@ -217,7 +223,6 @@ GEM
diff-lcs (1.5.1) diff-lcs (1.5.1)
discard (1.3.0) discard (1.3.0)
activerecord (>= 4.2, < 8) activerecord (>= 4.2, < 8)
docile (1.4.0)
dotenv (2.8.1) dotenv (2.8.1)
dotenv-rails (2.8.1) dotenv-rails (2.8.1)
dotenv (= 2.8.1) dotenv (= 2.8.1)
@ -235,7 +240,7 @@ GEM
email_validator (2.2.4) email_validator (2.2.4)
activemodel activemodel
erubi (1.12.0) erubi (1.12.0)
et-orbi (1.2.11) et-orbi (1.2.7)
tzinfo tzinfo
ethon (0.16.0) ethon (0.16.0)
ffi (>= 1.15.0) ffi (>= 1.15.0)
@ -278,7 +283,7 @@ GEM
fog-core (~> 2.1) fog-core (~> 2.1)
fog-json (>= 1.0) fog-json (>= 1.0)
formatador (1.1.0) formatador (1.1.0)
fugit (1.10.1) fugit (1.9.0)
et-orbi (~> 1, >= 1.2.7) et-orbi (~> 1, >= 1.2.7)
raabro (~> 1.4) raabro (~> 1.4)
geo_coord (0.2.0) geo_coord (0.2.0)
@ -350,7 +355,7 @@ GEM
invisible_captcha (2.2.0) invisible_captcha (2.2.0)
rails (>= 5.2) rails (>= 5.2)
io-console (0.7.2) io-console (0.7.2)
irb (1.12.0) irb (1.11.2)
rdoc rdoc
reline (>= 0.4.2) reline (>= 0.4.2)
job-iteration (1.4.1) job-iteration (1.4.1)
@ -359,7 +364,7 @@ GEM
rails-dom-testing (>= 1, < 3) rails-dom-testing (>= 1, < 3)
railties (>= 4.2.0) railties (>= 4.2.0)
thor (>= 0.14, < 2.0) thor (>= 0.14, < 2.0)
json (2.7.2) json (2.7.1)
json-jwt (1.16.6) json-jwt (1.16.6)
activesupport (>= 4.2) activesupport (>= 4.2)
aes_key_wrap aes_key_wrap
@ -367,15 +372,12 @@ GEM
bindata bindata
faraday (~> 2.0) faraday (~> 2.0)
faraday-follow_redirects faraday-follow_redirects
json_schemer (2.2.1) json_schemer (2.1.1)
base64
bigdecimal
hana (~> 1.3) hana (~> 1.3)
regexp_parser (~> 2.0) regexp_parser (~> 2.0)
simpleidn (~> 0.2) simpleidn (~> 0.2)
jsonapi-renderer (0.2.2) jsonapi-renderer (0.2.2)
jwt (2.8.1) jwt (2.7.1)
base64
kaminari (1.2.2) kaminari (1.2.2)
activesupport (>= 4.1.0) activesupport (>= 4.1.0)
kaminari-actionview (= 1.2.2) kaminari-actionview (= 1.2.2)
@ -402,7 +404,7 @@ GEM
letter_opener (~> 1.7) letter_opener (~> 1.7)
railties (>= 5.2) railties (>= 5.2)
rexml rexml
listen (3.9.0) listen (3.8.0)
rb-fsevent (~> 0.10, >= 0.10.3) rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10) rb-inotify (~> 0.9, >= 0.9.10)
lograge (0.14.0) lograge (0.14.0)
@ -419,7 +421,7 @@ GEM
net-imap net-imap
net-pop net-pop
net-smtp net-smtp
maintenance_tasks (2.7.0) maintenance_tasks (2.6.0)
actionpack (>= 6.0) actionpack (>= 6.0)
activejob (>= 6.0) activejob (>= 6.0)
activerecord (>= 6.0) activerecord (>= 6.0)
@ -429,7 +431,7 @@ GEM
marcel (1.0.2) marcel (1.0.2)
matrix (0.4.2) matrix (0.4.2)
memory_profiler (1.0.1) memory_profiler (1.0.1)
method_source (1.1.0) method_source (1.0.0)
mime-types (3.5.2) mime-types (3.5.2)
mime-types-data (~> 3.2015) mime-types-data (~> 3.2015)
mime-types-data (3.2024.0206) mime-types-data (3.2024.0206)
@ -437,8 +439,8 @@ GEM
rake rake
mini_magick (4.12.0) mini_magick (4.12.0)
mini_mime (1.1.5) mini_mime (1.1.5)
mini_portile2 (2.8.6) mini_portile2 (2.8.5)
minitest (5.22.3) minitest (5.22.2)
msgpack (1.7.2) msgpack (1.7.2)
multi_json (1.15.0) multi_json (1.15.0)
mustermann (3.0.0) mustermann (3.0.0)
@ -454,8 +456,8 @@ GEM
timeout timeout
net-smtp (0.4.0.1) net-smtp (0.4.0.1)
net-protocol net-protocol
nio4r (2.7.1) nio4r (2.7.0)
nokogiri (1.16.4) nokogiri (1.16.2)
mini_portile2 (~> 2.8.2) mini_portile2 (~> 2.8.2)
racc (~> 1.4) racc (~> 1.4)
openid_connect (2.3.0) openid_connect (2.3.0)
@ -478,8 +480,8 @@ GEM
ast (~> 2.4.1) ast (~> 2.4.1)
racc racc
pdf-core (0.9.0) pdf-core (0.9.0)
pg (1.5.6) pg (1.5.4)
phonelib (0.8.8) phonelib (0.8.7)
prawn (2.4.0) prawn (2.4.0)
pdf-core (~> 0.9.0) pdf-core (~> 0.9.0)
ttfunk (~> 1.7) ttfunk (~> 1.7)
@ -501,14 +503,14 @@ GEM
promise.rb (0.7.4) promise.rb (0.7.4)
psych (5.1.2) psych (5.1.2)
stringio stringio
public_suffix (5.0.5) public_suffix (5.0.4)
puma (6.4.2) puma (6.4.2)
nio4r (~> 2.0) nio4r (~> 2.0)
pundit (2.3.1) pundit (2.3.1)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
raabro (1.4.0) raabro (1.4.0)
racc (1.7.3) racc (1.7.3)
rack (2.2.9) rack (2.2.8.1)
rack-attack (6.7.0) rack-attack (6.7.0)
rack (>= 1.0, < 4) rack (>= 1.0, < 4)
rack-mini-profiler (3.3.1) rack-mini-profiler (3.3.1)
@ -560,7 +562,7 @@ GEM
rails-html-sanitizer (1.6.0) rails-html-sanitizer (1.6.0)
loofah (~> 2.21) loofah (~> 2.21)
nokogiri (~> 1.14) nokogiri (~> 1.14)
rails-i18n (7.0.9) rails-i18n (7.0.8)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
railties (>= 6.0.0, < 8) railties (>= 6.0.0, < 8)
rails-pg-extras (5.3.1) rails-pg-extras (5.3.1)
@ -574,7 +576,7 @@ GEM
thor (~> 1.0) thor (~> 1.0)
zeitwerk (~> 2.5) zeitwerk (~> 2.5)
rainbow (3.1.1) rainbow (3.1.1)
rake (13.2.1) rake (13.1.0)
rake-progressbar (0.0.5) rake-progressbar (0.0.5)
rb-fsevent (0.11.2) rb-fsevent (0.11.2)
rb-inotify (0.10.1) rb-inotify (0.10.1)
@ -582,12 +584,12 @@ GEM
rdoc (6.6.3.1) rdoc (6.6.3.1)
psych (>= 4.0.0) psych (>= 4.0.0)
redcarpet (3.6.0) redcarpet (3.6.0)
redis (5.2.0) redis (5.1.0)
redis-client (>= 0.22.0) redis-client (>= 0.17.0)
redis-client (0.22.1) redis-client (0.20.0)
connection_pool connection_pool
regexp_parser (2.9.0) regexp_parser (2.9.0)
reline (0.5.3) reline (0.4.2)
io-console (~> 0.5) io-console (~> 0.5)
request_store (1.5.1) request_store (1.5.1)
rack (>= 1.4) rack (>= 1.4)
@ -612,20 +614,20 @@ GEM
rspec-mocks (3.13.0) rspec-mocks (3.13.0)
diff-lcs (>= 1.2.0, < 2.0) diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.13.0) rspec-support (~> 3.13.0)
rspec-rails (6.1.2) rspec-rails (6.1.1)
actionpack (>= 6.1) actionpack (>= 6.1)
activesupport (>= 6.1) activesupport (>= 6.1)
railties (>= 6.1) railties (>= 6.1)
rspec-core (~> 3.13) rspec-core (~> 3.12)
rspec-expectations (~> 3.13) rspec-expectations (~> 3.12)
rspec-mocks (~> 3.13) rspec-mocks (~> 3.12)
rspec-support (~> 3.13) rspec-support (~> 3.12)
rspec-retry (0.6.2) rspec-retry (0.6.2)
rspec-core (> 3.3) rspec-core (> 3.3)
rspec-support (3.13.1) rspec-support (3.13.0)
rspec_junit_formatter (0.6.0) rspec_junit_formatter (0.6.0)
rspec-core (>= 2, < 4, != 2.12.0) rspec-core (>= 2, < 4, != 2.12.0)
rubocop (1.63.3) rubocop (1.60.2)
json (~> 2.3) json (~> 2.3)
language_server-protocol (>= 3.17.0) language_server-protocol (>= 3.17.0)
parallel (~> 1.10) parallel (~> 1.10)
@ -633,30 +635,27 @@ GEM
rainbow (>= 2.2.2, < 4.0) rainbow (>= 2.2.2, < 4.0)
regexp_parser (>= 1.8, < 3.0) regexp_parser (>= 1.8, < 3.0)
rexml (>= 3.2.5, < 4.0) rexml (>= 3.2.5, < 4.0)
rubocop-ast (>= 1.31.1, < 2.0) rubocop-ast (>= 1.30.0, < 2.0)
ruby-progressbar (~> 1.7) ruby-progressbar (~> 1.7)
unicode-display_width (>= 2.4.0, < 3.0) unicode-display_width (>= 2.4.0, < 3.0)
rubocop-ast (1.31.2) rubocop-ast (1.30.0)
parser (>= 3.3.0.4) parser (>= 3.2.1.0)
rubocop-capybara (2.20.0) rubocop-capybara (2.20.0)
rubocop (~> 1.41) rubocop (~> 1.41)
rubocop-factory_bot (2.25.1) rubocop-factory_bot (2.25.1)
rubocop (~> 1.41) rubocop (~> 1.41)
rubocop-performance (1.21.0) rubocop-performance (1.20.2)
rubocop (>= 1.48.1, < 2.0) rubocop (>= 1.48.1, < 2.0)
rubocop-ast (>= 1.31.1, < 2.0) rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rails (2.24.1) rubocop-rails (2.23.1)
activesupport (>= 4.2.0) activesupport (>= 4.2.0)
rack (>= 1.1) rack (>= 1.1)
rubocop (>= 1.33.0, < 2.0) rubocop (>= 1.33.0, < 2.0)
rubocop-ast (>= 1.31.1, < 2.0) rubocop-ast (>= 1.30.0, < 2.0)
rubocop-rspec (2.29.1) rubocop-rspec (2.26.1)
rubocop (~> 1.40) rubocop (~> 1.40)
rubocop-capybara (~> 2.17) rubocop-capybara (~> 2.17)
rubocop-factory_bot (~> 2.22) rubocop-factory_bot (~> 2.22)
rubocop-rspec_rails (~> 2.28)
rubocop-rspec_rails (2.28.3)
rubocop (~> 1.40)
ruby-graphviz (1.2.5) ruby-graphviz (1.2.5)
rexml rexml
ruby-next-core (1.0.2) ruby-next-core (1.0.2)
@ -693,52 +692,38 @@ GEM
scss_lint (0.60.0) scss_lint (0.60.0)
sass (~> 3.5, >= 3.5.5) sass (~> 3.5, >= 3.5.5)
selectize-rails (0.12.6) selectize-rails (0.12.6)
selenium-devtools (0.123.0) selenium-devtools (0.121.0)
selenium-webdriver (~> 4.2) selenium-webdriver (~> 4.2)
selenium-webdriver (4.19.0) selenium-webdriver (4.17.0)
base64 (~> 0.2) base64 (~> 0.2)
rexml (~> 3.2, >= 3.2.5) rexml (~> 3.2, >= 3.2.5)
rubyzip (>= 1.2.2, < 3.0) rubyzip (>= 1.2.2, < 3.0)
websocket (~> 1.0) websocket (~> 1.0)
sentry-delayed_job (5.17.3) sentry-delayed_job (5.16.1)
delayed_job (>= 4.0) delayed_job (>= 4.0)
sentry-ruby (~> 5.17.3) sentry-ruby (~> 5.16.1)
sentry-rails (5.17.3) sentry-rails (5.16.1)
railties (>= 5.0) railties (>= 5.0)
sentry-ruby (~> 5.17.3) sentry-ruby (~> 5.16.1)
sentry-ruby (5.17.3) sentry-ruby (5.16.1)
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2) concurrent-ruby (~> 1.0, >= 1.0.2)
sentry-sidekiq (5.17.3) sentry-sidekiq (5.16.1)
sentry-ruby (~> 5.17.3) sentry-ruby (~> 5.16.1)
sidekiq (>= 3.0) sidekiq (>= 3.0)
shoulda-matchers (6.2.0) shoulda-matchers (6.1.0)
activesupport (>= 5.2.0) activesupport (>= 5.2.0)
sib-api-v3-sdk (9.1.0) sib-api-v3-sdk (9.1.0)
addressable (~> 2.3, >= 2.3.0) addressable (~> 2.3, >= 2.3.0)
json (~> 2.1, >= 2.1.0) json (~> 2.1, >= 2.1.0)
typhoeus (~> 1.0, >= 1.0.1) typhoeus (~> 1.0, >= 1.0.1)
sidekiq (7.2.2) sidekiq (7.2.1)
concurrent-ruby (< 2) concurrent-ruby (< 2)
connection_pool (>= 2.3.0) connection_pool (>= 2.3.0)
rack (>= 2.2.4) rack (>= 2.2.4)
redis-client (>= 0.19.0) redis-client (>= 0.19.0)
sidekiq-cron (1.12.0)
fugit (~> 1.8)
globalid (>= 1.0.1)
sidekiq (>= 6)
simple_xlsx_reader (1.0.4) simple_xlsx_reader (1.0.4)
nokogiri nokogiri
rubyzip rubyzip
simplecov (0.22.0)
docile (~> 1.1)
simplecov-html (~> 0.11)
simplecov_json_formatter (~> 0.1)
simplecov-cobertura (2.1.0)
rexml
simplecov (~> 0.19)
simplecov-html (0.12.3)
simplecov_json_formatter (0.1.4)
simpleidn (0.2.1) simpleidn (0.2.1)
unf (~> 0.1.4) unf (~> 0.1.4)
sinatra (3.2.0) sinatra (3.2.0)
@ -746,13 +731,13 @@ GEM
rack (~> 2.2, >= 2.2.4) rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.2.0) rack-protection (= 3.2.0)
tilt (~> 2.0) tilt (~> 2.0)
skylight (6.0.4) skylight (6.0.3)
activesupport (>= 5.2.0) activesupport (>= 5.2.0)
smart_properties (1.17.0) smart_properties (1.17.0)
spreadsheet_architect (5.0.0) spreadsheet_architect (5.0.0)
caxlsx (>= 3.3.0, < 4) caxlsx (>= 3.3.0, < 4)
rodf (>= 1.0.0, < 2) rodf (>= 1.0.0, < 2)
spring (4.2.1) spring (4.1.3)
spring-commands-rspec (1.0.4) spring-commands-rspec (1.0.4)
spring (>= 0.9.1) spring (>= 0.9.1)
sprockets (4.2.1) sprockets (4.2.1)
@ -764,7 +749,7 @@ GEM
sprockets (>= 3.0.0) sprockets (>= 3.0.0)
stackprof (0.2.26) stackprof (0.2.26)
stringio (3.1.0) stringio (3.1.0)
strong_migrations (1.8.0) strong_migrations (1.7.0)
activerecord (>= 5.2) activerecord (>= 5.2)
swd (2.0.3) swd (2.0.3)
activesupport (>= 3) activesupport (>= 3)
@ -777,13 +762,13 @@ GEM
temple (0.8.2) temple (0.8.2)
terminal-table (3.0.2) terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3) unicode-display_width (>= 1.1.1, < 3)
thor (1.3.1) thor (1.3.0)
thread_safe (0.3.6) thread_safe (0.3.6)
tilt (2.3.0) tilt (2.3.0)
timecop (0.9.8) timecop (0.9.8)
timeout (0.4.1) timeout (0.4.1)
ttfunk (1.7.0) ttfunk (1.7.0)
turbo-rails (2.0.5) turbo-rails (2.0.2)
actionpack (>= 6.0.0) actionpack (>= 6.0.0)
activejob (>= 6.0.0) activejob (>= 6.0.0)
railties (>= 6.0.0) railties (>= 6.0.0)
@ -801,7 +786,7 @@ GEM
activemodel (>= 3.0.0) activemodel (>= 3.0.0)
public_suffix public_suffix
vcr (6.2.0) vcr (6.2.0)
view_component (3.12.1) view_component (3.10.0)
activesupport (>= 5.2.0, < 8.0) activesupport (>= 5.2.0, < 8.0)
concurrent-ruby (~> 1.0) concurrent-ruby (~> 1.0)
method_source (~> 1.0) method_source (~> 1.0)
@ -827,7 +812,7 @@ GEM
activesupport activesupport
faraday (~> 2.0) faraday (~> 2.0)
faraday-follow_redirects faraday-follow_redirects
webmock (3.23.0) webmock (3.20.0)
addressable (>= 2.8.0) addressable (>= 2.8.0)
crack (>= 0.3.2) crack (>= 0.3.2)
hashdiff (>= 0.4.0, < 2.0.0) hashdiff (>= 0.4.0, < 2.0.0)
@ -849,22 +834,10 @@ GEM
anyway_config (>= 1.0, < 3) anyway_config (>= 1.0, < 3)
concurrent-ruby concurrent-ruby
dry-initializer dry-initializer
yabeda-graphql (0.2.3)
graphql (>= 1.9, < 3)
yabeda (~> 0.2)
yabeda-prometheus (0.9.1) yabeda-prometheus (0.9.1)
prometheus-client (>= 3.0, < 5.0) prometheus-client (>= 3.0, < 5.0)
rack rack
yabeda (~> 0.10) yabeda (~> 0.10)
yabeda-puma-plugin (0.7.1)
json
puma
yabeda (~> 0.5)
yabeda-rails (0.9.0)
activesupport
anyway_config (>= 1.3, < 3)
railties
yabeda (~> 0.8)
yabeda-sidekiq (0.12.0) yabeda-sidekiq (0.12.0)
anyway_config (>= 1.3, < 3) anyway_config (>= 1.3, < 3)
sidekiq sidekiq
@ -911,7 +884,7 @@ DEPENDENCIES
delayed_cron_job delayed_cron_job
delayed_job_active_record delayed_job_active_record
delayed_job_web delayed_job_web
devise devise!
devise-i18n devise-i18n
devise-two-factor devise-two-factor
discard discard
@ -1000,10 +973,7 @@ DEPENDENCIES
shoulda-matchers shoulda-matchers
sib-api-v3-sdk sib-api-v3-sdk
sidekiq sidekiq
sidekiq-cron
simple_xlsx_reader simple_xlsx_reader
simplecov
simplecov-cobertura
skylight skylight
spreadsheet_architect spreadsheet_architect
spring spring
@ -1022,13 +992,10 @@ DEPENDENCIES
web-console web-console
webmock webmock
webrick webrick
yabeda-graphql
yabeda-prometheus yabeda-prometheus
yabeda-puma-plugin
yabeda-rails
yabeda-sidekiq yabeda-sidekiq
zipline zipline
zxcvbn-ruby zxcvbn-ruby
BUNDLED WITH BUNDLED WITH
2.5.9 2.5.4


@ -518,10 +518,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0cq1c29zbkcxgdihqisirhcw76xc768z2zpd5vbccpq0l1lv76g7"; sha256 = "00db5v09k1z3539g1zrk7vkjrln9967k08adh6qx33ng97a2gg5w";
type = "gem"; type = "gem";
}; };
version = "3.1.7"; version = "3.1.6";
}; };
bindata = { bindata = {
groups = [ "default" ]; groups = [ "default" ];
@ -682,10 +682,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "14vir1240ynwmad0a0qrklx8m7kzvayd2jwi51xh3hnlf529iicn"; sha256 = "1wnqscsnwjs809q33v3hmcr7isv35022bwd002mwviy5ic29dw32";
type = "gem"; type = "gem";
}; };
version = "5.0.6"; version = "5.0.5";
}; };
choice = { choice = {
groups = [ groups = [
@ -922,11 +922,13 @@
groups = [ "default" ]; groups = [ "default" ];
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; fetchSubmodules = false;
sha256 = "1y57fpcvy1kjd4nb7zk7mvzq62wqcpfynrgblj558k3hbvz4404j"; rev = "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1";
type = "gem"; sha256 = "1vlcyp6qng7ws4gaw51rz6dhxwldryvfm6fsk33gf7drm7xvr5qf";
type = "git";
url = "https://github.com/heartcombo/devise.git";
}; };
version = "4.9.4"; version = "4.9.3";
}; };
devise-i18n = { devise-i18n = {
dependencies = [ "devise" ]; dependencies = [ "devise" ];
@ -980,19 +982,6 @@
}; };
version = "1.3.0"; version = "1.3.0";
}; };
docile = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1lxqxgq71rqwj1lpl9q1mbhhhhhhdkkj7my341f2889pwayk85sz";
type = "gem";
};
version = "1.4.0";
};
dotenv = { dotenv = {
groups = [ "default" ]; groups = [ "default" ];
platforms = [ ]; platforms = [ ];
@ -1110,10 +1099,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0r6zylqjfv0xhdxvldr0kgmnglm57nm506pcm6085f0xqa68cvnj"; sha256 = "1d2z4ky2v15dpcz672i2p7lb2nc793dasq3yq3660h2az53kss9v";
type = "gem"; type = "gem";
}; };
version = "1.2.11"; version = "1.2.7";
}; };
ethon = { ethon = {
dependencies = [ "ffi" ]; dependencies = [ "ffi" ];
@ -1326,10 +1315,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "10m9b2gvwfvmm61000mq7n8q7pk2xkxmizgfydpis66n2ybrhwh5"; sha256 = "08fjxnzqvql8mg8wbpddg6fl9lrsp38dwhiyfpfsz550524f2ap9";
type = "gem"; type = "gem";
}; };
version = "1.10.1"; version = "1.9.0";
}; };
geo_coord = { geo_coord = {
groups = [ "default" ]; groups = [ "default" ];
@ -1718,10 +1707,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "17ak21ybbprj9vg0hk8pb1r2yk9vlh50v9bdwh3qvlmpzcvljqq7"; sha256 = "1f8wms39b7z83x6pflq2sjh3sikpk0xjh680igbpkp1j3pl0fpx0";
type = "gem"; type = "gem";
}; };
version = "1.12.0"; version = "1.11.2";
}; };
job-iteration = { job-iteration = {
dependencies = [ "activejob" ]; dependencies = [ "activejob" ];
@ -1757,10 +1746,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0b4qsi8gay7ncmigr0pnbxyb17y3h8kavdyhsh7nrlqwr35vb60q"; sha256 = "0r9jmjhg2ly3l736flk7r2al47b5c8cayh0gqkq0yhjqzc9a6zhq";
type = "gem"; type = "gem";
}; };
version = "2.7.2"; version = "2.7.1";
}; };
json-jwt = { json-jwt = {
dependencies = [ dependencies = [
@ -1782,8 +1771,6 @@
}; };
json_schemer = { json_schemer = {
dependencies = [ dependencies = [
"base64"
"bigdecimal"
"hana" "hana"
"regexp_parser" "regexp_parser"
"simpleidn" "simpleidn"
@ -1792,10 +1779,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0gp7zh16wk8qijcp9n4x460a5ks0mhacs0vb2f6rffi3v9k2fg4m"; sha256 = "02gnz7wajg7f5n67vlswfi8yjvwahypy36z6hrg0qfx3cc3589qg";
type = "gem"; type = "gem";
}; };
version = "2.2.1"; version = "2.1.1";
}; };
jsonapi-renderer = { jsonapi-renderer = {
groups = [ "default" ]; groups = [ "default" ];
@ -1808,15 +1795,14 @@
version = "0.2.2"; version = "0.2.2";
}; };
jwt = { jwt = {
dependencies = [ "base64" ];
groups = [ "default" ]; groups = [ "default" ];
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "02m3vza49pb9dirwpn8vmzbcypi3fc6l3a9dh253jwm1121g7ajb"; sha256 = "16z11alz13vfc4zs5l3fk6n51n2jw9lskvc4h4prnww0y797qd87";
type = "gem"; type = "gem";
}; };
version = "2.8.1"; version = "2.7.1";
}; };
kaminari = { kaminari = {
dependencies = [ dependencies = [
@ -1954,10 +1940,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0rwwsmvq79qwzl6324yc53py02kbrcww35si720490z5w0j497nv"; sha256 = "13rgkfar8pp31z1aamxf5y7cfq88wv6rxxcwy7cmm177qq508ycn";
type = "gem"; type = "gem";
}; };
version = "3.9.0"; version = "3.8.0";
}; };
lograge = { lograge = {
dependencies = [ dependencies = [
@ -2036,10 +2022,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1jybdhfr6mv4kgq5ph91r06r071jnvzx0lhm3988l1y3wqrdfmq8"; sha256 = "0ighmn1nnv31bykarkwf0pqgrqab09jxk0xp9hh6zwpfqi7b915n";
type = "gem"; type = "gem";
}; };
version = "2.7.0"; version = "2.6.0";
}; };
marcel = { marcel = {
groups = [ "default" ]; groups = [ "default" ];
@ -2083,10 +2069,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1igmc3sq9ay90f8xjvfnswd1dybj1s3fi0dwd53inwsvqk4h24qq"; sha256 = "1pnyh44qycnf9mzi1j6fywd5fkskv3x7nmsqrrws0rjn5dd4ayfp";
type = "gem"; type = "gem";
}; };
version = "1.1.0"; version = "1.0.0";
}; };
mime-types = { mime-types = {
dependencies = [ "mime-types-data" ]; dependencies = [ "mime-types-data" ];
@ -2156,10 +2142,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "149r94xi6b3jbp6bv72f8383b95ndn0p5sxnq11gs1j9jadv0ajf"; sha256 = "1kl9c3kdchjabrihdqfmcplk3lq4cw1rr9f378y6q22qwy5dndvs";
type = "gem"; type = "gem";
}; };
version = "2.8.6"; version = "2.8.5";
}; };
minitest = { minitest = {
groups = [ groups = [
@ -2170,10 +2156,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "07lq26b86giy3ha3fhrywk9r1ajhc2pm2mzj657jnpnbj1i6g17a"; sha256 = "0667vf0zglacry87nkcl3ns8421aydvz71vfa3g3yjhiq8zh19f5";
type = "gem"; type = "gem";
}; };
version = "5.22.3"; version = "5.22.2";
}; };
msgpack = { msgpack = {
groups = [ "default" ]; groups = [ "default" ];
@ -2285,10 +2271,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "15iwbiij52x6jhdbl0rkcldnhfndmsy0sbnsygkr9vhskfqrp72m"; sha256 = "0xkjz56qc7hl7zy7i7bhiyw5pl85wwjsa4p70rj6s958xj2sd1lm";
type = "gem"; type = "gem";
}; };
version = "2.7.1"; version = "2.7.0";
}; };
nokogiri = { nokogiri = {
dependencies = [ dependencies = [
@ -2303,10 +2289,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0i8g0i370jhn2sclml0bg9qlrgf4csi6sy7czbhx8kjbl71idhb2"; sha256 = "173zavvxlwyi48lfskk48wcrdbkvjlhjhvy4jpcrfx72rpjjx4k8";
type = "gem"; type = "gem";
}; };
version = "1.16.4"; version = "1.16.2";
}; };
openid_connect = { openid_connect = {
dependencies = [ dependencies = [
@ -2397,20 +2383,20 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "071b55bhsz7mivlnp2kv0a11msnl7xg5awvk8mlflpl270javhsb"; sha256 = "0pfj771p5a29yyyw58qacks464sl86d5m3jxjl5rlqqw2m3v5xq4";
type = "gem"; type = "gem";
}; };
version = "1.5.6"; version = "1.5.4";
}; };
phonelib = { phonelib = {
groups = [ "default" ]; groups = [ "default" ];
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1ish2nzp5jz9xw80npgc5gqsr9krc50wk3irfj71hkw4iccjdn62"; sha256 = "1d97488hh70n56gdyra1ajynfp36fp1ca1hy55dghf52vklyjgac";
type = "gem"; type = "gem";
}; };
version = "0.8.8"; version = "0.8.7";
}; };
prawn = { prawn = {
dependencies = [ dependencies = [
@ -2526,10 +2512,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "14y4vzjwf5gp0mqgs880kis0k7n2biq8i6ci6q2n315kichl1hvj"; sha256 = "1bni4qjrsh2q49pnmmd6if4iv3ak36bd2cckrs6npl111n769k9m";
type = "gem"; type = "gem";
}; };
version = "5.0.5"; version = "5.0.4";
}; };
puma = { puma = {
dependencies = [ "nio4r" ]; dependencies = [ "nio4r" ];
@ -2586,10 +2572,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0hj0rkw2z9r1lcg2wlrcld2n3phwrcgqcp7qd1g9a7hwgalh2qzx"; sha256 = "10mpk0hl6hnv324fp1pfimi2nw9acj0z4gyhrph36qg84pk1s4m7";
type = "gem"; type = "gem";
}; };
version = "2.2.9"; version = "2.2.8.1";
}; };
rack-attack = { rack-attack = {
dependencies = [ "rack" ]; dependencies = [ "rack" ];
@ -2786,10 +2772,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0s8kvic2ia34ngssz6h15wqj0k3wwblhyh0f9v0j3gy7ly0dp161"; sha256 = "1k8jvm3l4gafw7hyvpky7yzjjnkr3iy7l59lyam8ah3kqhmzk7zf";
type = "gem"; type = "gem";
}; };
version = "7.0.9"; version = "7.0.8";
}; };
rails-pg-extras = { rails-pg-extras = {
dependencies = [ dependencies = [
@ -2849,10 +2835,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "17850wcwkgi30p7yqh60960ypn7yibacjjha0av78zaxwvd3ijs6"; sha256 = "1ilr853hawi09626axx0mps4rkkmxcs54mapz9jnqvpnlwd3wsmy";
type = "gem"; type = "gem";
}; };
version = "13.2.1"; version = "13.1.0";
}; };
rake-progressbar = { rake-progressbar = {
groups = [ "default" ]; groups = [ "default" ];
@ -2922,10 +2908,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1d1ng78dwbzgfg1sljf9bnx2km5y3p3jc42a9npwcrmiard9fsrk"; sha256 = "1yv9z3cch7aay3rs2iildk7jnvhijhwyyxvcn2nfdn6yp9vn7kxz";
type = "gem"; type = "gem";
}; };
version = "5.2.0"; version = "5.1.0";
}; };
redis-client = { redis-client = {
dependencies = [ "connection_pool" ]; dependencies = [ "connection_pool" ];
@ -2933,10 +2919,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0zhh37gdchzip97z1c6al0bx9m017gfm21n2kl31gy435s0v64dl"; sha256 = "136wddl18jl7zmlcigpf83fvfdmp369rhhc65n6jrdphwj7w76i3";
type = "gem"; type = "gem";
}; };
version = "0.22.1"; version = "0.20.0";
}; };
regexp_parser = { regexp_parser = {
groups = [ groups = [
@ -2962,10 +2948,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0d90nhsqvzp576dsz622fcz0r4zj9hvqlvb6y00f20zx3mx78iic"; sha256 = "0fhwdmw89zqb1fdxcd6lr57zabbfi08z8j6kqwngak0xnxi2j10l";
type = "gem"; type = "gem";
}; };
version = "0.5.3"; version = "0.4.2";
}; };
request_store = { request_store = {
dependencies = [ "rack" ]; dependencies = [ "rack" ];
@ -3132,10 +3118,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "02wr7fl189p1lnpaylz48dlp1n5y763w92gk59s0345hwfr4m1q2"; sha256 = "1clmx6qzdbpm1g8ycg38gjbqsbr8ccqi6hqyx88g8yckz1hrx55x";
type = "gem"; type = "gem";
}; };
version = "6.1.2"; version = "6.1.1";
}; };
rspec-retry = { rspec-retry = {
dependencies = [ "rspec-core" ]; dependencies = [ "rspec-core" ];
@ -3157,10 +3143,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "03z7gpqz5xkw9rf53835pa8a9vgj4lic54rnix9vfwmp2m7pv1s8"; sha256 = "0msjfw99dkbvmviv3wsid4k9h1prdgq7pnm52dcyf362p19mywhf";
type = "gem"; type = "gem";
}; };
version = "3.13.1"; version = "3.13.0";
}; };
rspec_junit_formatter = { rspec_junit_formatter = {
dependencies = [ "rspec-core" ]; dependencies = [ "rspec-core" ];
@ -3190,10 +3176,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0i2zimjixmjs6r88mgpklj6kdxq63a24mjvvphhbnbwgclb1z8qp"; sha256 = "0v67rgbhzanbf02fy5xasaxgmhxghlqb2cxjvbplinm2zfzs0380";
type = "gem"; type = "gem";
}; };
version = "1.63.3"; version = "1.60.2";
}; };
rubocop-ast = { rubocop-ast = {
dependencies = [ "parser" ]; dependencies = [ "parser" ];
@ -3204,10 +3190,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1v3q8n48w8h809rqbgzihkikr4g3xk72m1na7s97jdsmjjq6y83w"; sha256 = "1cs9cc5p9q70valk4na3lki4xs88b52486p2v46yx3q1n5969bgs";
type = "gem"; type = "gem";
}; };
version = "1.31.2"; version = "1.30.0";
}; };
rubocop-capybara = { rubocop-capybara = {
dependencies = [ "rubocop" ]; dependencies = [ "rubocop" ];
@ -3246,10 +3232,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "16jayzjaaglhx69s6b83acpdzcxxccfkcn69gfpkimf2j64zlm7c"; sha256 = "0cf7fn4dwf45r3nhnda0dhnwn8qghswyqbfxr2ippb3z8a6gmc8v";
type = "gem"; type = "gem";
}; };
version = "1.21.0"; version = "1.20.2";
}; };
rubocop-rails = { rubocop-rails = {
dependencies = [ dependencies = [
@ -3262,40 +3248,25 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "06dcxrr71sn0kkw8fwh0w884zbig2ilxpkl66s7lcis9jmkggv83"; sha256 = "1id396xvixh5w19bjsli477mn4dr48ff8n1243d2z0y4zr1ld52h";
type = "gem"; type = "gem";
}; };
version = "2.24.1"; version = "2.23.1";
}; };
rubocop-rspec = { rubocop-rspec = {
dependencies = [ dependencies = [
"rubocop" "rubocop"
"rubocop-capybara" "rubocop-capybara"
"rubocop-factory_bot" "rubocop-factory_bot"
"rubocop-rspec_rails"
]; ];
groups = [ "development" ]; groups = [ "development" ];
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "04rfx0f0ns3vfz16fvbxgc9ivjh6gkpqfdi0qsg3grq660dfhkjk"; sha256 = "0n24wy34shczlr5fnim7vcbrgvs0hffzw89n06fxziim9iws406s";
type = "gem"; type = "gem";
}; };
version = "2.29.1"; version = "2.26.1";
};
rubocop-rspec_rails = {
dependencies = [ "rubocop" ];
groups = [
"default"
"development"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0618lfncmvnvkwa1jb0kga1f2yiiw1809flkj4kg52nagh3z4scp";
type = "gem";
};
version = "2.28.3";
}; };
ruby-graphviz = { ruby-graphviz = {
dependencies = [ "rexml" ]; dependencies = [ "rexml" ];
@ -3500,10 +3471,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0fxhkxpczqg4f7gxdyvc6ccxy9hppnwl3ih03p42f6hbfy5q1x64"; sha256 = "1l2qf5w0bk01s50gzx8clzw4zchff9a01kk2s8fnpz65g7rgh4g9";
type = "gem"; type = "gem";
}; };
version = "0.123.0"; version = "0.121.0";
}; };
selenium-webdriver = { selenium-webdriver = {
dependencies = [ dependencies = [
@ -3516,10 +3487,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0rjh9s5x7jqaxjfcz2m3hphhlajk9nxs6wdsnia62iba07bd32sc"; sha256 = "0g3l3invk95w1f72mpp0r4hc3vsc3070c1xd1wg76kfg2r182xnq";
type = "gem"; type = "gem";
}; };
version = "4.19.0"; version = "4.17.0";
}; };
sentry-delayed_job = { sentry-delayed_job = {
dependencies = [ dependencies = [
@ -3530,10 +3501,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1bnglhd7cvy5y0kr50w4bgs89y72ym6zlgp751g2y50dp4ydl540"; sha256 = "1rbhzb3nmrs5lrfmcshrg5wp9liblc14m63ljxb12nc4w5fnnwf8";
type = "gem"; type = "gem";
}; };
version = "5.17.3"; version = "5.16.1";
}; };
sentry-rails = { sentry-rails = {
dependencies = [ dependencies = [
@ -3544,24 +3515,21 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0ncl8br0k6fas4n6c4xw4wr59kq5s2liqn1s4790m73k5p272xq1"; sha256 = "16jyjm0rcj1y175bjmj6bhf7dclp5yw5dh1fna0xy4r07ysq864g";
type = "gem"; type = "gem";
}; };
version = "5.17.3"; version = "5.16.1";
}; };
sentry-ruby = { sentry-ruby = {
dependencies = [ dependencies = [ "concurrent-ruby" ];
"bigdecimal"
"concurrent-ruby"
];
groups = [ "default" ]; groups = [ "default" ];
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1z5v5zzasy04hbgxbj9n8bb39ayllvps3snfgbc5rydh1d5ilyb1"; sha256 = "0fsqs1f7nb4y45qwlg14hz155r4pf8ny3j8gzpxlqafpd3dz2zkn";
type = "gem"; type = "gem";
}; };
version = "5.17.3"; version = "5.16.1";
}; };
sentry-sidekiq = { sentry-sidekiq = {
dependencies = [ dependencies = [
@ -3572,10 +3540,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0n1cr9g15hp08jsqabprd6q34ap61r71f33x28w1xr4ri4hllwfh"; sha256 = "0ksmn3ca3rrdd33azmiprbd4hrcw3fr7hiya60sqp9apg6ir36v3";
type = "gem"; type = "gem";
}; };
version = "5.17.3"; version = "5.16.1";
}; };
shoulda-matchers = { shoulda-matchers = {
dependencies = [ "activesupport" ]; dependencies = [ "activesupport" ];
@ -3583,10 +3551,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1pfq0w167v4055k0km64sxik1qslhsi32wl2jlidmfzkqmcw00m7"; sha256 = "1p83ca48h812h5gksw2q0x5289jsc4c417f8s6w9d4a12jzw86zi";
type = "gem"; type = "gem";
}; };
version = "6.2.0"; version = "6.1.0";
}; };
sib-api-v3-sdk = { sib-api-v3-sdk = {
dependencies = [ dependencies = [
@ -3614,25 +3582,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "18ykb35ab3fsg6jj8h7kb3kbba41sls4nvwn6vxb731iyh10v4h9"; sha256 = "057vw807x98r4xmhyv2m2rxa8qqxr7ysn7asp5hmdvn9sa9kkm3c";
type = "gem"; type = "gem";
}; };
version = "7.2.2"; version = "7.2.1";
};
sidekiq-cron = {
dependencies = [
"fugit"
"globalid"
"sidekiq"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0v09lg8kza19jmigqv5hx2ibhm75j6pa639sfy4bv2208l50hqv6";
type = "gem";
};
version = "1.12.0";
}; };
simple_xlsx_reader = { simple_xlsx_reader = {
dependencies = [ dependencies = [
@ -3651,61 +3604,6 @@
}; };
version = "1.0.4"; version = "1.0.4";
}; };
simplecov = {
dependencies = [
"docile"
"simplecov-html"
"simplecov_json_formatter"
];
groups = [ "test" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "198kcbrjxhhzca19yrdcd6jjj9sb51aaic3b0sc3pwjghg3j49py";
type = "gem";
};
version = "0.22.0";
};
simplecov-cobertura = {
dependencies = [
"rexml"
"simplecov"
];
groups = [ "test" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "00izmp202y48qvmvwrh5x56cc5ivbjhgkkkjklvqmqzj9pik4r9c";
type = "gem";
};
version = "2.1.0";
};
simplecov-html = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yx01bxa8pbf9ip4hagqkp5m0mqfnwnw2xk8kjraiywz4lrss6jb";
type = "gem";
};
version = "0.12.3";
};
simplecov_json_formatter = {
groups = [
"default"
"test"
];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0a5l0733hj7sk51j81ykfmlk2vd5vaijlq9d5fn165yyx3xii52j";
type = "gem";
};
version = "0.1.4";
};
simpleidn = { simpleidn = {
dependencies = [ "unf" ]; dependencies = [ "unf" ];
groups = [ "default" ]; groups = [ "default" ];
@ -3739,10 +3637,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "035xplxkr21z73c7mzfaj7ak438w2j63118724s53fbnv8rrw790"; sha256 = "0607y37q3lc748ld6w5qhp9kcj1h2vi5026hsg30vb6dsdrpcyy6";
type = "gem"; type = "gem";
}; };
version = "6.0.4"; version = "6.0.3";
}; };
smart_properties = { smart_properties = {
groups = [ "default" ]; groups = [ "default" ];
@ -3776,10 +3674,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1bm5w3mp597vy0cjwx609k3jdh5zik36ffmna7hchrn9g96s45w5"; sha256 = "0dqpd70xcaxsa8m8zd6rq464dfczy1rm086bascv9c5b7qnn2yyp";
type = "gem"; type = "gem";
}; };
version = "4.2.1"; version = "4.1.3";
}; };
spring-commands-rspec = { spring-commands-rspec = {
dependencies = [ "spring" ]; dependencies = [ "spring" ];
@ -3854,10 +3752,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0p9g8jqcakpwmbs6f77ydmbiwbgx9c5nr6jgwxh4xx6xpig1bphq"; sha256 = "1742r643p4nigjj45gjjmgl3d9i5ja7klda0bhmxp02ay971c3n6";
type = "gem"; type = "gem";
}; };
version = "1.8.0"; version = "1.7.0";
}; };
swd = { swd = {
dependencies = [ dependencies = [
@ -3932,10 +3830,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "1vq1fjp45az9hfp6fxljhdrkv75cvbab1jfrwcw738pnsiqk8zps"; sha256 = "1hx77jxkrwi66yvs10wfxqa8s25ds25ywgrrf66acm9nbfg7zp0s";
type = "gem"; type = "gem";
}; };
version = "1.3.1"; version = "1.3.0";
}; };
thread_safe = { thread_safe = {
groups = [ groups = [
@ -4007,10 +3905,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "0ab2fr50fdzhpjlp78c17xmrd59ab32c55vrjd94wwr4khs7bxyf"; sha256 = "1vgz0y5ilnpgj3id9y5rshnq1hyhhjh4pjzb0hs9fv0p8kps4k07";
type = "gem"; type = "gem";
}; };
version = "2.0.5"; version = "2.0.2";
}; };
typhoeus = { typhoeus = {
dependencies = [ "ethon" ]; dependencies = [ "ethon" ];
@ -4126,10 +4024,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "12xi88jvx49p15nx2168wm0r00g90mb4cxzzsjxz92akjk92mkpj"; sha256 = "12sm1z0lk7rhrd18i4d5zhlj4d142rsw3arpdf9nx3hpflx8ib4j";
type = "gem"; type = "gem";
}; };
version = "3.12.1"; version = "3.10.0";
}; };
virtus = { virtus = {
dependencies = [ dependencies = [
@ -4230,10 +4128,10 @@
platforms = [ ]; platforms = [ ];
source = { source = {
remotes = [ "https://rubygems.org" ]; remotes = [ "https://rubygems.org" ];
sha256 = "07zk8ljq5kyd1mm9qw3452fcnf7frg3irh9ql8ln2m8zbi1qf1qh"; sha256 = "0rc3g9hhxi6v2l1cp9q3kcjd92bhmdbrb517l4v5pyzwq2nflcyc";
type = "gem"; type = "gem";
}; };
version = "3.23.0"; version = "3.20.0";
}; };
webrick = { webrick = {
groups = [ "default" ]; groups = [ "default" ];
@ -4335,20 +4233,6 @@
}; };
version = "0.12.0"; version = "0.12.0";
}; };
yabeda-graphql = {
dependencies = [
"graphql"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0y422499vbs4m1555yvqrdjyk7bdg16rnj224zaw1b77d8irmrks";
type = "gem";
};
version = "0.2.3";
};
yabeda-prometheus = { yabeda-prometheus = {
dependencies = [ dependencies = [
"prometheus-client" "prometheus-client"
@ -4364,37 +4248,6 @@
}; };
version = "0.9.1"; version = "0.9.1";
}; };
yabeda-puma-plugin = {
dependencies = [
"json"
"puma"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "0yxifgq9m11n73qz9jgxsapqp67ijm5gp6y5jbdvkdcf7c2p47d4";
type = "gem";
};
version = "0.7.1";
};
yabeda-rails = {
dependencies = [
"activesupport"
"anyway_config"
"railties"
"yabeda"
];
groups = [ "default" ];
platforms = [ ];
source = {
remotes = [ "https://rubygems.org" ];
sha256 = "1nl2jpx561mpwdxf63db9yshhwfmg8k72r8d9yxnsic2wahvy4b0";
type = "gem";
};
version = "0.9.0";
};
yabeda-sidekiq = { yabeda-sidekiq = {
dependencies = [ dependencies = [
"anyway_config" "anyway_config"


@ -26,13 +26,13 @@ done
CWD=$(pwd) CWD=$(pwd)
TMP=$(mktemp -d) TMP=$(mktemp -d)
cd "$TMP" || exit 1 cd "$TMP"
# Fetch the latest source or the required version # Fetch the latest source or the required version
gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git" gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
if [ -n "$version" ]; then if [ -n "$version" ]; then
git clone --depth 1 --branch "$version" $gitUrl . git clone --depth 1 --branch $version $gitUrl .
else else
git clone --depth 1 $gitUrl . git clone --depth 1 $gitUrl .
@ -48,10 +48,10 @@ cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
# Print the new source details # Print the new source details
SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version") SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
# Switch to bun # Print Yarn deps hash
nix-shell -p bun --run "bun install --frozen-lockfile --no-cache --no-progress --ignore-scripts" hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
DEPS_HASH=$(nix-hash --sri --type sha256 node_modules) DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
cat <<EOF >"$CWD/meta.nix" cat <<EOF >"$CWD/meta.nix"
{ {
@ -61,6 +61,6 @@ cat <<EOF >"$CWD/meta.nix"
} }
EOF EOF
nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD" nixfmt "$CWD"
rm -rf "$TMP" rm -rf "$TMP"
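Review bot: `cd "$TMP"` in the first hunk no longer stops the script when the directory change fails, so the `git clone ... .` that follows would run in the directory the script was started from. Unless `set -e` is enabled above the visible lines, keep `cd "$TMP" || exit 1`. The same hunk passes `$version` unquoted to `git clone --branch`, so a value containing whitespace or glob characters is split into extra arguments; write `git clone --depth 1 --branch "$version" "$gitUrl" .`. The last hunk calls `nixfmt "$CWD"` directly, which assumes the formatter is already on PATH in the calling environment. The start of the script is outside the hunks, so its shell options cannot be confirmed from here.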


@ -1,4 +1,4 @@
{ config, ... }: { config, lib, ... }:
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
@ -6,15 +6,6 @@
services.k-radius = { services.k-radius = {
enable = true; enable = true;
domain = "radius.dgnum.eu";
radiusClients = {
ap = {
ipaddr = "0.0.0.0/0";
secret = config.age.secrets."radius-ap-radius-secret_file".path;
};
};
settings = { settings = {
# URL to the Kanidm server # URL to the Kanidm server
uri = "https://sso.dgnum.eu"; uri = "https://sso.dgnum.eu";
@ -49,6 +40,18 @@
}; };
authTokenFile = config.age.secrets."radius-auth_token_file".path; authTokenFile = config.age.secrets."radius-auth_token_file".path;
privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;
certs = builtins.listToAttrs (
builtins.map (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path) [
"ca"
"cert"
"dh"
"key"
]
);
radiusClients = { };
}; };
age-secrets.autoMatch = [ "radius" ]; age-secrets.autoMatch = [ "radius" ];


@ -0,0 +1,196 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
settingsFormat = pkgs.formats.toml { };
py-pkgs = import ./packages/python { inherit pkgs; };
pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = types.package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = types.path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = types.path;
description = "File to the auth token for the service account.";
};
radiusClients = mkOption {
type = types.attrsOf (
types.submodule {
options = {
secret = mkOption { type = types.path; };
ipaddr = mkOption { type = types.str; };
};
}
);
default = { };
description = "A mapping of clients and their authentication tokens.";
};
certs = {
ca = mkOption {
type = types.str;
description = "The signing CA of the RADIUS certificate.";
};
dh = mkOption {
type = types.str;
description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
};
cert = mkOption {
type = types.str;
description = "The certificate for the RADIUS server.";
};
key = mkOption {
type = types.str;
description = "The signing key for the RADIUS certificate.";
};
};
privateKeyPasswordFile = mkOption { type = types.path; };
};
config = mkIf cfg.enable {
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
services.k-radius.settings = {
ca_path = cfg.certs.ca;
radius_cert_path = cfg.certs.cert;
radius_key_path = cfg.certs.key;
radius_dh_path = cfg.certs.dh;
radius_ca_path = cfg.certs.ca;
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network.target" ];
preStart = ''
cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
chmod -R u+w ${cfg.configDir}
# disable auth via methods kanidm doesn't support
rm ${cfg.configDir}/mods-available/sql
rm ${cfg.configDir}/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
# write the clients configuration
rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> ${cfg.configDir}/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
# Write the password of the private_key in the eap module
sed -i ${cfg.configDir}/mods-available/eap \
-e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
# Check the configuration
# ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
path = [
pkgs.openssl
pkgs.gnused
];
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
Group = "radius";
DynamicUser = true;
Restart = "on-failure";
RestartSec = 2;
LogsDirectory = "radius";
StateDirectory = "radius";
RuntimeDirectory = "radius";
Environment = [
"KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
"PYTHONPATH=${rlm_python.pythonPath}"
];
};
};
};
}
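Review bot: `ExecStart` starts radiusd with `-X`, which is FreeRADIUS's full debug mode; with `-l stdout` that output goes to the journal, and debug traces can include request attributes and, depending on the authentication method, credentials. For a long-running unit use `ExecStart = "${cfg.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout";` and leave `-X` for interactive troubleshooting. In `preStart`, the `sed -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"` line splices the key password into a sed program, so a password containing `/`, `&` or `\` silently produces a wrong or broken `eap` config, and because the `radiusd -C` check is commented out (and refers to `pkgs.freeradius` rather than `cfg.freeradius`) the failure only shows up at runtime. The secrets expanded into `clients.conf`, `kanidm.toml` and `certs/server.pem` are written with the default umask; the state directory is presumably private under `DynamicUser`, but adding `umask 077` as the first line of `preStart` makes that independent of the directory mode. `DynamicUser = true` also sits next to a static `users.users.radius` declaration, and one of the two should be dropped.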


@ -0,0 +1,52 @@
{
lib,
fetchFromGitHub,
python3,
pydantic,
}:
let
pname = "kanidm";
version = "0.0.3";
in
python3.pkgs.buildPythonPackage {
inherit pname version;
format = "pyproject";
disabled = python3.pythonOlder "3.8";
src =
(fetchFromGitHub {
owner = pname;
repo = pname;
# Latest 1.1.0-rc.15 tip
rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
})
+ "/pykanidm";
nativeBuildInputs = with python3.pkgs; [ poetry-core ];
propagatedBuildInputs = with python3.pkgs; [
aiohttp
pydantic
toml
(authlib.overridePythonAttrs (_: {
doCheck = false;
}))
];
doCheck = false;
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm client library";
homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
license = licenses.mpl20;
maintainers = with maintainers; [
arianvp
hexa
];
};
}


@ -0,0 +1,18 @@
diff --git a/pyproject.toml b/pyproject.toml
index 1602e32..507048d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,13 +72,6 @@ filterwarnings = [
]
timeout = 30
xfail_strict = true
-# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
-addopts = [
- '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
- '--benchmark-group-by', 'group',
- '--benchmark-warmup', 'on',
- '--benchmark-disable', # this is enable by `make benchmark` when you actually want to run benchmarks
-]
[tool.coverage.run]
source = ['pydantic_core']


@ -0,0 +1,20 @@
{ pkgs }:
let
inherit (pkgs) lib;
callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
self = builtins.listToAttrs (
builtins.map
(name: {
inherit name;
value = callPackage (./. + "/${name}.nix") { };
})
[
"pydantic"
"pydantic-core"
]
);
in
self


@ -0,0 +1,84 @@
{
stdenv,
lib,
buildPythonPackage,
fetchFromGitHub,
cargo,
rustPlatform,
rustc,
libiconv,
typing-extensions,
pytestCheckHook,
hypothesis,
pytest-timeout,
pytest-mock,
dirty-equals,
}:
let
pydantic-core = buildPythonPackage rec {
pname = "pydantic-core";
version = "2.14.5";
format = "pyproject";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic-core";
rev = "refs/tags/v${version}";
hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
};
patches = [ ./01-remove-benchmark-flags.patch ];
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
};
nativeBuildInputs = [
cargo
rustPlatform.cargoSetupHook
rustPlatform.maturinBuildHook
rustc
typing-extensions
];
buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
propagatedBuildInputs = [ typing-extensions ];
pythonImportsCheck = [ "pydantic_core" ];
# escape infinite recursion with pydantic via dirty-equals
doCheck = false;
passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
nativeCheckInputs = [
pytestCheckHook
hypothesis
pytest-timeout
dirty-equals
pytest-mock
];
disabledTests = [
# RecursionError: maximum recursion depth exceeded while calling a Python object
"test_recursive"
];
disabledTestPaths = [
# no point in benchmarking in nixpkgs build farm
"tests/benchmarks"
];
meta = with lib; {
changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
description = "Core validation logic for pydantic written in rust";
homepage = "https://github.com/pydantic/pydantic-core";
license = licenses.mit;
maintainers = with maintainers; [ blaggacao ];
};
};
in
pydantic-core


@ -0,0 +1,92 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
pythonOlder,
# build-system
hatchling,
hatch-fancy-pypi-readme,
# native dependencies
libxcrypt,
# dependencies
annotated-types,
pydantic-core,
typing-extensions,
# tests
cloudpickle,
email-validator,
dirty-equals,
faker,
pytestCheckHook,
pytest-mock,
}:
buildPythonPackage rec {
pname = "pydantic";
version = "2.5.2";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "pydantic";
repo = "pydantic";
rev = "refs/tags/v${version}";
hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
};
buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
nativeBuildInputs = [
hatch-fancy-pypi-readme
hatchling
];
propagatedBuildInputs = [
annotated-types
pydantic-core
typing-extensions
];
passthru.optional-dependencies = {
email = [ email-validator ];
};
nativeCheckInputs = [
cloudpickle
dirty-equals
faker
pytest-mock
pytestCheckHook
] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
preCheck = ''
export HOME=$(mktemp -d)
substituteInPlace pyproject.toml \
--replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
--replace "'--benchmark-group-by', 'group'," "" \
--replace "'--benchmark-warmup', 'on'," "" \
--replace "'--benchmark-disable'," ""
'';
disabledTestPaths = [
"tests/benchmarks"
# avoid cyclic dependency
"tests/test_docs.py"
];
pythonImportsCheck = [ "pydantic" ];
meta = with lib; {
description = "Data validation and settings management using Python type hinting";
homepage = "https://github.com/pydantic/pydantic";
changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
license = licenses.mit;
maintainers = with maintainers; [ wd15 ];
};
}


@ -1,13 +1,13 @@
diff --git a/mods-available/python3 b/mods-available/python3 diff --git a/rlm_python/mods-available/python3 b/rlm_python/mods-available/python3
index 978536f8a..90c71fca0 100644 index 978536f8a..90c71fca0 100644
--- a/mods-available/python3 --- a/rlm_python/mods-available/python3
+++ b/mods-available/python3 +++ b/rlm_python/mods-available/python3
@@ -13,7 +13,7 @@ python3 { @@ -13,7 +13,7 @@ python3 {
# item is GLOBAL TO THE SERVER. That is, you cannot have two # item is GLOBAL TO THE SERVER. That is, you cannot have two
# instances of the python module, each with a different path. # instances of the python module, each with a different path.
# #
- python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/" - python_path="/usr/lib64/python3.8:/usr/lib/python3.8:/usr/lib/python3.8/site-packages:/usr/lib64/python3.8/site-packages:/usr/lib64/python3.8/lib-dynload:/usr/local/lib/python3.8/site-packages:/etc/raddb/mods-config/python3/"
+ python_path="@pythonPath@:/etc/raddb/mods-config/python3/" + python_path="@kanidm_python@:/etc/raddb/mods-config/python3/"
module = "kanidm.radius" module = "kanidm.radius"
# python_path = ${modconfdir}/${.:name} # python_path = ${modconfdir}/${.:name}


@ -0,0 +1,45 @@
{
stdenv,
fetchFromGitHub,
python3,
pykanidm,
}:
let
pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.15";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
};
patches = [ ./python_path.patch ];
postPatch = ''
substituteInPlace rlm_python/mods-available/python3 \
--replace "@kanidm_python@" "${pythonPath}"
'';
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
preferLocalBuild = true;
}


@ -1,38 +1,24 @@
{ { config, sources, ... }:
config,
lib,
nixpkgs,
...
}:
let let
inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
cert = config.security.acme.certs.${domain}; cert = config.security.acme.certs.${domain};
allowedDomains = builtins.map escapeRegex ( allowedSubDomains = [
(builtins.map (s: "${s}.dgnum.eu") [ "cloud"
# DGNum subdomains "git"
"cloud" "videos"
"git" "social"
"videos" "demarches"
"social" "netbird"
"demarches" ];
"netbird"
])
++ [
# Extra domains
"netbird-beta.hubrecht.ovh"
]
);
in in
{ {
services.kanidm = { services.kanidm = {
enableServer = true; enableServer = true;
package = nixpkgs.unstable.kanidm; package = (import sources.nixos-unstable { }).kanidm;
serverSettings = { serverSettings = {
inherit domain; inherit domain;
@ -67,7 +53,7 @@ in
set $origin $http_origin; set $origin $http_origin;
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
set $origin 'https://${domain}'; set $origin 'https://${domain}';
} }
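Review bot: The origin check in the second hunk still matches `^https?://`, so a plain `http://` origin on any listed subdomain passes the allow-list of the SSO host. What `$origin` is used for afterwards is outside the hunk, but if it feeds a CORS response header, a page delivered over unencrypted HTTP would be treated as a trusted origin. Restrict the match to TLS origins: `if ($origin !~ '^https://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {`. The entries of `allowedSubDomains` are now interpolated into the regex without `escapeRegex`; that is harmless for the current names, but add a comment such as `# entries are inserted into a regex verbatim: letters, digits and '-' only` above the list. The enclosing nginx block starts and ends outside the hunk.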


@ -9,12 +9,8 @@ in
localDomain = host; localDomain = host;
smtp = { smtp = {
fromAddress = "noreply@infra.dgnum.eu"; # TODO: smtp setup
host = "kurisu.lahfa.xyz"; fromAddress = "social@services.dgnum.eu";
port = 465;
user = "web-services@infra.dgnum.eu";
passwordFile = config.age.secrets.mastodon-smtp-password.path;
authenticate = true;
}; };
streamingProcesses = 4; streamingProcesses = 4;
@ -26,8 +22,6 @@ in
# LOCAL_DOMAIN = "dgnum.eu"; # LOCAL_DOMAIN = "dgnum.eu";
WEB_DOMAIN = host; WEB_DOMAIN = host;
SMTP_TLS = "true";
RAILS_LOG_LEVEL = "warn"; RAILS_LOG_LEVEL = "warn";
# ObjectStorage configuration # ObjectStorage configuration


@ -9,16 +9,22 @@ in
enable = true; enable = true;
hostName = host; hostName = host;
package = pkgs.nextcloud29; package = pkgs.nextcloud28;
https = true; https = true;
config = { config = {
overwriteProtocol = "https";
dbtype = "pgsql"; dbtype = "pgsql";
adminpassFile = config.age.secrets."nextcloud-adminpass_file".path; adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
adminuser = "thubrecht"; adminuser = "thubrecht";
defaultPhoneRegion = "FR";
trustedProxies = [ "::1" ];
objectstore.s3 = { objectstore.s3 = {
enable = true; enable = true;
@ -65,17 +71,11 @@ in
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
settings = { extraOptions = {
overwriteprotocol = "https";
overwritehost = host; overwritehost = host;
"overwrite.cli.url" = "https://${host}"; "overwrite.cli.url" = "https://${host}";
updatechecker = false; updatechecker = false;
default_phone_region = "FR";
trusted_proxies = [ "::1" ];
allow_local_remote_servers = true; allow_local_remote_servers = true;
maintenance_window_start = 1; maintenance_window_start = 1;
@ -97,12 +97,15 @@ in
}; };
virtualisation.oci-containers = { virtualisation.oci-containers = {
# # Since 22.05, the default driver is podman but it doesn't work
# # with podman. It would however be nice to switch to podman.
# backend = "docker";
containers.collabora = { containers.collabora = {
image = "collabora/code"; image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage { imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code"; imageName = "collabora/code";
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
}; };
ports = [ "9980:9980" ]; ports = [ "9980:9980" ];
environment = { environment = {
@ -110,7 +113,6 @@ in
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
}; };
extraOptions = [ extraOptions = [
"--network=host"
"--cap-add" "--cap-add"
"MKNOD" "MKNOD"
"--cap-add" "--cap-add"


@ -1,34 +0,0 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
settings = {
checkpoint_completion_target = 0.90625;
default_statistics_target = 100;
effective_cache_size = "32GB";
effective_io_concurrency = 200;
maintenance_work_mem = "2GB";
max_connections = 500;
max_parallel_maintenance_workers = 4;
max_parallel_workers = 12;
max_parallel_workers_per_gather = 4;
max_wal_size = "4GB";
max_worker_processes = 12;
min_wal_size = "1GB";
random_page_cost = 1.125;
shared_buffers = "16GB";
wal_buffers = "16MB";
work_mem = "83886kB";
};
};
dgn-console = {
# Update the versions below for upgrading
pg-upgrade-to = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
pg-upgrade-from = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
};
}


@ -1,7 +1,7 @@
{ {
lib, lib,
python3, python3,
fetchFromGitHub, fetchPypi,
cookies-samesite-compat, cookies-samesite-compat,
pyop, pyop,
}: }:
@ -11,13 +11,17 @@ python3.pkgs.buildPythonPackage rec {
version = "8.4.0"; version = "8.4.0";
pyproject = true; pyproject = true;
src = fetchFromGitHub { src = fetchPypi {
owner = "IdentityPython"; pname = "SATOSA";
repo = "SATOSA"; inherit version;
rev = "v${version}"; hash = "sha256-KREROjb157RJJVRr9YefzoR/eflR/U7ZmG6yOH5DjcU=";
hash = "sha256-q7XmZ3EnAFO1OXIhXIF4Vd0H8uaayFIHFZpWiZUsAFA=";
}; };
nativeBuildInputs = [
python3.pkgs.setuptools
python3.pkgs.wheel
];
propagatedBuildInputs = with python3.pkgs; [ propagatedBuildInputs = with python3.pkgs; [
chevron chevron
click click
@ -46,7 +50,7 @@ python3.pkgs.buildPythonPackage rec {
description = "Protocol proxy (SAML/OIDC)"; description = "Protocol proxy (SAML/OIDC)";
homepage = "https://pypi.org/project/SATOSA"; homepage = "https://pypi.org/project/SATOSA";
license = licenses.asl20; license = licenses.asl20;
maintainers = with maintainers; [ thubrecht ]; maintainers = with maintainers; [ ];
mainProgram = "satosa"; mainProgram = "satosa";
}; };
} }


@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA T6TOJOuejaoxw3zdeLzGm0CrSkDCCIRenL7wMGnDtlU
dubdAXhc32S6BszHddOcMA6aStZLOvc+36s3nZsYFMU
-> ssh-ed25519 QlRB9Q akzRDbZzo0LwoS1cOwE/tYdz7M+6bhgI81d37d1GtBw
KsGqFhkjlcJNquMi2+1TfQDBy9qguwh5ED9KBg4Y2hU
-> ssh-ed25519 r+nK/Q bL6A9O6UnjjyY+iLvbQSvSTjXX38FLsNjaSngoQXHxY
YZ7Y11inKpzA2m6lro9XXX2qkW6FmkeFGZ3Ak6X+U2w
-> ssh-rsa krWCLQ
dZVUqAyqrP3KHZlpu70IBU8U3I9IP71RzjbiF1rp4rOdz4iQ9ik88ai+hXVuadcN
DMl/7pIkVky6EL8JxFXTQhLivJUpO3NcN3iAS+CLKC+0EFVc03sLyCjn8IExO85r
Lec37ICk9n4LUNEA91A2h4C8U9TbDxCt7MLrIKcQtfFcd+4U1o9g3n19xo9PK1Ho
mcqTbUVgW1nOLxsEeCp5zsCQ+/8tFLcnK08yUB0RlWK+PDFZkk8u8Q2SYZjnaeEp
cwOhUnm/1a15IbW2oGCrVaEd/ymnLDJc6S7vXGpFDWHmOzvJ4Av9KZlGFYaWCjbV
7bGIgWkiQ7iJvTxzu0ZEqw
-> ssh-ed25519 /vwQcQ /DR3Kox7XkbdYQH7SyIc9atjwwe7Ah7hH/63RlzDd0g
k/199lCIfxR7l4ETJMEr1Ch1Zx8v3M5zn0b8mg6ip2k
-> ssh-ed25519 0R97PA H1PS+SlW5FNOf15eO6MKJ/nnVJQkfFMub0IzTS4PhDo
77zwCD0tbrLu4J0vS0RxPK3YZucFV1VYkUVoMTHjf2o
-> ssh-ed25519 JGx7Ng 2WIYPKkWXplInR8v1q22ygs7uYNfIzETeiCt5+MKQQQ
9Gsyr30kaNhxn+fUCBicvoA+hHiWpUf0d0pxRZauhMY
-> ssh-ed25519 5SY7Kg QTnBfvkMcnXpGITtaHr+mRZGogI1kTUqO4byfyMZhGE
89A/PPHVPeBQvTxCeXH8ITVDMkcsYUMbwatyw8NQ04E
-> ssh-ed25519 p/Mg4Q n6hQLuUv3QOMADJF0zpcALYqVUVi5tZHmKGmVZA0IVQ
ZXa+3y33kyo4vQxcEa2XTMIwjH2HE+bAKZw993PgROk
-> ssh-ed25519 tDqJRg Hf1KIZjUTTaHo18P1vWxaSehyKTFElBOovrCN0uJFCc
H8qGw8vIqp4bNiyon2uvTkrrd8lIYnMWnIfzS+w4QRQ
--- QOKOfU20JY1Sj+K20UUxgtPZ7JxKuZ1GtK+OKBZ1Zhg
Íúâ?º}àæ2æŽýiÐM}6BÖw#b2Ï´žËŠ¹ÍÊžvu´¿,Ö'.ŒWÔ”øIPýã'ixYÍ€*·šKoÎtXI#Àß6b`„1pʬòÍœˆ×"§lâSf(ˆ`UöëÄê6 kT°Á'µÎÔM@ÈÖå„hŸï®{WYŸØÝÏÂ<SN;UŒœ ݨÿ


@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
-> ssh-rsa krWCLQ
k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
DdkJAqSrNkHianC5MEGgpA
-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
<EFBFBD><20><>ゥ煩 ネ9<1猤カワ簒<EFBE9C>pWJSWpsV/ム#<23>ウリ9タ{タ゚cHB<><42><EFBFBD>5<EFBFBD>ャ^ァ

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
-> ssh-rsa krWCLQ
1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
ABByGBZ/QKLw66NpE7rbSA
-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
-> t|-grease (u /1\q}65 ]@
Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
LA3n6c+Te9Q
--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
5¥t·Œ °ÒxÚ@<1E>`zÈÔgCà Ѭ:4Œó¾&‡Spi8ñŸuæ"lÕ×)<29>aŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^ݶ‚Ø«%´Ñº98¾,yBÙ
"¶%Ç㤄†NÎÓ· íò¬} [Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Š à-—&qF k Ö¶¹µùÔÎLì,¹À„žD™áΩ­QÍ—½è<C2BD>4N}<7D>ÙÐJ´·ÇÓˆ€]dU Ïø¿<C3B8>I—:ÌôÑÉ öì°¦£sý¨õB #}¹
ÞÃXzð‰N4·>ñ5iSan`‰¹.õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZЬÆwçÚ /×
Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäA<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏIM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
ê6)ËŒä0£<30>tM¶É Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡ bzÚõŠ¿ÁìÍÿ

Binary file not shown.


@ -0,0 +1,26 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
-> ssh-rsa krWCLQ
axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
28gTWKdeOQcHJfmaeJV/Rg
-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
-> \<?_-grease (+d_8zF H
--- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
=þ%©»gæÆQ³-¼ffÄUC.qÅ͘·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN


@ -13,17 +13,18 @@ lib.setDefault { inherit publicKeys; } [
"librenms-database_password_file" "librenms-database_password_file"
"librenms-environment_file" "librenms-environment_file"
"mastodon-extra_env_file" "mastodon-extra_env_file"
"mastodon-smtp-password"
"nextcloud-adminpass_file" "nextcloud-adminpass_file"
"nextcloud-s3_secret_file" "nextcloud-s3_secret_file"
"outline-oidc_client_secret_file" "outline-oidc_client_secret_file"
"outline-smtp_password_file" "outline-smtp_password_file"
"outline-storage_secret_key_file" "outline-storage_secret_key_file"
"plausible-admin_user_password_file" "radius-auth_token_file"
"plausible-secret_key_base_file" "radius-ca_pem_file"
"plausible-smtp_password_file" "radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"satosa-env_file" "satosa-env_file"
"signal-irc-bridge-config"
"telegraf-environment_file" "telegraf-environment_file"
"vaultwarden-environment_file" "vaultwarden-environment_file"
"zammad-secret_key_base_file" "zammad-secret_key_base_file"


@ -1,22 +0,0 @@
{
config,
sources,
nixpkgs,
...
}:
{
imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
services.signal-irc-bridge = {
enable = true;
package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
configFile = config.age.secrets."signal-irc-bridge-config".path;
};
services.nginx.virtualHosts."bridge.dgnum.eu" = {
forceSSL = true;
enableACME = true;
locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
};
users.users.nginx.extraGroups = [ "signal-irc" ];
}


@ -1,35 +0,0 @@
diff --git a/build.gradle b/build.gradle
index 78901d8e..3a14ceee 100644
--- a/build.gradle
+++ b/build.gradle
@@ -70,20 +70,6 @@ launch4j {
messagesInstanceAlreadyExists="Stirling-PDF is already running."
}
-spotless {
- java {
- target project.fileTree('src/main/java')
-
- googleJavaFormat('1.19.1').aosp().reorderImports(false)
-
- importOrder('java', 'javax', 'org', 'com', 'net', 'io')
- toggleOffOn()
- trimTrailingWhitespace()
- indentWithSpaces()
- endWithNewline()
- }
-}
-
dependencies {
//security updates
implementation 'ch.qos.logback:logback-classic:1.5.3'
@@ -171,9 +157,6 @@ dependencies {
annotationProcessor 'org.projectlombok:lombok:1.18.32'
}
-tasks.withType(JavaCompile).configureEach {
- dependsOn 'spotlessApply'
-}
compileJava {
options.compilerArgs << '-parameters'
}


@ -1,12 +0,0 @@
diff --git a/build.gradle b/build.gradle
index 78901d8e..2e7ff96b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -166,6 +166,7 @@ task writeVersion {
def props = new Properties()
props.setProperty('version', version)
props.store(propsFile.newWriter(), null)
+ propsFile.text = propsFile.readLines().tail().join('\n')
}
swaggerhubUpload {


@ -1,16 +0,0 @@
diff --git a/build.gradle b/build.gradle
index 2e7ff96b..f3a4a15c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,6 +21,11 @@ repositories {
mavenCentral()
}
+tasks.withType(AbstractArchiveTask) {
+ preserveFileTimestamps = false
+ reproducibleFileOrder = true
+}
+
licenseReport {
renderers = [new JsonReportRenderer()]
}


@ -1,25 +0,0 @@
diff --git a/build.gradle b/build.gradle
index f3a4a15c..61fbd74e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -18,7 +18,7 @@ version = '0.26.1'
sourceCompatibility = '17'
repositories {
- mavenCentral()
+ maven { url '@deps@' }
}
tasks.withType(AbstractArchiveTask) {
diff --git a/settings.gradle b/settings.gradle
index f8139930..2c87f3cc 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -1 +1,7 @@
+pluginManagement {
+ repositories {
+ maven { url '@deps@' }
+ }
+}
+
rootProject.name = 'Stirling-PDF'


@ -1,22 +0,0 @@
diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
index cab78313..192922f3 100644
--- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
}
- @Test
+ /* @Test
public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
// Mock the command to execute
List<String> command = new ArrayList<>();
@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
// Check the exit code and output messages
assertEquals(0, result.getRc());
assertNotNull(result.getMessages()); // Check if messages are not null
- }
+ } */
@Test
public void testRunCommandWithOutputHandling_Error() {


@ -1,30 +0,0 @@
{ nixpkgs, ... }:
let
dgn-id = "f756a0f47e704db815a7af6786f6eb0aec628d6b";
in
{
services.stirling-pdf = {
enable = true;
package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
];
});
domain = "pdf.dgnum.eu";
port = 8084;
nginx = {
enableACME = true;
forceSSL = true;
};
environment = {
UI_APP_NAME = "DGNum PDF";
SYSTEM_DEFAULT_LOCALE = "fr-FR";
};
};
}


@ -3,6 +3,7 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-fail2ban"
]; ];
enabledServices = [ enabledServices = [
@ -11,6 +12,11 @@ lib.extra.mkConfig {
]; ];
extraConfig = { extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true; services.netbird.enable = true;
}; };


@ -2,4 +2,4 @@ let
lib = import ../../../lib { }; lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "rescue01"; publicKeys = lib.getNodeKeys "rescue01";
in in
lib.setDefault { inherit publicKeys; } [ "stateless-uptime-kuma-password" ] lib.setDefault { inherit publicKeys; } [ ]


@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA wZdqi7vBlMEOJiY1VvbsmqyBSO/jl6SWLRGw+0ylKWo
UvKyh4Jh608Z9i9+6WuPu3mwnlC98aAr6jiV38JJGzk
-> ssh-ed25519 QlRB9Q +DUjR2Wqwg2SevBY+YgvLEDkcnoWGRTfcVFbl27CQT4
poWQnP4cOQGc5Xhgrgz2KKEOJ8dB+iCcqME5D/zJv5c
-> ssh-ed25519 r+nK/Q GsidIKDaPJmx8igrgoAbWGywJQB0nV/cY8Zm0CIByho
m4HrxUhPkp7gahyLO2gfQUnglkB715jaCrADg77ns34
-> ssh-rsa krWCLQ
VwNy3N6+l3Vgpo8AK7cJ2gRmHa+oBtB4w3n+E8gn7sugcEB16NDtjK861zwszUq7
OfOPUZ5mE+RWz20XYWPAJIPEYNaiqc5vJzguFvZdlyJNInJLxANlIaHydE1AGA9v
l07t9PAxxV5L40EiPHxjveEKaKiAAJVbWWfILX9f4U5vjKy5729IE/3aTRUbTD/M
CXINLnzFWwDLi3x2yBrGUly2mLIb4KyDuE8jnPmtCFveKsVxVsDEeiXvi0yeT+xM
viGvXJ9Ad6tAug4BE2suqwG1iPHsa98pFBqYM8gG2rp2WOFhzs0emkTu5LGYJOMr
VR39Qxcdp1WjPr9e+l/MDQ
-> ssh-ed25519 /vwQcQ GBXHQzwSFS+abM91umquafIEcUoI407reSuULz7SGGY
WpW9aHq2Eq8pXpvGsEKoByQLj0tr04GxNQrf09ronrY
-> ssh-ed25519 0R97PA BxlIEcd6G5GDLUxgoTzyUqRRxGIx49YCZSvzjVIBdjw
oDqUd2O+oBdDrOvrQysdptF1LuvXK/dKurFnHUjgNfk
-> ssh-ed25519 JGx7Ng Km6PmwRZ9HfGjEhkgb8P+ZCt+B/C+jg9bcvdwBvrS0Q
D+UC5nkMnpYuJtz5X30iF1avU+jlEy4zOEPkyj5o2x8
-> ssh-ed25519 5SY7Kg 3tf/eLI3ngqilOfEz8fayTDHWHNd14ANJTSt5lz1yDM
QUhDPYuiZ9YloKgYqY5UdMVmawyMAOS/T4jbpvsNJpI
-> ssh-ed25519 p/Mg4Q h/8lvmwcmoyTa6vW0N2AbgKt/dpNNqVmRW02NaYl7Wo
OaFeo+ZPa2LY5zRJzv/exq4bv734FxZwX3ql1kpv5bk
-> ssh-ed25519 +MNHsw iaiHp0x4Xzf886Q0Li6IleeO3wZUAQbYFHxn0jzdCk0
W4gaBtwKPbonB2g9+Ts+teXPEPoWDCVoVn1vixiQ+7M
--- 1ACvcwsxZKnjgKRAzJy8e4eBtxZXrwe00wPdDlMWnBo
Œ<ƒ¼î|ë=©r<2Ÿµ.>ÃÇ~,5J² Ä … àé[ºë^+͸Z‰ñjá×=Ï<Ï%Út뮪


@ -1,125 +1,9 @@
{
config,
lib,
nodes,
sources,
...
}:
let let
inherit (lib)
concatLists
mapAttrsToList
mkForce
mkMerge
;
inherit (config.statelessUptimeKuma.lib)
pingProbesFromHive
fromHive
httpProbesFromConfig
probesWithTag
;
probesCfg = config.statelessUptimeKuma.probesConfig;
mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
host = "status.dgnum.eu"; host = "status.dgnum.eu";
port = 3001; port = 3001;
httpExcludes = [
"localhost"
"ens.cal.dgnum.eu"
"luj-current.cal.dgnum.eu"
"s3.dgnum.eu"
"cdn.dgnum.eu"
"saml-idp.dgnum.eu"
"status.dgnum.eu"
"radius.dgnum.eu"
] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));
extraProbes = {
monitors = {
"prometheus.dgnum.eu" = {
type = mkForce "http";
accepted_statuscodes = [ "401" ];
};
"api.meet.dgnum.eu" = {
keyword = "Crab Fit API";
};
};
};
status_pages = {
"dgnum" = {
title = "DGNum";
description = "Etat de l'infra de la DGNum";
showTags = true;
publicGroupList = [
{
name = "Services";
weight = 1;
monitorList = mkMonitors "Service";
}
{
name = "Serveurs";
weight = 2;
monitorList = mkMonitors "Ping";
}
{
name = "VPN Interne";
weight = 2;
monitorList = mkMonitors "VPN";
}
];
};
};
pingProbes = pingProbesFromHive {
inherit nodes;
mkHost = _: config: config.networking.fqdn;
tags = [ { name = "Ping"; } ];
excludes = [
"geo01"
"geo02"
"rescue01"
];
};
vpnProbes = pingProbesFromHive {
inherit nodes;
prefix = "VPN - ";
mkHost = node: _: "${node}.dgnum";
tags = [ { name = "VPN"; } ];
excludes = [
"rescue01"
"web02"
];
};
httpProbes = fromHive {
inherit nodes;
builder =
_: module:
httpProbesFromConfig {
inherit (module) config;
tags = [
{
name = "Host";
value = module.config.networking.fqdn;
}
{ name = "Service"; }
];
excludes = httpExcludes;
};
};
in in
{ {
imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
services.uptime-kuma.enable = true; services.uptime-kuma.enable = true;
services.nginx = { services.nginx = {
@ -139,21 +23,4 @@ in
80 80
443 443
]; ];
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes
httpProbes
extraProbes
vpnProbes
{ inherit status_pages; }
];
extraFlags = [ "-s" ];
host = "http://localhost:${builtins.toString port}/";
username = "dgnum";
passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
enableService = true;
};
} }


@ -4,13 +4,13 @@ lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-backups" "dgn-backups"
"dgn-fail2ban"
"dgn-web" "dgn-web"
]; ];
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"atticd" "atticd"
"tvix-cache"
"forgejo" "forgejo"
"forgejo-runners" "forgejo-runners"
"garage" "garage"
@ -21,6 +21,8 @@ lib.extra.mkConfig {
]; ];
extraConfig = { extraConfig = {
dgn-fail2ban.jails.sshd-preauth.enabled = true;
dgn-hardware.useZfs = true; dgn-hardware.useZfs = true;
services.netbird.enable = true; services.netbird.enable = true;
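Review bot: The added `dgn-fail2ban.jails.sshd-preauth.enabled = true;` turns on a single jail, whereas the other node configurations touched on this page enable `sshd-bruteforce` and `sshd-timeout` through `lib.extra.enableAttrs' "enabled" [ … ]`. If the difference is intentional for this host, a short comment above the line saying why those two jails are left off would save the next reader from guessing; otherwise the same list form could be used here for consistency. `extraConfig` continues outside the hunk.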


@ -1,4 +1,9 @@
{ config, nixpkgs, ... }: {
config,
pkgs,
sources,
...
}:
let let
host = "cachix.dgnum.eu"; host = "cachix.dgnum.eu";
@ -11,7 +16,7 @@ in
credentialsFile = config.age.secrets."atticd-credentials_file".path; credentialsFile = config.age.secrets."atticd-credentials_file".path;
settings = { settings = {
listen = "127.0.0.1:9099"; listen = "127.0.0.1:9090";
api-endpoint = "https://${host}/"; api-endpoint = "https://${host}/";
allowed-hosts = [ host ]; allowed-hosts = [ host ];
@ -21,7 +26,7 @@ in
# #
# If 0, chunking is disabled entirely for newly-uploaded NARs. # If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked. # If 1, all NARs are chunked.
nar-size-threshold = 0; # 64 KiB nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes # The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB min-size = 16 * 1024; # 16 KiB
@ -44,7 +49,7 @@ in
}; };
useFlakeCompatOverlay = false; useFlakeCompatOverlay = false;
package = nixpkgs.unstable.attic-server; package = pkgs.callPackage "${sources.attic}/package.nix" { };
}; };
nginx = { nginx = {
@ -55,10 +60,10 @@ in
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9099"; proxyPass = "http://127.0.0.1:9090";
extraConfig = '' extraConfig = ''
client_max_body_size 10G; client_max_body_size 100M;
''; '';
}; };
}; };
@ -77,6 +82,4 @@ in
]; ];
}; };
}; };
systemd.services.atticd.environment.RUST_LOG = "warn";
} }
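Review bot: The new `listen = "127.0.0.1:9090"` and the matching `proxyPass` put atticd on the port that Prometheus listens on by default, and the Prometheus configuration changed elsewhere on this page keeps a self-scrape job with `targets = [ "localhost:9090" ]`. If both services run on the same node (not visible in these hunks), either the two daemons compete for the port or the scrape job ends up querying atticd. Keeping a port that nothing else claims, and defining it once in the `let` block so `listen` and `proxyPass` cannot diverge, avoids this, e.g. `listen = "127.0.0.1:${builtins.toString port}";`.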


@ -1,7 +1,6 @@
{ {
config, config,
pkgs, pkgs,
nixpkgs,
sources, sources,
... ...
}: }:
@ -30,8 +29,6 @@ let
options = "--cpus=4"; options = "--cpus=4";
}; };
}; };
nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
in in
{ {
services.forgejo-nix-runners = { services.forgejo-nix-runners = {
@ -43,10 +40,10 @@ in
tokenFile = config.age.secrets."forgejo_runners-token_file".path; tokenFile = config.age.secrets."forgejo_runners-token_file".path;
dependencies = [ dependencies = [
nix-pkgs.colmena pkgs.colmena
pkgs.npins pkgs.npins
pkgs.tea pkgs.tea
nixpkgs.unstable.nixfmt-rfc-style (import sources.nixpkgs { }).nixfmt-rfc-style
]; ];
containerOptions = [ "--cpus=4" ]; containerOptions = [ "--cpus=4" ];
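Review bot: `(import sources.nixpkgs { }).nixfmt-rfc-style` in `dependencies` evaluates a second nixpkgs with no arguments, so `system`, `config` and `overlays` fall back to impure defaults (`builtins.currentSystem` and the evaluating user's nixpkgs config and overlay files) rather than the values the node is built with. For a package that ends up inside the CI runners, passing them explicitly keeps the result reproducible: `(import sources.nixpkgs { system = pkgs.stdenv.hostPlatform.system; config = { }; overlays = [ ]; }).nixfmt-rfc-style`. A one-line comment saying why `pkgs.nixfmt-rfc-style` is not used would also help. The enclosing attribute set continues outside the hunk.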


@ -1,4 +1,4 @@
{ config, nixpkgs, ... }: { config, pkgs, ... }:
let let
port = 3000; port = 3000;
@ -10,7 +10,7 @@ in
enable = true; enable = true;
user = "git"; user = "git";
package = nixpkgs.unstable.forgejo; package = pkgs.forgejo;
stateDir = "/var/lib/git"; stateDir = "/var/lib/git";
database = { database = {
@ -24,17 +24,30 @@ in
APP_NAME = "Forge git de la DGNum"; APP_NAME = "Forge git de la DGNum";
}; };
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = port;
APP_DATA_PATH = "/var/lib/git/data";
};
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
DISABLE_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = true;
};
log.LEVEL = "Warn";
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
actions = { actions = {
ENABLED = true; ENABLED = true;
DEFAULT_ACTIONS_URL = "https://gitea.com"; DEFAULT_ACTIONS_URL = "https://gitea.com";
}; };
admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
};
log.LEVEL = "Warn";
mailer = { mailer = {
ENABLED = true; ENABLED = true;
FROM = "git@infra.dgnum.eu"; FROM = "git@infra.dgnum.eu";
@ -43,30 +56,6 @@ in
SMTP_PORT = 465; SMTP_PORT = 465;
USER = "web-services@infra.dgnum.eu"; USER = "web-services@infra.dgnum.eu";
}; };
server = {
ROOT_URL = "https://${host}/";
DOMAIN = host;
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = port;
APP_DATA_PATH = "/var/lib/git/data";
OFFLINE_MODE = false;
};
service = {
EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = true;
};
ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
"cron.cleanup_actions".ENABLED = true;
"cron.delete_old_actions".ENABLED = true;
"cron.git_gc_repos".ENABLED = true;
"cron.update_checker".ENABLED = false;
}; };
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path; mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
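Review bot: In the relocated `service` block, `EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*"` does not restrict anything, because the `*` entry matches every domain; together with `DISABLE_REGISTRATION = false` the instance accepts sign-ups from any address that passes `REGISTER_EMAIL_CONFIRM`. If open registration is intended, a comment such as `# registration is deliberately open; the allowlist is a no-op` would document that; if not, the value should be `"dgnum.eu"`. Since `actions.ENABLED = true` stays on, it is also worth confirming, outside this hunk, which repositories the runners are offered to.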


@ -10,13 +10,11 @@ let
domains = [ domains = [
"boussole-sante.normalesup.eu" "boussole-sante.normalesup.eu"
"simi.normalesup.eu" "simi.normalesup.eu"
"bandarretdurgence.ens.fr"
]; ];
buckets = [ buckets = [
"castopod-dgnum" "castopod-dgnum"
"peertube-videos-dgnum" "peertube-videos-dgnum"
"banda-website"
] ++ domains; ] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}"); mkHosted = host: builtins.map (b: "${b}.${host}");
@ -52,7 +50,7 @@ in
k2v_api.api_bind_addr = "[::]:3904"; k2v_api.api_bind_addr = "[::]:3904";
admin.api_bind_addr = "127.0.0.1:3903"; admin.api_bind_addr = "0.0.0.0:3903";
}; };
environmentFile = config.age.secrets."garage-environment_file".path; environmentFile = config.age.secrets."garage-environment_file".path;
@ -64,7 +62,6 @@ in
data_dir data_dir
metadata_dir metadata_dir
]; ];
TimeoutSec = 3000;
}; };
users.users.garage = { users.users.garage = {
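Review bot: `admin.api_bind_addr = "0.0.0.0:3903"` exposes Garage's admin API on every IPv4 interface, where the other side of this hunk kept it on `127.0.0.1:3903`. Unless something outside this hunk needs remote access, the loopback binding should stay: `admin.api_bind_addr = "127.0.0.1:3903";`. If remote access is required, the file should say which interface and firewall rule are expected to limit it, since the admin token (presumably supplied through `garage-environment_file`) would otherwise be the only control. The settings block starts and ends outside the hunk.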


@ -1,26 +1,8 @@
{ { config, ... }:
config,
nodes,
lib,
...
}:
let let
host = "prometheus.dgnum.eu"; host = "prometheus.dgnum.eu";
port = 9091; port = 9091;
nodeExporterConfigs = lib.flatten (
lib.mapAttrsToList (
node:
{ config, ... }:
lib.optional config.dgn-node-monitoring.enable {
targets = [ "${node}.dgnum:${builtins.toString config.dgn-node-monitoring.port}" ];
labels = {
host = node;
};
}
) nodes
);
in in
{ {
@ -38,42 +20,11 @@ in
webExternalUrl = "https://${host}"; webExternalUrl = "https://${host}";
retentionTime = "1y";
extraFlags = [ "--storage.tsdb.retention.size=20GB" ];
globalConfig = {
scrape_interval = "15s"; # if you change this settings, please do it in grafana also
};
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "prometheus"; job_name = "prometheus";
static_configs = [ { targets = [ "localhost:9090" ]; } ]; static_configs = [ { targets = [ "localhost:9090" ]; } ];
} }
{
job_name = "node_exporter";
static_configs = nodeExporterConfigs;
}
{
job_name = "uptime_kuma";
scheme = "https";
static_configs = [ { targets = [ "status.dgnum.eu" ]; } ];
basic_auth = {
username = "prometheus";
password_file = config.age.secrets."prometheus-uptime-kuma-apikey".path;
};
}
{
job_name = "hyp01_ups";
metrics_path = "/ups_metrics";
static_configs = [ { targets = [ "100.80.255.180:9199" ]; } ];
}
{
job_name = "garage";
static_configs = [ { targets = [ "localhost:3903" ]; } ];
bearer_token_file = config.age.secrets."prometheus-garage_api".path;
}
]; ];
}; };


@ -1,30 +1,27 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4 -> ssh-ed25519 rHotTw KgYJOa3x3qkH/QwL5YM7A7qDjrT/wur/PvRhD99PDjk
mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo BrZwARaPH9YJ+jQMcOJl3B+0VVXyOeB/JKY/qclJ14E
-> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc -> ssh-ed25519 jIXfPA FRmqOILhQDwY8dnnVzsT9Yo+nAlr4LpKoIdKgLU8uRA
jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw 8PaCaIgR9xqR+dGTUjhuZVv9Uzp+24LeME2/J08poRw
-> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw -> ssh-ed25519 QlRB9Q VKLN5d4g3vvuJYh7bUx9M3YyITPMoYpmJEm3klzS8nU
WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU 1W0iuVux3/1IjlRfN5DpXcugXnZ1Nq/+bAJumb8VjSU
-> ssh-ed25519 r+nK/Q I2i+0w9tisUfGsQOHKmilVncCgJdad7ylKyeovYkgSA
Z8h9nmhSsFqlsnijKS2Q+iC388s4gdZ9CFFa9sK+vKA
-> ssh-rsa krWCLQ -> ssh-rsa krWCLQ
hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9 CwD5afln6hCMzH5s+0BUhdLW25rooaCUnF/EyP+HTUjJXVfjeGpHcJuwI1PVtRyy
hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/ /AXxXmDd5x3MC9xwonXCb4nLsMyFCZT3SLkxZB/hdFn4TBsd6UKc5wMg/jw8EhNu
P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9 1MplmtryNu9QaH9dtUWiW6Zu0DL9wCiJ4noubDpJ/MeQY4xUTShSfF7PB9yi/0AG
B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2 48iaoZgJbiklycqOXF5Z1u6MhjjuV5UeQq6JH7NpiuvypIYM2Ab0azGlkVsDYHvi
6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E NTGEDGwPqtsexOcYnh5cHrPZw+6a7DFiz7mbc1UiUl3BFlfTi2jFdZFabVZ9gJg7
vBGnX9w0unyR//LLqrOPWA PyVp3aQ7jsIW4+DYsIWeMA
-> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A -> ssh-ed25519 /vwQcQ Askgv4zAzvT1NfOZqrSR10NCkx9jAWieCbtkTGemDAM
lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc N2D0khW0Yvw6ZlaCtSDwD3R4CzfBArumkpq0YAv3fxE
-> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ -> ssh-ed25519 0R97PA H4Mqj2WiRljaW30ReWZihyhsHIxymK8PjuWQrjTpjS0
C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0 ESSRNIKjKeXFXJU7G7lokghQpsMNOAsMepACbk+W1L0
-> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI -> ssh-ed25519 JGx7Ng Vw/SjdUAmPW1tHMzRprkXgI6CefeSEiZeflWOgnAsDI
+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4 qBpv7uBQKxVOIAvv7V7yviI+AsbmvNM2DZ6Y4Fu2U8Y
-> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI -> KkV7*L_-grease
N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA 2cwIOQcWAOVX
-> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc --- w/DwnscRvLRGCXmMn0x+fEB9U6dApV7ydUBsOrjHDkE
0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4 2jWJů·‰”Ńű¸˛GpńP;ü<>ÔśBu R·Č‡Pcžňe‡@˘ČŘó;|nUM"ĎÔÄ4:Ź±ŃyąLŇE|+Zřˇ”Ľ#±ŐÁ:??1"kŠˇâhbZ gE^ńÔY>}ačĎąâŐr(C¸[FšµőHAĹé§q_÷Đ—ä űK$ÎP<Đ°bAĹ™MSľhśŠ„®›ćF<dw|«ď<C2AB>#Ĺ9U‡L|Ť;Ő‹ż‰˘ď üöý7Čfś ]żüš×EÔŚVŻ7¨_ń
-> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc ÷fŚoďOÇ^Sż…Ż—ĺýż•ĚoOĂŁ<C482>łŢoń†+ëŐěĘ—Ň%Ţ•QUľ·ďµeĎßßŐ„´Đ.ҨR{g0ć|ĚĂ
eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
--- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
uÂ;.ÿñË>pÔïÑ<C391>òh¸<68>2ÎŒ}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$ 1»!z<E28093>jlA‡[@;òs®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—hòà ù@%ˆŠä´›|×{ ¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZDËÇÃ)}HŠü˜¦×ál}Sƒ˜ëFrn
øL¦-wÉÑ—¼j)ê â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
¾¸y8óÃkñbÔy×ËäÏ臃¹·k¤¨ÉÍ™ê°n/-'ÃZ<C383>ÅŸ ¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d


@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA hiozo++fCkzjrvUQRLnAh4uwlmIXcTwkVbjkYbcH4mQ
boST8EzrWdNAuyOylbBX//DnWtO7RL2W++Wnm40w2MA
-> ssh-ed25519 QlRB9Q i0StXRfRRlTsN7MNZmlfBQdacHQlmTmriyiRcJu74g0
dhkD9ZfW+mkkryHBu+2fHe76hXrWVGKl+orxkPJD6gU
-> ssh-ed25519 r+nK/Q Ekn/Bz+c+G+KwgZEOCdk58lV9XN12d7/f+wi8ZEysgU
QdvnL+HtpHnxUbKD06WZDAi55q3xOYn3OiHViNdFt+I
-> ssh-rsa krWCLQ
ijGL8v8Otp59VvF0tDIReazFzchihsutr+zbcQuB6m3JZ6SAWyoKwhFdwiaLOfUd
DMAo2FOKfCbWS+M1VpdSJfu9LKroMCkeW+FOK81h6ywEYSAw/vt2FJP2TLiljZou
d7hiqNv0u/yiIoQiTs9hwOAPtLofiWcX//18TNTCgqm9Ttn0mKlfBjTkUQJdkZVM
j1rofzgHDdkyZDdr1op3sc4iURJ98dVN7ic035Fz+Ggs0yBh9T7qtVsUe7swuoH9
b9yxOSHdV3b4BYg75UrfiRNTOeQq8pxsga1DIs2x7oHkeVb8Ypmr1tXuAtWi20eg
1cYP5+BxY8ry6uaYNLYpKw
-> ssh-ed25519 /vwQcQ ZuVSKV4sI53zDaTOHIkk6ntPy9IxSBNIN/JEDPfT71Y
C5UgzlDJCcA8CP5D0kppqJKti76qe5IVFFnNirRtl/s
-> ssh-ed25519 0R97PA bNQCB3PAp5Ka2drYm74R7nuGM7NFUsKluPo6EEEyiVA
1/NFavNSG1pdMiWr2q2z9XwHs6iqhh5+3KIlr8ToPOo
-> ssh-ed25519 JGx7Ng 6X2a/FNvglr8ZSWvgEb37B67JJpJV0x1+fdlo6K6pzo
8AxYhMJ5+XGKNnpRBTSUM4GSbRj8s7amMQa8sp+tQWM
-> ssh-ed25519 5SY7Kg xw7EQG3mz6gQZXSh2LpY5zFRyMZOqEypvnOorRLBBHQ
WTcl4rLfg/siaGFmk/Odc6fsX+C6OPRWTHFQ0eENwgY
-> ssh-ed25519 p/Mg4Q hSz69OeCJyLJIpnI1tJqGNRErbDF2v6OdxWxi/pfF3k
nM6aJWcuzXEqRarkkAQx4636bALK3g0AwCsSfc8fXrk
-> ssh-ed25519 rHotTw xyrUv1xRQGG+CyL7Ftdw50S8LtN3Bd07f+8JInmBdGg
ehZkeby649QdiSyCDP4wTplLU7mtXac9QzILFIkIX/8
--- xWjuc/9B2UAHi7vuOjdvwJ2K3MEeDeTon5XDU1zi6rw
i«(rçfJ!G$<24>e)¤ê ý¡é•%)„‚9<>KÙ®UK¿Ëé]oǹË@Âv<C382>ŒÀ2I­pè\<12>ˆ^©9ä]¿ÂL,Ÿ•5æö/wvYŽÒ<C5BD>Í«‡³ ¬¼


@ -13,13 +13,8 @@ lib.setDefault { inherit publicKeys; } [
"influxdb2-initial_token_file" "influxdb2-initial_token_file"
"influxdb2-telegraf_token_file" "influxdb2-telegraf_token_file"
"netbird-auth_client_secret_file" "netbird-auth_client_secret_file"
"nginx-tvix-store-password"
"nginx-tvix-store-password-ci"
"peertube-secrets_file" "peertube-secrets_file"
"peertube-service_environment_file" "peertube-service_environment_file"
"peertube-smtp_password_file" "peertube-smtp_password_file"
"prometheus-garage_api"
"prometheus-uptime-kuma-apikey"
"prometheus-web_config_file" "prometheus-web_config_file"
"tvix-store-infra-signing-key"
] ]


@ -1,29 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA /4nTbCIrufpN0Jho+8ZqTdZpc8mzSQrpG78flq+b9lM
x6Pg9oMGzboBg4WSAHxPwtNKcJUIG007Wx1ZjlzneLc
-> ssh-ed25519 QlRB9Q LsPsxbx6zvcLNf/EC3yFRP7Gr5tLYcg+8WGx6n0S724
4cyAHEdVBR885G4nfJSvUPqKWr/0abAtDTHmwksADp8
-> ssh-ed25519 r+nK/Q 9MisKxWalh0oubQFjwm2SDggxrj/fhdXGCYuYaP99jA
18o9juckqPtR4gh2MTXdmonxV9oZymyhCUqW3sOVltQ
-> ssh-rsa krWCLQ
j6AIypswOisUPlL538E3dpIWsHU/7H1c3+bEXXDFarP3Y5tjWltMRgKoPZUFlcRk
2yoVpOjDVkDvMTTu62Yn+Le6oYqoYQYzZ4e5incAR/v7sI76yPo1w+JN3BWBKPab
DN6h7Bdr8uzMISvxrRpCNDaU9n9GwA6ylJWvtFKjQZ6IDORVsa1tP44cndm6zAt6
Oq11bUDFSJLHiDtxjp0vJFa/4mq5Ay0G10xM/EI8Wf+Tiam/r3ytoBGnNYj1ENp8
AQkSxVF4cCORjQAokg+eUYCOzErJqpOx0ACx1SvuRvG4qcQ55ChYxs9zjnlCII2x
7JeUM/gjy0FnalxWWDX+cQ
-> ssh-ed25519 /vwQcQ bdzz3o+erI4c7ReafjhMYBgpebcJVcdB5vWK7cQ05Cs
3rVELKWfeiBksMzmm9XLmEgzdEASxSKcYJOpDQd7A+w
-> ssh-ed25519 0R97PA 4k2mZBQJTYhbjdzpxDuNw405iNxd96hVSMwzas/D3nU
neRy8ca2SguOJJQxalbPaq5SUH4taH+XxzkU/o/GVig
-> ssh-ed25519 JGx7Ng BlMr9FS9vuC1wnvDBAqEMJWzyuqoMqoU7YiFC9633xo
Xhvn+luDLE7AFbvgJs6V9cyRh8aJ2JrZfpVvXJhclu4
-> ssh-ed25519 5SY7Kg NkkDnN0z+2EzqpEdypnM7AROjjGVzoEvHfzaVbsyDiE
qbFUDBx4ghp9TG9YfjGjDXt35go0pMq0HH9GE+WT4v8
-> ssh-ed25519 p/Mg4Q rC/DrdXDUDWhbM7LMfQR203JClF/12o4rxJeGs+4rXY
Aj3P3skTbMvt2qN/FPSq97D1QwtHlKvFd4CsoujV2JI
-> ssh-ed25519 rHotTw 5IBV+q7+F7vNs5Tsx0S+ZEstiqoAaH1x78i/vAwrwDw
f729cEfMo/ozygHiRcNXmn8G+M+B68cM48ji7N6VgmY
--- TWScQDjdR4g/2v5oirYJgQw4zhhuMnmfvXtrigwmZC4
é°1ØLÅÄßán`Îq^ˆîÚ<C3AE>ï³Q²,ðT«Ó)Lñ aü„22 6M•¿Éú½Ü~4<E280BA>(~e±Y"´M·×!Žp!ÊU<ÖÜŒ<C592>Â;mn§`,öP6*&}HPM‡I¶ºòïH
Ûôï× Ãmõ<6D>‡ m£<6D>dGΠ߆ß÷T¥?G<>É»/


@ -1,148 +0,0 @@
{ pkgs, config, ... }:
let
settingsFormat = pkgs.formats.toml { };
dataDir = "/data/slow/tvix-store";
store-config = {
composition = {
blobservices.default = {
type = "objectstore";
object_store_url = "file://${dataDir}/blob.objectstore";
object_store_options = { };
};
directoryservices = {
sled = {
type = "sled";
is_temporary = false;
path = "${dataDir}/directory.sled";
};
object = {
type = "objectstore";
object_store_url = "file://${dataDir}/directory.objectstore";
object_store_options = { };
};
};
pathinfoservices = {
infra = {
type = "sled";
is_temporary = false;
path = "${dataDir}/pathinfo.sled";
};
infra-signing = {
type = "keyfile-signing";
inner = "infra";
keyfile = config.age.secrets."tvix-store-infra-signing-key".path;
};
};
};
endpoints = {
"127.0.0.1:8056" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "object";
path_info_service = "infra";
};
"127.0.0.1:8058" = {
endpoint_type = "Http";
blob_service = "default";
directory_service = "object";
path_info_service = "infra-signing";
};
# Add grpc for management and because it is nice
"127.0.0.1:8057" = {
endpoint_type = "Grpc";
blob_service = "default";
directory_service = "object";
path_info_service = "infra";
};
};
};
systemdHardening = {
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;
RestrictSUIDSGID = true;
ProtectSystem = "strict";
ProtectKernelLogs = true;
ProtectProc = "invisible";
PrivateUsers = true;
ProtectHome = true;
UMask = "0077";
RuntimeDirectoryMode = "0750";
StateDirectoryMode = "0750";
};
toml = {
composition = settingsFormat.generate "composition.toml" store-config.composition;
endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
};
package = pkgs.callPackage ./package { };
in
{
age-secrets.autoMatch = [
"tvix-store"
"nginx"
];
services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/infra/" = {
proxyPass = "http://127.0.0.1:8056/";
extraConfig = ''
client_max_body_size 50G;
limit_except GET {
auth_basic "Password required";
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password".path};
}
'';
};
"/infra-signing/" = {
proxyPass = "http://127.0.0.1:8058/";
extraConfig = ''
client_max_body_size 50G;
auth_basic "Password required";
auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
'';
};
"/.well-known/nix-signing-keys/" = {
alias = "${./pubkeys}/";
extraConfig = "autoindex on;";
};
};
};
# TODO add tvix-store cli here
# environment.systemPackages = [ ];
users.users.tvix-store = {
isSystemUser = true;
group = "tvix-store";
};
users.groups.tvix-store = { };
systemd.tmpfiles.rules = [ "d ${dataDir} 770 tvix-castore tvix-castore -" ];
systemd.services."tvix-store" = {
wantedBy = [ "multi-user.target" ];
environment = {
RUST_LOG = "debug";
};
serviceConfig = {
UMask = "007";
ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
StateDirectory = "tvix-store";
RuntimeDirectory = "tvix-store";
User = "tvix-store";
Group = "tvix-store";
ReadWritePaths = [ dataDir ];
} // systemdHardening;
};
networking.firewall.allowedTCPPorts = [
80
443
];
}

File diff suppressed because it is too large Load diff


@ -1,45 +0,0 @@
{
fetchgit,
rustPlatform,
protobuf,
runCommand,
}:
let
tvix-hash = "sha256-KNl+Lv0aMqSFVFt6p/GdmNDddzccW4wKfZB7W6Gv5F0=";
tvix-src = fetchgit {
name = "tvix";
url = "https://git.dgnum.eu/mdebray/tvl-depot";
rev = "920b7118d5b0917e426367107f7b7b66089a8d7b";
hash = tvix-hash;
};
protos = runCommand "tvix-protos" { } ''
mkdir $out
cd ${tvix-src}/tvix #remove tvix maybe
find . -name '*.proto' -exec install -D {} $out/{} \;
'';
in
rustPlatform.buildRustPackage rec {
pname = "multitenant-binary-cache";
version = "0.1.0";
src = fetchgit {
url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
rev = "0d7d4cf66242facecba485b1085e285e8d46c038";
hash = "sha256-IU3OS3ePJeBNiY8HbhoYW5b03Nq8BJ4AWe+bGv4dAuw=";
};
PROTO_ROOT = protos;
nativeBuildInputs = [ protobuf ];
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {
"nar-bridge-0.1.0" = tvix-hash;
};
};
cargoHash = "";
meta = { };
}


@ -1 +0,0 @@
infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=


@ -3,20 +3,23 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-fail2ban"
]; ];
enabledServices = [ enabledServices = [
# List of services to enable # List of services to enable
"k-radius"
"networking" "networking"
"ups"
"ulogd"
]; ];
extraConfig = { extraConfig = {
dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
"sshd-bruteforce"
"sshd-timeout"
];
services.netbird.enable = true; services.netbird.enable = true;
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 ]; dgn-hardware.useBcachefs = true;
}; };
root = ./.; root = ./.;


@ -1,259 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
attrsToList
getExe'
imap0
mapAttrsToList
mkEnableOption
mkIf
mkOption
optionalString
;
inherit (lib.types)
attrsOf
bool
enum
package
path
str
submodule
;
settingsFormat = pkgs.formats.toml { };
pykanidm = pkgs.python3.pkgs.callPackage ./packages/pykanidm.nix { };
rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
cfg = config.services.k-radius;
acmeDirectory = config.security.acme.certs.${cfg.domain}.directory;
in
{
options.services.k-radius = {
enable = mkEnableOption "a freeradius service linked to kanidm.";
domain = mkOption {
type = str;
description = "The domain used for the RADIUS server.";
};
raddb = mkOption {
type = path;
default = "/var/lib/radius/raddb/";
description = "The location of the raddb directory.";
};
settings = mkOption { inherit (settingsFormat) type; };
freeradius = mkOption {
type = package;
default = pkgs.freeradius.overrideAttrs (old: {
buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
});
};
configDir = mkOption {
type = path;
default = "/var/lib/radius/raddb";
description = "The path of the freeradius server configuration directory.";
};
authTokenFile = mkOption {
type = path;
description = "File to the auth token for the service account.";
};
extra-mods = mkOption {
type = attrsOf path;
default = { };
description = "Additional files to be linked in mods-enabled.";
};
extra-sites = mkOption {
type = attrsOf path;
default = { };
description = "Additional files to be linked in sites-enabled.";
};
dictionary = mkOption {
type = attrsOf (enum [
"abinary"
"date"
"ipaddr"
"integer"
"string"
]);
default = { };
description = "Declare additionnal attributes to be listed in the dictionary.";
};
radiusClients = mkOption {
type = attrsOf (submodule {
options = {
secret = mkOption { type = path; };
ipaddr = mkOption { type = str; };
};
});
default = { };
description = "A mapping of clients and their authentication tokens.";
};
checkConfiguration = mkOption {
type = bool;
description = "Check the configuration before starting the deamon. Useful for debugging.";
default = false;
};
};
config = mkIf cfg.enable {
# Certificate setup
services.nginx.virtualHosts.${cfg.domain} = {
http2 = false;
enableACME = true;
forceSSL = true;
};
users = {
users.radius = {
group = "radius";
description = "Radius daemon user";
isSystemUser = true;
};
groups.radius = { };
};
systemd.services.radius = {
description = "FreeRadius server";
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
"acme-finished-${cfg.domain}.target"
];
wants = [ "network.target" ];
startLimitIntervalSec = 20;
startLimitBurst = 5;
preStart = ''
raddb=${cfg.raddb}
# Recreate the configuration directory
rm -rf $raddb && mkdir -p $raddb
cp -R --no-preserve=mode ${cfg.freeradius}/etc/raddb/* $raddb
cp -R --no-preserve=mode ${rlm_python}/etc/raddb/* $raddb
chmod -R u+w $raddb
# disable auth via methods kanidm doesn't support
rm $raddb/mods-available/sql
rm $raddb/mods-enabled/{passwd,totp}
# enable the python and cache modules
ln -nsf $raddb/mods-available/python3 $raddb/mods-enabled/python3
ln -nsf $raddb/sites-available/check-eap-tls $raddb/sites-enabled/check-eap-tls
# write the clients configuration
> $raddb/clients.conf
${builtins.concatStringsSep "\n" (
builtins.attrValues (
builtins.mapAttrs (
name:
{ secret, ipaddr }:
''
cat <<EOF >> $raddb/clients.conf
client ${name} {
ipaddr = ${ipaddr}
secret = $(cat "${secret}")
proto = *
}
EOF
''
) cfg.radiusClients
)
)}
# Copy the kanidm configuration
cat <<EOF > /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
chmod u+w /var/lib/radius/kanidm.toml
# Copy the certificates to the correct directory
rm -rf $raddb/certs && mkdir -p $raddb/certs
cp ${acmeDirectory}/chain.pem $raddb/certs/ca.pem
${lib.getExe pkgs.openssl} rehash $raddb/certs
# Recreate the dh.pem file
${lib.getExe pkgs.openssl} dhparam -in $raddb/certs/ca.pem -out $raddb/certs/dh.pem 2048
cp ${acmeDirectory}/full.pem $raddb/certs/server.pem
# Link the dictionary
ln -nsf ${
pkgs.writeText "radius-dictionary" (
builtins.concatStringsSep "\n" (
imap0 (i: { name, value }: "ATTRIBUTE ${name} ${builtins.toString (3000 + i)} ${value}") (
attrsToList cfg.dictionary
)
)
)
} $raddb/dictionary
# Link extra-mods
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/mods-enabled/${name}") cfg.extra-mods
)}
# Link extra-sites
${builtins.concatStringsSep "\n" (
mapAttrsToList (name: path: "ln -nsf ${path} $raddb/sites-enabled/${name}") cfg.extra-sites
)}
# Check the configuration
${optionalString cfg.checkConfiguration "${getExe' pkgs.freeradius "radiusd"} -C -d $raddb -l stdout"}
'';
path = [
pkgs.openssl
pkgs.gnused
];
environment = {
KANIDM_RLM_CONFIG = "/var/lib/radius/kanidm.toml";
PYTHONPATH = rlm_python.pythonPath;
};
serviceConfig = {
ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d /var/lib/radius/raddb -l stdout";
ExecReload = [
"${cfg.freeradius}/bin/radiusd -C -d /var/lib/radius/raddb -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
DynamicUser = true;
Group = "radius";
LogsDirectory = "radius";
ReadOnlyPaths = [ acmeDirectory ];
Restart = "on-failure";
RestartSec = 2;
RuntimeDirectory = "radius";
StateDirectory = "radius";
SupplementaryGroups = [ "nginx" ];
User = "radius";
};
};
};
}


@ -1,43 +0,0 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
poetry-core,
aiohttp,
authlib,
pydantic,
toml,
}:
buildPythonPackage rec {
pname = "kanidm";
version = "1.1.0-rc.16";
pyproject = true;
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-NH9V5KKI9LAtJ2/WuWtUJUzkjVMfO7Q5NQkK7Ys2olU=";
};
sourceRoot = "source/pykanidm";
build-system = [ poetry-core ];
dependencies = [
aiohttp
authlib
pydantic
toml
];
pythonImportsCheck = [ "kanidm" ];
meta = with lib; {
description = "Kanidm: A simple, secure and fast identity management platform";
homepage = "https://github.com/kanidm/kanidm";
license = licenses.mpl20;
maintainers = with maintainers; [ thubrecht ];
};
}


@ -1,47 +0,0 @@
{
stdenv,
fetchFromGitHub,
substituteAll,
python3,
pykanidm,
}:
let
pythonPath = python3.pkgs.makePythonPath [ pykanidm ];
in
stdenv.mkDerivation rec {
pname = "rlm_python";
version = "1.1.0-rc.16";
src = fetchFromGitHub {
owner = "kanidm";
repo = "kanidm";
rev = "v${version}";
hash = "sha256-NH9V5KKI9LAtJ2/WuWtUJUzkjVMfO7Q5NQkK7Ys2olU=";
};
sourceRoot = "source/rlm_python";
patches = [
(substituteAll {
src = ./01-python_path.patch;
inherit pythonPath;
})
];
installPhase = ''
mkdir -p $out/etc/raddb/
cp -R mods-available sites-available $out/etc/raddb/
'';
phases = [
"unpackPhase"
"patchPhase"
"installPhase"
];
passthru = {
inherit pythonPath;
};
}


@ -1,253 +1,53 @@
{
pkgs,
lib,
meta,
name,
...
}:
let let
inherit (lib) mapAttrs' nameValuePair; vlanName = "vlan-uplink-cri";
uplink = { linkIp = "10.120.33.250";
ip = "10.120.33.250"; linkPrefix = "30";
prefix = 30;
router = "10.120.33.249"; upstreamRouterIp = "10.120.33.249";
};
mkNetwork = publicIp = "129.199.195.129"; # sync with meta
name:
{
address ? [ ],
extraNetwork ? { },
...
}:
nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork);
mkNetdev = linkPrefixedIp = "${linkIp}/${linkPrefix}";
name:
{ Id, ... }:
nameValuePair "10-${name}" {
netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = Id;
};
mkUserVlan =
{
vlan,
netIP,
servIP,
interfaceName,
...
}:
{
name = interfaceName;
value = {
Id = vlan;
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
DHCPServer = "yes";
};
linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/27";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "${netIP}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
};
}
];
};
};
};
userVlans = builtins.genList (id: rec {
vlan = 4094 - id;
prefix24nb = (id + 1) / 8;
prefix27nb = (id + 1 - prefix24nb * 8) * 32;
netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}";
servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}";
interfaceName = "vlan-user-${toString vlan}";
}) 850;
vlans = {
vlan-uplink-cri = {
Id = 223;
address = with uplink; [ "${ip}/${builtins.toString prefix}" ];
extraNetwork.routes = [
{
routeConfig = {
# Get the public ip from the metadata
PreferredSource = builtins.head meta.network.${name}.addresses.ipv4;
Gateway = uplink.router;
};
}
];
};
vlan-admin = {
Id = 3000;
address = [ "fd26:baf9:d250:8000::1/64" ];
};
vlan-admin-ap = {
Id = 3001;
address = [ "fd26:baf9:d250:8001::1/64" ];
extraNetwork.ipv6Prefixes = [
{
ipv6PrefixConfig = {
AddressAutoconfiguration = false;
OnLink = false;
Prefix = "fd26:baf9:d250:8001::/64";
};
}
];
};
vlan-apro = {
Id = 2000;
address = [ "10.0.255.1/24" ];
extraNetwork.networkConfig.DHCPServer = "yes";
};
} // builtins.listToAttrs (map mkUserVlan userVlans);
in in
{ {
systemd = { systemd.network = {
network = { networks = {
config.routeTables."user" = 1000; "10-enp67s0f0np0" = {
networks = { name = "enp67s0f0np0";
"10-lo" = { networkConfig = {
name = "lo"; VLAN = [ vlanName ];
address = [
"::1/128" LinkLocalAddressing = false;
"127.0.0.1/8" LLDP = false;
"10.0.0.1/27" EmitLLDP = false;
]; IPv6AcceptRA = false;
routes = [ IPv6SendRA = false;
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
}; };
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
linkConfig.Promiscuous = true;
networkConfig = {
VLAN = builtins.attrNames vlans;
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
} // (mapAttrs' mkNetwork vlans);
netdevs = mapAttrs' mkNetdev vlans;
};
services = {
ethtoolConfig = {
wantedBy = [ "systemd-networkd.service" ];
after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ];
script = builtins.concatStringsSep "\n" (
builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [
"rxvlan"
"txvlan"
"rx-vlan-filter"
"rx-vlan-offload"
"tx-vlan-offload"
"tx-vlan-stag-hw-insert"
]
);
}; };
"10-${vlanName}" = {
systemd-networkd.serviceConfig.LimitNOFILE = 4096; name = vlanName;
address = [ linkPrefixedIp ];
net-checker = { routes = [
path = [ {
pkgs.iputils routeConfig = {
pkgs.systemd PreferredSource = publicIp;
]; Gateway = upstreamRouterIp;
script = '' };
if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
${
lib.concatMapStringsSep "\n " ({ interfaceName, ... }: "networkctl up ${interfaceName}") userVlans
}
else
${
lib.concatMapStringsSep "\n " (
{ interfaceName, ... }: "networkctl down ${interfaceName}"
) userVlans
}
fi
'';
};
};
timers.net-checker = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "*-*-* *:*:42";
};
};
networking = {
nftables = {
enable = true;
tables.nat = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority 100;
ip saddr 10.0.0.0/16 ether saddr 5c:64:8e:f4:09:06 snat ip to 129.199.195.130-129.199.195.158
} }
''; ];
}; };
}; };
firewall = { netdevs = {
allowedUDPPorts = [ 67 ]; "10-vlan-uplink-cri" = {
checkReversePath = false; netdevConfig = {
Name = vlanName;
Kind = "vlan";
};
vlanConfig = {
Id = 223;
};
};
}; };
}; };
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
} }


@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA Ja6ye8ABH4ueCSyJhFGU+TeN8RPVGSeV2IYFljvM7UI
FcvDIOBcKel4Y6DoMmmTuSCzp+3IrWEqhBO87l26dC8
-> ssh-ed25519 QlRB9Q g8LVlo+1lgQU8zlCnMj5TjhGIlxiSvB0cDRkjVzY3i8
gB5qfOtFKhZoOuAtsm3X5E5hHUCI6B3Byet7WnQMQRk
-> ssh-ed25519 r+nK/Q HKHlHM+cPfRkwWp3bc8A7fov+RT9C+9dvCpd4daHFmI
EJbSVhuPCwqfijFw4HumpFAg+q+2B4gh4pDHjCf+p94
-> ssh-rsa krWCLQ
i6ZVdAWq5siE57dP4vz8JYXGO7QiAqQ3+MPSms5pkPktlgQKZGKk+A5S42lAh1K7
vILNCuvzrQUO4jUNk9RhRnaDoMLBus0xqQtE5vwTbtqGI4P/M5IttyRQ5PuAHNgc
QSNDRetp0QvAcx9I9v0LxArxkGtBPUyICLKYYQcyttie4lfQbfu4jyjZ2Bqix8a4
/jFQ2GZgfIdjxfV+45DU3TCwFx0mDnNzHXZsI7u4qul+Z9tm2fYcIeyXCFK+GLa3
TUY46IeVElqDpBMIOQbnLXcivpbEQS8LAOvYSIAXUTNKs6WukXktLfo1Juc1YPcV
vSTcyV9EBV3DfcozPVdy9A
-> ssh-ed25519 /vwQcQ Obd9qr3rphOc9qK+nhSiR1j0Em1uv6OlKt/e76elEHs
PjjWoGeDiGVNyvPsQx7KvoO7hRL6wbgNN543tQp0+lQ
-> ssh-ed25519 0R97PA FPENiklw5FmKS0G0aqF4K8EEfzOSn+xiaDhb1jCm1l8
fswVo+JUSjAK/6P9XTDCRox14AJ25C2H6dqFTqY+UWk
-> ssh-ed25519 JGx7Ng CdsdUVx536gu6qYWBJY1jC/zfvuR2vgtDtfI0MJ+mRc
zgDkkN+N0Ig8D02t7/jS7KxYXToDa45pX8GIb9/8ax0
-> ssh-ed25519 5SY7Kg chOHq4oZGnaq9xRr2lzDBLI3ID90MC6aunlEWEBpgVw
ne/EgtRHYbCaiM8RyDJZMPheXhh2Z97zff/zs3oW+mE
-> ssh-ed25519 p/Mg4Q S3knEgzoT+1sgvAWAdx7sWwoaxlZY2DObgzAoQE/RDc
IXXxmzYKPvaNqFoJjs2278y4ZOfT3ErmZU3C0Fh7EC4
-> ssh-ed25519 5rrg4g n1Yz6UWkAx9lJfnx7e2kZWIlZNRvvdl8llZpf4yo8AU
kcmQ7mklyqGHulC35JY4ZaF6HE+uAWUClA6SapffXeY
-> ssh-ed25519 +mFdtQ 8UW9TtBphutHIMr5Cq1rfMBo2h/VgIAL5YsH4FrCU0U
F+ouCDOo9SyuIomV2Qmgv0gBBKukgHNmqLCJWH3+hfA
--- fwMG1ZjFgN0FFKM0KgSoJR+Zttxkwz+GBKasO0EXBn4
+<2B>šG[þ¿ÐŠeê*Ž*B·`jVÈ¥ËäÿˆïÜÖ@MIמé4y<02>tÐ|½¤ã)¬¥^¸V)q<1F>àÿI7>ÚI%R®x/â¯ê Ïü <20> ò_](]Œ5øŠ··Ô<C2B7>ñòªÛòOBÄËáøŽ˜“Œr xIM‰—«]ïÂÖÇ|.nçzÄ oñNº„­Ø;h%Ù ¤."¦ö


@ -1,32 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk
l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI
-> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU
X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw
-> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang
FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk
-> ssh-rsa krWCLQ
jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n
jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab
SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts
dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0
dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn
GW/WD0EpmdzpWVPby68+KA
-> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw
RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ
-> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA
m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c
-> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8
88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I
-> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE
6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk
-> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA
NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk
-> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU
WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk
-> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM
wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40
-> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA
Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q
--- 8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w
G“Þ"û¤‡ã8ƒÈî&NF}x£ksyÖ\£.i§<69>קF¢¯}ê-ÍÁÓšLbì;{


@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA oTG4+leUhtu+taark5+znjTzfTPBjSgtJI5zNmLrxQw
+xsiH/nNjeBckEn1bi3OVPo/vy6WGqJftfnNgrh+7eA
-> ssh-ed25519 QlRB9Q dk3mYy/ziQL3Cx7XB+/IY8EkrEtBNZkvLf3iwAZtYFg
42ABG0MdenXCfgeVoTvJ8XYyKd9OuH/KVZPOdpfLTkc
-> ssh-ed25519 r+nK/Q 2nOZZkpvToMgbg66f/DYm2J4gfzhtGEAAzlqYM44V24
GJlZ857IA1firt/6A7dTtdqGncJg4XnCBxSLlDeIUe8
-> ssh-rsa krWCLQ
Z2DScQA6a5+Wzl1cD6fMcWtQRM00PM24eO2bjqlSAy+wk3J+62nxYGQJEXp4y5Ws
Rn6FENHllIoH1mXu7XbDpnmertZK1I6krf2jbC4LoUVdXf2czksqtITjwJqFEn9k
i27LhROdQN61xnz1OWPbTaNJAEgo6A4gzRnD6SxZjNqF0EHaBgA/SlX9lFfKtp50
yiy6rSncJbT7Kxya8Nll/YC8RC78shs6r0+JnuGdm+GstMnkEF8eOIQuNHCPWbdN
oT2K6oWjITwQnuSzb9+fIW9Orcl3QjFJPMlVl37p3r5BBNiuaW5Jk1ky8mP6hHRX
Hzqa0eHffbiUSTtFbNr6vA
-> ssh-ed25519 /vwQcQ wVRPD49z8MeLNz0XGu9HWXBPdbJkegHNOY4chmgzeCU
iABkdTWGE+ImvRA0N2mNuUdpqEWmPe0kWRf7yDGgkHs
-> ssh-ed25519 0R97PA 79n3SCQbXkjlk/5+GLr1bjapHNhID33zieUF0X2eZgU
5BX9Qw6hn1Ie97AaKtpkHnLD4aXEvJI29EwiuFOaDKY
-> ssh-ed25519 JGx7Ng vTCpM2b8rMa9o/H/0jKkEf2DRyqCnOJP3+0m9LmV42k
dyFkt3XtZDcGx4uiJni6tdXDNVEzlFZqqPHYD/A0g7k
-> ssh-ed25519 5SY7Kg wAHGb5dG04fIBCKSOzwTagFMC0z2eGNGLbBGdqAaFH4
RozSCdnelai3bOX+Ls2cl2go68mfQeKTlNMRiWGjJpk
-> ssh-ed25519 p/Mg4Q zGKTV2Z6+VG1oajB9EGRe7SsDwCeSWDjuS3Wj7D333g
7EartLedAduICpquQkN2a2dNy9u4KLm2d97heFrceqE
-> ssh-ed25519 5rrg4g T1fAxr/RHvWf/vh2VL41tSH9Mpmq3eFyqzJf+MJIBEk
eYJEC1pZ4xQeaXeDV5+gYtOftla9nSSnB/WQ3rLrXn0
-> ssh-ed25519 +mFdtQ QtrOIfJz3j4US5STmAIXOS6TsckNtJ5FPO+KHomSVGM
qWjtGdXHHNMGBP0qByAvka7YvWLYh+JPD9MqAU8Wuzs
--- tD/2gendSlu4C9HG5VAwueB8NPCZWC63ATSB7sETutI
x¡Çßv+z²m<C2B2>zZa>šF¿Þ=Oùøž(¤=¶ÿg aèôx¡¿Ÿ#


@ -2,13 +2,4 @@ let
lib = import ../../../lib { }; lib = import ../../../lib { };
publicKeys = lib.getNodeKeys "vault01"; publicKeys = lib.getNodeKeys "vault01";
in in
lib.setDefault { inherit publicKeys; } [ lib.setDefault { inherit publicKeys; } [ ]
"radius-auth_token_file"
"radius-ca_pem_file"
"radius-cert_pem_file"
"radius-dh_pem_file"
"radius-key_pem_file"
"radius-private_key_password_file"
"eatonmon-password_file"
"radius-ap-radius-secret_file"
]


@ -1,56 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
services = {
ulogd = {
enable = true;
logLevel = 5;
settings = {
global = {
logfile = "/var/log/ulogd.log";
stack = [ "ct1:NFCT,ip2str1:IP2STR,pgsql1:PGSQL" ];
};
ct1 = { };
pgsql1 = {
db = "ulogd";
user = "ulogd";
table = "ulog2_ct";
procedure = "INSERT_CT";
};
};
};
postgresql = {
enable = true;
identMap = ''
ulogd-map root ulogd
'';
authentication = ''
local ulogd ulogd peer map=ulogd-map
'';
ensureUsers = [
{
name = "ulogd";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "ulogd" ];
};
};
systemd.services.ulogd = {
serviceConfig.StateDirectory = "ulogd";
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
path = [ config.services.postgresql.package ];
preStart = lib.mkAfter ''
if ! test -e "/var/lib/ulogd/.initialized"; then
psql -f "${pkgs.ulogd.doc}/share/doc/ulogd-pgsql/pgsql-ulogd2.sql" -d ulogd -U ulogd
touch "/var/lib/ulogd/.initialized"
fi
'';
};
}


@ -1,98 +0,0 @@
{
config,
lib,
pkgs,
meta,
name,
...
}:
{
power.ups = {
enable = true;
ups.eaton = {
driver = "usbhid-ups";
port = "auto";
};
users.eatonmon = {
passwordFile = config.age.secrets."eatonmon-password_file".path;
upsmon = "primary";
};
upsmon.monitor.eaton = {
user = "eatonmon";
};
schedulerRules =
let
cmdScript = pkgs.writeShellApplication {
name = "upssched-cmd.sh";
runtimeInputs = with pkgs; [
systemd
msmtp
];
text = ''
case $1 in
shutdown-low) MEANING="Battery is low, shutting down.";;
shutdown-batt) MEANING="On battery for 15min, shutting down.";;
warn-batt) MEANING="Power line faillure, going on battery.";;
warn-comm) MEANING="Communication with the UPS was broken.";;
warn-bypass) MEANING="The UPS is not protecting the server, power line failure would kill $HOSTNAME instantly.";;
*) MEANING="Signal unknown, check configuration.";;
esac
sendmail -i -t <<ERRMAIL
To: fai+monitoring@dgnum.eu
Subject: [$HOSTNAME] Battery signal: $1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
$MEANING
ERRMAIL
case $1 in
shutdown-*) shutdown 20s # let 20s to send the email
esac
'';
};
in
(pkgs.writeTextFile {
name = "upssched.conf";
text = ''
CMDSCRIPT ${lib.getExe cmdScript}
PIPEFN /var/state/ups/upssched/upssched.pipe
LOCKFN /var/state/ups/upssched/upssched.lock
AT LOWBATT * EXECUTE shutdown-low
AT ONBATT * EXECUTE warn-batt
AT ONBATT * START-TIMER shutdown-batt 900
AT ONLINE * CANCEL-TIMER shutdown-batt
AT COMMBAD * EXECUTE warn-comm
AT NOCOMM * EXECUTE warn-comm
AT BYPASS * EXECUTE warn-bypass
'';
}).outPath;
};
systemd.tmpfiles.settings."10-upsmon" =
let
root = {
user = "root";
group = "root";
mode = "0600";
};
in
{
"/var/state/ups/upssched".d = root // {
mode = "0700";
};
"/var/state/ups/upssched/upssched.pipe".p = root;
};
services.prometheus.exporters.nut = {
enable = true;
listenAddress = meta.network.${name}.netbirdIp;
port = 9199;
};
networking.firewall.interfaces.wt0.allowedTCPPorts = [ 9199 ];
}


@ -3,6 +3,7 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-fail2ban"
"dgn-web" "dgn-web"
]; ];
@ -14,6 +15,7 @@ lib.extra.mkConfig {
"matterbridge" "matterbridge"
"metis" "metis"
"ntfy-sh" "ntfy-sh"
"plausible"
"redirections" "redirections"
"static" "static"
"wordpress" "wordpress"


@ -0,0 +1,33 @@
{ config, lib, ... }:
let
cfg = config.services.castopod;
fpm = config.services.phpfpm.pools.castopod;
in
{
services.nginx = {
resolver.addresses = [ "127.0.0.53" ];
virtualHosts."${cfg.localDomain}" = {
locations."@force_get" = {
extraConfig = lib.mkForce ''
recursive_error_pages on;
proxy_method GET;
proxy_pass https://podcasts.dgnum.eu/$request_uri;
'';
};
locations."~ .php$" = {
extraConfig = lib.mkForce ''
error_page 550 = @force_get;
if ($request_method = HEAD) { return 550; }
fastcgi_intercept_errors on;
fastcgi_index index.php;
fastcgi_pass unix:${fpm.socket};
try_files $uri =404;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
'';
};
};
};
}
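Review bot: In the `@force_get` location, `proxy_pass https://podcasts.dgnum.eu/$request_uri;` puts a literal `/` in front of `$request_uri`, which in nginx already begins with `/`, so the replayed request starts with `//`; the line also hard-codes a hostname while the virtual host is keyed on `cfg.localDomain`. If both are meant to be the same host, `proxy_pass https://${cfg.localDomain}$request_uri;` fixes the path and keeps the two in step. Because the target is resolved at request time through the resolver set at the top of the block, the replayed request goes wherever that name resolves, which is worth stating in a comment next to the `resolver.addresses` line. The HEAD-to-GET detour through status 550 in the `.php` location should also carry a one-line comment such as `# HEAD is replayed as GET via @force_get (reason: <fill in>)`, since the reason for the workaround is not visible anywhere in this file.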


@ -8,7 +8,7 @@ in
enable = true; enable = true;
localDomain = host; localDomain = host;
environmentFile = config.age.secrets.castopod-environment_file.path; environmentFile = config.age.secrets.castopod-environment_file.path;
maxUploadSize = "512M"; maxUploadSize = 512;
settings = { settings = {
"email.fromEmail" = "noreply@infra.dgnum.eu"; "email.fromEmail" = "noreply@infra.dgnum.eu";
"email.SMTPHost" = "kurisu.lahfa.xyz"; "email.SMTPHost" = "kurisu.lahfa.xyz";


@ -1,4 +1,4 @@
{ config, ... }: _:
{ {
imports = [ ./packages ]; imports = [ ./packages ];
@ -8,29 +8,9 @@
api.host = "api.meet.dgnum.eu"; api.host = "api.meet.dgnum.eu";
frontend.host = "meet.dgnum.eu"; frontend.host = "meet.dgnum.eu";
configureNginx = true;
}; };
dgn-backups.postgresDatabases = [ "crabfit" ]; dgn-backups.postgresDatabases = [ "crabfit" ];
services.nginx =
let
cfg = config.services.crabfit;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
};
virtualHosts.${cfg.api.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
};
};
} }
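Review bot: With `configureNginx = true;` standing in for the explicit `services.nginx` block, the `enableACME = true;` and `forceSSL = true;` settings for `meet.dgnum.eu` and `api.meet.dgnum.eu` are no longer stated in this file, and whether the crabfit module sets them cannot be seen from this hunk. If it does not, both hosts would lose the certificate request and the redirect to HTTPS. Either confirm the module's behaviour or keep the TLS attributes explicit, e.g. `services.nginx.virtualHosts."meet.dgnum.eu" = { enableACME = true; forceSSL = true; };` and the same for the API host. The module itself is presumably pulled in through `imports = [ ./packages ];` and lies outside this section, so this is a check to make rather than a confirmed regression.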
