taskserver: Allow helper tool in manual config

The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have a uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

aszlig 78fe00da 32c2e8f4

+32 -19
+2 -2
nixos/modules/services/misc/taskserver/default.nix
··· 154 154 155 155 certtool = "${pkgs.gnutls.bin}/bin/certtool"; 156 156 157 - nixos-taskserver = pkgs.pythonPackages.buildPythonPackage { 157 + nixos-taskserver = pkgs.pythonPackages.buildPythonApplication { 158 158 name = "nixos-taskserver"; 159 - namePrefix = ""; 160 159 161 160 src = pkgs.runCommand "nixos-taskserver-src" {} '' 162 161 mkdir -p "$out" ··· 167 166 certBits = cfg.pki.auto.bits; 168 167 clientExpiration = cfg.pki.auto.expiration.client; 169 168 crlExpiration = cfg.pki.auto.expiration.crl; 169 + isAutoConfig = if needToCreateCA then "True" else "False"; 170 170 }}" > "$out/main.py" 171 171 cat > "$out/setup.py" <<EOF 172 172 from setuptools import setup
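Review bot: The new `isAutoConfig` attribute derives the helper tool's whole auto/manual mode from `needToCreateCA`, which is defined outside this hunk, so the substituted Python literal silently inherits whatever that predicate means today; if it ever starts depending on filesystem state (e.g. an existing CA file) rather than purely on `pki.manual.*` being set, the tool would flip between issuing and not issuing certificates across rebuilds. A one-line comment pinning the intended contract would prevent that drift, e.g. `# True iff no pki.manual.* option is set, i.e. the module owns the CA and issues client certs`. Since the value is spliced in as a bare Python expression rather than a quoted string, it is also worth keeping the `"True"`/`"False"` spelling exact — any other value breaks `main.py` at import time.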
+3 -3
nixos/modules/services/misc/taskserver/doc.xml
··· 136 136 137 137 <para> 138 138 If you set any options within 139 - <option>service.taskserver.pki.manual.*</option>, the automatic user and 140 - CA management by the <command>nixos-taskserver</command> is disabled and 141 - you need to create certificates and keys by yourself. 139 + <option>service.taskserver.pki.manual.*</option>, 140 + <command>nixos-taskserver</command> won't issue certificates, but you can 141 + still use it for adding or removing user accounts. 142 142 </para> 143 143 </section> 144 144 </chapter>
+27 -14
nixos/modules/services/misc/taskserver/helper-tool.py
··· 13 13 14 14 import click 15 15 16 + IS_AUTO_CONFIG = @isAutoConfig@ # NOQA 16 17 CERTTOOL_COMMAND = "@certtool@" 17 18 CERT_BITS = "@certBits@" 18 19 CLIENT_EXPIRATION = "@clientExpiration@" ··· 149 150 150 151 151 152 def generate_key(org, user): 153 + if not IS_AUTO_CONFIG: 154 + msg = "Automatic PKI handling is disabled, you need to " \ 155 + "manually issue a client certificate for user {}.\n" 156 + sys.stderr.write(msg.format(user)) 157 + return 158 + 152 159 basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user) 153 160 if os.path.exists(basedir): 154 161 raise OSError("Keyfile directory for {} already exists.".format(user)) ··· 243 250 self.key = key 244 251 245 252 def export(self): 246 - pubcert = getkey(self.__org, self.name, "public.cert") 247 - privkey = getkey(self.__org, self.name, "private.key") 248 - cacert = getkey("ca.cert") 249 - 250 - keydir = "${TASKDATA:-$HOME/.task}/keys" 251 - 252 253 credentials = '/'.join([self.__org, self.name, self.key]) 253 254 allow_unquoted = string.ascii_letters + string.digits + "/-_." 
254 255 if not all((c in allow_unquoted) for c in credentials): 255 256 credentials = "'" + credentials.replace("'", r"'\''") + "'" 256 257 257 - script = [ 258 - "umask 0077", 259 - 'mkdir -p "{}"'.format(keydir), 260 - mktaskkey("certificate", os.path.join(keydir, "public.cert"), 261 - pubcert), 262 - mktaskkey("key", os.path.join(keydir, "private.key"), privkey), 263 - mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert), 258 + script = [] 259 + 260 + if IS_AUTO_CONFIG: 261 + pubcert = getkey(self.__org, self.name, "public.cert") 262 + privkey = getkey(self.__org, self.name, "private.key") 263 + cacert = getkey("ca.cert") 264 + 265 + keydir = "${TASKDATA:-$HOME/.task}/keys" 266 + 267 + script += [ 268 + "umask 0077", 269 + 'mkdir -p "{}"'.format(keydir), 270 + mktaskkey("certificate", os.path.join(keydir, "public.cert"), 271 + pubcert), 272 + mktaskkey("key", os.path.join(keydir, "private.key"), privkey), 273 + mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert) 274 + ] 275 + 276 + script.append( 264 277 "task config taskd.credentials -- {}".format(credentials) 265 - ] 278 + ) 266 279 267 280 return "\n".join(script) + "\n" 268 281
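Review bot: In the rewritten `export()`, when `IS_AUTO_CONFIG` is false the emitted script only runs `task config taskd.credentials -- ...` and says nothing about `taskd.certificate`, `taskd.key` and `taskd.ca`, so a user of the manual PKI config gets a script that looks complete but leaves the client without a trust anchor or client certificate; an `else:` branch appending a comment line such as `script.append("# Automatic PKI handling is disabled: configure taskd.certificate, taskd.key and taskd.ca manually")` would make the gap visible in the output itself. Similarly, the early return added to `generate_key()` only writes to stderr and returns `None`, so if the calling command still exits 0 (the caller is outside this hunk) a scripted `user add` will not notice that no client certificate was issued; consider returning a distinct value or letting the caller exit non-zero in that case. The warning also relies on `sys` being imported earlier in the file, which this hunk does not show — worth confirming.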