szalotka: deploy pretix

configuration.nix

@@ -17,6 +17,7 @@
       ./backups.nix
       ./site.nix
       ./dns.nix
+      ./pretix.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

pretix.nix

@@ -0,0 +1,98 @@
+{ config, pkgs, lib, ...}:
+
+let
+  pretixOverrideAttrs = _oa: {
+    # The tests seem to fail when building on szalotka. Just, uh, ignore that.
+    doCheck = false;
+    patches = [
+      # Needed for pretix-ldap, otherwise because it imports settings twice we
+      # will end up with duplicate app labels and cause Django to freak out.
+      ./pretix/plugin-build.patch
+      # Fix up translations issues.
+      ./pretix/translations.patch
+    ];
+  };
+  pretix = (pkgs.pretix.overridePythonAttrs pretixOverrideAttrs) // {
+      # services.pretix attempts to .override the given package, but
+      # .overridePythonArgs actually removes that overridability :/
+      #
+      # This might fix it some day:
+      #  https://github.com/NixOS/nixpkgs/pull/267296
+      #
+      # The following is a terrible hack to allow the configuration to build.
+      override = args: (pkgs.pretix.override args).overridePythonAttrs pretixOverrideAttrs;
+  };
+
+in {
+  services.pretix = {
+    enable = true;
+    package = pretix;
+    plugins = with pretix.plugins; [
+      (pretix.python.pkgs.buildPythonPackage rec {
+        pname = "pretix-ldap";
+        version = "0.2.5";
+        src = pkgs.fetchFromGitHub {
+          owner = "Sohalt";
+          repo = "pretix-ldap";
+          rev = "v${version}";
+          hash = "sha256-+BD+rqLTjcpoNPiwZD4Z6+QhzGRiDbPJLPjSyisNLkw=";
+        };
+        patches = [
+          # authentik ldap compat, see
+          # https://github.com/Sohalt/pretix-ldap/pull/18. Also adds
+          # mailRoutingAddress to the used-but-not-typechecked fields.
+          ./pretix/ldap-attrs.patch ];
+
+        propagatedBuildInputs = with pretix.python.pkgs; [
+          ldap3
+        ];
+
+        build-system = with pretix.python.pkgs; [
+          pretix-plugin-build
+          setuptools
+
+          # for import check
+          pretix
+        ];
+
+        pythonImportsCheck = [
+          "pretix_ldap"
+        ];
+      })
+    ];
+    environmentFile = "/var/secrets/pretix";
+    settings = {
+      pretix = {
+        url = "https://tickets.cebula.camp";
+        instance_name = "tickets.cebula.camp";
+        auth_backends = "pretix_ldap.LDAPAuthBackend";
+      };
+      ldap = {
+        bind_url = "ldap://10.88.0.1:389";
+        bind_dn = "cn=ldap-access,ou=users,dc=cebula,dc=camp";
+        search_base = "ou=users,dc=cebula,dc=camp";
+        search_filter = "(&(memberOf=cn=orga-core,ou=groups,dc=cebula,dc=camp)(cn={username}))";
+        email_attr = "mailRoutingAddress";
+        # Seemingly nothing else works because of a bug in pretix-ldap (this
+        # value should be added to the list of fetched attrs, but is not, and
+        # dn is special cased).
+        unique_attr = "dn";
+      };
+      mail = {
+        host = "mail.orga.cebula.camp";
+        from = "pretix@cebula.camp";
+        user = "pretix";
+        ssl = true;
+        port = 465;
+      };
+    };
+    nginx = {
+      enable = true;
+      domain = "tickets.cebula.camp";
+    };
+  };
+  services.nginx.virtualHosts."tickets.cebula.camp" = {
+    forceSSL = true;
+    enableACME = true;
+  };
+}

pretix/ldap-attrs.patch

@@ -0,0 +1,25 @@
+diff --git a/pretix_ldap/ldap_connector.py b/pretix_ldap/ldap_connector.py
+index aa0047b..3b974f8 100644
+--- a/pretix_ldap/ldap_connector.py
++++ b/pretix_ldap/ldap_connector.py
+@@ -1,5 +1,6 @@
+ from ldap3 import Server, Connection
+ from ldap3.utils.conv import escape_filter_chars
++from ldap3.utils.config import set_config_parameter, get_config_parameter
+ import re
+ import logging
+ from django import forms
+@@ -15,6 +16,12 @@ logger = logging.getLogger(__name__)
+ class LDAPAuthBackend(BaseAuthBackend):
+     def __init__(self):
+         try:
++            self.excluded_attributes = get_config_parameter("ATTRIBUTES_EXCLUDED_FROM_CHECK")
++            self.excluded_attributes.append("createTimestamp")
++            self.excluded_attributes.append("modifyTimestamp")
++            self.excluded_attributes.append("mailRoutingAddress")
++            set_config_parameter("ATTRIBUTES_EXCLUDED_FROM_CHECK", self.excluded_attributes)
++
+             self.config = config
+             self.server = Server(self.config.get("ldap", "bind_url"))
+             self.connection = Connection(
+

pretix/plugin-build.patch

@@ -0,0 +1,22 @@
+diff --git a/src/pretix/_build_settings.py b/src/pretix/_build_settings.py
+index c03f56a1a..d1ea73b84 100644
+--- a/src/pretix/_build_settings.py
++++ b/src/pretix/_build_settings.py
+@@ -24,6 +24,8 @@
+ This file contains settings that we need at wheel require time. All settings that we only need at runtime are set
+ in settings.py.
+ """
++from importlib_metadata import entry_points
++
+ from ._base_settings import *  # NOQA
+ 
+ ENTROPY = {
+@@ -47,3 +49,6 @@ HAS_MEMCACHED = False
+ HAS_CELERY = False
+ HAS_GEOIP = False
+ SENTRY_ENABLED = False
++
++for entry_point in entry_points(group='pretix.plugin'):
++    module = entry_point.module
++    if module not in INSTALLED_APPS:
++        INSTALLED_APPS.append(entry_point.module) # noqa: F405

pretix/translations.patch

@@ -0,0 +1,14 @@
+diff --git a/src/pretix/locale/pl/LC_MESSAGES/django.po b/src/pretix/locale/pl/LC_MESSAGES/django.po
+index d142646df..673d64b5f 100644
+--- a/src/pretix/locale/pl/LC_MESSAGES/django.po
++++ b/src/pretix/locale/pl/LC_MESSAGES/django.po
+@@ -2224,7 +2224,7 @@ msgstr "Produkt"
+ #: pretix/presale/templates/pretixpresale/organizers/customer_membership.html:26
+ #: pretix/presale/templates/pretixpresale/organizers/customer_profile.html:133
+ msgid "Attendee name"
+-msgstr "Imię i nazwisko uczestnika"
++msgstr "Imię uczestnika"
+ 
+ #: pretix/base/exporters/orderlist.py:602 pretix/base/forms/questions.py:661
+ #: pretix/base/models/customers.py:307 pretix/base/models/orders.py:1508
+