indico: use systemd-creds

Signed-off-by: Jeltz <jeltz@federez.net>
This commit is contained in:
jeltz 2025-03-08 12:03:51 +01:00
parent 6c627daa51
commit 5d32735063
Signed by: jeltz
GPG key ID: 800882B66C0C3326
4 changed files with 27 additions and 21 deletions


@ -38,10 +38,15 @@ let
format = "%(levelname)s %(request_id)s %(user_id)s %(name)s %(message)s";
};
};
credPaths = {
bind-password = cfg.ldap.bindPasswordFile;
secret-key = cfg.secretKeyFile;
smtp-password = cfg.email.smtp.passwordFile;
};
ldapConfig = {
uri = cfg.ldap.uri;
bind_dn = cfg.ldap.bindDN;
bind_password = pythonFmt.mkReadFile cfg.ldap.bindPasswordFile;
bind_password = pythonFmt.mkReadCred "bind-password";
timeout = 30;
verify_cert = true;
page_size = 1500;
@ -72,7 +77,7 @@ let
CELERY_BROKER = cfg.celeryBrokerRedis;
USE_PROXY = true;
BASE_URL = cfg.baseUrl;
SECRET_KEY = pythonFmt.mkReadFile cfg.secretKeyFile;
SECRET_KEY = pythonFmt.mkReadCred "secret-key";
LOGGING_CONFIG_FILE = loggingFile;
NO_REPLY_EMAIL = cfg.email.noReply;
SUPPORT_EMAIL = cfg.email.support;
@ -80,7 +85,7 @@ let
PUBLIC_SUPPORT_EMAIL = cfg.email.publicSupport;
SMTP_SERVER = [ cfg.email.smtp.host cfg.email.smtp.port ];
SMTP_LOGIN = cfg.email.smtp.login;
SMTP_PASSWORD = pythonFmt.mkReadFile cfg.email.smtp.passwordFile;
SMTP_PASSWORD = pythonFmt.mkReadCred "smtp-password";
SMTP_USE_TLS = cfg.email.smtp.useTLS;
} // lib.optionalAttrs (cfg.ldap != null) {
AUTH_PROVIDERS = {
@ -383,14 +388,18 @@ in {
environment.systemPackages =
let
credArgs = lib.mapAttrsToList
(name: path:
"--property=LoadCredential=${lib.escapeShellArg name}:${lib.escapeShellArg path}")
credPaths;
indico = pkgs.writeScriptBin "indico" ''
#!${pkgs.runtimeShell}
sudo=exec
if [[ "$USER" != "indico" ]]; then
sudo='exec /run/wrappers/bin/sudo -u indico --preserve-env=INDICO_CONFIG'
fi
export INDICO_CONFIG=${configFile}
$sudo ${lib.getExe' pythonEnv "indico"} "$@"
systemd-run --quiet --wait --collect --pipe --pty \
--service-type=exec \
--uid=${cfg.user} --gid=${cfg.group} \
--property=Environment=INDICO_CONFIG=${configFile} \
${lib.strings.concatStringsSep " " credArgs} -- \
${lib.getExe' pythonEnv "indico"} "$@"
'';
in
[ indico ];
@ -419,6 +428,7 @@ in {
environment.INDICO_CONFIG = configFile;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
LoadCredential = lib.mapAttrsToList (name: path: "${name}:${path}") credPaths;
Group = cfg.group;
User = cfg.user;
};
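Review bot: `credPaths` reads `cfg.ldap.bindPasswordFile` unconditionally, while the `lib.optionalAttrs (cfg.ldap != null)` guard a few lines below suggests `cfg.ldap` may be null; if it is, both the new `LoadCredential` list in serviceConfig and `credArgs` in the wrapper force that value and evaluation fails, whereas before the move the read lived inside the ldap-only block. Guarding the entry keeps both consumers correct: `credPaths = { secret-key = cfg.secretKeyFile; smtp-password = cfg.email.smtp.passwordFile; } // lib.optionalAttrs (cfg.ldap != null) { bind-password = cfg.ldap.bindPasswordFile; };`. Separately, the wrapper no longer goes through sudo, and `systemd-run` without `--user` talks to the system manager, so a non-root caller now needs authorization for that call instead of the old sudo rule; a one-line comment in the script stating the expected caller would help, since the removed `$USER` check was the only hint. The `environment.systemPackages` let-block and the serviceConfig attrset both begin outside their hunks.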


@ -8,8 +8,10 @@ from json import load
PROLOGUE = (
"import functools as _functools\n"
"@_functools.cache\n"
"def _read_file(name):\n"
" with open(name) as fd:\n"
"def _read_cred(name):\n"
" import os\n"
" dir = os.environ['CREDENTIALS_DIRECTORY']\n"
" with open(os.path.join(dir, name)) as fd:\n"
" return fd.read()\n"
)
@ -27,8 +29,8 @@ def make_value(value):
for k, v in value["_value"].items()
]
return f"{{{','.join(items)}}}"
case "read-file":
return f"_read_file({repr(value['_value'])})"
case "read-cred":
return f"_read_cred({repr(value['_value'])})"
case _:
raise ValueError("Unknown data type")
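Review bot: `_read_cred` in the PROLOGUE hunk indexes `os.environ['CREDENTIALS_DIRECTORY']` directly, so a config loaded outside a unit that supplies credentials (an interactive import, or a unit without `LoadCredential`) fails with a bare `KeyError: 'CREDENTIALS_DIRECTORY'` far from the cause. A guarded lookup names the problem: `cred_dir = os.environ.get('CREDENTIALS_DIRECTORY')` followed by `if cred_dir is None: raise RuntimeError(f'CREDENTIALS_DIRECTORY is not set; credential {name!r} must be provided via LoadCredential')`. Renaming `dir` also stops shadowing the builtin. The read keeps any trailing newline from the credential file, as `_read_file` did, so existing secret files behave as before; the `make_value` function patched by the second hunk starts outside the hunk.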


@ -32,8 +32,8 @@ rec {
_mkVars = lib.mapAttrs (_: _mkValue);
mkReadFile = path:
_mkPy "read-file" (if lib.isStringLike path then
mkReadCred = path:
_mkPy "read-cred" (if lib.isStringLike path then
path
else
abort "invalid path type");
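Review bot: `mkReadCred` keeps the parameter name `path` and the `"invalid path type"` abort inherited from `mkReadFile`, but its argument is now a credential name resolved under `CREDENTIALS_DIRECTORY`, not a filesystem path; `lib.isStringLike` would also accept a Nix path or derivation and coerce it to a store path, which is unlikely to be a usable credential name. Renaming the parameter and tightening the check makes the new contract visible: `mkReadCred = name: _mkPy "read-cred" (if builtins.isString name then name else abort "credential name must be a string");`. The `rec { … }` attrset this belongs to starts outside the hunk.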


@ -15,20 +15,14 @@
age.secrets = {
indico-ldap-bind-password = {
file = ../secrets/indico-ldap-bind-password.age;
owner = config.services.indico.user;
group = config.services.indico.group;
};
indico-mail-password = {
file = ../secrets/indico-mail-password.age;
owner = config.services.indico.user;
group = config.services.indico.group;
};
indico-secret-key = {
file = ../secrets/indico-secret-key.age;
owner = config.services.indico.user;
group = config.services.indico.group;
};
};