Diffstat (limited to 'nixos/modules/services/misc/taskserver')
-rw-r--r--nixos/modules/services/misc/taskserver/default.nix22
-rw-r--r--nixos/modules/services/misc/taskserver/helper-tool.py54
2 files changed, 51 insertions, 25 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 3a53431939b..dc73ad26eb6 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -118,6 +118,8 @@ let
 
   mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'";
 
+  certtool = "${pkgs.gnutls}/bin/certtool";
+
   nixos-taskserver = pkgs.buildPythonPackage {
     name = "nixos-taskserver";
     namePrefix = "";
@@ -126,8 +128,7 @@ let
       mkdir -p "$out"
       cat "${pkgs.substituteAll {
         src = ./helper-tool.py;
-        certtool = "${pkgs.gnutls}/bin/certtool";
-        inherit taskd;
+        inherit taskd certtool;
         inherit (cfg) dataDir user group fqdn;
       }}" > "$out/main.py"
       cat > "$out/setup.py" <<EOF
@@ -351,14 +352,21 @@ in {
       serviceConfig.UMask = "0077";
 
       script = ''
+        silent_certtool() {
+          if ! output="$("${certtool}" "$@" 2>&1)"; then
+            echo "GNUTLS certtool invocation failed with output:" >&2
+            echo "$output" >&2
+          fi
+        }
+
         mkdir -m 0700 -p "${cfg.dataDir}/keys"
         chown root:root "${cfg.dataDir}/keys"
 
         if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
-          ${pkgs.gnutls}/bin/certtool -p \
+          silent_certtool -p \
             --bits 2048 \
             --outfile "${cfg.dataDir}/keys/ca.key"
-          ${pkgs.gnutls}/bin/certtool -s \
+          silent_certtool -s \
             --template "${pkgs.writeText "taskserver-ca.template" ''
               cn = ${cfg.fqdn}
               cert_signing_key
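Review bot: `silent_certtool` (L38–L43) swallows certtool's exit status: when the command fails the then-branch runs two `echo`s and the function falls through, so it returns 0 and a failed CA/server key or certificate generation no longer stops the script — the direct invocations it replaces would have, assuming this unit script runs under the usual `set -e`. The next steps then operate on a missing or partial `ca.key`/`server.key`, which is worse than the noisy failure the commit is trying to quiet. Add `return 1` after `echo "$output" >&2` (and declare `local output` at the top of the function so the capture does not leak into the script's scope); the same concern applies to the `silent_certtool` call sites in the hunks at L58 and L72.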
@@ -372,11 +380,11 @@ in {
         fi
 
         if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
-          ${pkgs.gnutls}/bin/certtool -p \
+          silent_certtool -p \
             --bits 2048 \
             --outfile "${cfg.dataDir}/keys/server.key"
 
-          ${pkgs.gnutls}/bin/certtool -c \
+          silent_certtool -c \
             --template "${pkgs.writeText "taskserver-cert.template" ''
               cn = ${cfg.fqdn}
               tls_www_server
@@ -398,7 +406,7 @@ in {
         fi
 
         if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
-          ${pkgs.gnutls}/bin/certtool --generate-crl \
+          silent_certtool --generate-crl \
             --template "${pkgs.writeText "taskserver-crl.template" ''
               expiration_days = 3650
             ''}" \
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index cd712332e03..30dcfe0a7a2 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -69,6 +69,24 @@ def taskd_cmd(cmd, *args, **kwargs):
     )
 
 
+def certtool_cmd(*args, **kwargs):
+    """
+    Invoke certtool from GNUTLS and return the output of the command.
+
+    The provided arguments are added to the certtool command and keyword
+    arguments are added to subprocess.check_output().
+
+    Note that this will suppress all output of certtool and it will only be
+    printed whenever there is an unsuccessful return code.
+    """
+    return subprocess.check_output(
+        [CERTTOOL_COMMAND] + list(args),
+        preexec_fn=lambda: os.umask(0077),
+        stderr=subprocess.STDOUT,
+        **kwargs
+    )
+
+
 def label(msg):
     if sys.stdout.isatty() or sys.stderr.isatty():
         sys.stderr.write(msg + "\n")
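Review bot: The docstring of `certtool_cmd` says the captured output "will only be printed whenever there is an unsuccessful return code", but the body does not do that: `subprocess.check_output` raises `CalledProcessError` on a non-zero exit and the output is only attached to the exception, which the visible callers (`generate_key`, `revoke_key` in the later hunks) re-raise or propagate without printing. The merged stdout/stderr diagnostic that explains why key or certificate generation failed is therefore lost, and the user sees only the exit status. Either adjust the docstring to say the output is available as `CalledProcessError.output`, or catch the error, write the output to stderr and re-raise, as below; `sys` is already imported (it is used by `label`). The `preexec_fn` umask of 0077 is what keeps the generated private-key files from being world-readable, so it should stay in place in either variant.
```python
def certtool_cmd(*args, **kwargs):
    # … unchanged: docstring …
    try:
        return subprocess.check_output(
            [CERTTOOL_COMMAND] + list(args),
            preexec_fn=lambda: os.umask(0077),
            stderr=subprocess.STDOUT,
            **kwargs
        )
    except subprocess.CalledProcessError as err:
        # Surface the merged certtool output before propagating the failure.
        sys.stderr.write("GNUTLS certtool invocation failed with output:\n")
        sys.stderr.write(err.output)
        raise
```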
@@ -113,8 +131,7 @@ def generate_key(org, user):
     try:
         os.makedirs(basedir, mode=0700)
 
-        cmd = [CERTTOOL_COMMAND, "-p", "--bits", "2048", "--outfile", privkey]
-        subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+        certtool_cmd("-p", "--bits", "2048", "--outfile", privkey)
 
         template_data = [
             "organization = {0}".format(org),
@@ -125,13 +142,14 @@ def generate_key(org, user):
         ]
 
         with create_template(template_data) as template:
-            cmd = [CERTTOOL_COMMAND, "-c",
-                   "--load-privkey", privkey,
-                   "--load-ca-privkey", cakey,
-                   "--load-ca-certificate", cacert,
-                   "--template", template,
-                   "--outfile", pubcert]
-            subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+            certtool_cmd(
+                "-c",
+                "--load-privkey", privkey,
+                "--load-ca-privkey", cakey,
+                "--load-ca-certificate", cacert,
+                "--template", template,
+                "--outfile", pubcert
+            )
     except:
         rmtree(basedir)
         raise
@@ -152,15 +170,15 @@ def revoke_key(org, user):
         oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
         oldcrl.write(open(crl, "rb").read())
         oldcrl.flush()
-        cmd = [CERTTOOL_COMMAND,
-               "--generate-crl",
-               "--load-crl", oldcrl.name,
-               "--load-ca-privkey", cakey,
-               "--load-ca-certificate", cacert,
-               "--load-certificate", pubcert,
-               "--template", template,
-               "--outfile", crl]
-        subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+        certtool_cmd(
+            "--generate-crl",
+            "--load-crl", oldcrl.name,
+            "--load-ca-privkey", cakey,
+            "--load-ca-certificate", cacert,
+            "--load-certificate", pubcert,
+            "--template", template,
+            "--outfile", crl
+        )
         oldcrl.close()
     rmtree(basedir)