diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index dc73ad26eb6..70e162904e9 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -17,7 +17,7 @@ let
result = "${key} = ${mkVal val}";
in optionalString (val != null && val != []) result;
- mkPkiOption = desc: mkOption {
+ mkManualPkiOption = desc: mkOption {
type = types.nullOr types.path;
default = null;
description = desc + ''
@@ -27,24 +27,60 @@ let
'';
};
- pkiOptions = {
- ca.cert = mkPkiOption ''
+ manualPkiOptions = {
+ ca.cert = mkManualPkiOption ''
Fully qualified path to the CA certificate.
'';
- server.cert = mkPkiOption ''
+ server.cert = mkManualPkiOption ''
Fully qualified path to the server certificate.
'';
- server.crl = mkPkiOption ''
+ server.crl = mkManualPkiOption ''
Fully qualified path to the server certificate revocation list.
'';
- server.key = mkPkiOption ''
+ server.key = mkManualPkiOption ''
Fully qualified path to the server key.
'';
};
+ mkAutoDesc = preamble: ''
+ ${preamble}
+
+
+ This option is for the automatically handled CA and will be ignored if any
+ of the options are set.
+
+ '';
+
+ mkExpireOption = desc: mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ example = 365;
+ apply = val: if isNull val then -1 else val;
+ description = mkAutoDesc ''
+ The expiration time of ${desc} in days or null for no
+ expiration time.
+ '';
+ };
+
+ autoPkiOptions = {
+ bits = mkOption {
+ type = types.int;
+ default = 4096;
+ example = 2048;
+ description = mkAutoDesc "The bit size for generated keys.";
+ };
+
+ expiration = {
+ ca = mkExpireOption "the CA certificate";
+ server = mkExpireOption "the server certificate";
+ client = mkExpireOption "client certificates";
+ crl = mkExpireOption "the certificate revocation list (CRL)";
+ };
+ };
+
needToCreateCA = let
notFound = path: let
dotted = concatStringsSep "." path;
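Review bot: The expiration options built by `mkExpireOption` (L44-L53) default to null, which `apply` rewrites to -1, so unless a user sets them every auto-generated certificate and the CRL is requested with the "no expiration" sentinel; the description should state that the default itself disables expiry, e.g. `The expiration time of ${desc} in days, or null (the default) for no expiration time; note that the default produces certificates that never expire.`. The type is a bare `types.nullOr types.int`, so 0 and negative user values are accepted and -1 collides with the sentinel; `type = types.nullOr (types.addCheck types.int (v: v > 0));` keeps the sentinel internal to the module, and the same `addCheck` (with a sensible minimum) would stop `bits` at L56-L61 from accepting a tiny or negative key size at evaluation time. The wording in `mkAutoDesc`, "will be ignored if any of the options are set", does not say which options; write `This option is for the automatically handled CA and will be ignored if any of the pki.manual.* options are set.`. The enclosing `let` starts before the hunk and continues after it.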
@@ -53,10 +89,10 @@ let
mkSublist = key: val: let
newPath = path ++ singleton key;
in if isOption val
- then attrByPath newPath (notFound newPath) cfg.pki
+ then attrByPath newPath (notFound newPath) cfg.pki.manual
else findPkiDefinitions newPath val;
in flatten (mapAttrsToList mkSublist attrs);
- in all isNull (findPkiDefinitions [] pkiOptions);
+ in all isNull (findPkiDefinitions [] manualPkiOptions);
configFile = pkgs.writeText "taskdrc" ''
# systemd related
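Review bot: `needToCreateCA` (L82-L83) is true only when every `manualPkiOptions` path is null, so a configuration that sets some but not all `pki.manual.*` options (for example only `ca.cert`) neither triggers CA generation nor provides a complete manual set, and the error presumably surfaces only when taskd starts with missing paths. A companion value such as `manualPkiComplete = all (v: v != null) (findPkiDefinitions [] manualPkiOptions);` plus an assertion `needToCreateCA || manualPkiComplete` in the module's config would turn that into an evaluation-time error with a clear message; `findPkiDefinitions` is local to `needToCreateCA`, so it would have to be lifted one level to share it. The enclosing `let` block begins before this hunk and continues past it.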
@@ -130,6 +166,9 @@ let
src = ./helper-tool.py;
inherit taskd certtool;
inherit (cfg) dataDir user group fqdn;
+ certBits = cfg.pki.auto.bits;
+ clientExpiration = cfg.pki.auto.expiration.client;
+ crlExpiration = cfg.pki.auto.expiration.crl;
}}" > "$out/main.py"
cat > "$out/setup.py" <