authoraszlig <aszlig@redmoonstudios.org>2016-04-12 02:16:35 +0200
committeraszlig <aszlig@redmoonstudios.org>2016-04-12 02:16:35 +0200
commit9586795ef27ac4d406c10c12f92fc735b5f4ff24 (patch)
tree71a7cfba816e7d27c301368686d5ed91453267c9 /nixos/modules
parentcfb6ce2abed2c96d0f5af268e2d22322f47831ed (diff)
nixos/taskserver: Silence certtool everywhere
We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/misc/taskserver/default.nix22
-rw-r--r--nixos/modules/services/misc/taskserver/helper-tool.py54
2 files changed, 51 insertions, 25 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 3a53431939b..dc73ad26eb6 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -118,6 +118,8 @@ let
 
   mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'";
 
+  certtool = "${pkgs.gnutls}/bin/certtool";
+
   nixos-taskserver = pkgs.buildPythonPackage {
     name = "nixos-taskserver";
     namePrefix = "";
@@ -126,8 +128,7 @@ let
       mkdir -p "$out"
       cat "${pkgs.substituteAll {
         src = ./helper-tool.py;
-        certtool = "${pkgs.gnutls}/bin/certtool";
-        inherit taskd;
+        inherit taskd certtool;
         inherit (cfg) dataDir user group fqdn;
       }}" > "$out/main.py"
       cat > "$out/setup.py" <<EOF
@@ -351,14 +352,21 @@ in {
       serviceConfig.UMask = "0077";
 
       script = ''
+        silent_certtool() {
+          if ! output="$("${certtool}" "$@" 2>&1)"; then
+            echo "GNUTLS certtool invocation failed with output:" >&2
+            echo "$output" >&2
+          fi
+        }
+
         mkdir -m 0700 -p "${cfg.dataDir}/keys"
         chown root:root "${cfg.dataDir}/keys"
 
         if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
-          ${pkgs.gnutls}/bin/certtool -p \
+          silent_certtool -p \
             --bits 2048 \
             --outfile "${cfg.dataDir}/keys/ca.key"
-          ${pkgs.gnutls}/bin/certtool -s \
+          silent_certtool -s \
             --template "${pkgs.writeText "taskserver-ca.template" ''
               cn = ${cfg.fqdn}
               cert_signing_key
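Review bot: `silent_certtool`, defined right after `script = ''`, reports a failed certtool run but still returns success, because a shell function's status is that of its last command and here that is the second `echo`; the failure is therefore never propagated, the script continues to the next certtool call, and if the unit script runs under `set -e` that safety net is bypassed as well. Add `return 1` after `echo "$output" >&2` so callers see the failure. This matters because the `[ ! -e "${cfg.dataDir}/keys/ca.key" ]` guard means whatever a failed run left at that path would be kept and never regenerated on later starts; whether certtool leaves a partial `--outfile` behind on error I cannot confirm from this page. The `script` block continues beyond this hunk.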
@@ -372,11 +380,11 @@ in {
         fi
 
         if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
-          ${pkgs.gnutls}/bin/certtool -p \
+          silent_certtool -p \
             --bits 2048 \
             --outfile "${cfg.dataDir}/keys/server.key"
 
-          ${pkgs.gnutls}/bin/certtool -c \
+          silent_certtool -c \
             --template "${pkgs.writeText "taskserver-cert.template" ''
               cn = ${cfg.fqdn}
               tls_www_server
@@ -398,7 +406,7 @@ in {
         fi
 
         if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
-          ${pkgs.gnutls}/bin/certtool --generate-crl \
+          silent_certtool --generate-crl \
             --template "${pkgs.writeText "taskserver-crl.template" ''
               expiration_days = 3650
             ''}" \
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index cd712332e03..30dcfe0a7a2 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -69,6 +69,24 @@ def taskd_cmd(cmd, *args, **kwargs):
     )
 
 
+def certtool_cmd(*args, **kwargs):
+    """
+    Invoke certtool from GNUTLS and return the output of the command.
+
+    The provided arguments are added to the certtool command and keyword
+    arguments are added to subprocess.check_output().
+
+    Note that this will suppress all output of certtool and it will only be
+    printed whenever there is an unsuccessful return code.
+    """
+    return subprocess.check_output(
+        [CERTTOOL_COMMAND] + list(args),
+        preexec_fn=lambda: os.umask(0077),
+        stderr=subprocess.STDOUT,
+        **kwargs
+    )
+
+
 def label(msg):
     if sys.stdout.isatty() or sys.stderr.isatty():
         sys.stderr.write(msg + "\n")
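Review bot: The docstring of `certtool_cmd` says certtool's output "will only be printed whenever there is an unsuccessful return code", but nothing in the function prints it: `check_output` raises `CalledProcessError`, whose message in this Python 2 code (note the `0077` literal) names only the command and status, and the captured output is only reachable through `.output`, which the callers changed in this commit never read. So a failed key, certificate or CRL generation now reports less than before the change. Catch the error, write `e.output` to stderr and re-raise, which also matches the `silent_certtool` wrapper added to default.nix in the same commit.
```python
def certtool_cmd(*args, **kwargs):
    # … unchanged: docstring …
    try:
        return subprocess.check_output(
            [CERTTOOL_COMMAND] + list(args),
            preexec_fn=lambda: os.umask(0077),
            stderr=subprocess.STDOUT,
            **kwargs
        )
    except subprocess.CalledProcessError as e:
        sys.stderr.write("GNUTLS certtool invocation failed with output:\n")
        sys.stderr.write(e.output)
        raise
```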
@@ -113,8 +131,7 @@ def generate_key(org, user):
     try:
         os.makedirs(basedir, mode=0700)
 
-        cmd = [CERTTOOL_COMMAND, "-p", "--bits", "2048", "--outfile", privkey]
-        subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+        certtool_cmd("-p", "--bits", "2048", "--outfile", privkey)
 
         template_data = [
             "organization = {0}".format(org),
@@ -125,13 +142,14 @@ def generate_key(org, user):
         ]
 
         with create_template(template_data) as template:
-            cmd = [CERTTOOL_COMMAND, "-c",
-                   "--load-privkey", privkey,
-                   "--load-ca-privkey", cakey,
-                   "--load-ca-certificate", cacert,
-                   "--template", template,
-                   "--outfile", pubcert]
-            subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+            certtool_cmd(
+                "-c",
+                "--load-privkey", privkey,
+                "--load-ca-privkey", cakey,
+                "--load-ca-certificate", cacert,
+                "--template", template,
+                "--outfile", pubcert
+            )
     except:
         rmtree(basedir)
         raise
@@ -152,15 +170,15 @@ def revoke_key(org, user):
         oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
         oldcrl.write(open(crl, "rb").read())
         oldcrl.flush()
-        cmd = [CERTTOOL_COMMAND,
-               "--generate-crl",
-               "--load-crl", oldcrl.name,
-               "--load-ca-privkey", cakey,
-               "--load-ca-certificate", cacert,
-               "--load-certificate", pubcert,
-               "--template", template,
-               "--outfile", crl]
-        subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+        certtool_cmd(
+            "--generate-crl",
+            "--load-crl", oldcrl.name,
+            "--load-ca-privkey", cakey,
+            "--load-ca-certificate", cacert,
+            "--load-certificate", pubcert,
+            "--template", template,
+            "--outfile", crl
+        )
         oldcrl.close()
     rmtree(basedir)
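Review bot: The regenerated CRL is written directly onto the live path via `"--outfile", crl`, so a certtool failure or interruption mid-write could leave `server.crl` truncated while the only copy of the previous CRL is the temp file `oldcrl`, which is discarded; whether certtool writes `--outfile` atomically I cannot confirm from this page. Writing to a sibling path and renaming keeps the old CRL intact until the new one is complete: use `"--outfile", crl + ".tmp"` in the call and add `os.rename(crl + ".tmp", crl)` right after it (the `umask(0077)` set through `preexec_fn` still governs the temp file's mode, and rename preserves it). It is worth noting that a raised `CalledProcessError` also skips the `rmtree(basedir)` at the end, which looks correct, since a key whose revocation did not land should not be forgotten. `revoke_key` starts before this hunk.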