author | aszlig <aszlig@redmoonstudios.org> | 2017-02-17 19:03:49 +0100 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2017-02-17 19:45:55 +0100 |
commit | 78fe00da7c2d6c4e5746558f366e1c8fbf97fb47 (patch) | |
tree | 45de61ba7e23b9354ae8dd2e8221af0cb3441486 /nixos/modules/services/misc/taskserver | |
parent | 32c2e8f4aeea5a35302b450ed4233dd1af6b22c8 (diff) | |
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI handling, but it also is very useful if you have an existing CA. One of the main advantages is that you don't need to specify the data directory anymore and the right permissions are handled as well. Another advantage is that we now have a uniform management tool for both automatic and manual config, so the documentation in the NixOS manual now applies to the manual PKI config as well. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver')
-rw-r--r-- | nixos/modules/services/misc/taskserver/default.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/doc.xml | 6 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/helper-tool.py | 41 |
3 files changed, 32 insertions, 19 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index d28c5dc7af85..88331a56fb0b 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -154,9 +154,8 @@ let
 certtool = "${pkgs.gnutls.bin}/bin/certtool";
- nixos-taskserver = pkgs.pythonPackages.buildPythonPackage {
+ nixos-taskserver = pkgs.pythonPackages.buildPythonApplication {
 name = "nixos-taskserver";
- namePrefix = "";
 src = pkgs.runCommand "nixos-taskserver-src" {} ''
 mkdir -p "$out"
@@ -167,6 +166,7 @@ let
 certBits = cfg.pki.auto.bits;
 clientExpiration = cfg.pki.auto.expiration.client;
 crlExpiration = cfg.pki.auto.expiration.crl;
+ isAutoConfig = if needToCreateCA then "True" else "False";
 }}" > "$out/main.py"
 cat > "$out/setup.py" <<EOF
 from setuptools import setup
diff --git a/nixos/modules/services/misc/taskserver/doc.xml b/nixos/modules/services/misc/taskserver/doc.xml
index 48591129264a..6d4d2a9b488c 100644
--- a/nixos/modules/services/misc/taskserver/doc.xml
+++ b/nixos/modules/services/misc/taskserver/doc.xml
@@ -136,9 +136,9 @@ $ ssh server nixos-taskserver user export my-company alice | sh
 <para>
 If you set any options within
- <option>service.taskserver.pki.manual.*</option>, the automatic user and
- CA management by the <command>nixos-taskserver</command> is disabled and
- you need to create certificates and keys by yourself.
+ <option>service.taskserver.pki.manual.*</option>,
+ <command>nixos-taskserver</command> won't issue certificates, but you can
+ still use it for adding or removing user accounts.
 </para>
 </section>
 </chapter>
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index 9c662ef047c1..b97bc1df74f7 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
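Review bot: The new `isAutoConfig` binding is spliced verbatim into helper-tool.py at `@isAutoConfig@` and read there as Python source, so this Nix expression is the only thing keeping that substitution a plain boolean literal; the line should say so, because a later edit that routes a free-form option through the same `@…@` mechanism would change the meaning of the substitution. Suggested comment above the new line: `# Substituted into helper-tool.py as Python source; keep it to the literals "True"/"False".` `needToCreateCA` is bound outside this hunk, so whether it is false for every manual-PKI configuration is not visible here; the commit message states that is the intent. The enclosing `let` block starts and ends outside the hunk.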
@@ -13,6 +13,7 @@ from tempfile import NamedTemporaryFile
 import click
+IS_AUTO_CONFIG = @isAutoConfig@ # NOQA
 CERTTOOL_COMMAND = "@certtool@"
 CERT_BITS = "@certBits@"
 CLIENT_EXPIRATION = "@clientExpiration@"
@@ -149,6 +150,12 @@ def create_template(contents):
 def generate_key(org, user):
+ if not IS_AUTO_CONFIG:
+ msg = "Automatic PKI handling is disabled, you need to " \ "manually issue a client certificate for user {}.\n"
+ sys.stderr.write(msg.format(user))
+ return
+
 basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
 if os.path.exists(basedir):
 raise OSError("Keyfile directory for {} already exists.".format(user))
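Review bot: `generate_key` now returns without error when `IS_AUTO_CONFIG` is false, so whatever adds a user in manual mode reports success while the only trace of the skipped key issuance is one line on stderr; that is what the commit intends, but callers live outside this hunk and the function has no docstring saying that it is a no-op in that mode. Suggested first lines of a docstring: `"""Create the client key and certificate for *user* in *org*.` / `With manually managed PKI this only prints a notice to stderr and returns."""`. The early return writes to `sys.stderr`, and the imports visible in the first hunk show only `NamedTemporaryFile` and `click`, so confirm that `sys` is imported elsewhere in the file. The body of `generate_key` continues past the end of the hunk.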
@@ -243,26 +250,32 @@ class User(object):
 self.key = key
 def export(self):
- pubcert = getkey(self.__org, self.name, "public.cert")
- privkey = getkey(self.__org, self.name, "private.key")
- cacert = getkey("ca.cert")
-
- keydir = "${TASKDATA:-$HOME/.task}/keys"
-
 credentials = '/'.join([self.__org, self.name, self.key])
 allow_unquoted = string.ascii_letters + string.digits + "/-_."
 if not all((c in allow_unquoted) for c in credentials):
 credentials = "'" + credentials.replace("'", r"'\''") + "'"
- script = [
- "umask 0077",
- 'mkdir -p "{}"'.format(keydir),
- mktaskkey("certificate", os.path.join(keydir, "public.cert"),
- pubcert),
- mktaskkey("key", os.path.join(keydir, "private.key"), privkey),
- mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert),
+ script = []
+
+ if IS_AUTO_CONFIG:
+ pubcert = getkey(self.__org, self.name, "public.cert")
+ privkey = getkey(self.__org, self.name, "private.key")
+ cacert = getkey("ca.cert")
+
+ keydir = "${TASKDATA:-$HOME/.task}/keys"
+
+ script += [
+ "umask 0077",
+ 'mkdir -p "{}"'.format(keydir),
+ mktaskkey("certificate", os.path.join(keydir, "public.cert"),
+ pubcert),
+ mktaskkey("key", os.path.join(keydir, "private.key"), privkey),
+ mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert)
+ ]
+
+ script.append(
 "task config taskd.credentials -- {}".format(credentials)
- ]
+ )
 return "\n".join(script) + "\n"
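Review bot: In manual mode the exported script now consists of the single `task config taskd.credentials -- …` line, and the documented usage in doc.xml pipes that output straight into `sh`, so a client ends up with credentials but none of the certificate, key and CA settings that `mktaskkey` presumably emits in the automatic branch, and nothing in the output tells the operator those are still missing. An `else:` branch that appends a shell comment keeps the script self-describing, e.g. `script.append("# PKI is managed manually: configure the client certificate, key and CA yourself")`. The quoting of `credentials` via `allow_unquoted` is unchanged and still covers both branches, which is right because the `taskd.credentials` line carries the user key either way. `export` is a method of `class User`, whose definition starts outside the hunk.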