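{ config, lib, pkgs, ... }:

{
  # uffd (the user directory / SSO backend) runs in its own container. uwsgi
  # serves it over plain HTTP on :8080; nginx on the host terminates TLS in
  # front of it (see the virtualHost below).
  hacc.containers.uffd = {
    # Note: these module arguments shadow the outer ones; `config` here is the
    # container's configuration, not the host's.
    config = { config, lib, pkgs, ... }: {
      services.uwsgi = {
        enable = true;
        plugins = [ "python3" ];
        instance = {
          type = "normal";
          pythonPackages = _: [ pkgs.uffd ];
          module = "uffd:create_app()";
          # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
          http = ":8080";
          env = [ "CONFIG_PATH=/persist/uffd/uffd.conf" ];
          # Apply pending database migrations before the app starts serving.
          # The site-packages path is hard-coded to the Python version uffd is
          # built against; the nginx "/static" root below uses the same path.
          hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
        };
      };
    };
  };

  # Public entry point: TLS is terminated here, requests are proxied to the
  # container over plain HTTP. Static files are served straight from the
  # package; a few of uffd's bundled images are redirected to the
  # infra4future assets instead (presumably branding).
  services.nginx.virtualHosts."login.infra4future.de" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
      "/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
      "/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
      "/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
      "/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
      "/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
      "/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
      "/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
    };
  };

  # Every 15 minutes: mirror uffd group memberships into Mattermost teams.
  # The script is written out as a standalone fish file (syntax-checked at
  # build time via `fish -n`) and `script` just points at it.
  systemd.services.auamost = {
    enable = true;
    description = "mattermost aua gruppensync";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig.Type = "simple";
    path = [ pkgs.fish pkgs.curl pkgs.jq ];
    script = (pkgs.writeTextFile {
      name = "auamost.fish";
      executable = true;
      checkPhase = ''
        ${lib.getExe pkgs.fish} -n $target
      '';
      text = ''
        #!${lib.getExe pkgs.fish}
        # Sync uffd group memberships into Mattermost teams, one (group, team)
        # pair per index of the parallel lists $groups / $teams. The sourced
        # secrets file is expected to define $uffd_token, $mattermost_token
        # (presumably a complete "Authorization: ..." header line, since it is
        # handed to curl -H as-is), $groups and $teams.
        source /run/secrets/auamost/secrets.fish
        or exit 1
        # NOTE(review): both tokens travel on the curl command line and are
        # visible in this host's process list while a request is running.

        if test (count $teams) -ne (count $groups)
          echo 'auamost: $teams and $groups must have the same length' >&2
          exit 1
        end

        # Call the Mattermost API. --fail turns HTTP errors into a non-zero
        # exit status so callers can react instead of parsing an error body
        # as if it were data.
        function mattermost_api
          curl --fail --silent --show-error -H $mattermost_token \
            -H "Content-Type: application/json" $argv
        end

        set failed 0
        for i in (seq 1 (count $groups))
          set team $teams[$i]
          set group $groups[$i]

          # Desired state: everyone in the uffd group. A failed fetch must skip
          # this team entirely; an empty list here would otherwise be treated
          # as "nobody belongs" and prune every current member below.
          if not set users (curl --fail --silent --show-error -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
            echo "auamost: could not fetch uffd group $group, skipping team $team" >&2
            set failed 1
            continue
          end
          set usernames (echo "$users" | jq -c "[.[] | .loginname]")

          # Make sure every uffd user exists in Mattermost. The payload is
          # built by jq rather than by string concatenation so the values are
          # always valid JSON. Mattermost presumably rejects accounts that
          # already exist; that is expected and deliberately not checked.
          for user in (echo "$users" | jq -c ".[]")
            set payload (echo "$user" | jq -c '{email: .email, username: .loginname, auth_service: "gitlab", auth_data: (.id | tostring)}')
            mattermost_api https://mattermost.infra4future.de/api/v4/users -d "$payload"
          end

          # Resolve login names to Mattermost user ids and add them all to the team.
          if not set resolved (mattermost_api https://mattermost.infra4future.de/api/v4/users/usernames -d "$usernames")
            echo "auamost: could not resolve users for team $team, skipping" >&2
            set failed 1
            continue
          end
          set userids (echo "$resolved" | jq --arg team "$team" '[.[] | {user_id: .id, team_id: $team}]')
          mattermost_api https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch -d "$userids"
          or set failed 1

          # The hacc team is only ever added to, never pruned.
          if test "$group" = "hacc"
            continue
          end

          # Current state: who is in the team right now. Membership records
          # carry no usernames or e-mail addresses, so fetch the user objects too.
          # NOTE(review): Mattermost list endpoints paginate; confirm that large
          # teams are fully covered by a single request.
          if not set current_members (mattermost_api https://mattermost.infra4future.de/api/v4/teams/"$team"/members)
            echo "auamost: could not list members of team $team, skipping" >&2
            set failed 1
            continue
          end
          set current_ids (echo "$current_members" | jq '[.[] | .user_id]')
          if not set current_users (mattermost_api https://mattermost.infra4future.de/api/v4/users/ids -d "$current_ids")
            echo "auamost: could not fetch member details for team $team, skipping" >&2
            set failed 1
            continue
          end

          # Remove everyone who is in the team but not in the uffd group.
          set wanted_ids (echo "$userids" | jq -r ".[].user_id")
          for member in (echo "$current_users" | jq -c ".[]")
            set id (echo "$member" | jq -r .id)
            if not contains -- "$id" $wanted_ids
              echo removing $id (echo "$member" | jq -r .email) from $team \($group\)
              mattermost_api -X DELETE https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id"
              or set failed 1
            end
          end
        end
        # Report a failed unit if any team could not be synced completely.
        exit $failed
      '';
    }).outPath;
    startAt = "*:0/15";
  };

  # Weekly: notify admins about unused uffd accounts. restartIfChanged = false
  # keeps a rebuild from triggering an extra run outside the timer.
  systemd.services.uffd-account-expiry-notification = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig.Type = "simple";
    path = [ pkgs.hacc-scripts pkgs.sqlite-interactive pkgs.postfix ];
    script = ''
      uffd-unused-accounts-notification.scm -v admin
    '';
    startAt = "weekly";
    restartIfChanged = false;
  };

  # Credentials and group/team lists for the auamost sync script.
  sops.secrets."auamost/secrets.fish" = { };

  environment.systemPackages = with pkgs; [ curl jq ];
}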