./modules/mail
./modules/ftp
./modules/pub
+ ./modules/task
];
services.myGitolite.enable = true;
services.myDatabases.enable = true;
services.myWebsites.tools.enable = true;
services.pure-ftpd.enable = true;
services.pub.enable = true;
+ services.myTasks.enable = true;
services.journald.extraConfig = ''
MaxLevelStore="warning"
MUST ( immaePuppetJson )
)
+attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
+ DESC 'Taskwarrior server Org:Name:Key'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
+ DESC 'Expansion of the existing object classes for Task'
+ SUP top AUXILIARY
+ MUST ( immaeTaskId )
+ )
+
# Last:
-# attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
-# objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+# attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
+# objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ cfg = config.services.myTasks;
+ vardir = config.services.taskserver.dataDir;
+ fqdn = "task.immae.eu";
+ user = config.services.taskserver.user;
+ env = myconfig.env.tools.task;
+ group = config.services.taskserver.group;
+in {
+ options.services.myTasks = {
+ enable = lib.mkEnableOption "my tasks service";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme.certs."eldiron".extraDomains.${fqdn} = null;
+ services.myWebsites.tools.modules = [ "proxy_fcgi" ];
+ services.myWebsites.tools.vhostConfs.task = {
+ certName = "eldiron";
+ hosts = [ "task.immae.eu" ];
+ root = "/run/current-system/webapps/_task";
+ extraConfig = [ ''
+ <Directory /run/current-system/webapps/_task>
+ DirectoryIndex index.php
+ Use LDAPConnect
+ Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+ <FilesMatch "\.php$">
+ SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+ </FilesMatch>
+ SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
+ SetEnv TASKD_VARDIR "${vardir}"
+ SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
+ SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
+ SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+ SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
+ SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
+ </Directory>
+ '' ];
+ };
+ services.myPhpfpm.poolConfigs = {
+ tasks = ''
+ listen = /var/run/phpfpm/task.sock
+ user = ${user}
+ group = ${group}
+ listen.owner = wwwrun
+ listen.group = wwwrun
+ pm = dynamic
+ pm.max_children = 60
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 10
+
+ ; Needed to avoid clashes in browser cookies (same domain)
+ env[PATH] = "/etc/profiles/per-user/${user}/bin"
+ php_value[session.name] = TaskPHPSESSID
+ php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
+ '';
+ };
+
+ system.extraSystemBuilderCmds = ''
+ ln -s ${./www} $out/webapps/_task
+ '';
+
+ security.acme.certs."task" = config.services.myCertificates.certConfig // {
+ inherit user group;
+ plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+ domain = fqdn;
+ postRun = ''
+ systemctl restart taskserver.service
+ '';
+ };
+
+ users.users.${user}.packages = [
+ (pkgs.runCommand "taskserver-user-certs" {} ''
+ mkdir -p $out/bin
+ cat > $out/bin/taskserver-user-certs <<"EOF"
+ #!/usr/bin/env bash
+
+ user=$1
+
+ silent_certtool() {
+ if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+ echo "GNUTLS certtool invocation failed with output:" >&2
+ echo "$output" >&2
+ fi
+ }
+
+ silent_certtool -p \
+ --bits 4096 \
+ --outfile "${vardir}/userkeys/$user.key.pem"
+ ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem"
+
+ silent_certtool -c \
+ --template "${pkgs.writeText "taskserver-ca.template" ''
+ tls_www_client
+ encryption_key
+ signing_key
+ expiration_days = 3650
+ ''}" \
+ --load-ca-certificate "${vardir}/keys/ca.cert" \
+ --load-ca-privkey "${vardir}/keys/ca.key" \
+ --load-privkey "${vardir}/userkeys/$user.key.pem" \
+ --outfile "${vardir}/userkeys/$user.cert.pem"
+ EOF
+ chmod a+x $out/bin/taskserver-user-certs
+ patchShebangs $out/bin/taskserver-user-certs
+ '')
+ ];
+
+ systemd.services.taskserver-ca.postStart = ''
+ chown :${group} "${vardir}/keys/ca.key"
+ chmod g+r "${vardir}/keys/ca.key"
+ '';
+
+ system.activationScripts.taskserver = {
+ deps = [ "users" ];
+ text = ''
+ install -m 0750 -o ${user} -g ${group} -d ${vardir}
+ install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
+ install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+ '';
+ };
+
+ services.taskserver = {
+ enable = true;
+ allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
+ inherit fqdn;
+ listenHost = "::";
+ requestLimit = 104857600;
+ };
+ };
+}
--- /dev/null
+<?php
+if (!isset($_SERVER["REMOTE_USER"])) {
+ die("please login");
+}
+$ldap_user = $_SERVER["REMOTE_USER"];
+$ldap_host = getenv("TASKD_LDAP_HOST");
+$ldap_dn = getenv('TASKD_LDAP_DN');
+$ldap_password = getenv('TASKD_LDAP_PASSWORD');
+$ldap_base = getenv('TASKD_LDAP_BASE');
+$ldap_filter = getenv('TASKD_LDAP_FILTER');
+$host = getenv('TASKD_HOST');
+$vardir = getenv('TASKD_VARDIR');
+
+$connect = ldap_connect($ldap_host);
+ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
+if (!$connect || !ldap_bind($connect, $ldap_dn, $ldap_password)) {
+ die("impossible to connect to LDAP");
+}
+
+$search_query = str_replace('%login%', ldap_escape($ldap_user), $ldap_filter);
+
+$search = ldap_search($connect, $ldap_base, $search_query);
+$info = ldap_get_entries($connect, $search);
+
+if (ldap_count_entries($connect, $search) != 1) {
+ die("Impossible to find user in LDAP");
+}
+
+$entries = [];
+foreach($info[0]["immaetaskid"] as $key => $value) {
+ if ($key !== "count") {
+ $entries[] = explode(":", $value);
+ }
+}
+
+if (isset($_GET["file"])) {
+ $basecert = $vardir . "/userkeys/" . $ldap_user;
+ if (!file_exists($basecert . ".cert.pem")) {
+ exec("taskserver-user-certs $ldap_user");
+ }
+ $certificate = file_get_contents($basecert . ".cert.pem");
+ $cert_key = file_get_contents($basecert . ".key.pem");
+ $server_cert = file_get_contents($vardir . "/keys/server.cert");
+
+ $file = $_GET["file"];
+ switch($file) {
+ case "ca.cert.pem":
+ $content = $server_cert;
+ $name = "ca.cert.pem";
+ $type = "application/x-x509-ca-cert";
+ break;
+ case "cert.pem":
+ $content = $certificate;
+ $name = $ldap_user . ".cert.pem";
+ $type = "application/x-x509-ca-cert";
+ break;
+ case "key.pem":
+ $content = $cert_key;
+ $name = $ldap_user . ".key.pem";
+ $type = "application/x-x509-ca-cert";
+ break;
+ case "mirakel";
+ foreach ($entries as $entry) {
+ list($org, $user, $key) = $entry;
+ if ($key == $_GET["key"]) { break; }
+ }
+ $name = $user . ".mirakel";
+ $type = "text/plain";
+ $content = "username: $user
+org: $org
+user key: $key
+server: $host
+client.cert:
+$certificate
+Client.key:
+$cert_key
+ca.cert:
+$server_cert
+";
+ break;
+ default:
+ die("invalid file name");
+ break;
+ }
+
+ header("Content-Type: $type");
+ header('Content-Disposition: attachment; filename="' . $name . '"');
+ header('Content-Transfer-Encoding: binary');
+ header('Accept-Ranges: bytes');
+ header('Cache-Control: private');
+ header('Pragma: private');
+ echo $content;
+ exit;
+}
+?>
+<html>
+<header>
+ <title>Taskwarrior configuration</title>
+</header>
+<body>
+<ul>
+ <li><a href="?file=ca.cert.pem">ca.cert.pem</a></li>
+ <li><a href="?file=cert.pem"><?php echo $ldap_user; ?>.cert.pem</a></li>
+ <li><a href="?file=key.pem"><?php echo $ldap_user; ?>.key.pem</a></li>
+</ul>
+For command line interface, download the files, put them near your Taskwarrior
+configuration files, and add that to your Taskwarrior configuration:
+<pre>
+taskd.certificate=/path/to/<?php echo $ldap_user; ?>.cert.pem
+taskd.key=/path/to/<?php echo $ldap_user; ?>.key.pem
+taskd.server=<?php echo $host ."\n"; ?>
+<?php if (count($entries) > 1) {
+ echo "# Chose one of them\n";
+ foreach($entries as $entry) {
+ list($org, $user, $key) = $entry;
+ echo "# taskd.credentials=$org/$user/$key\n";
+ }
+} else { ?>
+taskd.credentials=<?php echo $entries[0][0]; ?>/<?php echo $entries[0][1]; ?>/<?php echo $entries[0][2]; ?>
+<?php } ?>
+taskd.ca=/path/to/ca.cert.pem
+</pre>
+For Mirakel, download and import the file:
+<ul>
+<?php
+foreach ($entries as $entry) {
+ list($org, $user, $key) = $entry;
+ echo '<li><a href="?file=mirakel&key='.$key.'">' . $user . '.mirakel</a></li>';
+}
+?>
+</ul>
+For Android Taskwarrior app, see instructions <a href="https://bitbucket.org/kvorobyev/taskwarriorandroid/wiki/Configuration">here</a>.
+</body>
+</html>
+
projects / perso / Immae / Config / Nix.git / commitdiff
