stuebinm
f654b33a56
this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system.
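{ config, lib, pkgs, ... }:

{
  # uffd (the login service behind login.infra4future.de) runs in its own
  # container; the host's nginx below terminates TLS and proxies to the
  # container's private address.
  hacc.containers.uffd = {
    config = { config, lib, pkgs, ... }: {
      services.uwsgi = {
        enable = true;
        plugins = [ "python3" ];
        instance = {
          type = "normal";
          pythonPackages = _: [ pkgs.uffd ];
          module = "uffd:create_app()";
          # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
          # Plain HTTP inside the container; it is only reachable from the host
          # via the container's localAddress (see the nginx proxyPass below).
          http = ":8080";
          env = [
            "CONFIG_PATH=/persist/uffd/uffd.conf"
          ];
          # Apply pending database migrations before the app is started.
          # NOTE(review): the python3.10 path is hard-coded here and in the
          # nginx "/static" root below; it must match the python pkgs.uffd is
          # built against — confirm when bumping the package.
          hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
        };
      };
    };
  };

  services.nginx.virtualHosts."login.infra4future.de" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
      # static assets are served straight from the package, not via uwsgi
      "/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
      # branding overrides: redirect a few bundled assets to the public site
      "/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
      "/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
      "/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
      "/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
      "/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
      "/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
    };
  };

  # Periodic sync of uffd groups into mattermost teams: every 15 minutes,
  # for each (group, team) pair from the secrets file, make sure every group
  # member has a mattermost account and is in the team, and (except for the
  # "hacc" group) remove team members that are no longer in the group.
  systemd.services.auamost = {
    enable = true;

    description = "mattermost aua gruppensync";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig.Type = "simple";
    path = [ pkgs.fish pkgs.curl pkgs.jq ];
    # `script` is given the store path of a syntax-checked fish file; the
    # generated systemd wrapper simply executes it.
    script = (pkgs.writeTextFile {
      name = "auamost.fish";
      executable = true;
      checkPhase = ''
        ${lib.getExe pkgs.fish} -n $target
      '';
      text = ''
        #!${lib.getExe pkgs.fish}
        # Expected to define $groups, $teams (parallel lists), $uffd_token
        # (user:password for uffd's API) and $mattermost_token (a complete
        # Authorization header line).
        source /run/secrets/auamost/secrets.fish

        # NOTE(review): both tokens are passed on curl's command line, so they
        # are visible in the host's process list while a request runs; curl's
        # --config / -H @file would keep them out of argv.

        for i in (seq 1 (count $groups))
          set team $teams[$i]
          set group $groups[$i]
          set users (curl -f -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
          # A failed or empty answer from uffd must not be mistaken for "the
          # group has no members": the removal pass below would then drop every
          # member of the team. A genuinely empty group still returns "[]".
          if test -z "$users"
            echo "could not fetch members of $group from uffd, skipping $team"
            continue
          end
          set usernames (echo "$users" | jq -c "[.[] | .loginname]")
          # create (or no-op re-create) a mattermost account for every member;
          # $email/$username/$id are already JSON-encoded by jq
          for user in (echo "$users" | jq -c ".[]")
            set id (echo "$user" | jq .id)
            set username (echo "$user" | jq .loginname)
            set email (echo "$user" | jq .email)
            curl -H $mattermost_token \
              -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
              -d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
          end
          set userids (curl -f -H $mattermost_token \
            -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
            -d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
          # same guard as above: without the resolved id list the removal pass
          # would treat every current member as stale
          if test -z "$userids"
            echo "could not resolve mattermost accounts for $group, skipping $team"
            continue
          end
          curl -H $mattermost_token \
            -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
            -d "$userids"

          # the hacc team is additive only: nobody is ever removed from it
          if test "$group" = "hacc"
            continue
          end

          set current_members (curl -f -H $mattermost_token \
            -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')

          # membership relations don't contain e.g. usernames, so fetch those, too
          set current_users (curl -f -H $mattermost_token \
            -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
            -d "$current_members" | jq -c '.[]')

          # quoted JSON ids, one per list element, matching the $id format below
          set userids (echo "$userids" | jq -c ".[].user_id")
          for member in $current_users
            set id (echo $member | jq .id)
            if not contains -i $id $userids > /dev/null
              set id_unquoted (echo $member | jq -r .id)
              echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
              curl -X DELETE -H $mattermost_token \
                -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
            end
          end
        end
      '';
    }).outPath;
    startAt = "*:0/15";
  };

  sops.secrets."auamost/secrets.fish" = { };

  environment.systemPackages = with pkgs; [ curl jq ];
}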