crans
/
nixos
mirror of https://gitlab.crans.org/nounous/nixos
19
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding old configuration and documenting the service

belenios
Lyes Saadi 2026-03-21 17:02:15 +01:00
parent 06279968e2
commit 1c0c29b862
No known key found for this signature in database
GPG Key ID: 55A1D803917CF39A
2 changed files with 211 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
hosts/vm/belenios/belenios.nix
View File

@ -1,4 +1,95 @@
{ ... }: { ... }:
let
domain = "belenios.crans.org";
email.from = "root@crans.org";
email.contact = "contact@crans.org";
cas.name = "CAS Cr@ns";
cas.server = "https://cas.crans.org/";
in
{ {
services.belenios = {
enable = true;
config = ''
<!-- -*- Mode: Xml -*- -->
<ocsigen>
<server>
<port>8001</port>
<logdir>/var/log/belenios</logdir>
<datadir>/var/lib/belenios/data</datadir>
<uploaddir>/var/lib/belenios/upload</uploaddir>
<!--
The following limits are there to avoid flooding the server.
<maxuploadfilesize> might need to be increased for handling large
elections.
<maxconnected> is related to the number of simultaneous voters
visiting the server.
-->
<maxuploadfilesize>1024kB</maxuploadfilesize>
<maxconnected>500</maxconnected>
<commandpipe>/var/run/ocsigenserver_command</commandpipe>
<charset>utf-8</charset>
<findlib path="/usr/lib/ocaml"/>
<extension findlib-package="ocsigenserver.ext.staticmod"/>
<extension findlib-package="ocsigenserver.ext.redirectmod"/>
<extension findlib-package="ocsigenserver.ext.ocsipersist-sqlite">
<database file="/var/lib/belenios/data/ocsidb"/>
</extension>
<extension findlib-package="eliom.server"/>
<extension findlib-package="belenios-platform-native"/>
<host charset="utf-8" hostfilter="*" defaulthostname="${domain}">
<!-- <redirect suburl="^$" dest="http://www.example.org"/> -->
<site path="static" charset="utf-8">
<static dir="/usr/share/belenios-server" cache="0"/>
</site>
<site path="monitor">
<eliom findlib-package="eliom.server.monitor.start"/>
</site>
<eliom findlib-package="belenios-server">
<!-- Domain name used in Message-ID -->
<domain name="https://${domain}/"/>
<!--
The following can be adjusted to the capacity of your system.
If <maxrequestbodysizeinmemory> is too small, large elections
might fail, in particular with so-called alternative questions
with many voters.
<maxmailsatonce> depends heavily on how sending emails is
handled by your system.
-->
<maxrequestbodysizeinmemory value="1048576"/>
<maxmailsatonce value="1000"/>
<uuid length="14"/>
<gdpr uri="https://www.belenios.org/rgpd.html"/>
<contact uri="mailto:${email.contact}"/>
<server mail="${email.from}" return-path="${email.contact}"/>
<auth-export name="builtin-cas"/>
<auth-export name="builtin-password"/>
<auth name="${cas.name}"><cas server="${cas.server}"/></auth>
<source file="/usr/share/belenios-server/belenios.tar.gz"/>
<default-group file="/usr/share/belenios-server/groups/default.json"/>
<nh-group file="/usr/share/belenios-server/groups/rfc3526-2048.json"/>
<log file="/var/log/belenios/security.log"/>
<locales dir="/usr/share/belenios-server/locales"/>
<spool dir="/var/lib/belenios/spool"/>
<!-- <warning file="/var/local/belenios/belenios/_run/warning.html"/> -->
</eliom>
</host>
</server>
</ocsigen>
'';
};
} }

123
pkgs/belenios/services.nix
View File

@ -3,10 +3,127 @@
let let
cfg = config.belenios; cfg = config.belenios;
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkOption mkIf;
in in
{ {
options.belenios = { options.services.belenios = {
enable = mkEnableOption "Whether to enable Belenios Web server"; enable = mkEnableOption "Whether to enable the Belenios Web server.";
config = mkOption {
types = lib.types.str;
description = ''
The Belenios Web server configuration.
See
<https://gitlab.inria.fr/belenios/belenios/-/blob/stable/doc/web.md>
for documentation.
'';
example = ''
<!-- -*- Mode: Xml -*- -->
<ocsigen>
<server>
<port>127.0.0.1:8001</port>
<mimefile>_SHAREDIR_/mime.types</mimefile>
<logdir>_VARDIR_/log</logdir>
<datadir>_VARDIR_/lib</datadir>
<uploaddir>_VARDIR_/upload</uploaddir>
<!--
The following limits are there to avoid flooding the server.
<maxuploadfilesize> might need to be increased for handling large
elections.
<maxconnected> is related to the number of simultaneous voters
visiting the server.
-->
<maxuploadfilesize>5120kB</maxuploadfilesize>
<maxconnected>500</maxconnected>
<commandpipe>_RUNDIR_/ocsigenserver_command</commandpipe>
<charset>utf-8</charset>
<extension name="staticmod"/>
<extension name="redirectmod"/>
<extension name="ocsipersist">
<database file="_VARDIR_/lib/ocsidb"/>
</extension>
<extension name="eliom"/>
<host charset="utf-8" hostfilter="*" defaulthostname="localhost">
<!-- <redirect suburl="^$" dest="http://www.example.org"/> -->
<site path="static" charset="utf-8">
<static dir="_SHAREDIR_/static" cache="0"/>
</site>
<eliom name="belenios">
<public-url prefix="http://127.0.0.1:8001"/>
<!-- Domain name used in Message-ID -->
<domain name="belenios.example.org"/>
<!--
The following can be adjusted to the capacity of your system.
If <maxrequestbodysizeinmemory> is too small, large elections
might fail, in particular with so-called alternative questions
with many voters.
<maxmailsatonce> depends heavily on how sending emails is
handled by your system.
-->
<maxrequestbodysizeinmemory value="1048576"/>
<maxmailsatonce value="1000"/>
<tos uri="http://www.example.org/terms-of-service.html"/>
<!-- <contact uri="mailto:contact@example.org"/> -->
<server mail="noreply@example.org" return-path="bounces@example.org" name="Belenios public server"/>
<auth-export name="builtin-password"/>
<auth-export name="builtin-cas"/>
<auth-export name="demo"><dummy/></auth-export> <!-- DEMO -->
<auth-export name="email"><email/></auth-export> <!-- DEMO -->
<auth name="demo"><dummy allowlist="demo_allowlist"/></auth> <!-- DEMO -->
<auth name="local"><password db="local_passwords"/></auth> <!-- DEMO -->
<auth name="public"><password db="public_passwords" allowsignups="true"/></auth>
<auth name="email"><email/></auth> <!-- DEMO -->
<auth name="captcha"><email use_captcha="true"/></auth> <!-- DEMO -->
<!-- <auth name="google"><oidc server="https://accounts.google.com" client_id="client-id" client_secret="client-secret"/></auth> -->
<source file="_SHAREDIR_/belenios.tar.gz"/>
<logo file="_SHAREDIR_/static/placeholder.png" mime-type="image/png"/>
<favicon file="_VARDIR_/favicon.ico" mime-type="image/png"/>
<sealing file="demo/sealing.txt" mime-type="text/plain"/>
<default-group group="Ed25519"/>
<nh-group group="Ed25519"/>
<share dir="_SHAREDIR_"/>
<storage backend="filesystem">
<uuid length="14"/>
<spool dir="_VARDIR_/spool"/>
<accounts dir="_VARDIR_/accounts"/>
<map from="demo_allowlist" to="demo/dummy_logins.txt"/>
<map from="local_passwords" to="demo/password_db.csv"/>
<map from="public_passwords" to="_VARDIR_/password_db.csv"/>
</storage>
<admin-home file="_VARDIR_/admin-home.html"/>
<success-snippet file="_VARDIR_/success-snippet.html"/>
<warning file="_VARDIR_/warning.html"/>
<footer file="_VARDIR_/footer.html"/>
<!-- <deny-newelection/> -->
<!--
Uncomment the following line to disable revoting. Note that
the ability to revote is important as a (light) measure
against coercion.
-->
<!-- <deny-revote/> -->
</eliom>
</host>
</server>
</ocsigen>
'';
#
};
};
config = mkIf cfg.enable {
systemd.services.belenios = {};
}; };
} }