{ lib, pkgs, config, myconfig, mylibs, ... }:
let
cfg = config.services.myTasks;
- vardir = config.services.taskserver.dataDir;
+ server_vardir = config.services.taskserver.dataDir;
fqdn = "task.immae.eu";
user = config.services.taskserver.user;
env = myconfig.env.tools.task;
silent_certtool -p \
--bits 4096 \
- --outfile "${vardir}/userkeys/$user.key.pem"
- ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem"
+ --outfile "${server_vardir}/userkeys/$user.key.pem"
+ ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"
silent_certtool -c \
--template "${pkgs.writeText "taskserver-ca.template" ''
signing_key
expiration_days = 3650
''}" \
- --load-ca-certificate "${vardir}/keys/ca.cert" \
- --load-ca-privkey "${vardir}/keys/ca.key" \
- --load-privkey "${vardir}/userkeys/$user.key.pem" \
- --outfile "${vardir}/userkeys/$user.cert.pem"
+ --load-ca-certificate "${server_vardir}/keys/ca.cert" \
+ --load-ca-privkey "${server_vardir}/keys/ca.key" \
+ --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
+ --outfile "${server_vardir}/userkeys/$user.cert.pem"
EOF
chmod a+x $out/bin/taskserver-user-certs
patchShebangs $out/bin/taskserver-user-certs
'';
- taskwarrior-web = pkgs.callPackage ./taskwarrior-web.nix {
- inherit (mylibs) fetchedGithub;
- inherit env;
- };
+ taskwarrior-web = pkgs.webapps.taskwarrior-web;
+ socketsDir = "/run/taskwarrior-web";
+ varDir = "/var/lib/taskwarrior-web";
taskwebPages = let
uidPages = lib.attrsets.zipAttrs (
lib.lists.flatten
permissions = "0400";
text = ''
SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
- SetEnv TASKD_VARDIR "${vardir}"
+ SetEnv TASKD_VARDIR "${server_vardir}"
SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
''
''
<Macro Taskwarrior %{folderName}>
- ProxyPass "unix://${taskwarrior-web.socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
- ProxyPassReverse "unix://${taskwarrior-web.socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
+ ProxyPass "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
+ ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
ProxyPassReverse http://${fqdn}/
SetOutputFilter Sed
; Needed to avoid clashes in browser cookies (same domain)
env[PATH] = "/etc/profiles/per-user/${user}/bin"
php_value[session.name] = TaskPHPSESSID
- php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
+ php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
'';
};
system.activationScripts.taskserver = {
deps = [ "users" ];
text = ''
- install -m 0750 -o ${user} -g ${group} -d ${vardir}
- install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
- install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+ install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
+ install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
+ install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys
- if [ ! -e "${vardir}/keys/ca.key" ]; then
+ if [ ! -e "${server_vardir}/keys/ca.key" ]; then
silent_certtool() {
if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
echo "GNUTLS certtool invocation failed with output:" >&2
silent_certtool -p \
--bits 4096 \
- --outfile "${vardir}/keys/ca.key"
+ --outfile "${server_vardir}/keys/ca.key"
silent_certtool -s \
--template "${pkgs.writeText "taskserver-ca.template" ''
cert_signing_key
ca
''}" \
- --load-privkey "${vardir}/keys/ca.key" \
- --outfile "${vardir}/keys/ca.cert"
+ --load-privkey "${server_vardir}/keys/ca.key" \
+ --outfile "${server_vardir}/keys/ca.cert"
- chown :${group} "${vardir}/keys/ca.key"
- chmod g+r "${vardir}/keys/ca.key"
+ chown :${group} "${server_vardir}/keys/ca.key"
+ chmod g+r "${server_vardir}/keys/ca.key"
fi
'';
};
allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
inherit fqdn;
listenHost = "::";
- pki.manual.ca.cert = "${vardir}/keys/ca.cert";
+ pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
pki.manual.server.key = "/var/lib/acme/task/key.pem";
system.activationScripts.taskwarrior-web = {
deps = [ "users" ];
text = ''
- install -m 0755 -o ${user} -g ${group} -d ${taskwarrior-web.socketsDir}
- install -m 0750 -o ${user} -g ${group} -d ${taskwarrior-web.varDir}
+ install -m 0755 -o ${user} -g ${group} -d ${socketsDir}
+ install -m 0750 -o ${user} -g ${group} -d ${varDir}
${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
- (k: v: "install -m 0750 -o ${user} -g ${group} -d ${taskwarrior-web.varDir}/${k}")
+ (k: v: "install -m 0750 -o ${user} -g ${group} -d ${varDir}/${k}")
env.taskwarrior-web
)}
- if [ ! -f ${vardir}/userkeys/taskwarrior-web.cert.pem ]; then
+ if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
- chown taskd:taskd ${vardir}/userkeys/taskwarrior-web.cert.pem ${vardir}/userkeys/taskwarrior-web.key.pem
+ chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
fi
'';
};
credentials = "${userConfig.org}/${name}/${userConfig.key}";
dateFormat = userConfig.date;
taskrc = pkgs.writeText "taskrc" ''
- data.location=${taskwarrior-web.varDir}/${name}
- taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
- taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
+ data.location=${varDir}/${name}
+ taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
+ taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
# IdenTrust DST Root CA X3
# obtained here: https://letsencrypt.org/fr/certificates/
taskd.ca=${pkgs.writeText "ca.cert" ''
environment.LC_ALL = "fr_FR.UTF-8";
script = ''
- exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${taskwarrior-web.socketsDir}/${name}.sock
+ exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
'';
serviceConfig = {
Restart = "always";
TimeoutSec = 60;
Type = "simple";
- WorkingDirectory = taskwarrior-web.rubyRoot;
+ WorkingDirectory = taskwarrior-web;
};
- unitConfig.RequiresMountsFor = taskwarrior-web.varDir;
+ unitConfig.RequiresMountsFor = varDir;
}) env.taskwarrior-web) // {
taskserver-ca.postStart = ''
- chown :${group} "${vardir}/keys/ca.key"
- chmod g+r "${vardir}/keys/ca.key"
+ chown :${group} "${server_vardir}/keys/ca.key"
+ chmod g+r "${server_vardir}/keys/ca.key"
'';
};
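Review bot: The ownership fix-up for the freshly generated client certificate hardcodes `taskd:taskd`, while every other install/chown in these hunks derives ownership from `${user}`/`${group}` (the `install -d` lines for `server_vardir`, `socketsDir` and `varDir`); if `config.services.taskserver.user` is ever changed, the cert and key will be owned by the wrong account, so the line should read `chown ${user}:${group} ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem`. The file mode of `taskwarrior-web.key.pem` is never set explicitly after certtool writes it, so it depends on certtool's defaults and the activation-script umask; since this is a private key that lives alongside the group-readable CA key, an explicit `chmod 0640 ${server_vardir}/userkeys/taskwarrior-web.key.pem` (or 0600, depending on which account the thin service actually runs as, which is not visible here) next to the chown would make the intent clear. `WorkingDirectory = taskwarrior-web` now points at a Nix store path, which is read-only; if thin expects to write its pid or log file relative to the working directory this will fail at start, so please confirm or pass explicit `--pid`/`--log` paths under `${varDir}`. The `chmod g+r` on `ca.key` in the activation script and in `taskserver-ca.postStart` is preserved unchanged by the rename but is security-relevant enough to deserve a one-line comment stating which group member needs to sign with the CA key. The surrounding `let` bindings, the `taskwebPages` builder and the `mapAttrs` over `env.taskwarrior-web` all begin or end outside these hunks.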