colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #158167 from aanderse/nixos/cfssl

Browse Source 
nixos/cfssl: use systemd StateDirectory to provision the data directory
This commit is contained in:
Aaron Andersen 2022-02-07 08:02:52 -05:00 committed by GitHub
commit e85182268d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 53 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
nixos/modules/services/security/cfssl.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, options, lib, pkgs, ... }:
with lib;
@ -11,7 +11,16 @@ in {
dataDir = mkOption {
default = "/var/lib/cfssl";
type = types.path;
description = "Cfssl work directory.";
description = ''
The work directory for CFSSL.
<note><para>
If left as the default value this directory will automatically be
created before the CFSSL server starts, otherwise you are
responsible for ensuring the directory exists with appropriate
ownership and permissions.
</para></note>
'';
};
address = mkOption {
@ -22,7 +31,7 @@ in {
port = mkOption {
default = 8888;
type = types.ints.u16;
type = types.port;
description = "Port to bind.";
};
@ -147,13 +156,12 @@ in {
};
config = mkIf cfg.enable {
users.extraGroups.cfssl = {
users.groups.cfssl = {
gid = config.ids.gids.cfssl;
};
users.extraUsers.cfssl = {
users.users.cfssl = {
description = "cfssl user";
createHome = true;
home = cfg.dataDir;
group = "cfssl";
uid = config.ids.uids.cfssl;
@ -164,41 +172,46 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
WorkingDirectory = cfg.dataDir;
StateDirectory = cfg.dataDir;
StateDirectoryMode = 700;
Restart = "always";
User = "cfssl";
serviceConfig = lib.mkMerge [
{
WorkingDirectory = cfg.dataDir;
Restart = "always";
User = "cfssl";
Group = "cfssl";
ExecStart = with cfg; let
opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
in
lib.concatStringsSep " \\\n" [
"${pkgs.cfssl}/bin/cfssl serve"
(opt "address" address)
(opt "port" (toString port))
(opt "ca" ca)
(opt "ca-key" caKey)
(opt "ca-bundle" caBundle)
(opt "int-bundle" intBundle)
(opt "int-dir" intDir)
(opt "metadata" metadata)
(opt "remote" remote)
(opt "config" configFile)
(opt "responder" responder)
(opt "responder-key" responderKey)
(opt "tls-key" tlsKey)
(opt "tls-cert" tlsCert)
(opt "mutual-tls-ca" mutualTlsCa)
(opt "mutual-tls-cn" mutualTlsCn)
(opt "mutual-tls-client-key" mutualTlsClientKey)
(opt "mutual-tls-client-cert" mutualTlsClientCert)
(opt "tls-remote-ca" tlsRemoteCa)
(opt "db-config" dbConfig)
(opt "loglevel" (toString logLevel))
];
};
ExecStart = with cfg; let
opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
in
lib.concatStringsSep " \\\n" [
"${pkgs.cfssl}/bin/cfssl serve"
(opt "address" address)
(opt "port" (toString port))
(opt "ca" ca)
(opt "ca-key" caKey)
(opt "ca-bundle" caBundle)
(opt "int-bundle" intBundle)
(opt "int-dir" intDir)
(opt "metadata" metadata)
(opt "remote" remote)
(opt "config" configFile)
(opt "responder" responder)
(opt "responder-key" responderKey)
(opt "tls-key" tlsKey)
(opt "tls-cert" tlsCert)
(opt "mutual-tls-ca" mutualTlsCa)
(opt "mutual-tls-cn" mutualTlsCn)
(opt "mutual-tls-client-key" mutualTlsClientKey)
(opt "mutual-tls-client-cert" mutualTlsClientCert)
(opt "tls-remote-ca" tlsRemoteCa)
(opt "db-config" dbConfig)
(opt "loglevel" (toString logLevel))
];
}
(mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
StateDirectory = baseNameOf cfg.dataDir;
StateDirectoryMode = 700;
})
];
};
services.cfssl = {