module: final fixes and cleanup

README.md

@@ -21,26 +21,29 @@ nix build --json .#run-erpnext \
 ```
 
 ### NixOS VM
+Initial setup:
 ```
 # Build the test VM
 nix build '.#nixosConfigurations.test-vm.config.system.build.vm'
 # Start the VM, to generate SSH host key files required for secrets
 ./result/bin/run-nixos-vm
 
-# Get the ed25519 SSH hostkey
-ssh-keyscan -p 2222 127.0.0.1
+# In another terminal, get the ed25519 SSH hostkey, then stop the VM with CTRL-c
+ssh-keyscan -p 2222 127.0.0.1 | grep ssh-ed25519
+...
+[127.0.0.1]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdCOs16W731ftPDqO+X6RZVSdwVVNw2Xfmcpk5pzbeO
 
-# Edit secrets.nix and add the SSH hostkey to machine 'test-vm'
-vim secrets/secrets.nix
+# Edit secrets.nix and add the SSH hostkey to machine 'test-vm', starting with 'ssh-ed25519 ...'
+sed --in-place \
+  's|test-vm = .*|test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdCOs16W731ftPDqO+X6RZVSdwVVNw2Xfmcpk5pzbeO host@test-vm";|' \
+  secrets/secrets.nix
 
 # Rekey the secrets with agenix
-cd secrets
-agenix --rekey
-cd ..
+cd secrets && agenix --rekey && cd ..
 
-# Stop with CTRL-c & build the test VM again
+# Build the test VM again
 nix build '.#nixosConfigurations.test-vm.config.system.build.vm'
-# Start the VM
+# Start the VM once more
 ./result/bin/run-nixos-vm
 
 # Access the VM via SSH, use an empty password (Enter) to login
@@ -50,13 +53,34 @@ ssh root@localhost -p 2222
 # The initial startup can take a few minutes
 journalctl -fu erpnext-web.service
 
-# Open http://localhost:8081 in your browser
+# Open https://localhost:8081 in your browser and follow the setup wizard
 # User: Administrator
 # Password: admin
+```
 
-# To reset all data for the VM
+After the initial setup, make changes, build and run the VM again to test the changes.
+```
+# Build the test VM
+nix build '.#nixosConfigurations.test-vm.config.system.build.vm'
+# Start the VM
+./result/bin/run-nixos-vm
+```
+
+Useful for debugging, you can delete a special file in the VM to force the
+ERPNext init script to run again. It will then try to initialize the DB again
+and create a new site directory.
+```
+ssh root@localhost -p 2222
+rm /var/lib/erpnext/.db-created
+systemctl restart erpnext-web
+```
+
+To reset the VM's data and start fresh, run:
+```
 rm nixos.qcow2
 ```
+Note that this will re-generate SSH host keys and you will need to do the
+initial setup again.
 
 ### Docker
 ```

modules/erpnext.nix

@@ -90,6 +90,10 @@ in
         default = true;
         description = lib.mdDoc "Create the database and database user locally.";
       };
+      automaticMigrations = mkEnableOption
+        (lib.mdDoc "automatic migrations for database schema and data") // {
+          default = true;
+        };
     };
 
     redis = {
@@ -116,15 +120,6 @@ in
       description = lib.mdDoc "Local socket.io HTTP server port.";
     };
 
-    #configJsonFile = mkOption {
-    #  type = types.nullOr types.path;
-    #  default = null;
-    #  example = "/run/secrets/erpnext-config.json";
-    #  description = lib.mdDoc ''
-    #    A file containing the ERPNext config.
-    #  '';
-    #};
-
     webserver = {
       bindAddress = mkOption {
         type = types.str;
@@ -144,19 +139,27 @@ in
       example = lib.literalExpression ''
         {
           serverAliases = [
-            "erpnext.''${config.networking.domain}"
-            "erp.''${config.networking.domain}"
+            "erpnext.your.domain"
+            "erp.your.domain"
           ];
-          enableACME = false;
+          # Disable access logs
+          logFormat = ''
+            output discard
+          '';
         }
       '';
       description = lib.mdDoc ''
           With this option, you can customize a caddy virtual host.
           Set to {} if you do not need any customization to the virtual host.
-          If enabled, then by default, the {option}`serverName` is
+          If enabled, then by default, the {option}`hostName` is
           `''${domain}`,
-          SSL is active, and certificates are acquired via ACME.
-          If this is set to null (the default), no caddy virtualHost will be configured.
+          TLS is active by default, and handled by caddy.
+
+          Additionally, you probably want to set the caddy email option, when
+          enabling this: {option}`services.caddy.email
+
+          If this is set to null (the default), no caddy virtualHost will be
+          configured.
       '';
     };
 
@@ -298,11 +301,7 @@ in
     };
 
     services.caddy.enable = mkIf (cfg.caddy != null) true;
-    services.caddy.email = "admins@pub.solar";
-    services.caddy.globalConfig = ''
-        local_certs
-      '';
-    services.caddy.virtualHosts."${cfg.domain}:8081" = mkIf (cfg.caddy != null) (lib.mkMerge [
+    services.caddy.virtualHosts."${cfg.domain}" = mkIf (cfg.caddy != null) (lib.mkMerge [
       cfg.caddy
       ({
         extraConfig = ''
@@ -356,13 +355,18 @@ in
             DB_ROOT_PASSWORD="$(cat "${cfg.database.rootPasswordFile}")"
 
             # Upstream initializes the database with this command
-            ${penv}/bin/bench new-site localhost \
+            ${penv}/bin/bench new-site ${cfg.domain} \
               --mariadb-root-password "$DB_ROOT_PASSWORD" \
               --admin-password "$ADMIN_PASSWORD" \
               --install-app erpnext
 
             touch ${escapeShellArg "${cfg.workDir}/.db-created"}
           fi
+
+          ${lib.optionalString cfg.database.automaticMigrations ''
+            # Migrate the database
+            ${penv}/bin/bench --site ${cfg.domain} migrate
+        ''}
         '';
         ExecStart = ''
           ${penv}/bin/gunicorn \

secrets/database-root-password.age

@@ -1,14 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 Wp/X/Q uMcrhm3fS+M/P2uaEJvdRab5G4Nk6zZNAlHyRISlGg0
-9QNitHuuKYzn99Hr76+yOa51/4qfTlhUwf5cD/Px/FI
--> ssh-ed25519 FnuwSg ukuZCjWTcyC4LiHWmrunskAk3WbNZsdAXzHi3fydJwI
-k3N3F4hxw55E6C68jLoaIQfuDUaOILxbw8BYwIcI2e8
--> ssh-ed25519 BVsyTA q+2w2O+4c8NahzHuo2KLDxa8RHB79+L+h9KOY9GdGkA
-eWRM4yyQtefZ6tnozqg37eLLMz7rQYl3eem2jxGThwo
--> ssh-ed25519 BVsyTA 6qkLU9OPuBv6KlgaILTkeFsyNgm8uW2PgZvsIQ8pGwM
-kXBSETY11ZCJs5HZ2jH9LAw0ntrsSW2J5ES97X7FkpI
--> }6jwb-grease ,2 {su
-Yypdzw8GT6HmlqgBxHAuEiKDWsH+wSYK2rMxketTP6OlWJHfmV9jc/YBMXwWNkhh
-jcQfjmwx2Wjcn0mjiv6RUYi3tulpbkB+jctRW+vstPHTIptEMhOfs5FM
---- WPd5tG8HvNuhMZfqvzaCeDz2tavijgWewAuLV+5wFuE
-9öêÔ¯“áY÷%"|V`WV%l»''oKÀ$W`Ÿ!è)ŸBؘºN¥p
+-> ssh-ed25519 Wp/X/Q J/XqDE9oquq8xyPyMXcYtWVEeIczShbr2WZ6zpXVDFk
+qsmZSC59mm8HUG72aqSdaVU2XaNMk5PumaE/r1+5Fzc
+-> ssh-ed25519 fLYf0Q +zjc/bQDGBgWSd3O2BugQBMx2Iq4UEUG5XauQMqzvmY
+9TGVQ02H4Ofdwgju7zbRpfxanAUEbIb44nUZkFESLt4
+-> ssh-ed25519 BVsyTA QE7uZCFJjDbhiQqvDgJeJevPqhYSEs6rswLdR/dU/gA
++B37NmGCNFnnDtkLkMbb9mRSvR7/6ohQTRN/VK6HCGE
+-> ssh-ed25519 BVsyTA QG+2eoqCbQzzQLF8uNX8Oj68SILAeWIUqcK0rtGT8nM
+3NUYU+9Bv88r1VNDeZFNMnc3l9lsiWjzsYTczyntRac
+-> EMr"yt-grease
+GNRgoRN98JvtS4Vc1CE1I0RXSwvt5RGiwxwPBVCHtU9NaBNxY7enwQKHN0cRcvku
+oiA
+--- lAr6xIM5wIjraqiC78485o9Od6N4ky54dCrcVc+ZECE
+?bïTg5'ßõ˜@œ<>vë&¥‚4\¾¿ØŽ<>1€»JZ—±ea

secrets/database-user-password.age

@@ -1,14 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 Wp/X/Q 3hW/8PTjCcRN4cj1OJlmKgGrupW/At/XcZP9mX5relM
-DrYHHxhA6DDj5tkUwMEP1Diedo5ZRtdaDaytodWcRlU
--> ssh-ed25519 FnuwSg 7szTuXVOxA1gEKvXFDDpPBak5Eh2CwUGnL52wGLmogw
-J/no4LHtQ5FR43r6evCk4n6V/6gQ5navfvVGOc6Mnl0
--> ssh-ed25519 BVsyTA cGS0ASOgef9VUxNQF0h70h9aJnctBZRc6FBQgahLn0c
-b35sRRi+yNu2arU7yipZctcie0itomjJtc3Nr4i2nss
--> ssh-ed25519 BVsyTA VG8SwHZkdvGwmbx/kOT5oabV+WpO5QGIJXtse4CtKgE
-WiEuIMlsaW98kPB6pChEZhCNWo0pVbDMEIwfRtuKNnY
--> 2IOJi1-grease s^`TsZL %{ &~L*
-TU4AdoaLUEYR8YQRMcUdFho/WOs9IpwM1z4t36FbM3GPFqz0IY5MCC9shj+oxhh1
-aW5/FKRXoTLG5A
---- 9HuacZ7Sr0o0XKFkdT4qIQSdx8Idymsb/jc3QxLOwg0
-MÄ0H±„{ÝË»—ˆ;Ÿc”ž*$½6dŒ(ÖÕ1ÏüDÍ÷<C38D>‹3OÂe†
+-> ssh-ed25519 Wp/X/Q XnUGBSLYyTTUjTiqQg4zZGeVvMqPocTk7uZRBhPguGk
+TFf2vCef46WGwSSL9eQoWJw74fiUfymxaUxNf+Ty32Y
+-> ssh-ed25519 fLYf0Q rtQ/LRlEPw+V/71ptxLfhbjjKUKD3M/FitHxuIfb61I
+iWDj8TXCJOf73MUcHZWhnhQjnuKqykxQ8UYYzeFs7FA
+-> ssh-ed25519 BVsyTA /5BemxhsClGZQAAF4apL2g37qjHjJ0VjPC1352NniFk
+LCKyRK+JbZW1YFpZknB+HVCVjS2xxPwsbitJ3pztYO0
+-> ssh-ed25519 BVsyTA r0UHDzJx01z6u5tC+KWvp/TrpvFaTAP6Nn2z9vv7kVU
+/L+0zAITksGzHkdGneaEWgUGHcBfXUROCS8fQh1fAPg
+-> [>kC]3-grease
+ZAw4x/KwujI8DlxyGsgjk8yu
+--- LA8ePveqZ7SKE7WsfrX/dD37bU4VRgivUfSRDOpc14A
+<EFBFBD><EFBFBD>p><3E><>Y<EFBFBD>x<>nP<>׺D>F<><46>v!
+<EFBFBD><EFBFBD>~ᨀ<>:<3A><><EFBFBD><EFBFBD>w<EFBFBD>

secrets/secrets.nix

@@ -2,7 +2,7 @@ let
   # set ssh public keys here for your system and user
   machines = {
     dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
-    test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILD8RziyMKgRj6MLkRjdHnNwG2+VolUl8ejjeteehVnw host@test-vm";
+    test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7EsR4wT+bOaC/rafTZUqsR7z9SFM57Oabv+I0ar454 host@test-vm";
   };
   users = {
     teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";

test-vm/configuration.nix

@@ -37,7 +37,7 @@
         guest.port = 9090;
         host.port = 9090;
       } {
-        guest.port = 8081;
+        guest.port = 443;
         host.port = 8081;
       }];
     };
@@ -53,6 +53,9 @@
     ];
     users.mutableUsers = false;
     networking.firewall.enable = false;
+    networking.hosts = {
+      "127.0.0.1" = [ "erp.momo.koeln" ];
+    };
 
     environment.systemPackages = with pkgs; [
       git
@@ -78,10 +81,17 @@
 
     services.erpnext = {
       enable = true;
+      domain = "localhost";
       adminPasswordFile = config.age.secrets.erpnext-admin-password.path;
       database.rootPasswordFile = config.age.secrets.erpnext-db-root-password.path;
       database.userPasswordFile = config.age.secrets.erpnext-db-user-password.path;
       caddy = {};
     };
+    services.caddy = {
+      email = "admins@pub.solar";
+      globalConfig = ''
+        local_certs
+      '';
+    };
   };
 }