Diffstat (limited to 'nixos/modules/services/misc')
-rw-r--r-- | nixos/modules/services/misc/taskserver/default.nix | 22 | ||||
-rw-r--r-- | nixos/modules/services/misc/taskserver/helper-tool.py | 54 |
2 files changed, 51 insertions, 25 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index 3a53431939b..dc73ad26eb6 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -118,6 +118,8 @@ let
 mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'";
+ certtool = "${pkgs.gnutls}/bin/certtool";
+
 nixos-taskserver = pkgs.buildPythonPackage {
 name = "nixos-taskserver";
 namePrefix = "";
@@ -126,8 +128,7 @@ let
 mkdir -p "$out"
 cat "${pkgs.substituteAll {
 src = ./helper-tool.py;
- certtool = "${pkgs.gnutls}/bin/certtool";
- inherit taskd;
+ inherit taskd certtool;
 inherit (cfg) dataDir user group fqdn;
 }}" > "$out/main.py"
 cat > "$out/setup.py" <<EOF
@@ -351,14 +352,21 @@ in {
 serviceConfig.UMask = "0077";
 script = ''
+ silent_certtool() {
+ if ! output="$("${certtool}" "$@" 2>&1)"; then
+ echo "GNUTLS certtool invocation failed with output:" >&2
+ echo "$output" >&2
+ fi
+ }
+
 mkdir -m 0700 -p "${cfg.dataDir}/keys"
 chown root:root "${cfg.dataDir}/keys"
 if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
- ${pkgs.gnutls}/bin/certtool -p \
+ silent_certtool -p \
 --bits 2048 \
 --outfile "${cfg.dataDir}/keys/ca.key"
- ${pkgs.gnutls}/bin/certtool -s \
+ silent_certtool -s \
 --template "${pkgs.writeText "taskserver-ca.template" ''
 cn = ${cfg.fqdn}
 cert_signing_key
@@ -372,11 +380,11 @@ in {
 fi
 if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
- ${pkgs.gnutls}/bin/certtool -p \
+ silent_certtool -p \
 --bits 2048 \
 --outfile "${cfg.dataDir}/keys/server.key"
- ${pkgs.gnutls}/bin/certtool -c \
+ silent_certtool -c \
 --template "${pkgs.writeText "taskserver-cert.template" ''
 cn = ${cfg.fqdn}
 tls_www_server
@@ -398,7 +406,7 @@ in {
 fi
 if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
- ${pkgs.gnutls}/bin/certtool --generate-crl \
+ silent_certtool --generate-crl \
 --template "${pkgs.writeText "taskserver-crl.template" ''
 expiration_days = 3650
 ''}" \
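Review bot: `silent_certtool` in the @@ -351 hunk reports a failed certtool run but then returns success, because an `if ! …; then … fi` statement exits 0 once its body completes, so the earlier behaviour of the direct `${pkgs.gnutls}/bin/certtool` call aborting the unit script on error (NixOS runs `script` under errexit, as far as I recall) is lost. The script continues past a failed key or certificate generation and taskd is later started with missing or partial material under `${cfg.dataDir}/keys`; the same applies to the call sites rewritten in the @@ -372 and @@ -398 hunks. Add `return 1` after the `echo "$output" >&2` line so the failure still stops the script, or run the command outside the `if` and capture `$?` if the exact exit status should be propagated. The `script` string continues past the end of the last hunk.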
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index cd712332e03..30dcfe0a7a2 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -69,6 +69,24 @@ def taskd_cmd(cmd, *args, **kwargs):
 )
+def certtool_cmd(*args, **kwargs):
+ """
+ Invoke certtool from GNUTLS and return the output of the command.
+
+ The provided arguments are added to the certtool command and keyword
+ arguments are added to subprocess.check_output().
+
+ Note that this will suppress all output of certtool and it will only be
+ printed whenever there is an unsuccessful return code.
+ """
+ return subprocess.check_output(
+ [CERTTOOL_COMMAND] + list(args),
+ preexec_fn=lambda: os.umask(0077),
+ stderr=subprocess.STDOUT,
+ **kwargs
+ )
+
+
 def label(msg):
 if sys.stdout.isatty() or sys.stderr.isatty():
 sys.stderr.write(msg + "\n")
@@ -113,8 +131,7 @@ def generate_key(org, user):
 try:
 os.makedirs(basedir, mode=0700)
- cmd = [CERTTOOL_COMMAND, "-p", "--bits", "2048", "--outfile", privkey]
- subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+ certtool_cmd("-p", "--bits", "2048", "--outfile", privkey)
 template_data = [
 "organization = {0}".format(org),
@@ -125,13 +142,14 @@ def generate_key(org, user):
 ]
 with create_template(template_data) as template:
- cmd = [CERTTOOL_COMMAND, "-c",
- "--load-privkey", privkey,
- "--load-ca-privkey", cakey,
- "--load-ca-certificate", cacert,
- "--template", template,
- "--outfile", pubcert]
- subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+ certtool_cmd(
+ "-c",
+ "--load-privkey", privkey,
+ "--load-ca-privkey", cakey,
+ "--load-ca-certificate", cacert,
+ "--template", template,
+ "--outfile", pubcert
+ )
 except:
 rmtree(basedir)
 raise
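Review bot: The docstring of `certtool_cmd` in the @@ -69 hunk promises that certtool's output "will only be printed whenever there is an unsuccessful return code", but nothing in the function prints anything: `subprocess.check_output` raises `subprocess.CalledProcessError` on a non-zero exit, and the stdout/stderr merged via `stderr=subprocess.STDOUT` is then only reachable as that exception's `.output` attribute. Unless a caller outside this hunk catches the exception and prints that attribute, the captured diagnostics are silently lost, which is the opposite of what the docstring states. I would reword the last paragraph to `Output is captured; on a non-zero exit status subprocess.CalledProcessError is raised, with the combined stdout/stderr available as its .output attribute.` A caller passing `stderr=` through `**kwargs` would also hit a duplicate-keyword TypeError, which is worth a sentence in the docstring or a guard.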
@@ -152,15 +170,15 @@ def revoke_key(org, user):
 oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
 oldcrl.write(open(crl, "rb").read())
 oldcrl.flush()
- cmd = [CERTTOOL_COMMAND,
- "--generate-crl",
- "--load-crl", oldcrl.name,
- "--load-ca-privkey", cakey,
- "--load-ca-certificate", cacert,
- "--load-certificate", pubcert,
- "--template", template,
- "--outfile", crl]
- subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+ certtool_cmd(
+ "--generate-crl",
+ "--load-crl", oldcrl.name,
+ "--load-ca-privkey", cakey,
+ "--load-ca-certificate", cacert,
+ "--load-certificate", pubcert,
+ "--template", template,
+ "--outfile", crl
+ )
 oldcrl.close()
 rmtree(basedir) |
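Review bot: The rewritten `certtool_cmd(...)` call in `revoke_key` still regenerates the CRL directly into `crl` via `--outfile`, so if certtool fails after opening its output file (I believe it opens `--outfile` before doing the work — worth confirming) the live CRL is left empty or partial while the only intact copy, the `oldcrl` temporary, is presumably deleted once the exception propagates and the handle is collected. A CRL that no longer lists previously revoked certificates is a security regression, not merely a failed command, and the `CalledProcessError` that now carries certtool's output is not caught anywhere in the hunk. I would wrap the call so the previous CRL is written back from `oldcrl.name` on `subprocess.CalledProcessError` before re-raising, keeping the file's existing mode and ownership. The enclosing `with create_template(...)` block and the function's start lie outside the hunk.
```python
            try:
                certtool_cmd(
                    "--generate-crl",
                    # … unchanged: remaining certtool arguments …
                    "--outfile", crl
                )
            except subprocess.CalledProcessError:
                # certtool may have truncated crl before failing; put the
                # previous CRL back so earlier revocations are not lost.
                with open(crl, "wb") as restore:
                    restore.write(open(oldcrl.name, "rb").read())
                raise
            oldcrl.close()
```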