feat(dgsi): Update, with SAML provisional auth

2024-10-06 16:19:36 +02:00 · 2024-10-06 16:19:36 +02:00 · 7d24e2dfc1
commit 7d24e2dfc1
parent 38231eb6e0
5 changed files with 39 additions and 29 deletions
--- a/machines/compute01/dgsi/default.nix
+++ b/machines/compute01/dgsi/default.nix
@ -8,7 +8,7 @@
 }:

 let
-  inherit (lib) mapAttrsToList;
+  inherit (lib) toLower;

  python =
    let
@ -33,25 +33,29 @@ let
      };
    };

-  pythonEnv = python.withPackages (ps: [
-    ps.django
-    ps.gunicorn
-    ps.psycopg
-    ps.django-compressor
-    ps.django-import-export
+  pythonEnv = python.withPackages (
+    ps:
+    [
+      ps.django
+      ps.gunicorn
+      ps.psycopg
+      ps.django-compressor
+      ps.django-import-export

-    # Local packages
-    ps.django-allauth
-    ps.django-allauth-cas
-    ps.django-browser-reload
-    ps.django-bulma-forms
-    ps.django-sass-processor
-    ps.django-sass-processor-dart-sass
-    ps.django-unfold
-    ps.loadcredential
-    ps.pykanidm
-    ps.python-cas
-  ]);
+      # Local packages
+      ps.django-allauth
+      ps.django-allauth-cas
+      ps.django-browser-reload
+      ps.django-bulma-forms
+      ps.django-sass-processor
+      ps.django-sass-processor-dart-sass
+      ps.django-unfold
+      ps.loadcredential
+      ps.pykanidm
+      ps.python-cas
+    ]
+    ++ ps.django-allauth.optional-dependencies.saml
+  );

  staticDrv = pkgs.stdenv.mkDerivation {
    name = "dgsi-static";
@ -67,8 +71,10 @@ let
    configurePhase = ''
      export DGSI_STATIC_ROOT=$out/static
      export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
-      export DGSI_KANIDM_CLIENT="dgsi_test";
-      export DGSI_KANIDM_AUTH_TOKEN="fake.token";
+      export DGSI_KANIDM_CLIENT="dgsi_test"
+      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
+      export DGSI_X509_KEY=""
+      export DGSI_X509_CERT=""
    '';

    doBuild = false;
@ -101,12 +107,14 @@ in

        serviceConfig = {
          DynamicUser = true;
-          LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
-            SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path;
-            KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path;
-            KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path;
-            EMAIL_HOST_PASSWORD = config.age.secrets."dgsi-email_host_password_file".path;
-          };
+          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
+            "EMAIL_HOST_PASSWORD"
+            "KANIDM_AUTH_TOKEN"
+            "KANIDM_SECRET"
+            "SECRET_KEY"
+            "X509_CERT"
+            "X509_KEY"
+          ];
          RuntimeDirectory = "django-apps/dgsi";
          StateDirectory = "django-apps/dgsi";
          UMask = "0027";
--- a/machines/compute01/secrets/dgsi-x509_cert_file
+++ b/machines/compute01/secrets/dgsi-x509_cert_file
--- a/machines/compute01/secrets/dgsi-x509_key_file
+++ b/machines/compute01/secrets/dgsi-x509_key_file
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -10,6 +10,8 @@ lib.setDefault { inherit publicKeys; } [
  "dgsi-kanidm_auth_token_file"
  "dgsi-kanidm_secret_file"
  "dgsi-secret_key_file"
+  "dgsi-x509_cert_file"
+  "dgsi-x509_key_file"
  "ds-fr-secret_file"
  "grafana-oauth_client_secret_file"
  "grafana-smtp_password_file"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -45,9 +45,9 @@
        "url": "https://git.dgnum.eu/DGNum/dgsi.git"
      },
      "branch": "main",
-      "revision": "a88d31541cfd836ba2bd4bb3c8ec8142e4cd8aa2",
+      "revision": "9c4413faa1610167d65b5c6110cdbc714eb14887",
      "url": null,
-      "hash": "0z31ib1xjdyzpwdnbj4j7r9nb5baiab3nbx0wg55dh2ifkxp2vqb"
+      "hash": "0pn684dc1s5v3nqiy6jpxpr26mv5z6pq1i5cvza9d2hi7lddp3wb"
    },
    "disko": {
      "type": "GitRelease",