Diffstat (limited to '')
-rw-r--r-- | system/services/taskserver/default.nix | 30 |
1 files changed, 6 insertions, 24 deletions
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index afbd09c..7595700 100644
--- a/system/services/taskserver/default.nix
+++ b/system/services/taskserver/default.nix
@@ -3,28 +3,13 @@ in {
 services.taskserver = {
 enable = true;
- config = {
+ pki.manual = {
+ ca.cert = ./ca.cert.pem;
 server = {
- cert = "${taskStore}/fullchain.pem";
- key = "${taskStore}/privkey.pem";
- };
- };
- pki = {
- auto = {
- expiration = {
- server = 365;
- crl = 365;
- client = 365;
- ca = 365;
- };
- bits = 4096;
- };
- manual = {
- ca.cert = builtins.toPath "${taskStore}/cert.pem";
- server = {
- cert = builtins.toPath "${taskStore}/fullchain.pem";
- key = builtins.toPath "${taskStore}/privkey.pem";
- };
+ # FIXME(@soispha): These are put _world-readable_ in the nix store, which is
+ # obviously very bad. These values should be strings <2023-10-04>
+ cert = /. + "${taskStore}/fullchain.pem";
+ key = /. + "${taskStore}/privkey.pem";
 };
 };
 organisations = import ./organisations.nix;
@@ -43,15 +28,12 @@ in {
 set -x
 rm "${taskStore}/key.pem"
 rm "${taskStore}/fullchain.pem"
- rm "${taskStore}/cert.pem"
 cp key.pem "${taskStore}";
 cp fullchain.pem "${taskStore}";
- cp cert.pem "${taskStore}";
 chown taskd:taskd "${taskStore}/key.pem"
 chown taskd:taskd "${taskStore}/fullchain.pem"
- chown taskd:taskd "${taskStore}/cert.pem"
 '';
 };
 }
|
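Review bot: The added `key = /. + "${taskStore}/privkey.pem";` under `pki.manual.server` makes the TLS private key a Nix path value, so, as the FIXME above it already says, the key is copied into the world-readable Nix store where any local user can read it. Passing the locations as plain strings would keep the key out of the store, i.e. `cert = "${taskStore}/fullchain.pem";` and `key = "${taskStore}/privkey.pem";`, assuming the option type accepts an absolute-path string (confirm against the nixpkgs taskserver module). If this revision was ever built, the key presumably already sits in the store and should be treated as exposed and rotated. Separately, the script lines visible in the second hunk install `key.pem`, not `privkey.pem`, so the configured key path may not match the file that is deployed; the script begins outside the hunk, so this needs checking against the full file.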