OIDC Support for Peering Manager

Hi, I’m trying to implement the peering-manager options to configure OIDC, which requires the Python module mozilla-django-oidc (see github.com/NixOS/nixpkgs/pull/278982).

For some reason, openssl is not being installed on the system, even though it should be added by josepy / pyopenssl, which results in the following runtime error:

...
  File "/nix/store/2x272drmdsldbzqb7p1qhm0k3g13ybgn-python3.11-mozilla-django-oidc-2.0.0/lib/python3.11/site-packages/mozilla_django_oidc/middleware.py", line 12, in <module>
    from mozilla_django_oidc.auth import OIDCAuthenticationBackend
  File "/nix/store/2x272drmdsldbzqb7p1qhm0k3g13ybgn-python3.11-mozilla-django-oidc-2.0.0/lib/python3.11/site-packages/mozilla_django_oidc/auth.py", line 15, in <module>
    from josepy.b64 import b64decode
  File "/nix/store/bb2ah9gvjpv7fdn4hdacfvigh9j1vmc7-python3.11-josepy-1.13.0/lib/python3.11/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/nix/store/bb2ah9gvjpv7fdn4hdacfvigh9j1vmc7-python3.11-josepy-1.13.0/lib/python3.11/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
ModuleNotFoundError: No module named 'OpenSSL'

I’m new to NixOS, so I’m not sure what to look out for. Can someone give me a tip?

Hi. I recently tried to solve a similar problem with authentik and found a solution, but I’m not sure that it is a good one.
According to the peering-manager service in NixOS, it is launched with gunicorn, and I believe that OpenSSL is required by gunicorn itself (or by its environment) and is not prepared properly, or its PYTHONPATH is overridden in the launch command with the --pythonpath argument.

This is an example of how I solved this problem in my authentik setup.

  config = lib.mkIf config.services.authentik.enable {
    nixpkgs.overlays = [ (import ./overlay.nix) ];
    systemd.services.authentik = let
      # One Python environment that holds the application, gunicorn and
      # pyopenssl, so "from OpenSSL import crypto" resolves at runtime.
      djangoEnv = pkgs.python3.withPackages (ps: with ps; [
        pkgs.authentik-django
        gunicorn
        pyopenssl
      ]);
      pkg = pkgs.authentik-django;
    in {
      script = "${cfg.package}/bin/authentik";
      path = [ djangoEnv ]; # adds binaries from djangoEnv to the service's PATH
      environment = {
        # site-packages of the combined environment, visible to whatever the
        # authentik binary launches (gunicorn) even if it passes --pythonpath
        PYTHONPATH = "${djangoEnv}/${djangoEnv.sitePackages}";
        AUTHENTIK_POSTGRESQL__NAME = cfg.pgDbName;
        AUTHENTIK_POSTGRESQL__HOST = cfg.pgHost;
        AUTHENTIK_POSTGRESQL__USER = cfg.pgUser;
        # Note: builtins.readFile runs at evaluation time, so these secrets are
        # copied into the world-readable Nix store; a runtime mechanism such as
        # EnvironmentFile or LoadCredential keeps them out of the store.
        AUTHENTIK_POSTGRESQL__PASSWORD = builtins.readFile cfg.pgPassFile;
        AUTHENTIK_SECRET_KEY = builtins.readFile cfg.secretKeyFile;
      };
      serviceConfig = {
        Restart = "on-failure";
        RestartSec = "5s";
      };
    };
  };

At least this configuration solves the openssl import problem. So probably “pyopenssl does not propagate properly from josepy” has nothing to do with your problem either.

And sorry for my bad English.

For additional context, the authentik binary launches gunicorn, so we just provide the correct environment, and I don’t have a gunicorn binary in the service script.
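The same pattern applied to the peering-manager unit, as an added example that is not part of either post above and not the nixpkgs module's own code. It assumes the module's systemd unit is named `peering-manager`, that the OIDC package is available as `python3Packages.mozilla-django-oidc` (the store path in the traceback suggests it is already built), and that the module does not itself set `PYTHONPATH`; verify the unit name and its current environment with `systemctl cat peering-manager` before relying on this.

```nix
# Added example: extend the Python environment of the peering-manager service
# so that the gunicorn it launches can import OpenSSL (pulled in by josepy).
# Assumptions: unit name "peering-manager"; ps.mozilla-django-oidc exists.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.peering-manager;

  # One Python environment holding gunicorn plus the module whose absence
  # produced "ModuleNotFoundError: No module named 'OpenSSL'". josepy is
  # listed explicitly so its own dependency chain is in the same environment.
  pyEnv = pkgs.python3.withPackages (ps: with ps; [
    gunicorn
    pyopenssl
    josepy
    mozilla-django-oidc   # assumption: provided by nixpkgs PR 278982 or an overlay
  ]);
in
{
  config = lib.mkIf cfg.enable {
    systemd.services.peering-manager = {
      # Put pyEnv's binaries (gunicorn) ahead of whatever the module adds,
      # so the interpreter that starts is the one that knows about pyenv.
      path = lib.mkBefore [ pyEnv ];

      # Make the combined site-packages importable. gunicorn's --pythonpath
      # only appends to sys.path, so this directory stays visible as well.
      # If the module already defines PYTHONPATH, this definition conflicts
      # and must be merged or wrapped in lib.mkForce.
      environment.PYTHONPATH = "${pyEnv}/${pyEnv.sitePackages}";
    };
  };
}
```

Secrets are deliberately absent from this fragment: the peering-manager module reads its secret key from a file at runtime, so nothing here needs `builtins.readFile`, which would copy the value into the world-readable Nix store. After a rebuild, `systemctl show peering-manager -p Environment` shows the effective `PYTHONPATH`, and `journalctl -u peering-manager` should no longer contain the `OpenSSL` import error.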