From 5d3273506384c55423d335b877d465fbe73dd6f7 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sat, 8 Mar 2025 12:03:51 +0100
Subject: [PATCH] indico: use systemd-creds

Signed-off-by: Jeltz
---
 modules/indico.nix | 28 ++++++++++++++++++---------
 pkgs/python-vars-with-env/codegen.py | 10 ++++++----
 pkgs/python-vars-with-env/default.nix | 4 ++--
 profiles/indico.nix | 6 ------
 4 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/modules/indico.nix b/modules/indico.nix
index 6070090..c3dcb16 100644
--- a/modules/indico.nix
+++ b/modules/indico.nix
@@ -38,10 +38,15 @@ let
 format = "%(levelname)s %(request_id)s %(user_id)s %(name)s %(message)s";
 };
 };
+ credPaths = {
+ bind-password = cfg.ldap.bindPasswordFile;
+ secret-key = cfg.secretKeyFile;
+ smtp-password = cfg.email.smtp.passwordFile;
+ };
 ldapConfig = {
 uri = cfg.ldap.uri;
 bind_dn = cfg.ldap.bindDN;
- bind_password = pythonFmt.mkReadFile cfg.ldap.bindPasswordFile;
+ bind_password = pythonFmt.mkReadCred "bind-password";
 timeout = 30;
 verify_cert = true;
 page_size = 1500;
@@ -72,7 +77,7 @@ let
 CELERY_BROKER = cfg.celeryBrokerRedis;
 USE_PROXY = true;
 BASE_URL = cfg.baseUrl;
- SECRET_KEY = pythonFmt.mkReadFile cfg.secretKeyFile;
+ SECRET_KEY = pythonFmt.mkReadCred "secret-key";
 LOGGING_CONFIG_FILE = loggingFile;
 NO_REPLY_EMAIL = cfg.email.noReply;
 SUPPORT_EMAIL = cfg.email.support;
@@ -80,7 +85,7 @@ let
 PUBLIC_SUPPORT_EMAIL = cfg.email.publicSupport;
 SMTP_SERVER = [ cfg.email.smtp.host cfg.email.smtp.port ];
 SMTP_LOGIN = cfg.email.smtp.login;
- SMTP_PASSWORD = pythonFmt.mkReadFile cfg.email.smtp.passwordFile;
+ SMTP_PASSWORD = pythonFmt.mkReadCred "smtp-password";
 SMTP_USE_TLS = cfg.email.smtp.useTLS;
 } // lib.optionalAttrs (cfg.ldap != null) {
 AUTH_PROVIDERS = {
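Review bot: `credPaths` forces `cfg.ldap.bindPasswordFile` unconditionally, yet this same file guards the LDAP settings with `lib.optionalAttrs (cfg.ldap != null)`, so on a deployment where `cfg.ldap` is `null` the `LoadCredential` lists this patch derives from `credPaths` evaluate an attribute of `null` and abort evaluation, whereas the removed `mkReadFile` call was only reached through `ldapConfig`. I would keep the LDAP credential out of the set when LDAP is off: `credPaths = { secret-key = cfg.secretKeyFile; smtp-password = cfg.email.smtp.passwordFile; }` followed by `// lib.optionalAttrs (cfg.ldap != null) { bind-password = cfg.ldap.bindPasswordFile; };`. Whether `cfg.email.smtp.passwordFile` can likewise be unset is not visible here; if it can, it needs the same guard, since interpolating a null path into the `"${name}:${path}"` string fails evaluation too. The `let` block holding these bindings begins before the hunk.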
@@ -383,14 +388,18 @@ in {
 environment.systemPackages = let
+ credArgs = lib.mapAttrsToList
+ (name: path:
+ "--property=LoadCredential=${lib.escapeShellArg name}:${lib.escapeShellArg path}")
+ credPaths;
 indico = pkgs.writeScriptBin "indico" ''
 #!${pkgs.runtimeShell}
- sudo=exec
- if [[ "$USER" != "indico" ]]; then
- sudo='exec /run/wrappers/bin/sudo -u indico --preserve-env=INDICO_CONFIG'
- fi
- export INDICO_CONFIG=${configFile}
- $sudo ${lib.getExe' pythonEnv "indico"} "$@"
+ systemd-run --quiet --wait --collect --pipe --pty \
+ --service-type=exec \
+ --uid=${cfg.user} --gid=${cfg.group} \
+ --property=Environment=INDICO_CONFIG=${configFile} \
+ ${lib.strings.concatStringsSep " " credArgs} -- \
+ ${lib.getExe' pythonEnv "indico"} "$@"
 '';
 in [ indico ];
@@ -419,6 +428,7 @@ in {
 environment.INDICO_CONFIG = configFile;
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
+ LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") credPaths;
 Group = cfg.group;
 User = cfg.user;
 };
diff --git a/pkgs/python-vars-with-env/codegen.py b/pkgs/python-vars-with-env/codegen.py
index 07f5b05..51f8aca 100755
--- a/pkgs/python-vars-with-env/codegen.py
+++ b/pkgs/python-vars-with-env/codegen.py
@@ -8,8 +8,10 @@ from json import load
 PROLOGUE = (
 "import functools as _functools\n"
 "@_functools.cache\n"
- "def _read_file(name):\n"
- " with open(name) as fd:\n"
+ "def _read_cred(name):\n"
+ " import os\n"
+ " dir = os.environ['CREDENTIALS_DIRECTORY']\n"
+ " with open(os.path.join(dir, name)) as fd:\n"
 " return fd.read()\n"
 )
@@ -27,8 +29,8 @@ def make_value(value):
 for k, v in value["_value"].items()
 ]
 return f"{{{','.join(items)}}}"
- case "read-file":
- return f"_read_file({repr(value['_value'])})"
+ case "read-cred":
+ return f"_read_cred({repr(value['_value'])})"
 case _:
 raise ValueError("Unknown data type")
diff --git a/pkgs/python-vars-with-env/default.nix b/pkgs/python-vars-with-env/default.nix
index 3bfd25d..c65feaf 100644
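Review bot: The new wrapper invokes `systemd-run` by bare name and so resolves it through the caller's `PATH`, whereas the script it replaces pinned `/run/wrappers/bin/sudo`; for a NixOS wrapper that is meant to be run by root I would reference the store path instead, `${lib.getExe' pkgs.systemd "systemd-run"} --quiet --wait --collect --pipe --pty \` (or `config.systemd.package`, which is presumably in scope given `cfg`). The script also deserves a comment stating the privilege model it now assumes, because starting a transient system unit needs root or a polkit grant and the old `$USER != indico` branch that let the service user run it directly is gone: `# runs as root: starts a transient system unit as cfg.user with the service's credentials`. The `credArgs` quoting looks correct — each `escapeShellArg` produces a single-quoted token and the shell joins `'name':'path'` back into one argument — but that is subtle enough to note on the `(name: path:` line. The `environment.systemPackages` attribute this `let` feeds continues past the hunk.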
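Review bot: The added `LoadCredential` line does not say that its IDs are coupled to the `pythonFmt.mkReadCred "…"` names in the generated config and to the wrapper script's `--property=LoadCredential` list, nor that it is the reason the profile in this patch can drop `owner`/`group` from the agenix secrets (systemd reads the source files itself and hands them to the unit under `CREDENTIALS_DIRECTORY`). I would add above it `# IDs must match the mkReadCred names in the config; systemd reads the files, so they need not be readable by cfg.user`. The `systemd.services.indico` definition this `serviceConfig` belongs to starts before the hunk.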
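Review bot: `_read_cred` indexes `os.environ['CREDENTIALS_DIRECTORY']` directly, so when the generated config is loaded outside a unit that sets it (a developer shell, a one-off maintenance command not routed through the wrapper) the failure is a bare `KeyError: 'CREDENTIALS_DIRECTORY'` at config load rather than a message naming the cause; I would emit `"    cred_dir = os.environ.get('CREDENTIALS_DIRECTORY')\n"`, `"    if cred_dir is None: raise RuntimeError('CREDENTIALS_DIRECTORY is not set; run indico via systemd (LoadCredential=)')\n"` and `"    with open(os.path.join(cred_dir, name)) as fd:\n"`, which also stops the local `dir` from shadowing the builtin. The `name` argument is a build-time literal inserted by `repr` in `make_value`, so the join is not steerable by runtime input, but `os.path.join` would still honour an absolute name; a comment such as `# name is a fixed credential ID from the Nix config, never user input` on the `open` line records that assumption. The read keeps any trailing newline from the credential file exactly as the old `_read_file` did, which is worth a one-line note for whoever provisions the secrets. `PROLOGUE` is defined entirely within the hunk.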
--- a/pkgs/python-vars-with-env/default.nix
+++ b/pkgs/python-vars-with-env/default.nix
@@ -32,8 +32,8 @@ rec {
 _mkVars = lib.mapAttrs (_: _mkValue);
- mkReadFile = path:
- _mkPy "read-file" (if lib.isStringLike path then
+ mkReadCred = path:
+ _mkPy "read-cred" (if lib.isStringLike path then
 path else abort "invalid path type");
diff --git a/profiles/indico.nix b/profiles/indico.nix
index 9189718..cbd4021 100644
--- a/profiles/indico.nix
+++ b/profiles/indico.nix
@@ -15,20 +15,14 @@
 age.secrets = {
 indico-ldap-bind-password = {
 file = ../secrets/indico-ldap-bind-password.age;
- owner = config.services.indico.user;
- group = config.services.indico.group;
 };
 indico-mail-password = {
 file = ../secrets/indico-mail-password.age;
- owner = config.services.indico.user;
- group = config.services.indico.group;
 };
 indico-secret-key = {
 file = ../secrets/indico-secret-key.age;
- owner = config.services.indico.user;
- group = config.services.indico.group;
 };
 };
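Review bot: `mkReadCred` keeps the old parameter name `path` and the old error text `"invalid path type"`, but its argument is now a systemd credential ID that the generated Python splices into `os.path.join(CREDENTIALS_DIRECTORY, …)`, and `lib.isStringLike` also accepts Nix path values, so a stray `./foo` or an ID containing `/` passes this check and is only caught later (systemd rejects IDs with slashes on its side, I believe, but the Nix evaluation is where the mistake is cheapest to surface). I would rename the parameter and tighten the check: `mkReadCred = name:` / `_mkPy "read-cred" (if lib.isString name && name != "" && !lib.hasInfix "/" name then name` / `else abort "invalid credential name");`. The `rec { … }` set this binding lives in starts before the hunk and ends after it.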