Web service

How to set up the web service

  1. Install web service:

    yay -S ahriman-web
    
  2. Configure service:

    [web]
    port = 8080
    
  3. Start the web service:

    systemctl enable --now ahriman-web

How to enable basic authorization

  1. Install dependencies 😊:

    yay -S --asdeps python-aiohttp-security python-aiohttp-session python-cryptography
    
  2. Configure the service to enable authorization:

    [auth]
    target = configuration
    salt = somerandomstring
    

    The ${auth:salt} parameter is optional, but recommended, and can be set to any (random) string.

  3. To let application instances report to the web service, the recommended way is to use unix sockets with the following configuration (note that it requires the python-requests-unixsocket2 package to be installed):

    [web]
    unix_socket = /run/ahriman/ahriman-web.sock
    

    This socket path must be accessible to the web service instance and to all application instances (e.g. if you are using a docker container - see above - you need to make sure that the socket is passed to the root filesystem).

    The unix socket variable is set automatically if the --web-unix-socket argument is supplied to the service-setup subcommand.

    Alternatively, you need to create a user for the service:

    sudo -u ahriman ahriman user-add -r full api
    

    This command will ask for the password; type it on stdin. Do not leave the field blank, otherwise the user will not be able to authorize. Finally, configure the application:

    [status]
    username = api
    password = pa55w0rd
    
  4. Create end-user with password:

    sudo -u ahriman ahriman user-add -r full my-first-user
    
  5. Restart the web service:

    systemctl restart ahriman-web

Using PAM authentication

It is also possible to allow system users to log in. To do so, the following configuration has to be set:

[auth]
target = pam
full_access_group = wheel

With this setup, every user (except root) will be able to log in using their system password. If a user belongs to the wheel group, full access will be granted automatically. It is also possible to manually add or block a user, or change user rights, via the usual user management process.

How to enable OAuth authorization

  1. Create an OAuth web application and download its ${auth:client_id} and ${auth:client_secret}.

  2. Guess what? Install dependencies:

    yay -S --asdeps python-aiohttp-security python-aiohttp-session python-cryptography python-aioauth-client
    
  3. Configure the service:

    [auth]
    target = oauth
    client_id = ...
    client_secret = ...
    
    [web]
    address = https://example.com
    

    Configure ${auth:oauth_provider} and ${auth:oauth_scopes} if you would like to use a provider other than Google. The scope must grant access to the user's email. ${web:address} is required to make the callback URL available from the internet.

  4. If you are not going to use a unix socket, you also need to create a service user (remember to set the ${auth:salt} option beforehand if required):

    sudo -u ahriman ahriman user-add --as-service -r full api
    
  5. Create end-user:

    sudo -u ahriman ahriman user-add -r full my-first-user
    

    When it asks for the password, leave it blank.

  6. Restart the web service:

    systemctl restart ahriman-web
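
A pre-deployment check for the authorization settings described above, as an added example that is not part of the original page or of ahriman itself: it reads the INI text and reports sample values left in place, missing OAuth keys, and reporting credentials used where the recommended unix socket is absent. The names audit, SAMPLE_VALUES and REQUIRED_FOR_OAUTH are hypothetical, and the rules only encode what this page states.

```python
import configparser

# Values from the documentation samples on this page; they must be replaced before use.
SAMPLE_VALUES = {"somerandomstring", "pa55w0rd", "..."}
REQUIRED_FOR_OAUTH = (("auth", "client_id"), ("auth", "client_secret"), ("web", "address"))


def audit(text: str) -> list[str]:
    """Return findings for an ahriman-style INI configuration passed as text."""
    config = configparser.ConfigParser(interpolation=None)
    config.read_string(text)
    def get(section: str, key: str) -> str:
        return config.get(section, key, fallback="").strip()

    target = get("auth", "target")
    if target not in ("configuration", "pam", "oauth"):
        return [f"auth.target={target!r}: expected configuration, pam or oauth"]
    findings = []
    if target == "configuration" and not get("auth", "salt"):
        findings.append("auth.salt is not set (optional, but recommended)")
    if target == "oauth":
        for section, key in REQUIRED_FOR_OAUTH:
            if not get(section, key):
                findings.append(f"{section}.{key} is required for oauth")
    # Reporting from application instances: unix socket (recommended) or service user.
    if not get("web", "unix_socket"):
        if get("status", "username") and get("status", "password"):
            findings.append("status.password is kept in plain text; prefer web.unix_socket")
        else:
            findings.append("no web.unix_socket and no [status] credentials for reporting")
    for section in config.sections():
        for key, value in config.items(section):
            if value.strip() in SAMPLE_VALUES:
                findings.append(f"{section}.{key} still holds a documentation sample value")
    return findings


# Constructed input: the basic-authorization snippets from this page, unchanged.
SAMPLE = """
[auth]
target = configuration
salt = somerandomstring
[status]
username = api
password = pa55w0rd
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```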

How to implement own interface

You can write your own interface by using the API provided by the web service. Full autogenerated API documentation is available at http://localhost:8080/api-docs.