nixpkgs/nixos/modules/services/misc/taskserver/doc.xml

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

136 lines
4.9 KiB
XML
Raw Normal View History

<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="module-services-taskserver">
2018-09-30 02:51:11 +02:00
<title>Taskserver</title>
<para>
Taskserver is the server component of
<link xlink:href="https://taskwarrior.org/">Taskwarrior</link>, a free and
open source todo list application.
2018-09-30 02:51:11 +02:00
</para>
<para>
<emphasis>Upstream documentation:</emphasis>
<link xlink:href="https://taskwarrior.org/docs/#taskd"/>
2018-09-30 02:51:11 +02:00
</para>
<section xml:id="module-services-taskserver-configuration">
<title>Configuration</title>
<para>
Taskserver does all of its authentication via TLS using client certificates,
so you either need to roll your own CA or purchase a certificate from a
known CA, which allows creation of client certificates. These certificates
are usually advertised as <quote>server certificates</quote>.
</para>
<para>
So in order to make it easier to handle your own CA, there is a helper tool
called <command>nixos-taskserver</command> which manages the custom CA along
with Taskserver organisations, users and groups.
</para>
2018-09-30 02:51:11 +02:00
<para>
While the client certificates in Taskserver only authenticate whether a user
is allowed to connect, every user has its own UUID which identifies it as an
entity.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
With <command>nixos-taskserver</command> the client certificate is created
along with the UUID of the user, so it handles all of the credentials needed
in order to setup the Taskwarrior client to work with a Taskserver.
2018-09-30 02:51:11 +02:00
</para>
</section>
<section xml:id="module-services-taskserver-nixos-taskserver-tool">
<title>The nixos-taskserver tool</title>
2018-09-30 02:51:11 +02:00
<para>
Because Taskserver by default only provides scripts to setup users
imperatively, the <command>nixos-taskserver</command> tool is used for
addition and deletion of organisations along with users and groups defined
by <xref linkend="opt-services.taskserver.organisations"/> and as well for
imperative set up.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
The tool is designed to not interfere if the command is used to manually set
up some organisations, users or groups.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
For example if you add a new organisation using <command>nixos-taskserver
org add foo</command>, the organisation is not modified and deleted no
matter what you define in
<option>services.taskserver.organisations</option>, even if you're adding
the same organisation in that option.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
The tool is modelled to imitate the official <command>taskd</command>
command, documentation for each subcommand can be shown by using the
<option>--help</option> switch.
2018-09-30 02:51:11 +02:00
</para>
</section>
<section xml:id="module-services-taskserver-declarative-ca-management">
<title>Declarative/automatic CA management</title>
2018-09-30 02:51:11 +02:00
<para>
Everything is done according to what you specify in the module options,
however in order to set up a Taskwarrior client for synchronisation with a
Taskserver instance, you have to transfer the keys and certificates to the
client machine.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
This is done using <command>nixos-taskserver user export $orgname
$username</command> which is printing a shell script fragment to stdout
which can either be used verbatim or adjusted to import the user on the
client machine.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
For example, let's say you have the following configuration:
<screen>
{
2018-04-05 10:43:56 +02:00
<xref linkend="opt-services.taskserver.enable"/> = true;
<xref linkend="opt-services.taskserver.fqdn"/> = "server";
<xref linkend="opt-services.taskserver.listenHost"/> = "::";
<link linkend="opt-services.taskserver.organisations._name_.users">services.taskserver.organisations.my-company.users</link> = [ "alice" ];
}
</screen>
This creates an organisation called <literal>my-company</literal> with the
user <literal>alice</literal>.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
Now in order to import the <literal>alice</literal> user to another machine
<literal>alicebox</literal>, all we need to do is something like this:
<screen>
2019-06-17 13:25:50 +02:00
<prompt>$ </prompt>ssh server nixos-taskserver user export my-company alice | sh
</screen>
Of course, if no SSH daemon is available on the server you can also copy
&amp; paste it directly into a shell.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
After this step the user should be set up and you can start synchronising
your tasks for the first time with <command>task sync init</command> on
<literal>alicebox</literal>.
2018-09-30 02:51:11 +02:00
</para>
2018-09-30 02:51:11 +02:00
<para>
Subsequent synchronisation requests merely require the command <command>task
sync</command> after that stage.
2018-09-30 02:51:11 +02:00
</para>
</section>
<section xml:id="module-services-taskserver-manual-ca-management">
<title>Manual CA management</title>
2018-09-30 02:51:11 +02:00
<para>
If you set any options within
<link linkend="opt-services.taskserver.pki.manual.ca.cert">service.taskserver.pki.manual</link>.*,
<command>nixos-taskserver</command> won't issue certificates, but you can
still use it for adding or removing user accounts.
2018-09-30 02:51:11 +02:00
</para>
</section>
</chapter>