nixos/cfssl: Add new module for cfssl #44127
Conversation
|
@GrahamcOfBorg test cfssl |
|
@johanot You need to have privileges in OfBorg for that. @GrahamcOfBorg test cfssl |
|
Success on aarch64-linux Attempted: tests.cfssl No partial log is available. |
|
Success on x86_64-linux (full log) Attempted: tests.cfssl Partial log (click to expand)
|
|
|
||
| dataDir = mkOption { | ||
| default = "/var/lib/cfssl"; | ||
| type = types.str; |
| in { | ||
| options.services.cfssl = { | ||
| enable = mkEnableOption '' | ||
| Whether to enable the CFSSL CA api-server. |
There was a problem hiding this comment.
Only use mkEnableOption "the CFSSL CA api-server" here, mkEnableOption adds the "Whether to enable" thing.
|
|
||
| port = mkOption { | ||
| default = 8888; | ||
| type = types.int; |
There was a problem hiding this comment.
You could use the newish types.ints.u16 to prevent users trying to assign an invalid port (have seen people do this)
| dataDir = mkOption { | ||
| default = "/var/lib/cfssl"; | ||
| type = types.str; | ||
| description = "cfssl work directory"; |
There was a problem hiding this comment.
All descriptions should end with a colon.
| }; | ||
|
|
||
| ca = mkOption { | ||
| default = "file:${cfg.dataDir}/ca.pem"; |
There was a problem hiding this comment.
I think doing it like this would make the module system rebuild the man pages and stuff when somebody changes cfg.dataDir. Using defaultText = "file:\${cfg.dataDir}/ca.pem", removing the default = , and setting services.cfssl.ca = "file:${cfg.dataDir}/ca.pem"` in the config section at the bottom should fix that.
Same with the caKey option.
|
|
||
| configFile = mkOption { | ||
| default = null; | ||
| type = types.nullOr types.str; # FIXME: types.nonStorePath, may contain secrets |
There was a problem hiding this comment.
I think it's the user's responsibility to know when secrets would end up in the nix store. There are also a lot of users for which that isn't much of a problem anyways because they encrypt their nix store and are the only users.
A warning in the description would be appropriate though. Same for the other options that have a FIXME.
|
|
||
| responderKey = mkOption { | ||
| default = null; | ||
| type = types.nullOr types.str; # FIXME: types.nonStorePath, secret |
There was a problem hiding this comment.
types.path, same for tlsKey and dbConfig.
| }; | ||
|
|
||
| config = { | ||
| users.extraGroups."cfssl" = { |
There was a problem hiding this comment.
Nit: cfssl doesn't need to be quoted, same with the one in users.extraUsers below.
| systemd.services.cfssl = mkIf cfg.enable { | ||
| description = "CFSSL CA API server"; | ||
| wantedBy = [ "multi-user.target" ]; | ||
|
|
There was a problem hiding this comment.
Add after = [ "network.target" ]; here to prevent it from starting before the basic network stuff is working.
|
@infinisil Thanks for feedback! Will do the necessary changes Monday. |
|
@infinisil please review: 16a3ed4 .. Keeping the commit separate for your convenience for now. Will squash if you approve the changes. |
| (opt "int-dir" intDir) | ||
| (opt "metadata" metadata) | ||
| (opt "remote" remote) | ||
| (opt "config" configFile) |
There was a problem hiding this comment.
I only just saw this, how does this config option interact with the other args? Because if it can provide all these values, then it would make sense to have a configFile option allowing you to pass your own config file (which would be passed via --config if it's set), and fall back to a generated config file from all the other options. Only the --config arg would need to be passed in both cases.
Edit: This also allows the user to not store secrets in the store, as they can provide their own config somewhere out of /nix/store.
There was a problem hiding this comment.
@infinisil I hear what you say. But the config file does not have the same options as the cmdline options. Ref: https://github.com/cloudflare/cfssl/blob/80d5f5b4cfe73f5a918b851f03d468eb28499131/config/config.go#L74
Unfortunately it's not well documented, but the config file contains an optional list of different profiles for CA-signing. While some flags overlap - like AuthConfig (remotes) and CN-constraints - others do not. Like Bind Address (only cmdline) and Cert content (expirty, constraints etc.) (only configfile).
|
@GrahamcOfBorg test cfssl |
|
Success on aarch64-linux Attempted: tests.cfssl No partial log is available. |
|
Success on x86_64-linux (full log) Attempted: tests.cfssl Partial log (click to expand)
|
|
@infinisil Thanks! Squash done. |
|
Oh wait, one minor thing: can you change the commit message to "nixos/cfssl: init"? |
- based on module originally written by @srhb - complies with available options in cfssl v1.3.2 - uid and gid 299 reserved in ids.nix - added simple nixos test case
|
Done :) |
|
Awesome, thanks :) |
|
The user creation is not guarded by the |
|
@lopsided98 I confirm seen them on my system. Can you open a separate issue so we can track it and fix it in a separate PR? Thx! |
|
On it. |
|
I'm writing a PR right now, the fix is pretty simple. |
|
@lopsided98 Oh, okay. |
|
See #45441 |
|
Whoops, totally missed that! |
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)