nixos/taskserver: Use nixos-taskdctl in preStart

Finally, this is where we declaratively set up our organisations and
users/groups, which looks like this in the system configuration:

services.taskserver.organisations.NixOS.users = [ "alice" "bob" ];

This automatically sets up "alice" and "bob" for the "NixOS"
organisation, generates the required client keys and signs it via the
CA.

However, we still need to use nixos-taskdctl export-user in order to
import these certificates on the client.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

nixos/modules/services/misc/taskserver.nix

@@ -719,8 +719,24 @@ in {
 
       environment.TASKDDATA = cfg.dataDir;
 
+      preStart = ''
+        ${concatStrings (mapAttrsToList (orgName: attrs: ''
+          ${ctlcmd} add-org ${mkShellStr orgName}
+
+          ${concatMapStrings (user: ''
+            echo Creating ${user} >&2
+            ${ctlcmd} add-user ${mkShellStr orgName} ${mkShellStr user}
+          '') attrs.users}
+
+          ${concatMapStrings (group: ''
+            ${ctlcmd} add-group ${mkShellStr orgName} ${mkShellStr user}
+          '') attrs.groups}
+        '') cfg.organisations)}
+      '';
+
       serviceConfig = {
         ExecStart = "@${taskd} taskd server";
+        PermissionsStartOnly = true;
         User = cfg.user;
         Group = cfg.group;
       };