234 lines
9.5 KiB
YAML
234 lines
9.5 KiB
YAML
# services/health/wger-admin-ensure-cronjob.yaml
|
|
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
name: wger-admin-ensure
|
|
namespace: health
|
|
labels:
|
|
atlas.bstein.dev/glue: "true"
|
|
spec:
|
|
schedule: "15 3 * * *"
|
|
suspend: true
|
|
concurrencyPolicy: Forbid
|
|
successfulJobsHistoryLimit: 1
|
|
failedJobsHistoryLimit: 3
|
|
jobTemplate:
|
|
spec:
|
|
backoffLimit: 1
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
vault.hashicorp.com/agent-pre-populate-only: "true"
|
|
vault.hashicorp.com/role: "health"
|
|
vault.hashicorp.com/agent-inject-secret-wger-env: "kv/data/atlas/health/wger-db"
|
|
vault.hashicorp.com/agent-inject-template-wger-env: |
|
|
{{ with secret "kv/data/atlas/health/wger-db" }}
|
|
export DJANGO_DB_HOST="{{ .Data.data.DJANGO_DB_HOST }}"
|
|
export DJANGO_DB_PORT="{{ .Data.data.DJANGO_DB_PORT }}"
|
|
export DJANGO_DB_DATABASE="{{ .Data.data.DJANGO_DB_DATABASE }}"
|
|
export DJANGO_DB_USER="{{ .Data.data.DJANGO_DB_USER }}"
|
|
export DJANGO_DB_PASSWORD="$(cat /vault/secrets/wger-db-password)"
|
|
{{ end }}
|
|
{{ with secret "kv/data/atlas/health/wger-secrets" }}
|
|
export SECRET_KEY="$(cat /vault/secrets/wger-secret-key)"
|
|
export SIGNING_KEY="$(cat /vault/secrets/wger-signing-key)"
|
|
{{ end }}
|
|
{{ with secret "kv/data/atlas/health/wger-admin" }}
|
|
export WGER_ADMIN_USERNAME="$(cat /vault/secrets/wger-admin-username)"
|
|
export WGER_ADMIN_PASSWORD="$(cat /vault/secrets/wger-admin-password)"
|
|
{{ end }}
|
|
vault.hashicorp.com/agent-inject-secret-wger-db-password: "kv/data/atlas/health/wger-db"
|
|
vault.hashicorp.com/agent-inject-template-wger-db-password: |
|
|
{{- with secret "kv/data/atlas/health/wger-db" -}}
|
|
{{ .Data.data.DJANGO_DB_PASSWORD }}
|
|
{{- end -}}
|
|
vault.hashicorp.com/agent-inject-secret-wger-secret-key: "kv/data/atlas/health/wger-secrets"
|
|
vault.hashicorp.com/agent-inject-template-wger-secret-key: |
|
|
{{- with secret "kv/data/atlas/health/wger-secrets" -}}
|
|
{{ .Data.data.SECRET_KEY }}
|
|
{{- end -}}
|
|
vault.hashicorp.com/agent-inject-secret-wger-signing-key: "kv/data/atlas/health/wger-secrets"
|
|
vault.hashicorp.com/agent-inject-template-wger-signing-key: |
|
|
{{- with secret "kv/data/atlas/health/wger-secrets" -}}
|
|
{{ .Data.data.SIGNING_KEY }}
|
|
{{- end -}}
|
|
vault.hashicorp.com/agent-inject-secret-wger-admin-username: "kv/data/atlas/health/wger-admin"
|
|
vault.hashicorp.com/agent-inject-template-wger-admin-username: |
|
|
{{- with secret "kv/data/atlas/health/wger-admin" -}}
|
|
{{ .Data.data.username }}
|
|
{{- end -}}
|
|
vault.hashicorp.com/agent-inject-secret-wger-admin-password: "kv/data/atlas/health/wger-admin"
|
|
vault.hashicorp.com/agent-inject-template-wger-admin-password: |
|
|
{{- with secret "kv/data/atlas/health/wger-admin" -}}
|
|
{{ .Data.data.password }}
|
|
{{- end -}}
|
|
spec:
|
|
serviceAccountName: health-vault-sync
|
|
restartPolicy: Never
|
|
affinity:
|
|
nodeAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 100
|
|
preference:
|
|
matchExpressions:
|
|
- key: hardware
|
|
operator: In
|
|
values: ["rpi5"]
|
|
- weight: 70
|
|
preference:
|
|
matchExpressions:
|
|
- key: hardware
|
|
operator: In
|
|
values: ["rpi4"]
|
|
nodeSelector:
|
|
kubernetes.io/arch: arm64
|
|
node-role.kubernetes.io/worker: "true"
|
|
containers:
|
|
- name: ensure
|
|
image: wger/server@sha256:710588b78af4e0aa0b4d8a8061e4563e16eae80eeaccfe7f9e0d9cbdd7f0cbc5
|
|
imagePullPolicy: IfNotPresent
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- |
|
|
set -eu
|
|
. /vault/secrets/wger-env
|
|
cat <<'PY' > /tmp/wger_user_sync.py
|
|
#!/usr/bin/env python3
|
|
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import sys
|
|
|
|
import django
|
|
|
|
|
|
def _env(name: str, default: str = "") -> str:
|
|
value = os.getenv(name, default)
|
|
return value.strip() if isinstance(value, str) else ""
|
|
|
|
|
|
def _setup_django() -> None:
|
|
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "settings.main")
|
|
django.setup()
|
|
|
|
|
|
def _set_default_gym(user) -> None:
|
|
try:
|
|
from wger.gym.models import GymConfig
|
|
except Exception:
|
|
return
|
|
|
|
try:
|
|
config = GymConfig.objects.first()
|
|
except Exception:
|
|
return
|
|
|
|
if not config or not getattr(config, "default_gym", None):
|
|
return
|
|
|
|
profile = getattr(user, "userprofile", None)
|
|
if not profile or getattr(profile, "gym", None):
|
|
return
|
|
|
|
profile.gym = config.default_gym
|
|
profile.save()
|
|
|
|
|
|
def _ensure_profile(user) -> None:
|
|
profile = getattr(user, "userprofile", None)
|
|
if not profile:
|
|
return
|
|
if hasattr(profile, "email_verified") and not profile.email_verified:
|
|
profile.email_verified = True
|
|
if hasattr(profile, "is_temporary") and profile.is_temporary:
|
|
profile.is_temporary = False
|
|
profile.save()
|
|
|
|
|
|
def _ensure_admin(username: str, password: str, email: str) -> None:
|
|
from django.contrib.auth.models import User
|
|
|
|
if not username or not password:
|
|
raise RuntimeError("admin username/password missing")
|
|
|
|
user, created = User.objects.get_or_create(username=username)
|
|
if created:
|
|
user.is_active = True
|
|
if not user.is_staff:
|
|
user.is_staff = True
|
|
if email:
|
|
user.email = email
|
|
user.set_password(password)
|
|
user.save()
|
|
|
|
_ensure_profile(user)
|
|
_set_default_gym(user)
|
|
print(f"ensured admin user {username}")
|
|
|
|
|
|
def _ensure_user(username: str, password: str, email: str) -> None:
|
|
from django.contrib.auth.models import User
|
|
|
|
if not username or not password:
|
|
raise RuntimeError("username/password missing")
|
|
|
|
user, created = User.objects.get_or_create(username=username)
|
|
if created:
|
|
user.is_active = True
|
|
if email and user.email != email:
|
|
user.email = email
|
|
user.set_password(password)
|
|
user.save()
|
|
|
|
_ensure_profile(user)
|
|
_set_default_gym(user)
|
|
action = "created" if created else "updated"
|
|
print(f"{action} user {username}")
|
|
|
|
|
|
def main() -> int:
|
|
admin_user = _env("WGER_ADMIN_USERNAME")
|
|
admin_password = _env("WGER_ADMIN_PASSWORD")
|
|
admin_email = _env("WGER_ADMIN_EMAIL")
|
|
|
|
username = _env("WGER_USERNAME") or _env("ONLY_USERNAME")
|
|
password = _env("WGER_PASSWORD")
|
|
email = _env("WGER_EMAIL")
|
|
|
|
if not any([admin_user and admin_password, username and password]):
|
|
print("no admin or user payload provided; exiting")
|
|
return 0
|
|
|
|
_setup_django()
|
|
|
|
if admin_user and admin_password:
|
|
_ensure_admin(admin_user, admin_password, admin_email)
|
|
|
|
if username and password:
|
|
_ensure_user(username, password, email)
|
|
|
|
return 0
|
|
|
|
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|
|
PY
|
|
exec python3 /tmp/wger_user_sync.py
|
|
env:
|
|
- name: SITE_URL
|
|
value: https://health.bstein.dev
|
|
- name: TIME_ZONE
|
|
value: Etc/UTC
|
|
- name: TZ
|
|
value: Etc/UTC
|
|
- name: DJANGO_DEBUG
|
|
value: "False"
|
|
- name: DJANGO_DB_ENGINE
|
|
value: django.db.backends.postgresql
|
|
- name: DJANGO_CACHE_BACKEND
|
|
value: django.core.cache.backends.locmem.LocMemCache
|
|
- name: DJANGO_CACHE_LOCATION
|
|
value: wger-cache
|