hswaw/customs: disable DynamicUser for dhcpd / checkinator
Change-Id: I9c7feccf8eb908bf3808afb2ffc5adac50d7abd9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1455
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix b/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
index b117c63..356064e 100644
--- a/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
+++ b/hswaw/machines/customs.hackerspace.pl/checkinator-web.nix
@@ -35,23 +35,23 @@
config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
# local sqlite db for storing user and MAC
DB = "/var/checkinator-web/at.db";
-
+
# debug option interpreted by flask app
DEBUG = false;
-
+
# url to member wiki page
# "${login}" string is replaced by member login (uid)
WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
-
+
CLAIMABLE_PREFIXES = [
"10.8.0."
"2a0d:eb00:4242:0:"
];
CLAIMABLE_EXCLUDE = [ ];
-
+
SPACEAUTH_CONSUMER_KEY = "checkinator";
SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
-
+
SPECIAL_DEVICES = {
kektops = [ "90:e6:ba:84" ];
esps = [
@@ -64,9 +64,9 @@
"52:54:00" # craptrap VMs
];
};
-
+
PROXY_FIX = true;
-
+
GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
GRPC_TLS_ADDRESS = "[::1]:2847";
@@ -85,7 +85,7 @@
serviceConfig.User = "${user}";
serviceConfig.Type = "simple";
-
+
environment = {
CHECKINATOR_WEB_CONFIG=config;
};
@@ -99,12 +99,14 @@
fi
''}"
];
- serviceConfig.workingDirectory = checkinator;
+ serviceConfig.WorkingDirectory = checkinator;
serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
serviceConfig.ExecStopPost = [
''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
];
+ serviceConfig.DynamicUser = false;
+
};
services.nginx.virtualHosts."at.hackerspace.pl" = {
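Review bot: The added `serviceConfig.DynamicUser = false;` has no comment explaining why it is needed, and it does not restore the sandboxing that systemd implies when DynamicUser is on (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID). If the unit previously ran with DynamicUser enabled somewhere outside this hunk, the gunicorn process now runs as the static `${user}` without those restrictions. I would put a why-comment above the line, e.g. `# DynamicUser off: <reason>; hardening it implied is set explicitly below`, and add `serviceConfig.NoNewPrivileges = true;` and `serviceConfig.PrivateTmp = true;`. `ProtectSystem = "strict"` is also worth restoring, but it presumably needs `ReadWritePaths` for the sqlite directory and the socket directory, which should be confirmed against the rest of the unit. The service definition starts before this hunk, so existing hardening options may simply not be visible here.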
@@ -120,9 +122,9 @@
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $host:$server_port;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host:$server_port;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};