X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Ftask%2Fdefault.nix;h=e1c933f3e435dd4cc36bdaf6b574f1daff14136d;hb=9ade8f6eb774dc7d19d82a070199b5024786b819;hp=8454c4b8008d8b4e0509c1a6b9c51040f2b6567c;hpb=8a964143a4173fcbd6f398fffee727f228f952fa;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index 8454c4b..e1c933f 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -101,10 +101,10 @@ in {
 SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
 '';
 }];
- security.acme.certs."eldiron".extraDomains.${fqdn} = null;
- services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ];
- services.myWebsites.tools.vhostConfs.task = {
+ services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
+ services.websites.tools.vhostConfs.task = {
 certName = "eldiron";
+ addToCerts = true;
 hosts = [ "task.immae.eu" ];
 root = "/run/current-system/webapps/_task";
 extraConfig = [ ''
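Review bot: The vhost's `hosts` stays the literal `"task.immae.eu"`, while the removed `extraDomains.${fqdn}` line named the certificate entry through the `fqdn` variable, so certificate coverage is now tied to a hard-coded string. `addToCerts` is defined outside this diff; assuming it registers each entry of `hosts` on the `certName` certificate, a later change to `fqdn` would no longer reach the `eldiron` certificate and clients would see a name mismatch. I would write `hosts = [ fqdn ];`, or at least add a comment such as `# addToCerts registers every entry of hosts on the "eldiron" ACME cert`. The vhost attribute set continues past the end of the hunk.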
@@ -236,21 +236,15 @@ in {
 inherit fqdn;
 listenHost = "::";
 pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
- pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
- pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
- pki.manual.server.key = "/var/lib/acme/task/key.pem";
+ pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
+ pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
+ pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
 requestLimit = 104857600;
 };
 system.activationScripts.taskwarrior-web = {
 deps = [ "users" ];
 text = ''
- install -m 0755 -o ${user} -g ${group} -d ${socketsDir}
- install -m 0750 -o ${user} -g ${group} -d ${varDir}
- ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
- (k: v: "install -m 0750 -o ${user} -g ${group} -d ${varDir}/${k}")
- env.taskwarrior-web
- )}
 if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
 ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
 chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
@@ -315,6 +309,12 @@ in {
 TimeoutSec = 60;
 Type = "simple";
 WorkingDirectory = taskwarrior-web;
+ StateDirectoryMode = 0750;
+ StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
+ (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
+ RuntimeDirectoryPreserve = "yes";
+ RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
+ lib.strings.removePrefix "/run/" socketsDir;
 };
 unitConfig.RequiresMountsFor = varDir;
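Review bot: The rewritten `pki.manual.server.crl` line still points at `task/invalid.crl` inside the ACME directory, and nothing in this diff creates that file; ACME clients normally write only certificate, chain and key files there. If the path is a deliberate placeholder, the server presumably runs without revocation checking for client certificates issued under `${server_vardir}/keys/ca.cert`, which would include the `taskwarrior-web` certificate generated in the activation script below. I would state that on the line, e.g. `# placeholder: no CRL is maintained, client-certificate revocation is not enforced`, or point the option at a CRL kept next to the local CA. Both the taskserver attribute set and the activation script extend beyond the hunk.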
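Review bot: `StateDirectoryMode = 0750;` in the last hunk is a bare Nix integer, and Nix has no octal literals, so the value is decimal 750 and only reaches systemd as the intended mode because it is rendered back to the text `750`; `StateDirectoryMode = "0750";` states the mode directly. The activation-script lines removed in the previous hunk also created `${varDir}` itself as 0750 owned by the service user. `StateDirectory` applies mode and ownership to the innermost directory only, so on a fresh host the parent is likely created with systemd's default permissions, and it is worth confirming that a readable listing of the per-instance directory names is acceptable. The enclosing attribute set starts outside the hunk.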