nixos/modules/services/misc/taskserver/default.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-taskserver">
  <title>Taskserver</title>
  <para>
    Taskserver is the server component of
    <link xlink:href="https://taskwarrior.org/">Taskwarrior</link>, a
    free and open source todo list application.
  </para>
  <para>
    <emphasis>Upstream documentation:</emphasis>
    <link xlink:href="https://taskwarrior.org/docs/#taskd">https://taskwarrior.org/docs/#taskd</link>
  </para>
  <section xml:id="module-services-taskserver-configuration">
    <title>Configuration</title>
    <para>
      Taskserver does all of its authentication via TLS using client
      certificates, so you either need to roll your own CA or purchase a
      certificate from a known CA, which allows creation of client
      certificates. These certificates are usually advertised as
      <quote>server certificates</quote>.
    </para>
    <para>
      So in order to make it easier to handle your own CA, there is a
      helper tool called <command>nixos-taskserver</command> which
      manages the custom CA along with Taskserver organisations, users
      and groups.
    </para>
    <para>
      While the client certificates in Taskserver only authenticate
      whether a user is allowed to connect, every user has its own UUID
      which identifies it as an entity.
    </para>
    <para>
      With <command>nixos-taskserver</command> the client certificate is
      created along with the UUID of the user, so it handles all of the
      credentials needed in order to setup the Taskwarrior client to
      work with a Taskserver.
    </para>
  </section>
  <section xml:id="module-services-taskserver-nixos-taskserver-tool">
    <title>The nixos-taskserver tool</title>
    <para>
      Because Taskserver by default only provides scripts to setup users
      imperatively, the <command>nixos-taskserver</command> tool is used
      for addition and deletion of organisations along with users and
      groups defined by
      <xref linkend="opt-services.taskserver.organisations" /> and as
      well for imperative set up.
    </para>
    <para>
      The tool is designed to not interfere if the command is used to
      manually set up some organisations, users or groups.
    </para>
    <para>
      For example if you add a new organisation using
      <command>nixos-taskserver org add foo</command>, the organisation
      is not modified and deleted no matter what you define in
      <option>services.taskserver.organisations</option>, even if you’re
      adding the same organisation in that option.
    </para>
    <para>
      The tool is modelled to imitate the official
      <command>taskd</command> command, documentation for each
      subcommand can be shown by using the <option>--help</option>
      switch.
    </para>
  </section>
  <section xml:id="module-services-taskserver-declarative-ca-management">
    <title>Declarative/automatic CA management</title>
    <para>
      Everything is done according to what you specify in the module
      options, however in order to set up a Taskwarrior client for
      synchronisation with a Taskserver instance, you have to transfer
      the keys and certificates to the client machine.
    </para>
    <para>
      This is done using
      <command>nixos-taskserver user export $orgname $username</command>
      which is printing a shell script fragment to stdout which can
      either be used verbatim or adjusted to import the user on the
      client machine.
    </para>
    <para>
      For example, let’s say you have the following configuration:
    </para>
    <programlisting>
{
  services.taskserver.enable = true;
  services.taskserver.fqdn = &quot;server&quot;;
  services.taskserver.listenHost = &quot;::&quot;;
  services.taskserver.organisations.my-company.users = [ &quot;alice&quot; ];
}
</programlisting>
    <para>
      This creates an organisation called <literal>my-company</literal>
      with the user <literal>alice</literal>.
    </para>
    <para>
      Now in order to import the <literal>alice</literal> user to
      another machine <literal>alicebox</literal>, all we need to do is
      something like this:
    </para>
    <programlisting>
$ ssh server nixos-taskserver user export my-company alice | sh
</programlisting>
    <para>
      Of course, if no SSH daemon is available on the server you can
      also copy &amp; paste it directly into a shell.
    </para>
    <para>
      After this step the user should be set up and you can start
      synchronising your tasks for the first time with
      <command>task sync init</command> on <literal>alicebox</literal>.
    </para>
    <para>
      Subsequent synchronisation requests merely require the command
      <command>task sync</command> after that stage.
    </para>
  </section>
  <section xml:id="module-services-taskserver-manual-ca-management">
    <title>Manual CA management</title>
    <para>
      If you set any options within
      <link linkend="opt-services.taskserver.pki.manual.ca.cert">service.taskserver.pki.manual</link>.*,
      <command>nixos-taskserver</command> won’t issue certificates, but
      you can still use it for adding or removing user accounts.
    </para>
  </section>
</chapter>