3
0
Fork 0
forked from mirrors/nixpkgs

nixos/taskserver: Rename .server options to .pki

After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.

This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2016-04-11 12:38:16 +02:00
parent d6bd457d1f
commit 6de94e7d24
No known key found for this signature in database
GPG key ID: D0EBD0EC8C2DC961
2 changed files with 19 additions and 20 deletions

View file

@ -17,9 +17,7 @@ let
result = "${key} = ${mkVal val}";
in optionalString (val != null && val != []) result;
needToCreateCA = all isNull (with cfg; [
server.key server.cert server.crl caCert
]);
needToCreateCA = all isNull (with cfg.pki; [ key cert crl caCert ]);
configFile = pkgs.writeText "taskdrc" ''
# systemd related
@ -43,18 +41,18 @@ let
# server
server = ${cfg.listenHost}:${toString cfg.listenPort}
${mkConfLine "server.crl" cfg.server.crl}
${mkConfLine "server.crl" cfg.pki.crl}
# certificates
${mkConfLine "trust" cfg.server.trust}
${mkConfLine "trust" cfg.pki.trust}
${if needToCreateCA then ''
ca.cert = ${cfg.dataDir}/keys/ca.cert
server.cert = ${cfg.dataDir}/keys/server.cert
server.key = ${cfg.dataDir}/keys/server.key
'' else ''
ca.cert = ${cfg.caCert}
server.cert = ${cfg.server.cert}
server.key = ${cfg.server.key}
ca.cert = ${cfg.pki.caCert}
server.cert = ${cfg.pki.cert}
server.key = ${cfg.pki.key}
''}
'';
@ -91,7 +89,7 @@ let
certtool = "${pkgs.gnutls}/bin/certtool";
inherit taskd;
inherit (cfg) dataDir user group;
inherit (cfg.server) fqdn;
inherit (cfg.pki) fqdn;
}}" > "$out/main.py"
cat > "$out/setup.py" <<EOF
from setuptools import setup
@ -134,12 +132,6 @@ in {
description = "Data directory for Taskserver.";
};
caCert = mkOption {
type = types.nullOr types.path;
default = null;
description = "Fully qualified path to the CA certificate.";
};
ciphers = mkOption {
type = types.nullOr (types.separatedString ":");
default = null;
@ -261,12 +253,13 @@ in {
'';
};
server = {
pki = {
fqdn = mkOption {
type = types.str;
default = "localhost";
description = ''
The fully qualified domain name of this server.
The fully qualified domain name of this server, which is used as the
common name in the certificates.
'';
};
@ -276,6 +269,12 @@ in {
description = "Fully qualified path to the server certificate";
};
caCert = mkOption {
type = types.nullOr types.path;
default = null;
description = "Fully qualified path to the CA certificate.";
};
crl = mkOption {
type = types.nullOr types.path;
default = null;
@ -346,7 +345,7 @@ in {
--outfile "${cfg.dataDir}/keys/ca.key"
${pkgs.gnutls}/bin/certtool -s \
--template "${pkgs.writeText "taskserver-ca.template" ''
cn = ${cfg.server.fqdn}
cn = ${cfg.pki.fqdn}
cert_signing_key
ca
''}" \
@ -364,7 +363,7 @@ in {
${pkgs.gnutls}/bin/certtool -c \
--template "${pkgs.writeText "taskserver-cert.template" ''
cn = ${cfg.server.fqdn}
cn = ${cfg.pki.fqdn}
tls_www_server
encryption_key
signing_key

View file

@ -6,7 +6,7 @@ import ./make-test.nix {
networking.firewall.enable = false;
services.taskserver.enable = true;
services.taskserver.listenHost = "::";
services.taskserver.server.fqdn = "server";
services.taskserver.pki.fqdn = "server";
services.taskserver.organisations = {
testOrganisation.users = [ "alice" "foo" ];
anotherOrganisation.users = [ "bob" ];