tsuki/jupyter: remove
parent
3b736e4c61
commit
a20bb288aa
|
@ -13,7 +13,6 @@
|
||||||
./services/headscale.nix
|
./services/headscale.nix
|
||||||
./services/hedgedoc.nix
|
./services/hedgedoc.nix
|
||||||
./services/invidious.nix
|
./services/invidious.nix
|
||||||
./services/jupyter.nix
|
|
||||||
./services/kanidm.nix
|
./services/kanidm.nix
|
||||||
./services/matrix
|
./services/matrix
|
||||||
./services/minecraft
|
./services/minecraft
|
||||||
|
|
|
@ -1,119 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }: let
|
|
||||||
cfg = config.services.jupyter;
|
|
||||||
in {
|
|
||||||
sops.secrets."jupyter/password" = {
|
|
||||||
restartUnits = [ "jupyter.service" ];
|
|
||||||
owner = cfg.user;
|
|
||||||
inherit (cfg) group;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users."jupyter".group = "jupyter";
|
|
||||||
|
|
||||||
services.jupyter = {
|
|
||||||
enable = true;
|
|
||||||
group = "jupyter";
|
|
||||||
password = let
|
|
||||||
readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
|
|
||||||
in
|
|
||||||
readFile config.sops.secrets."jupyter/password".path;
|
|
||||||
|
|
||||||
kernels = {
|
|
||||||
pythonDS = let
|
|
||||||
env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
|
|
||||||
numpy
|
|
||||||
matplotlib
|
|
||||||
ipykernel
|
|
||||||
]));
|
|
||||||
in {
|
|
||||||
displayName = "Python for data science";
|
|
||||||
argv = [
|
|
||||||
"${env.interpreter}"
|
|
||||||
"-m"
|
|
||||||
"ipykernel_launcher"
|
|
||||||
"-f"
|
|
||||||
"{connection_file}"
|
|
||||||
];
|
|
||||||
language = "python";
|
|
||||||
logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
|
|
||||||
logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.tmpfiles.settings."10-jupyter" = {
|
|
||||||
"/var/lib/jupyter/notebooks".d = {
|
|
||||||
mode = "0700";
|
|
||||||
user = "jupyter";
|
|
||||||
group = "jupyter";
|
|
||||||
};
|
|
||||||
"/var/lib/jupyter/data".d = {
|
|
||||||
mode = "0700";
|
|
||||||
user = "jupyter";
|
|
||||||
group = "jupyter";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.jupyter = let
|
|
||||||
notebookConfig = pkgs.writeText "jupyter_config.py" ''
|
|
||||||
c.NotebookApp.notebook_dir = 'notebooks'
|
|
||||||
c.NotebookApp.open_browser = False
|
|
||||||
c.NotebookApp.password = ${cfg.password}
|
|
||||||
c.NotebookApp.password_required = True
|
|
||||||
|
|
||||||
c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
|
|
||||||
c.NotebookApp.sock_mode = '0660'
|
|
||||||
c.NotebookApp.local_hostnames = ['py.nani.wtf']
|
|
||||||
|
|
||||||
c.ConnectionFileMixin.transport = 'ipc'
|
|
||||||
|
|
||||||
${cfg.notebookConfig}
|
|
||||||
'';
|
|
||||||
in {
|
|
||||||
environment = {
|
|
||||||
JUPYTER_DATA_DIR = "%S/${config.systemd.services.jupyter.serviceConfig.StateDirectory}/data";
|
|
||||||
JUPYTER_RUNTIME_DIR = "%t/${config.systemd.services.jupyter.serviceConfig.RuntimeDirectory}";
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
RuntimeDirectory = "jupyter";
|
|
||||||
StateDirectory = "jupyter";
|
|
||||||
|
|
||||||
# Hardening
|
|
||||||
CapabilityBoundingSet = "";
|
|
||||||
LockPersonality = true;
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
PrivateDevices = true;
|
|
||||||
PrivateMounts = true;
|
|
||||||
PrivateTmp = true;
|
|
||||||
PrivateUsers = true;
|
|
||||||
ProtectClock = true;
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectProc = "invisible";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
RemoveIPC = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
UMask = "0007";
|
|
||||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
|
|
||||||
ExecStart = lib.mkForce ''
|
|
||||||
${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
local.socketActivation.jupyter = {
|
|
||||||
enable = cfg.enable;
|
|
||||||
originalSocketAddress = "/run/jupyter/jupyter.sock";
|
|
||||||
newSocketAddress = "/run/jupyter.sock";
|
|
||||||
privateNamespace = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.jupyter-proxy.serviceConfig = {
|
|
||||||
User = "jupyter";
|
|
||||||
Group = "jupyter";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -49,7 +49,6 @@
|
||||||
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
|
"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
|
||||||
"idrac".servers."${ips.idrac}" = { };
|
"idrac".servers."${ips.idrac}" = { };
|
||||||
"invidious".servers."unix:${sa.invidious.newSocketAddress}" = { };
|
"invidious".servers."unix:${sa.invidious.newSocketAddress}" = { };
|
||||||
"jupyter".servers."unix:${sa.jupyter.newSocketAddress}" = { };
|
|
||||||
"kanidm".servers."localhost:8300" = { };
|
"kanidm".servers."localhost:8300" = { };
|
||||||
"navidrome".servers."unix:${sa.navidrome.newSocketAddress}" = { };
|
"navidrome".servers."unix:${sa.navidrome.newSocketAddress}" = { };
|
||||||
"osuchan".servers."localhost:${s ports.osuchan}" = { };
|
"osuchan".servers."localhost:${s ports.osuchan}" = { };
|
||||||
|
@ -143,7 +142,6 @@
|
||||||
(proxy ["osu"] "http://osuchan" {})
|
(proxy ["osu"] "http://osuchan" {})
|
||||||
(proxy ["plex"] "http://plex" {})
|
(proxy ["plex"] "http://plex" {})
|
||||||
(proxy ["mus"] "http://navidrome" enableWebsockets)
|
(proxy ["mus"] "http://navidrome" enableWebsockets)
|
||||||
(proxy ["py"] "http://jupyter" enableWebsockets)
|
|
||||||
(proxy ["vpn"] "http://headscale" enableWebsockets)
|
(proxy ["vpn"] "http://headscale" enableWebsockets)
|
||||||
(proxy ["yt"] "http://invidious" {})
|
(proxy ["yt"] "http://invidious" {})
|
||||||
|
|
||||||
|
|
|
@ -5,8 +5,6 @@ gitea:
|
||||||
runners:
|
runners:
|
||||||
ping: ENC[AES256_GCM,data:DRyw59+KE0n/qEr+Az7r8ulZr3dk1u6hVT1SVqKywW4DgtUr1eLj7DGOXvHxug==,iv:W49dNY/V+6KPuQeN5rdWw6Ed+w/oOy9ey+hRRz7Oxdc=,tag:ILzIKgvLs+8RVpHsSuMHrA==,type:str]
|
ping: ENC[AES256_GCM,data:DRyw59+KE0n/qEr+Az7r8ulZr3dk1u6hVT1SVqKywW4DgtUr1eLj7DGOXvHxug==,iv:W49dNY/V+6KPuQeN5rdWw6Ed+w/oOy9ey+hRRz7Oxdc=,tag:ILzIKgvLs+8RVpHsSuMHrA==,type:str]
|
||||||
pong: ENC[AES256_GCM,data:VwpNj/FRSkc5/s6aZPaiBwIaj9VBfp6wcnDFkWmTWC6xRWevMUYKv3jHPhD/ZA==,iv:0uVgjmrF4jIa+Eg3Gofb+2eFa1MdZHb9eR4BcWBpkeQ=,tag:YsXjKqeksU9JcXl+5REXFQ==,type:str]
|
pong: ENC[AES256_GCM,data:VwpNj/FRSkc5/s6aZPaiBwIaj9VBfp6wcnDFkWmTWC6xRWevMUYKv3jHPhD/ZA==,iv:0uVgjmrF4jIa+Eg3Gofb+2eFa1MdZHb9eR4BcWBpkeQ=,tag:YsXjKqeksU9JcXl+5REXFQ==,type:str]
|
||||||
jupyter:
|
|
||||||
password: ENC[AES256_GCM,data:mm0EHzhK9AqErfsoWWJ5+3ym+VXgEcZ+qadTy3f+NtA=,iv:ntGxklA5oDbGbo3j3ffbAvzGE4c9Ay/SfCWdA6bqzP4=,tag:KG1luMcSjBFm0LVKnoTvGA==,type:str]
|
|
||||||
grafana:
|
grafana:
|
||||||
oauth2_secret: ENC[AES256_GCM,data:zxfPtiB/o5cC27O9uQzPvQV1qWcp3xxnIi7/P84I2lJ/X4ovAwXuiEqnc7BDAE4E,iv:ZY8BDTMEvR2JiFHKM8iM90UQbmTqH/DoVklWno6Xa4U=,tag:E8GTGk9IJauCgjaoToShBg==,type:str]
|
oauth2_secret: ENC[AES256_GCM,data:zxfPtiB/o5cC27O9uQzPvQV1qWcp3xxnIi7/P84I2lJ/X4ovAwXuiEqnc7BDAE4E,iv:ZY8BDTMEvR2JiFHKM8iM90UQbmTqH/DoVklWno6Xa4U=,tag:E8GTGk9IJauCgjaoToShBg==,type:str]
|
||||||
secretkey: ENC[AES256_GCM,data:aVzqZqwFfm3FcYJE8USxsDbZVwtnF5NJXTAqshv9av4ZeR5YrDfDzLYHHztXMZt2Q7p/6A==,iv:A7x7oRUVvfxqSXRfi9+15z9pE6xX+GZrGU7gXrSKyXE=,tag:2uatRT0XePk2dqZj2ZlM3A==,type:str]
|
secretkey: ENC[AES256_GCM,data:aVzqZqwFfm3FcYJE8USxsDbZVwtnF5NJXTAqshv9av4ZeR5YrDfDzLYHHztXMZt2Q7p/6A==,iv:A7x7oRUVvfxqSXRfi9+15z9pE6xX+GZrGU7gXrSKyXE=,tag:2uatRT0XePk2dqZj2ZlM3A==,type:str]
|
||||||
|
@ -71,8 +69,8 @@ sops:
|
||||||
cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
|
cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
|
||||||
rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
|
rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-06-09T13:31:53Z"
|
lastmodified: "2024-06-09T13:40:50Z"
|
||||||
mac: ENC[AES256_GCM,data:8fdE/+Z0C7YSljHWtYaX4ceg+MJNKC1FZXnfEZhfMo5EB57OKc6CInMuVpxI1b9CP7Ka+3rr6bZQaa6djD0VAOjVOWaJPW79S8ee0iuxrm9a7ZI/tbM/7GFDF6j80ZkJW1+SUdjc6MneA4EKht6VwwO4RvAL94NwxbEfjFXo1wc=,iv:WDmESFjOr8uIiX//zDsQHDOB7cG7wmbmEhypIE/2hPM=,tag:0jGHxIr0f2iMfgrKBKStLQ==,type:str]
|
mac: ENC[AES256_GCM,data:dMMYtUSNPB8wq/HnFYctRhpU4uHbQfA7k/EkP4pGU0RJUfvcnAtU5KCN+WpcWPNN3xBESJ3mjDGlYp2GrdoGPfj/f/+sJd2OdgPDAagb8yRCTBmQyvnv72WCxZTcV4BkBAJJQKSiTIxZ5q/t83LxzgXJ0mQnpDXFEBNf7sLJr84=,iv:Ga9URI5SbT456/LfFAlYlRu+/TAYTC+k/AKKCL2bHMM=,tag:2lqME8FFL5/BK/vN5FA1GA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-05-08T00:49:52Z"
|
- created_at: "2023-05-08T00:49:52Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|