privacyidea: address reviews

Robin Gloster 2020-05-08 14:09:10 +02:00
parent 134c66b584
commit f1f0e82c50
No known key found for this signature in database
GPG Key ID: D5C458DF6DD97EDF
6 changed files with 24 additions and 35 deletions


@ -40,7 +40,7 @@ let
piCfgFile = pkgs.writeText "privacyidea.cfg" '' piCfgFile = pkgs.writeText "privacyidea.cfg" ''
SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ] SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ]
SQLALCHEMY_DATABASE_URI = '${cfg.databaseURI}' SQLALCHEMY_DATABASE_URI = 'postgresql:///privacyidea'
SECRET_KEY = '${cfg.secretKey}' SECRET_KEY = '${cfg.secretKey}'
PI_PEPPER = '${cfg.pepper}' PI_PEPPER = '${cfg.pepper}'
PI_ENCFILE = '${cfg.encFile}' PI_ENCFILE = '${cfg.encFile}'
@ -65,14 +65,6 @@ in
''; '';
}; };
runDir = mkOption {
type = types.str;
default = "/run/privacyidea";
description = ''
Directory where all PrivacyIDEA files will be placed by default.
'';
};
superuserRealm = mkOption { superuserRealm = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "super" "administrators" ]; default = [ "super" "administrators" ];
@ -81,14 +73,6 @@ in
''; '';
}; };
databaseURI = mkOption {
type = types.str;
default = "postgresql:///privacyidea";
description = ''
Database as SQLAlchemy URI to use for PrivacyIDEA.
'';
};
secretKey = mkOption { secretKey = mkOption {
type = types.str; type = types.str;
example = "t0p s3cr3t"; example = "t0p s3cr3t";
@ -129,9 +113,9 @@ in
''; '';
}; };
adminPassword = mkOption { adminPasswordFile = mkOption {
type = types.str; type = types.path;
description = "Password for the admin user"; description = "File containing password for the admin user";
}; };
adminEmail = mkOption { adminEmail = mkOption {
@ -199,7 +183,7 @@ in
uwsgi = { uwsgi = {
plugins = [ "python3" ]; plugins = [ "python3" ];
pythonpath = "${penv}/${uwsgi.python3.sitePackages}"; pythonpath = "${penv}/${uwsgi.python3.sitePackages}";
socket = "${cfg.runDir}/socket"; socket = "/run/privacyidea/socket";
uid = cfg.user; uid = cfg.user;
gid = cfg.group; gid = cfg.group;
chmod-socket = 770; chmod-socket = 770;
@ -209,7 +193,7 @@ in
processes = 4; processes = 4;
harakiri = 60; harakiri = 60;
reload-mercy = 8; reload-mercy = 8;
stats = "${cfg.runDir}/stats.socket"; stats = "/run/privacyidea/stats.socket";
max-requests = 2000; max-requests = 2000;
limit-as = 1024; limit-as = 1024;
reload-on-as = 512; reload-on-as = 512;
@ -224,20 +208,19 @@ in
path = with pkgs; [ openssl ]; path = with pkgs; [ openssl ];
environment.PRIVACYIDEA_CONFIGFILE = piCfgFile; environment.PRIVACYIDEA_CONFIGFILE = piCfgFile;
preStart = let preStart = let
pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -H PRIVACYIDEA_CONFIGFILE=${piCfgFile} ${penv}/bin/pi-manage"; pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
pgsu = config.services.postgresql.superUser; pgsu = config.services.postgresql.superUser;
psql = config.services.postgresql.package; psql = config.services.postgresql.package;
in '' in ''
mkdir -p ${cfg.stateDir} ${cfg.runDir} mkdir -p ${cfg.stateDir} /run/privacyidea
chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} ${cfg.runDir} chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
ln -sf ${piCfgFile} ${cfg.stateDir}/privacyidea.cfg
if ! test -e "${cfg.stateDir}/db-created"; then if ! test -e "${cfg.stateDir}/db-created"; then
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user} ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
${pi-manage} create_enckey ${pi-manage} create_enckey
${pi-manage} create_audit_keys ${pi-manage} create_audit_keys
${pi-manage} createdb ${pi-manage} createdb
${pi-manage} admin add admin -e ${cfg.adminEmail} -p ${cfg.adminPassword} ${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})"
${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations ${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations
touch "${cfg.stateDir}/db-created" touch "${cfg.stateDir}/db-created"
chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem" chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem"
@ -255,11 +238,11 @@ in
}; };
}; };
users.extraUsers.privacyidea = mkIf (cfg.user == "privacyidea") { users.users.privacyidea = mkIf (cfg.user == "privacyidea") {
group = cfg.group; group = cfg.group;
}; };
users.extraGroups.privacyidea = mkIf (cfg.group == "privacyidea") {}; users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {};
}) })
(mkIf cfg.ldap-proxy.enable { (mkIf cfg.ldap-proxy.enable {
@ -285,11 +268,11 @@ in
}; };
}; };
users.extraUsers.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") { users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
group = cfg.ldap-proxy.group; group = cfg.ldap-proxy.group;
}; };
users.extraGroups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {}; users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
}) })
]; ];
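Review bot: The admin password is still expanded into a process argument at `${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})"`, so although it no longer lands in the Nix store it is readable from the process list of the host for the duration of that call, and `types.path` also accepts a store path (as the test does with `pkgs.writeText`), which puts it back into the world-readable store. Unless pi-manage can take the password from a prompt or stdin, the option description should at least say so: `File containing password for the admin user; do not point this at a path in the Nix store, as the store is world-readable.`. The switch to `sudo -u privacyidea -HE` also passes the entire environment of the root preStart into the privacyidea user where the old form passed only `PRIVACYIDEA_CONFIGFILE`; if the sudo in use supports it, `--preserve-env=PRIVACYIDEA_CONFIGFILE` keeps the narrower scope. The preStart script begun at `preStart = let` continues past the end of this hunk.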


@ -14,7 +14,7 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
enable = true; enable = true;
secretKey = "testing"; secretKey = "testing";
pepper = "testing"; pepper = "testing";
adminPassword = "testing"; adminPasswordFile = pkgs.writeText "admin-password" "testing";
adminEmail = "root@localhost"; adminEmail = "root@localhost";
}; };
services.nginx = { services.nginx = {


@ -15,7 +15,7 @@ buildPythonPackage rec {
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "Flask plugin to rewrite file paths to add version info"; description = "Flask plugin to rewrite file paths to add version info";
homepage = https://github.com/pilt/flask-versioned; homepage = "https://github.com/pilt/flask-versioned";
license = licenses.bsd3; license = licenses.bsd3;
maintainers = with maintainers; [ globin ]; maintainers = with maintainers; [ globin ];
}; };


@ -30,6 +30,8 @@ buildPythonPackage rec {
# issues with hardware token tests # issues with hardware token tests
doCheck = false; doCheck = false;
pythonImportsCheck = [ "privacyidea" ];
postPatch = '' postPatch = ''
substituteInPlace privacyidea/lib/resolvers/LDAPIdResolver.py --replace \ substituteInPlace privacyidea/lib/resolvers/LDAPIdResolver.py --replace \
"/etc/privacyidea/ldap-ca.crt" \ "/etc/privacyidea/ldap-ca.crt" \


@ -12,8 +12,12 @@ buildPythonPackage rec {
}; };
propagatedBuildInputs = [ twisted ldaptor configobj ]; propagatedBuildInputs = [ twisted ldaptor configobj ];
# python 2 zope.interface test import path issues
doCheck = false; doCheck = false;
pythonImportsCheck = [ "pi_ldapproxy" ];
meta = with lib; { meta = with lib; {
description = "LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA"; description = "LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA";
homepage = "https://github.com/privacyidea/privacyidea-ldap-proxy"; homepage = "https://github.com/privacyidea/privacyidea-ldap-proxy";


@ -3197,8 +3197,8 @@ in {
priority = callPackage ../development/python-modules/priority { }; priority = callPackage ../development/python-modules/priority { };
privacyidea = callPackage ../servers/privacyidea { }; privacyidea = callPackage ../development/python-modules/privacyidea { };
privacyidea-ldap-proxy = callPackage ../servers/privacyidea/ldap-proxy.nix { }; privacyidea-ldap-proxy = callPackage ../development/python-modules/privacyidea/ldap-proxy.nix { };
prov = callPackage ../development/python-modules/prov { }; prov = callPackage ../development/python-modules/prov { };