indico: use systemd-creds

Signed-off-by: Jeltz <jeltz@federez.net>
jeltz 2025-03-08 12:03:51 +01:00
parent 6c627daa51
commit 5d32735063
Signed by: jeltz
GPG key ID: 800882B66C0C3326
4 changed files with 27 additions and 21 deletions


@ -38,10 +38,15 @@ let
format = "%(levelname)s %(request_id)s %(user_id)s %(name)s %(message)s"; format = "%(levelname)s %(request_id)s %(user_id)s %(name)s %(message)s";
}; };
}; };
credPaths = {
bind-password = cfg.ldap.bindPasswordFile;
secret-key = cfg.secretKeyFile;
smtp-password = cfg.email.smtp.passwordFile;
};
ldapConfig = { ldapConfig = {
uri = cfg.ldap.uri; uri = cfg.ldap.uri;
bind_dn = cfg.ldap.bindDN; bind_dn = cfg.ldap.bindDN;
bind_password = pythonFmt.mkReadFile cfg.ldap.bindPasswordFile; bind_password = pythonFmt.mkReadCred "bind-password";
timeout = 30; timeout = 30;
verify_cert = true; verify_cert = true;
page_size = 1500; page_size = 1500;
@ -72,7 +77,7 @@ let
CELERY_BROKER = cfg.celeryBrokerRedis; CELERY_BROKER = cfg.celeryBrokerRedis;
USE_PROXY = true; USE_PROXY = true;
BASE_URL = cfg.baseUrl; BASE_URL = cfg.baseUrl;
SECRET_KEY = pythonFmt.mkReadFile cfg.secretKeyFile; SECRET_KEY = pythonFmt.mkReadCred "secret-key";
LOGGING_CONFIG_FILE = loggingFile; LOGGING_CONFIG_FILE = loggingFile;
NO_REPLY_EMAIL = cfg.email.noReply; NO_REPLY_EMAIL = cfg.email.noReply;
SUPPORT_EMAIL = cfg.email.support; SUPPORT_EMAIL = cfg.email.support;
@ -80,7 +85,7 @@ let
PUBLIC_SUPPORT_EMAIL = cfg.email.publicSupport; PUBLIC_SUPPORT_EMAIL = cfg.email.publicSupport;
SMTP_SERVER = [ cfg.email.smtp.host cfg.email.smtp.port ]; SMTP_SERVER = [ cfg.email.smtp.host cfg.email.smtp.port ];
SMTP_LOGIN = cfg.email.smtp.login; SMTP_LOGIN = cfg.email.smtp.login;
SMTP_PASSWORD = pythonFmt.mkReadFile cfg.email.smtp.passwordFile; SMTP_PASSWORD = pythonFmt.mkReadCred "smtp-password";
SMTP_USE_TLS = cfg.email.smtp.useTLS; SMTP_USE_TLS = cfg.email.smtp.useTLS;
} // lib.optionalAttrs (cfg.ldap != null) { } // lib.optionalAttrs (cfg.ldap != null) {
AUTH_PROVIDERS = { AUTH_PROVIDERS = {
@ -383,14 +388,18 @@ in {
environment.systemPackages = environment.systemPackages =
let let
credArgs = lib.mapAttrsToList
(name: path:
"--property=LoadCredential=${lib.escapeShellArg name}:${lib.escapeShellArg path}")
credPaths;
indico = pkgs.writeScriptBin "indico" '' indico = pkgs.writeScriptBin "indico" ''
#!${pkgs.runtimeShell} #!${pkgs.runtimeShell}
sudo=exec systemd-run --quiet --wait --collect --pipe --pty \
if [[ "$USER" != "indico" ]]; then --service-type=exec \
sudo='exec /run/wrappers/bin/sudo -u indico --preserve-env=INDICO_CONFIG' --uid=${cfg.user} --gid=${cfg.group} \
fi --property=Environment=INDICO_CONFIG=${configFile} \
export INDICO_CONFIG=${configFile} ${lib.strings.concatStringsSep " " credArgs} -- \
$sudo ${lib.getExe' pythonEnv "indico"} "$@" ${lib.getExe' pythonEnv "indico"} "$@"
''; '';
in in
[ indico ]; [ indico ];
@ -419,6 +428,7 @@ in {
environment.INDICO_CONFIG = configFile; environment.INDICO_CONFIG = configFile;
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") credPaths;
Group = cfg.group; Group = cfg.group;
User = cfg.user; User = cfg.user;
}; };
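Review bot: `credPaths` reads `cfg.ldap.bindPasswordFile` unconditionally, while the LDAP settings are only merged in under `lib.optionalAttrs (cfg.ldap != null)` later in the same file; with `cfg.ldap = null` the `LoadCredential` list in `serviceConfig` (and `credArgs` in the wrapper) now forces that attribute selection on `null` and evaluation fails, whereas before the read sat lazily inside `ldapConfig`. Make the entry conditional: `credPaths = { secret-key = cfg.secretKeyFile; smtp-password = cfg.email.smtp.passwordFile; } // lib.optionalAttrs (cfg.ldap != null) { bind-password = cfg.ldap.bindPasswordFile; };`. It is worth checking whether `cfg.email.smtp.passwordFile` can likewise be unset, since I believe systemd refuses to start a unit whose `LoadCredential=` source file is missing. Also, the rewritten wrapper now needs enough privilege to create a transient system unit via `systemd-run --uid/--gid` (root, or a matching polkit rule), where the old `sudo -u indico` path only needed a sudo rule — presumably intentional, but a one-line comment in the script such as `# must run as root: creates a transient unit that loads the credentials` would save the next operator a confusing failure.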


@ -8,8 +8,10 @@ from json import load
PROLOGUE = ( PROLOGUE = (
"import functools as _functools\n" "import functools as _functools\n"
"@_functools.cache\n" "@_functools.cache\n"
"def _read_file(name):\n" "def _read_cred(name):\n"
" with open(name) as fd:\n" " import os\n"
" dir = os.environ['CREDENTIALS_DIRECTORY']\n"
" with open(os.path.join(dir, name)) as fd:\n"
" return fd.read()\n" " return fd.read()\n"
) )
@ -27,8 +29,8 @@ def make_value(value):
for k, v in value["_value"].items() for k, v in value["_value"].items()
] ]
return f"{{{','.join(items)}}}" return f"{{{','.join(items)}}}"
case "read-file": case "read-cred":
return f"_read_file({repr(value['_value'])})" return f"_read_cred({repr(value['_value'])})"
case _: case _:
raise ValueError("Unknown data type") raise ValueError("Unknown data type")
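Review bot: `_read_cred` indexes `os.environ['CREDENTIALS_DIRECTORY']` directly, so when the generated config is imported outside the systemd unit (a dev shell, a plain `python -c`, or a wrapper that forgot the `LoadCredential=` properties) the failure is a bare `KeyError: 'CREDENTIALS_DIRECTORY'` with no hint that secrets are now expected from systemd. I would look it up with `.get()` and raise a targeted error: `cred_dir = os.environ.get('CREDENTIALS_DIRECTORY')` followed by `if cred_dir is None: raise RuntimeError('CREDENTIALS_DIRECTORY is not set; run under a systemd unit with LoadCredential=')`. Renaming the local also stops it shadowing the builtin `dir`. Since `name` is joined onto the directory without validation, a name containing a path separator could read outside the credentials directory; the names appear to come from the Nix-side `mkReadCred` callers rather than from user input, so a one-line comment stating that assumption (`# name is a LoadCredential= key chosen in Nix, not user input`) is enough rather than a runtime check.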


@ -32,8 +32,8 @@ rec {
_mkVars = lib.mapAttrs (_: _mkValue); _mkVars = lib.mapAttrs (_: _mkValue);
mkReadFile = path: mkReadCred = path:
_mkPy "read-file" (if lib.isStringLike path then _mkPy "read-cred" (if lib.isStringLike path then
path path
else else
abort "invalid path type"); abort "invalid path type");
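Review bot: `mkReadCred` still names its argument `path` and aborts with `"invalid path type"`, but the value is now a credential name that the Python side resolves under `$CREDENTIALS_DIRECTORY`, so both the parameter name and the message are misleading after this change. `lib.isStringLike` also accepts Nix paths and derivations, which could let a leftover `mkReadCred ./some/file` call slip through and end up as a store path used as the credential name. I would tighten it to `mkReadCred = name: _mkPy "read-cred" (if lib.isString name then name else abort "invalid credential name type");` and put a one-line comment above it: `# name is a LoadCredential= key, read from $CREDENTIALS_DIRECTORY at runtime`. The enclosing `rec { … }` set starts before this hunk.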


@ -15,20 +15,14 @@
age.secrets = { age.secrets = {
indico-ldap-bind-password = { indico-ldap-bind-password = {
file = ../secrets/indico-ldap-bind-password.age; file = ../secrets/indico-ldap-bind-password.age;
owner = config.services.indico.user;
group = config.services.indico.group;
}; };
indico-mail-password = { indico-mail-password = {
file = ../secrets/indico-mail-password.age; file = ../secrets/indico-mail-password.age;
owner = config.services.indico.user;
group = config.services.indico.group;
}; };
indico-secret-key = { indico-secret-key = {
file = ../secrets/indico-secret-key.age; file = ../secrets/indico-secret-key.age;
owner = config.services.indico.user;
group = config.services.indico.group;
}; };
}; };