From 5be76d0b552ae5222cc8748baef2138c7acd91d4 Mon Sep 17 00:00:00 2001 From: aszlig Date: Tue, 12 Apr 2016 05:07:52 +0200 Subject: [PATCH] nixos/taskserver: Reorder into one mkMerge No changes in functionality but rather just restructuring the module definitions to be one mkMerge, which now uses mkIf from the top-level scope of the CA initialization service so we can better abstract additional options we might need there. Signed-off-by: aszlig --- .../services/misc/taskserver/default.nix | 292 +++++++++--------- 1 file changed, 146 insertions(+), 146 deletions(-) diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index c06287fe3b7..520a9c2ee1e 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -182,8 +182,6 @@ let propagatedBuildInputs = [ pkgs.pythonPackages.click ]; }; - withMeta = meta: defs: mkMerge [ defs { inherit meta; } ]; - in { options = { services.taskserver = { @@ -375,150 +373,152 @@ in { }; }; - config = withMeta { - doc = ./taskserver.xml; - } (mkIf cfg.enable { + config = mkMerge [ + (mkIf cfg.enable { + environment.systemPackages = [ pkgs.taskserver nixos-taskserver ]; - environment.systemPackages = [ pkgs.taskserver nixos-taskserver ]; - - users.users = optional (cfg.user == "taskd") { - name = "taskd"; - uid = config.ids.uids.taskd; - description = "Taskserver user"; - group = cfg.group; - }; - - users.groups = optional (cfg.group == "taskd") { - name = "taskd"; - gid = config.ids.gids.taskd; - }; - - systemd.services.taskserver-ca = mkIf needToCreateCA { - requiredBy = [ "taskserver.service" ]; - after = [ "taskserver-init.service" ]; - before = [ "taskserver.service" ]; - description = "Initialize CA for TaskServer"; - serviceConfig.Type = "oneshot"; - serviceConfig.UMask = "0077"; - - script = '' - silent_certtool() { - if ! output="$("${certtool}" "$@" 2>&1)"; then - echo "GNUTLS certtool invocation failed with output:" >&2 - echo "$output" >&2 - fi - } - - mkdir -m 0700 -p "${cfg.dataDir}/keys" - chown root:root "${cfg.dataDir}/keys" - - if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then - silent_certtool -p \ - --bits ${toString cfg.pki.auto.bits} \ - --outfile "${cfg.dataDir}/keys/ca.key" - silent_certtool -s \ - --template "${pkgs.writeText "taskserver-ca.template" '' - cn = ${cfg.fqdn} - expiration_days = ${toString cfg.pki.auto.expiration.ca} - cert_signing_key - ca - ''}" \ - --load-privkey "${cfg.dataDir}/keys/ca.key" \ - --outfile "${cfg.dataDir}/keys/ca.cert" - - chgrp "${cfg.group}" "${cfg.dataDir}/keys/ca.cert" - chmod g+r "${cfg.dataDir}/keys/ca.cert" - fi - - if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then - silent_certtool -p \ - --bits ${toString cfg.pki.auto.bits} \ - --outfile "${cfg.dataDir}/keys/server.key" - - silent_certtool -c \ - --template "${pkgs.writeText "taskserver-cert.template" '' - cn = ${cfg.fqdn} - expiration_days = ${toString cfg.pki.auto.expiration.server} - tls_www_server - encryption_key - signing_key - ''}" \ - --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \ - --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \ - --load-privkey "${cfg.dataDir}/keys/server.key" \ - --outfile "${cfg.dataDir}/keys/server.cert" - - chgrp "${cfg.group}" \ - "${cfg.dataDir}/keys/server.key" \ - "${cfg.dataDir}/keys/server.cert" - - chmod g+r \ - "${cfg.dataDir}/keys/server.key" \ - "${cfg.dataDir}/keys/server.cert" - fi - - if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then - silent_certtool --generate-crl \ - --template "${pkgs.writeText "taskserver-crl.template" '' - expiration_days = ${toString cfg.pki.auto.expiration.crl} - ''}" \ - --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \ - --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \ - --outfile "${cfg.dataDir}/keys/server.crl" - - chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl" - chmod g+r "${cfg.dataDir}/keys/server.crl" - fi - - chmod go+x "${cfg.dataDir}/keys" - ''; - }; - - systemd.services.taskserver-init = { - requiredBy = [ "taskserver.service" ]; - description = "Initialize Taskserver Data Directory"; - - preStart = '' - mkdir -m 0770 -p "${cfg.dataDir}" - chown "${cfg.user}:${cfg.group}" "${cfg.dataDir}" - ''; - - script = '' - ${taskd} init - echo "include ${configFile}" > "${cfg.dataDir}/config" - touch "${cfg.dataDir}/.is_initialized" - ''; - - environment.TASKDDATA = cfg.dataDir; - - unitConfig.ConditionPathExists = "!${cfg.dataDir}/.is_initialized"; - - serviceConfig.Type = "oneshot"; - serviceConfig.User = cfg.user; - serviceConfig.Group = cfg.group; - serviceConfig.PermissionsStartOnly = true; - }; - - systemd.services.taskserver = { - description = "Taskwarrior Server"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - environment.TASKDDATA = cfg.dataDir; - - preStart = let - jsonOrgs = builtins.toJSON cfg.organisations; - jsonFile = pkgs.writeText "orgs.json" jsonOrgs; - in "${nixos-taskserver}/bin/nixos-taskserver process-json '${jsonFile}'"; - - serviceConfig = { - ExecStart = "@${taskd} taskd server"; - ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; - PermissionsStartOnly = true; - User = cfg.user; - Group = cfg.group; + users.users = optional (cfg.user == "taskd") { + name = "taskd"; + uid = config.ids.uids.taskd; + description = "Taskserver user"; + group = cfg.group; }; - }; - }); + + users.groups = optional (cfg.group == "taskd") { + name = "taskd"; + gid = config.ids.gids.taskd; + }; + + systemd.services.taskserver-init = { + requiredBy = [ "taskserver.service" ]; + description = "Initialize Taskserver Data Directory"; + + preStart = '' + mkdir -m 0770 -p "${cfg.dataDir}" + chown "${cfg.user}:${cfg.group}" "${cfg.dataDir}" + ''; + + script = '' + ${taskd} init + echo "include ${configFile}" > "${cfg.dataDir}/config" + touch "${cfg.dataDir}/.is_initialized" + ''; + + environment.TASKDDATA = cfg.dataDir; + + unitConfig.ConditionPathExists = "!${cfg.dataDir}/.is_initialized"; + + serviceConfig.Type = "oneshot"; + serviceConfig.User = cfg.user; + serviceConfig.Group = cfg.group; + serviceConfig.PermissionsStartOnly = true; + }; + + systemd.services.taskserver = { + description = "Taskwarrior Server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment.TASKDDATA = cfg.dataDir; + + preStart = let + jsonOrgs = builtins.toJSON cfg.organisations; + jsonFile = pkgs.writeText "orgs.json" jsonOrgs; + helperTool = "${nixos-taskserver}/bin/nixos-taskserver"; + in "${helperTool} process-json '${jsonFile}'"; + + serviceConfig = { + ExecStart = "@${taskd} taskd server"; + ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; + PermissionsStartOnly = true; + User = cfg.user; + Group = cfg.group; + }; + }; + }) + (mkIf needToCreateCA { + systemd.services.taskserver-ca = { + requiredBy = [ "taskserver.service" ]; + after = [ "taskserver-init.service" ]; + before = [ "taskserver.service" ]; + description = "Initialize CA for TaskServer"; + serviceConfig.Type = "oneshot"; + serviceConfig.UMask = "0077"; + + script = '' + silent_certtool() { + if ! output="$("${certtool}" "$@" 2>&1)"; then + echo "GNUTLS certtool invocation failed with output:" >&2 + echo "$output" >&2 + fi + } + + mkdir -m 0700 -p "${cfg.dataDir}/keys" + chown root:root "${cfg.dataDir}/keys" + + if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then + silent_certtool -p \ + --bits ${toString cfg.pki.auto.bits} \ + --outfile "${cfg.dataDir}/keys/ca.key" + silent_certtool -s \ + --template "${pkgs.writeText "taskserver-ca.template" '' + cn = ${cfg.fqdn} + expiration_days = ${toString cfg.pki.auto.expiration.ca} + cert_signing_key + ca + ''}" \ + --load-privkey "${cfg.dataDir}/keys/ca.key" \ + --outfile "${cfg.dataDir}/keys/ca.cert" + + chgrp "${cfg.group}" "${cfg.dataDir}/keys/ca.cert" + chmod g+r "${cfg.dataDir}/keys/ca.cert" + fi + + if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then + silent_certtool -p \ + --bits ${toString cfg.pki.auto.bits} \ + --outfile "${cfg.dataDir}/keys/server.key" + + silent_certtool -c \ + --template "${pkgs.writeText "taskserver-cert.template" '' + cn = ${cfg.fqdn} + expiration_days = ${toString cfg.pki.auto.expiration.server} + tls_www_server + encryption_key + signing_key + ''}" \ + --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \ + --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \ + --load-privkey "${cfg.dataDir}/keys/server.key" \ + --outfile "${cfg.dataDir}/keys/server.cert" + + chgrp "${cfg.group}" \ + "${cfg.dataDir}/keys/server.key" \ + "${cfg.dataDir}/keys/server.cert" + + chmod g+r \ + "${cfg.dataDir}/keys/server.key" \ + "${cfg.dataDir}/keys/server.cert" + fi + + if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then + silent_certtool --generate-crl \ + --template "${pkgs.writeText "taskserver-crl.template" '' + expiration_days = ${toString cfg.pki.auto.expiration.crl} + ''}" \ + --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \ + --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \ + --outfile "${cfg.dataDir}/keys/server.crl" + + chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl" + chmod g+r "${cfg.dataDir}/keys/server.crl" + fi + + chmod go+x "${cfg.dataDir}/keys" + ''; + }; + }) + { meta.doc = ./taskserver.xml; } + ]; }