3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

51 commits

Author SHA1 Message Date
Pamplemousse 5148813e17 modules/taskserver: Minor update
* documentation
    - update link
    - minor consistency update
  * make tests pass
2022-01-26 21:56:11 +01:00
rnhmjoj 1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
arcnmx c604b38791 nixos/taskserver: crl file is optional 2019-07-27 15:49:46 -07:00
Daniel Schaefer 786f02f7a4 treewide: Remove usage of isNull
isNull "is deprecated; just write e == null instead" says the Nix manual
2019-04-29 14:05:50 +02:00
Symphorien Gibol a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
volth 87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Peter Simons 71ae259627 nixos: revert changes from 3ab45f4b36 in taskserver module
See 3ab45f4b36 (commitcomment-22029298).

Fixes https://github.com/NixOS/nixpkgs/issues/25529 (I hope).
2017-05-06 19:50:02 +02:00
Franz Pletz 3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Franz Pletz 9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
aszlig 08881b8cbe
taskserver: Remove taskserver from systemPackages
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.

The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.

If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:05 +01:00
aszlig c7bbb93878
taskserver: Pass configuration via command line
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.

So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.

Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.

We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.

This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.

Instead we now have an attribute set that is mapped down to
configuration options.

Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.

So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
2017-02-17 19:45:58 +01:00
aszlig 78fe00da7c
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:55 +01:00
Peter Simons bfd7fe8ba5 nixos: fix taskserver module to evaluate properly when keys are managed manually 2017-02-07 18:35:41 +01:00
Eric Sagnes 1fe1cdecb2 types: loeOf -> listOf 2016-11-05 21:46:42 +01:00
regnat f697486122 taskserver : use pythonPackage.buildPythonPackage 2016-10-12 18:09:13 +02:00
Eric Sagnes 4cdfeb78f9 modules: move meta at top level 2016-08-11 00:29:48 +09:00
Eric Sagnes 898435d16e manual: automatically generate modules entries 2016-08-11 00:24:41 +09:00
zimbatm 28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
Tuomas Tynkkynen de0847c731 taskserver service: Really check that it is enabled 2016-04-28 01:14:17 +03:00
aszlig 1f46decba7
nixos/taskserver: Fix reference to certtool.
With the merge of the closure-size branch, most packages now have
multiple outputs. One of these packages is gnutls, so previously
everything that we needed was to reference "${gnutls}/bin/..." and now
we need to use "${gnutls.bin}/bin/...".

So it's not a very big issue to fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-15 00:28:57 +02:00
aszlig e06dd999f7
nixos/taskserver: Fix wrong option doc references
The options client.allow and client.deny are gone since the commit
8b793d1916, so let's fix that.

No feature changes, only fixes the descriptions of allowedClientIDs and
disallowedClientIDs.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:03:19 +02:00
aszlig 980f557c46
nixos/taskserver: Restart service on failure
This is the recommended way for long-running services and ensures that
Taskserver will keep running until it has been stopped manually.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:43:21 +02:00
aszlig cf46256bbb
nixos/taskserver: Improve service dependencies
Using requiredBy is a bad idea for the initialisation units, because
whenever the Taskserver service is restarted the initialisation units
get restarted as well.

Also, make sure taskserver-init.service will be ordered *before*
taskserver.service.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:33:04 +02:00
aszlig bb7a819735
nixos/taskserver: Set up service namespaces
The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:30:05 +02:00
aszlig ce0954020c
nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer:

"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"

This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".

In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:16:15 +02:00
aszlig 5be76d0b55
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:07:52 +02:00
aszlig 2ced6fcc75
nixos/taskserver: Setup CA before main service
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:53:53 +02:00
aszlig 9279ec732b
nixos/taskserver: Introduce an extraConfig option
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't went for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:

server = somestring
server.key = anotherstring

In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:

{ server._top = somestring;
  server.key = anotherstring;
}

Of course, this would work as well but nothing is more simple than just
appending raw strings.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:21:55 +02:00
aszlig 9f1e536948
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:14:33 +02:00
aszlig 9586795ef2
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00
aszlig 3008836fee
nixos/taskserver: Add a command to reload service
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.

Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:04:34 +02:00
aszlig b6643102d6
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 23:07:58 +02:00
aszlig d0ab617974
nixos/taskserver: Constrain server cert perms
It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:59:30 +02:00
aszlig 6e10705754
nixos/taskserver: Handle declarative conf via JSON
We now no longer have the stupid --service-helper option, which silences
messages about already existing organisations, users or groups.

Instead of that option, we now have a new subcommand called
"process-json", which accepts a JSON file directly from the specified
NixOS module options and creates/deletes the users accordingly.

Note that this still has a two issues left to solve in this area:

 * Deletion is not supported yet.
 * If a user is created imperatively, the next run of process-json will
   delete it once deletion is supported.

So we need to implement deletion and a way to mark organisations, users
and groups as "imperatively managed".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:24:58 +02:00
aszlig 7875885fb2
nixos/taskserver: Link to manual within .enable
With <olink/> support in place, we can now reference the Taskserver
section within the NixOS manual, so that users reading the manpage of
configuration.nix(5) won't miss this information.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 18:45:09 +02:00
aszlig b19fdc9ec9
nixos/taskserver: Set server.crl for automatic CA
Currently, we don't handle this yet, but let's set it so that we cover
all the options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:38:33 +02:00
aszlig 05a7cd17fc
nixos/taskserver: Rename .pki options
We're now using .pki.server.* and .pki.ca.* so that it's entirely clear
what these keys/certificates are for. For example we had just .pki.key
before, which doesn't really tell very much about what it's for except
if you look at the option description.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:33:48 +02:00
aszlig 6395c87d07
nixos/taskserver: Improve doc for PKI options
The improvement here is just that we're adding a big <note/> here so
that users of these options are aware that whenever they're setting one
of these the certificates and keys are _not_ created automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:58:29 +02:00
aszlig 6df374910f
nixos/taskserver: Move .trust out of .pki
This is clearly a server configuration option and has nothing to do with
certificate creation and signing, so let's move it away from the .pki
namespace.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:47:39 +02:00
aszlig 3affead91b
nixos/taskserver: Move .pki.fqdn to .fqdn
It's not necessarily related to the PKI options, because this is also
used for setting the server address on the Taskwarrior client.

So if someone doesn't have his/her own certificates from another CA, all
options that need to be adjusted are in .pki. And if someone doesn't
want to bother with getting certificates from another CA, (s)he just
doesn't set anything in .pki.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:42:20 +02:00
aszlig 6de94e7d24
nixos/taskserver: Rename .server options to .pki
After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.

This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:38:16 +02:00
aszlig d6bd457d1f
nixos/taskserver: Rename server.{host,port}
Having an option called services.taskserver.server.host is quite
confusing because we already have "server" in the service name, so let's
first get rid of the listening options before we rename the rest of the
options in that .server attribute.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:26:34 +02:00
aszlig 2acf8677fa
nixos/taskserver: Rewrite helper-tool in Python
In the comments of the pull request @nbp wrote:

"Why is it implemented in 3 different languages: Nix, Bash and C?"

And he's right, it doesn't make sense, because we were using C as a
runuser replacement and used Nix to generate the shellscript
boilerplates.

Writing this in Python gets rid of all of this and we also don't need
the boilerplate as well, because we're using Click to handle all the
command line stuff.

Note that this currently is a 1:1 implementation of what we had before.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:02:52 +02:00
aszlig 85832de2e8
nixos/taskserver: Remove client.cert option
The option is solely for debugging purposes (particularly the unit tests
of the project itself) and doesn't make sense to include it in the NixOS
module options.

If people want to use this, we might want to introduce another option so
that we can insert arbitrary configuration lines.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-10 21:37:12 +02:00
aszlig 64e566a49c
nixos/taskserver: Add module documentation
It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:12 +02:00
aszlig 8b793d1916
nixos/taskserver: Rename client.{allow,deny}
These values match against the client IDs only, so let's rename it to
something that actually reflects that. Having client.cert in the same
namespace also could lead to confusion, because the client.cert setting
is for the *debugging* client only.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:11 +02:00
aszlig 04fa5dcdb8
nixos/taskserver: Fix type/description for ciphers
Referring to the GnuTLS documentation isn't very nice if the user has to
use a search engine to find that documentation. So let's directly link
to it.

The type was "str" before, but it's actually a colon-separated string,
so if we set options in multiple modules, the result is one concatenated
string.

I know there is types.envVar, which does the same as separatedString ":"
but I found that it could confuse the reader of the Taskserver module.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:22:25 +02:00
aszlig 33f948c88b
nixos/taskserver: Fix type for client.{allow,deny}
We already document that we allow special values such as "all" and
"none", but the type doesn't represent that. So let's use an enum in
conjuction with a loeOf type so that this becomes clear.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:21:42 +02:00
aszlig 2d89617052
nixos/taskserver: Rename nixos-taskdctl
Using nixos-taskserver is more verbose but less cryptic and I think it
fits the purpose better because it can't be confused to be a wrapper
around the taskdctl command from the upstream project as
nixos-taskserver shares no commonalities with it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-05 18:53:31 +02:00