authoraszlig <aszlig@redmoonstudios.org>2016-04-12 05:07:52 +0200
committeraszlig <aszlig@redmoonstudios.org>2016-04-12 05:07:52 +0200
commit5be76d0b552ae5222cc8748baef2138c7acd91d4 (patch)
tree59b75000486fdeb837e13c5fb6ff589e5bf23686 /nixos/modules/services/misc/taskserver/default.nix
parent5062bf1b841495f5aa69b76fae3054f75a169227 (diff)
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver/default.nix')
-rw-r--r--nixos/modules/services/misc/taskserver/default.nix264
1 files changed, 132 insertions, 132 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index c06287fe3b7e..520a9c2ee1e5 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -182,8 +182,6 @@ let
     propagatedBuildInputs = [ pkgs.pythonPackages.click ];
   };
 
-  withMeta = meta: defs: mkMerge [ defs { inherit meta; } ];
-
 in {
   options = {
     services.taskserver = {
@@ -375,150 +373,152 @@ in {
     };
   };
 
-  config = withMeta {
-    doc = ./taskserver.xml;
-  } (mkIf cfg.enable {
+  config = mkMerge [
+    (mkIf cfg.enable {
+      environment.systemPackages = [ pkgs.taskserver nixos-taskserver ];
 
-    environment.systemPackages = [ pkgs.taskserver nixos-taskserver ];
+      users.users = optional (cfg.user == "taskd") {
+        name = "taskd";
+        uid = config.ids.uids.taskd;
+        description = "Taskserver user";
+        group = cfg.group;
+      };
 
-    users.users = optional (cfg.user == "taskd") {
-      name = "taskd";
-      uid = config.ids.uids.taskd;
-      description = "Taskserver user";
-      group = cfg.group;
-    };
+      users.groups = optional (cfg.group == "taskd") {
+        name = "taskd";
+        gid = config.ids.gids.taskd;
+      };
 
-    users.groups = optional (cfg.group == "taskd") {
-      name = "taskd";
-      gid = config.ids.gids.taskd;
-    };
+      systemd.services.taskserver-init = {
+        requiredBy = [ "taskserver.service" ];
+        description = "Initialize Taskserver Data Directory";
 
-    systemd.services.taskserver-ca = mkIf needToCreateCA {
-      requiredBy = [ "taskserver.service" ];
-      after = [ "taskserver-init.service" ];
-      before = [ "taskserver.service" ];
-      description = "Initialize CA for TaskServer";
-      serviceConfig.Type = "oneshot";
-      serviceConfig.UMask = "0077";
-
-      script = ''
-        silent_certtool() {
-          if ! output="$("${certtool}" "$@" 2>&1)"; then
-            echo "GNUTLS certtool invocation failed with output:" >&2
-            echo "$output" >&2
-          fi
-        }
-
-        mkdir -m 0700 -p "${cfg.dataDir}/keys"
-        chown root:root "${cfg.dataDir}/keys"
-
-        if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
-          silent_certtool -p \
-            --bits ${toString cfg.pki.auto.bits} \
-            --outfile "${cfg.dataDir}/keys/ca.key"
-          silent_certtool -s \
-            --template "${pkgs.writeText "taskserver-ca.template" ''
-              cn = ${cfg.fqdn}
-              expiration_days = ${toString cfg.pki.auto.expiration.ca}
-              cert_signing_key
-              ca
-            ''}" \
-            --load-privkey "${cfg.dataDir}/keys/ca.key" \
-            --outfile "${cfg.dataDir}/keys/ca.cert"
-
-          chgrp "${cfg.group}" "${cfg.dataDir}/keys/ca.cert"
-          chmod g+r "${cfg.dataDir}/keys/ca.cert"
-        fi
-
-        if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
-          silent_certtool -p \
-            --bits ${toString cfg.pki.auto.bits} \
-            --outfile "${cfg.dataDir}/keys/server.key"
-
-          silent_certtool -c \
-            --template "${pkgs.writeText "taskserver-cert.template" ''
-              cn = ${cfg.fqdn}
-              expiration_days = ${toString cfg.pki.auto.expiration.server}
-              tls_www_server
-              encryption_key
-              signing_key
-            ''}" \
-            --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
-            --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
-            --load-privkey "${cfg.dataDir}/keys/server.key" \
-            --outfile "${cfg.dataDir}/keys/server.cert"
-
-          chgrp "${cfg.group}" \
-            "${cfg.dataDir}/keys/server.key" \
-            "${cfg.dataDir}/keys/server.cert"
-
-          chmod g+r \
-            "${cfg.dataDir}/keys/server.key" \
-            "${cfg.dataDir}/keys/server.cert"
-        fi
-
-        if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
-          silent_certtool --generate-crl \
-            --template "${pkgs.writeText "taskserver-crl.template" ''
-              expiration_days = ${toString cfg.pki.auto.expiration.crl}
-            ''}" \
-            --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
-            --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
-            --outfile "${cfg.dataDir}/keys/server.crl"
-
-          chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl"
-          chmod g+r "${cfg.dataDir}/keys/server.crl"
-        fi
-
-        chmod go+x "${cfg.dataDir}/keys"
-      '';
-    };
+        preStart = ''
+          mkdir -m 0770 -p "${cfg.dataDir}"
+          chown "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
+        '';
 
-    systemd.services.taskserver-init = {
-      requiredBy = [ "taskserver.service" ];
-      description = "Initialize Taskserver Data Directory";
+        script = ''
+          ${taskd} init
+          echo "include ${configFile}" > "${cfg.dataDir}/config"
+          touch "${cfg.dataDir}/.is_initialized"
+        '';
 
-      preStart = ''
-        mkdir -m 0770 -p "${cfg.dataDir}"
-        chown "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
-      '';
+        environment.TASKDDATA = cfg.dataDir;
 
-      script = ''
-        ${taskd} init
-        echo "include ${configFile}" > "${cfg.dataDir}/config"
-        touch "${cfg.dataDir}/.is_initialized"
-      '';
+        unitConfig.ConditionPathExists = "!${cfg.dataDir}/.is_initialized";
 
-      environment.TASKDDATA = cfg.dataDir;
+        serviceConfig.Type = "oneshot";
+        serviceConfig.User = cfg.user;
+        serviceConfig.Group = cfg.group;
+        serviceConfig.PermissionsStartOnly = true;
+      };
 
-      unitConfig.ConditionPathExists = "!${cfg.dataDir}/.is_initialized";
+      systemd.services.taskserver = {
+        description = "Taskwarrior Server";
 
-      serviceConfig.Type = "oneshot";
-      serviceConfig.User = cfg.user;
-      serviceConfig.Group = cfg.group;
-      serviceConfig.PermissionsStartOnly = true;
-    };
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
 
-    systemd.services.taskserver = {
-      description = "Taskwarrior Server";
+        environment.TASKDDATA = cfg.dataDir;
 
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+        preStart = let
+          jsonOrgs = builtins.toJSON cfg.organisations;
+          jsonFile = pkgs.writeText "orgs.json" jsonOrgs;
+          helperTool = "${nixos-taskserver}/bin/nixos-taskserver";
+        in "${helperTool} process-json '${jsonFile}'";
+
+        serviceConfig = {
+          ExecStart = "@${taskd} taskd server";
+          ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
+          PermissionsStartOnly = true;
+          User = cfg.user;
+          Group = cfg.group;
+        };
+      };
+    })
+    (mkIf needToCreateCA {
+      systemd.services.taskserver-ca = {
+        requiredBy = [ "taskserver.service" ];
+        after = [ "taskserver-init.service" ];
+        before = [ "taskserver.service" ];
+        description = "Initialize CA for TaskServer";
+        serviceConfig.Type = "oneshot";
+        serviceConfig.UMask = "0077";
+
+        script = ''
+          silent_certtool() {
+            if ! output="$("${certtool}" "$@" 2>&1)"; then
+              echo "GNUTLS certtool invocation failed with output:" >&2
+              echo "$output" >&2
+            fi
+          }
+
+          mkdir -m 0700 -p "${cfg.dataDir}/keys"
+          chown root:root "${cfg.dataDir}/keys"
+
+          if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
+            silent_certtool -p \
+              --bits ${toString cfg.pki.auto.bits} \
+              --outfile "${cfg.dataDir}/keys/ca.key"
+            silent_certtool -s \
+              --template "${pkgs.writeText "taskserver-ca.template" ''
+                cn = ${cfg.fqdn}
+                expiration_days = ${toString cfg.pki.auto.expiration.ca}
+                cert_signing_key
+                ca
+              ''}" \
+              --load-privkey "${cfg.dataDir}/keys/ca.key" \
+              --outfile "${cfg.dataDir}/keys/ca.cert"
+
+            chgrp "${cfg.group}" "${cfg.dataDir}/keys/ca.cert"
+            chmod g+r "${cfg.dataDir}/keys/ca.cert"
+          fi
 
-      environment.TASKDDATA = cfg.dataDir;
+          if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
+            silent_certtool -p \
+              --bits ${toString cfg.pki.auto.bits} \
+              --outfile "${cfg.dataDir}/keys/server.key"
+
+            silent_certtool -c \
+              --template "${pkgs.writeText "taskserver-cert.template" ''
+                cn = ${cfg.fqdn}
+                expiration_days = ${toString cfg.pki.auto.expiration.server}
+                tls_www_server
+                encryption_key
+                signing_key
+              ''}" \
+              --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
+              --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
+              --load-privkey "${cfg.dataDir}/keys/server.key" \
+              --outfile "${cfg.dataDir}/keys/server.cert"
+
+            chgrp "${cfg.group}" \
+              "${cfg.dataDir}/keys/server.key" \
+              "${cfg.dataDir}/keys/server.cert"
+
+            chmod g+r \
+              "${cfg.dataDir}/keys/server.key" \
+              "${cfg.dataDir}/keys/server.cert"
+          fi
 
-      preStart = let
-        jsonOrgs = builtins.toJSON cfg.organisations;
-        jsonFile = pkgs.writeText "orgs.json" jsonOrgs;
-      in "${nixos-taskserver}/bin/nixos-taskserver process-json '${jsonFile}'";
+          if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
+            silent_certtool --generate-crl \
+              --template "${pkgs.writeText "taskserver-crl.template" ''
+                expiration_days = ${toString cfg.pki.auto.expiration.crl}
+              ''}" \
+              --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
+              --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
+              --outfile "${cfg.dataDir}/keys/server.crl"
+
+            chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl"
+            chmod g+r "${cfg.dataDir}/keys/server.crl"
+          fi
 
-      serviceConfig = {
-        ExecStart = "@${taskd} taskd server";
-        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
-        PermissionsStartOnly = true;
-        User = cfg.user;
-        Group = cfg.group;
+          chmod go+x "${cfg.dataDir}/keys"
+        '';
       };
-    };
-  });
+    })
+    { meta.doc = ./taskserver.xml; }
+  ];
 }
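Review bot: The new `(mkIf needToCreateCA {` entry in the `mkMerge` list is no longer nested under `mkIf cfg.enable`, so unless `needToCreateCA` (defined outside this hunk) already implies `cfg.enable`, the `taskserver-ca` unit and its certificate templates are now defined even when the service is disabled. That would be a behaviour change despite the commit message, and it puts a CA key-generation unit on hosts that never enabled Taskserver; writing the guard as `(mkIf (cfg.enable && needToCreateCA) {` restores the previous condition. Separately, `silent_certtool` prints the certtool failure but does not return a non-zero status itself, so a failed key or certificate generation is not reported at the point where it happens. Adding `return 1` after the second `echo` in the `if !` branch would let the oneshot fail there instead of continuing with a partially created PKI.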