From 4694b99dd0ce0a1de0360e8008290a88f919ae23 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 22 Apr 2024 14:41:40 +0300
Subject: Set up SSL keys for CI/CD for gn2 and gn-auth

---
 genenetwork-development.scm | 48 +++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/genenetwork-development.scm b/genenetwork-development.scm
index f770f97..a624819 100644
--- a/genenetwork-development.scm
+++ b/genenetwork-development.scm
@@ -126,11 +126,11 @@ be imported into G-expressions."
   (gn-auth-port genenetwork-configuration-gn-auth-port
             (default 8084))
   (gn2-secrets genenetwork-configuration-gn2-secrets
-               (default "/etc/genenetwork/gn2-secrets.py"))
+               (default "/etc/genenetwork"))
   (gn3-secrets genenetwork-configuration-gn3-secrets
                (default "/etc/genenetwork/gn3-secrets.py"))
   (gn-auth-secrets genenetwork-configuration-gn-auth-secrets
-                   (default "/etc/genenetwork/gn-auth-secrets.py"))
+                   (default "/etc/genenetwork"))
   (genotype-files genenetwork-configuration-genotype-files
                   (default "/var/genenetwork/genotype-files"))
   (sparql-endpoint genenetwork-configuration-sparql-endpoint
@@ -477,15 +477,17 @@ server described by CONFIG, a <genenetwork-configuration> object."
 
 	    (setenv
 	     "GN2_SETTINGS"
-	     #$(mixed-text-file "gn2-staging.conf"
-				"GN2_SECRETS=\"" gn2-secrets "\"\n"
+	     #$(mixed-text-file "gn2.conf"
+				"GN2_SECRETS=\"" gn2-secrets "/gn2-secrets.py\"\n"
 				"GN3_LOCAL_URL=\""
 				(string-append "http://localhost:"
 					       (number->string gn3-port))
 				"\"\n"
 				"GN_SERVER_URL=\"https://cd.genenetwork.org/api3/\"\n"
 				"AUTH_SERVER_URL=\"https://auth-cd.genenetwork.org/\"\n"
-				"SQL_URI=\"mysql://webqtlout:webqtlout@localhost/db_webqtl\"\n"))
+				"SQL_URI=\"mysql://webqtlout:webqtlout@localhost/db_webqtl\"\n"
+                                "SSL_PRIVATE_KEY=\"" gn2-secrets "/gn2-ssl-private-key.pem\"\n"
+                                "AUTH_SERVER_SSL_PUBLIC_KEY=\"" gn2-secrets "/gn-auth-ssl-public-key.pem\"\n"))
 
             ;; Start genenetwork2.
             (with-directory-excursion "genenetwork2"
@@ -566,8 +568,10 @@ server described by CONFIG, a <genenetwork-configuration> object."
               ;; Configure gn-auth.
               (setenv "GN_AUTH_CONF"
                       #$(mixed-text-file "gn-auth.conf"
-					 "AUTH_DB=\"" auth-db-path "\"\n"))
-	      (setenv "GN_AUTH_SECRETS" #$gn-auth-secrets)
+					 "AUTH_DB=\"" auth-db-path "\"\n"
+                                         "GN_AUTH_SECRETS=\"" gn-auth-secrets "/gn-auth-secrets.py\"\n"
+                                         "CLIENTS_SSL_PUBLIC_KEYS_DIR=\"" gn-auth-secrets "/clients-public-keys\"\n"
+                                         "SSL_PRIVATE_KEY=\"" gn-auth-secrets "/gn-auth-ssl-private-key.pem\"\n"))
               (setenv "HOME" "/tmp")
 	      (setenv "AUTHLIB_INSECURE_TRANSPORT" "true")
               ;; Run gn-auth.
@@ -582,7 +586,7 @@ server described by CONFIG, a <genenetwork-configuration> object."
   "Return shepherd services to run the genenetwork development server
 described by CONFIG, a <genenetwork-configuration> object."
   (match-record config <genenetwork-configuration>
-    (gn2-port gn3-port gn-auth-port genotype-files data-directory xapian-db-path auth-db-path)
+    (gn2-port gn3-port gn-auth-port genotype-files data-directory xapian-db-path gn2-secrets auth-db-path gn-auth-secrets)
     (list (shepherd-service
            (documentation "Run GeneNetwork 2 development server.")
            (provision '(genenetwork2))
@@ -604,7 +608,7 @@ described by CONFIG, a <genenetwork-configuration> object."
                                                 (target source)
                                                 (writable? #t))
 					       (file-system-mapping
-                                                (source "/etc/genenetwork/conf/gn2")
+                                                (source gn2-secrets)
                                                 (target source)
                                                 (writable? #t)))
                               #:namespaces (delq 'net %namespaces))
@@ -673,7 +677,7 @@ described by CONFIG, a <genenetwork-configuration> object."
                                                 (target source)
                                                 (writable? #t))
 					       (file-system-mapping
-                                                (source "/etc/genenetwork/conf/gn-auth")
+                                                (source gn-auth-secrets)
                                                 (target source)
                                                 (writable? #t)))
                               #:namespaces (delq 'net %namespaces))
@@ -697,7 +701,7 @@ described by CONFIG, a <genenetwork-configuration> object."
 
 (define (genenetwork-activation config)
   (match-record config <genenetwork-configuration>
-    (gn2-secrets gn3-secrets auth-db-path)
+    (gn2-secrets gn3-secrets auth-db-path gn-auth-secrets)
     (with-imported-modules '((guix build utils))
       #~(begin
           (use-modules (guix build utils))
@@ -707,15 +711,21 @@ described by CONFIG, a <genenetwork-configuration> object."
                       (chown file
                              (passwd:uid (getpw "genenetwork"))
                              (passwd:gid (getpw "genenetwork"))))
-                    (cons* #$gn2-secrets
-                           #$gn3-secrets
-                           (find-files #$(dirname auth-db-path)
-                                       #:directories? #t)))
+                    (cons* #$gn3-secrets
+                           (append (find-files #$gn2-secrets
+                                               #:directories? #t)
+                                   (find-files #$(dirname auth-db-path)
+                                               #:directories? #t)
+                                   (find-files #$gn-auth-secrets
+                                               #:directories? #t))))
           ;; Prevent other users from reading secret files.
           (for-each (lambda (file)
                       (chmod file #o600))
-                    (list #$gn2-secrets
-                          #$gn3-secrets))))))
+                    (append (list #$gn3-secrets)
+                            (find-files #$gn2-secrets
+                                        #:directories? #f)
+                            (find-files #$gn-auth-secrets
+                                        #:directories? #f)))))))
 
 (define genenetwork-service-type
   (service-type
@@ -1170,9 +1180,9 @@ gn-auth."
                              (gn2-port %genenetwork2-port)
                              (gn3-port %genenetwork3-port)
 			     (gn-auth-port %gn-auth-port)
-                             (gn2-secrets "/etc/genenetwork/conf/gn2/secrets.py")
+                             (gn2-secrets "/etc/genenetwork/conf/gn2")
                              (gn3-secrets "/etc/genenetwork/conf/gn3/secrets.py")
-                             (gn-auth-secrets "/etc/genenetwork/conf/gn-auth/secrets.py")
+                             (gn-auth-secrets "/etc/genenetwork/conf/gn-auth")
                              (genotype-files "/export/data/genenetwork/genotype_files")
                              (sparql-endpoint (string-append "http://localhost:"
                                                              (number->string %virtuoso-sparql-port)
-- 
cgit v1.2.3