author | Soispha <soispha@vhack.eu> | 2023-10-04 20:11:42 +0200 |
---|---|---|
committer | Soispha <soispha@vhack.eu> | 2023-10-16 17:20:00 +0200 |
commit | 1dd6f8d3b4d7dc93095e662aaca190d3fe1be264 (patch) | |
tree | a6b06ec7b3a400f22f41627f8497258fb6b8d6f1 /system/services/taskserver/default.nix | |
parent | fix(system/services/taskserver): declare certs/keys in pki.manual (diff) | |
feat(system/services/taskserver): Integrate Let's Encrypt certificates
The current setup now runs the `taskserver.vhack.eu` domain with a Let's Encrypt certificate and additionally uses a self-signed CA certificate to validate clients. The shell scripts used to generate the CA certificate and the derived client certificate (and keys) are taken nearly unmodified from the upstream repository [1]. [1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki
Diffstat (limited to 'system/services/taskserver/default.nix')
-rw-r--r-- | system/services/taskserver/default.nix | 30 |
1 files changed, 6 insertions, 24 deletions
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index afbd09c..7595700 100644
--- a/system/services/taskserver/default.nix
+++ b/system/services/taskserver/default.nix
@@ -3,28 +3,13 @@ in {
 services.taskserver = {
 enable = true;
- config = {
+ pki.manual = {
+ ca.cert = ./ca.cert.pem;
 server = {
- cert = "${taskStore}/fullchain.pem";
- key = "${taskStore}/privkey.pem";
- };
- };
- pki = {
- auto = {
- expiration = {
- server = 365;
- crl = 365;
- client = 365;
- ca = 365;
- };
- bits = 4096;
- };
- manual = {
- ca.cert = builtins.toPath "${taskStore}/cert.pem";
- server = {
- cert = builtins.toPath "${taskStore}/fullchain.pem";
- key = builtins.toPath "${taskStore}/privkey.pem";
- };
+ # FIXME(@soispha): These are put _world-readable_ in the nix store, which is
+ # obviously very bad. These values should be strings <2023-10-04>
+ cert = /. + "${taskStore}/fullchain.pem";
+ key = /. + "${taskStore}/privkey.pem";
 };
 };
 organisations = import ./organisations.nix;
@@ -43,15 +28,12 @@ in {
 set -x
 rm "${taskStore}/key.pem"
 rm "${taskStore}/fullchain.pem"
- rm "${taskStore}/cert.pem"
 cp key.pem "${taskStore}";
 cp fullchain.pem "${taskStore}";
- cp cert.pem "${taskStore}";
 chown taskd:taskd "${taskStore}/key.pem"
 chown taskd:taskd "${taskStore}/fullchain.pem"
- chown taskd:taskd "${taskStore}/cert.pem"
 '';
 };
 }
|
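Review bot: The new `pki.manual.server.cert`/`key` values are built with `/. + "${taskStore}/..."`, which makes them Nix path values, and as the inline FIXME itself admits that ends with the Let's Encrypt private key copied into the world-readable `/nix/store` on every rebuild rather than read from `${taskStore}` at runtime. The removed `config.server` block already had the shape that avoids the copy, so the two lines should stay plain strings: `cert = "${taskStore}/fullchain.pem";` and `key = "${taskStore}/privkey.pem";` (the module accepts string paths, so nothing else needs to change). Separately, the config points at `privkey.pem` while the script in the second hunk installs and chowns `key.pem`; unless a step outside the hunk renames the file, taskd will not find its key. That script also only `chown`s the copied key and never sets its mode, so the key's readability depends on the caller's umask; a `chmod 600 "${taskStore}/key.pem"` after the copy would pin it. Both the `services.taskserver` attribute set and the script string begin outside the hunks.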