author | Aaron Andersen <aaron@fosslib.net> | 2022-02-04 16:42:24 -0500 |
committer | Aaron Andersen <aaron@fosslib.net> | 2022-02-05 18:53:28 -0500 |
commit | 67abfde6110bab513bcebccb894b38a0cc920150 (patch) | |
tree | 974c21faefb996a27a05ab963a530e8854f99428 /nixos/modules/services/security/cfssl.nix | |
parent | b9393b0c8276367da703c331204acd10d96b2ace (diff) | |
nixos/cfssl: use systemd StateDirectory to provision the data directory
Diffstat (limited to 'nixos/modules/services/security/cfssl.nix')
-rw-r--r-- | nixos/modules/services/security/cfssl.nix | 88 |
1 files changed, 50 insertions, 38 deletions
diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix
index e5bed0a9987..9d4092d8814 100644
--- a/nixos/modules/services/security/cfssl.nix
+++ b/nixos/modules/services/security/cfssl.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 with lib;
@@ -11,7 +11,16 @@ in {
 dataDir = mkOption {
 default = "/var/lib/cfssl";
 type = types.path;
- description = "Cfssl work directory.";
+ description = ''
+ The work directory for CFSSL.
+
+ <note><para>
+ If left as the default value this directory will automatically be
+ created before the CFSSL server starts, otherwise you are
+ responsible for ensuring the directory exists with appropriate
+ ownership and permissions.
+ </para></note>
+ '';
 };
 address = mkOption {
@@ -153,7 +162,6 @@ in {
 users.extraUsers.cfssl = {
 description = "cfssl user";
- createHome = true;
 home = cfg.dataDir;
 group = "cfssl";
 uid = config.ids.uids.cfssl;
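Review bot: The new dataDir description leaves "appropriate ownership and permissions" undefined, while the module itself provisions the default path as the cfssl user with StateDirectoryMode 700; with createHome dropped from users.extraUsers.cfssl in the third hunk, an admin who picks any other path now gets no directory at all and no stated target to match. State the expectation explicitly, e.g. `responsible for ensuring the directory exists, is owned by the cfssl user and is not readable by other accounts (the default is provisioned with mode 0700).` That matters because key material such as the configured caKey may be placed under this directory, and a pre-existing world-readable directory is not something the service can detect. It is also worth mentioning that the unit will presumably fail to start when the path is missing, since WorkingDirectory points at it, so the failure mode is loud rather than silent.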
@@ -164,41 +172,45 @@ in {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- serviceConfig = {
- WorkingDirectory = cfg.dataDir;
- StateDirectory = cfg.dataDir;
- StateDirectoryMode = 700;
- Restart = "always";
- User = "cfssl";
-
- ExecStart = with cfg; let
- opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
- in
- lib.concatStringsSep " \\\n" [
- "${pkgs.cfssl}/bin/cfssl serve"
- (opt "address" address)
- (opt "port" (toString port))
- (opt "ca" ca)
- (opt "ca-key" caKey)
- (opt "ca-bundle" caBundle)
- (opt "int-bundle" intBundle)
- (opt "int-dir" intDir)
- (opt "metadata" metadata)
- (opt "remote" remote)
- (opt "config" configFile)
- (opt "responder" responder)
- (opt "responder-key" responderKey)
- (opt "tls-key" tlsKey)
- (opt "tls-cert" tlsCert)
- (opt "mutual-tls-ca" mutualTlsCa)
- (opt "mutual-tls-cn" mutualTlsCn)
- (opt "mutual-tls-client-key" mutualTlsClientKey)
- (opt "mutual-tls-client-cert" mutualTlsClientCert)
- (opt "tls-remote-ca" tlsRemoteCa)
- (opt "db-config" dbConfig)
- (opt "loglevel" (toString logLevel))
- ];
- };
+ serviceConfig = lib.mkMerge [
+ {
+ WorkingDirectory = cfg.dataDir;
+ Restart = "always";
+ User = "cfssl";
+
+ ExecStart = with cfg; let
+ opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
+ in
+ lib.concatStringsSep " \\\n" [
+ "${pkgs.cfssl}/bin/cfssl serve"
+ (opt "address" address)
+ (opt "port" (toString port))
+ (opt "ca" ca)
+ (opt "ca-key" caKey)
+ (opt "ca-bundle" caBundle)
+ (opt "int-bundle" intBundle)
+ (opt "int-dir" intDir)
+ (opt "metadata" metadata)
+ (opt "remote" remote)
+ (opt "config" configFile)
+ (opt "responder" responder)
+ (opt "responder-key" responderKey)
+ (opt "tls-key" tlsKey)
+ (opt "tls-cert" tlsCert)
+ (opt "mutual-tls-ca" mutualTlsCa)
+ (opt "mutual-tls-cn" mutualTlsCn)
+ (opt "mutual-tls-client-key" mutualTlsClientKey)
+ (opt "mutual-tls-client-cert" mutualTlsClientCert)
+ (opt "tls-remote-ca" tlsRemoteCa)
+ (opt "db-config" dbConfig)
+ (opt "loglevel" (toString logLevel))
+ ];
+ }
+ (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
+ StateDirectory = baseNameOf cfg.dataDir;
+ StateDirectoryMode = 700;
+ })
+ ];
 };
 services.cfssl = { |
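Review bot: The mkIf guard that attaches StateDirectory only when cfg.dataDir equals the option default carries no explanation, and the reason is not visible from the code: StateDirectory= takes a name relative to /var/lib, so `baseNameOf cfg.dataDir` is only correct for that one path, which is why the old absolute `StateDirectory = cfg.dataDir` could not work. A comment above the mkIf would keep the next reader from widening the condition naively: `# StateDirectory= is relative to /var/lib, so systemd can only provision the default location; any other dataDir must exist (owned by cfssl, not world-readable) before the service starts.` If provisioning other locations under /var/lib is wanted, the condition could be `dirOf cfg.dataDir == "/var/lib"` instead, which would extend the owner and 0700 guarantees to those paths too, but the dataDir description would then have to say so. The enclosing systemd.services.cfssl attribute set starts before this hunk.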