X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=nixops%2Fmodules%2Ftask%2Fdefault.nix;h=1f5ddd2b2ad014ccac71cfe3514b95bbd920c206;hp=9671725b7f9f4d38f08a0ad35e134562ad0ad6ae;hb=2977fd8fdfc55dd42837e3dd56c77d36097ef607;hpb=598aaa373c359046ee08ab5e7576ebaa4f0331e0 diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix index 9671725..1f5ddd2 100644 --- a/nixops/modules/task/default.nix +++ b/nixops/modules/task/default.nix @@ -1,7 +1,7 @@ { lib, pkgs, config, myconfig, mylibs, ... }: let cfg = config.services.myTasks; - vardir = config.services.taskserver.dataDir; + server_vardir = config.services.taskserver.dataDir; fqdn = "task.immae.eu"; user = config.services.taskserver.user; env = myconfig.env.tools.task; @@ -22,8 +22,8 @@ let silent_certtool -p \ --bits 4096 \ - --outfile "${vardir}/userkeys/$user.key.pem" - ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem" + --outfile "${server_vardir}/userkeys/$user.key.pem" + ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem" silent_certtool -c \ --template "${pkgs.writeText "taskserver-ca.template" '' @@ -32,18 +32,17 @@ let signing_key expiration_days = 3650 ''}" \ - --load-ca-certificate "${vardir}/keys/ca.cert" \ - --load-ca-privkey "${vardir}/keys/ca.key" \ - --load-privkey "${vardir}/userkeys/$user.key.pem" \ - --outfile "${vardir}/userkeys/$user.cert.pem" + --load-ca-certificate "${server_vardir}/keys/ca.cert" \ + --load-ca-privkey "${server_vardir}/keys/ca.key" \ + --load-privkey "${server_vardir}/userkeys/$user.key.pem" \ + --outfile "${server_vardir}/userkeys/$user.cert.pem" EOF chmod a+x $out/bin/taskserver-user-certs patchShebangs $out/bin/taskserver-user-certs ''; - taskwarrior-web = pkgs.callPackage ./taskwarrior-web.nix { - inherit (mylibs) fetchedGithub; - inherit env; - }; + taskwarrior-web = pkgs.webapps.taskwarrior-web; + socketsDir = "/run/taskwarrior-web"; + varDir = "/var/lib/taskwarrior-web"; taskwebPages = let uidPages = lib.attrsets.zipAttrs ( lib.lists.flatten @@ -94,7 +93,7 @@ in { permissions = "0400"; text = '' SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}" - SetEnv TASKD_VARDIR "${vardir}" + SetEnv TASKD_VARDIR "${server_vardir}" SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}" SetEnv TASKD_LDAP_DN "${env.ldap.dn}" SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}" @@ -121,8 +120,8 @@ in { '' '' - ProxyPass "unix://${taskwarrior-web.socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/" - ProxyPassReverse "unix://${taskwarrior-web.socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/" + ProxyPass "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/" + ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/" ProxyPassReverse http://${fqdn}/ SetOutputFilter Sed @@ -177,7 +176,7 @@ in { ; Needed to avoid clashes in browser cookies (same domain) env[PATH] = "/etc/profiles/per-user/${user}/bin" php_value[session.name] = TaskPHPSESSID - php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/" + php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/" ''; }; @@ -199,11 +198,11 @@ in { system.activationScripts.taskserver = { deps = [ "users" ]; text = '' - install -m 0750 -o ${user} -g ${group} -d ${vardir} - install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys - install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys + install -m 0750 -o ${user} -g ${group} -d ${server_vardir} + install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys + install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys - if [ ! -e "${vardir}/keys/ca.key" ]; then + if [ ! -e "${server_vardir}/keys/ca.key" ]; then silent_certtool() { if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then echo "GNUTLS certtool invocation failed with output:" >&2 @@ -213,7 +212,7 @@ in { silent_certtool -p \ --bits 4096 \ - --outfile "${vardir}/keys/ca.key" + --outfile "${server_vardir}/keys/ca.key" silent_certtool -s \ --template "${pkgs.writeText "taskserver-ca.template" '' @@ -222,11 +221,11 @@ in { cert_signing_key ca ''}" \ - --load-privkey "${vardir}/keys/ca.key" \ - --outfile "${vardir}/keys/ca.cert" + --load-privkey "${server_vardir}/keys/ca.key" \ + --outfile "${server_vardir}/keys/ca.cert" - chown :${group} "${vardir}/keys/ca.key" - chmod g+r "${vardir}/keys/ca.key" + chown :${group} "${server_vardir}/keys/ca.key" + chmod g+r "${server_vardir}/keys/ca.key" fi ''; }; @@ -236,7 +235,7 @@ in { allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ]; inherit fqdn; listenHost = "::"; - pki.manual.ca.cert = "${vardir}/keys/ca.cert"; + pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem"; pki.manual.server.crl = "/var/lib/acme/task/invalid.crl"; pki.manual.server.key = "/var/lib/acme/task/key.pem"; @@ -246,15 +245,15 @@ in { system.activationScripts.taskwarrior-web = { deps = [ "users" ]; text = '' - install -m 0755 -o ${user} -g ${group} -d ${taskwarrior-web.socketsDir} - install -m 0750 -o ${user} -g ${group} -d ${taskwarrior-web.varDir} + install -m 0755 -o ${user} -g ${group} -d ${socketsDir} + install -m 0750 -o ${user} -g ${group} -d ${varDir} ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList - (k: v: "install -m 0750 -o ${user} -g ${group} -d ${taskwarrior-web.varDir}/${k}") + (k: v: "install -m 0750 -o ${user} -g ${group} -d ${varDir}/${k}") env.taskwarrior-web )} - if [ ! -f ${vardir}/userkeys/taskwarrior-web.cert.pem ]; then + if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web - chown taskd:taskd ${vardir}/userkeys/taskwarrior-web.cert.pem ${vardir}/userkeys/taskwarrior-web.key.pem + chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem fi ''; }; @@ -264,9 +263,9 @@ in { credentials = "${userConfig.org}/${name}/${userConfig.key}"; dateFormat = userConfig.date; taskrc = pkgs.writeText "taskrc" '' - data.location=${taskwarrior-web.varDir}/${name} - taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem - taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem + data.location=${varDir}/${name} + taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem + taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem # IdenTrust DST Root CA X3 # obtained here: https://letsencrypt.org/fr/certificates/ taskd.ca=${pkgs.writeText "ca.cert" '' @@ -306,7 +305,7 @@ in { environment.LC_ALL = "fr_FR.UTF-8"; script = '' - exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${taskwarrior-web.socketsDir}/${name}.sock + exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock ''; serviceConfig = { @@ -315,14 +314,14 @@ in { Restart = "always"; TimeoutSec = 60; Type = "simple"; - WorkingDirectory = taskwarrior-web.rubyRoot; + WorkingDirectory = taskwarrior-web; }; - unitConfig.RequiresMountsFor = taskwarrior-web.varDir; + unitConfig.RequiresMountsFor = varDir; }) env.taskwarrior-web) // { taskserver-ca.postStart = '' - chown :${group} "${vardir}/keys/ca.key" - chmod g+r "${vardir}/keys/ca.key" + chown :${group} "${server_vardir}/keys/ca.key" + chmod g+r "${server_vardir}/keys/ca.key" ''; };