From 6de94e7d2449eefccdb99100426759472e4b14a4 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@redmoonstudios.org>
Date: Mon, 11 Apr 2016 12:38:16 +0200
Subject: [PATCH] nixos/taskserver: Rename .server options to .pki

After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.

This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
---
 .../services/misc/taskserver/default.nix      | 37 +++++++++----------
 nixos/tests/taskserver.nix                    |  2 +-
 2 files changed, 19 insertions(+), 20 deletions(-)

diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 8f760a4579d4..063002167cf5 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -17,9 +17,7 @@ let
     result = "${key} = ${mkVal val}";
   in optionalString (val != null && val != []) result;
 
-  needToCreateCA = all isNull (with cfg; [
-    server.key server.cert server.crl caCert
-  ]);
+  needToCreateCA = all isNull (with cfg.pki; [ key cert crl caCert ]);
 
   configFile = pkgs.writeText "taskdrc" ''
     # systemd related
@@ -43,18 +41,18 @@ let
 
     # server
     server = ${cfg.listenHost}:${toString cfg.listenPort}
-    ${mkConfLine "server.crl" cfg.server.crl}
+    ${mkConfLine "server.crl" cfg.pki.crl}
 
     # certificates
-    ${mkConfLine "trust" cfg.server.trust}
+    ${mkConfLine "trust" cfg.pki.trust}
     ${if needToCreateCA then ''
       ca.cert = ${cfg.dataDir}/keys/ca.cert
       server.cert = ${cfg.dataDir}/keys/server.cert
       server.key = ${cfg.dataDir}/keys/server.key
     '' else ''
-      ca.cert = ${cfg.caCert}
-      server.cert = ${cfg.server.cert}
-      server.key = ${cfg.server.key}
+      ca.cert = ${cfg.pki.caCert}
+      server.cert = ${cfg.pki.cert}
+      server.key = ${cfg.pki.key}
     ''}
   '';
 
@@ -91,7 +89,7 @@ let
         certtool = "${pkgs.gnutls}/bin/certtool";
         inherit taskd;
         inherit (cfg) dataDir user group;
-        inherit (cfg.server) fqdn;
+        inherit (cfg.pki) fqdn;
       }}" > "$out/main.py"
       cat > "$out/setup.py" <<EOF
       from setuptools import setup
@@ -134,12 +132,6 @@ in {
         description = "Data directory for Taskserver.";
       };
 
-      caCert = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        description = "Fully qualified path to the CA certificate.";
-      };
-
       ciphers = mkOption {
         type = types.nullOr (types.separatedString ":");
         default = null;
@@ -261,12 +253,13 @@ in {
         '';
       };
 
-      server = {
+      pki = {
         fqdn = mkOption {
           type = types.str;
           default = "localhost";
           description = ''
-            The fully qualified domain name of this server.
+            The fully qualified domain name of this server, which is used as the
+            common name in the certificates.
           '';
         };
 
@@ -276,6 +269,12 @@ in {
           description = "Fully qualified path to the server certificate";
         };
 
+        caCert = mkOption {
+          type = types.nullOr types.path;
+          default = null;
+          description = "Fully qualified path to the CA certificate.";
+        };
+
         crl = mkOption {
           type = types.nullOr types.path;
           default = null;
@@ -346,7 +345,7 @@ in {
             --outfile "${cfg.dataDir}/keys/ca.key"
           ${pkgs.gnutls}/bin/certtool -s \
             --template "${pkgs.writeText "taskserver-ca.template" ''
-              cn = ${cfg.server.fqdn}
+              cn = ${cfg.pki.fqdn}
               cert_signing_key
               ca
             ''}" \
@@ -364,7 +363,7 @@ in {
 
           ${pkgs.gnutls}/bin/certtool -c \
             --template "${pkgs.writeText "taskserver-cert.template" ''
-              cn = ${cfg.server.fqdn}
+              cn = ${cfg.pki.fqdn}
               tls_www_server
               encryption_key
               signing_key
diff --git a/nixos/tests/taskserver.nix b/nixos/tests/taskserver.nix
index d588b178aae8..ad8347a3987e 100644
--- a/nixos/tests/taskserver.nix
+++ b/nixos/tests/taskserver.nix
@@ -6,7 +6,7 @@ import ./make-test.nix {
       networking.firewall.enable = false;
       services.taskserver.enable = true;
       services.taskserver.listenHost = "::";
-      services.taskserver.server.fqdn = "server";
+      services.taskserver.pki.fqdn = "server";
       services.taskserver.organisations = {
         testOrganisation.users = [ "alice" "foo" ];
         anotherOrganisation.users = [ "bob" ];