summary refs log tree commit diff stats
path: root/system/services
diff options
context:
space:
mode:
Diffstat (limited to 'system/services')
-rw-r--r--system/services/default.nix1
-rw-r--r--system/services/etebase/default.nix42
-rw-r--r--system/services/nix/default.nix1
-rw-r--r--system/services/taskserver/certs/ca.cert.pem (renamed from system/services/taskserver/ca.cert.pem)0
-rw-r--r--system/services/taskserver/certs/ca.key.pem.gpgbin0 -> 13824 bytes
-rwxr-xr-xsystem/services/taskserver/certs/check_expire6
-rwxr-xr-xsystem/services/taskserver/certs/generate21
-rwxr-xr-xsystem/services/taskserver/certs/generate.ca2
-rwxr-xr-xsystem/services/taskserver/certs/generate.client20
-rwxr-xr-xsystem/services/taskserver/certs/generate.crl2
-rw-r--r--system/services/taskserver/certs/isrgrootx1.pem31
-rw-r--r--system/services/taskserver/default.nix7
12 files changed, 109 insertions, 24 deletions
diff --git a/system/services/default.nix b/system/services/default.nix
index 9998e43..e269dbc 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,5 +1,6 @@
 {...}: {
   imports = [
+    ./etebase
     ./fail2ban
     ./invidious
     ./keycloak
diff --git a/system/services/etebase/default.nix b/system/services/etebase/default.nix
new file mode 100644
index 0000000..65cc435
--- /dev/null
+++ b/system/services/etebase/default.nix
@@ -0,0 +1,42 @@
+{config, ...}: {
+  services.etebase-server = {
+    enable = true;
+    port = 8001;
+    settings = {
+      global.secret_file = "${config.age.secrets.etebase-server.path}";
+      allowed_hosts = {
+        allowed_host1 = "etebase.vhack.eu";
+        allowed_host2 = "dav.vhack.eu";
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "etebase.vhack.eu" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations = {
+          # TODO: Maybe fix permissions to use pregenerated static files which would
+          # improve performance.
+          #"/static" = {
+          #  root = config.services.etebase-server.settings.global.static_root;
+          #};
+          "/" = {
+            proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
+          };
+        };
+        serverAliases = [
+          "dav.vhack.eu"
+        ];
+      };
+    };
+  };
+}
diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix
index ec5fe5d..13be0f0 100644
--- a/system/services/nix/default.nix
+++ b/system/services/nix/default.nix
@@ -15,6 +15,7 @@
       experimental-features = ["nix-command" "flakes"];
       trusted-users = [
         "root"
+        "nixremote"
         "@wheel"
       ];
     };
diff --git a/system/services/taskserver/ca.cert.pem b/system/services/taskserver/certs/ca.cert.pem
index d6e5513..d6e5513 100644
--- a/system/services/taskserver/ca.cert.pem
+++ b/system/services/taskserver/certs/ca.cert.pem
diff --git a/system/services/taskserver/certs/ca.key.pem.gpg b/system/services/taskserver/certs/ca.key.pem.gpg
new file mode 100644
index 0000000..f52482d
--- /dev/null
+++ b/system/services/taskserver/certs/ca.key.pem.gpg
Binary files differdiff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire
index 59f9dc6..89969cc 100755
--- a/system/services/taskserver/certs/check_expire
+++ b/system/services/taskserver/certs/check_expire
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 for cert in *.cert.pem; do
-	echo $cert
-	openssl x509 -noout -in $cert -dates
-	echo
+    echo "$cert"
+    openssl x509 -noout -in "$cert" -dates
+    echo
 done
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
index 253e4bb..283697f 100755
--- a/system/services/taskserver/certs/generate
+++ b/system/services/taskserver/certs/generate
@@ -10,13 +10,19 @@
 #   server.key.pem
 #   server.cert.pem
 
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/keys";
+GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs";
+BASEDIR="$(dirname "$0")"
+cd "$BASEDIR" || echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
+
+set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
 
 mkdir -p "$GENERATION_LOCATION"
-cp ./vars ./generate.ca ./generate.crl ./generate.client "$GENERATION_LOCATION"
+cp "$@" "./ca.cert.pem" "$GENERATION_LOCATION"
 cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 
-./generate.ca
+gpg --decrypt ca.key.pem.gpg > ca.key.pem
+cat ./isrgrootx1.pem >> ./ca.cert.pem
+[ -f ./ca.key.pem ] || ./generate.ca
 
 # Generate a certificate revocation list (CRL).  The initial CRL is empty, but
 # can grow over time.  Creates:
@@ -28,14 +34,15 @@ cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
 # process per client; Add the required client names and uncomment
 # ./generate.client <client_name>
 #
-./generate.client soispha
-./generate.client android-mobile
-./generate.client android-tab
 #
 # Creates:
 #   <client_name>.key.pem
 #   <client_name>.cert.pem
+#
+./generate.client soispha
+./generate.client android-mobile
+./generate.client android-tab
 
 
-rm ./vars ./generate.ca ./generate.crl ./generate.client
+rm "$@" "./ca.key.pem"
 echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
index 4ffc6e9..a9fbc0c 100755
--- a/system/services/taskserver/certs/generate.ca
+++ b/system/services/taskserver/certs/generate.ca
@@ -35,7 +35,7 @@ EOF
 #locality = $LOCALITY
 fi
 
-if ! [ -f ca.cert.pem ] || [ ca.template -nt ca.cert.pem ]
+if ! [ -f ca.cert.pem ]
 then
   $CERTTOOL \
     --generate-self-signed \
diff --git a/system/services/taskserver/certs/generate.client b/system/services/taskserver/certs/generate.client
index 976cb82..4f0e503 100755
--- a/system/services/taskserver/certs/generate.client
+++ b/system/services/taskserver/certs/generate.client
@@ -16,21 +16,21 @@ then
   NAME=$1
 fi
 
-if ! [ -f ${NAME}.key.pem ]
+if ! [ -f "$NAME".key.pem ]
 then
   # Create a client key.
   $CERTTOOL \
     --generate-privkey \
     --sec-param $SEC_PARAM \
-    --outfile ${NAME}.key.pem
+    --outfile "$NAME".key.pem
 fi
 
-chmod 600 ${NAME}.key.pem
+chmod 600 "$NAME".key.pem
 
-if ! [ -f ${NAME}.template ]
+if ! [ -f "$NAME".template ]
 then
   # Sign a client cert with the key.
-  cat <<EOF >${NAME}.template
+  cat <<EOF >"$NAME".template
 organization = $ORGANIZATION
 cn = $CN
 expiration_days = $EXPIRATION_DAYS
@@ -40,15 +40,15 @@ signing_key
 EOF
 fi
 
-if ! [ -f ${NAME}.cert.pem ] || [ ${NAME}.template -nt ${NAME}.cert.pem ]
+if ! [ -f "$NAME".cert.pem ]
 then
   $CERTTOOL \
     --generate-certificate \
-    --load-privkey ${NAME}.key.pem \
+    --load-privkey "$NAME".key.pem \
     --load-ca-certificate ca.cert.pem \
     --load-ca-privkey ca.key.pem \
-    --template ${NAME}.template \
-    --outfile ${NAME}.cert.pem
+    --template "$NAME".template \
+    --outfile "$NAME".cert.pem
 fi
 
-chmod 600 ${NAME}.cert.pem
+chmod 600 "$NAME".cert.pem
diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl
index 6a9daa8..e9f6715 100755
--- a/system/services/taskserver/certs/generate.crl
+++ b/system/services/taskserver/certs/generate.crl
@@ -18,7 +18,7 @@ expiration_days = $EXPIRATION_DAYS
 EOF
 fi
 
-if ! [ -f server.crl.pem ] || [ crl.template -nt server.crl.pem ]
+if ! [ -f server.crl.pem ]
 then
   $CERTTOOL \
     --generate-crl \
diff --git a/system/services/taskserver/certs/isrgrootx1.pem b/system/services/taskserver/certs/isrgrootx1.pem
new file mode 100644
index 0000000..b85c803
--- /dev/null
+++ b/system/services/taskserver/certs/isrgrootx1.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
index cd842a1..79ba8ab 100644
--- a/system/services/taskserver/default.nix
+++ b/system/services/taskserver/default.nix
@@ -7,7 +7,7 @@ in {
   services.taskserver = {
     enable = true;
     pki.manual = {
-      ca.cert = ./ca.cert.pem;
+      ca.cert = ./certs/ca.cert.pem;
       server = {
         cert = "${taskStore}/fullchain.pem";
         key = "${taskStore}/key.pem";
@@ -21,7 +21,10 @@ in {
     organisations = import ./organisations.nix;
     openFirewall = true;
     fqdn = "taskserver.vhack.eu";
-    listenHost = "taskserver.vhack.eu";
+
+    # This should tell taskd to bind to both ipv6 and ipv4 domains:
+    # This will ONLY work when the kernel option `sys.net.ipv6.bindv6only` is false
+    listenHost = "::";
   };
   security.acme.certs.taskserver = {
     domain = "taskserver.vhack.eu";