From 446a2b6dea34a560300439642a628fc169b918ad Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 17 Jul 2023 21:06:45 +0200 Subject: [PATCH] module: final fixes and cleanup --- README.md | 46 ++++++++++++++++++++++------- modules/erpnext.nix | 46 ++++++++++++++++------------- secrets/admin-password.age | Bin 726 -> 570 bytes secrets/database-root-password.age | 26 ++++++++-------- secrets/database-user-password.age | 26 ++++++++-------- secrets/secrets.nix | 2 +- test-vm/configuration.nix | 12 +++++++- 7 files changed, 98 insertions(+), 60 deletions(-) diff --git a/README.md b/README.md index 15d92be..bd54b6c 100644 --- a/README.md +++ b/README.md @@ -21,26 +21,29 @@ nix build --json .#run-erpnext \ ``` ### NixOS VM +Initial setup: ``` # Build the test VM nix build '.#nixosConfigurations.test-vm.config.system.build.vm' # Start the VM, to generate SSH host key files required for secrets ./result/bin/run-nixos-vm -# Get the ed25519 SSH hostkey -ssh-keyscan -p 2222 127.0.0.1 +# In another terminal, get the ed25519 SSH hostkey, then stop the VM with CTRL-c +ssh-keyscan -p 2222 127.0.0.1 | grep ssh-ed25519 +... +[127.0.0.1]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdCOs16W731ftPDqO+X6RZVSdwVVNw2Xfmcpk5pzbeO -# Edit secrets.nix and add the SSH hostkey to machine 'test-vm' -vim secrets/secrets.nix +# Edit secrets.nix and add the SSH hostkey to machine 'test-vm', starting with 'ssh-ed25519 ...' +sed --in-place \ + 's|test-vm = .*|test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdCOs16W731ftPDqO+X6RZVSdwVVNw2Xfmcpk5pzbeO host@test-vm";|' \ + secrets/secrets.nix # Rekey the secrets with agenix -cd secrets -agenix --rekey -cd .. +cd secrets && agenix --rekey && cd .. -# Stop with CTRL-c & build the test VM again +# Build the test VM again nix build '.#nixosConfigurations.test-vm.config.system.build.vm' -# Start the VM +# Start the VM once more ./result/bin/run-nixos-vm # Access the VM via SSH, use an empty password (Enter) to login 
@@ -50,13 +53,34 @@ ssh root@localhost -p 2222 # The initial startup can take a few minutes journalctl -fu erpnext-web.service -# Open http://localhost:8081 in your browser +# Open https://localhost:8081 in your browser and follow the setup wizard # User: Administrator # Password: admin +``` -# To reset all data for the VM +After the initial setup, make changes, build and run the VM again to test the changes. +``` +# Build the test VM +nix build '.#nixosConfigurations.test-vm.config.system.build.vm' +# Start the VM +./result/bin/run-nixos-vm +``` + +Useful for debugging, you can delete a special file in the VM to force the +ERPNext init script to run again. It will then try to initialize the DB again +and create a new site directory. +``` +ssh root@localhost -p 2222 +rm /var/lib/erpnext/.db-created +systemctl restart erpnext-web +``` + +To reset the VM's data and start fresh, run: +``` rm nixos.qcow2 ``` +Note that this will re-generate SSH host keys and you will need to do the +initial setup again. ### Docker ``` diff --git a/modules/erpnext.nix b/modules/erpnext.nix index afa3b88..0cff248 100644 --- a/modules/erpnext.nix +++ b/modules/erpnext.nix @@ -90,6 +90,10 @@ in default = true; description = lib.mdDoc "Create the database and database user locally."; }; + automaticMigrations = mkEnableOption + (lib.mdDoc "automatic migrations for database schema and data") // { + default = true; + }; }; redis = { @@ -116,15 +120,6 @@ in description = lib.mdDoc "Local socket.io HTTP server port."; }; - #configJsonFile = mkOption { - # type = types.nullOr types.path; - # default = null; - # example = "/run/secrets/erpnext-config.json"; - # description = lib.mdDoc '' - # A file containing the ERPNext config. - # ''; - #}; - webserver = { bindAddress = mkOption { type = types.str; 
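Review bot: The description of the new `automaticMigrations` option (hunk @@ -90) does not say when the migrations run or which command is used, so an operator left with the default of `true` cannot judge the operational impact. Judging from the later hunk in modules/erpnext.nix, `bench --site <domain> migrate` appears to run on every start of the web service, inside what looks like the pre-start script (its name is outside that hunk). Suggest `(lib.mdDoc "automatic database schema and data migrations (\`bench migrate\`) on every start of the ERPNext web service")`, because an unattended schema migration is not reversible and operators may want to back up the database before an upgrade instead of migrating on the next restart.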
@@ -144,19 +139,27 @@ in example = lib.literalExpression '' { serverAliases = [ - "erpnext.''${config.networking.domain}" - "erp.''${config.networking.domain}" + "erpnext.your.domain" + "erp.your.domain" ]; - enableACME = false; + # Disable access logs + logFormat = '' + output discard + ''; } ''; description = lib.mdDoc '' With this option, you can customize a caddy virtual host. Set to {} if you do not need any customization to the virtual host. - If enabled, then by default, the {option}`serverName` is + If enabled, then by default, the {option}`hostName` is `''${domain}`, - SSL is active, and certificates are acquired via ACME. - If this is set to null (the default), no caddy virtualHost will be configured. + TLS is active by default, and handled by caddy. + + Additionally, you probably want to set the caddy email option, when + enabling this: {option}`services.caddy.email + + If this is set to null (the default), no caddy virtualHost will be + configured. ''; }; @@ -298,11 +301,7 @@ in }; services.caddy.enable = mkIf (cfg.caddy != null) true; - services.caddy.email = "admins@pub.solar"; - services.caddy.globalConfig = '' - local_certs - ''; - services.caddy.virtualHosts."${cfg.domain}:8081" = mkIf (cfg.caddy != null) (lib.mkMerge [ + services.caddy.virtualHosts."${cfg.domain}" = mkIf (cfg.caddy != null) (lib.mkMerge [ cfg.caddy ({ extraConfig = '' @@ -356,13 +355,18 @@ in DB_ROOT_PASSWORD="$(cat "${cfg.database.rootPasswordFile}")" # Upstream initializes the database with this command - ${penv}/bin/bench new-site localhost \ + ${penv}/bin/bench new-site ${cfg.domain} \ --mariadb-root-password "$DB_ROOT_PASSWORD" \ --admin-password "$ADMIN_PASSWORD" \ --install-app erpnext touch ${escapeShellArg "${cfg.workDir}/.db-created"} fi + + ${lib.optionalString cfg.database.automaticMigrations '' + # Migrate the database + ${penv}/bin/bench --site ${cfg.domain} migrate + ''} ''; ExecStart = '' ${penv}/bin/gunicorn \ 
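Review bot: The new option description in hunk @@ -144 has an unterminated inline code span: the closing backtick after `services.caddy.email` is missing, so the mdDoc rendering of that sentence is broken and the option documentation build may reject it. Change the line to `enabling this: {option}\`services.caddy.email\``. The same hunk's example text is fine; only the description needs the fix.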
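Review bot: `cfg.domain` is interpolated unescaped into the shell script in hunk @@ -356, both in `bench new-site ${cfg.domain}` and in the new `bench --site ${cfg.domain} migrate`, while the same script already uses `escapeShellArg` for the `.db-created` path; a domain value containing whitespace or shell metacharacters would be word-split or interpreted by the shell instead of passed through as one argument. Use `${escapeShellArg cfg.domain}` in both places (the `lib.optionalString` body is a nested string in the same script, so it needs the same treatment). The enclosing `if` block and the script itself begin outside the hunk. Separately, `--mariadb-root-password` and `--admin-password` are passed on the command line and are therefore visible to other local users in the process list while `bench new-site` runs; this predates the change, but since the line is rewritten here a `# TODO` noting it is warranted if bench offers no file- or environment-based alternative.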
diff --git a/secrets/admin-password.age b/secrets/admin-password.age index d1dc9e8abff932b3ef4a56c37ae8861c11a19351..9b4139c95a199a74bfee74d67f89371575c00c92 100644 GIT binary patch literal 570 zcmZ|IJFk;a003ZPoJjl+-3juz1=#`6?tIZ(<4nw#9j)j_xW3p8msWr}tV|B$sv$)NcnTapKMFXf`Php=k*1Vus z7C^+v)V8@N43T}_qiCh_kf}siMQs;adAfAFL*79-3llhE;_O9M)2__Y|(?u3`**2Oq zNHtt^ga5OgQeSYoBI4ad37Dh1_8W+uGj|CTIg1o~vzXgevd;xr6X}GHdf;UiC#;OQ zE-Wz@2i0ZbnSm2xeLVI?f`Vm~2E%__`uv(gr`WG!VzfK5Y5G?wY5=3HOtPy_#}%Eep~TS*eEl6po2kkDpp^?|y!$Y3=iucdc~${r96EUtfO=US8kB OPv7q4_iyfgJ^2Hm`Mvi5 literal 726 zcmZ|IOOBIZ007{PZip)v&X#0iGD%aRrBF!J1Pc5-3KU9tRLu;-yD&UkDCkLy3**l1 zB<@_y9Xx|aaBtjB;&*}1i^FMH_{~rq)3SI~HZju8py^whz_qZ zhbnPw=z2hyHW)~vKa8Y|k|`(qtevlTz#@%S9{>r7Gs&flNv{|zi>j`q<7XGRPRJ<( zGsa7a;3f=hjk$T}KHm7^)Nf22$rAHu=y|7}HcdGl!+H=);tux2Rlt)mE|mpNRt`c3yngRys` z(!A8JpnW?lnFX5wyyWJ(>*NSISUW%PB6BO{GQK`CSZupVI;-NLJQLU^#mhbFRO48y zB#uK!81sE4QM#y9yJdI;)WTUGIH^W5)Ld>b^+XW+MFma3pYmU#sB~S diff --git a/secrets/database-root-password.age b/secrets/database-root-password.age index 5137ec4..598651a 100644 --- a/secrets/database-root-password.age +++ b/secrets/database-root-password.age 
@@ -1,14 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 Wp/X/Q uMcrhm3fS+M/P2uaEJvdRab5G4Nk6zZNAlHyRISlGg0 -9QNitHuuKYzn99Hr76+yOa51/4qfTlhUwf5cD/Px/FI --> ssh-ed25519 FnuwSg ukuZCjWTcyC4LiHWmrunskAk3WbNZsdAXzHi3fydJwI -k3N3F4hxw55E6C68jLoaIQfuDUaOILxbw8BYwIcI2e8 --> ssh-ed25519 BVsyTA q+2w2O+4c8NahzHuo2KLDxa8RHB79+L+h9KOY9GdGkA -eWRM4yyQtefZ6tnozqg37eLLMz7rQYl3eem2jxGThwo --> ssh-ed25519 BVsyTA 6qkLU9OPuBv6KlgaILTkeFsyNgm8uW2PgZvsIQ8pGwM -kXBSETY11ZCJs5HZ2jH9LAw0ntrsSW2J5ES97X7FkpI --> }6jwb-grease ,2 {su -Yypdzw8GT6HmlqgBxHAuEiKDWsH+wSYK2rMxketTP6OlWJHfmV9jc/YBMXwWNkhh -jcQfjmwx2Wjcn0mjiv6RUYi3tulpbkB+jctRW+vstPHTIptEMhOfs5FM ---- WPd5tG8HvNuhMZfqvzaCeDz2tavijgWewAuLV+5wFuE -9ԯY%"|V`WV%l''oK$W`!)BؘNp \ No newline at end of file +-> ssh-ed25519 Wp/X/Q J/XqDE9oquq8xyPyMXcYtWVEeIczShbr2WZ6zpXVDFk +qsmZSC59mm8HUG72aqSdaVU2XaNMk5PumaE/r1+5Fzc +-> ssh-ed25519 fLYf0Q +zjc/bQDGBgWSd3O2BugQBMx2Iq4UEUG5XauQMqzvmY +9TGVQ02H4Ofdwgju7zbRpfxanAUEbIb44nUZkFESLt4 +-> ssh-ed25519 BVsyTA QE7uZCFJjDbhiQqvDgJeJevPqhYSEs6rswLdR/dU/gA ++B37NmGCNFnnDtkLkMbb9mRSvR7/6ohQTRN/VK6HCGE +-> ssh-ed25519 BVsyTA QG+2eoqCbQzzQLF8uNX8Oj68SILAeWIUqcK0rtGT8nM +3NUYU+9Bv88r1VNDeZFNMnc3l9lsiWjzsYTczyntRac +-> EMr"yt-grease +GNRgoRN98JvtS4Vc1CE1I0RXSwvt5RGiwxwPBVCHtU9NaBNxY7enwQKHN0cRcvku +oiA +--- lAr6xIM5wIjraqiC78485o9Od6N4ky54dCrcVc+ZECE +?bTg5'@v&4\1JZea \ No newline at end of file diff --git a/secrets/database-user-password.age b/secrets/database-user-password.age index 92bf5b8..079a004 100644 --- a/secrets/database-user-password.age +++ b/secrets/database-user-password.age 
@@ -1,14 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 Wp/X/Q 3hW/8PTjCcRN4cj1OJlmKgGrupW/At/XcZP9mX5relM -DrYHHxhA6DDj5tkUwMEP1Diedo5ZRtdaDaytodWcRlU --> ssh-ed25519 FnuwSg 7szTuXVOxA1gEKvXFDDpPBak5Eh2CwUGnL52wGLmogw -J/no4LHtQ5FR43r6evCk4n6V/6gQ5navfvVGOc6Mnl0 --> ssh-ed25519 BVsyTA cGS0ASOgef9VUxNQF0h70h9aJnctBZRc6FBQgahLn0c -b35sRRi+yNu2arU7yipZctcie0itomjJtc3Nr4i2nss --> ssh-ed25519 BVsyTA VG8SwHZkdvGwmbx/kOT5oabV+WpO5QGIJXtse4CtKgE -WiEuIMlsaW98kPB6pChEZhCNWo0pVbDMEIwfRtuKNnY --> 2IOJi1-grease s^`TsZL %{ &~L* -TU4AdoaLUEYR8YQRMcUdFho/WOs9IpwM1z4t36FbM3GPFqz0IY5MCC9shj+oxhh1 -aW5/FKRXoTLG5A ---- 9HuacZ7Sr0o0XKFkdT4qIQSdx8Idymsb/jc3QxLOwg0 -M0H{˻;c*$6d(1D3Oe \ No newline at end of file +-> ssh-ed25519 Wp/X/Q XnUGBSLYyTTUjTiqQg4zZGeVvMqPocTk7uZRBhPguGk +TFf2vCef46WGwSSL9eQoWJw74fiUfymxaUxNf+Ty32Y +-> ssh-ed25519 fLYf0Q rtQ/LRlEPw+V/71ptxLfhbjjKUKD3M/FitHxuIfb61I +iWDj8TXCJOf73MUcHZWhnhQjnuKqykxQ8UYYzeFs7FA +-> ssh-ed25519 BVsyTA /5BemxhsClGZQAAF4apL2g37qjHjJ0VjPC1352NniFk +LCKyRK+JbZW1YFpZknB+HVCVjS2xxPwsbitJ3pztYO0 +-> ssh-ed25519 BVsyTA r0UHDzJx01z6u5tC+KWvp/TrpvFaTAP6Nn2z9vv7kVU +/L+0zAITksGzHkdGneaEWgUGHcBfXUROCS8fQh1fAPg +-> [>kC]3-grease +ZAw4x/KwujI8DlxyGsgjk8yu +--- LA8ePveqZ7SKE7WsfrX/dD37bU4VRgivUfSRDOpc14A +p>YxnP׺D>Fv! +~ᨀ:w \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e7cbbbf..e514c6b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,7 +2,7 @@ let # set ssh public keys here for your system and user machines = { dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms"; - test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILD8RziyMKgRj6MLkRjdHnNwG2+VolUl8ejjeteehVnw host@test-vm"; + test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7EsR4wT+bOaC/rafTZUqsR7z9SFM57Oabv+I0ar454 host@test-vm"; }; users = { teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; 
diff --git a/test-vm/configuration.nix b/test-vm/configuration.nix index c410354..da35146 100644 --- a/test-vm/configuration.nix +++ b/test-vm/configuration.nix @@ -37,7 +37,7 @@ guest.port = 9090; host.port = 9090; } { - guest.port = 8081; + guest.port = 443; host.port = 8081; }]; }; @@ -53,6 +53,9 @@ ]; users.mutableUsers = false; networking.firewall.enable = false; + networking.hosts = { + "127.0.0.1" = [ "erp.momo.koeln" ]; + }; environment.systemPackages = with pkgs; [ git @@ -78,10 +81,17 @@ services.erpnext = { enable = true; + domain = "localhost"; adminPasswordFile = config.age.secrets.erpnext-admin-password.path; database.rootPasswordFile = config.age.secrets.erpnext-db-root-password.path; database.userPasswordFile = config.age.secrets.erpnext-db-user-password.path; caddy = {}; }; + services.caddy = { + email = "admins@pub.solar"; + globalConfig = '' + local_certs + ''; + }; }; }
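Review bot: The `networking.hosts` entry mapping `erp.momo.koeln` to 127.0.0.1 (hunk @@ -53) appears unused: the later hunk sets `domain = "localhost"`, the module's caddy vhost and `bench new-site` both derive from that option, and the README only refers to https://localhost:8081. Either drop the entry or set `domain = "erp.momo.koeln";` so the test VM exercises a non-localhost host name; as written it reads as a stale reference that a reader will try to reconcile with the module configuration.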
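Review bot: `local_certs` in the test VM's `services.caddy.globalConfig` (hunk @@ -78) is undocumented, and the `email` set right next to it suggests issuance from a public CA, which is the opposite of what this directive does. Add a comment above it, e.g. `# Issue all certificates from caddy's internal CA so the test VM never contacts a public ACME CA; the host browser will presumably warn unless that root is trusted`. That also explains why the README points at https://localhost:8081 rather than a plain-HTTP port now that the guest forwards 443.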