+
+ system.activationScripts.taskwarrior-web = {
+ deps = [ "users" ];
+ text = ''
+ if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
+ ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
+ chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
+ fi
+ '';
+ };
+
+ systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
+ let
+ credentials = "${userConfig.org}/${name}/${userConfig.key}";
+ dateFormat = userConfig.date;
+ taskrc = pkgs.writeText "taskrc" ''
+ data.location=${varDir}/${name}
+ taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
+ taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
+ # IdenTrust DST Root CA X3
+ # obtained here: https://letsencrypt.org/fr/certificates/
+ taskd.ca=${pkgs.writeText "ca.cert" ''
+ -----BEGIN CERTIFICATE-----
+ MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+ DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+ PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+ Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+ rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+ OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+ xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+ 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+ aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+ HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+ SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+ AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+ R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+ JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+ -----END CERTIFICATE-----''}
+ taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
+ taskd.credentials=${credentials}
+ dateformat=${dateFormat}
+ '';
+ in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
+ description = "Taskwarrior webapp for ${name}";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ path = [ pkgs.taskwarrior ];
+
+ environment.TASKRC = taskrc;
+ environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
+ environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
+ environment.LC_ALL = "fr_FR.UTF-8";
+
+ script = ''
+ exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
+ '';
+
+ serviceConfig = {
+ User = user;
+ PrivateTmp = true;
+ Restart = "always";
+ TimeoutSec = 60;
+ Type = "simple";
+ WorkingDirectory = taskwarrior-web;
+ StateDirectoryMode = 0750;
+ StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
+ (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
+ RuntimeDirectoryPreserve = "yes";
+ RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
+ lib.strings.removePrefix "/run/" socketsDir;
+ };
+
+ unitConfig.RequiresMountsFor = varDir;
+ }) env.taskwarrior-web) // {
+ taskserver-ca.postStart = ''
+ chown :${group} "${server_vardir}/keys/ca.key"
+ chmod g+r "${server_vardir}/keys/ca.key"
+ '';
+ };
+
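Review bot: The `taskserver-ca.postStart` lines at the end of the hunk make `${server_vardir}/keys/ca.key` readable by `${group}`, so any process in that group can sign taskd client certificates for any user. `group` is defined outside the hunk; if it is the group the `taskwarrior-web-*` units run under, the web-facing process can read the CA private key even though it only needs the already issued `taskwarrior-web.cert.pem`/`taskwarrior-web.key.pem` pair. The activation script already issues that pair via `taskserver-user-certs`, so consider dropping the `chown`/`chmod` pair, or at least naming the consumer in a comment such as `# ca.key is group-readable because <consumer> signs client certs at runtime`. Separately, the inline `taskd.ca` pins DST Root CA X3, whose validity ends on 30 September 2021, so verification may start failing once it expires. Pointing `taskd.ca` at a maintained bundle such as `${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` avoids carrying an expiring root in the module.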