nix-config/hosts/uranus/stateful-jupyter.nix

{ pkgs, config, lib, ... }:
let
  jupyterUsers = [
    {
      username = "0xa";
      userPasswordFile = config.sops.secrets.hashed-password-0xa.path;
      isAdmin = true;
    }
    {
      username = "tassilo";
      userPasswordFile = config.sops.secrets.hashed-password-tassilo.path;
      isAdmin = true;
    }
    {
      username = "marenz";
      userPasswordFile = config.sops.secrets.hashed-password-marenz.path;
      isAdmin = true;
    }
  ];

  # move the secrets to the volume
  secret-setup = (lib.strings.concatStringsSep "\n" (builtins.map (u: "cp --force --dereference ${u.userPasswordFile} /var/lib/pw/") jupyterUsers));
in
{
  sops.secrets = {
    hashed-password-0xa = { };
    hashed-password-tassilo = { };
    hashed-password-marenz = { };
  };

  virtualisation.docker = {
    enable = true;
    # magic from marenz to make it work on ceph
    storageDriver = "devicemapper";
    extraOptions = "--storage-opt dm.basesize=40G --storage-opt dm.fs=xfs";
  };
  systemd.enableUnifiedCgroupHierarchy = false;

  # user to run the thing
  # jupyterlab container
  virtualisation.oci-containers = {
    backend = "docker";
    containers."jupyterlab-stateful" = {
      autoStart = true;
      ports = [ "8080:8080" ];
      volumes = [
        "/var/lib/jupyter-volume:/workdir"
        "/var/lib/root-home:/root"
        "/var/lib/pw:/pw"
      ];
      imageFile =
        let
          packages = lib.concatStringsSep " " [
            # alphabetically `:sort`ed plz
            "geojson"
            "matplotlib"
            "numpy"
            "pandas"
            "pip"
            "psycopg"
            "scipy"
            "seaborn"
            "bitstring"
          ];
        in
        (import ./jupyter-container.nix {
          inherit pkgs lib jupyterUsers packages;
        });
      image = "stateful-jupyterlab";
    };
  };

  systemd.services = {
    setup-docker-pws = {
      description = "copy the user passwords to docker volume";
      wantedBy = [ "jupyterlab-stateful.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
      script = secret-setup;
    };
    docker-jupyterlab-stateful = {
      after = [ "setup-docker-pws.service" ];
      requires = [ "setup-docker-pws.service" ];
    };
  };

}
proper secrets handling 2023-06-09 22:32:39 +02:00			`{ pkgs, config, lib, ... }:`
			`let`
			`jupyterUsers = [`
			`{`
			`username = "0xa";`
			`userPasswordFile = config.sops.secrets.hashed-password-0xa.path;`
			`isAdmin = true;`
			`}`
add users 2023-06-10 23:35:13 +02:00			`{`
			`username = "tassilo";`
			`userPasswordFile = config.sops.secrets.hashed-password-tassilo.path;`
			`isAdmin = true;`
			`}`
			`{`
			`username = "marenz";`
			`userPasswordFile = config.sops.secrets.hashed-password-marenz.path;`
			`isAdmin = true;`
			`}`
proper secrets handling 2023-06-09 22:32:39 +02:00			`];`
copy passwords to the volume 2023-06-09 23:37:18 +02:00
			`# move the secrets to the volume`
force pw update 2023-06-10 13:43:46 +02:00			`secret-setup = (lib.strings.concatStringsSep "\n" (builtins.map (u: "cp --force --dereference ${u.userPasswordFile} /var/lib/pw/") jupyterUsers));`
proper secrets handling 2023-06-09 22:32:39 +02:00			`in`
add uranus 2023-05-30 16:00:35 +02:00			`{`
add users 2023-06-10 23:35:13 +02:00			`sops.secrets = {`
			`hashed-password-0xa = { };`
			`hashed-password-tassilo = { };`
			`hashed-password-marenz = { };`
			`};`
proper secrets handling 2023-06-09 22:32:39 +02:00
add uranus 2023-05-30 16:00:35 +02:00			`virtualisation.docker = {`
			`enable = true;`
			`# magic from marenz to make it work on ceph`
			`storageDriver = "devicemapper";`
			`extraOptions = "--storage-opt dm.basesize=40G --storage-opt dm.fs=xfs";`
			`};`
			`systemd.enableUnifiedCgroupHierarchy = false;`

			`# user to run the thing`
			`# jupyterlab container`
			`virtualisation.oci-containers = {`
			`backend = "docker";`
			`containers."jupyterlab-stateful" = {`
			`autoStart = true;`
			`ports = [ "8080:8080" ];`
persist root home folder 2023-05-30 17:44:15 +02:00			`volumes = [`
			`"/var/lib/jupyter-volume:/workdir"`
			`"/var/lib/root-home:/root"`
link sops secrets through the volume 2023-06-09 22:39:38 +02:00			`"/var/lib/pw:/pw"`
persist root home folder 2023-05-30 17:44:15 +02:00			`];`
more python packages and nixpkgs-fmt 2023-05-30 20:10:59 +02:00			`imageFile =`
			`let`
test new jupyter config 2023-06-09 19:47:15 +02:00			`packages = lib.concatStringsSep " " [`
more python packages and nixpkgs-fmt 2023-05-30 20:10:59 +02:00			# alphabetically `:sort`ed plz
add conda packages to uranus 2023-06-01 12:43:29 +02:00			`"geojson"`
more python packages and nixpkgs-fmt 2023-05-30 20:10:59 +02:00			`"matplotlib"`
			`"numpy"`
			`"pandas"`
add conda packages to uranus 2023-06-01 12:43:29 +02:00			`"pip"`
			`"psycopg"`
more python packages and nixpkgs-fmt 2023-05-30 20:10:59 +02:00			`"scipy"`
			`"seaborn"`
adding bitstring to jupyter 2023-06-08 19:12:52 +02:00			`"bitstring"`
more python packages and nixpkgs-fmt 2023-05-30 20:10:59 +02:00			`];`
			`in`
			`(import ./jupyter-container.nix {`
test new jupyter config 2023-06-09 19:47:15 +02:00			`inherit pkgs lib jupyterUsers packages;`
more python packages and nixpkgs-fmt 2023-05-30 20:10:59 +02:00			`});`
add uranus 2023-05-30 16:00:35 +02:00			`image = "stateful-jupyterlab";`
			`};`
			`};`

hard depend on passwords 2023-06-10 23:27:19 +02:00			`systemd.services = {`
			`setup-docker-pws = {`
			`description = "copy the user passwords to docker volume";`
			`wantedBy = [ "jupyterlab-stateful.service" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`};`
			`script = secret-setup;`
			`};`
			`docker-jupyterlab-stateful = {`
forgot the ".service" 2023-06-10 23:28:49 +02:00			`after = [ "setup-docker-pws.service" ];`
			`requires = [ "setup-docker-pws.service" ];`
hard depend on passwords 2023-06-10 23:27:19 +02:00			`};`
copy passwords to the volume 2023-06-09 23:37:18 +02:00			`};`

add uranus 2023-05-30 16:00:35 +02:00			`}`