From 0141b4887d5db012ca231f4e907ffe617f3617a6 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@redmoonstudios.org>
Date: Tue, 5 Apr 2016 17:47:27 +0200
Subject: [PATCH] nixos/taskserver: Use nixos-taskdctl in preStart

Finally, this is where we declaratively set up our organisations and
users/groups, which looks like this in the system configuration:

services.taskserver.organisations.NixOS.users = [ "alice" "bob" ];

This automatically sets up "alice" and "bob" for the "NixOS"
organisation, generates the required client keys and signs it via the
CA.

However, we still need to use nixos-taskdctl export-user in order to
import these certificates on the client.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
---
 nixos/modules/services/misc/taskserver.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nixos/modules/services/misc/taskserver.nix b/nixos/modules/services/misc/taskserver.nix
index 00cde305efa5..992c13401e50 100644
--- a/nixos/modules/services/misc/taskserver.nix
+++ b/nixos/modules/services/misc/taskserver.nix
@@ -719,8 +719,24 @@ in {
 
       environment.TASKDDATA = cfg.dataDir;
 
+      preStart = ''
+        ${concatStrings (mapAttrsToList (orgName: attrs: ''
+          ${ctlcmd} add-org ${mkShellStr orgName}
+
+          ${concatMapStrings (user: ''
+            echo Creating ${user} >&2
+            ${ctlcmd} add-user ${mkShellStr orgName} ${mkShellStr user}
+          '') attrs.users}
+
+          ${concatMapStrings (group: ''
+            ${ctlcmd} add-group ${mkShellStr orgName} ${mkShellStr user}
+          '') attrs.groups}
+        '') cfg.organisations)}
+      '';
+
       serviceConfig = {
         ExecStart = "@${taskd} taskd server";
+        PermissionsStartOnly = true;
         User = cfg.user;
         Group = cfg.group;
       };