feat(system/services/taskserver): Integrate Let's Encrypt certificates

The current setup now runs the `taskserver.vhack.eu` domain with a
Let's Encrypt certificate and additionally uses a self-signed CA
certificate to validate clients.

The shell scripts used to generate the CA certificate and the derived
client certificate (and keys) are taken nearly unmodified from the
upstream repository [1].

[1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki

1 files changed, 41 insertions, 0 deletions

diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
new file mode 100755
index 0000000..253e4bb
--- /dev/null
+++ b/system/services/taskserver/certs/generate
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# For a public or production server, purchase a cert from a known CA, and skip
+# the next step.
+
+# For development, testing and personal server management, create a CA key and
+# cert, and use that to generate a server key and cert.  Creates:
+#   ca.key.pem
+#   ca.cert.pem
+#   server.key.pem
+#   server.cert.pem
+
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys";
+
+mkdir -p "$GENERATION_LOCATION"
+cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION"
+cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
+
+./generate.ca
+
+# Generate a certificate revocation list (CRL).  The initial CRL is empty, but
+# can grow over time.  Creates:
+#   server.crl.pem
+
+./generate.crl
+
+# The above is sufficient to operate a server. You now need to run a client cert creation
+# process per client; Add the required client names and uncomment
+# ./generate.client <client_name>
+#
+./generate.client soispha
+./generate.client android-mobile
+./generate.client android-tab
+#
+# Creates:
+#   <client_name>.key.pem
+#   <client_name>.cert.pem
+
+
+rm ./vars ./generate.ca ./generate.crl ./generate.client
+echo "(INFO) Look for the keys at: $GENERATION_LOCATION"