From 4694b99dd0ce0a1de0360e8008290a88f919ae23 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 22 Apr 2024 14:41:40 +0300
Subject: Set up SSL keys for CI/CD for gn2 and gn-auth

---
 genenetwork-development.scm | 48 +++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/genenetwork-development.scm b/genenetwork-development.scm
index f770f97..a624819 100644
--- a/genenetwork-development.scm
+++ b/genenetwork-development.scm
@@ -126,11 +126,11 @@ be imported into G-expressions."
 (gn-auth-port genenetwork-configuration-gn-auth-port (default 8084))
 (gn2-secrets genenetwork-configuration-gn2-secrets
- (default "/etc/genenetwork/gn2-secrets.py"))
+ (default "/etc/genenetwork"))
 (gn3-secrets genenetwork-configuration-gn3-secrets
 (default "/etc/genenetwork/gn3-secrets.py"))
 (gn-auth-secrets genenetwork-configuration-gn-auth-secrets
- (default "/etc/genenetwork/gn-auth-secrets.py"))
+ (default "/etc/genenetwork"))
 (genotype-files genenetwork-configuration-genotype-files
 (default "/var/genenetwork/genotype-files"))
 (sparql-endpoint genenetwork-configuration-sparql-endpoint
@@ -477,15 +477,17 @@ server described by CONFIG, a object."
 (setenv "GN2_SETTINGS"
- #$(mixed-text-file "gn2-staging.conf"
- "GN2_SECRETS=\"" gn2-secrets "\"\n"
+ #$(mixed-text-file "gn2.conf"
+ "GN2_SECRETS=\"" gn2-secrets "/gn2-secrets.py\"\n"
 "GN3_LOCAL_URL=\"" (string-append "http://localhost:" (number->string gn3-port)) "\"\n"
 "GN_SERVER_URL=\"https://cd.genenetwork.org/api3/\"\n"
 "AUTH_SERVER_URL=\"https://auth-cd.genenetwork.org/\"\n"
- "SQL_URI=\"mysql://webqtlout:webqtlout@localhost/db_webqtl\"\n"))
+ "SQL_URI=\"mysql://webqtlout:webqtlout@localhost/db_webqtl\"\n"
+ "SSL_PRIVATE_KEY=\"" gn2-secrets "/gn2-ssl-private-key.pem\"\n"
+ "AUTH_SERVER_SSL_PUBLIC_KEY=\"" gn2-secrets "/gn-auth-ssl-public-key.pem\"\n"))
 ;; Start genenetwork2.
 (with-directory-excursion "genenetwork2"
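Review bot: The new defaults for `gn2-secrets` and `gn-auth-secrets` both name the shared parent `/etc/genenetwork`, while `gn3-secrets` still defaults to a file inside that same directory, and the activation code in the hunk at 707 chowns and chmods `#o600` every regular file it finds under both directories; with these defaults that sweep covers everything beneath `/etc/genenetwork`, not just the gn2 and gn-auth key material, and walks the same tree twice. Defaults that point at separate per-service directories, as the CD deployment in the hunk at 1170 does with `/etc/genenetwork/conf/gn2` and `/etc/genenetwork/conf/gn-auth`, would keep the permission sweep scoped to files the services actually own. The two fields also silently change meaning from a secrets file to a directory without the accessor names saying so; a comment on each field such as `;; Directory holding gn2-secrets.py and the gn2 SSL key material; every file in it is chmod 600 at activation.` would make the contract visible to anyone instantiating the record.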
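Review bot: `AUTH_SERVER_SSL_PUBLIC_KEY` points gn2 at a copy of the gn-auth public key kept inside the gn2 secrets directory, but nothing in this commit provisions that copy or ties it to the `gn-auth-ssl-private-key.pem` configured for gn-auth in the hunk at 566, so the two can drift apart when the gn-auth key is rotated; activation only adjusts ownership and mode of whatever files already exist. A comment above the new `SSL_PRIVATE_KEY` line stating the operator contract, e.g. `;; gn2-ssl-private-key.pem and the gn-auth public key are placed in gn2-secrets by the operator; activation only fixes owner and mode, it does not provision or verify them.`, would make that explicit. The enclosing procedure starts and ends outside the hunk.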
@@ -566,8 +568,10 @@ server described by CONFIG, a object."
 ;; Configure gn-auth.
 (setenv "GN_AUTH_CONF"
 #$(mixed-text-file "gn-auth.conf"
- "AUTH_DB=\"" auth-db-path "\"\n"))
- (setenv "GN_AUTH_SECRETS" #$gn-auth-secrets)
+ "AUTH_DB=\"" auth-db-path "\"\n"
+ "GN_AUTH_SECRETS=\"" gn-auth-secrets "/gn-auth-secrets.py\"\n"
+ "CLIENTS_SSL_PUBLIC_KEYS_DIR=\"" gn-auth-secrets "/clients-public-keys\"\n"
+ "SSL_PRIVATE_KEY=\"" gn-auth-secrets "/gn-auth-ssl-private-key.pem\"\n"))
 (setenv "HOME" "/tmp")
 (setenv "AUTHLIB_INSECURE_TRANSPORT" "true")
 ;; Run gn-auth.
@@ -582,7 +586,7 @@ server described by CONFIG, a object."
 "Return shepherd services to run the genenetwork development
 server described by CONFIG, a object."
 (match-record config
- (gn2-port gn3-port gn-auth-port genotype-files data-directory xapian-db-path auth-db-path)
+ (gn2-port gn3-port gn-auth-port genotype-files data-directory xapian-db-path gn2-secrets auth-db-path gn-auth-secrets)
 (list (shepherd-service
 (documentation "Run GeneNetwork 2 development server.")
 (provision '(genenetwork2))
@@ -604,7 +608,7 @@ described by CONFIG, a object."
 (target source)
 (writable? #t))
 (file-system-mapping
- (source "/etc/genenetwork/conf/gn2")
+ (source gn2-secrets)
 (target source)
 (writable? #t)))
 #:namespaces (delq 'net %namespaces))
@@ -673,7 +677,7 @@ described by CONFIG, a object."
 (target source)
 (writable? #t))
 (file-system-mapping
- (source "/etc/genenetwork/conf/gn-auth")
+ (source gn-auth-secrets)
 (target source)
 (writable? #t)))
 #:namespaces (delq 'net %namespaces))
@@ -697,7 +701,7 @@ described by CONFIG, a object."
 (define (genenetwork-activation config)
 (match-record config
- (gn2-secrets gn3-secrets auth-db-path)
+ (gn2-secrets gn3-secrets auth-db-path gn-auth-secrets)
 (with-imported-modules '((guix build utils))
 #~(begin
 (use-modules (guix build utils))
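Review bot: `CLIENTS_SSL_PUBLIC_KEYS_DIR` names a `clients-public-keys` subdirectory that nothing in this commit creates; the activation hunk at 707 only walks the gn-auth secrets tree to chown and chmod what already exists, so on a fresh host the directory is absent until an operator adds it by hand. If gn-auth expects that directory to exist at start-up, which I cannot confirm from here, activation could run `(mkdir-p #$(string-append gn-auth-secrets "/clients-public-keys"))` before the ownership pass so a missing directory is not a deploy-time surprise. `GN_AUTH_SECRETS` also moves from an environment variable into the conf file, which is worth confirming against the gn-auth side of the contract. The enclosing procedure starts and ends outside the hunk.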
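Review bot: `(source gn2-secrets)` maps the directory that now holds `gn2-ssl-private-key.pem` and the trusted gn-auth public key into the gn2 container with `(writable? #t)`, and the hunk at 673 does the same for `gn-auth-secrets`, so a compromised server process could overwrite its own private key or the public key it uses to verify its peer. Unless gn2 and gn-auth actually write into these directories at run time, which I cannot tell from here, the two mappings should be read-only, i.e. drop the `(writable? #t)` field or set `(writable? #f)`, keeping the key material immutable from inside the container. The surrounding shepherd-service definitions start and end outside the hunk.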
@@ -707,15 +711,21 @@ described by CONFIG, a object."
 (chown file
 (passwd:uid (getpw "genenetwork"))
 (passwd:gid (getpw "genenetwork"))))
- (cons* #$gn2-secrets
- #$gn3-secrets
- (find-files #$(dirname auth-db-path)
- #:directories? #t)))
+ (cons* #$gn3-secrets
+ (append (find-files #$gn2-secrets
+ #:directories? #t)
+ (find-files #$(dirname auth-db-path)
+ #:directories? #t)
+ (find-files #$gn-auth-secrets
+ #:directories? #t))))
 ;; Prevent other users from reading secret files.
 (for-each (lambda (file)
 (chmod file #o600))
- (list #$gn2-secrets
- #$gn3-secrets))))))
+ (append (list #$gn3-secrets)
+ (find-files #$gn2-secrets
+ #:directories? #f)
+ (find-files #$gn-auth-secrets
+ #:directories? #f)))))))

 (define genenetwork-service-type
 (service-type
@@ -1170,9 +1180,9 @@ gn-auth."
 (gn2-port %genenetwork2-port)
 (gn3-port %genenetwork3-port)
 (gn-auth-port %gn-auth-port)
- (gn2-secrets "/etc/genenetwork/conf/gn2/secrets.py")
+ (gn2-secrets "/etc/genenetwork/conf/gn2")
 (gn3-secrets "/etc/genenetwork/conf/gn3/secrets.py")
- (gn-auth-secrets "/etc/genenetwork/conf/gn-auth/secrets.py")
+ (gn-auth-secrets "/etc/genenetwork/conf/gn-auth")
 (genotype-files "/export/data/genenetwork/genotype_files")
 (sparql-endpoint (string-append "http://localhost:" (number->string %virtuoso-sparql-port)
-- 
cgit v1.2.3
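Review bot: The `chmod` pass only covers regular files (`#:directories? #f`), so the directories that now contain private keys, including the `clients-public-keys` subtree configured for gn-auth, keep whatever mode they were created with and may remain listable by other local users, even though the `chown` pass just above does descend into them with `#:directories? #t`. Tightening directories as well, e.g. running the chmod over the `#:directories? #t` listing with `(lambda (file) (chmod file (if (eq? 'directory (stat:type (stat file))) #o700 #o600)))`, keeps the whole key tree private to the genenetwork user. Note also that when `gn2-secrets` and `gn-auth-secrets` name the same directory, as the record defaults in the hunk at 126 do, both walks are applied to that tree twice, which is harmless but wasteful. The `genenetwork-activation` procedure starts outside the hunk.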