From b38e6a0ebcec88bd971bf6c5a87ace45436ceab3 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sat, 30 Dec 2023 19:03:25 +0100
Subject: [PATCH] move the auamost.fish script into haccfiles

This is our script to synchronise groups between uffd and mattermost, since there seems to be no better way to do that. It has long lived under /persist/magic/auamost since it contained sensitive data (both which groups are on our platform & access tokens to both uffd's and mattermost's API with admin-level permissions). This splits the script up into a non-sensitive part which lives in Nix, and a small snippet that just sets all the sensitive stuff into env vars in sops, so we can manage the entire thing with our usual setup.
---
 secrets.yaml | 8 ++++---
 services/uffd.nix | 58 ++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 62 insertions(+), 4 deletions(-)

diff --git a/secrets.yaml b/secrets.yaml
index 1c33401..d7d5eb2 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -6,6 +6,8 @@ tracktrain:
 env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
 vaultwarden:
 env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
+auamost:
+ secrets.fish: ENC[AES256_GCM,data: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,iv:MpaFGYbcTXdFabV+vlGyGxexpfP7LUpYYBjF6GVEN7c=,tag:n8qTOhnbBT7Xxz21bU0bYQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -93,8 +95,8 @@ sops:
 bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
 S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-05-03T20:47:22Z"
- mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
+ lastmodified: "2023-12-30T17:53:03Z"
+ mac: ENC[AES256_GCM,data:TmAy6VSexktYaVlmZUPyvSIcByockQ/vf5evrZbgyVy80k1GqgU/sskELaJ6bpHZoo/xgSnepLugQYRazLFPIMSy2jGznco2enYtjgIRjl5SghEwYFPhc6jw+PlV/z9NLNOm+IzLf4YBesqGa2MLwOrT/1kHPFhVPZWA1Y/ccbw=,iv:wFvK0KWD2MRg/ap/5CGMeFr+zu21k7hMzO+4NCVpBbs=,tag:NPiSAj9g8rssqcrOBwVRVQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.1
diff --git a/services/uffd.nix b/services/uffd.nix
index b51cde7..c7cbbef 100644
--- a/services/uffd.nix
+++ b/services/uffd.nix
@@ -53,9 +53,65 @@
 after = [ "network.target" ];
 serviceConfig.Type = "simple";
 path = [ pkgs.fish pkgs.curl pkgs.jq ];
- script = "/persist/magic/mattermost-groupsync.fish";
+ script = (pkgs.writeTextFile {
+ name = "auamost.fish";
+ executable = true;
+ checkPhase = ''
+ ${lib.getExe pkgs.fish} -n $target
+ '';
+ text = ''
+ #!${lib.getExe pkgs.fish}
+ source /run/secrets/auamost/secrets.fish
+
+ for i in (seq 1 (count $groups))
+ set team $teams[$i]
+ set group $groups[$i]
+ set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
+ set usernames (echo "$users" | jq -c "[.[] | .loginname]")
+ for user in (echo "$users" | jq -c ".[]")
+ set id (echo "$user" | jq .id)
+ set username (echo "$user" | jq .loginname)
+ set email (echo "$user" | jq .email)
+ curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
+ -d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
+ end
+ set userids (curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
+ -d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
+ curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
+ -d "$userids"
+
+ if test "$group" = "hacc"
+ continue
+ end
+
+ set current_members (curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
+
+ # membership relations don't contain e.g. usernames, so fetch those, too
+ set current_users (curl -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
+ -d "$current_members" | jq -c '.[]')
+
+ set userids (echo "$userids" | jq -c ".[].user_id")
+ for member in $current_users
+ set id (echo $member | jq .id)
+ if not contains -i $id $userids > /dev/null then
+ set id_unquoted (echo $member | jq -r .id)
+ echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
+ curl -X DELETE -H $mattermost_token \
+ -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
+ end
+ end
+ end
+ '';
+ }).outPath;
 startAt = "*:0/15";
 };
+ sops.secrets."auamost/secrets.fish" = { };
+ environment.systemPackages = with pkgs; [ curl jq ];
 }
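Review bot: The pruning loop at the end of the new `script` fails open: none of the `curl` calls use `--fail` or check `$status`, so as far as I can trace, when the uffd `getusers` request (or the Mattermost `users/usernames` lookup) fails or returns an error document, `$users` and therefore `$userids` end up empty, every current member of the team fails the `contains` test, and the `curl -X DELETE` branch removes them all — only the `hacc` group escapes via the `continue`, and the unit runs unattended every 15 minutes (`startAt`), so an API outage or an expired token would empty the other teams. Abort on failed calls, e.g. `set users (curl -sSf -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group"); or exit 1` (fish's `set` passes the command substitution's status through), and refuse to prune when nothing was resolved: `if test (count $userids) -eq 0; echo "refusing to prune $team: no members resolved" >&2; exit 1; end`. Separately, `-u $uffd_token` and `-H $mattermost_token` place both admin tokens on curl's command line, where any local user can read them from the process list for the duration of each call; feeding them as a curl config on stdin (`curl -K -`) keeps them out of argv. Minor: fish has no `then` keyword, so in `if not contains -i $id $userids > /dev/null then` the word is handed to `contains` as one more value to search — harmless here, but it should be dropped. The enclosing systemd service definition begins before the hunk.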