Commit graph

54 commits

Author SHA1 Message Date
aszlig
b618843860
nixos/taskserver: Fix manual PKI management
The helper tool had a very early check whether the automatically created
CA key/cert are available and thus it would abort if the key was
unavailable even though we don't need or even want to have the CA key.

Unfortunately our NixOS test didn't catch this, because it was just
switching from a configuration with an automatically created CA to a
manual configuration without deleting the generated keys and certs.

This is done now in the tests and it's also fixed in the helper tool.

Reported-by: @jpotier
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-07-16 20:38:15 +02:00
Peter Simons
71ae259627 nixos: revert changes from 3ab45f4b36 in taskserver module
See 3ab45f4b36 (commitcomment-22029298).

Fixes https://github.com/NixOS/nixpkgs/issues/25529 (I hope).
2017-05-06 19:50:02 +02:00
Franz Pletz
3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Franz Pletz
9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
aszlig
08881b8cbe
taskserver: Remove taskserver from systemPackages
This is deliberate because using the taskd binary to configure
Taskserver has a good chance of messing up permissions.

The nixos-taskserver tool now can manage even manual configurations, so
there really is no need anymore to expose the taskd binary.

If people still want to use the taskd binary at their own risk they can
still add taskserver to systemPackages themselves.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:46:05 +01:00
aszlig
c7bbb93878
taskserver: Pass configuration via command line
Putting an include directive in the configuration file referencing a
store path with the real configuration file has the disavantage that
once we change the real configuration file the store path is also a
different one.

So we would have to replace that include directive with the new
configuration file, which is very much error-prone, because whenever
taskd modifies the configuration file on its own it generates a new one
with *only* the key/value options and without any include directives.

Another problem is that we only added the include directive on the first
initalization, so whenever there is *any* configuration change, it won't
affect anything.

We're now passing all the configuration options via command line,
because taskd treats everything in the form of --<name>=<value> to be a
configuration directive.

This also has the effect that we now no longer have extraConfig, because
configuration isn't a file anymore.

Instead we now have an attribute set that is mapped down to
configuration options.

Unfortunately this isn't so easy with the way taskd is configured,
because there is an option called "server" and also other options like
"server.cert", "server.key" and so on, which do not map very well to
attribute sets.

So we have an exception for the "server" option, which is now called
"server.listen", because it specifies the listening address.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #22705
2017-02-17 19:45:58 +01:00
aszlig
78fe00da7c
taskserver: Allow helper tool in manual config
The helper tool so far was only intended for use in automatic PKI
handling, but it also is very useful if you have an existing CA.

One of the main advantages is that you don't need to specify the data
directory anymore and the right permissions are also handled as well.

Another advantage is that we now have an uniform management tool for
both automatic and manual config, so the documentation in the NixOS
manual now applies to the manual PKI config as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:55 +01:00
aszlig
32c2e8f4ae
taskserver/helpertool: Fix error message on export
The error message displays that a specific user doesn't exist in an
organisation, but uses the User object's name attribute to show which
user it was.

This is basically a very stupid chicken and egg problem and easily fixed
by using the user name provided on the command line.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-02-17 19:45:52 +01:00
Peter Simons
bfd7fe8ba5 nixos: fix taskserver module to evaluate properly when keys are managed manually 2017-02-07 18:35:41 +01:00
Eric Sagnes
1fe1cdecb2 types: loeOf -> listOf 2016-11-05 21:46:42 +01:00
regnat
f697486122 taskserver : use pythonPackage.buildPythonPackage 2016-10-12 18:09:13 +02:00
Eric Sagnes
4cdfeb78f9 modules: move meta at top level 2016-08-11 00:29:48 +09:00
Eric Sagnes
898435d16e manual: automatically generate modules entries 2016-08-11 00:24:41 +09:00
zimbatm
28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
Tuomas Tynkkynen
de0847c731 taskserver service: Really check that it is enabled 2016-04-28 01:14:17 +03:00
aszlig
1f46decba7
nixos/taskserver: Fix reference to certtool.
With the merge of the closure-size branch, most packages now have
multiple outputs. One of these packages is gnutls, so previously
everything that we needed was to reference "${gnutls}/bin/..." and now
we need to use "${gnutls.bin}/bin/...".

So it's not a very big issue to fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-15 00:28:57 +02:00
aszlig
940120a711
nixos/taskserver/doc: Improve example org name
Suggested by @nbp:

"Choose a better organization name in this example, such that it is less
confusing. Maybe something like my-company"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-14 21:16:14 +02:00
aszlig
394e64e4fb
nixos/taskserver/helper: Fix docstring of add_user
We have already revamped the CLI subcommands in commit
e2383b84f8.

This was just an artifact that was left because of this.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:13:43 +02:00
aszlig
e06dd999f7
nixos/taskserver: Fix wrong option doc references
The options client.allow and client.deny are gone since the commit
8b793d1916, so let's fix that.

No feature changes, only fixes the descriptions of allowedClientIDs and
disallowedClientIDs.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 07:03:19 +02:00
aszlig
980f557c46
nixos/taskserver: Restart service on failure
This is the recommended way for long-running services and ensures that
Taskserver will keep running until it has been stopped manually.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:43:21 +02:00
aszlig
cf46256bbb
nixos/taskserver: Improve service dependencies
Using requiredBy is a bad idea for the initialisation units, because
whenever the Taskserver service is restarted the initialisation units
get restarted as well.

Also, make sure taskserver-init.service will be ordered *before*
taskserver.service.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:33:04 +02:00
aszlig
bb7a819735
nixos/taskserver: Set up service namespaces
The Taskserver doesn't need access to the full /dev nor does it need a
shared /tmp. In addition, the initialisation services don't need network
access, so let's constrain them to the loopback device.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:30:05 +02:00
aszlig
dd0d64afea
nixos/taskserver: Finish module documentation
Apart from the options manual, this should cover the basics for setting
up a Taskserver. I am not a native speaker so this can and (probably)
should be improved, especially the wording/grammar.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 06:19:59 +02:00
aszlig
e2383b84f8
nixos/taskserver/helper: Improve CLI subcommands
Try to match the subcommands to act more like the subcommands from the
taskd binary and also add a subcommand to list groups.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:38:37 +02:00
aszlig
ce0954020c
nixos/taskserver: Set allowedTCPPorts accordingly
As suggested by @matthiasbeyer:

"We might add a short note that this port has to be opened in the
firewall, or is this done by the service automatically?"

This commit now adds the listenPort to
networking.firewall.allowedTCPPorts as soon as the listenHost is not
"localhost".

In addition to that, this is now also documented in the listenHost
option declaration and I have removed disabling of the firewall from the
VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:16:15 +02:00
aszlig
5be76d0b55
nixos/taskserver: Reorder into one mkMerge
No changes in functionality but rather just restructuring the module
definitions to be one mkMerge, which now uses mkIf from the top-level
scope of the CA initialization service so we can better abstract
additional options we might need there.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 05:07:52 +02:00
aszlig
5062bf1b84
nixos/taskserver/helper: Assert CA existence
We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:57:03 +02:00
aszlig
2ced6fcc75
nixos/taskserver: Setup CA before main service
We need to explicitly make sure the CA is created before we actually
launch the main Taskserver service in order to avoid race conditions
where the preStart phase of the main service could possibly corrupt
certificates if it would be started in parallel.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:53:53 +02:00
aszlig
9279ec732b
nixos/taskserver: Introduce an extraConfig option
This is simply to add configuration lines to the generated configuration
file. The reason why I didn't went for an attribute set is that the
taskdrc file format doesn't map very well on Nix attributes, for example
the following can be set in taskdrc:

server = somestring
server.key = anotherstring

In order to use a Nix attribute set for that, it would be way too
complicated, for example if we want to represent the mentioned example
we'd have to do something like this:

{ server._top = somestring;
  server.key = anotherstring;
}

Of course, this would work as well but nothing is more simple than just
appending raw strings.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:21:55 +02:00
aszlig
9f1e536948
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the
certificates and keys are created. We now have two sub-namespaces within
PKI so it should be more clear which options you have to set if you want
to either manage your own CA or let the module create it automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 04:14:33 +02:00
aszlig
a41b109bc1
nixos/taskserver: Don't change imperative users
Whenever the nixos-taskserver tool was invoked manually for creating an
organisation/group/user we now add an empty file called .imperative to
the data directory.

During the preStart of the Taskserver service, we use process-json which
in turn now checks whether those .imperative files exist and if so, it
doesn't do anything with it.

This should now ensure that whenever there is a manually created user,
it doesn't get killed off by the declarative configuration in case it
shouldn't exist within that configuration.

In addition, we also add a small subtest to check whether this is
happening or not and fail if the imperatively created user got deleted
by process-json.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 03:42:13 +02:00
aszlig
9586795ef2
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00
aszlig
7889fcfa41
nixos/taskserver/helper: Implement deletion
Now we finally can delete organisations, groups and users along with
certificate revocation. The new subtests now make sure that the client
certificate is also revoked (both when removing the whole organisation
and just a single user).

If we use the imperative way to add and delete users, we have to restart
the Taskserver in order for the CRL to be effective.

However, by using the declarative configuration we now get this for
free, because removing a user will also restart the service and thus its
client certificate will end up in the CRL.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:41:41 +02:00
aszlig
3008836fee
nixos/taskserver: Add a command to reload service
Unfortunately we don't have a better way to check whether the reload has
been done successfully, but at least we now *can* reload it without
figuring out the exact signal to send to the process.

Note that on reload, Taskserver will not reload the CRL file. For that
to work, a full restart needs to be done.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 01:04:34 +02:00
aszlig
b6643102d6
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 23:07:58 +02:00
aszlig
d0ab617974
nixos/taskserver: Constrain server cert perms
It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:59:30 +02:00
aszlig
6e10705754
nixos/taskserver: Handle declarative conf via JSON
We now no longer have the stupid --service-helper option, which silences
messages about already existing organisations, users or groups.

Instead of that option, we now have a new subcommand called
"process-json", which accepts a JSON file directly from the specified
NixOS module options and creates/deletes the users accordingly.

Note that this still has a two issues left to solve in this area:

 * Deletion is not supported yet.
 * If a user is created imperatively, the next run of process-json will
   delete it once deletion is supported.

So we need to implement deletion and a way to mark organisations, users
and groups as "imperatively managed".

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:24:58 +02:00
aszlig
cf0501600a
nixos/taskserver/helper: Factor out program logic
The Click functions really are for the command line and should be solely
used for that.

What I have in mind is that instead of that crappy --service-helper
argument, we should really have a new subcommand that is expecting JSON
which is directly coming from the services.taskserver.organisations
module option.

That way we can decrease even more boilerplate and we can also ensure
that organisations, users and groups get properly deleted if they're
removed from the NixOS configuration.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 22:19:50 +02:00
aszlig
7875885fb2
nixos/taskserver: Link to manual within .enable
With <olink/> support in place, we can now reference the Taskserver
section within the NixOS manual, so that users reading the manpage of
configuration.nix(5) won't miss this information.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 18:45:09 +02:00
aszlig
b19fdc9ec9
nixos/taskserver: Set server.crl for automatic CA
Currently, we don't handle this yet, but let's set it so that we cover
all the options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:38:33 +02:00
aszlig
05a7cd17fc
nixos/taskserver: Rename .pki options
We're now using .pki.server.* and .pki.ca.* so that it's entirely clear
what these keys/certificates are for. For example we had just .pki.key
before, which doesn't really tell very much about what it's for except
if you look at the option description.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 13:33:48 +02:00
aszlig
6395c87d07
nixos/taskserver: Improve doc for PKI options
The improvement here is just that we're adding a big <note/> here so
that users of these options are aware that whenever they're setting one
of these the certificates and keys are _not_ created automatically.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:58:29 +02:00
aszlig
6df374910f
nixos/taskserver: Move .trust out of .pki
This is clearly a server configuration option and has nothing to do with
certificate creation and signing, so let's move it away from the .pki
namespace.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:47:39 +02:00
aszlig
3affead91b
nixos/taskserver: Move .pki.fqdn to .fqdn
It's not necessarily related to the PKI options, because this is also
used for setting the server address on the Taskwarrior client.

So if someone doesn't have his/her own certificates from another CA, all
options that need to be adjusted are in .pki. And if someone doesn't
want to bother with getting certificates from another CA, (s)he just
doesn't set anything in .pki.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:42:20 +02:00
aszlig
6de94e7d24
nixos/taskserver: Rename .server options to .pki
After moving out the PKI-unrelated options, let's name this a bit more
appropriate, so we can finally get rid of the taskserver.server thing.

This also moves taskserver.caCert to taskserver.pki.caCert, because that
clearly belongs to the PKI options.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:38:16 +02:00
aszlig
d6bd457d1f
nixos/taskserver: Rename server.{host,port}
Having an option called services.taskserver.server.host is quite
confusing because we already have "server" in the service name, so let's
first get rid of the listening options before we rename the rest of the
options in that .server attribute.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:26:34 +02:00
aszlig
2acf8677fa
nixos/taskserver: Rewrite helper-tool in Python
In the comments of the pull request @nbp wrote:

"Why is it implemented in 3 different languages: Nix, Bash and C?"

And he's right, it doesn't make sense, because we were using C as a
runuser replacement and used Nix to generate the shellscript
boilerplates.

Writing this in Python gets rid of all of this and we also don't need
the boilerplate as well, because we're using Click to handle all the
command line stuff.

Note that this currently is a 1:1 implementation of what we had before.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-11 12:02:52 +02:00
aszlig
85832de2e8
nixos/taskserver: Remove client.cert option
The option is solely for debugging purposes (particularly the unit tests
of the project itself) and doesn't make sense to include it in the NixOS
module options.

If people want to use this, we might want to introduce another option so
that we can insert arbitrary configuration lines.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-10 21:37:12 +02:00
aszlig
64e566a49c
nixos/taskserver: Add module documentation
It's not by any means exhaustive, but we're still going to change the
implementation, so let's just use this as a starting point.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:12 +02:00
aszlig
8b793d1916
nixos/taskserver: Rename client.{allow,deny}
These values match against the client IDs only, so let's rename it to
something that actually reflects that. Having client.cert in the same
namespace also could lead to confusion, because the client.cert setting
is for the *debugging* client only.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-07 14:26:11 +02:00