Diffstat (limited to 'nixos/modules/services/security/cfssl.nix')
-rw-r--r-- | nixos/modules/services/security/cfssl.nix | 95 |
1 files changed, 54 insertions, 41 deletions
diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix
index e5bed0a9987c0..6df2343b84d22 100644
--- a/nixos/modules/services/security/cfssl.nix
+++ b/nixos/modules/services/security/cfssl.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 with lib;
@@ -11,7 +11,16 @@ in {
 dataDir = mkOption {
 default = "/var/lib/cfssl";
 type = types.path;
- description = "Cfssl work directory.";
+ description = ''
+ The work directory for CFSSL.
+
+ <note><para>
+ If left as the default value this directory will automatically be
+ created before the CFSSL server starts, otherwise you are
+ responsible for ensuring the directory exists with appropriate
+ ownership and permissions.
+ </para></note>
+ '';
 };
 address = mkOption {
@@ -22,7 +31,7 @@ in {
 port = mkOption {
 default = 8888;
- type = types.ints.u16;
+ type = types.port;
 description = "Port to bind.";
 };
@@ -147,13 +156,12 @@ in {
 };
 config = mkIf cfg.enable {
- users.extraGroups.cfssl = {
+ users.groups.cfssl = {
 gid = config.ids.gids.cfssl;
 };
- users.extraUsers.cfssl = {
+ users.users.cfssl = {
 description = "cfssl user";
- createHome = true;
 home = cfg.dataDir;
 group = "cfssl";
 uid = config.ids.uids.cfssl;
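Review bot: Dropping `createHome = true` from `users.users.cfssl` means that with a non-default `dataDir` nothing creates or chowns the directory any more, while `WorkingDirectory = cfg.dataDir` (set in the unit further down) makes the service fail to start if it is missing; the new option description says so, but the user declaration itself does not. A one-line comment next to `home = cfg.dataDir;` such as `# Not created here: the unit's StateDirectory handles the default path, a custom dataDir is the admin's job` would keep the two halves in sync for the next reader. The user entry also carries no `isSystemUser = true`; if this nixpkgs revision already asserts that exactly one of `isSystemUser`/`isNormalUser` is set, the evaluation fails, and if it does not yet, adding it anyway is harmless and matches the fixed `uid`. The enclosing `config = mkIf cfg.enable {` attribute set continues past this hunk.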
@@ -164,41 +172,46 @@ in {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- serviceConfig = {
- WorkingDirectory = cfg.dataDir;
- StateDirectory = cfg.dataDir;
- StateDirectoryMode = 700;
- Restart = "always";
- User = "cfssl";
-
- ExecStart = with cfg; let
- opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
- in
- lib.concatStringsSep " \\\n" [
- "${pkgs.cfssl}/bin/cfssl serve"
- (opt "address" address)
- (opt "port" (toString port))
- (opt "ca" ca)
- (opt "ca-key" caKey)
- (opt "ca-bundle" caBundle)
- (opt "int-bundle" intBundle)
- (opt "int-dir" intDir)
- (opt "metadata" metadata)
- (opt "remote" remote)
- (opt "config" configFile)
- (opt "responder" responder)
- (opt "responder-key" responderKey)
- (opt "tls-key" tlsKey)
- (opt "tls-cert" tlsCert)
- (opt "mutual-tls-ca" mutualTlsCa)
- (opt "mutual-tls-cn" mutualTlsCn)
- (opt "mutual-tls-client-key" mutualTlsClientKey)
- (opt "mutual-tls-client-cert" mutualTlsClientCert)
- (opt "tls-remote-ca" tlsRemoteCa)
- (opt "db-config" dbConfig)
- (opt "loglevel" (toString logLevel))
- ];
- };
+ serviceConfig = lib.mkMerge [
+ {
+ WorkingDirectory = cfg.dataDir;
+ Restart = "always";
+ User = "cfssl";
+ Group = "cfssl";
+
+ ExecStart = with cfg; let
+ opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
+ in
+ lib.concatStringsSep " \\\n" [
+ "${pkgs.cfssl}/bin/cfssl serve"
+ (opt "address" address)
+ (opt "port" (toString port))
+ (opt "ca" ca)
+ (opt "ca-key" caKey)
+ (opt "ca-bundle" caBundle)
+ (opt "int-bundle" intBundle)
+ (opt "int-dir" intDir)
+ (opt "metadata" metadata)
+ (opt "remote" remote)
+ (opt "config" configFile)
+ (opt "responder" responder)
+ (opt "responder-key" responderKey)
+ (opt "tls-key" tlsKey)
+ (opt "tls-cert" tlsCert)
+ (opt "mutual-tls-ca" mutualTlsCa)
+ (opt "mutual-tls-cn" mutualTlsCn)
+ (opt "mutual-tls-client-key" mutualTlsClientKey)
+ (opt "mutual-tls-client-cert" mutualTlsClientCert)
+ (opt "tls-remote-ca" tlsRemoteCa)
+ (opt "db-config" dbConfig)
+ (opt "loglevel" (toString logLevel))
+ ];
+ }
+ (mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
+ StateDirectory = baseNameOf cfg.dataDir;
+ StateDirectoryMode = 700;
+ })
+ ];
 };
 services.cfssl = { |
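Review bot: The `opt` helper in the new `serviceConfig` still splices every option value into `ExecStart` inside bare double quotes with no escaping, so a `ca-key`, `tls-key` or `dataDir` path containing `"`, `\`, `${` or `%` is mis-parsed by systemd's command-line parser (`%` is expanded as a specifier regardless of quoting), which for a CA can mean the key path is silently rewritten rather than rejected. These are admin-supplied values, so the exposure is misconfiguration rather than injection, but `opt = n: v: optionalString (v != null) "-${n}=${escapeShellArg (toString v)}";` (systemd accepts single-quoted words) covers everything except `%`, which should at least be called out in the option descriptions or rejected with an assertion. `StateDirectoryMode = 700` is written as an integer; systemd presumably parses it as octal so the result is 0700, but the rest of nixpkgs spells this `"0700"`, which avoids a reader taking it for decimal. Since this unit runs a CA with access to its private key, `NoNewPrivileges = true;` and `PrivateTmp = true;` in the first `mkMerge` element would be low-risk hardening independent of `dataDir`.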