haccfiles/parsons/uffd.nix

{ config, lib, pkgs, ... }:

{
  hacc.containers.uffd = {
    config = { config, lib, pkgs, ... }: {
      services.uwsgi = {
        enable = true;
        plugins = [ "python3" ];
        instance = {
          type = "normal";
          pythonPackages = _: [ pkgs.uffd ];
          module = "uffd:create_app()";
          # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
          http = ":8080";
          env = [
            "CONFIG_PATH=/persist/uffd/uffd.conf"
          ];
          hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
        };
      };
    };
  };
  services.nginx.virtualHosts."login.infra4future.de" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
      "/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
      "/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
      "/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
      "/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
      "/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
      "/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
      "/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
    };
  };

  systemd.services.auamost = {
    enable = true;

    description = "mattermost aua gruppensync";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig.Type = "simple";
    path = [ pkgs.fish pkgs.curl pkgs.jq ];
    script = (pkgs.writeTextFile {
      name = "auamost.fish";
      executable = true;
      checkPhase = ''
        ${lib.getExe pkgs.fish} -n $target
      '';
      text = ''
        #!${lib.getExe pkgs.fish}
        source /run/secrets/auamost/secrets.fish

        for i in (seq 1 (count $groups))
            set team $teams[$i]
            set group $groups[$i]
            set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
            set usernames (echo "$users" | jq -c "[.[] | .loginname]")
            for user in (echo "$users" | jq -c ".[]")
              set id (echo "$user" | jq .id)
              set username (echo "$user" | jq .loginname)
              set email (echo "$user" | jq .email)
              curl -H $mattermost_token \
                   -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
                   -d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
            end
            set userids (curl -H $mattermost_token \
                -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
                -d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
            curl -H $mattermost_token \
                -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
                -d "$userids"

            if test "$group" = "hacc"
              continue
            end

            set current_members (curl -H $mattermost_token \
                -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')

            # membership relations don't contain e.g. usernames, so fetch those, too
            set current_users (curl -H $mattermost_token \
                -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
                -d "$current_members" | jq -c '.[]')

            set userids (echo "$userids" | jq -c ".[].user_id")
            for member in $current_users
                set id (echo $member | jq .id)
                if not contains -i $id $userids > /dev/null then
                  set id_unquoted (echo $member | jq -r .id)
                  echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
                  curl -X DELETE -H $mattermost_token \
                    -H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
                end
            end
        end
      '';
    }).outPath;
    startAt = "*:0/15";
  };

  sops.secrets."auamost/secrets.fish" = { };

  environment.systemPackages = with pkgs; [ curl jq ];
}