};
config = lib.mkIf cfg.enable {
+ mySecrets.keys = [{
+ dest = "webapps/tools-taskwarrior-web";
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = ''
+ SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
+ SetEnv TASKD_VARDIR "${vardir}"
+ SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
+ SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
+ SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+ SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
+ SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
+ '';
+ }];
security.acme.certs."eldiron".extraDomains.${fqdn} = null;
services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ];
services.myWebsites.tools.vhostConfs.task = {
<FilesMatch "\.php$">
SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
</FilesMatch>
- SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
- SetEnv TASKD_VARDIR "${vardir}"
- SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
- SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
- SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
- SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
- SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
+ Include /var/secrets/webapps/tools-taskwarrior-web
</Directory>
''
''
install -m 0750 -o ${user} -g ${group} -d ${vardir}
install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+
+ if [ ! -e "${vardir}/keys/ca.key" ]; then
+ silent_certtool() {
+ if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+ echo "GNUTLS certtool invocation failed with output:" >&2
+ echo "$output" >&2
+ fi
+ }
+
+ silent_certtool -p \
+ --bits 4096 \
+ --outfile "${vardir}/keys/ca.key"
+
+ silent_certtool -s \
+ --template "${pkgs.writeText "taskserver-ca.template" ''
+ cn = ${fqdn}
+ expiration_days = -1
+ cert_signing_key
+ ca
+ ''}" \
+ --load-privkey "${vardir}/keys/ca.key" \
+ --outfile "${vardir}/keys/ca.cert"
+
+ chown :${group} "${vardir}/keys/ca.key"
+ chmod g+r "${vardir}/keys/ca.key"
+ fi
'';
};
allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
inherit fqdn;
listenHost = "::";
+ pki.manual.ca.cert = "${vardir}/keys/ca.cert";
+ pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
+ pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
+ pki.manual.server.key = "/var/lib/acme/task/key.pem";
requestLimit = 104857600;
};
data.location=${taskwarrior-web.varDir}/${name}
taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
- taskd.ca=${vardir}/keys/server.cert
+ # IdenTrust DST Root CA X3
+ # obtained here: https://letsencrypt.org/fr/certificates/
+ taskd.ca=${pkgs.writeText "ca.cert" ''
+ -----BEGIN CERTIFICATE-----
+ MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+ DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+ PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+ Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+ rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+ OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+ xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+ 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+ aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+ HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+ SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+ AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+ R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+ JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+ -----END CERTIFICATE-----''}
taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
taskd.credentials=${credentials}
dateformat=${dateFormat}
path = [ pkgs.taskwarrior ];
environment.TASKRC = taskrc;
- environment.BUNDLE_PATH = "${taskwarrior-web.gems}/lib/ruby/gems/2.5.0";
+ environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
environment.LC_ALL = "fr_FR.UTF-8";
script = ''
- exec ${taskwarrior-web.gems}/lib/ruby/gems/2.5.0/bin/bundle exec thin start -R config.ru -S ${taskwarrior-web.socketsDir}/${name}.sock
+ exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${taskwarrior-web.socketsDir}/${name}.sock
'';
serviceConfig = {