Remove taskwarrior keys from the store for taskwarrior
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 29 Jan 2021 15:16:08 +0000 (16:16 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 29 Jan 2021 15:16:08 +0000 (16:16 +0100)
modules/private/tasks/default.nix
nixops/secrets

index b523995370416e77affe6baf329f2fa84555c188..aeedda0ddb6f6a2e112c34b6f3cb1d6cf35f5e4b 100644 (file)
@@ -95,21 +95,61 @@ in {
         '';
     };
 
-    secrets.keys = [{
-      dest = "webapps/tools-taskwarrior-web";
-      user = "wwwrun";
-      group = "wwwrun";
+    secrets.keys = [
+      {
+        dest = "webapps/tools-taskwarrior-web";
+        user = "wwwrun";
+        group = "wwwrun";
+        permissions = "0400";
+        text = ''
+            SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
+            SetEnv TASKD_VARDIR        "${server_vardir}"
+            SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
+            SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
+            SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+            SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
+            SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
+          '';
+      }
+    ] ++ (lib.mapAttrsToList (name: userConfig: {
+      dest = "webapps/tools-taskwarrior/${name}-taskrc";
+      inherit user group;
       permissions = "0400";
-      text = ''
-          SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
-          SetEnv TASKD_VARDIR        "${server_vardir}"
-          SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
-          SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
-          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
-          SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
-          SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
-        '';
-    }];
+      text = let
+        credentials = "${userConfig.org}/${name}/${userConfig.key}";
+        dateFormat = userConfig.date;
+      in ''
+        data.location=${varDir}/${name}
+        taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
+        taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
+        # IdenTrust DST Root CA X3
+        # obtained here: https://letsencrypt.org/fr/certificates/
+        taskd.ca=${pkgs.writeText "ca.cert" ''
+          -----BEGIN CERTIFICATE-----
+          MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+          MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+          DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+          PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+          Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+          AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+          rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+          OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+          xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+          7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+          aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+          HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+          SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+          ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+          AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+          R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+          JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+          Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+          -----END CERTIFICATE-----''}
+        taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
+        taskd.credentials=${credentials}
+        dateformat=${dateFormat}
+      '';
+    }) env.taskwarrior-web);
     services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
     services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
     services.websites.env.tools.vhostConfs.task = {
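Review bot: The `taskd.ca` value in the new taskrc pins a single root, DST Root CA X3, and the validity encoded in that certificate ends on 2021-09-30 (its `notAfter` field decodes to 210930140115Z), so from that date every taskwarrior-web client built from this taskrc will fail to verify the taskd server if its chain depends on that root. Now that the taskrc is a deployed secret rather than a store path, swapping the CA means redeploying secrets, not just rebuilding; pointing `taskd.ca` at a bundle maintained outside this file (the system CA bundle, or the successor root such as ISRG Root X1) keeps CA rotation separate from the per-user credentials. A smaller follow-up: the unchanged `services.websites.env.tools.watchPaths` still lists only `/var/secrets/webapps/tools-taskwarrior-web`, so edits to the new `tools-taskwarrior/${name}-taskrc` files are not seen by that watcher — worth confirming that is intended.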
@@ -204,7 +244,10 @@ in {
       '';
     };
 
-    users.users.${user}.packages = [ taskserver-user-certs ];
+    users.users.${user} = {
+      extraGroups = [ "keys" ];
+      packages = [ taskserver-user-certs ];
+    };
 
     system.activationScripts.taskserver = {
       deps = [ "users" ];
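Review bot: `extraGroups = [ "keys" ]` gives `${user}` read access to everything that group can read, which is broader than the per-file ownership the new secrets already rely on (`inherit user group;` with `permissions = "0400"` in the first hunk). If the membership exists only so the user can traverse a group-restricted secrets directory, a one-line comment should say so, e.g. `# "keys" membership is needed to reach /var/secrets/webapps/tools-taskwarrior/*-taskrc`; if the 0400 owner-only files are reachable without it, the membership is unnecessary privilege. Whether that directory is group-restricted is not visible in this diff.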
@@ -268,47 +311,13 @@ in {
     };
 
     systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
-      let
-        credentials = "${userConfig.org}/${name}/${userConfig.key}";
-        dateFormat = userConfig.date;
-        taskrc = pkgs.writeText "taskrc" ''
-          data.location=${varDir}/${name}
-          taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
-          taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
-          # IdenTrust DST Root CA X3
-          # obtained here: https://letsencrypt.org/fr/certificates/
-          taskd.ca=${pkgs.writeText "ca.cert" ''
-            -----BEGIN CERTIFICATE-----
-            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-            MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-            DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-            PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-            Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-            AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-            rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-            OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-            xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-            7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-            aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-            HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-            SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-            ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-            AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-            R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-            JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-            Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-            -----END CERTIFICATE-----''}
-          taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
-          taskd.credentials=${credentials}
-          dateformat=${dateFormat}
-          '';
-      in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
+      lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
         description = "Taskwarrior webapp for ${name}";
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
         path = [ pkgs.taskwarrior ];
 
-        environment.TASKRC = taskrc;
+        environment.TASKRC = "/var/secrets/webapps/tools-taskwarrior/${name}-taskrc";
         environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
         environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
         environment.LC_ALL = "fr_FR.UTF-8";
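Review bot: Pointing `environment.TASKRC` at `/var/secrets/webapps/tools-taskwarrior/${name}-taskrc` takes the credentials out of the unit file, but it also drops the implicit restart: before, a changed `taskrc` store path changed the unit and a switch restarted it, whereas now a rotated `userConfig.key` leaves the unit text identical and the running service keeps the old TASKRC content until something else restarts it. Consider a `restartTriggers` entry derived from the secret, for example `restartTriggers = [ (builtins.hashString "sha256" "${userConfig.org}/${name}/${userConfig.key}") ];`, which puts only a digest in the store; since a digest of a low-entropy credential is still exposed to offline guessing, having the secret deployment step restart the unit is the cleaner option. The service body (including `serviceConfig` and the User the unit runs as) continues past the hunk, so I could not confirm that it matches the owner of the 0400 secret.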
index e570ae5038b922f24b946b2c54af2d4b51f1bae3..252f7ed22d97d82902ff2d9fedccc525d67cabcb 160000 (submodule)
@@ -1 +1 @@
-Subproject commit e570ae5038b922f24b946b2c54af2d4b51f1bae3
+Subproject commit 252f7ed22d97d82902ff2d9fedccc525d67cabcb