better oauth secret management

flake.nix

@@ -63,7 +63,6 @@
               public_domain = "public-hydra.local";
               extra_args = ["--dev"];
               settings = {
-                dev = true;
                 urls.self = {
                   issuer = "http://127.0.0.1:8082";
                   public = "http://127.0.0.1:8082";

lenticular_cloud/config_development.toml

@@ -23,6 +23,7 @@ HYDRA_PUBLIC_URL = 'http://127.0.0.1:8082'
 SUBJECT_PREFIX = 'something random'
 
 OAUTH_ID = 'identiy_provider'
+OAUTH_SECRET = 'thisIsNotSecure'
 
 
 [LENTICULAR_CLOUD_SERVICES.jabber]

lenticular_cloud/hydra.py

@@ -23,7 +23,7 @@ class HydraService:
         self.set_hydra_client(Client(base_url=app.config['HYDRA_ADMIN_URL']))
 
         client_name = app.config['OAUTH_ID']
-        client_secret = token_hex(16)
+        client_secret = app.config['OAUTH_SECRET']
 
         clients = list_o_auth_2_clients.sync_detailed(_client=self.hydra_client).parsed
         if clients is None:
@@ -48,12 +48,12 @@ class HydraService:
             )
             ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
             if ret is None:
-                raise RuntimeError("could not crate account")
+                raise RuntimeError("could not create account")
         else:
             client.client_secret = client_secret
             ret = set_o_auth_2_client.sync(id=client.client_id, json_body=client, _client=self.hydra_client)
             if ret is None:
-                raise RuntimeError("could not crate account")
+                raise RuntimeError("could not update account")
         if type(client.client_id) is not str:
             raise RuntimeError("could not parse client_id from ory-hydra")
         self.client_id = client.client_id

module.nix

@@ -4,6 +4,7 @@ let
   python = pkgs.python3;
   format = pkgs.formats.json {};
   types = lib.types;
+  config_oauth_secret = "${cfg.settings.DATA_FOLDER}/lenticular_oauth_secret.toml";
 in
 {
   options = with lib.options; {
@@ -130,16 +131,19 @@ in
 
       environment = let
         python_path = with python.pkgs; makePythonPath [ pkgs.lenticular-cloud gevent setuptools ];
+        config_file = format.generate "lenticular-cloud.json" cfg.settings;
       in {
         # CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
-        CONFIG_FILE = format.generate "lenticular-cloud.json" cfg.settings;
+        CONFIG_FILE = "${config_file}:${config_oauth_secret}";
         PYTHONPATH = "${python_path}";
         # PYTHONPATH =  "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}";
       };
       preStart = ''
-        #cat > ${cfg.settings.DATA_FOLDER}/foobar.conf <<EOF
+        if [[ ! -e "${config_oauth_secret}" ]]; then
-        #SECRET_KEY=""
+          SECRET_KEY=`${pkgs.openssl}/bin/openssl rand --hex 16`
-        #EOF
+          echo 'OAUTH_SECRET="$${SECRET_KEY}"' > ${config_oauth_secret}
+          echo "oauth secreted generated"
+        fi
         ${pkgs.lenticular-cloud}/bin/lenticular_cloud-cli db_upgrade
       '';
 
@@ -148,7 +152,7 @@ in
         WorkingDirectory = cfg.settings.DATA_FOLDER;
         User = cfg.username;
         ExecStart = ''${python.pkgs.gunicorn}/bin/gunicorn lenticular_cloud.wsgi --name lenticular_cloud \
-              --workers 1 --log-level=info \
+              --workers 2 --log-level=info \
               --bind=unix:/run/${cfg.username}/web.sock \
               -k gevent'';
         Restart = "on-failure";