szalotka: deploy pretix

*: make rebuild script use remote substitutes for faster builds
szalotka: pull mewp-nixos as a tarball to avoid spurious rebuilds
2025-02-09 17:08:54 +01:00 · 2025-02-09 17:08:39 +01:00 · 2025-02-09 17:08:24 +01:00
7 changed files with 164 additions and 3 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -17,6 +17,7 @@
      ./backups.nix
      ./site.nix
      ./dns.nix
+      ./pretix.nix
    ];

  boot.loader.systemd-boot.enable = true;
--- a/dns.nix
+++ b/dns.nix
@ -1,7 +1,7 @@
 { pkgs, config, ... }: let
-  mewp-nixos = builtins.fetchGit {
-    url = "https://gitlab.com/mewp/mewp-nixos";
-    rev = "7927ac83f90d82f894877ac1ede04a54ed4e6d24";
+  mewp-nixos = builtins.fetchTarball {
+    url = "https://gitlab.com/mewp/mewp-nixos/-/archive/7927ac83f90d82f894877ac1ede04a54ed4e6d24/mewp-nixos-7927ac83f90d82f894877ac1ede04a54ed4e6d24.tar.gz";
+    sha256 = "sha256:1qi0qfibcvs4fk5m842fkfd413bh7rhmx396223afhj9v6wb1fvn";
  };
 in {
  imports = [
--- a/pretix.nix
+++ b/pretix.nix
@ -0,0 +1,98 @@
+{ config, pkgs, lib, ...}:
+
+let
+  pretixOverrideAttrs = _oa: {
+    # The tests seem to fail when building on szalotka. Just, uh, ignore that.
+    doCheck = false;
+    patches = [
+      # Needed for pretix-ldap, otherwise because it imports settings twice we
+      # will end up with duplicate app labels and cause Django to freak out.
+      ./pretix/plugin-build.patch
+      # Fix up translations issues.
+      ./pretix/translations.patch
+    ];
+  };
+  pretix = (pkgs.pretix.overridePythonAttrs pretixOverrideAttrs) // {
+      # services.pretix attempts to .override the given package, but
+      # .overridePythonArgs actually removes that overridability :/
+      #
+      # This might fix it some day:
+      #  https://github.com/NixOS/nixpkgs/pull/267296
+      #
+      # The following is a terrible hack to allow the configuration to build.
+      override = args: (pkgs.pretix.override args).overridePythonAttrs pretixOverrideAttrs;
+  };
+
+in {
+  services.pretix = {
+    enable = true;
+    package = pretix;
+    plugins = with pretix.plugins; [
+      (pretix.python.pkgs.buildPythonPackage rec {
+        pname = "pretix-ldap";
+        version = "0.2.5";
+        src = pkgs.fetchFromGitHub {
+          owner = "Sohalt";
+          repo = "pretix-ldap";
+          rev = "v${version}";
+          hash = "sha256-+BD+rqLTjcpoNPiwZD4Z6+QhzGRiDbPJLPjSyisNLkw=";
+        };
+        patches = [
+          # authentik ldap compat, see
+          # https://github.com/Sohalt/pretix-ldap/pull/18. Also adds
+          # mailRoutingAddress to the used-but-not-typechecked fields.
+          ./pretix/ldap-attrs.patch ];
+
+        propagatedBuildInputs = with pretix.python.pkgs; [
+          ldap3
+        ];
+
+        build-system = with pretix.python.pkgs; [
+          pretix-plugin-build
+          setuptools
+
+          # for import check
+          pretix
+        ];
+
+        pythonImportsCheck = [
+          "pretix_ldap"
+        ];
+      })
+    ];
+    environmentFile = "/var/secrets/pretix";
+    settings = {
+      pretix = {
+        url = "https://tickets.cebula.camp";
+        instance_name = "tickets.cebula.camp";
+        auth_backends = "pretix_ldap.LDAPAuthBackend";
+      };
+      ldap = {
+        bind_url = "ldap://10.88.0.1:389";
+        bind_dn = "cn=ldap-access,ou=users,dc=cebula,dc=camp";
+        search_base = "ou=users,dc=cebula,dc=camp";
+        search_filter = "(&(memberOf=cn=orga-core,ou=groups,dc=cebula,dc=camp)(cn={username}))";
+        email_attr = "mailRoutingAddress";
+        # Seemingly nothing else works because of a bug in pretix-ldap (this
+        # value should be added to the list of fetched attrs, but is not, and
+        # dn is special cased).
+        unique_attr = "dn";
+      };
+      mail = {
+        host = "mail.orga.cebula.camp";
+        from = "pretix@cebula.camp";
+        user = "pretix";
+        ssl = true;
+        port = 465;
+      };
+    };
+    nginx = {
+      enable = true;
+      domain = "tickets.cebula.camp";
+    };
+  };
+  services.nginx.virtualHosts."tickets.cebula.camp" = {
+    forceSSL = true;
+    enableACME = true;
+  };
+}
--- a/pretix/ldap-attrs.patch
+++ b/pretix/ldap-attrs.patch
@ -0,0 +1,25 @@
+diff --git a/pretix_ldap/ldap_connector.py b/pretix_ldap/ldap_connector.py
+index aa0047b..3b974f8 100644
+--- a/pretix_ldap/ldap_connector.py
+++ b/pretix_ldap/ldap_connector.py
+@@ -1,5 +1,6 @@
+ from ldap3 import Server, Connection
+ from ldap3.utils.conv import escape_filter_chars
+from ldap3.utils.config import set_config_parameter, get_config_parameter
+ import re
+ import logging
+ from django import forms
+@@ -15,6 +16,12 @@ logger = logging.getLogger(__name__)
+ class LDAPAuthBackend(BaseAuthBackend):
+     def __init__(self):
+         try:
+            self.excluded_attributes = get_config_parameter("ATTRIBUTES_EXCLUDED_FROM_CHECK")
+            self.excluded_attributes.append("createTimestamp")
+            self.excluded_attributes.append("modifyTimestamp")
+            self.excluded_attributes.append("mailRoutingAddress")
+            set_config_parameter("ATTRIBUTES_EXCLUDED_FROM_CHECK", self.excluded_attributes)
+
+             self.config = config
+             self.server = Server(self.config.get("ldap", "bind_url"))
+             self.connection = Connection(
+
--- a/pretix/plugin-build.patch
+++ b/pretix/plugin-build.patch
@ -0,0 +1,22 @@
+diff --git a/src/pretix/_build_settings.py b/src/pretix/_build_settings.py
+index c03f56a1a..d1ea73b84 100644
+--- a/src/pretix/_build_settings.py
+++ b/src/pretix/_build_settings.py
+@@ -24,6 +24,8 @@
+ This file contains settings that we need at wheel require time. All settings that we only need at runtime are set
+ in settings.py.
+ """
+from importlib_metadata import entry_points
+
+ from ._base_settings import *  # NOQA
+ 
+ ENTROPY = {
+@@ -47,3 +49,6 @@ HAS_MEMCACHED = False
+ HAS_CELERY = False
+ HAS_GEOIP = False
+ SENTRY_ENABLED = False
+
+for entry_point in entry_points(group='pretix.plugin'):
+    module = entry_point.module
+    if module not in INSTALLED_APPS:
+        INSTALLED_APPS.append(entry_point.module) # noqa: F405
--- a/pretix/translations.patch
+++ b/pretix/translations.patch
@ -0,0 +1,14 @@
+diff --git a/src/pretix/locale/pl/LC_MESSAGES/django.po b/src/pretix/locale/pl/LC_MESSAGES/django.po
+index d142646df..673d64b5f 100644
+--- a/src/pretix/locale/pl/LC_MESSAGES/django.po
+++ b/src/pretix/locale/pl/LC_MESSAGES/django.po
+@@ -2224,7 +2224,7 @@ msgstr "Produkt"
+ #: pretix/presale/templates/pretixpresale/organizers/customer_membership.html:26
+ #: pretix/presale/templates/pretixpresale/organizers/customer_profile.html:133
+ msgid "Attendee name"
+-msgstr "Imię i nazwisko uczestnika"
+msgstr "Imię uczestnika"
+ 
+ #: pretix/base/exporters/orderlist.py:602 pretix/base/forms/questions.py:661
+ #: pretix/base/models/customers.py:307 pretix/base/models/orders.py:1508
+
--- a/1
+++ b/1
@ -6,6 +6,7 @@ if [ $(hostname -f) != "szalotka.cebula.camp" ]; then
    args="--build-host szalotka.cebula.camp"
    args="$args --target-host szalotka.cebula.camp"
    args="$args --use-remote-sudo"
+    args="$args --use-substitutes"
 fi

 nixos-rebuild \
Author	SHA1	Message	Date
q3k	6df10e744e	szalotka: deploy pretix	2025-02-09 17:08:54 +01:00
q3k	9c6f3bbe69	*: make rebuild script use remote substitutes for faster builds	2025-02-09 17:08:39 +01:00
q3k	25e0c3040e	szalotka: pull mewp-nixos as a tarball to avoid spurious rebuilds	2025-02-09 17:08:24 +01:00