tsuki/pgadmin: misc

- The pgadmin config has grown, and as a result, it has been split from
    the postgres file.
- Setup OAuth
- Setup uWSGI and forward to nginx via socket
  (This last part is still a little borked, and the service is not
  functioning entirely just yet)

hosts/tsuki/configuration.nix

@@ -18,6 +18,7 @@
     ./services/minecraft
     ./services/nginx
     ./services/osuchan.nix
+    ./services/pgadmin.nix
     ./services/plex.nix
     ./services/postgres.nix
     ./services/vscode-server.nix

hosts/tsuki/services/nginx/default.nix

@@ -111,7 +111,19 @@
       (proxy ["log"] "http://localhost:${s ports.grafana}" {
         locations."/".proxyWebsockets = true;
       })
-      (proxy ["pg"] "http://localhost:${s ports.pgadmin}" {})
+      (host ["pg"] {
+        locations."/" = {
+        extraConfig = ''
+          include ${pkgs.nginx}/conf/uwsgi_params;
+          uwsgi_pass unix:${config.services.uwsgi.instance.vassals.pgadmin.socket};
+        '';
+        };
+      })
+      # (proxy ["pg"] "http://localhost:${s ports.pgadmin}" {
+      #   extraConfig = ''
+      #     proxy_set_header X-CSRF-Token $http_x_pga_csrftoken;
+      #   '';
+      # })
       (proxy ["py"] "http://localhost:${s ports.jupyterhub}" {
         locations."/".proxyWebsockets = true;
       })

hosts/tsuki/services/pgadmin.nix

@@ -0,0 +1,111 @@
+{ config, pkgs, lib, secrets, ... }: let
+  pgadmin-user = let
+    username = config.systemd.services.pgadmin.serviceConfig.User;
+  in config.users.users.${username};
+in {
+
+  sops.secrets = {
+    "pgadmin/oauth2_secret" = rec {
+      restartUnits = [ "pgadmin.service" ];
+      owner = pgadmin-user.name;
+      group = pgadmin-user.group;
+    };
+    "pgadmin/initialPassword" = rec {
+      restartUnits = [ "pgadmin.service" ];
+      owner = pgadmin-user.name;
+      group = pgadmin-user.group;
+    };
+  };
+
+  services.pgadmin = {
+    enable = true;
+    openFirewall = true;
+    initialEmail = "h7x4@nani.wtf";
+    initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
+    port = secrets.ports.pgadmin;
+    settings = let
+      authServerUrl = config.services.kanidm.serverSettings.origin;
+    in {
+      # FIXME: pgadmin does not work with NFS by default, because it uses
+      #        some kind of metafiles in its data directory.
+      # DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
+      DATA_DIR = "/var/lib/pgadmin";
+
+      WTF_CSRF_HEADERS = [
+        "X-pgA-CSRFToken"
+        "X-CSRFToken"
+        "X-CSRF-Token"
+      ];
+
+      PROXY_X_FOR_COUNT = 1;
+      PROXY_X_PROTO_COUNT = 1;
+      PROXY_X_HOST_COUNT = 1;
+      PROXY_X_PORT_COUNT = 1;
+      PROXY_X_PREFIX_COUNT = 1;
+
+      SESSION_COOKIE_HTTPONLY = false;
+      SESSION_COOKIE_SECURE = true;
+
+      AUTHENTICATION_SOURCES = [ "oauth2" ];
+      OAUTH2_AUTO_CREATE_USER = true;
+      OAUTH2_CONFIG = [ rec {
+        OAUTH2_NAME = "KaniDM";
+        OAUTH2_DISPLAY_NAME = "KaniDM";
+        OAUTH2_CLIENT_ID = "pgadmin";
+        OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
+        OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
+        OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
+        OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
+        OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
+        OAUTH2_SCOPE = "openid email profile";
+        OAUTH2_ICON = "fa-lock";
+        OAUTH2_BUTTON_COLOR = "#ff6600";
+      }];
+    };
+  };
+
+  environment.etc."pgadmin/config_system.py".text = let
+  in ''
+    with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
+      OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
+  '';
+
+  systemd.services."pgadmin".enable = false;
+
+  users = {
+    users."pgadmin".uid = 985;
+    groups = {
+      "pgadmin" = {
+        gid = 984;
+        members = [
+          "nginx"
+          "uwsgi"
+        ];
+      };
+      "uwsgi".members = [ pgadmin-user.name ];
+    };
+  };
+
+  services.uwsgi = {
+    enable = false;
+    plugins = [ "python3" ];
+    instance = {
+      type = "emperor";
+      pidfile = "${config.services.uwsgi.runDir}/uwsgi.pid";
+      stats = "${config.services.uwsgi.runDir}/stats.sock";
+      vassals."pgadmin" = rec {
+        type = "normal";
+        pythonPackages = _: with pkgs; ([ pgadmin4 ] ++ pgadmin4.propagatedBuildInputs);
+        strict = true;
+        immediate-uid = pgadmin-user.name;
+        immediate-gid = pgadmin-user.group;
+        lazy-apps = true;
+        enable-threads = true;
+        # chdir = "${pkgs.pgadmin4}/lib/python3.10/site-packages/pgadmin4";
+        module = "pgAdmin4:app";
+        socket = "/run/user/${toString pgadmin-user.uid}/pgadmin.sock";
+        chmod-socket = 664;
+      };
+    };
+  };
+}

hosts/tsuki/services/postgres.nix

@@ -14,56 +14,6 @@
     # settings = {};
   };
 
-  sops.secrets = {
-    "pgadmin/oauth2_secret" = rec {
-      restartUnits = [ "pgadmin.service" ];
-      owner = config.systemd.services.pgadmin.serviceConfig.User;
-      group = config.users.users.${owner}.group;
-    };
-    "pgadmin/initialPassword" = rec {
-      restartUnits = [ "pgadmin.service" ];
-      owner = config.systemd.services.pgadmin.serviceConfig.User;
-      group = config.users.users.${owner}.group;
-    };
-  };
-
-  services.pgadmin = {
-    enable = true;
-    openFirewall = true;
-    initialEmail = "h7x4@nani.wtf";
-    initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
-    port = secrets.ports.pgadmin;
-    settings = let
-      authServerUrl = config.services.kanidm.serverSettings.origin;
-    in {
-      # FIXME: pgadmin does not work with NFS by default, because it uses
-      #        some kind of metafiles in its data directory.
-      # DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
-      DATA_DIR = "/var/lib/pgadmin";
-      AUTHENTICATION_SOURCES = [ "oauth2" ];
-      OAUTH2_AUTO_CREATE_USER = true;
-      OAUTH2_CONFIG = [ rec {
-        OAUTH2_NAME = "KaniDM";
-        OAUTH2_DISPLAY_NAME = "KaniDM";
-        OAUTH2_CLIENT_ID = "pgadmin";
-        OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
-        OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
-        OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
-        OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
-        OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
-        OAUTH2_SCOPE = "openid email profile";
-        OAUTH2_ICON = "fa-lock";
-        OAUTH2_BUTTON_COLOR = "#ff6600";
-      }];
-    };
-  };
-
-  environment.etc."pgadmin/config_system.py".text = let
-  in ''
-    with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
-      OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
-  '';
-
   services.postgresqlBackup = {
     enable = true;
     location = "${config.machineVars.dataDrives.drives.backup}/postgres";