3
0
Fork 0
forked from mirrors/nixpkgs

taskserver: Allow helper tool in manual config

The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2017-02-17 19:03:49 +01:00
parent 32c2e8f4ae
commit 78fe00da7c
No known key found for this signature in database
GPG key ID: 1DE8E48E57DB5436
3 changed files with 32 additions and 19 deletions

View file

@ -154,9 +154,8 @@ let
certtool = "${pkgs.gnutls.bin}/bin/certtool";
nixos-taskserver = pkgs.pythonPackages.buildPythonPackage {
nixos-taskserver = pkgs.pythonPackages.buildPythonApplication {
name = "nixos-taskserver";
namePrefix = "";
src = pkgs.runCommand "nixos-taskserver-src" {} ''
mkdir -p "$out"
@ -167,6 +166,7 @@ let
certBits = cfg.pki.auto.bits;
clientExpiration = cfg.pki.auto.expiration.client;
crlExpiration = cfg.pki.auto.expiration.crl;
isAutoConfig = if needToCreateCA then "True" else "False";
}}" > "$out/main.py"
cat > "$out/setup.py" <<EOF
from setuptools import setup

View file

@ -136,9 +136,9 @@ $ ssh server nixos-taskserver user export my-company alice | sh
<para>
If you set any options within
<option>service.taskserver.pki.manual.*</option>, the automatic user and
CA management by the <command>nixos-taskserver</command> is disabled and
you need to create certificates and keys by yourself.
<option>service.taskserver.pki.manual.*</option>,
<command>nixos-taskserver</command> won't issue certificates, but you can
still use it for adding or removing user accounts.
</para>
</section>
</chapter>

View file

@ -13,6 +13,7 @@ from tempfile import NamedTemporaryFile
import click
IS_AUTO_CONFIG = @isAutoConfig@ # NOQA
CERTTOOL_COMMAND = "@certtool@"
CERT_BITS = "@certBits@"
CLIENT_EXPIRATION = "@clientExpiration@"
@ -149,6 +150,12 @@ def create_template(contents):
def generate_key(org, user):
if not IS_AUTO_CONFIG:
msg = "Automatic PKI handling is disabled, you need to " \
"manually issue a client certificate for user {}.\n"
sys.stderr.write(msg.format(user))
return
basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
if os.path.exists(basedir):
raise OSError("Keyfile directory for {} already exists.".format(user))
@ -243,26 +250,32 @@ class User(object):
self.key = key
def export(self):
pubcert = getkey(self.__org, self.name, "public.cert")
privkey = getkey(self.__org, self.name, "private.key")
cacert = getkey("ca.cert")
keydir = "${TASKDATA:-$HOME/.task}/keys"
credentials = '/'.join([self.__org, self.name, self.key])
allow_unquoted = string.ascii_letters + string.digits + "/-_."
if not all((c in allow_unquoted) for c in credentials):
credentials = "'" + credentials.replace("'", r"'\''") + "'"
script = [
"umask 0077",
'mkdir -p "{}"'.format(keydir),
mktaskkey("certificate", os.path.join(keydir, "public.cert"),
pubcert),
mktaskkey("key", os.path.join(keydir, "private.key"), privkey),
mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert),
script = []
if IS_AUTO_CONFIG:
pubcert = getkey(self.__org, self.name, "public.cert")
privkey = getkey(self.__org, self.name, "private.key")
cacert = getkey("ca.cert")
keydir = "${TASKDATA:-$HOME/.task}/keys"
script += [
"umask 0077",
'mkdir -p "{}"'.format(keydir),
mktaskkey("certificate", os.path.join(keydir, "public.cert"),
pubcert),
mktaskkey("key", os.path.join(keydir, "private.key"), privkey),
mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert)
]
script.append(
"task config taskd.credentials -- {}".format(credentials)
]
)
return "\n".join(script) + "\n"