Deuxfleurs/nixcfg
17
6
Fork 2
Code Issues 10 Pull requests 1 Projects Releases Wiki Activity

Compare commits

base: Deuxfleurs:main
Branches Tags
Deuxfleurs:main
Deuxfleurs:telemetry-update
Deuxfleurs:jitsi
Deuxfleurs:feat/im-tls-proxy
Deuxfleurs:simplify-network-config
Deuxfleurs:plume-s3
Deuxfleurs:wgautomesh-service-v2
Deuxfleurs:refactor
tixie:update-woodpecker-2.4.0
tixie:main
tixie:telemetry-update
tixie:jitsi
tixie:feat/im-tls-proxy
tixie:simplify-network-config
tixie:plume-s3
tixie:wgautomesh-service-v2
tixie:refactor
..
compare: tixie:plume-s3
Branches Tags
tixie:update-woodpecker-2.4.0
tixie:main
tixie:telemetry-update
tixie:jitsi
tixie:feat/im-tls-proxy
tixie:simplify-network-config
tixie:plume-s3
tixie:wgautomesh-service-v2
tixie:refactor
Deuxfleurs:main
Deuxfleurs:telemetry-update
Deuxfleurs:jitsi
Deuxfleurs:feat/im-tls-proxy
Deuxfleurs:simplify-network-config
Deuxfleurs:plume-s3
Deuxfleurs:wgautomesh-service-v2
Deuxfleurs:refactor

No commits in common. "main" and "plume-s3" have entirely different histories.
main ... plume-s3

148 changed files with 10019 additions and 2374 deletions
Show stats Expand all files Collapse all files

5
README.md
View file

@ -1,6 +1,6 @@
# Deuxfleurs on NixOS!
This repository contains code to run Deuxfleurs' infrastructure on NixOS.
This repository contains code to run Deuxfleur's infrastructure on NixOS.
## Our abstraction stack
@ -50,6 +50,5 @@ See the following documentation topics:
- [List of TCP and UDP ports used by services](doc/ports)
- [Why not Ansible?](doc/why-not-ansible.md)
## Got personal services in addition to Deuxfleurs at home?
Go check [`cluster/prod/register_external_services.sh`](./cluster/prod/register_external_services.sh). In bash, we register a redirect from Tricot to your own services or your personal reverse proxy.

58
cluster/prod/app/backup/deploy/backup-daily.hcl
View file

@ -1,5 +1,5 @@
job "backup_daily" {
datacenters = ["neptune", "scorpio", "bespin"]
datacenters = ["orion", "neptune", "scorpio"]
type = "batch"
priority = "60"
@ -14,14 +14,14 @@ job "backup_daily" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "celeri"
value = "doradille"
}
task "main" {
driver = "docker"
config {
image = "restic/restic:0.16.4"
image = "restic/restic:0.14.0"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup /mail && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
volumes = [
@ -56,6 +56,52 @@ EOH
}
}
group "backup-plume" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "dahlia"
}
task "main" {
driver = "docker"
config {
image = "restic/restic:0.14.0"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup /plume && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
volumes = [
"/mnt/ssd/plume/media:/plume"
]
}
template {
data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/plume/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/plume/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/plume/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/plume/backup_restic_password" }}
EOH
destination = "secrets/env_vars"
env = true
}
resources {
cpu = 500
memory = 100
memory_max = 1000
}
restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}
}
}
group "backup-consul" {
task "consul-kv-export" {
driver = "docker"
@ -116,7 +162,7 @@ EOH
driver = "docker"
config {
image = "restic/restic:0.16.4"
image = "restic/restic:0.12.1"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup $NOMAD_ALLOC_DIR/consul.json && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
}
@ -159,11 +205,11 @@ EOH
driver = "docker"
config {
image = "restic/restic:0.16.4"
image = "restic/restic:0.12.1"
entrypoint = [ "/bin/sh", "-c" ]
args = [ "restic backup /cryptpad && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
volumes = [
"/mnt/ssd/cryptpad:/cryptpad"
"/mnt/storage/cryptpad:/cryptpad"
]
}

2
cluster/prod/app/backup/deploy/backup-garage.hcl
View file

@ -1,5 +1,5 @@
job "backup-garage" {
datacenters = ["neptune", "bespin", "scorpio"]
datacenters = ["neptune", "bespin"]
type = "batch"
priority = "60"

2
cluster/prod/app/backup/deploy/backup-weekly.hcl
View file

@ -1,5 +1,5 @@
job "backup_weekly" {
datacenters = ["scorpio", "neptune", "bespin"]
datacenters = ["orion", "neptune", "bespin"]
type = "batch"
priority = "60"

8
cluster/prod/app/bagage/deploy/bagage.hcl
View file

@ -1,5 +1,5 @@
job "bagage" {
datacenters = ["scorpio", "neptune"]
datacenters = ["orion", "neptune"]
type = "service"
priority = 90
@ -25,7 +25,7 @@ job "bagage" {
task "server" {
driver = "docker"
config {
image = "lxpz/amd64_bagage:20231016-3"
image = "superboum/amd64_bagage:v11"
readonly_rootfs = false
network_mode = "host"
volumes = [
@ -54,9 +54,7 @@ job "bagage" {
address_mode = "host"
tags = [
"bagage",
"(diplonat (tcp_port 2222))",
"d53-a sftp.deuxfleurs.fr",
"d53-aaaa sftp.deuxfleurs.fr",
"(diplonat (tcp_port 2222))"
]
}

2
cluster/prod/app/cms/deploy/cms.hcl
View file

@ -1,5 +1,5 @@
job "cms" {
datacenters = ["neptune", "scorpio"]
datacenters = ["neptune", "orion"]
type = "service"
priority = 100

100
cluster/prod/app/core/deploy/bottin.hcl
View file

@ -1,100 +0,0 @@
job "core-bottin" {
datacenters = ["neptune", "scorpio"]
type = "system"
priority = 90
update {
max_parallel = 1
stagger = "1m"
}
group "bottin" {
constraint {
distinct_property = "${meta.site}"
value = "1"
}
network {
port "ldap_port" {
static = 389
to = 389
}
}
task "bottin" {
driver = "docker"
config {
image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
network_mode = "host"
readonly_rootfs = true
ports = [ "ldap_port" ]
volumes = [
"secrets/config.json:/config.json",
"secrets:/etc/bottin",
]
}
restart {
interval = "5m"
attempts = 10
delay = "15s"
mode = "delay"
}
resources {
memory = 100
memory_max = 200
}
template {
data = file("../config/bottin/config.json.tpl")
destination = "secrets/config.json"
}
template {
data = "{{ key \"secrets/consul/consul.crt\" }}"
destination = "secrets/consul.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501
CONSUL_HTTP_SSL=true
CONSUL_CACERT=/etc/bottin/consul.crt
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
EOH
destination = "secrets/env"
env = true
}
service {
tags = [ "${meta.site}" ]
port = "ldap_port"
address_mode = "host"
name = "bottin"
check {
type = "tcp"
port = "ldap_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

44
cluster/prod/app/core/deploy/d53.hcl → cluster/prod/app/core/deploy/core-service.hcl
View file

@ -1,5 +1,5 @@
job "core-d53" {
datacenters = ["neptune", "scorpio", "bespin"]
job "core-service" {
datacenters = ["neptune", "orion", "bespin"]
type = "service"
priority = 90
@ -10,7 +10,7 @@ job "core-d53" {
driver = "docker"
config {
image = "lxpz/amd64_d53:4"
image = "lxpz/amd64_d53:3"
network_mode = "host"
readonly_rootfs = true
volumes = [
@ -61,42 +61,4 @@ EOH
}
}
}
# Dummy task for Gitea (still on an external VM), runs on any bespin node
# and allows D53 to automatically update the A record for git.deuxfleurs.fr
# to the IPv4 address of the bespin site (that changes occasionnaly)
group "gitea-dummy" {
count = 1
network {
port "dummy" {
to = 999
}
}
task "main" {
driver = "docker"
constraint {
attribute = "${meta.site}"
operator = "="
value = "bespin"
}
config {
image = "alpine"
command = "sh"
args = ["-c", "while true; do echo x; sleep 60; done"]
ports = [ "dummy" ]
}
service {
name = "gitea-dummy"
port = "dummy"
tags = [
"d53-a git.deuxfleurs.fr",
]
}
}
}
}

257
cluster/prod/app/core/deploy/core-system.hcl Normal file
View file

@ -0,0 +1,257 @@
job "core" {
datacenters = ["orion", "neptune", "scorpio"]
type = "system"
priority = 90
update {
max_parallel = 1
stagger = "5m"
}
group "diplonat" {
task "diplonat" {
driver = "docker"
config {
image = "lxpz/amd64_diplonat:5"
network_mode = "host"
readonly_rootfs = true
privileged = true
volumes = [
"secrets:/etc/diplonat",
]
}
restart {
interval = "5m"
attempts = 10
delay = "15s"
mode = "delay"
}
template {
data = "{{ key \"secrets/consul/consul.crt\" }}"
destination = "secrets/consul.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
DIPLONAT_REFRESH_TIME=60
DIPLONAT_EXPIRATION_TIME=300
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
DIPLONAT_CONSUL_URL=https://consul.service.prod.consul:8501
DIPLONAT_CONSUL_TLS_SKIP_VERIFY=true
DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
RUST_LOG=debug
EOH
destination = "secrets/env"
env = true
}
resources {
memory = 100
memory_max = 200
}
}
}
group "tricot" {
constraint {
distinct_property = "${meta.site}"
value = "1"
}
network {
port "http_port" { static = 80 }
port "https_port" { static = 443 }
port "metrics_port" { static = 9334 }
}
task "server" {
driver = "docker"
config {
image = "lxpz/amd64_tricot:47"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]
volumes = [
"secrets:/etc/tricot",
]
}
resources {
cpu = 1000
memory = 200
memory_max = 500
}
restart {
interval = "5m"
attempts = 10
delay = "15s"
mode = "delay"
}
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
TRICOT_LETSENCRYPT_EMAIL=prod-sysadmin@deuxfleurs.fr
TRICOT_ENABLE_COMPRESSION=true
TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501
TRICOT_CONSUL_TLS_SKIP_VERIFY=true
TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
TRICOT_HTTP_BIND_ADDR=[::]:80
TRICOT_HTTPS_BIND_ADDR=[::]:443
TRICOT_METRICS_BIND_ADDR=[::]:9334
RUST_LOG=tricot=debug
EOH
destination = "secrets/env"
env = true
}
service {
name = "tricot-http"
port = "http_port"
tags = [ "(diplonat (tcp_port 80))", "${meta.site}" ]
address_mode = "host"
}
service {
name = "tricot-https"
port = "https_port"
tags = [
"(diplonat (tcp_port 443))",
"${meta.site}",
"d53-aaaa ${meta.site}.site.deuxfleurs.fr",
"d53-a global.site.deuxfleurs.fr",
"d53-aaaa global.site.deuxfleurs.fr",
]
address_mode = "host"
}
service {
name = "tricot-metrics"
port = "metrics_port"
address_mode = "host"
}
}
}
group "bottin" {
constraint {
distinct_property = "${meta.site}"
value = "1"
}
network {
port "ldap_port" {
static = 389
to = 389
}
}
task "bottin" {
driver = "docker"
config {
image = "dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z"
network_mode = "host"
readonly_rootfs = true
ports = [ "ldap_port" ]
volumes = [
"secrets/config.json:/config.json",
"secrets:/etc/bottin",
]
}
restart {
interval = "5m"
attempts = 10
delay = "15s"
mode = "delay"
}
resources {
memory = 100
memory_max = 200
}
template {
data = file("../config/bottin/config.json.tpl")
destination = "secrets/config.json"
}
template {
data = "{{ key \"secrets/consul/consul.crt\" }}"
destination = "secrets/consul.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
CONSUL_HTTP_ADDR=https://consul.service.prod.consul:8501
CONSUL_HTTP_SSL=true
CONSUL_CACERT=/etc/bottin/consul.crt
CONSUL_CLIENT_CERT=/etc/bottin/consul-client.crt
CONSUL_CLIENT_KEY=/etc/bottin/consul-client.key
EOH
destination = "secrets/env"
env = true
}
service {
tags = [ "${meta.site}" ]
port = "ldap_port"
address_mode = "host"
name = "bottin"
check {
type = "tcp"
port = "ldap_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

68
cluster/prod/app/core/deploy/diplonat.hcl
View file

@ -1,68 +0,0 @@
job "core-diplonat" {
datacenters = ["neptune", "scorpio", "bespin"]
type = "system"
priority = 90
update {
max_parallel = 2
stagger = "1m"
}
group "diplonat" {
task "diplonat" {
driver = "docker"
config {
image = "lxpz/amd64_diplonat:7"
network_mode = "host"
readonly_rootfs = true
privileged = true
volumes = [
"secrets:/etc/diplonat",
]
}
restart {
interval = "5m"
attempts = 10
delay = "15s"
mode = "delay"
}
template {
data = "{{ key \"secrets/consul/consul.crt\" }}"
destination = "secrets/consul.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
DIPLONAT_REFRESH_TIME=60
DIPLONAT_EXPIRATION_TIME=300
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
DIPLONAT_CONSUL_URL=https://consul.service.prod.consul:8501
DIPLONAT_CONSUL_TLS_SKIP_VERIFY=true
DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
RUST_LOG=debug
EOH
destination = "secrets/env"
env = true
}
resources {
memory = 100
memory_max = 200
}
}
}
}

123
cluster/prod/app/core/deploy/tricot.hcl
View file

@ -1,123 +0,0 @@
job "core-tricot" {
# bespin pas pour l'instant, on a des soucis de SSL avec gitea
# on pourra mettre bespin quand on aura migré gitea de la vm vers le cluster
# en attendant, les deux ne sont pas capables de partager les certificats SSL
# donc on laisse la VM gitea gérer les certifs et prendre tout le trafic http(s)
datacenters = ["neptune", "scorpio"]
type = "system"
priority = 90
update {
max_parallel = 1
stagger = "5m"
}
group "tricot" {
constraint {
distinct_property = "${meta.site}"
value = "1"
}
network {
port "http_port" { static = 80 }
port "https_port" { static = 443 }
port "metrics_port" { static = 9334 }
}
task "server" {
driver = "docker"
config {
image = "superboum/amd64_tricot:54"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port" ]
volumes = [
"secrets:/etc/tricot",
]
ulimit {
nofile = "65535:65535"
}
}
resources {
cpu = 1000
memory = 200
memory_max = 500
}
restart {
interval = "5m"
attempts = 10
delay = "15s"
mode = "delay"
}
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template {
data = <<EOH
TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
TRICOT_LETSENCRYPT_EMAIL=prod-sysadmin@deuxfleurs.fr
TRICOT_ENABLE_COMPRESSION=true
TRICOT_CONSUL_HOST=https://consul.service.prod.consul:8501
TRICOT_CONSUL_TLS_SKIP_VERIFY=true
TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
TRICOT_HTTP_BIND_ADDR=[::]:80
TRICOT_HTTPS_BIND_ADDR=[::]:443
TRICOT_METRICS_BIND_ADDR=[::]:9334
TRICOT_WARMUP_CERT_MEMORY_STORE=true
RUST_LOG=tricot=debug
EOH
destination = "secrets/env"
env = true
}
service {
name = "tricot-http"
port = "http_port"
tags = [
"(diplonat (tcp_port 80))",
"${meta.site}"
]
address_mode = "host"
}
service {
name = "tricot-https"
port = "https_port"
tags = [
"(diplonat (tcp_port 443))",
"${meta.site}",
"d53-a global.site.deuxfleurs.fr",
"d53-aaaa global.site.deuxfleurs.fr",
"d53-a ${meta.site}.site.deuxfleurs.fr",
"d53-aaaa ${meta.site}.site.deuxfleurs.fr",
"d53-a v4.${meta.site}.site.deuxfleurs.fr",
"d53-aaaa v6.${meta.site}.site.deuxfleurs.fr",
]
address_mode = "host"
}
service {
name = "tricot-metrics"
port = "metrics_port"
address_mode = "host"
}
}
}
}

4
cluster/prod/app/core/secrets.toml
View file

@ -3,7 +3,3 @@ type = 'user'
description = 'LDAP base DN for everything'
example = 'dc=example,dc=com'
[secrets."d53/gandi_api_key"]
type = 'user'
description = 'Gandi API key'

8
cluster/prod/app/coturn/deploy/coturn.hcl
View file

@ -1,5 +1,5 @@
job "coturn" {
datacenters = ["neptune", "scorpio"]
datacenters = ["neptune", "orion"]
type = "service"
priority = 100
@ -34,13 +34,15 @@ job "coturn" {
ports = [ "prometheus", "turn_ctrl", "turn_data0", "turn_data1", "turn_data2",
"turn_data3", "turn_data4", "turn_data5", "turn_data6", "turn_data7",
"turn_data8", "turn_data9" ]
entrypoint = ["/local/docker-entrypoint.sh"]
network_mode = "host"
volumes = [
"secrets/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh",
]
}
template {
data = file("../config/docker-entrypoint.sh")
destination = "local/docker-entrypoint.sh"
destination = "secrets/docker-entrypoint.sh"
perms = 555
}

57
cluster/prod/app/cryptpad/build/README.md
View file

@ -1,52 +1,29 @@
# CryptPad for NixOS with Deuxfleurs flavour
## Build
## Building
Cryptpad being not NixOS native, an upgrade must be done in 4 steps:
1. Bump the cryptpad version in `common.nix`
2. Rebuild the Nix lock files for the dependencies
3. Build the package for Nix
4. Create a container from the Nix package
The `default.nix` file follows the nixpkgs `callPackage` convention for fetching dependencies, so you need to either:
To bump the nix version, set the desired tag in `common.nix` in the `cryptpadVersion` entry.
Set the corresponding commit in the `cryptadCommit` field, its goal would be to detect unwanted update of the tag.
- Run `nix-build --expr '{ ... }@args: (import <nixpkgs> {}).callPackage ./default.nix args'`
- Do the `callPackage from a higher-level directory importing your package`
To rebuild the lock files (they are stored in the `nix.lock` folder):
### Docker
The `docker.nix` derives into a Docker image you can load simply by running:
```shell
docker load -i $(nix-build docker.nix)
```
nix-shell --run "update_lock"
```
You can then test the built Docker image using the provided `docker-compose.yml` and `config.js` files, which are
configured to render the instance accessible at `http://localhost:3000` with data stored into the `_data` folder.
To build cryptpad:
### Deuxfleurs flavour
The `deuxfleurs.nix` file derives into two derivations: The CryptPad derivation itself and a Docker image,
which can be choose by passing the `-A [name]` flags to `nix-build`
For example, to build and load the Deuxfleurs-flavoured CryptPad Docker image, you run:
```shell
docker load -i $(nix-build deuxfleurs.nix -A docker)
```
nix-build
```
## OnlyOffice integration
Apart for `deuxfleurs.nix`, both `default.nix` and `docker.nix` files build CryptPad with a copy of OnlyOffice pre-built and
used by CryptPad, which can result to large Docker image (~2.6GiB)
Create the container:
This behaviour is configurable by passing the `--arg withOnlyOffice false` flag to `nix-build` when building them.
## Updating the Deuxfleurs pinned nixpkgs
The pinned sources files are generated with the [npins](https://github.com/andir/npins) tool.
To update the pinned nixpkgs, you simply run the following command:
```shell
npins update
```
To modify the pinned nixpkgs, remove it and re-add it using the new target, for exemple for `nixos-unstable`:
```shell
npins remove nixpkgs
npins add --name nixpkgs channel nixos-unstable
docker load < $(nix-build docker.nix)
docker push superboum/cryptpad:???
```

22
cluster/prod/app/cryptpad/build/common.nix Normal file
View file

@ -0,0 +1,22 @@
rec {
cryptpadVersion = "4.14.1+2";
cryptpadCommit = "18c371bb5bda068a5d962dd7c4f0726320eea5e9";
pkgsSrc = fetchTarball {
# Latest commit on https://github.com/NixOS/nixpkgs/tree/nixos-21.11
# As of 2022-04-15
url ="https://github.com/NixOS/nixpkgs/archive/2f06b87f64bc06229e05045853e0876666e1b023.tar.gz";
sha256 = "sha256:1d7zg96xw4qsqh7c89pgha9wkq3rbi9as3k3d88jlxy2z0ns0cy2";
};
cryptpadSrc = builtins.fetchGit {
url = "https://github.com/superboum/cryptpad";
ref = "refs/tags/${cryptpadVersion}";
rev = cryptpadCommit;
};
bower2nixSrc = builtins.fetchGit {
url = "https://github.com/superboum/bower2nix";
ref = "new";
rev = "618ab3e206325c63fe4526ae842a1f6c792b0e27";
};
nodejs = "nodejs-slim-16_x";
}

189
cluster/prod/app/cryptpad/build/default.nix
View file

@ -1,132 +1,77 @@
{ lib
, stdenvNoCC
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
nodejs = pkgs.${common.nodejs};
, buildNpmPackage
, fetchFromGitHub
, fetchzip
bower = (pkgs.buildBowerComponents {
name = "cryptpad-${common.cryptpadVersion}-bower";
generated = ./nix.lock/bower.nix;
src = common.cryptpadSrc;
}).overrideAttrs (old: {
bowerPackages = old.bowerPackages.override (old_: {
# add missing dependencies:
# Those dependencies are EOL and they are not installed by buildBowerComponents,
# but they are required, otherwise the resolver crashes.
# * add the second jquery ~2.1.0 entry
# * add the second bootstrap ~3.1.1 entry
paths = old_.paths ++ [
(pkgs.fetchbower "jquery" "2.1.0" "~2.1.0" "02kwvz93vzpv10qnp7s0dz3al0jh77awwrizb6wadsvgifxssnlr")
(pkgs.fetchbower "bootstrap" "3.1.1" "~3.1.1" "06bhjwa8p7mzbpr3jkgydd804z1nwrkdql66h7jkfml99psv9811")
];
});
});
, nodejs
, withOnlyOffice ? true
}: let
onlyOfficeVersions = {
v1 = {
rev = "4f370bebe96e3a0d4054df87412ee5b2c6ed8aaa";
hash = "sha256-TE/99qOx4wT2s0op9wi+SHwqTPYq/H+a9Uus9Zj4iSY=";
};
v2b = {
rev = "d9da72fda95daf93b90ffa345757c47eb5b919dd";
hash = "sha256-SiRDRc2vnLwCVnvtk+C8PKw7IeuSzHBaJmZHogRe3hQ=";
};
v4 = {
rev = "6ebc6938b6841440ffad2efc1e23f1dc1ceda964";
hash = "sha256-eto1+8Tk/s3kbUCpbUh8qCS8EOq700FYG1/KiHyynaA=";
};
v5 = {
rev = "88a356f08ded2f0f4620bda66951caf1d7f02c21";
hash = "sha256-8j1rlAyHlKx6oAs2pIhjPKcGhJFj6ZzahOcgenyeOCc=";
};
v6 = {
rev = "abd8a309f6dd37289f950cd8cea40df4492d8a15";
hash = "sha256-BZdExj2q/bqUD3k9uluOot2dlrWKA+vpad49EdgXKww=";
};
v7 = {
rev = "e1267803ea749cd93e9d5f81438011ea620d04af";
hash = "sha256-iIds0GnCHAyeIEdSD4aCCgDtnnwARh3NE470CywseS0=";
};
npm = import ./nix.lock/npm.nix {
inherit pkgs;
};
mkOnlyOffice = {
pname, version
}: stdenvNoCC.mkDerivation (final: {
pname = "${pname}-onlyoffice";
inherit version;
in
pkgs.stdenv.mkDerivation {
name = "cryptpad-${common.cryptpadVersion}";
src = common.cryptpadSrc;
x2t = let
version = "v7.3+1";
in fetchzip {
url = "https://github.com/cryptpad/onlyoffice-x2t-wasm/releases/download/${version}/x2t.zip";
hash = "sha256-d5raecsTOflo0UpjSEZW5lker4+wdkTb6IyHNq5iBg8=";
stripRoot = false;
};
buildPhase = ''
cp -r ${npm.nodeDependencies}/lib/node_modules node_modules
chmod +w -R node_modules
srcs = lib.mapAttrsToList (version: { rev, hash ? lib.fakeHash }: fetchFromGitHub {
name = "${final.pname}-${version}-source";
owner = "cryptpad";
repo = "onlyoffice-builds";
inherit rev hash;
}) onlyOfficeVersions;
# clear executable files inside the node_modules folder to reduce dependencies
# and attack surface
find node_modules -type f ! -path 'node_modules/gar/*' -executable -print | tee >(xargs -n 20 rm)
dontBuild = true;
sourceRoot = ".";
# Remove only office that IS BIG
# COMMENTED as it is not as easy as planned.
# rm -rf www/common/onlyoffice
'';
installPhase = ''
mkdir -p $out
${lib.concatLines (map
(version: "cp -Tr ${final.pname}-${version}-source $out/${version}")
(builtins.attrNames onlyOfficeVersions)
)}
cp -Tr $x2t $out/x2t
mkdir -p $out/{bin,opt}
out_cryptpad=$out/opt/
# copy the source code
cp -r .bowerrc bower.json package.json package-lock.json customize.dist lib server.js www $out_cryptpad
# mount node_modules
cp -r node_modules $out_cryptpad/node_modules
# patch
substituteInPlace $out_cryptpad/lib/workers/index.js --replace "lib/workers/db-worker" "$out_cryptpad/lib/workers/db-worker"
# mount bower, based on the .bowerrc file at the git repo root
cp -r ${bower}/bower_components $out_cryptpad/www/
# cryptpad is bugged with absolute path, this is a workaround to use absolute path as relative path
ln -s / $out_cryptpad/root
# start script, cryptpad is lost if its working directory is not its source directory
cat > $out/bin/cryptpad <<EOF
#!${pkgs.stdenv.shell}
cd $out_cryptpad
exec ${nodejs}/bin/node server.js
EOF
chmod +x $out/bin/cryptpad
'';
});
in buildNpmPackage rec {
pname = "cryptpad";
version = "2024.6.1";
src = fetchFromGitHub {
owner = "cryptpad";
repo = "cryptpad";
rev = version;
hash = "sha256-qwyXpTY8Ds7R5687PVGZa/rlEyrAZjNzJ4+VQZpF8v0=";
};
npmDepsHash = "sha256-GSTPsXqe/rxiDh5OW2t+ZY1YRNgRSDxkJ0pvcLIFtFw=";
inherit nodejs;
onlyOffice = lib.optional withOnlyOffice (mkOnlyOffice {
inherit pname version;
});
makeCacheWritable = true;
dontFixup = true;
preBuild = ''
npm run install:components
'' + lib.optionalString withOnlyOffice ''
ln -s $onlyOffice www/common/onlyoffice/dist
'';
postBuild = ''
rm -rf customize
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -R . $out/
substituteInPlace $out/lib/workers/index.js \
--replace-warn "lib/workers/db-worker" "$out/lib/workers/db-worker"
makeWrapper ${lib.getExe nodejs} $out/bin/cryptpad-server \
--chdir $out \
--add-flags server.js
runHook postInstall
'';
passthru = {
inherit onlyOffice;
};
meta = {
description = "Collaborative office suite, end-to-end encrypted and open-source.";
homepage = "https://cryptpad.org";
changelog = "https://github.com/cryptpad/cryptpad/releases/tag/${version}";
license = lib.licenses.agpl3Plus;
platforms = lib.platforms.all;
mainProgram = "cryptpad-server";
};
}
dontFixup = true;
}

14
cluster/prod/app/cryptpad/build/deuxfleurs.nix
View file

@ -1,14 +0,0 @@
{ name ? "deuxfleurs/cryptpad"
, tag ? "nix-latest"
}: let
sources = import ./npins;
pkgs = import sources.nixpkgs {};
in rec {
cryptpad = pkgs.callPackage ./default.nix {};
docker = import ./docker.nix {
inherit pkgs;
inherit name tag;
inherit cryptpad;
withOnlyOffice = true;
};
}

36
cluster/prod/app/cryptpad/build/docker.nix
View file

@ -1,27 +1,11 @@
{ pkgs ? import <nixpkgs> {}
, name ? "cryptpad"
, tag ? "nix-latest"
, withOnlyOffice ? true
, cryptpad ? pkgs.callPackage ./default.nix { inherit withOnlyOffice; }
}: let
cryptpad' = cryptpad.overrideAttrs {
postInstall = ''
ln -sf /cryptpad/customize $out/customize
'';
};
in pkgs.dockerTools.buildImage {
inherit name tag;
config = {
Cmd = [
(pkgs.lib.getExe cryptpad')
];
Volumes = {
"/cryptpad/customize" = {};
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
app = import ./default.nix;
in
pkgs.dockerTools.buildLayeredImage {
name = "superboum/cryptpad";
config = {
Cmd = [ "${app}/bin/cryptpad" ];
};
};
}
}

57
cluster/prod/app/cryptpad/build/nix.lock/bower.json Normal file
View file

@ -0,0 +1,57 @@
{
"name": "cryptpad",
"version": "0.1.0",
"authors": [
"Caleb James DeLisle <cjd@cjdns.fr>"
],
"description": "realtime collaborative visual editor with zero knowlege server",
"main": "www/index.html",
"moduleType": [
"node"
],
"license": "AGPLv3",
"ignore": [
"**/.*",
"node_modules",
"bower_components",
"test",
"tests"
],
"dependencies": {
"jquery": "3.6.0",
"tweetnacl": "0.12.2",
"components-font-awesome": "^4.6.3",
"ckeditor": "4.14.0",
"codemirror": "^5.19.0",
"requirejs": "2.3.5",
"marked": "1.1.0",
"rangy": "rangy-release#~1.3.0",
"json.sortify": "~2.1.0",
"hyperjson": "~1.4.0",
"chainpad-crypto": "^0.2.0",
"chainpad-listmap": "^1.0.0",
"chainpad": "^5.2.0",
"file-saver": "1.3.1",
"alertifyjs": "1.0.11",
"scrypt-async": "1.2.0",
"require-css": "0.1.10",
"bootstrap": "^v4.0.0",
"diff-dom": "2.1.1",
"nthen": "0.1.7",
"open-sans-fontface": "^1.4.2",
"bootstrap-tokenfield": "0.12.1",
"localforage": "^1.5.2",
"html2canvas": "^0.4.1",
"croppie": "^2.5.0",
"sortablejs": "^1.6.0",
"saferphore": "^0.0.1",
"jszip": "3.7.1",
"requirejs-plugins": "^1.0.3",
"dragula.js": "3.7.2",
"MathJax": "3.0.5"
},
"resolutions": {
"bootstrap": "^v4.0.0",
"jquery": "3.6.0"
}
}

37
cluster/prod/app/cryptpad/build/nix.lock/bower.nix Normal file
View file

@ -0,0 +1,37 @@
# Generated by bower2nix v3.3.0 (https://github.com/rvl/bower2nix)
{ fetchbower, buildEnv }:
buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
(fetchbower "jquery" "3.6.0" "3.6.0" "1wx5n605x6ga483hba43gxjncgzk8yvxc3h0jlwgpjd0h54y9v6l")
(fetchbower "tweetnacl" "0.12.2" "0.12.2" "1lfzbfrdaly3zyzbcp1p53yhxlrx56k8x04q924kg7l52gblm65g")
(fetchbower "components-font-awesome" "4.7.0" "^4.6.3" "1w27im6ayjrbgjqa0i49ml5d3wy4ld40h9b29hz9myv77bpx4lg1")
(fetchbower "ckeditor" "4.14.0" "4.14.0" "0lw9q0k8c0jlxvf35vrccab9c3c8rgpc6x66czj9si8yy2lyliyp")
(fetchbower "codemirror" "5.65.3" "^5.19.0" "0z6pd0q0cy0k0dkplx4f3cmmjqbiixv6wqlzbz5j8dnsxr5hhgzh")
(fetchbower "requirejs" "2.3.5" "2.3.5" "05lyvgz914h2w08r24rk0vkk3yxmqrvlg7j3i5av9ffkg9lpzsli")
(fetchbower "marked" "1.1.0" "1.1.0" "1sdgqw9iki9c1pfm4c5h6c956mchbip2jywjrcmrlb75k53flsjz")
(fetchbower "rangy" "rangy-release#1.3.0" "rangy-release#~1.3.0" "13x3wci003p8jyv2ncir0k23bxckx99b3555r0zvgmlwycg7w0zv")
(fetchbower "json.sortify" "2.1.0" "~2.1.0" "1rz9xz0gnm4ak31n10vhslqsw8fw493gjylwj8xsy3bxqq1ygpnh")
(fetchbower "hyperjson" "1.4.0" "~1.4.0" "1n68ls3x4lyhg1yy8i4q3xkgh5xqpyakf45sny4x91mkr68x4bd9")
(fetchbower "chainpad-crypto" "0.2.7" "^0.2.0" "16j0gjj1v8dckqpsg38229qs4dammz7vx8ywsik6f0brzf4py65a")
(fetchbower "chainpad-listmap" "1.0.1" "^1.0.0" "0s2v27hhraifb1yjw5fka4a922zmgsdngsaq1nfd48gbs8gd2rrd")
(fetchbower "chainpad" "5.2.4" "^5.2.0" "1f4nap0r8w50qpmjdfhhjhpz5xcl0n4zaxxnav1qaxi5j6dyg8h6")
(fetchbower "file-saver" "1.3.1" "1.3.1" "065nzkvdiicxnw06z1sjz1sbp9nyis8z839hv6ng1fk25dc5kvkg")
(fetchbower "alertifyjs" "1.0.11" "1.0.11" "0v7323bzq90k35shm3h6azj4wd9la3kbi1va1pw4qyvndkwma69l")
(fetchbower "scrypt-async" "1.2.0" "1.2.0" "0d076ax708p9b8hcmk4f82j925nlnm0hmp0ni45ql37g7iirfpyv")
(fetchbower "require-css" "0.1.10" "0.1.10" "106gz9i76v71q9zx2pnqkkj342m630lvssnw54023a0ljc0gqcwq")
(fetchbower "bootstrap" "4.6.1" "^v4.0.0" "0g8zy1fl396lawgjvfhlpcl38zxsgybhnzi8b6b4m9nccvmpxv83")
(fetchbower "diff-dom" "2.1.1" "2.1.1" "0bp8c80g11hhlkvl3lhrqc39jvqiiyqvrgk1nsn35ps01ava07z9")
(fetchbower "nthen" "0.1.7" "0.1.7" "03yap5ildigaw4rwxmxs37pcwhq415iham8w39zd56ka98gpfxa5")
(fetchbower "open-sans-fontface" "1.4.2" "^1.4.2" "0ksav1fcq640fmdz49ra4prwsrrfj35y2p4shx1jh1j7zxd044nf")
(fetchbower "bootstrap-tokenfield" "0.12.1" "0.12.1" "1dh791s6ih8bf9ihck9n39h68c273jb3lg4mqk94bvqraz45fvwx")
(fetchbower "localforage" "1.10.0" "^1.5.2" "019rh006v2w5x63mgk78qhw59kf8czbkwdvfngmac8fs6gz88lc8")
(fetchbower "html2canvas" "0.4.1" "^0.4.1" "0yg7y90nav068q0i5afc2c221zkddpf28hi0hwc46cawx4180c69")
(fetchbower "croppie" "2.6.5" "^2.5.0" "1j1v5620zi13ad42r358i4ay891abwn6nz357484kgq2bgjj6ccx")
(fetchbower "sortablejs" "1.15.0" "^1.6.0" "1wk1097jrxbp2c4ghcppqd3h2gnq5b01qkf9426mc08zgszlvjr7")
(fetchbower "saferphore" "0.0.1" "^0.0.1" "1wfr9wpbm3lswmvy2p0247ydb108h4qh5s286py89k871qh6jwdi")
(fetchbower "jszip" "3.7.1" "3.7.1" "0f14bak7vylxizi6pvj3znjc2cx922avbv7lslklvic85x0318lf")
(fetchbower "requirejs-plugins" "1.0.3" "^1.0.3" "00s3sdz1ykygx5shldwhhhybwgw7c99vkqd94i5i5x0gl97ifxf5")
(fetchbower "dragula.js" "3.7.2" "3.7.2" "0dbkmrl8bcxiplprmmp9fj96ri5nahb2ql8cc7zwawncv0drvlh0")
(fetchbower "MathJax" "3.0.5" "3.0.5" "087a9av15qj43m8pr3b9g59ncmydhmg40m6dfzsac62ykianh2a0")
(fetchbower "chainpad-netflux" "1.0.0" "^1.0.0" "08rpc73x1vyvd6zkb7w0m1smzjhq3b7cwb30nlmg93x873zjlsl6")
(fetchbower "netflux-websocket" "1.0.0" "^1.0.0" "10hgc5ra3ll7qc2r8aal6p03gx6dgz06l2b54lh995pvf901wzi6")
]; }

588
cluster/prod/app/cryptpad/build/nix.lock/node-env.nix Normal file
View file

@ -0,0 +1,588 @@
# This file originates from node2nix
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}:
let
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux;
python = if nodejs ? python then nodejs.python else python2;
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
tarWrapper = runCommand "tarWrapper" {} ''
mkdir -p $out/bin
cat > $out/bin/tar <<EOF
#! ${stdenv.shell} -e
$(type -p tar) "\$@" --warning=no-unknown-keyword --delay-directory-restore
EOF
chmod +x $out/bin/tar
'';
# Function that generates a TGZ file from a NPM project
buildNodeSourceDist =
{ name, version, src, ... }:
stdenv.mkDerivation {
name = "node-tarball-${name}-${version}";
inherit src;
buildInputs = [ nodejs ];
buildPhase = ''
export HOME=$TMPDIR
tgzFile=$(npm pack | tail -n 1) # Hooks to the pack command will add output (https://docs.npmjs.com/misc/scripts)
'';
installPhase = ''
mkdir -p $out/tarballs
mv $tgzFile $out/tarballs
mkdir -p $out/nix-support
echo "file source-dist $out/tarballs/$tgzFile" >> $out/nix-support/hydra-build-products
'';
};
# Common shell logic
installPackage = writeShellScript "install-package" ''
installPackage() {
local packageName=$1 src=$2
local strippedName
local DIR=$PWD
cd $TMPDIR
unpackFile $src
# Make the base dir in which the target dependency resides first
mkdir -p "$(dirname "$DIR/$packageName")"
if [ -f "$src" ]
then
# Figure out what directory has been unpacked
packageDir="$(find . -maxdepth 1 -type d | tail -1)"
# Restore write permissions to make building work
find "$packageDir" -type d -exec chmod u+x {} \;
chmod -R u+w "$packageDir"
# Move the extracted tarball into the output folder
mv "$packageDir" "$DIR/$packageName"
elif [ -d "$src" ]
then
# Get a stripped name (without hash) of the source directory.
# On old nixpkgs it's already set internally.
if [ -z "$strippedName" ]
then
strippedName="$(stripHash $src)"
fi
# Restore write permissions to make building work
chmod -R u+w "$strippedName"
# Move the extracted directory into the output folder
mv "$strippedName" "$DIR/$packageName"
fi
# Change to the package directory to install dependencies
cd "$DIR/$packageName"
}
'';
# Bundle the dependencies of the package
#
# Only include dependencies if they don't exist. They may also be bundled in the package.
includeDependencies = {dependencies}:
lib.optionalString (dependencies != []) (
''
mkdir -p node_modules
cd node_modules
''
+ (lib.concatMapStrings (dependency:
''
if [ ! -e "${dependency.name}" ]; then
${composePackage dependency}
fi
''
) dependencies)
+ ''
cd ..
''
);
# Recursively composes the dependencies of a package
composePackage = { name, packageName, src, dependencies ? [], ... }@args:
builtins.addErrorContext "while evaluating node package '${packageName}'" ''
installPackage "${packageName}" "${src}"
${includeDependencies { inherit dependencies; }}
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
'';
pinpointDependencies = {dependencies, production}:
let
pinpointDependenciesFromPackageJSON = writeTextFile {
name = "pinpointDependencies.js";
text = ''
var fs = require('fs');
var path = require('path');
function resolveDependencyVersion(location, name) {
if(location == process.env['NIX_STORE']) {
return null;
} else {
var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
if(fs.existsSync(dependencyPackageJSON)) {
var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
if(dependencyPackageObj.name == name) {
return dependencyPackageObj.version;
}
} else {
return resolveDependencyVersion(path.resolve(location, ".."), name);
}
}
}
function replaceDependencies(dependencies) {
if(typeof dependencies == "object" && dependencies !== null) {
for(var dependency in dependencies) {
var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
if(resolvedVersion === null) {
process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
} else {
dependencies[dependency] = resolvedVersion;
}
}
}
}
/* Read the package.json configuration */
var packageObj = JSON.parse(fs.readFileSync('./package.json'));
/* Pinpoint all dependencies */
replaceDependencies(packageObj.dependencies);
if(process.argv[2] == "development") {
replaceDependencies(packageObj.devDependencies);
}
replaceDependencies(packageObj.optionalDependencies);
/* Write the fixed package.json file */
fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
'';
};
in
''
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
${lib.optionalString (dependencies != [])
''
if [ -d node_modules ]
then
cd node_modules
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
cd ..
fi
''}
'';
# Recursively traverses all dependencies of a package and pinpoints all
# dependencies in the package.json file to the versions that are actually
# being used.
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
''
if [ -d "${packageName}" ]
then
cd "${packageName}"
${pinpointDependencies { inherit dependencies production; }}
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
fi
'';
# Extract the Node.js source code which is used to compile packages with
# native bindings
nodeSources = runCommand "node-sources" {} ''
tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
mv node-* $out
'';
# Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
addIntegrityFieldsScript = writeTextFile {
name = "addintegrityfields.js";
text = ''
var fs = require('fs');
var path = require('path');
function augmentDependencies(baseDir, dependencies) {
for(var dependencyName in dependencies) {
var dependency = dependencies[dependencyName];
// Open package.json and augment metadata fields
var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
var packageJSONPath = path.join(packageJSONDir, "package.json");
if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
console.log("Adding metadata fields to: "+packageJSONPath);
var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
if(dependency.integrity) {
packageObj["_integrity"] = dependency.integrity;
} else {
packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
}
if(dependency.resolved) {
packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
} else {
packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
}
if(dependency.from !== undefined) { // Adopt from property if one has been provided
packageObj["_from"] = dependency.from;
}
fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
}
// Augment transitive dependencies
if(dependency.dependencies !== undefined) {
augmentDependencies(packageJSONDir, dependency.dependencies);
}
}
}
if(fs.existsSync("./package-lock.json")) {
var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
if(![1, 2].includes(packageLock.lockfileVersion)) {
process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
process.exit(1);
}
if(packageLock.dependencies !== undefined) {
augmentDependencies(".", packageLock.dependencies);
}
}
'';
};
# Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
reconstructPackageLock = writeTextFile {
name = "addintegrityfields.js";
text = ''
var fs = require('fs');
var path = require('path');
var packageObj = JSON.parse(fs.readFileSync("package.json"));
var lockObj = {
name: packageObj.name,
version: packageObj.version,
lockfileVersion: 1,
requires: true,
dependencies: {}
};
function augmentPackageJSON(filePath, dependencies) {
var packageJSON = path.join(filePath, "package.json");
if(fs.existsSync(packageJSON)) {
var packageObj = JSON.parse(fs.readFileSync(packageJSON));
dependencies[packageObj.name] = {
version: packageObj.version,
integrity: "sha1-000000000000000000000000000=",
dependencies: {}
};
processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
}
}
function processDependencies(dir, dependencies) {
if(fs.existsSync(dir)) {
var files = fs.readdirSync(dir);
files.forEach(function(entry) {
var filePath = path.join(dir, entry);
var stats = fs.statSync(filePath);
if(stats.isDirectory()) {
if(entry.substr(0, 1) == "@") {
// When we encounter a namespace folder, augment all packages belonging to the scope
var pkgFiles = fs.readdirSync(filePath);
pkgFiles.forEach(function(entry) {
if(stats.isDirectory()) {
var pkgFilePath = path.join(filePath, entry);
augmentPackageJSON(pkgFilePath, dependencies);
}
});
} else {
augmentPackageJSON(filePath, dependencies);
}
}
});
}
}
processDependencies("node_modules", lockObj.dependencies);
fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
'';
};
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
let
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
in
''
# Pinpoint the versions of all dependencies to the ones that are actually being used
echo "pinpointing versions of dependencies..."
source $pinpointDependenciesScriptPath
# Patch the shebangs of the bundled modules to prevent them from
# calling executables outside the Nix store as much as possible
patchShebangs .
# Deploy the Node.js package by running npm install. Since the
# dependencies have been provided already by ourselves, it should not
# attempt to install them again, which is good, because we want to make
# it Nix's responsibility. If it needs to install any dependencies
# anyway (e.g. because the dependency parameters are
# incomplete/incorrect), it fails.
#
# The other responsibilities of NPM are kept -- version checks, build
# steps, postprocessing etc.
export HOME=$TMPDIR
cd "${packageName}"
runHook preRebuild
${lib.optionalString bypassCache ''
${lib.optionalString reconstructLock ''
if [ -f package-lock.json ]
then
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
rm package-lock.json
else
echo "No package-lock.json file found, reconstructing..."
fi
node ${reconstructPackageLock}
''}
node ${addIntegrityFieldsScript}
''}
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
if [ "''${dontNpmInstall-}" != "1" ]
then
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
fi
'';
# Builds and composes an NPM package including all its dependencies
buildNodePackage =
{ name
, packageName
, version
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, preRebuild ? ""
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, meta ? {}
, ... }@args:
let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
in
stdenv.mkDerivation ({
name = "${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
++ lib.optional (stdenv.isLinux) utillinux
++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit nodejs;
inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall preRebuild unpackPhase buildPhase;
compositionScript = composePackage args;
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
installPhase = ''
source ${installPackage}
# Create and enter a root node_modules/ folder
mkdir -p $out/lib/node_modules
cd $out/lib/node_modules
# Compose the package and all its dependencies
source $compositionScriptPath
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
# Create symlink to the deployed executable folder, if applicable
if [ -d "$out/lib/node_modules/.bin" ]
then
ln -s $out/lib/node_modules/.bin $out/bin
fi
# Create symlinks to the deployed manual page folders, if applicable
if [ -d "$out/lib/node_modules/${packageName}/man" ]
then
mkdir -p $out/share
for dir in "$out/lib/node_modules/${packageName}/man/"*
do
mkdir -p $out/share/man/$(basename "$dir")
for page in "$dir"/*
do
ln -s $page $out/share/man/$(basename "$dir")
done
done
fi
# Run post install hook, if provided
runHook postInstall
'';
meta = {
# default to Node.js' platforms
platforms = nodejs.meta.platforms;
} // meta;
} // extraArgs);
# Builds a node environment (a node_modules folder and a set of binaries)
buildNodeDependencies =
{ name
, packageName
, version
, src
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
in
stdenv.mkDerivation ({
name = "node-dependencies-${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
++ lib.optional (stdenv.isLinux) utillinux
++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall unpackPhase buildPhase;
includeScript = includeDependencies { inherit dependencies; };
pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
installPhase = ''
source ${installPackage}
mkdir -p $out/${packageName}
cd $out/${packageName}
source $includeScriptPath
# Create fake package.json to make the npm commands work properly
cp ${src}/package.json .
chmod 644 package.json
${lib.optionalString bypassCache ''
if [ -f ${src}/package-lock.json ]
then
cp ${src}/package-lock.json .
fi
''}
# Go to the parent folder to make sure that all packages are pinpointed
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
# Expose the executables that were installed
cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
mv ${packageName} lib
ln -s $out/lib/node_modules/.bin $out/bin
'';
} // extraArgs);
# Builds a development shell
buildNodeShell =
{ name
, packageName
, version
, src
, dependencies ? []
, buildInputs ? []
, production ? true
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let
nodeDependencies = buildNodeDependencies args;
in
stdenv.mkDerivation {
name = "node-shell-${name}-${version}";
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
buildCommand = ''
mkdir -p $out/bin
cat > $out/bin/shell <<EOF
#! ${stdenv.shell} -e
$shellHook
exec ${stdenv.shell}
EOF
chmod +x $out/bin/shell
'';
# Provide the dependencies in a development shell through the NODE_PATH environment variable
inherit nodeDependencies;
shellHook = lib.optionalString (dependencies != []) ''
export NODE_PATH=${nodeDependencies}/lib/node_modules
export PATH="${nodeDependencies}/bin:$PATH"
'';
};
in
{
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
buildNodePackage = lib.makeOverridable buildNodePackage;
buildNodeDependencies = lib.makeOverridable buildNodeDependencies;
buildNodeShell = lib.makeOverridable buildNodeShell;
}

756
cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix Normal file
View file

@ -0,0 +1,756 @@
# This file has been generated by node2nix 1.9.0. Do not edit!
{nodeEnv, fetchurl, fetchgit, nix-gitignore, stdenv, lib, globalBuildInputs ? []}:
let
sources = {
"@mcrowe/minibloom-0.2.0" = {
name = "_at_mcrowe_slash_minibloom";
packageName = "@mcrowe/minibloom";
version = "0.2.0";
src = fetchurl {
url = "https://registry.npmjs.org/@mcrowe/minibloom/-/minibloom-0.2.0.tgz";
sha1 = "1bed96aec18388198da37443899b2c3ff5948053";
};
};
"accepts-1.3.8" = {
name = "accepts";
packageName = "accepts";
version = "1.3.8";
src = fetchurl {
url = "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz";
sha512 = "PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==";
};
};
"array-flatten-1.1.1" = {
name = "array-flatten";
packageName = "array-flatten";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz";
sha1 = "9a5f699051b1e7073328f2a008968b64ea2955d2";
};
};
"async-limiter-1.0.1" = {
name = "async-limiter";
packageName = "async-limiter";
version = "1.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/async-limiter/-/async-limiter-1.0.1.tgz";
sha512 = "csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==";
};
};
"body-parser-1.18.3" = {
name = "body-parser";
packageName = "body-parser";
version = "1.18.3";
src = fetchurl {
url = "https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz";
sha1 = "5b292198ffdd553b3a0f20ded0592b956955c8b4";
};
};
"bytes-3.0.0" = {
name = "bytes";
packageName = "bytes";
version = "3.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/bytes/-/bytes-3.0.0.tgz";
sha1 = "d32815404d689699f85a4ea4fa8755dd13a96048";
};
};
"chainpad-crypto-0.2.7" = {
name = "chainpad-crypto";
packageName = "chainpad-crypto";
version = "0.2.7";
src = fetchurl {
url = "https://registry.npmjs.org/chainpad-crypto/-/chainpad-crypto-0.2.7.tgz";
sha512 = "H2FfFmMwWw4i8XeGVjKUNEmgOnJohlAvc5IpnVnHqCDm6axntpZ15rv9hV70uhzDrmFhlAPW8MoY4roe5PhUyA==";
};
};
"chainpad-server-5.1.0" = {
name = "chainpad-server";
packageName = "chainpad-server";
version = "5.1.0";
src = fetchurl {
url = "https://registry.npmjs.org/chainpad-server/-/chainpad-server-5.1.0.tgz";
sha512 = "BdjgOOLTXXo1EjQ7lURDe7oqsqfQISNvwhILfp3K3diY2K1hxpPLbjYzOSgxNOTADeOAff0xnInR5eUCESVWaQ==";
};
};
"content-disposition-0.5.2" = {
name = "content-disposition";
packageName = "content-disposition";
version = "0.5.2";
src = fetchurl {
url = "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.2.tgz";
sha1 = "0cf68bb9ddf5f2be7961c3a85178cb85dba78cb4";
};
};
"content-type-1.0.4" = {
name = "content-type";
packageName = "content-type";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/content-type/-/content-type-1.0.4.tgz";
sha512 = "hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==";
};
};
"cookie-0.3.1" = {
name = "cookie";
packageName = "cookie";
version = "0.3.1";
src = fetchurl {
url = "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz";
sha1 = "e7e0a1f9ef43b4c8ba925c5c5a96e806d16873bb";
};
};
"cookie-signature-1.0.6" = {
name = "cookie-signature";
packageName = "cookie-signature";
version = "1.0.6";
src = fetchurl {
url = "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz";
sha1 = "e303a882b342cc3ee8ca513a79999734dab3ae2c";
};
};
"debug-2.6.9" = {
name = "debug";
packageName = "debug";
version = "2.6.9";
src = fetchurl {
url = "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz";
sha512 = "bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==";
};
};
"depd-1.1.2" = {
name = "depd";
packageName = "depd";
version = "1.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz";
sha1 = "9bcd52e14c097763e749b274c4346ed2e560b5a9";
};
};
"destroy-1.0.4" = {
name = "destroy";
packageName = "destroy";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/destroy/-/destroy-1.0.4.tgz";
sha1 = "978857442c44749e4206613e37946205826abd80";
};
};
"ee-first-1.1.1" = {
name = "ee-first";
packageName = "ee-first";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz";
sha1 = "590c61156b0ae2f4f0255732a158b266bc56b21d";
};
};
"encodeurl-1.0.2" = {
name = "encodeurl";
packageName = "encodeurl";
version = "1.0.2";
src = fetchurl {
url = "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz";
sha1 = "ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59";
};
};
"escape-html-1.0.3" = {
name = "escape-html";
packageName = "escape-html";
version = "1.0.3";
src = fetchurl {
url = "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz";
sha1 = "0258eae4d3d0c0974de1c169188ef0051d1d1988";
};
};
"etag-1.8.1" = {
name = "etag";
packageName = "etag";
version = "1.8.1";
src = fetchurl {
url = "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz";
sha1 = "41ae2eeb65efa62268aebfea83ac7d79299b0887";
};
};
"express-4.16.4" = {
name = "express";
packageName = "express";
version = "4.16.4";
src = fetchurl {
url = "https://registry.npmjs.org/express/-/express-4.16.4.tgz";
sha512 = "j12Uuyb4FMrd/qQAm6uCHAkPtO8FDTRJZBDd5D2KOL2eLaz1yUNdUB/NOIyq0iU4q4cFarsUCrnFDPBcnksuOg==";
};
};
"finalhandler-1.1.1" = {
name = "finalhandler";
packageName = "finalhandler";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/finalhandler/-/finalhandler-1.1.1.tgz";
sha512 = "Y1GUDo39ez4aHAw7MysnUD5JzYX+WaIj8I57kO3aEPT1fFRL4sr7mjei97FgnwhAyyzRYmQZaTHb2+9uZ1dPtg==";
};
};
"forwarded-0.2.0" = {
name = "forwarded";
packageName = "forwarded";
version = "0.2.0";
src = fetchurl {
url = "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz";
sha512 = "buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==";
};
};
"fresh-0.5.2" = {
name = "fresh";
packageName = "fresh";
version = "0.5.2";
src = fetchurl {
url = "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz";
sha1 = "3d8cadd90d976569fa835ab1f8e4b23a105605a7";
};
};
"fs-extra-7.0.1" = {
name = "fs-extra";
packageName = "fs-extra";
version = "7.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/fs-extra/-/fs-extra-7.0.1.tgz";
sha512 = "YJDaCJZEnBmcbw13fvdAM9AwNOJwOzrE4pqMqBq5nFiEqXUqHwlK4B+3pUw6JNvfSPtX05xFHtYy/1ni01eGCw==";
};
};
"gar-1.0.4" = {
name = "gar";
packageName = "gar";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/gar/-/gar-1.0.4.tgz";
sha512 = "w4n9cPWyP7aHxKxYHFQMegj7WIAsL/YX/C4Bs5Rr8s1H9M1rNtRWRsw+ovYMkXDQ5S4ZbYHsHAPmevPjPgw44w==";
};
};
"get-folder-size-2.0.1" = {
name = "get-folder-size";
packageName = "get-folder-size";
version = "2.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/get-folder-size/-/get-folder-size-2.0.1.tgz";
sha512 = "+CEb+GDCM7tkOS2wdMKTn9vU7DgnKUTuDlehkNJKNSovdCOVxs14OfKCk4cvSaR3za4gj+OBdl9opPN9xrJ0zA==";
};
};
"graceful-fs-4.2.10" = {
name = "graceful-fs";
packageName = "graceful-fs";
version = "4.2.10";
src = fetchurl {
url = "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz";
sha512 = "9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==";
};
};
"http-errors-1.6.3" = {
name = "http-errors";
packageName = "http-errors";
version = "1.6.3";
src = fetchurl {
url = "https://registry.npmjs.org/http-errors/-/http-errors-1.6.3.tgz";
sha1 = "8b55680bb4be283a0b5bf4ea2e38580be1d9320d";
};
};
"iconv-lite-0.4.23" = {
name = "iconv-lite";
packageName = "iconv-lite";
version = "0.4.23";
src = fetchurl {
url = "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.23.tgz";
sha512 = "neyTUVFtahjf0mB3dZT77u+8O0QB89jFdnBkd5P1JgYPbPaia3gXXOVL2fq8VyU2gMMD7SaN7QukTB/pmXYvDA==";
};
};
"inherits-2.0.3" = {
name = "inherits";
packageName = "inherits";
version = "2.0.3";
src = fetchurl {
url = "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz";
sha1 = "633c2c83e3da42a502f52466022480f4208261de";
};
};
"ipaddr.js-1.9.1" = {
name = "ipaddr.js";
packageName = "ipaddr.js";
version = "1.9.1";
src = fetchurl {
url = "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz";
sha512 = "0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==";
};
};
"jsonfile-4.0.0" = {
name = "jsonfile";
packageName = "jsonfile";
version = "4.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/jsonfile/-/jsonfile-4.0.0.tgz";
sha1 = "8771aae0799b64076b76640fca058f9c10e33ecb";
};
};
"lex-1.7.9" = {
name = "lex";
packageName = "lex";
version = "1.7.9";
src = fetchurl {
url = "https://registry.npmjs.org/lex/-/lex-1.7.9.tgz";
sha1 = "5d5636ccef574348362938b79a47f0eed8ed0d43";
};
};
"looper-3.0.0" = {
name = "looper";
packageName = "looper";
version = "3.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/looper/-/looper-3.0.0.tgz";
sha1 = "2efa54c3b1cbaba9b94aee2e5914b0be57fbb749";
};
};
"media-typer-0.3.0" = {
name = "media-typer";
packageName = "media-typer";
version = "0.3.0";
src = fetchurl {
url = "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz";
sha1 = "8710d7af0aa626f8fffa1ce00168545263255748";
};
};
"merge-descriptors-1.0.1" = {
name = "merge-descriptors";
packageName = "merge-descriptors";
version = "1.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz";
sha1 = "b00aaa556dd8b44568150ec9d1b953f3f90cbb61";
};
};
"methods-1.1.2" = {
name = "methods";
packageName = "methods";
version = "1.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz";
sha1 = "5529a4d67654134edcc5266656835b0f851afcee";
};
};
"mime-1.4.1" = {
name = "mime";
packageName = "mime";
version = "1.4.1";
src = fetchurl {
url = "https://registry.npmjs.org/mime/-/mime-1.4.1.tgz";
sha512 = "KI1+qOZu5DcW6wayYHSzR/tXKCDC5Om4s1z2QJjDULzLcmf3DvzS7oluY4HCTrc+9FiKmWUgeNLg7W3uIQvxtQ==";
};
};
"mime-db-1.52.0" = {
name = "mime-db";
packageName = "mime-db";
version = "1.52.0";
src = fetchurl {
url = "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz";
sha512 = "sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==";
};
};
"mime-types-2.1.35" = {
name = "mime-types";
packageName = "mime-types";
version = "2.1.35";
src = fetchurl {
url = "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz";
sha512 = "ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==";
};
};
"ms-2.0.0" = {
name = "ms";
packageName = "ms";
version = "2.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz";
sha1 = "5608aeadfc00be6c2901df5f9861788de0d597c8";
};
};
"negotiator-0.6.3" = {
name = "negotiator";
packageName = "negotiator";
version = "0.6.3";
src = fetchurl {
url = "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz";
sha512 = "+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==";
};
};
"netflux-websocket-0.1.21" = {
name = "netflux-websocket";
packageName = "netflux-websocket";
version = "0.1.21";
src = fetchurl {
url = "https://registry.npmjs.org/netflux-websocket/-/netflux-websocket-0.1.21.tgz";
sha512 = "Zjl5lefg8urC0a0T7YCPGiUgRsISZBsTZl1STylmQz8Bq4ohcZ8cP3r6VoCpeVcvJ1Y/e3ZCXPxndWlNP9Jfug==";
};
};
"nthen-0.1.8" = {
name = "nthen";
packageName = "nthen";
version = "0.1.8";
src = fetchurl {
url = "https://registry.npmjs.org/nthen/-/nthen-0.1.8.tgz";
sha512 = "Oh2CwIbhj+wUT94lQV7LKmmgw3UYAGGd8oLIqp6btQN3Bz3PuWp4BuvtUo35H3rqDknjPfKx5P6mt7v+aJNjcw==";
};
};
"on-finished-2.3.0" = {
name = "on-finished";
packageName = "on-finished";
version = "2.3.0";
src = fetchurl {
url = "https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz";
sha1 = "20f1336481b083cd75337992a16971aa2d906947";
};
};
"parseurl-1.3.3" = {
name = "parseurl";
packageName = "parseurl";
version = "1.3.3";
src = fetchurl {
url = "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz";
sha512 = "CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==";
};
};
"path-to-regexp-0.1.7" = {
name = "path-to-regexp";
packageName = "path-to-regexp";
version = "0.1.7";
src = fetchurl {
url = "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz";
sha1 = "df604178005f522f15eb4490e7247a1bfaa67f8c";
};
};
"proxy-addr-2.0.7" = {
name = "proxy-addr";
packageName = "proxy-addr";
version = "2.0.7";
src = fetchurl {
url = "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz";
sha512 = "llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==";
};
};
"pull-stream-3.6.14" = {
name = "pull-stream";
packageName = "pull-stream";
version = "3.6.14";
src = fetchurl {
url = "https://registry.npmjs.org/pull-stream/-/pull-stream-3.6.14.tgz";
sha512 = "KIqdvpqHHaTUA2mCYcLG1ibEbu/LCKoJZsBWyv9lSYtPkJPBq8m3Hxa103xHi6D2thj5YXa0TqK3L3GUkwgnew==";
};
};
"qs-6.5.2" = {
name = "qs";
packageName = "qs";
version = "6.5.2";
src = fetchurl {
url = "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz";
sha512 = "N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==";
};
};
"range-parser-1.2.1" = {
name = "range-parser";
packageName = "range-parser";
version = "1.2.1";
src = fetchurl {
url = "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz";
sha512 = "Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==";
};
};
"raw-body-2.3.3" = {
name = "raw-body";
packageName = "raw-body";
version = "2.3.3";
src = fetchurl {
url = "https://registry.npmjs.org/raw-body/-/raw-body-2.3.3.tgz";
sha512 = "9esiElv1BrZoI3rCDuOuKCBRbuApGGaDPQfjSflGxdy4oyzqghxu6klEkkVIvBje+FF0BX9coEv8KqW6X/7njw==";
};
};
"safe-buffer-5.1.2" = {
name = "safe-buffer";
packageName = "safe-buffer";
version = "5.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz";
sha512 = "Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==";
};
};
"safer-buffer-2.1.2" = {
name = "safer-buffer";
packageName = "safer-buffer";
version = "2.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz";
sha512 = "YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==";
};
};
"saferphore-0.0.1" = {
name = "saferphore";
packageName = "saferphore";
version = "0.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/saferphore/-/saferphore-0.0.1.tgz";
sha1 = "cc962eda4e2b2452e6437fd32dcfb6f69ef2ea63";
};
};
"send-0.16.2" = {
name = "send";
packageName = "send";
version = "0.16.2";
src = fetchurl {
url = "https://registry.npmjs.org/send/-/send-0.16.2.tgz";
sha512 = "E64YFPUssFHEFBvpbbjr44NCLtI1AohxQ8ZSiJjQLskAdKuriYEP6VyGEsRDH8ScozGpkaX1BGvhanqCwkcEZw==";
};
};
"serve-static-1.13.2" = {
name = "serve-static";
packageName = "serve-static";
version = "1.13.2";
src = fetchurl {
url = "https://registry.npmjs.org/serve-static/-/serve-static-1.13.2.tgz";
sha512 = "p/tdJrO4U387R9oMjb1oj7qSMaMfmOyd4j9hOFoxZe2baQszgHcSWjuya/CiT5kgZZKRudHNOA0pYXOl8rQ5nw==";
};
};
"setprototypeof-1.1.0" = {
name = "setprototypeof";
packageName = "setprototypeof";
version = "1.1.0";
src = fetchurl {
url = "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.1.0.tgz";
sha512 = "BvE/TwpZX4FXExxOxZyRGQQv651MSwmWKZGqvmPcRIjDqWub67kTKuIMx43cZZrS/cBBzwBcNDWoFxt2XEFIpQ==";
};
};
"sortify-1.0.4" = {
name = "sortify";
packageName = "sortify";
version = "1.0.4";
src = fetchurl {
url = "https://registry.npmjs.org/sortify/-/sortify-1.0.4.tgz";
sha1 = "f0178687c83231be8a34fc0ec5462ea957b60284";
};
};
"statuses-1.4.0" = {
name = "statuses";
packageName = "statuses";
version = "1.4.0";
src = fetchurl {
url = "https://registry.npmjs.org/statuses/-/statuses-1.4.0.tgz";
sha512 = "zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==";
};
};
"stream-to-pull-stream-1.7.3" = {
name = "stream-to-pull-stream";
packageName = "stream-to-pull-stream";
version = "1.7.3";
src = fetchurl {
url = "https://registry.npmjs.org/stream-to-pull-stream/-/stream-to-pull-stream-1.7.3.tgz";
sha512 = "6sNyqJpr5dIOQdgNy/xcDWwDuzAsAwVzhzrWlAPAQ7Lkjx/rv0wgvxEyKwTq6FmNd5rjTrELt/CLmaSw7crMGg==";
};
};
"tiny-each-async-2.0.3" = {
name = "tiny-each-async";
packageName = "tiny-each-async";
version = "2.0.3";
src = fetchurl {
url = "https://registry.npmjs.org/tiny-each-async/-/tiny-each-async-2.0.3.tgz";
sha1 = "8ebbbfd6d6295f1370003fbb37162afe5a0a51d1";
};
};
"tweetnacl-0.12.2" = {
name = "tweetnacl";
packageName = "tweetnacl";
version = "0.12.2";
src = fetchurl {
url = "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.12.2.tgz";
sha1 = "bd59f890507856fb0a1136acc3a8b44547e29ddb";
};
};
"type-is-1.6.18" = {
name = "type-is";
packageName = "type-is";
version = "1.6.18";
src = fetchurl {
url = "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz";
sha512 = "TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==";
};
};
"ulimit-0.0.2" = {
name = "ulimit";
packageName = "ulimit";
version = "0.0.2";
src = fetchurl {
url = "https://registry.npmjs.org/ulimit/-/ulimit-0.0.2.tgz";
sha1 = "2b51f9dc8381ae4102636cec5eb338c2630588a0";
};
};
"ultron-1.1.1" = {
name = "ultron";
packageName = "ultron";
version = "1.1.1";
src = fetchurl {
url = "https://registry.npmjs.org/ultron/-/ultron-1.1.1.tgz";
sha512 = "UIEXBNeYmKptWH6z8ZnqTeS8fV74zG0/eRU9VGkpzz+LIJNs8W/zM/L+7ctCkRrgbNnnR0xxw4bKOr0cW0N0Og==";
};
};
"universalify-0.1.2" = {
name = "universalify";
packageName = "universalify";
version = "0.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/universalify/-/universalify-0.1.2.tgz";
sha512 = "rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==";
};
};
"unpipe-1.0.0" = {
name = "unpipe";
packageName = "unpipe";
version = "1.0.0";
src = fetchurl {
url = "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz";
sha1 = "b2bf4ee8514aae6165b4817829d21b2ef49904ec";
};
};
"utils-merge-1.0.1" = {
name = "utils-merge";
packageName = "utils-merge";
version = "1.0.1";
src = fetchurl {
url = "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz";
sha1 = "9f95710f50a267947b2ccc124741c1028427e713";
};
};
"vary-1.1.2" = {
name = "vary";
packageName = "vary";
version = "1.1.2";
src = fetchurl {
url = "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz";
sha1 = "2299f02c6ded30d4a5961b0b9f74524a18f634fc";
};
};
"ws-3.3.3" = {
name = "ws";
packageName = "ws";
version = "3.3.3";
src = fetchurl {
url = "https://registry.npmjs.org/ws/-/ws-3.3.3.tgz";
sha512 = "nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==";
};
};
};
args = {
name = "cryptpad";
packageName = "cryptpad";
version = "4.14.1";
src = ./.;
dependencies = [
sources."@mcrowe/minibloom-0.2.0"
sources."accepts-1.3.8"
sources."array-flatten-1.1.1"
sources."async-limiter-1.0.1"
sources."body-parser-1.18.3"
sources."bytes-3.0.0"
sources."chainpad-crypto-0.2.7"
sources."chainpad-server-5.1.0"
sources."content-disposition-0.5.2"
sources."content-type-1.0.4"
sources."cookie-0.3.1"
sources."cookie-signature-1.0.6"
sources."debug-2.6.9"
sources."depd-1.1.2"
sources."destroy-1.0.4"
sources."ee-first-1.1.1"
sources."encodeurl-1.0.2"
sources."escape-html-1.0.3"
sources."etag-1.8.1"
sources."express-4.16.4"
sources."finalhandler-1.1.1"
sources."forwarded-0.2.0"
sources."fresh-0.5.2"
sources."fs-extra-7.0.1"
sources."gar-1.0.4"
sources."get-folder-size-2.0.1"
sources."graceful-fs-4.2.10"
sources."http-errors-1.6.3"
sources."iconv-lite-0.4.23"
sources."inherits-2.0.3"
sources."ipaddr.js-1.9.1"
sources."jsonfile-4.0.0"
sources."lex-1.7.9"
sources."looper-3.0.0"
sources."media-typer-0.3.0"
sources."merge-descriptors-1.0.1"
sources."methods-1.1.2"
sources."mime-db-1.52.0"
sources."mime-types-2.1.35"
sources."ms-2.0.0"
sources."negotiator-0.6.3"
sources."netflux-websocket-0.1.21"
sources."nthen-0.1.8"
sources."on-finished-2.3.0"
sources."parseurl-1.3.3"
sources."path-to-regexp-0.1.7"
sources."proxy-addr-2.0.7"
sources."pull-stream-3.6.14"
sources."qs-6.5.2"
sources."range-parser-1.2.1"
sources."raw-body-2.3.3"
sources."safe-buffer-5.1.2"
sources."safer-buffer-2.1.2"
sources."saferphore-0.0.1"
(sources."send-0.16.2" // {
dependencies = [
sources."mime-1.4.1"
];
})
sources."serve-static-1.13.2"
sources."setprototypeof-1.1.0"
sources."sortify-1.0.4"
sources."statuses-1.4.0"
sources."stream-to-pull-stream-1.7.3"
sources."tiny-each-async-2.0.3"
sources."tweetnacl-0.12.2"
sources."type-is-1.6.18"
sources."ulimit-0.0.2"
sources."ultron-1.1.1"
sources."universalify-0.1.2"
sources."unpipe-1.0.0"
sources."utils-merge-1.0.1"
sources."vary-1.1.2"
sources."ws-3.3.3"
];
buildInputs = globalBuildInputs;
meta = {
description = "realtime collaborative visual editor with zero knowlege server";
license = "AGPL-3.0+";
};
production = true;
bypassCache = true;
reconstructLock = false;
};
in
{
args = args;
sources = sources;
tarball = nodeEnv.buildNodeSourceDist args;
package = nodeEnv.buildNodePackage args;
shell = nodeEnv.buildNodeShell args;
nodeDependencies = nodeEnv.buildNodeDependencies (lib.overrideExisting args {
src = stdenv.mkDerivation {
name = args.name + "-package-json";
src = nix-gitignore.gitignoreSourcePure [
"*"
"!package.json"
"!package-lock.json"
] args.src;
dontBuild = true;
installPhase = "mkdir -p $out; cp -r ./* $out;";
};
});
}

17
cluster/prod/app/cryptpad/build/nix.lock/npm.nix Normal file
View file

@ -0,0 +1,17 @@
# This file has been generated by node2nix 1.9.0. Do not edit!
{pkgs ? import <nixpkgs> {
inherit system;
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
let
nodeEnv = import ./node-env.nix {
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
inherit pkgs nodejs;
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
};
in
import ./node-packages.nix {
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
inherit nodeEnv;
}

6618
cluster/prod/app/cryptpad/build/nix.lock/package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

55
cluster/prod/app/cryptpad/build/nix.lock/package.json Normal file
View file

@ -0,0 +1,55 @@
{
"name": "cryptpad",
"description": "realtime collaborative visual editor with zero knowlege server",
"version": "4.14.1",
"license": "AGPL-3.0+",
"repository": {
"type": "git",
"url": "git+https://github.com/xwiki-labs/cryptpad.git"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/cryptpad"
},
"dependencies": {
"@mcrowe/minibloom": "^0.2.0",
"chainpad-crypto": "^0.2.5",
"chainpad-server": "^5.1.0",
"express": "~4.16.0",
"fs-extra": "^7.0.0",
"get-folder-size": "^2.0.1",
"netflux-websocket": "^0.1.20",
"nthen": "0.1.8",
"pull-stream": "^3.6.1",
"saferphore": "0.0.1",
"sortify": "^1.0.4",
"stream-to-pull-stream": "^1.7.2",
"tweetnacl": "~0.12.2",
"ulimit": "0.0.2",
"ws": "^3.3.1"
},
"devDependencies": {
"jshint": "^2.13.4",
"less": "3.7.1",
"lesshint": "6.3.7",
"selenium-webdriver": "^3.6.0"
},
"scripts": {
"start": "node server.js",
"dev": "DEV=1 node server.js",
"fresh": "FRESH=1 node server.js",
"offline": "FRESH=1 OFFLINE=1 node server.js",
"offlinedev": "DEV=1 OFFLINE=1 node server.js",
"package": "PACKAGE=1 node server.js",
"lint": "jshint --config .jshintrc --exclude-path .jshintignore . && ./node_modules/lesshint/bin/lesshint -c ./.lesshintrc ./customize.dist/src/less2/",
"lint:js": "jshint --config .jshintrc --exclude-path .jshintignore .",
"lint:server": "jshint --config .jshintrc lib",
"lint:less": "./node_modules/lesshint/bin/lesshint -c ./.lesshintrc ./customize.dist/src/less2/",
"lint:translations": "node ./scripts/translations/lint-translations.js",
"unused-translations": "node ./scripts/translations/unused-translations.js",
"test": "node scripts/TestSelenium.js",
"test-rpc": "cd scripts/tests && node test-rpc",
"template": "cd customize.dist/src && for page in ../index.html ../privacy.html ../terms.html ../contact.html ../what-is-cryptpad.html ../features.html ../../www/login/index.html ../../www/register/index.html ../../www/user/index.html;do echo $page; cp template.html $page; done;",
"evict-inactive": "node scripts/evict-inactive.js"
}
}

80
cluster/prod/app/cryptpad/build/npins/default.nix
View file

@ -1,80 +0,0 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource =
spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource =
{
repository,
revision,
url ? null,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
})
else
assert repository.type == "Git";
let
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName repository.url revision;
in
builtins.fetchGit {
url = repository.url;
rev = revision;
inherit name;
# hash = hash;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 3 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

11
cluster/prod/app/cryptpad/build/npins/sources.json
View file

@ -1,11 +0,0 @@
{
"pins": {
"nixpkgs": {
"type": "Channel",
"name": "nixos-24.05",
"url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.3311.a1cc729dcbc3/nixexprs.tar.xz",
"hash": "13al93fac4xdxj0jllfby2v9klwqdhsf3yg10mnsm9ys84v7gsnn"
}
},
"version": 3
}

31
cluster/prod/app/cryptpad/build/shell.nix Normal file
View file

@ -0,0 +1,31 @@
let
common = import ./common.nix;
pkgs = import common.pkgsSrc {};
bower2nixRepo = (import common.bower2nixSrc {
inherit pkgs;
});
bower2nix = bower2nixRepo // {
package = bower2nixRepo.package.override {
postInstall = "tsc";
};
};
in
pkgs.mkShell {
nativeBuildInputs = [
bower2nix.package
pkgs.nodePackages.node2nix
];
shellHook = ''
function update_lock {
set -exuo pipefail
mkdir -p nix.lock
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/package.json -O nix.lock/package.json
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/package-lock.json -O nix.lock/package-lock.json
${pkgs.wget}/bin/wget https://raw.githubusercontent.com/xwiki-labs/cryptpad/${common.cryptpadCommit}/bower.json -O nix.lock/bower.json
${bower2nix.package}/bin/bower2nix nix.lock/bower.json nix.lock/bower.nix
${pkgs.nodePackages.node2nix}/bin/node2nix --input nix.lock/package.json --lock nix.lock/package-lock.json --composition nix.lock/npm.nix --node-env nix.lock/node-env.nix --output nix.lock/node-packages.nix
}
'';
}

31
cluster/prod/app/cryptpad/config/config.js
View file

@ -112,14 +112,7 @@ module.exports = {
* Entries should be strings separated by a comma.
*/
adminKeys: [
"[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
"[adrn@pad.deuxfleurs.fr/PxDpkPwd-jDJWkfWdAzFX7wtnLpnPlBeYZ4MmoEYS6E=]",
"[lx@pad.deuxfleurs.fr/FwQzcXywx1FIb83z6COB7c3sHnz8rNSDX1xhjPuH3Fg=]",
"[trinity-1686a@pad.deuxfleurs.fr/Pu6Ef03jEsAGBbZI6IOdKd6+5pORD5N51QIYt4-Ys1c=]",
"[Jill@pad.deuxfleurs.fr/tLW7W8EVNB2KYETXEaOYR+HmNiBQtZj7u+SOxS3hGmg=]",
"[vincent@pad.deuxfleurs.fr/07FQiE8w1iztRWwzbRJzEy3xIqnNR31mUFjLNiGXjwU=]",
"[boris@pad.deuxfleurs.fr/kHo5LIhSxDFk39GuhGRp+XKlMjNe+lWfFWM75cINoTQ=]",
"[maximilien@pad.deuxfleurs.fr/UoXHLejYRUjvX6t55hAQKpjMdU-3ecg4eDhAeckZmyE=]"
"[quentin@pad.deuxfleurs.fr/EWtzm-CiqJnM9RZL9mj-YyTgAtX-Zh76sru1K5bFpN8=]",
],
/* =====================
@ -188,18 +181,12 @@ module.exports = {
* DATABASE VOLUMES
* ===================== */
/*
* We need this config entry, else CryptPad will try to mkdir
* some stuff into Nix store apparently...
*/
base: '/mnt/data',
/*
* CryptPad stores each document in an individual file on your hard drive.
* Specify a directory where files should be stored.
* It will be created automatically if it does not already exist.
*/
filePath: '/mnt/datastore/',
filePath: './root/mnt/datastore/',
/* CryptPad offers the ability to archive data for a configurable period
* before deleting it, allowing a means of recovering data in the event
@ -208,36 +195,36 @@ module.exports = {
* To set the location of this archive directory to a custom value, change
* the path below:
*/
archivePath: '/mnt/data/archive',
archivePath: './root/mnt/data/archive',
/* CryptPad allows logged in users to request that particular documents be
* stored by the server indefinitely. This is called 'pinning'.
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
pinPath: '/mnt/data/pins',
pinPath: './root/mnt/data/pins',
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
taskPath: '/mnt/data/tasks',
taskPath: './root/mnt/data/tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: '/mnt/block',
blockPath: './root/mnt/block',
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here.
*/
blobPath: '/mnt/blob',
blobPath: './root/mnt/blob',
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
blobStagingPath: '/mnt/data/blobstage',
blobStagingPath: './root/mnt/data/blobstage',
decreePath: '/mnt/data/decrees',
decreePath: './root/mnt/data/decrees',
/* CryptPad supports logging events directly to the disk in a 'logs' directory
* Set its location here, or set it to false (or nothing) if you'd rather not log

12
cluster/prod/app/cryptpad/deploy/cryptpad.hcl
View file

@ -1,7 +1,7 @@
job "cryptpad" {
datacenters = ["neptune"]
type = "service"
group "cryptpad" {
count = 1
@ -22,20 +22,20 @@ job "cryptpad" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "courgette"
value = "concombre"
}
config {
image = "kokakiwi/cryptpad:2024.6.1"
image = "superboum/cryptpad:0p3s44hjh4s1x55kbwkmywmwmx4wfyb8"
ports = [ "http" ]
volumes = [
"/mnt/ssd/cryptpad:/mnt",
"secrets/config.js:/cryptpad/config.js",
"secrets/config.js:/etc/cryptpad/config.js",
]
}
env {
CRYPTPAD_CONFIG = "/cryptpad/config.js"
CRYPTPAD_CONFIG = "/etc/cryptpad/config.js"
}
template {
@ -63,8 +63,6 @@ job "cryptpad" {
"tricot pad-sandbox.deuxfleurs.fr",
"tricot-add-header Cross-Origin-Resource-Policy cross-origin",
"tricot-add-header Cross-Origin-Embedder-Policy require-corp",
"d53-cname pad.deuxfleurs.fr",
"d53-cname pad-sandbox.deuxfleurs.fr",
]
check {
type = "http"

10
cluster/prod/app/drone-ci/config/litestream.yml Normal file
View file

@ -0,0 +1,10 @@
dbs:
- path: /ephemeral/drone.db
replicas:
- url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
region: garage
endpoint: https://garage.deuxfleurs.fr
access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
force-path-style: true
sync-interval: 60s

138
cluster/prod/app/drone-ci/deploy/server.hcl Normal file
View file

@ -0,0 +1,138 @@
job "drone-ci" {
datacenters = ["neptune", "orion"]
type = "service"
group "server" {
count = 1
network {
port "web_port" {
to = 80
}
}
task "restore-db" {
lifecycle {
hook = "prestart"
sidecar = false
}
driver = "docker"
config {
image = "litestream/litestream:0.3.9"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
]
volumes = [
"../alloc/data:/ephemeral",
"secrets/litestream.yml:/etc/litestream.yml"
]
}
template {
data = file("../config/litestream.yml")
destination = "secrets/litestream.yml"
}
resources {
memory = 200
cpu = 100
}
}
task "drone_server" {
driver = "docker"
config {
image = "drone/drone:2.14.0"
ports = [ "web_port" ]
volumes = [
"../alloc/data:/ephemeral",
]
}
template {
data = <<EOH
DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
DRONE_SERVER_HOST=drone.deuxfleurs.fr
DRONE_SERVER_PROTO=https
DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
AWS_DEFAULT_REGION=garage
AWS_REGION=garage
DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
DRONE_S3_PATH_STYLE=true
DRONE_DATABASE_DRIVER=sqlite3
DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
DRONE_USER_CREATE=username:lx-admin,admin:true
DRONE_REGISTRATION_CLOSED=true
DRONE_LOGS_DEBUG=true
DRONE_LOGS_TRACE=true
EOH
destination = "secrets/env"
env = true
}
resources {
cpu = 100
memory = 200
}
service {
name = "drone"
tags = [
"drone",
"tricot drone.deuxfleurs.fr",
"d53-cname drone.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "http"
protocol = "http"
port = "web_port"
path = "/"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "600s"
ignore_warnings = false
}
}
}
}
task "replicate-db" {
driver = "docker"
config {
image = "litestream/litestream:0.3.9"
entrypoint = [ "/bin/sh" ]
args = [
"-c",
"echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
]
volumes = [
"../alloc/data:/ephemeral",
"secrets/litestream.yml:/etc/litestream.yml"
]
}
template {
data = file("../config/litestream.yml")
destination = "secrets/litestream.yml"
}
resources {
memory = 200
cpu = 100
}
}
}
}

69
cluster/prod/app/drone-ci/integration/README.md Normal file
View file

@ -0,0 +1,69 @@
## Install Debian
We recommend Debian Bullseye
## Install Docker CE from docker.io
Do not use the docker engine shipped by Debian
Doc:
- https://docs.docker.com/engine/install/debian/
- https://docs.docker.com/compose/install/
On a fresh install, as root:
```bash
apt-get remove -y docker docker-engine docker.io containerd runc
apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```
## Install the runner
*This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
```bash
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
# Edit the docker-compose.yml to adapt its variables to your needs,
# especially the capacitiy value and its name.
COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
```
That's all folks.
## Check if a given job is built by your runner
```bash
export URL=https://drone.deuxfleurs.fr
export REPO=Deuxfleurs/garage
export BUILD=1312
curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
| jq -c '[.stages[] | { name: .name, machine: .machine }]'
```
It will give you the following result:
```json
[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
```
## Random note
*This part might be deprecated!*
This setup is done mainly to allow nix builds with some cache.
To use the cache in Drone, you must set your repository as trusted.
The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.

54
cluster/prod/app/drone-ci/integration/docker-compose.yml Normal file
View file

@ -0,0 +1,54 @@
version: '3.4'
services:
nix-daemon:
image: nixpkgs/nix:nixos-22.05
restart: always
command: nix-daemon
privileged: true
volumes:
- "nix:/nix"
- "./nix.conf:/etc/nix/nix.conf:ro"
drone-runner:
image: drone/drone-runner-docker:1.8.2
restart: always
environment:
- DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET}
- DRONE_RUNNER_CAPACITY=3
- DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true
- DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
- DRONE_RUNNER_LABELS=nix-daemon:1
# we should put "nix:/nix:ro but it is not supported by
# drone-runner-docker because the dependency envconfig does
# not support having two colons (:) in the same stanza.
# Without the RO flag (or using docker userns), build isolation
# is broken.
# https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
# https://github.com/kelseyhightower/envconfig/pull/153
#
# A workaround for isolation is to configure docker with a userns,
# so even if the folder is writable to root, it is not to any non
# privileged docker daemon ran by drone!
- DRONE_RUNNER_VOLUMES=drone_nix:/nix
- DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
ports:
- "3000:3000/tcp"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
drone-gc:
image: drone/gc:latest
restart: always
environment:
- GC_DEBUG=true
- GC_CACHE=10gb
- GC_INTERVAL=10m
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
volumes:
nix:

0
cluster/prod/app/woodpecker-ci/integration/nix.conf → cluster/prod/app/drone-ci/integration/nix.conf
View file

48
cluster/prod/app/drone-ci/secrets.toml Normal file
View file

@ -0,0 +1,48 @@
# Drone's secrets
[secrets."drone-ci/rpc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it would break all runners
[secrets."drone-ci/cookie_secret"]
type = 'command'
rotate = true
command = 'openssl rand -hex 16'
[secrets."drone-ci/db_enc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it is used to encrypt data which we would lose if we change this
# Oauth config for gitea
[secrets."drone-ci/oauth_client_secret"]
type = 'user'
description = 'OAuth client secret (for gitea)'
[secrets."drone-ci/oauth_client_id"]
type = 'user'
description = 'OAuth client ID (on Gitea)'
# S3 config for Git LFS storage
[secrets."drone-ci/s3_db_bucket"]
type = 'constant'
value = 'drone-db'
[secrets."drone-ci/s3_sk"]
type = 'user'
description = 'S3 (garage) secret key for Drone'
[secrets."drone-ci/s3_ak"]
type = 'user'
description = 'S3 (garage) access key for Drone'
[secrets."drone-ci/s3_storage_bucket"]
type = 'constant'
value = 'drone-storage'

6
cluster/prod/app/email/build/docker-compose.yml
View file

@ -26,9 +26,9 @@ services:
build:
context: ./postfix
args:
# https://packages.debian.org/fr/trixie/postfix
VERSION: 3.8.4-1
image: superboum/amd64_postfix:v4
# https://packages.debian.org/fr/buster/postfix
VERSION: 3.4.14-0+deb10u1
image: superboum/amd64_postfix:v3
opendkim:
build:

2
cluster/prod/app/email/build/postfix/Dockerfile
View file

@ -1,4 +1,4 @@
FROM amd64/debian:trixie
FROM amd64/debian:buster
ARG VERSION

6
cluster/prod/app/email/config/dkim/signingtable
View file

@ -1,9 +1,3 @@
*@deuxfleurs.fr smtp._domainkey.deuxfleurs.fr
*@dufour.io smtp._domainkey.deuxfleurs.fr
*@luxeylab.net smtp._domainkey.deuxfleurs.fr
*@estherbouquet.com smtp._domainkey.deuxfleurs.fr
*@pointecouteau.com smtp._domainkey.deuxfleurs.fr
*@maycausesideeffects.com smtp._domainkey.deuxfleurs.fr
*@e-x-t-r-a-c-t.me smtp._domainkey.deuxfleurs.fr
*@courderec.re smtp._domainkey.deuxfleurs.fr
*@trinity.fr.eu.org smtp._domainkey.deuxfleurs.fr

7
cluster/prod/app/email/config/postfix/main.cf
View file

@ -77,11 +77,7 @@ smtpd_relay_restrictions =
permit_mynetworks
reject_unauth_destination
# Disable SMTP smuggling attacks
# https://www.postfix.org/smtp-smuggling.html
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking
smtpd_forbid_bare_newline = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_connection_rate_limit = 2
@ -94,7 +90,6 @@ slow_destination_concurrency_limit = 2
#====
# Transport configuration
#====
default_transport = smtp-ipv4
transport_maps = hash:/etc/postfix/transport
virtual_mailbox_domains = ldap:/etc/postfix/ldap-virtual-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-account.cf

9
cluster/prod/app/email/config/sogo/sogo.conf.tpl
View file

@ -1,7 +1,7 @@
{
WONoDetach = NO;
WOWorkersCount = 3;
SxVMemLimit = 600;
SxVMemLimit = 300;
WOPort = "127.0.0.1:20000";
SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_folder_info";
@ -46,13 +46,6 @@
SOGoLDAPContactInfoAttribute = "displayname";
SOGoDebugRequests = YES;
//SOGoEASDebugEnabled = YES;
//ImapDebugEnabled = YES;
LDAPDebugEnabled = YES;
//MySQL4DebugEnabled = YES;
PGDebugEnabled = YES;
SOGoUserSources = (
{
type = ldap;

2
cluster/prod/app/email/deploy/email-android7.hcl
View file

@ -1,5 +1,5 @@
job "email-android7" {
datacenters = ["neptune", "bespin"]
datacenters = ["neptune"]
type = "service"
priority = 100

17
cluster/prod/app/email/deploy/email.hcl
View file

@ -1,5 +1,5 @@
job "email" {
datacenters = ["neptune"]
datacenters = ["orion"]
type = "service"
priority = 65
@ -31,7 +31,7 @@ job "email" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "="
value = "celeri"
value = "doradille"
}
config {
@ -253,7 +253,7 @@ job "email" {
task "server" {
driver = "docker"
config {
image = "superboum/amd64_postfix:v4"
image = "superboum/amd64_postfix:v3"
readonly_rootfs = false
network_mode = "host"
ports = [ "smtp_port", "smtps_port", "submission_port" ]
@ -429,8 +429,10 @@ job "email" {
address_mode = "host"
tags = [
"alps",
"traefik.enable=true",
"traefik.frontend.entryPoints=https,http",
"traefik.frontend.rule=Host:alps.deuxfleurs.fr",
"tricot alps.deuxfleurs.fr",
"d53-cname alps.deuxfleurs.fr",
]
check {
type = "tcp"
@ -472,9 +474,9 @@ job "email" {
}
resources {
cpu = 400
memory = 1500
memory_max = 2000
cpu = 200
memory = 500
memory_max = 1000
}
service {
@ -485,7 +487,6 @@ job "email" {
"sogo",
"tricot www.sogo.deuxfleurs.fr",
"tricot sogo.deuxfleurs.fr",
"d53-cname sogo.deuxfleurs.fr",
]
check {
type = "tcp"

15
cluster/prod/app/garage/config/garage.toml
View file

@ -6,19 +6,8 @@ db_engine = "lmdb"
replication_mode = "3"
metadata_auto_snapshot_interval = "24h"
# IPv6 config using the ipv6 address statically defined in Nomad's node metadata
# make sure to put back double { and } if re-enabling this
#rpc_bind_addr = "[{ env "meta.public_ipv6" }]:3901"
#rpc_public_addr = "[{ env "meta.public_ipv6" }]:3901"
# IPv6 config using the ipv6 address dynamically detected from diplonat
{{ with $a := env "attr.unique.hostname" | printf "diplonat/autodiscovery/ipv6/%s" | key | parseJSON }}
rpc_bind_addr = "[{{ $a.address }}]:3901"
rpc_public_addr = "[{{ $a.address }}]:3901"
{{ end }}
rpc_bind_addr = "[{{ env "meta.public_ipv6" }}]:3901"
rpc_public_addr = "[{{ env "meta.public_ipv6" }}]:3901"
rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
[consul_discovery]

172
cluster/prod/app/garage/deploy/garage.hcl
View file

@ -1,10 +1,10 @@
job "garage" {
datacenters = [ "neptune", "bespin", "scorpio" ]
datacenters = [ "neptune", "bespin", "orion", "scorpio" ]
type = "system"
priority = 80
update {
max_parallel = 2
max_parallel = 1
min_healthy_time = "60s"
}
@ -14,11 +14,11 @@ job "garage" {
port "rpc" { static = 3901 }
port "web" { static = 3902 }
port "admin" { static = 3903 }
port "k2v" { static = 3904 }
port "k2v" { static = 3904 }
}
update {
max_parallel = 10
max_parallel = 1
min_healthy_time = "30s"
healthy_deadline = "5m"
}
@ -26,7 +26,8 @@ job "garage" {
task "server" {
driver = "docker"
config {
image = "superboum/garage:v1.0.0-rc1-hotfix-red-ftr-wquorum"
advertise_ipv6_address = true
image = "dxflrs/garage:v0.8.2"
command = "/garage"
args = [ "server" ]
network_mode = "host"
@ -44,7 +45,6 @@ job "garage" {
template {
data = file("../config/garage.toml")
destination = "secrets/garage.toml"
#change_mode = "noop"
}
template {
@ -70,49 +70,20 @@ job "garage" {
kill_timeout = "20s"
restart {
interval = "30m"
attempts = 10
delay = "15s"
mode = "delay"
}
#### Configuration for service ports: admin port (internal use only)
service {
name = "garage-admin"
port = "admin"
address_mode = "host"
# Check that Garage is alive and answering TCP connections
check {
type = "tcp"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
#### Configuration for service ports: externally available ports (S3 API, K2V, web)
service {
name = "garage-api"
tags = [
"garage_api",
"tricot garage.deuxfleurs.fr",
"tricot *.garage.deuxfleurs.fr",
"tricot-on-demand-tls-ask http://garage-admin.service.prod.consul:3903/check",
"tricot-site-lb",
]
port = "s3"
address_mode = "host"
# Check 1: Garage is alive and answering TCP connections
port = 3900
address_mode = "driver"
name = "garage-api"
check {
name = "garage-api-live"
type = "tcp"
port = 3900
address_mode = "driver"
interval = "60s"
timeout = "5s"
check_restart {
@ -121,30 +92,66 @@ job "garage" {
ignore_warnings = false
}
}
# Check 2: Garage is in a healthy state and requests should be routed here
}
service {
tags = [
"garage-web",
"tricot * 1",
#"tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'",
"tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
"tricot-add-header X-Frame-Options SAMEORIGIN",
"tricot-add-header X-XSS-Protection 1; mode=block",
"tricot-site-lb",
]
port = 3902
address_mode = "driver"
name = "garage-web"
check {
name = "garage-api-healthy"
port = "admin"
type = "http"
path = "/health"
type = "tcp"
port = 3902
address_mode = "driver"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
service {
port = 3903
address_mode = "driver"
name = "garage-admin"
check {
type = "tcp"
port = 3903
address_mode = "driver"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
service {
name = "garage-k2v"
tags = [
"garage_k2v",
"tricot k2v.deuxfleurs.fr",
"tricot-site-lb",
]
port = "k2v"
address_mode = "host"
# Check 1: Garage is alive and answering TCP connections
port = 3904
address_mode = "driver"
name = "garage-k2v"
check {
name = "garage-k2v-live"
type = "tcp"
port = 3904
address_mode = "driver"
interval = "60s"
timeout = "5s"
check_restart {
@ -153,68 +160,13 @@ job "garage" {
ignore_warnings = false
}
}
# Check 2: Garage is in a healthy state and requests should be routed here
check {
name = "garage-k2v-healthy"
port = "admin"
type = "http"
path = "/health"
interval = "60s"
timeout = "5s"
}
}
service {
name = "garage-web"
tags = [
"garage-web",
"tricot * 1",
"tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
"tricot-add-header X-Frame-Options SAMEORIGIN",
"tricot-add-header X-XSS-Protection 1; mode=block",
"tricot-add-header X-Content-Type-Options nosniff",
"tricot-on-demand-tls-ask http://garage-admin.service.prod.consul:3903/check",
"tricot-site-lb",
]
port = "web"
address_mode = "host"
# Check 1: Garage is alive and answering TCP connections
check {
name = "garage-web-live"
type = "tcp"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
# Check 2: Garage is in a healthy state and requests should be routed here
check {
name = "garage-web-healthy"
port = "admin"
type = "http"
path = "/health"
interval = "60s"
timeout = "5s"
}
}
service {
tags = [
"garage-redirect-dummy",
"tricot www.deuxfleurs.fr 2",
"tricot osuny.org 2",
"tricot www.degrowth.net 2",
"tricot-add-redirect www.deuxfleurs.fr deuxfleurs.fr 301",
"tricot-add-redirect osuny.org www.osuny.org 301",
"tricot-add-redirect www.degrowth.net degrowth.net 301",
]
name = "garage-redirect-dummy"
address_mode = "host"
port = "web"
on_update = "ignore"
restart {
interval = "30m"
attempts = 10
delay = "15s"
mode = "delay"
}
}
}

7
cluster/prod/app/guichet/deploy/guichet.hcl → cluster/prod/app/guichet/deploy/directory.hcl
View file

@ -1,5 +1,5 @@
job "guichet" {
datacenters = [ "neptune", "scorpio" ]
datacenters = [ "neptune", "orion" ]
type = "service"
priority = 90
@ -13,12 +13,11 @@ job "guichet" {
task "guichet" {
driver = "docker"
config {
image = "dxflrs/guichet:0x4y7bj1qb8w8hckvpbzlgyxh63j66ij"
args = [ "server", "-config", "/etc/config.json" ]
image = "dxflrs/guichet:18"
readonly_rootfs = true
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/etc/config.json"
"secrets/config.json:/config.json"
]
}

19
cluster/prod/app/jitsi/build/docker-compose.yml
View file

@ -6,17 +6,16 @@ services:
context: ./jitsi-meet
args:
# https://github.com/jitsi/jitsi-meet
MEET_TAG: stable/jitsi-meet_9646
NODE_MAJOR_VERSION: 22
image: superboum/amd64_jitsi_meet:v7
MEET_TAG: stable/jitsi-meet_8252
image: superboum/amd64_jitsi_meet:v6
jitsi-conference-focus:
build:
context: ./jitsi-conference-focus
args:
# https://github.com/jitsi/jicofo
JICOFO_TAG: stable/jitsi-meet_9646
image: superboum/amd64_jitsi_conference_focus:v11
JICOFO_TAG: stable/jitsi-meet_8252
image: superboum/amd64_jitsi_conference_focus:v10
jitsi-videobridge:
build:
@ -24,13 +23,13 @@ services:
args:
# https://github.com/jitsi/jitsi-videobridge
# note: JVB is not tagged with non-stable tags
JVB_TAG: stable/jitsi-meet_9646
image: superboum/amd64_jitsi_videobridge:v22
JVB_TAG: stable/jitsi-meet_8252
image: superboum/amd64_jitsi_videobridge:v21
jitsi-xmpp:
build:
context: ./jitsi-xmpp
args:
MEET_TAG: stable/jitsi-meet_9646
PROSODY_VERSION: 0.12.3-1
image: superboum/amd64_jitsi_xmpp:v12
MEET_TAG: stable/jitsi-meet_8252
PROSODY_VERSION: 1nightly191-1~bookworm
image: superboum/amd64_jitsi_xmpp:v11

3
cluster/prod/app/jitsi/build/jitsi-meet/Dockerfile
View file

@ -1,9 +1,8 @@
FROM debian:bookworm AS builder
ARG NODE_MAJOR_VERSION
RUN apt-get update && \
apt-get install -y curl && \
curl -sL https://deb.nodesource.com/setup_${NODE_MAJOR_VERSION}.x | bash - && \
curl -sL https://deb.nodesource.com/setup_19.x | bash - && \
apt-get install -y git nodejs make git unzip
ARG MEET_TAG

2
cluster/prod/app/jitsi/build/jitsi-videobridge/jvb_run
View file

@ -6,7 +6,7 @@ if [ -z "${JITSI_NAT_LOCAL_IP}" ]; then
fi
if [ -z "${JITSI_NAT_PUBLIC_IP}" ]; then
JITSI_NAT_PUBLIC_IP=$(curl -4 https://ifconfig.me)
JITSI_NAT_PUBLIC_IP=$(curl https://ifconfig.me)
fi
echo "NAT config: ${JITSI_NAT_LOCAL_IP} -> ${JITSI_NAT_PUBLIC_IP}"

4
cluster/prod/app/jitsi/build/jitsi-xmpp/Dockerfile
View file

@ -13,8 +13,8 @@ RUN apt-get update && \
apt-get install -y wget gnupg2 extrepo && \
extrepo enable prosody && \
apt-get update && \
apt-cache show prosody && \
apt-get install -y prosody=${PROSODY_VERSION} lua-event
apt-cache show prosody-0.12 && \
apt-get install -y prosody-0.12=${PROSODY_VERSION} lua-event
RUN mkdir -p /usr/local/share/ca-certificates/ && \
ln -sf \

3
cluster/prod/app/jitsi/config/config.js
View file

@ -368,8 +368,7 @@ var config = {
// Message to show the users. Example: 'The service will be down for
// maintenance at 01:00 AM GMT,
// Does only support plaintext. No line skip.
// noticeMessage: "Suite à une utilisation contraire à nos CGU, Deuxfleurs surveille activement cette instance Jitsi et enverra tout contenu illégal à la police. Pour toute question, commentaire ou suggestion, contactez moderation@deuxfleurs.fr . Following usage breaching our TOS, Deuxfleurs actively monitors this Jitsi instance and will send any illegal behavior to the Police. For any question, remark or suggestion, reach moderation@deuxfleurs.fr",
// noticeMessage: '',
// Enables calendar integration, depends on googleApiApplicationClientID
// and microsoftApiApplicationClientID

21
cluster/prod/app/jitsi/config/nginx.conf
View file

@ -37,12 +37,6 @@ http {
access_log /dev/stdout;
server_names_hash_bucket_size 64;
# Log real IPs
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
# inspired by https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/master/web/rootfs/defaults/meet.conf
server {
#listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
@ -81,12 +75,6 @@ http {
alias /srv/jitsi-meet/$1/$2;
}
# Disallow robots indexation
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
# not used yet VVV
# colibri (JVB) websockets
#location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
@ -97,16 +85,7 @@ http {
# tcp_nodelay on;
#}
location ~* {{ key "secrets/jitsi/blacklist_regex" }} {
return 302 https://www.service-public.fr/particuliers/vosdroits/R17674;
}
location = /http-bind {
if ($args ~* {{ key "secrets/jitsi/blacklist_regex" }}) {
return 403 'forbidden';
}
# We add CORS to use a different frontend which is useful for load testing as we do not want to advertise too much our URL
add_header 'Access-Control-Allow-Headers' 'content-type';
add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';

28
cluster/prod/app/jitsi/deploy/jitsi.hcl
View file

@ -1,5 +1,5 @@
job "jitsi" {
datacenters = ["neptune", "scorpio"]
datacenters = ["neptune", "orion"]
type = "service"
priority = 50
@ -20,7 +20,7 @@ job "jitsi" {
task "xmpp" {
driver = "docker"
config {
image = "superboum/amd64_jitsi_xmpp:v12"
image = "superboum/amd64_jitsi_xmpp:v11"
ports = [ "bosh_port", "xmpp_port" ]
network_mode = "host"
volumes = [
@ -101,7 +101,7 @@ EOF
task "front" {
driver = "docker"
config {
image = "superboum/amd64_jitsi_meet:v7"
image = "superboum/amd64_jitsi_meet:v6"
network_mode = "host"
ports = [ "https_port" ]
volumes = [
@ -112,11 +112,6 @@ EOF
]
}
logs {
max_files = 25
max_file_size = 10
}
template {
data = file("../config/config.js")
destination = "secrets/config.js"
@ -168,7 +163,7 @@ EOF
task "jicofo" {
driver = "docker"
config {
image = "superboum/amd64_jitsi_conference_focus:v11"
image = "superboum/amd64_jitsi_conference_focus:v10"
network_mode = "host"
volumes = [
"secrets/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt",
@ -208,7 +203,7 @@ EOF
task "videobridge" {
driver = "docker"
config {
image = "superboum/amd64_jitsi_videobridge:v22"
image = "superboum/amd64_jitsi_videobridge:v21"
network_mode = "host"
ports = [ "video_port" ]
ulimit {
@ -222,14 +217,11 @@ EOF
]
}
template {
data = <<EOH
{{ with $a := env "attr.unique.hostname" | printf "diplonat/autodiscovery/ipv4/%s" | key | parseJSON }}
JITSI_NAT_PUBLIC_IP = {{ $a.address }}
{{ end }}
EOH
destination = "secrets/jitsi-videobridge.env"
env = true
env {
# Our container can autodetect the public IP with the ifconfig.me service
# However we would like to avoid relying on a 3rd party service for production use
# That's why I am setting the public IP address statically here VVVV
#JITSI_NAT_PUBLIC_IP = "82.66.80.201"
}
template {

2
cluster/prod/app/jitsi/integration/README.md
View file

@ -52,7 +52,7 @@ But maybe this value is deprecated: the check is still here but it is not used a
start a maintainance container
```
docker run --rm -it -v `pwd`/prosody/certs/:/var/lib/prosody/ -v `pwd`/prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro --user root superboum/amd64_jitsi_xmpp:v12 bash
docker run --rm -it -v `pwd`/prosody/certs/:/var/lib/prosody/ -v `pwd`/prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro --user root superboum/amd64_jitsi_xmpp:v11 bash
```
then generate certificates from inside this container

11
cluster/prod/app/jitsi/integration/docker-compose.yml
View file

@ -1,7 +1,7 @@
version: '3.4'
services:
jitsi-xmpp:
image: superboum/amd64_jitsi_xmpp:v12
image: superboum/amd64_jitsi_xmpp:v11
volumes:
- "./prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro"
- "./prosody/certs/jitsi.crt:/var/lib/prosody/jitsi.crt:ro"
@ -11,19 +11,16 @@ services:
environment:
- JICOFO_AUTH_PASSWORD=jicofopass
- JVB_AUTH_PASSWORD=jvbpass
ports:
- "5222:5222/tcp"
jitsi-conference-focus:
image: superboum/amd64_jitsi_conference_focus:v11
image: superboum/amd64_jitsi_conference_focus:v10
volumes:
- "./prosody/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt:ro"
- "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
- "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro"
jitsi-videobridge:
image: superboum/amd64_jitsi_videobridge:v22
network_mode: "host"
image: superboum/amd64_jitsi_videobridge:v21
volumes:
- "./prosody/certs/jitsi.crt:/usr/local/share/ca-certificates/jitsi.crt:ro"
- "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro"
@ -34,7 +31,7 @@ services:
- "10000:10000/udp"
jitsi-meet:
image: superboum/amd64_jitsi_meet:v7
image: superboum/amd64_jitsi_meet:v6
volumes:
- "./prosody/certs/jitsi.crt:/etc/nginx/jitsi.crt:ro"
- "./prosody/certs/jitsi.key:/etc/nginx/jitsi.key:ro"

2
cluster/prod/app/jitsi/integration/jvb/videobridge.conf
View file

@ -62,7 +62,7 @@ videobridge {
configs {
unique-xmpp-server {
hostname="172.17.0.1"
hostname="jitsi-xmpp"
domain = "auth.jitsi"
username = "jvb"
password = "jvbpass"

2
cluster/prod/app/jitsi/integration/meet/config.js
View file

@ -22,7 +22,7 @@ var config = {
},
// BOSH URL. FIXME: use XEP-0156 to discover it.
bosh: '//[2a0c:e303:0:2a00::de6]/http-bind',
bosh: '//192.168.1.143/http-bind',
// Websocket URL
// websocket: 'wss://jitsi-meet.example.com/xmpp-websocket',

12
cluster/prod/app/matrix/build/docker-compose.yml
View file

@ -5,19 +5,19 @@ services:
build:
context: ./riotweb
args:
# https://github.com/vector-im/element-web/releases
VERSION: 1.11.49
image: lxpz/amd64_elementweb:v35
# https://github.com/vector-im/riot-web/releases
VERSION: 1.11.25
image: superboum/amd64_riotweb:v33
synapse:
build:
context: ./matrix-synapse
args:
# https://github.com/matrix-org/synapse/releases
VERSION: 1.95.1
VERSION: 1.79.0
# https://github.com/matrix-org/synapse-s3-storage-provider/commits/main
# Update with the latest commit on main each time you update the synapse version
# otherwise synapse may fail to launch due to incompatibility issues
# see this issue for an example: https://github.com/matrix-org/synapse-s3-storage-provider/issues/64
S3_VERSION: v1.2.1
image: lxpz/amd64_synapse:v58
S3_VERSION: v1.2.0
image: superboum/amd64_synapse:v56

2
cluster/prod/app/matrix/config/synapse/homeserver.yaml
View file

@ -340,7 +340,7 @@ room_prejoin_state:
# A list of application service config file to use
#app_service_config_files:
app_service_config_files:
#- "/etc/matrix-synapse/easybridge_registration.yaml"
#- "/etc/matrix-synapse/fb2mx_registration.yaml"

76
cluster/prod/app/matrix/deploy/im.hcl
View file

@ -1,5 +1,5 @@
job "matrix" {
datacenters = ["scorpio", "neptune"]
datacenters = ["orion", "neptune"]
type = "service"
priority = 40
@ -15,7 +15,7 @@ job "matrix" {
driver = "docker"
config {
image = "lxpz/amd64_synapse:v58"
image = "superboum/amd64_synapse:v56"
network_mode = "host"
readonly_rootfs = true
ports = [ "api_port" ]
@ -101,7 +101,7 @@ job "matrix" {
driver = "docker"
config {
image = "lxpz/amd64_synapse:v58"
image = "superboum/amd64_synapse:v56"
readonly_rootfs = true
command = "/usr/local/bin/matrix-s3-async"
work_dir = "/tmp"
@ -114,8 +114,7 @@ job "matrix" {
resources {
cpu = 100
memory = 200
memory_max = 500
memory = 100
}
template {
@ -137,7 +136,7 @@ EOH
task "riotweb" {
driver = "docker"
config {
image = "lxpz/amd64_elementweb:v35"
image = "superboum/amd64_riotweb:v33"
ports = [ "web_port" ]
volumes = [
"secrets/config.json:/srv/http/config.json"
@ -177,70 +176,5 @@ EOH
}
}
}
group "syncv3" {
count = 1
network {
port "syncv3_api" { to = 8009 }
port "syncv3_metrics" { to = 2112 }
}
task "syncv3" {
driver = "docker"
config {
image = "ghcr.io/matrix-org/sliding-sync:v0.99.12"
ports = [ "syncv3_api", "syncv3_metrics" ]
}
resources {
cpu = 1000
memory = 500
memory_max = 1000
}
template {
data = <<EOH
SYNCV3_SERVER=http://synapse.service.prod.consul:8008
SYNCV3_DB=postgresql://{{ key "secrets/chat/syncv3/postgres_user"|trimSpace }}:{{ key "secrets/chat/syncv3/postgres_pwd"|trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul/{{ key "secrets/chat/syncv3/postgres_db"|trimSpace }}?sslmode=disable
SYNCV3_SECRET={{ key "secrets/chat/syncv3/secret"|trimSpace }}
SYNCV3_BINDADDR=0.0.0.0:8009
SYNCV3_PROM=0.0.0.0:2112
EOH
destination = "secrets/env"
env = true
}
service {
name = "matrix-syncv3"
port = "syncv3_api"
address_mode = "host"
tags = [
"matrix",
"tricot im-syncv3.deuxfleurs.fr 100",
"tricot-add-header Access-Control-Allow-Origin *",
"d53-cname im-syncv3.deuxfleurs.fr",
]
check {
type = "tcp"
port = "syncv3_api"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
service {
name = "matrix-syncv3-metrics"
port = "syncv3_metrics"
address_mode = "host"
}
}
}
}

2
cluster/prod/app/plume/deploy/plume.hcl
View file

@ -1,5 +1,5 @@
job "plume-blog" {
datacenters = ["scorpio", "neptune"]
datacenters = ["orion", "neptune"]
type = "service"
group "plume" {

6
cluster/prod/app/postgres/deploy/postgres.hcl
View file

@ -1,5 +1,5 @@
job "postgres14" {
datacenters = ["neptune", "bespin", "scorpio"]
datacenters = ["orion", "neptune", "bespin"]
type = "system"
priority = 90
@ -19,8 +19,8 @@ job "postgres14" {
constraint {
attribute = "${attr.unique.hostname}"
operator = "set_contains_any"
value = "courgette,df-ymf,abricot"
# old (orion) = diplotaxis
# target: courgette,df-ymf,abricot (or ananas)
value = "diplotaxis,courgette,concombre,df-ymf"
}
restart {

8
cluster/prod/app/telemetry/deploy/telemetry-service.hcl
View file

@ -1,5 +1,5 @@
job "telemetry-service" {
datacenters = ["neptune", "scorpio"]
datacenters = ["neptune", "orion"]
type = "service"
group "grafana" {
@ -19,7 +19,7 @@ job "telemetry-service" {
driver = "docker"
config {
image = "litestream/litestream:0.3.13"
image = "litestream/litestream:0.3.7"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/grafana.db"
]
@ -45,7 +45,7 @@ job "telemetry-service" {
task "grafana" {
driver = "docker"
config {
image = "grafana/grafana:10.3.4"
image = "grafana/grafana:9.5.1"
network_mode = "host"
ports = [ "grafana" ]
volumes = [
@ -108,7 +108,7 @@ EOH
task "replicate-db" {
driver = "docker"
config {
image = "litestream/litestream:0.3.13"
image = "litestream/litestream:0.3.7"
args = [
"replicate", "-config", "/etc/litestream.yml"
]

5
cluster/prod/app/telemetry/deploy/telemetry-storage.hcl
View file

@ -20,7 +20,7 @@ job "telemetry-storage" {
task "prometheus" {
driver = "docker"
config {
image = "prom/prometheus:v2.46.0"
image = "prom/prometheus:v2.43.1"
network_mode = "host"
ports = [ "prometheus" ]
args = [
@ -70,8 +70,7 @@ job "telemetry-storage" {
}
resources {
memory = 1500
memory_max = 4000
memory = 1000
cpu = 1000
}

4
cluster/prod/app/telemetry/deploy/telemetry-system.hcl
View file

@ -1,5 +1,5 @@
job "telemetry-system" {
datacenters = ["neptune", "scorpio", "bespin"]
datacenters = ["neptune", "orion", "bespin"]
type = "system"
priority = "100"
@ -12,7 +12,7 @@ job "telemetry-system" {
driver = "docker"
config {
image = "quay.io/prometheus/node-exporter:v1.6.1"
image = "quay.io/prometheus/node-exporter:v1.5.0"
network_mode = "host"
volumes = [
"/:/host:ro,rslave"

159
cluster/prod/app/woodpecker-ci/deploy/server.hcl
View file

@ -1,159 +0,0 @@
job "woodpecker-ci" {
datacenters = ["neptune", "scorpio"]
type = "service"
group "server" {
count = 1
network {
port "web_port" {
static = 14080
to = 14080
}
port "grpc_port" {
static = 14090
to = 14090
}
port "grpc_tls_port" {
static = 14453
to = 14453
}
}
task "server" {
driver = "docker"
config {
image = "woodpeckerci/woodpecker-server:v2.7.0"
ports = [ "web_port", "grpc_port" ]
network_mode = "host"
}
template {
data = <<EOH
WOODPECKER_OPEN=true
WOODPECKER_ORGS=Deuxfleurs
WOODPECKER_ADMIN=lx
WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
WOODPECKER_AGENT_SECRET={{ key "secrets/woodpecker-ci/agent_secret" }}
# secret encryption is broken in woodpecker currently
# WOODPECKER_ENCRYPTION_KEY={{ key "secrets/woodpecker-ci/secrets_encryption_key" }}
WOODPECKER_SERVER_ADDR=[::]:14080
WOODPECKER_GRPC_ADDR=[::]:14090
# WOODPECKER_GRPC_SECRET={{ key "secrets/woodpecker-ci/grpc_secret" }}
WOODPECKER_DATABASE_DRIVER=postgres
WOODPECKER_DATABASE_DATASOURCE=postgres://woodpecker:{{ key "secrets/woodpecker-ci/db_password" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/woodpecker?sslmode=disable
WOODPECKER_GITEA=true
WOODPECKER_GITEA_URL=https://git.deuxfleurs.fr
WOODPECKER_GITEA_CLIENT={{ key "secrets/woodpecker-ci/oauth_client_id" }}
WOODPECKER_GITEA_SECRET={{ key "secrets/woodpecker-ci/oauth_client_secret" }}
WOODPECKER_LOG_LEVEL=debug
WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
EOH
destination = "secrets/env"
env = true
}
resources {
cpu = 100
memory = 200
}
service {
name = "woodpecker"
tags = [
"woodpecker",
"tricot woodpecker.deuxfleurs.fr",
"d53-cname woodpecker.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
/*
check {
type = "http"
protocol = "http"
port = "web_port"
path = "/"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "600s"
ignore_warnings = false
}
}
*/
}
service {
name = "woodpecker-grpc"
tags = [
"woodpecker-grpc",
]
port = "grpc_port"
address_mode = "host"
}
}
task "grpc_tls" {
driver = "docker"
config {
image = "nginx:1.25.3"
ports = [ "grpc_tls_port" ]
volumes = [
"secrets/ssl/certs:/etc/ssl/certs",
"secrets/ssl/private:/etc/ssl/private",
"secrets/conf/:/etc/nginx/",
]
network_mode = "host"
}
template {
data = <<EOH
events {}
http {
server {
listen 0.0.0.0:14453 ssl;
listen [::]:14453 ssl;
http2 on;
server_name woodpecker.deuxfleurs.fr;
ssl_certificate "/etc/ssl/certs/woodpecker.cert";
ssl_certificate_key "/etc/ssl/certs/woodpecker.key";
location / {
grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
}
}
}
EOH
destination = "secrets/conf/nginx.conf"
}
template {
data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.key"
}
template {
data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
destination = "secrets/ssl/certs/woodpecker.cert"
}
service {
name = "woodpecker-grpc-tls"
tags = [
"woodpecker-grpc-tls",
"d53-a woodpecker-grpc.deuxfleurs.fr",
"d53-aaaa woodpecker-grpc.deuxfleurs.fr",
"(diplonat (tcp_port 14453))"
]
port = "grpc_tls_port"
address_mode = "host"
}
}
}
}

54
cluster/prod/app/woodpecker-ci/integration/README.md
View file

@ -1,54 +0,0 @@
## Install Debian
We recommend Debian Bullseye
## Install Docker CE from docker.io
Do not use the docker engine shipped by Debian
Doc:
- https://docs.docker.com/engine/install/debian/
- https://docs.docker.com/compose/install/
On a fresh install, as root:
```bash
# Remove all pre-existing packages
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do apt-get remove $pkg; done
# Add Docker's official GPG key:
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
# Install Docker
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
## Install the runner
```bash
wget https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/raw/branch/main/cluster/prod/app/woodpecker-ci/integration/nix.conf
wget https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/raw/branch/main/cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
```
Create a new Agent for your runner in the Woodpecker admin, and copy the agent secret value.
Edit `docker-compose.yml` and insert your agent secret as the value for WOODPECKER_AGENT_SECRET.
Update other values including hostname and max workflows for your runner.
```bash
COMPOSE_PROJECT_NAME=woodpecker docker-compose up -d
```
That's all folks.

33
cluster/prod/app/woodpecker-ci/integration/docker-compose.yml
View file

@ -1,33 +0,0 @@
version: '3.4'
services:
nix-daemon:
image: nixpkgs/nix:nixos-22.05
restart: always
command: nix-daemon
privileged: true
volumes:
- "nix:/nix"
- "./nix.conf:/etc/nix/nix.conf:ro"
woodpecker-runner:
image: woodpeckerci/woodpecker-agent:v2.4.1
restart: always
environment:
# -- change these for each agent
- WOODPECKER_HOSTNAME=i_forgot_to_change_my_runner_name
- WOODPECKER_AGENT_SECRET=xxxx
- WOODPECKER_MAX_WORKFLOWS=4
# -- if not using COMPOSE_PROJECT_NAME=woodpecker, change name of volume to mount
- WOODPECKER_BACKEND_DOCKER_VOLUMES=woodpecker_nix:/nix:ro
# -- should not need change
- WOODPECKER_SERVER=woodpecker-grpc.deuxfleurs.fr:14453
- WOODPECKER_HEALTHCHECK=false
- WOODPECKER_GRPC_SECURE=true
- WOODPECKER_LOG_LEVEL=info
- WOODPECKER_DEBUG_PRETTY=true
- WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
volumes:
nix:

180
cluster/prod/cluster.nix
View file

@ -1,115 +1,84 @@
{ config, pkgs, ... } @ args:
{
deuxfleurs.clusterName = "prod";
deuxfleurs.cluster_name = "prod";
# The IP range to use for the Wireguard overlay of this cluster
deuxfleurs.clusterPrefix = "10.83.0.0/16";
deuxfleurs.cluster_prefix = "10.83.0.0";
deuxfleurs.cluster_prefix_length = 16;
deuxfleurs.clusterNodes = {
"concombre" = {
siteName = "neptune";
deuxfleurs.cluster_nodes = [
{
hostname = "concombre";
site_name = "neptune";
publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
address = "10.83.1.1";
endpoint = "82.67.87.112:33731";
};
"courgette" = {
siteName = "neptune";
IP = "10.83.1.1";
endpoint = "77.207.15.215:33731";
}
{
hostname = "courgette";
site_name = "neptune";
publicKey = "goTkBJGmzrGDOAjUcdH9G0JekipqSMoaYQdB6IHnzi0=";
address = "10.83.1.2";
endpoint = "82.67.87.112:33732";
};
"celeri" = {
siteName = "neptune";
IP = "10.83.1.2";
endpoint = "77.207.15.215:33732";
}
{
hostname = "celeri";
site_name = "neptune";
publicKey = "oZDAb8LoLW87ktUHyFFec0VaIar97bqq47mGbdVqJ0U=";
address = "10.83.1.3";
endpoint = "82.67.87.112:33733";
};
/*
"dahlia" = {
siteName = "orion";
IP = "10.83.1.3";
endpoint = "77.207.15.215:33733";
}
{
hostname = "dahlia";
site_name = "orion";
publicKey = "EtRoWBYCdjqgXX0L+uWLg8KxNfIK8k9OTh30tL19bXU=";
address = "10.83.2.1";
IP = "10.83.2.1";
endpoint = "82.66.80.201:33731";
};
"diplotaxis" = {
siteName = "orion";
}
{
hostname = "diplotaxis";
site_name = "orion";
publicKey = "HbLC938mysadMSOxWgq8+qrv+dBKzPP/43OMJp/3phA=";
address = "10.83.2.2";
IP = "10.83.2.2";
endpoint = "82.66.80.201:33732";
};
"doradille" = {
siteName = "orion";
}
{
hostname = "doradille";
site_name = "orion";
publicKey = "e1C8jgTj9eD20ywG08G1FQZ+Js3wMK/msDUE1wO3l1Y=";
address = "10.83.2.3";
IP = "10.83.2.3";
endpoint = "82.66.80.201:33733";
};
*/
"df-ykl" = {
siteName = "bespin";
}
{
hostname = "df-ykl";
site_name = "bespin";
publicKey = "bIjxey/VhBgVrLa0FxN/KISOt2XFmQeSh1MPivUq9gg=";
address = "10.83.3.1";
endpoint = "109.136.139.78:33731";
};
"df-ymf" = {
siteName = "bespin";
IP = "10.83.3.1";
endpoint = "109.136.55.235:33731";
}
{
hostname = "df-ymf";
site_name = "bespin";
publicKey = "pUIKv8UBl586O7DBrHBsb9BgNU7WlYQ2r2RSNkD+JAQ=";
address = "10.83.3.2";
endpoint = "109.136.139.78:33732";
};
"df-ymk" = {
siteName = "bespin";
IP = "10.83.3.2";
endpoint = "109.136.55.235:33732";
}
{
hostname = "df-ymk";
site_name = "bespin";
publicKey = "VBmpo15iIJP7250NAsF+ryhZc3j+8TZFnE1Djvn5TXI=";
address = "10.83.3.3";
endpoint = "109.136.139.78:33733";
};
"abricot" = {
siteName = "scorpio";
IP = "10.83.3.3";
endpoint = "109.136.55.235:33733";
}
{
hostname = "abricot";
site_name = "scorpio";
publicKey = "Sm9cmNZ/BfWVPFflMO+fuyiera4r203b/dKhHTQmBFg=";
address = "10.83.4.1";
IP = "10.83.4.1";
endpoint = "82.65.41.110:33741";
};
"ananas" = {
siteName = "scorpio";
publicKey = "YC78bXUaAQ02gz0bApenM4phIo/oMPR78QCmyG0tay4=";
address = "10.83.4.2";
endpoint = "82.65.41.110:33742";
};
"onion" = {
siteName = "dathomir";
publicKey = "gpeqalqAUaYlMuebv3glQeZyE64+OpkyIHFhfStJQA4=";
address = "10.83.5.1";
endpoint = "82.64.238.84:33740";
};
"oseille" = {
siteName = "dathomir";
publicKey = "T87GzAQt02i00iOMbEm7McA/VL9OBrG/kCrgoNh5MmY=";
address = "10.83.5.2";
endpoint = "82.64.238.84:33741";
};
"io" = {
siteName = "dathomir";
publicKey = "3+VvWJtABOAd6zUCMROhqGbNtkQRtoIkVmYn0M81jQw=";
address = "10.83.5.3";
endpoint = "82.64.238.84:33742";
};
"ortie" = {
siteName = "dathomir";
publicKey = "tbx2mvt3TN3Xd+ermwwZ6it80VWT5949cKH9BRFgvzE=";
address = "10.83.5.4";
endpoint = "82.64.238.84:33743";
};
"pamplemousse" = {
siteName = "corrin";
publicKey = "6y5GrNXEql12AObuSfOHGxxUKpdlcyapu+juLYOEBhc=";
address = "10.83.6.1";
endpoint = "45.81.62.36:33731";
};
};
# Pin Nomad version
services.nomad.package = pkgs.nomad_1_6;
nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
}
];
# Bootstrap IPs for Consul cluster,
# these are IPs on the Wireguard overlay
@ -119,7 +88,7 @@
"10.83.3.1" # df-ykl
];
deuxfleurs.adminAccounts = {
deuxfleurs.admin_accounts = {
lx = [
# Keys for accessing nodes from outside
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpaBZdYxHqMxhv2RExAOa7nkKhPBOHupMP3mYaZ73w9 lx@lindy"
@ -142,31 +111,6 @@
baptiste = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnGkJZZrHIUp9q0DXmVLLuhCIe7Vu1J3j6dJ1z1BglqX7yOLdFQ6LhHXx65aND/KCOM1815tJSnaAyKWEj9qJ31RVUoRl42yBn54DvQumamJUaXAHqJrXhjwxfUkF9B73ZSUzHGADlQnxcBkmrjC5FkrpC/s4xr0o7/GIBkBdtZhX9YpxBfpH6wEcCruTOlm92E3HvvjpBb/wHsoxL1f2czvWe69021gqWEYRFjqtBwP36NYZnGOJZ0RrlP3wUrGCSHxOKW+2Su+tM6g07KPJn5l1wNJiOcyBQ0/Sv7ptCJ9+rTQNeVBMoXshaucYP/bKJbqH7dONrYDgz59C4+Kax"
];
aeddis = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILoFf9fMYwLOpmiXKgn4Rs99YCj94SU1V0gwGXR5N4Md"
];
boris = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPts/36UvMCFcx3anSMV8bQKGel4c4wCsdhDGWHzZHgg07DxMt+Wk9uv0hWkqLojkUbCl/bI5siftiEv6En0mHw="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJaD6flgTLkKimMB1qukiLKLVqsN+gizgajETjTwbscXEP2Fajmqy+90v1eXTDcGivmTyi8wOqkJ0s4D7dWP7Ck="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEIZKA/SIicXq7HPFJfumrMc1iARqA1TQWWuWLrguOlKgFPBVym/IVjtYGAQ/Xtv4wU9Ak0s+t9UKpQ/K38kVe0="
];
vincent = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEve02acr522psrPxeElkwIPw2pc6QWtsUVZoaigqwZZ"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/h+rxR2o+vN0hUWQPdpO7YY9aaKxO3ZRnUh9QiKBE7"
];
armael = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOoPghSM72AVp1zATgQzeLkuoGuP9uUTTAtwliyWoix"
];
marion = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzOhSTEOudBWCHi5wHc6MP0xjJJhuIDZEcx+hP6kz9N"
];
darkgallium = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJX0A2P59or83EKhh32o8XumGz0ToTEsoq89hMbMtr7h"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB540H9kn+Ocs4Wjc1Y3f3OkHFYEqc5IM/FiCyoVVoh3"
];
kokakiwi = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPTsEgcOtb2bij+Ih8eg8ZqO7d3IMiWykv6deMzlSSS kokakiwi@kira"
];
};
# For Garage external communication

8
cluster/prod/known_hosts
View file

@ -7,10 +7,6 @@ df-ymf.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2el374ejNXqF+
celeri.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOuY1CvhxBP9BtKkTlmOUu6Hhy8OQTB3R8OCFXbHA/RA
concombre.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3N0QOFNGkCpVLuOHFdpnBaxIFH925KpdIHV/3F9+BR
courgette.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCXJeo6yeQeTN7D7OZwLd8zbyU1jWywlhQ29yyk7x+G
192.168.1.115 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhHUQtc5lukPMFkiWf/sTgaUpwNFXHCJoQKu4ooRFy+
192.168.1.41 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhHUQtc5lukPMFkiWf/sTgaUpwNFXHCJoQKu4ooRFy+
abricot.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPhHUQtc5lukPMFkiWf/sTgaUpwNFXHCJoQKu4ooRFy+
ananas.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHs0zAyBy70oyV56qaMaMAKR7VjEDnsm5LEyZJbM95BL
onion.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjBQ67fxwuDDzRPveTko/Sgf0cev3tIvlr3CfAmhF0C
oseille.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAgQdQ5UVFFn+DXN90ut9+V7NtEopQJnES3r8soKTZW4
io.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvgCJ7Jew7ou1RZuaT41Sd+ucZAgxUwtdieqNqoC3+T
ortie.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqtfIPLk8a5tM6Upj7GQwlIS16nBPrZYVXE2FVlO2Yn
pamplemousse.machine.deuxfleurs.fr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAI0M5qny9yQ6LNzWqPfSlOWwTYpvxQtuSpFiOb6aVtA

11
cluster/prod/node/abricot.nix
View file

@ -8,7 +8,12 @@
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "abricot";
deuxfleurs.staticIPv4.address = "192.168.1.41";
deuxfleurs.staticIPv6.address = "2a01:e0a:e4:2dd0::41";
networking.hostName = "abricot";
deuxfleurs.network_interface = "eno1";
deuxfleurs.lan_ip = "192.168.1.41";
deuxfleurs.ipv6 = "2a01:e0a:e4:2dd0::41";
deuxfleurs.cluster_ip = "10.83.4.1";
deuxfleurs.is_raft_server = false;
}

15
cluster/prod/node/ananas.nix
View file

@ -1,15 +0,0 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "ananas";
deuxfleurs.staticIPv4.address = "192.168.1.42";
deuxfleurs.staticIPv6.address = "2a01:e0a:e4:2dd0::42";
deuxfleurs.isRaftServer = true;
}

1
cluster/prod/node/ananas.site.nix
View file

@ -1 +0,0 @@
../site/scorpio.nix

11
cluster/prod/node/celeri.nix
View file

@ -8,7 +8,12 @@
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "celeri";
deuxfleurs.staticIPv4.address = "192.168.1.33";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::33";
networking.hostName = "celeri";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.1.33";
deuxfleurs.ipv6 = "2001:910:1204:1::33";
deuxfleurs.cluster_ip = "10.83.1.3";
deuxfleurs.is_raft_server = false;
}

12
cluster/prod/node/concombre.nix
View file

@ -8,8 +8,12 @@
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "concombre";
deuxfleurs.staticIPv4.address = "192.168.1.31";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::31";
deuxfleurs.isRaftServer = true;
networking.hostName = "concombre";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.1.31";
deuxfleurs.ipv6 = "2001:910:1204:1::31";
deuxfleurs.cluster_ip = "10.83.1.1";
deuxfleurs.is_raft_server = true;
}

11
cluster/prod/node/courgette.nix
View file

@ -8,7 +8,12 @@
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "courgette";
deuxfleurs.staticIPv4.address = "192.168.1.32";
deuxfleurs.staticIPv6.address = "2001:910:1204:1::32";
networking.hostName = "courgette";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.1.32";
deuxfleurs.ipv6 = "2001:910:1204:1::32";
deuxfleurs.cluster_ip = "10.83.1.2";
deuxfleurs.is_raft_server = false;
}

11
cluster/prod/node/dahlia.nix
View file

@ -7,7 +7,12 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "dahlia";
deuxfleurs.staticIPv4.address = "192.168.1.11";
deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::11";
networking.hostName = "dahlia";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.1.11";
deuxfleurs.ipv6 = "2a01:e0a:28f:5e60::11";
deuxfleurs.cluster_ip = "10.83.2.1";
deuxfleurs.is_raft_server = true;
}

12
cluster/prod/node/df-ykl.nix
View file

@ -7,10 +7,14 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "df-ykl";
deuxfleurs.staticIPv4.address = "192.168.5.117";
deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c";
deuxfleurs.isRaftServer = true;
networking.hostName = "df-ykl";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.5.117";
deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e86c";
deuxfleurs.cluster_ip = "10.83.3.1";
deuxfleurs.is_raft_server = true;
fileSystems."/mnt" = {
device = "/dev/disk/by-uuid/f7aa396f-23d0-44d3-89cf-3cb00bbb6c3b";

11
cluster/prod/node/df-ymf.nix
View file

@ -7,9 +7,14 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "df-ymf";
deuxfleurs.staticIPv4.address = "192.168.5.134";
deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:6e4b:90ff:fe3a:6174";
networking.hostName = "df-ymf";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.5.134";
deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3a:6174";
deuxfleurs.cluster_ip = "10.83.3.2";
deuxfleurs.is_raft_server = false;
fileSystems."/mnt" = {
device = "/dev/disk/by-uuid/fec20a7e-5019-4747-8f73-77f3f196c122";

11
cluster/prod/node/df-ymk.nix
View file

@ -7,9 +7,14 @@
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "df-ymk";
deuxfleurs.staticIPv4.address = "192.168.5.116";
deuxfleurs.staticIPv6.address = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e939";
networking.hostName = "df-ymk";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.5.116";
deuxfleurs.ipv6 = "2a02:a03f:6510:5102:6e4b:90ff:fe3b:e939";
deuxfleurs.cluster_ip = "10.83.3.3";
deuxfleurs.is_raft_server = false;
fileSystems."/mnt" = {
device = "/dev/disk/by-uuid/51d95b17-0e06-4a73-9e4e-ae5363cc4015";

11
cluster/prod/node/diplotaxis.nix
View file

@ -8,7 +8,12 @@
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
deuxfleurs.hostName = "diplotaxis";
deuxfleurs.staticIPv4.address = "192.168.1.12";
deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::12";
networking.hostName = "diplotaxis";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.1.12";
deuxfleurs.ipv6 = "2a01:e0a:28f:5e60::12";
deuxfleurs.cluster_ip = "10.83.2.2";
deuxfleurs.is_raft_server = false;
}

11
cluster/prod/node/doradille.nix
View file

@ -8,7 +8,12 @@
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/nvme0n1"; # or "nodev" for efi only
deuxfleurs.hostName = "doradille";
deuxfleurs.staticIPv4.address = "192.168.1.13";
deuxfleurs.staticIPv6.address = "2a01:e0a:28f:5e60::13";
networking.hostName = "doradille";
deuxfleurs.network_interface = "enp0s31f6";
deuxfleurs.lan_ip = "192.168.1.13";
deuxfleurs.ipv6 = "2a01:e0a:28f:5e60::13";
deuxfleurs.cluster_ip = "10.83.2.3";
deuxfleurs.is_raft_server = false;
}

11
cluster/prod/node/io.nix
View file

@ -1,11 +0,0 @@
{ ... }:
{
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
services.openssh.ports = [ 22 33603 ];
deuxfleurs.hostName = "io";
deuxfleurs.staticIPv4.address = "192.168.1.36";
deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:52e5:49ff:fe5c:5f35";
}

1
cluster/prod/node/io.site.nix
View file

@ -1 +0,0 @@
../site/dathomir.nix

12
cluster/prod/node/onion.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
services.openssh.ports = [ 22 33601 ];
deuxfleurs.hostName = "onion";
deuxfleurs.staticIPv4.address = "192.168.1.34";
deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feb0:e866";
}

1
cluster/prod/node/onion.site.nix
View file

@ -1 +0,0 @@
../site/dathomir.nix

12
cluster/prod/node/ortie.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
services.openssh.ports = [ 22 33604 ];
deuxfleurs.hostName = "ortie";
deuxfleurs.staticIPv4.address = "192.168.1.37";
deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feb0:1b9";
}

1
cluster/prod/node/ortie.site.nix
View file

@ -1 +0,0 @@
../site/dathomir.nix

12
cluster/prod/node/oseille.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 20;
boot.loader.efi.canTouchEfiVariables = true;
services.openssh.ports = [ 22 33602 ];
deuxfleurs.hostName = "oseille";
deuxfleurs.staticIPv4.address = "192.168.1.35";
deuxfleurs.staticIPv6.address = "2a01:e0a:5e4:1d0:223:24ff:feaf:f90b";
}

1
cluster/prod/node/oseille.site.nix
View file

@ -1 +0,0 @@
../site/dathomir.nix

14
cluster/prod/node/pamplemousse.nix
View file

@ -1,14 +0,0 @@
# Configuration file local to this node
{ config, pkgs, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.timeout = 5;
boot.loader.efi.canTouchEfiVariables = true;
deuxfleurs.hostName = "pamplemousse";
deuxfleurs.staticIPv4.address = "192.168.5.201";
deuxfleurs.staticIPv6.address = "2001:912:1ac0:2200::201";
}

1
cluster/prod/node/pamplemousse.site.nix
View file

@ -1 +0,0 @@
../site/corrin.nix

44
cluster/prod/register_external_services.sh
View file

@ -1,44 +0,0 @@
#!/usr/bin/env bash
# Bruxelles (bespin): git forge at git.deuxfleurs.fr
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
{
"Datacenter": "prod",
"Node": "gitea",
"Address": "192.168.5.200",
"NodeMeta": {
"site": "bespin",
"cname_target": "bespin.site.deuxfleurs.fr."
},
"Service": {
"Service": "gitea",
"Tags": ["tricot git.deuxfleurs.fr"],
"Address": "192.168.5.200",
"Port": 3001
}
}
EOF
# Lille (scorpio): ADRN's personnal services under luxeylab.net
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
{
"Datacenter": "prod",
"Node": "spoutnik",
"Address": "192.168.1.51",
"NodeMeta": {
"site": "scorpio",
"cname_target": "scorpio.site.deuxfleurs.fr."
},
"Service": {
"Service": "adrien-nginx",
"Tags": [
"tricot-https *.luxeylab.net",
"tricot-https *.zinz.dev"
],
"Address": "192.168.1.51",
"Port": 443
}
}
EOF

17
cluster/prod/register_personal_services.sh Normal file
View file

@ -0,0 +1,17 @@
#!/usr/bin/env bash
curl -vv -X PUT http://localhost:8500/v1/catalog/register -H "Content-Type: application/json" --data @- <<EOF
{
"Datacenter": "prod",
"Node": "spoutnik",
"Address": "192.168.1.60",
"NodeMeta": { "somekey": "bidon" },
"Service": {
"Service": "adrien-nginx",
"Tags": ["tricot-https *.luxeylab.net"],
"Address": "192.168.1.60",
"Port": 443
}
}
EOF

20
cluster/prod/site/bespin.nix
View file

@ -1,17 +1,13 @@
{ config, pkgs, ... }:
{
deuxfleurs.siteName = "bespin";
deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254";
deuxfleurs.cnameTarget = "bespin.site.deuxfleurs.fr.";
deuxfleurs.site_name = "bespin";
deuxfleurs.lan_default_gateway = "192.168.5.254";
deuxfleurs.ipv6_default_gateway = "2a02:a03f:6510:5102::1";
deuxfleurs.lan_ip_prefix_length = 24;
deuxfleurs.ipv6_prefix_length = 64;
deuxfleurs.nameservers = [ "192.168.5.254" ];
deuxfleurs.cname_target = "bespin.site.deuxfleurs.fr.";
# Allow all ports from gateway for janky UPnP/IGD daemon
# networking.firewall = {
# extraCommands = ''
# iptables -A INPUT -s ${cfg.staticIPv4.defaultGateway} -p udp -j ACCEPT
# '';
# extraStopCommands = ''
# iptables -D INPUT -s ${cfg.staticIPv4.defaultGateway} -p udp -j ACCEPT
# '';
# };
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

8
cluster/prod/site/corrin.nix
View file

@ -1,8 +0,0 @@
{ config, pkgs, ... }:
{
deuxfleurs.siteName = "corrin";
deuxfleurs.staticIPv4.defaultGateway = "192.168.5.1";
deuxfleurs.cnameTarget = "corrin.site.deuxfleurs.fr.";
deuxfleurs.publicIPv4 = "45.81.62.36";
}

7
cluster/prod/site/dathomir.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
deuxfleurs.siteName = "dathomir";
deuxfleurs.cnameTarget = "dathomir.site.deuxfleurs.fr";
deuxfleurs.publicIPv4 = "82.64.238.84";
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
}

14
cluster/prod/site/neptune.nix
View file

@ -1,8 +1,14 @@
{ config, pkgs, ... }:
{
deuxfleurs.siteName = "neptune";
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr.";
deuxfleurs.publicIPv4 = "82.67.87.112";
deuxfleurs.site_name = "neptune";
deuxfleurs.lan_default_gateway = "192.168.1.1";
deuxfleurs.ipv6_default_gateway = "2001:910:1204:1::1";
deuxfleurs.lan_ip_prefix_length = 24;
deuxfleurs.ipv6_prefix_length = 64;
deuxfleurs.nameservers = [ "192.168.1.1" ];
deuxfleurs.cname_target = "neptune.site.deuxfleurs.fr.";
deuxfleurs.public_ipv4 = "77.207.15.215";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

14
cluster/prod/site/orion.nix
View file

@ -1,8 +1,14 @@
{ config, pkgs, ... }:
{
deuxfleurs.siteName = "orion";
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr.";
deuxfleurs.publicIPv4 = "82.66.80.201";
deuxfleurs.site_name = "orion";
deuxfleurs.lan_default_gateway = "192.168.1.254";
deuxfleurs.ipv6_default_gateway = "2a01:e0a:28f:5e60::1";
deuxfleurs.lan_ip_prefix_length = 24;
deuxfleurs.ipv6_prefix_length = 64;
deuxfleurs.nameservers = [ "192.168.1.254" ];
deuxfleurs.cname_target = "orion.site.deuxfleurs.fr.";
deuxfleurs.public_ipv4 = "82.66.80.201";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

14
cluster/prod/site/scorpio.nix
View file

@ -1,8 +1,14 @@
{ config, pkgs, ... }:
{
deuxfleurs.siteName = "scorpio";
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
deuxfleurs.cnameTarget = "scorpio.site.deuxfleurs.fr.";
deuxfleurs.publicIPv4 = "82.65.41.110";
deuxfleurs.site_name = "scorpio";
deuxfleurs.lan_default_gateway = "192.168.1.254";
deuxfleurs.ipv6_default_gateway = "2a01:e0a:e4:2dd0::1";
deuxfleurs.lan_ip_prefix_length = 24;
deuxfleurs.ipv6_prefix_length = 64;
deuxfleurs.nameservers = [ "192.168.1.254" ];
deuxfleurs.cname_target = "scorpio.site.deuxfleurs.fr.";
deuxfleurs.public_ipv4 = "82.65.41.110";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

Some files were not shown because too many files have changed in this diff Show more