indico: use systemd-creds
Signed-off-by: Jeltz <jeltz@federez.net>
parent
6c627daa51
commit
5d32735063
4 changed files with 27 additions and 21 deletions
|
@ -38,10 +38,15 @@ let
|
|||
format = "%(levelname)s %(request_id)s %(user_id)s %(name)s %(message)s";
|
||||
};
|
||||
};
|
||||
credPaths = {
|
||||
bind-password = cfg.ldap.bindPasswordFile;
|
||||
secret-key = cfg.secretKeyFile;
|
||||
smtp-password = cfg.email.smtp.passwordFile;
|
||||
};
|
||||
ldapConfig = {
|
||||
uri = cfg.ldap.uri;
|
||||
bind_dn = cfg.ldap.bindDN;
|
||||
bind_password = pythonFmt.mkReadFile cfg.ldap.bindPasswordFile;
|
||||
bind_password = pythonFmt.mkReadCred "bind-password";
|
||||
timeout = 30;
|
||||
verify_cert = true;
|
||||
page_size = 1500;
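Review bot: `credPaths.bind-password` reads `cfg.ldap.bindPasswordFile` unconditionally, while the LDAP settings are only applied under `lib.optionalAttrs (cfg.ldap != null)` in the `@ -80` hunk; since `credPaths` is now forced by both the `LoadCredential` list in the `@ -419` hunk and the wrapper's `credArgs` in the `@ -383` hunk, a configuration with `cfg.ldap = null` looks like it would fail evaluation on the null attribute access (before this commit `ldapConfig` was only evaluated inside that conditional). Making the entry conditional avoids that: `credPaths = { secret-key = cfg.secretKeyFile; smtp-password = cfg.email.smtp.passwordFile; } // lib.optionalAttrs (cfg.ldap != null) { bind-password = cfg.ldap.bindPasswordFile; };`. The same would apply to `smtp-password` if `passwordFile` can be unset, which this hunk does not show. A short comment above `credPaths` noting that systemd reads each listed file as root when the unit starts and exposes it only to the unit, so the files no longer have to be readable by `cfg.user`, would document the access-model change this commit makes; the enclosing `let` starts outside the hunk.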
|
||||
|
@ -72,7 +77,7 @@ let
|
|||
CELERY_BROKER = cfg.celeryBrokerRedis;
|
||||
USE_PROXY = true;
|
||||
BASE_URL = cfg.baseUrl;
|
||||
SECRET_KEY = pythonFmt.mkReadFile cfg.secretKeyFile;
|
||||
SECRET_KEY = pythonFmt.mkReadCred "secret-key";
|
||||
LOGGING_CONFIG_FILE = loggingFile;
|
||||
NO_REPLY_EMAIL = cfg.email.noReply;
|
||||
SUPPORT_EMAIL = cfg.email.support;
|
||||
|
@ -80,7 +85,7 @@ let
|
|||
PUBLIC_SUPPORT_EMAIL = cfg.email.publicSupport;
|
||||
SMTP_SERVER = [ cfg.email.smtp.host cfg.email.smtp.port ];
|
||||
SMTP_LOGIN = cfg.email.smtp.login;
|
||||
SMTP_PASSWORD = pythonFmt.mkReadFile cfg.email.smtp.passwordFile;
|
||||
SMTP_PASSWORD = pythonFmt.mkReadCred "smtp-password";
|
||||
SMTP_USE_TLS = cfg.email.smtp.useTLS;
|
||||
} // lib.optionalAttrs (cfg.ldap != null) {
|
||||
AUTH_PROVIDERS = {
|
||||
|
@ -383,14 +388,18 @@ in {
|
|||
|
||||
environment.systemPackages =
|
||||
let
|
||||
credArgs = lib.mapAttrsToList
|
||||
(name: path:
|
||||
"--property=LoadCredential=${lib.escapeShellArg name}:${lib.escapeShellArg path}")
|
||||
credPaths;
|
||||
indico = pkgs.writeScriptBin "indico" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
sudo=exec
|
||||
if [[ "$USER" != "indico" ]]; then
|
||||
sudo='exec /run/wrappers/bin/sudo -u indico --preserve-env=INDICO_CONFIG'
|
||||
fi
|
||||
export INDICO_CONFIG=${configFile}
|
||||
$sudo ${lib.getExe' pythonEnv "indico"} "$@"
|
||||
systemd-run --quiet --wait --collect --pipe --pty \
|
||||
--service-type=exec \
|
||||
--uid=${cfg.user} --gid=${cfg.group} \
|
||||
--property=Environment=INDICO_CONFIG=${configFile} \
|
||||
${lib.strings.concatStringsSep " " credArgs} -- \
|
||||
${lib.getExe' pythonEnv "indico"} "$@"
|
||||
'';
|
||||
in
|
||||
[ indico ];
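Review bot: The transient unit started by `systemd-run` does not inherit the caller's working directory, so any relative path passed through `"$@"` resolves against the service's default directory rather than where the user ran `indico`, which the previous `sudo -u indico` wrapper preserved; adding `--same-dir \` (or `--working-directory="$PWD" \`) next to the `--uid`/`--gid` line restores that. Starting a transient service also requires root or polkit authorization, so the wrapper can no longer be run by a user who was merely permitted by the old sudo rule, and the removed `$USER != "indico"` branch means even the service user now needs that privilege; this is presumably intended but is worth a comment, e.g. `# Runs indico inside a transient unit so the credentials from credPaths are only exposed there; needs permission to start units (root or polkit).` placed after the shebang. Mixing `--pipe` and `--pty` is fine since systemd-run picks one based on whether stdin is a terminal, but a one-line comment saying so would save the next reader a trip to the manual.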
|
||||
|
@ -419,6 +428,7 @@ in {
|
|||
environment.INDICO_CONFIG = configFile;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") credPaths;
|
||||
Group = cfg.group;
|
||||
User = cfg.user;
|
||||
};
|
||||
|
|