diff --git a/machines/compute01/dgsi/default.nix b/machines/compute01/dgsi/default.nix index 1e972c3..f7fd9e2 100644 --- a/machines/compute01/dgsi/default.nix +++ b/machines/compute01/dgsi/default.nix @@ -8,7 +8,7 @@ }: let - inherit (lib) mapAttrsToList; + inherit (lib) toLower; python = let @@ -33,25 +33,29 @@ let }; }; - pythonEnv = python.withPackages (ps: [ - ps.django - ps.gunicorn - ps.psycopg - ps.django-compressor - ps.django-import-export + pythonEnv = python.withPackages ( + ps: + [ + ps.django + ps.gunicorn + ps.psycopg + ps.django-compressor + ps.django-import-export - # Local packages - ps.django-allauth - ps.django-allauth-cas - ps.django-browser-reload - ps.django-bulma-forms - ps.django-sass-processor - ps.django-sass-processor-dart-sass - ps.django-unfold - ps.loadcredential - ps.pykanidm - ps.python-cas - ]); + # Local packages + ps.django-allauth + ps.django-allauth-cas + ps.django-browser-reload + ps.django-bulma-forms + ps.django-sass-processor + ps.django-sass-processor-dart-sass + ps.django-unfold + ps.loadcredential + ps.pykanidm + ps.python-cas + ] + ++ ps.django-allauth.optional-dependencies.saml + ); staticDrv = pkgs.stdenv.mkDerivation { name = "dgsi-static"; @@ -67,8 +71,10 @@ let configurePhase = '' export DGSI_STATIC_ROOT=$out/static export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials - export DGSI_KANIDM_CLIENT="dgsi_test"; - export DGSI_KANIDM_AUTH_TOKEN="fake.token"; + export DGSI_KANIDM_CLIENT="dgsi_test" + export DGSI_KANIDM_AUTH_TOKEN="fake.token" + export DGSI_X509_KEY="" + export DGSI_X509_CERT="" ''; doBuild = false; 
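Review bot: The two new exports in `configurePhase`, `DGSI_X509_KEY=""` and `DGSI_X509_CERT=""`, carry no comment saying they are build-time placeholders, just like the existing `dgsi_test` / `fake.token` values. Everything in this phase is recorded in the derivation and is readable from the Nix store, so a later edit that drops a real key here would publish it. I would add a shell comment above the exports, for example `# Placeholders so the settings module loads during the static build; real values come from LoadCredential at runtime. Never put real secrets here.` It is also worth confirming in the application, which is not visible in this diff, that an empty key or certificate is rejected at service start rather than accepted silently. The `staticDrv` binding starts and ends outside the hunk.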
@@ -101,12 +107,14 @@ in serviceConfig = { DynamicUser = true; - LoadCredential = mapAttrsToList (name: value: "${name}:${value}") { - SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path; - KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path; - KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path; - EMAIL_HOST_PASSWORD = config.age.secrets."dgsi-email_host_password_file".path; - }; + LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [ + "EMAIL_HOST_PASSWORD" + "KANIDM_AUTH_TOKEN" + "KANIDM_SECRET" + "SECRET_KEY" + "X509_CERT" + "X509_KEY" + ]; RuntimeDirectory = "django-apps/dgsi"; StateDirectory = "django-apps/dgsi"; UMask = "0027"; diff --git a/machines/compute01/secrets/dgsi-x509_cert_file b/machines/compute01/secrets/dgsi-x509_cert_file new file mode 100644 index 0000000..93b5ce6 Binary files /dev/null and b/machines/compute01/secrets/dgsi-x509_cert_file differ diff --git a/machines/compute01/secrets/dgsi-x509_key_file b/machines/compute01/secrets/dgsi-x509_key_file new file mode 100644 index 0000000..7d51f6f Binary files /dev/null and b/machines/compute01/secrets/dgsi-x509_key_file differ diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index f4737a6..c29f27f 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix @@ -10,6 +10,8 @@ lib.setDefault { inherit publicKeys; } [ "dgsi-kanidm_auth_token_file" "dgsi-kanidm_secret_file" "dgsi-secret_key_file" + "dgsi-x509_cert_file" + "dgsi-x509_key_file" "ds-fr-secret_file" "grafana-oauth_client_secret_file" "grafana-smtp_password_file" diff --git a/npins/sources.json b/npins/sources.json index 17ff5c7..c914b7f 100644 --- a/npins/sources.json +++ b/npins/sources.json 
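Review bot: The rewritten `LoadCredential` derives each age secret name from the credential name via `"dgsi-${toLower name}_file"`, but nothing in the hunk documents that convention. A comment above the list would help, for example `# Credential FOO is read from the age secret "dgsi-foo_file"; add the matching entry to secrets/secrets.nix.` A missing or misspelled entry should presumably fail at evaluation, since the attribute lookup would not resolve, which is the safe direction. The comment could also note that `X509_KEY` is a private key and must be rotated together with `X509_CERT`, and that the certificate is public material kept as a secret only for uniformity. The `serviceConfig` attribute set continues outside the hunk.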
@@ -45,9 +45,9 @@ "url": "https://git.dgnum.eu/DGNum/dgsi.git" }, "branch": "main", - "revision": "a88d31541cfd836ba2bd4bb3c8ec8142e4cd8aa2", + "revision": "9c4413faa1610167d65b5c6110cdbc714eb14887", "url": null, - "hash": "0z31ib1xjdyzpwdnbj4j7r9nb5baiab3nbx0wg55dh2ifkxp2vqb" + "hash": "0pn684dc1s5v3nqiy6jpxpr26mv5z6pq1i5cvza9d2hi7lddp3wb" }, "disko": { "type": "GitRelease",