commit ee8f1d5e2cc47ab9b95a67dcb8d1ce18583e7e35
author vuko <vuko@hackerspace.pl> Sat Dec 31 01:04:42 2022 +0100
committer vuko <vuko@hackerspace.pl> Fri Mar 31 19:33:17 2023 +0000
tree ef4c11a58c126b5625603202727e25fd9177848a
parent 779727b39ef6f3f7f28522ce21e02b7a8b344ed5

hswaw/customs: disable DynamicUser for dhcpd / checkinator

Change-Id: I9c7feccf8eb908bf3808afb2ffc5adac50d7abd9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1455
Reviewed-by: q3k <q3k@hackerspace.pl>

hswaw/machines/customs.hackerspace.pl/checkinator-web.nix

diff --git a/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix b/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
index b117c63..356064e 100644
--- a/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
+++ b/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
@@ -35,23 +35,23 @@
   config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
     # local sqlite db for storing user and MAC
     DB = "/var/checkinator-web/at.db";
-    
+
     # debug option interpreted by flask app
     DEBUG = false;
-    
+
     # url to member wiki page
     # "${login}" string is replaced by member login (uid)
     WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
-    
+
     CLAIMABLE_PREFIXES = [
       "10.8.0."
       "2a0d:eb00:4242:0:"
     ];
     CLAIMABLE_EXCLUDE = [ ];
-    
+
     SPACEAUTH_CONSUMER_KEY = "checkinator";
     SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
-    
+
     SPECIAL_DEVICES = {
       kektops = [ "90:e6:ba:84" ];
       esps = [
@@ -64,9 +64,9 @@
         "52:54:00" # craptrap VMs
       ];
     };
-    
+
     PROXY_FIX = true;
-    
+
     GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
     GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
     GRPC_TLS_ADDRESS = "[::1]:2847";
@@ -85,7 +85,7 @@
 
     serviceConfig.User = "${user}";
     serviceConfig.Type = "simple";
-      
+
     environment = {
       CHECKINATOR_WEB_CONFIG=config;
     };
@@ -99,12 +99,14 @@
         fi
       ''}"
     ];
-    serviceConfig.workingDirectory = checkinator;
+    serviceConfig.WorkingDirectory = checkinator;
     serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
     serviceConfig.ExecStopPost = [
       ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
     ];
 
+    serviceConfig.DynamicUser = false;
+
   };
 
   services.nginx.virtualHosts."at.hackerspace.pl" = {
@@ -120,9 +122,9 @@
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Forwarded-Host $host:$server_port;
-	proxy_set_header X-Forwarded-Server $host;
-	proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
       '';
     };
   };