From 67abfde6110bab513bcebccb894b38a0cc920150 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Fri, 4 Feb 2022 16:42:24 -0500
Subject: nixos/cfssl: use systemd StateDirectory to provision the data directory
---
 nixos/modules/services/security/cfssl.nix | 88 ++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 38 deletions(-)
(limited to 'nixos/modules/services/security/cfssl.nix')
diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix
index e5bed0a9987..9d4092d8814 100644
--- a/nixos/modules/services/security/cfssl.nix
+++ b/nixos/modules/services/security/cfssl.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 with lib;
@@ -11,7 +11,16 @@ in {
 dataDir = mkOption {
 default = "/var/lib/cfssl";
 type = types.path;
- description = "Cfssl work directory.";
+ description = ''
+ The work directory for CFSSL.
+
+
+ If left as the default value this directory will automatically be
+ created before the CFSSL server starts, otherwise you are
+ responsible for ensuring the directory exists with appropriate
+ ownership and permissions.
+
+ '';
 };
 address = mkOption {
@@ -153,7 +162,6 @@ in {
 users.extraUsers.cfssl = {
 description = "cfssl user";
- createHome = true;
 home = cfg.dataDir;
 group = "cfssl";
 uid = config.ids.uids.cfssl;
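Review bot: The new `dataDir` description says the default directory is "automatically created" but not by whom or with what permissions, which is the part an operator of a CA actually needs to know; the service hunk later in this commit provisions it through systemd's `StateDirectory=` with mode 0700 owned by the `cfssl` user. I would state that explicitly and give the expectation for custom paths, e.g. `If left as the default value this directory is created by systemd before the CFSSL server starts, owned by the cfssl user with mode 0700; otherwise you must create it yourself with the same ownership and a mode that keeps it private to that user, since the CA key and database may be kept there.` The "may be kept there" wording is deliberate, as this hunk does not show where `caKey` or the database default to.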
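Review bot: With `createHome = true` dropped while `home = cfg.dataDir` is kept, a non-default `dataDir` is no longer created by anything in the module, and since the unit sets `WorkingDirectory = cfg.dataDir` I expect systemd to refuse to start the service until the admin creates the directory by hand. If the intent is to force an explicit ownership decision for custom paths that is defensible, but it should at least be caught early: an assertion that the path is absolute and non-empty, or a `systemd.tmpfiles.rules` entry such as `"d ${cfg.dataDir} 0700 cfssl cfssl -"`, would preserve the 0700 guarantee for custom locations too. The `users.extraUsers.cfssl` attribute set closes outside the hunk.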
@@ -164,41 +172,45 @@ in {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- serviceConfig = {
- WorkingDirectory = cfg.dataDir;
- StateDirectory = cfg.dataDir;
- StateDirectoryMode = 700;
- Restart = "always";
- User = "cfssl";
-
- ExecStart = with cfg; let
- opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
- in
- lib.concatStringsSep " \\\n" [
- "${pkgs.cfssl}/bin/cfssl serve"
- (opt "address" address)
- (opt "port" (toString port))
- (opt "ca" ca)
- (opt "ca-key" caKey)
- (opt "ca-bundle" caBundle)
- (opt "int-bundle" intBundle)
- (opt "int-dir" intDir)
- (opt "metadata" metadata)
- (opt "remote" remote)
- (opt "config" configFile)
- (opt "responder" responder)
- (opt "responder-key" responderKey)
- (opt "tls-key" tlsKey)
- (opt "tls-cert" tlsCert)
- (opt "mutual-tls-ca" mutualTlsCa)
- (opt "mutual-tls-cn" mutualTlsCn)
- (opt "mutual-tls-client-key" mutualTlsClientKey)
- (opt "mutual-tls-client-cert" mutualTlsClientCert)
- (opt "tls-remote-ca" tlsRemoteCa)
- (opt "db-config" dbConfig)
- (opt "loglevel" (toString logLevel))
- ];
- };
+ serviceConfig = lib.mkMerge [
+ {
+ WorkingDirectory = cfg.dataDir;
+ Restart = "always";
+ User = "cfssl";
+
+ ExecStart = with cfg; let
+ opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
+ in
+ lib.concatStringsSep " \\\n" [
+ "${pkgs.cfssl}/bin/cfssl serve"
+ (opt "address" address)
+ (opt "port" (toString port))
+ (opt "ca" ca)
+ (opt "ca-key" caKey)
+ (opt "ca-bundle" caBundle)
+ (opt "int-bundle" intBundle)
+ (opt "int-dir" intDir)
+ (opt "metadata" metadata)
+ (opt "remote" remote)
+ (opt "config" configFile)
+ (opt "responder" responder)
+ (opt "responder-key" responderKey)
+ (opt "tls-key" tlsKey)
+ (opt "tls-cert" tlsCert)
+ (opt "mutual-tls-ca" mutualTlsCa)
+ (opt "mutual-tls-cn" mutualTlsCn)
+ (opt "mutual-tls-client-key" mutualTlsClientKey)
+ (opt "mutual-tls-client-cert" mutualTlsClientCert)
+ (opt "tls-remote-ca" tlsRemoteCa)
+ (opt "db-config" dbConfig)
+ (opt "loglevel" (toString logLevel))
+ ];
+ }
+ (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
+ StateDirectory = baseNameOf cfg.dataDir;
+ StateDirectoryMode = 700;
+ })
+ ];
 };
 services.cfssl = {
-- 
cgit 1.4.1
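Review bot: The `mkIf` at the end of the hunk only provisions the 0700 state directory when `dataDir` is string-equal to the option default, so an admin who moves the state anywhere else under /var/lib (say `/var/lib/cfssl-prod`) silently loses both the automatic creation and the restrictive mode, and as far as I can see `types.path` does not normalise, so even `/var/lib/cfssl/` with a trailing slash falls out of the branch. Since systemd accepts nested relative names in `StateDirectory=`, the same guarantee can cover every path below /var/lib with `(mkIf (lib.hasPrefix "/var/lib/" cfg.dataDir) {` and `StateDirectory = lib.removePrefix "/var/lib/" cfg.dataDir;`, keeping the `StateDirectoryMode = 700;` line as is (a bare `/var/lib/` would yield an empty name, so the prefix check should also require a non-empty remainder). Separately, the re-indented `opt` helper still splices option values into a double-quoted shell word (`''-${n}="${v}"''`), so a path containing `"` or `$` breaks or alters the command line; these values are admin-controlled, but `lib.escapeShellArg` would remove the foot-gun at no cost. The `systemd.services.cfssl` attribute set this hunk edits starts before the hunk.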