authorvuko <vuko@hackerspace.pl>2020-10-27 17:45:23 +0100
committervuko <vuko@hackerspace.pl>2020-10-27 17:45:23 +0100
commitf2dc2687552bb4516715d58e956ba1bcb7186c59 (patch)
tree789d5e963f509e57289081826a8d3b59ea79c136
parent366456e537a9c93c05c90d9ec0a639caa4fe79e6 (diff)
extract secrets from web config file
-rw-r--r--at/tracker.py2
-rw-r--r--at/webapp.py13
-rw-r--r--web-config.dist.yaml7
-rw-r--r--web-secrets.dist.yaml3
4 files changed, 14 insertions, 11 deletions
diff --git a/at/tracker.py b/at/tracker.py
index bfc4290..01fa05b 100644
--- a/at/tracker.py
+++ b/at/tracker.py
@@ -79,7 +79,7 @@ def server():
unix_socket = config.get('GRPC_UNIX_SOCKET', False)
if unix_socket:
- server.add_insecure_port(unix_socket)
+ server.add_insecure_port(f'unix://{unix_socket}')
if tls_address or unix_socket:
print('starting grpc server ...')
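Review bot: The new target string `f'unix://{unix_socket}'` is only well-formed when the configured path is absolute, because gRPC's `unix://` form expects an absolute path (three slashes in total) while the `unix:path` form accepts relative and absolute paths. The example added to web-config.dist.yaml in this commit is `./checkinator.sock`, which would produce `unix://./checkinator.sock`; the same construction is used for the client channel in at/webapp.py. I would use `server.add_insecure_port(f'unix:{unix_socket}')`, or resolve the path first with `Path(unix_socket).resolve()`. Since this port carries no transport authentication, access to the API rests on the permissions of the socket file and its directory, and the hunk shows no step that restricts them. `server()` starts and ends outside the hunk.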
diff --git a/at/webapp.py b/at/webapp.py
index d1ac968..520e563 100644
--- a/at/webapp.py
+++ b/at/webapp.py
@@ -44,12 +44,12 @@ class DevicesApi:
config_path = Path(os.environ.get("CHECKINATOR_WEB_CONFIG", 'web-config.yaml'))
config = yaml.safe_load(config_path.read_text())
+config.update(yaml.safe_load(Path(config["SECRETS_FILE"]).read_text()))
-#updater = DhcpdUpdater(config['LEASE_FILE'], config['TIMEOUT'])
-#updater.start()
-
-if 'GRPC_TLS_ADDRESS' in config:
+tls_address = config.get("GRPC_TLS_ADDRESS", False)
+unix_socket = config.get('GRPC_UNIX_SOCKET', False)
+if tls_address:
print("using secure channel")
ca_cert = Path(config.get('GRPC_TLS_CA_CERT')).read_bytes()
cert_dir = Path(config.get('GRPC_TLS_CERT_DIR'))
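Review bot: The added `config.update(...)` line fails opaquely on a config that predates this commit and on an empty secrets file: `config["SECRETS_FILE"]` raises a bare KeyError, and `yaml.safe_load` returns None for an empty document, which `update` rejects with a TypeError. The path is also resolved against the process working directory rather than the directory of `config_path`, so whether the secrets file is found depends on where the service is started. I would write `secrets = yaml.safe_load((config_path.parent / config["SECRETS_FILE"]).read_text()) or {}` followed by `config.update(secrets)`. Because the merge is a plain `update`, any key in the secrets file overrides the main config, so limiting it to the expected secret keys would be a reasonable tightening. The `if tls_address:` block continues past the end of the hunk.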
@@ -64,8 +64,9 @@ if 'GRPC_TLS_ADDRESS' in config:
('grpc.ssl_target_name_override', 'at.customs.hackerspace.pl')
]
channel = grpc.secure_channel(config.get('GRPC_TLS_ADDRESS'), channel_credential, options=options)
+elif unix_socket:
+ channel = grpc.insecure_channel(f'unix://{unix_socket}')
else:
- print("using insecure channel")
- channel = grpc.insecure_channel('unix:///tmp/checkinator.sock')
+ raise Exception("no GRPC_TLS_ADDRESS or GRPC_UNIX_SOCKET set in config file")
app = at.web.app(Path(__file__).parent, DevicesApi(channel), config)
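Review bot: The new `elif unix_socket:` branch opens an unauthenticated channel without any startup output, since the removed `print("using insecure channel")` has no replacement. An operator reading the log can no longer tell which transport is in use, and when both keys are set the TLS address wins without saying so. I would add `print("using insecure channel over unix socket")` in that branch. The final `raise Exception(...)` would also read better as `raise RuntimeError(...)`, so that callers are not pushed towards catching the base class. The `if tls_address:` block begins before this hunk.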
diff --git a/web-config.dist.yaml b/web-config.dist.yaml
index ad481e8..12ef918 100644
--- a/web-config.dist.yaml
+++ b/web-config.dist.yaml
@@ -11,10 +11,7 @@ WIKI_URL: 'https://wiki.hackerspace.pl/people:%(login)s:start'
CLAIMABLE_PREFIX: '10.8.0.'
CLAIMABLE_EXCLUDE: [ ]
-SECRET_KEY: 'CHANGEME'
-
-SPACEAUTH_CONSUMER_KEY: 'checkinator'
-SPACEAUTH_CONSUMER_SECRET: 'CHANGEME'
+SECRETS_FILE: "web-secrets.yaml"
SPECIAL_DEVICES:
'kektops':
@@ -45,6 +42,8 @@ SPECIAL_DEVICES:
PROXY_FIX: true
+#GRPC_UNIX_SOCKET: "./checkinator.sock"
+
GRPC_TLS_CERT_DIR: "./cert-webapp"
GRPC_TLS_CA_CERT: "./ca.pem"
GRPC_TLS_ADDRESS: '[::1]:2847'
diff --git a/web-secrets.dist.yaml b/web-secrets.dist.yaml
new file mode 100644
index 0000000..3e2f281
--- /dev/null
+++ b/web-secrets.dist.yaml
@@ -0,0 +1,3 @@
+SECRET_KEY: 'CHANGEME'
+SPACEAUTH_CONSUMER_KEY: 'checkinator'
+SPACEAUTH_CONSUMER_SECRET: 'CHANGEME'
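Review bot: The template ships `SECRET_KEY: 'CHANGEME'` and `SPACEAUTH_CONSUMER_SECRET: 'CHANGEME'` with no instruction attached, and nothing visible in at/webapp.py rejects these placeholders at startup. A deployment that copies the file unchanged would run with publicly known values, which presumably affects session signing and the OAuth client secret. I would add a header comment such as `# Copy to web-secrets.yaml, replace every CHANGEME with a random value, keep the copy out of version control and readable only by the service user.` A startup check in webapp.py that refuses to run while a value is still `CHANGEME` would back that up.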