From 411c6f77a356700bcfe2a0035f8709d750d014f8 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@redmoonstudios.org>
Date: Tue, 5 Apr 2016 16:09:12 +0200
Subject: [PATCH] nixos/taskserver: Add trust option to config file

The server starts up without that option anyway, but it complains about
its value not being set. As we probably want to have access to that
configuration value anyway, let's expose this via the NixOS module as
well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
---
 nixos/modules/services/misc/taskserver.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/nixos/modules/services/misc/taskserver.nix b/nixos/modules/services/misc/taskserver.nix
index d3ab9c80e07..6d9cfdbfe4c 100644
--- a/nixos/modules/services/misc/taskserver.nix
+++ b/nixos/modules/services/misc/taskserver.nix
@@ -47,6 +47,7 @@ let
     ${mkConfLine "server.crl" cfg.server.crl}
 
     # certificates
+    ${mkConfLine "trust" cfg.server.trust}
     ${if needToCreateCA then ''
       ca.cert = ${cfg.dataDir}/keys/ca.cert
       server.cert = ${cfg.dataDir}/keys/server.cert
@@ -233,6 +234,19 @@ in {
             a configuration file reload before the next request is handled.
           '';
         };
+
+        trust = mkOption {
+          type = types.enum [ "allow all" "strict" ];
+          default = "strict";
+          description = ''
+            Determines how client certificates are validated.
+
+            The value <literal>allow all</literal> performs no client
+            certificate validation. This is not recommended. The value
+            <literal>strict</literal> causes the client certificate to be
+            validated against a CA.
+          '';
+        };
       };
     };
   };