From 3d811fa7fda1d6f05c184350b3b77841f95293dc Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Tue, 13 May 2025 13:56:11 +0200
Subject: [PATCH] refactor: structured config for STATIC_ROOT
---
 default.nix | 1 +
 nix/web-security-tracker.nix | 14 ++++++++++----
 src/website/tracker/settings.py | 5 +++++
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/default.nix b/default.nix
index 6e0834dd..bd4c8adc 100644
--- a/default.nix
+++ b/default.nix
@@ -137,6 +137,7 @@ rec {
 GH_ISSUES_REPO = "sectracker-testing";
 GH_SECURITY_TEAM = "setracker-testing-security";
 GH_COMMITTERS_TEAM = "sectracker-testing-committers";
+ STATIC_ROOT = "${toString ./src/website/static}";
 };
 };
diff --git a/nix/web-security-tracker.nix b/nix/web-security-tracker.nix
index 65ee7252..f1a9b809 100644
--- a/nix/web-security-tracker.nix
+++ b/nix/web-security-tracker.nix
@@ -108,9 +108,16 @@ in
 type = types.nullOr types.str;
 default = null;
 };
- env = mkOption {
+ env = mkOption rec {
+ description = ''
+ Django configuration via environment variables, see `settings.py` for options.
+ '';
 type = types.attrsOf types.anything;
- default = { };
+ default = {
+ STATIC_ROOT = "/var/lib/web-security-tracker/static/"; # trailing slash is required!
+ };
+ # only override defaults with explicit values
+ apply = lib.recursiveUpdate default;
 };
 settings = mkOption {
 type = types.attrsOf types.anything;
@@ -152,7 +159,6 @@ in
 services = {
 # TODO(@fricklerhandwerk): move all configuration over to pydantic-settings
 web-security-tracker.settings = {
- STATIC_ROOT = mkDefault "/var/lib/web-security-tracker/static";
 DEBUG = mkDefault false;
 ALLOWED_HOSTS = mkDefault [
 (with cfg; if production then domain else "*")
@@ -174,7 +180,7 @@ in
 {
 locations = {
 "/".proxyPass = "http://localhost:${toString cfg.wsgi-port}";
- "/static/".alias = "/var/lib/web-security-tracker/static/";
+ "/static/".alias = cfg.env.STATIC_ROOT;
 };
 }
 // lib.optionalAttrs cfg.production {
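Review bot: In the last hunk of nix/web-security-tracker.nix, `"/static/".alias = cfg.env.STATIC_ROOT;` feeds a value from an option typed `types.attrsOf types.anything` straight into the nginx `alias`, and the only guard for the required trailing slash is the comment on the new default in the `env` hunk. An override without the slash would make nginx join the directory and the requested file name without a separator. Whatever directory an override names is also served to every client under `/static/`, so it should contain nothing but collected static files. I would normalise at the point of use, `"/static/".alias = "${lib.removeSuffix "/" (toString cfg.env.STATIC_ROOT)}/";`, and state in the option `description` that this directory is readable over HTTP. The enclosing `locations` attrset and the `env` option both sit in blocks that start and end outside their hunks.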
diff --git a/src/website/tracker/settings.py b/src/website/tracker/settings.py
index 6b9c76d2..909df086 100644
--- a/src/website/tracker/settings.py
+++ b/src/website/tracker/settings.py
@@ -38,6 +38,11 @@ class Settings(BaseSettings):
 class DjangoSettings(BaseModel):
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG: bool = False
+ STATIC_ROOT: Path = Field(
+ description="""
+ Writeable directory for compilimg static files, such as stylesheets, when running `manage collectstatic`.
+ """
+ )
 SYNC_GITHUB_STATE_AT_STARTUP: bool = Field(
 description="""
 Connect to GitHub when the service is started and update
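Review bot: The added `STATIC_ROOT: Path = Field(...)` has no default, so `DjangoSettings` presumably fails validation whenever the variable is not supplied. Both Nix entry points in this patch set it, but any other way of launching the app would have to as well, and the description should say the field is required. The description could also note that the web server publishes this directory, for example by adding `Required. Served publicly under /static/, so it must not contain anything but collected static files.` It also has a typo, `compilimg` for `compiling`. The `DjangoSettings` class body continues outside the hunk.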