nixos/taskserver: Reorder into one mkMerge

No changes in functionality, just a restructuring of the module
definitions into one mkMerge, in which the mkIf for the CA
initialization service now sits at the top-level scope so we can better
abstract additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

aszlig 5be76d0b 5062bf1b

+123 -123
+123 -123
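--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -182,8 +182,6 @@
 propagatedBuildInputs = [ pkgs.pythonPackages.click ];
 };
 
-withMeta = meta: defs: mkMerge [ defs { inherit meta; } ];
-
 in {
 options = {
 services.taskserver = {
@@ -375,150 +373,152 @@
 };
 };
 
-config = withMeta {
-doc = ./taskserver.xml;
-} (mkIf cfg.enable {
+config = mkMerge [
+(mkIf cfg.enable {
+environment.systemPackages = [ pkgs.taskserver nixos-taskserver ];
 
-environment.systemPackages = [ pkgs.taskserver nixos-taskserver ];
+users.users = optional (cfg.user == "taskd") {
+name = "taskd";
+uid = config.ids.uids.taskd;
+description = "Taskserver user";
+group = cfg.group;
+};
 
-users.users = optional (cfg.user == "taskd") {
-name = "taskd";
-uid = config.ids.uids.taskd;
-description = "Taskserver user";
-group = cfg.group;
-};
+users.groups = optional (cfg.group == "taskd") {
+name = "taskd";
+gid = config.ids.gids.taskd;
+};
 
-users.groups = optional (cfg.group == "taskd") {
-name = "taskd";
-gid = config.ids.gids.taskd;
-};
+systemd.services.taskserver-init = {
+requiredBy = [ "taskserver.service" ];
+description = "Initialize Taskserver Data Directory";
 
-systemd.services.taskserver-ca = mkIf needToCreateCA {
-requiredBy = [ "taskserver.service" ];
-after = [ "taskserver-init.service" ];
-before = [ "taskserver.service" ];
-description = "Initialize CA for TaskServer";
-serviceConfig.Type = "oneshot";
-serviceConfig.UMask = "0077";
-
-script = ''
-silent_certtool() {
-if ! output="$("${certtool}" "$@" 2>&1)"; then
-echo "GNUTLS certtool invocation failed with output:" >&2
-echo "$output" >&2
-fi
-}
-
-mkdir -m 0700 -p "${cfg.dataDir}/keys"
-chown root:root "${cfg.dataDir}/keys"
+preStart = ''
+mkdir -m 0770 -p "${cfg.dataDir}"
+chown "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
+'';
 
-if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
-silent_certtool -p \
---bits ${toString cfg.pki.auto.bits} \
---outfile "${cfg.dataDir}/keys/ca.key"
-silent_certtool -s \
---template "${pkgs.writeText "taskserver-ca.template" ''
-cn = ${cfg.fqdn}
-expiration_days = ${toString cfg.pki.auto.expiration.ca}
-cert_signing_key
-ca
-''}" \
---load-privkey "${cfg.dataDir}/keys/ca.key" \
---outfile "${cfg.dataDir}/keys/ca.cert"
+script = ''
+${taskd} init
+echo "include ${configFile}" > "${cfg.dataDir}/config"
+touch "${cfg.dataDir}/.is_initialized"
+'';
 
-chgrp "${cfg.group}" "${cfg.dataDir}/keys/ca.cert"
-chmod g+r "${cfg.dataDir}/keys/ca.cert"
-fi
+environment.TASKDDATA = cfg.dataDir;
 
-if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
-silent_certtool -p \
---bits ${toString cfg.pki.auto.bits} \
---outfile "${cfg.dataDir}/keys/server.key"
+unitConfig.ConditionPathExists = "!${cfg.dataDir}/.is_initialized";
 
-silent_certtool -c \
---template "${pkgs.writeText "taskserver-cert.template" ''
-cn = ${cfg.fqdn}
-expiration_days = ${toString cfg.pki.auto.expiration.server}
-tls_www_server
-encryption_key
-signing_key
-''}" \
---load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
---load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
---load-privkey "${cfg.dataDir}/keys/server.key" \
---outfile "${cfg.dataDir}/keys/server.cert"
+serviceConfig.Type = "oneshot";
+serviceConfig.User = cfg.user;
+serviceConfig.Group = cfg.group;
+serviceConfig.PermissionsStartOnly = true;
+};
 
-chgrp "${cfg.group}" \
-"${cfg.dataDir}/keys/server.key" \
-"${cfg.dataDir}/keys/server.cert"
+systemd.services.taskserver = {
+description = "Taskwarrior Server";
 
-chmod g+r \
-"${cfg.dataDir}/keys/server.key" \
-"${cfg.dataDir}/keys/server.cert"
-fi
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
 
-if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
-silent_certtool --generate-crl \
---template "${pkgs.writeText "taskserver-crl.template" ''
-expiration_days = ${toString cfg.pki.auto.expiration.crl}
-''}" \
---load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
---load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
---outfile "${cfg.dataDir}/keys/server.crl"
+environment.TASKDDATA = cfg.dataDir;
 
-chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl"
-chmod g+r "${cfg.dataDir}/keys/server.crl"
-fi
+preStart = let
+jsonOrgs = builtins.toJSON cfg.organisations;
+jsonFile = pkgs.writeText "orgs.json" jsonOrgs;
+helperTool = "${nixos-taskserver}/bin/nixos-taskserver";
+in "${helperTool} process-json '${jsonFile}'";
 
-chmod go+x "${cfg.dataDir}/keys"
-'';
-};
+serviceConfig = {
+ExecStart = "@${taskd} taskd server";
+ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
+PermissionsStartOnly = true;
+User = cfg.user;
+Group = cfg.group;
+};
+};
+})
+(mkIf needToCreateCA {
+systemd.services.taskserver-ca = {
+requiredBy = [ "taskserver.service" ];
+after = [ "taskserver-init.service" ];
+before = [ "taskserver.service" ];
+description = "Initialize CA for TaskServer";
+serviceConfig.Type = "oneshot";
+serviceConfig.UMask = "0077";
 
-systemd.services.taskserver-init = {
-requiredBy = [ "taskserver.service" ];
-description = "Initialize Taskserver Data Directory";
+script = ''
+silent_certtool() {
+if ! output="$("${certtool}" "$@" 2>&1)"; then
+echo "GNUTLS certtool invocation failed with output:" >&2
+echo "$output" >&2
+fi
+}
 
-preStart = ''
-mkdir -m 0770 -p "${cfg.dataDir}"
-chown "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
-'';
+mkdir -m 0700 -p "${cfg.dataDir}/keys"
+chown root:root "${cfg.dataDir}/keys"
 
-script = ''
-${taskd} init
-echo "include ${configFile}" > "${cfg.dataDir}/config"
-touch "${cfg.dataDir}/.is_initialized"
-'';
+if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
+silent_certtool -p \
+--bits ${toString cfg.pki.auto.bits} \
+--outfile "${cfg.dataDir}/keys/ca.key"
+silent_certtool -s \
+--template "${pkgs.writeText "taskserver-ca.template" ''
+cn = ${cfg.fqdn}
+expiration_days = ${toString cfg.pki.auto.expiration.ca}
+cert_signing_key
+ca
+''}" \
+--load-privkey "${cfg.dataDir}/keys/ca.key" \
+--outfile "${cfg.dataDir}/keys/ca.cert"
 
-environment.TASKDDATA = cfg.dataDir;
+chgrp "${cfg.group}" "${cfg.dataDir}/keys/ca.cert"
+chmod g+r "${cfg.dataDir}/keys/ca.cert"
+fi
 
-unitConfig.ConditionPathExists = "!${cfg.dataDir}/.is_initialized";
+if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
+silent_certtool -p \
+--bits ${toString cfg.pki.auto.bits} \
+--outfile "${cfg.dataDir}/keys/server.key"
 
-serviceConfig.Type = "oneshot";
-serviceConfig.User = cfg.user;
-serviceConfig.Group = cfg.group;
-serviceConfig.PermissionsStartOnly = true;
-};
+silent_certtool -c \
+--template "${pkgs.writeText "taskserver-cert.template" ''
+cn = ${cfg.fqdn}
+expiration_days = ${toString cfg.pki.auto.expiration.server}
+tls_www_server
+encryption_key
+signing_key
+''}" \
+--load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
+--load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
+--load-privkey "${cfg.dataDir}/keys/server.key" \
+--outfile "${cfg.dataDir}/keys/server.cert"
 
-systemd.services.taskserver = {
-description = "Taskwarrior Server";
+chgrp "${cfg.group}" \
+"${cfg.dataDir}/keys/server.key" \
+"${cfg.dataDir}/keys/server.cert"
 
-wantedBy = [ "multi-user.target" ];
-after = [ "network.target" ];
+chmod g+r \
+"${cfg.dataDir}/keys/server.key" \
+"${cfg.dataDir}/keys/server.cert"
+fi
 
-environment.TASKDDATA = cfg.dataDir;
+if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
+silent_certtool --generate-crl \
+--template "${pkgs.writeText "taskserver-crl.template" ''
+expiration_days = ${toString cfg.pki.auto.expiration.crl}
+''}" \
+--load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
+--load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
+--outfile "${cfg.dataDir}/keys/server.crl"
 
-preStart = let
-jsonOrgs = builtins.toJSON cfg.organisations;
-jsonFile = pkgs.writeText "orgs.json" jsonOrgs;
-in "${nixos-taskserver}/bin/nixos-taskserver process-json '${jsonFile}'";
+chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl"
+chmod g+r "${cfg.dataDir}/keys/server.crl"
+fi
 
-serviceConfig = {
-ExecStart = "@${taskd} taskd server";
-ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
-PermissionsStartOnly = true;
-User = cfg.user;
-Group = cfg.group;
+chmod go+x "${cfg.dataDir}/keys"
+'';
 };
-};
-});
+})
+{ meta.doc = ./taskserver.xml; }
+];
 }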
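Review bot: The CA service is no longer gated on `cfg.enable`: on the old side `systemd.services.taskserver-ca = mkIf needToCreateCA { … }` sat inside `mkIf cfg.enable { … }`, while on the new side `(mkIf needToCreateCA { … })` is a sibling element of the mkMerge, so it is conditioned on `needToCreateCA` alone. The definition of `needToCreateCA` is outside this hunk; unless it already includes `cfg.enable`, a system with the service disabled could still get a root oneshot that generates a CA key and server key under `${cfg.dataDir}/keys`, which would contradict the "no changes in functionality" claim in the description. If that is not intended, gating it explicitly keeps the old semantics: `(mkIf (cfg.enable && needToCreateCA) {`. It would also be worth a short comment above that element stating why the CA block is kept separate from the main `cfg.enable` block, e.g. `# Kept separate so further CA/PKI options can hang off this mkIf.`, since the restructuring's motivation is otherwise only in the commit message.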