*: deployment fixes

2020-06-22 17:25:45 +02:00 · 2020-06-22 17:25:45 +02:00 · 56df3a536f
parent 2b8d5529f7
commit 56df3a536f
6 changed files with 62 additions and 12 deletions
--- a/default.nix
+++ b/default.nix
@ -17,6 +17,7 @@ let
    inherit prometheus_client;
    inherit pyjwt;
    inherit pytest;
+    inherit pyserial;
    inherit qrcode;
    inherit raspberrypi-tools;
    inherit requests;
@ -106,19 +107,11 @@ in with upstream; let
    propagatedBuildInputs = [ raspberrypi-tools ];
  };

-  cygpio = buildPythonPackage {
-    pname = "cygpio";
-    version = "1.0.0";
-    src = ./cygpio;
-    propagatedBuildInputs = [ pigpio cython ];
-  };
-
 in buildPythonPackage rec {
  name = "bitvend";
  src = ./.;
  doCheck = false;
  propagatedBuildInputs = [
-    cygpio
    flask
    flask_sqlalchemy
    websocket_client
@ -127,5 +120,6 @@ in buildPythonPackage rec {
    prometheus_client
    spaceauth
    qrcode
+    pyserial
  ];
 }
--- a/lego-hook.sh
+++ b/lego-hook.sh
@ -0,0 +1,14 @@
+#!/bin/sh
+
+# lego generates proper absolute fqdn with trailing dot. API expects one without it
+FQDN="${2::-1}"
+CHALLENGE="$3"
+
+case $1 in
+    present)
+    curl "$API_URL/api/1/add?token=$API_TOKEN&record=$FQDN:TXT&value=\"$CHALLENGE\"" ;;
+    cleanup)
+    curl "$API_URL/api/1/delete?token=$API_TOKEN&record=$FQDN:TXT" ;;
+    timeout)
+    echo '{"timeout": 240, "interval": 5}' ;;
+esac
--- a/mdb/backend.py
+++ b/mdb/backend.py
@ -87,10 +87,21 @@ class SerialBackend(Backend):
        import serial
        self.ser = serial.Serial(device)

+        # FIXME clear buffer
+        self.ser.timeout = 0.2
+        while self.ser.read(1):
+            pass
+        self.ser.timeout = None
+
    def read(self):
        buf = b''
        while len(buf) < 2:
            buf += self.ser.read(1)
+
+            # FIXME drop if 9th bit byte is invalid (desync)
+            if len(buf) >= 2 and buf[1] not in [0, 1]:
+                buf = buf[1:]
+
        return buf

    def write(self, data):
--- a/mdb/device.py
+++ b/mdb/device.py
@ -10,7 +10,6 @@ except ImportError:
 try:
    import cygpio
 except ImportError:
-    raise
    cygpio = None

 from mdb.utils import compute_checksum, compute_chk, bcd_decode
@ -219,7 +218,7 @@ class CashlessMDBDevice(MDBDevice):
                self.logger.info('VEND: request %r', req)
                value, product_bcd = struct.unpack('>xhhx', req.data)
                product = bcd_decode(product_bcd)
-                self.logger.info('VEND: requested %d for %d', product, value)
+                self.logger.info('VEND: requested %d (%04x) for %d', product, product_bcd, value)
                if self.vend_request(product, value):
                    # accept. two latter bytes are value subtracted from balance
                    # displayed after purchase FIXME
--- a/mdb/utils.py
+++ b/mdb/utils.py
@ -7,4 +7,8 @@ def compute_checksum(cmd, data):
    return compute_chk(bytearray([cmd]) + data)

 def bcd_decode(b):
-    return 10 * ((b & 0xf0) >> 4) + (b & 0x0f)
+    return \
+        1000 * ((b & 0xf000) >> 12) + \
+        100 * ((b & 0xf00) >> 8) + \
+        10 * ((b & 0xf0) >> 4) + \
+        (b & 0x0f)
--- a/module.nix
+++ b/module.nix
@ -17,7 +17,12 @@ let
      BLOCKCYPHER_TOKEN = '${cfg.blockcypherToken}'
      SECRET_KEY = '${cfg.secretKey}'
    '';
-
+  legoHook = pkgs.runCommand "lego-hook-wrapped" {
+    buildInputs = [ pkgs.makeWrapper ];
+  } ''
+    makeWrapper ${./lego-hook.sh} $out \
+      --prefix PATH : ${lib.makeBinPath [ pkgs.curl pkgs.bash ]}
+  '';

 in {
  options.services.bitvend = {
@ -56,6 +61,11 @@ in {
      default = "vending.waw.hackerspace.pl";
      description = "hostname";
    };
+    acmeToken = mkOption {
+      type = types.str;
+      default = "";
+      description = "Let's Encrypt proxy API authentication token";
+    };
  };
  config = mkIf cfg.enable {
    ids.uids.bitvend = 2137;
@ -67,6 +77,7 @@ in {
      uid = config.ids.uids.bitvend;
      description = "Bitvend daemon user";
      home = cfg.stateDir;
+      extraGroups = [ "dialout" ];
    };
    users.groups.bitvend = {
      name = bitvendGroup;
@ -88,12 +99,29 @@ in {
      "d '${cfg.stateDir}' 0750 '${bitvendUser}' '${bitvendGroup}' - -"
    ];
    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    security.acme.acceptTerms = true;
+    security.acme.email = "informatic@hackerspace.pl";
+    security.acme.certs."${cfg.hostName}" = {
+      dnsProvider = "exec";
+      dnsPropagationCheck = false;
+      webroot = lib.mkForce null;
+      credentialsFile = pkgs.writeText "acme-creds" ''
+EXEC_PATH=${legoHook}
+API_URL=https://ns1-waw.hackerspace.pl
+API_TOKEN=${cfg.acmeToken}
+      '';
+    };
+
    services.nginx = {
      enable = true;
+      recommendedProxySettings = true;
      appendHttpConfig = ''
        proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=qrcode_cache:10m max_size=50m inactive=60m;
      '';
      virtualHosts."${cfg.hostName}" = {
+        forceSSL = true;
+        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5000";
        };