diff options
Diffstat (limited to '')
| -rw-r--r-- | system/services/taskserver/certs/README.md | 42 | ||||
| -rw-r--r-- | system/services/taskserver/certs/ca.cert.pem | 83 | ||||
| -rw-r--r-- | system/services/taskserver/certs/ca.key.pem.gpg | bin | 13506 -> 0 bytes | |||
| -rwxr-xr-x | system/services/taskserver/certs/check_expire | 13 | ||||
| -rwxr-xr-x | system/services/taskserver/certs/generate | 75 | ||||
| -rwxr-xr-x | system/services/taskserver/certs/generate.ca | 43 | ||||
| -rwxr-xr-x | system/services/taskserver/certs/generate.crl | 42 | ||||
| -rw-r--r-- | system/services/taskserver/certs/isrgrootx1.pem | 31 | ||||
| -rw-r--r-- | system/services/taskserver/certs/vars | 7 | ||||
| -rw-r--r-- | system/services/taskserver/default.nix | 56 | ||||
| -rw-r--r-- | system/services/taskserver/organisations.nix | 14 | ||||
| -rwxr-xr-x | tests/common/acme/certs/generate.client (renamed from system/services/taskserver/certs/generate.client) | 46 |
12 files changed, 18 insertions, 434 deletions
diff --git a/system/services/taskserver/certs/README.md b/system/services/taskserver/certs/README.md deleted file mode 100644 index 8ff0e44..0000000 --- a/system/services/taskserver/certs/README.md +++ /dev/null @@ -1,42 +0,0 @@ -> This is taken from: https://github.com/GothenburgBitFactory/taskserver/blob/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki/README - -PKI is a complex subject. These scripts and this description are not intended -to be a complete and accurate example of PKI. - -Ideally you would purchase a server cert signed by a known CA, such as one of -the following: - -- Symantec -- Comodo -- GoDaddy -- GlobalSign -- (Let's Encrypt) - -That cert would need the 'encryption_key' and 'signing_key' attributes. -Using that server cert, you would then issue a server CRL and client keys. - -If you are developing, testing, or running your own private server, you may -choose instead to generate the above yourself. In this case you would generate -a CA key and cert, then use that to generate a server key, cert, and CRL. Then -you would use the server key and cert to create a client key and cert. But as -there is no trusted CA in this example, just yourself, the resultant client key -and cert will not be trusted by anyone, for good reasons. - -Note, you can inspect any cert with the command: - -``` -$ gnutls-certtool -i --infile $CERT -``` - -There is a 'generate' script here that will perform the above steps. Take a -look at it to see the individual steps it takes to generate the proper set of -keys and certs. - -Note that you need to modify the 'vars' file to provide your own identity and -chosen parameters. - -Validate a certificate with: - -``` -$ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem -``` diff --git a/system/services/taskserver/certs/ca.cert.pem b/system/services/taskserver/certs/ca.cert.pem deleted file mode 100644 index 76c0435..0000000 --- a/system/services/taskserver/certs/ca.cert.pem +++ /dev/null @@ -1,83 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIJPDCCBSSgAwIBAgIULsm+i5JWHG1LDMw4/OaUA1yiNGcwDQYJKoZIhvcNAQEM -BQAwPjELMAkGA1UEBhMCRVUxDjAMBgNVBAoTBVZoYWNrMR8wHQYDVQQDExZ0YXNr -c2VydmVyLnZoYWNrLmV1IENBMB4XDTI0MTAwNTE5MTA0NloXDTI1MTAwNTE5MTA0 -NlowPjELMAkGA1UEBhMCRVUxDjAMBgNVBAoTBVZoYWNrMR8wHQYDVQQDExZ0YXNr -c2VydmVyLnZoYWNrLmV1IENBMIIEIjANBgkqhkiG9w0BAQEFAAOCBA8AMIIECgKC -BAEAvqK+cCSMRS4QXagPcIHHkdc2mr7DLqqvDSisybD6CFJYH+7YgDP/reqLRCpL -3J1VmBYlthK6EzsGf7v/rdkgoMEL9pLTgguNS8FWIHybn9X/diYX/hp6CGV4hfn1 -eJFjV78o9dWAFwWrZzGDOW/lbXnqaB+EFbbV/R+lNxwwSXWpxyRjygYVJhiKX5Pt -u1eN10MPOuX6afdaduag383rHXe6wcOOF+Af+F2mZmvdySBAkjHaL+VvS3ounj8q -PSC/HoYzDWa4fHnhcgfLJq2ngmLnSQFtDDTq3xd/MBVk17qExD6efIrcGoLSG/L9 -CQJaV/DdfdZwCNNnGz2nm+Whx3MIvlI2cWBM2jxFsfPEiNqPWyaBOBN6JVnE4Xfd -odfzAvgRPDipansnFvwbYbfmq/sUQbN21tYYpi28EPQMGNkJ5XYf21wLCSo2QCLe -n8KttXKp2dBi9ykFKRpVUVxalIunco1lBxccXILz0aRILdcoTMCyOAiAZ11QJ+Ij -vV+gLyBzq2+IMBflsWx0BWZ+yXQJbmMkxJ+wkc26oNG6ZcklckZYkbKKLqmVo2wc -UW+NODIuwcaKQrqXqzxM/pFuW0eeBKymMg77u7NN3mkUI5sx9F3djQ6RuFFI5KYM -AGlQB1dlFyj9qtMrqNLi7GSnTCSbeoJq6Tl1NEKELbjIYvAUIYA5O0rAZHMWqNog -30IaAL8GZaTf4l78ueJeIdGve1Zl+FXka+Clj0d/B4pVqkIu7/pk4Vldc/Bzm5mm -JIReQZz6NRn8m0szAmeK9ucxx6jzshXnRQrVBUntYYWZzCWQgHjNPF3vXdFrfZgl -ar/0whmRap7uM7TiMSHRgJjPd7iG27RKXd3dRr51KYaeHSjhnK/26oelBIQDVA6V -nK69GpD2AFkWpgkUfqD89rLBOxWxdKZgC6ucTtmprwg5pRkfRCgV32fzJkBAoMkN -erg8uQGjT/EnTSxEK72XK2MRDpUpKZvB2GoG69dOYs1L9mtIbxgdexeBlw2UNF1l -JDlPQUEmlY/QptWCro7H0HcdP/iXCadTZcxIf+ln0cfMwlVYgTn+4NWWvRNskWx2 -c8RqynsrjM/7PIuWltVizlcAp7WIQtbBHcTs9lNBRSQrtxEaSuLoZ2cLiw9qBN7j -2goLCEKvRI/KqsVj9/NirMpVg4g3t/ZQSEh56w6seKPynzEF1KKdA+2tCzwuSmDs -UT0hHpzepoTXJoix/eRWl4yVsUD1zz1HdL+WJL0vWNZax92Q1afq5icjtEty4/Ng -Ek35dWGQI21usyVHKH+jsFFioj+3pm5jPUb7tCZ/sptYlXOL6MtSWmpOzMqjiDQK -pZizY/mseUHQOyz9MBdZ3Vv8GQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0G -A1UdDgQWBBQiVaWbtkt9aYDBbPhXAGtpi6HxAzANBgkqhkiG9w0BAQwFAAOCBAEA -hCfUJVB75LF+z0A02vdfg0aQGHokLVejqFkCZ8kZvDNC7kkRepO0EkYO7YMYxHX6 -R+IU4mtiSq7ubtgLuGcQmz/Q9UbxUxX/bIZ5tP5lNOZZqoZ4xqfj/ROMtT5xo5c0 -2ZUXWOBTtqLEzOIaPxjvjW8WU0sVPrjeC1il4dTSNRQZdTFj6nJXmebBG3FWakEi -l8Nzx85DFqtyMdfyCaJPzwDSsYJx6a15wLX3nLzHNln4E5skzYgV9qxdqDBDsi99 -h4SYaktETciTxnkVLKNyILfA5DjN6uacU3a79KCrwhQmMze6P3cXl06gFGIl2HBM -CQ5zrz5bIfG7Msi98Qj0FAOfRDF4Qx1UrwMp727Vlj2oL2MmZXfVS7dLYT6bi2z0 -xf74Z4mTitETXWhLayfJuuoNBSC8dmlsLOUVgtppoy8eqze6S0JDIjLl04aHg9ja -yE9WQI8nq9pMEAF7O63Od7lfIsvEmAcbjU1GCHmzCf8qedvmEXhgpuCNFGtNgxKh -V1Wc0WMKh1ql3ETsK37+c2gJu2hTHX7LTS/mkMtEkEQcruDAppwDfkX+gSrPDRvG -riGmk4AttTmK7PvesVI9riXfw0iAo/ydsUckqanntiX9uZvQWsClHVamR8wjL3JK -PMErm6/SrAelH0vLCQkYm2NSFApX6GBDSmvbKSZvmqutnApDUKcu+36GFZHqC+Wz -gIQzhvOL4AO2jyPRRByscNyWc5Zu5yN78x7UKfwxLOMnRK1ZxZ18N0OdAmmDXN6e -TBYoCoenjaqIYbtFUMSqOJEW+nAZbTINO4Sf/ouPg+kBg/uDKvGUbKP29GnhQL2o -PFwvBBYlXqn9AuPiXwCUUinBYR260rzuzfKyP6HmXOaxMOJxU3jM38+3vDpC5Kb0 -MMY6+lYo42/rGeRMvkm+aM1zZcPHAIgZ6M/LaUrrLTX5zLqsNfx5gUddEfqRrZTK -Z4ivJwqTrI/e1iZ/grLUjHWPV/PflBOQc7NmPdvEv3uRampRPfBwtC1KMae/Y6se -hx9TbJQGdoK90dCe9LzdUHEdGyZT5cKDSCd9ffmWwORbN8+xqRFZ8/tRyxgSA58Z -MSTmqkNM+udO/Zn2oOmAwpXhrwc75ezGXvwNH3YMdyVDqZrlfLgv7KMyhuhOnP1z -T8+ZgLOfy8hxeZwObL821lAIhKxQux0LQFYoYrOUmP9kDw+gRg1AnIi3n8Tgeisk -DmIYgmB/9vgEDqBO9vhcg/qdevhjkfeiOfKRdpxpg9mCh57hHfM1CHq5ulFttbwc -JjT/BiQzCmzJPXAlRuxVPHCaF1qyp6Pf4seLRy0qyWyOWVxVx2BKKGV7cX/IUbXV -53Nn1zkqWwd9Ws9D7zQwog== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 -WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu -ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY -MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc -h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ -0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U -A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW -T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH -B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC -B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv -KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn -OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn -jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw -qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI -rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq -hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ -3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK -NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 -ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur -TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC -jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc -oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq -4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA -mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d -emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= ------END CERTIFICATE----- diff --git a/system/services/taskserver/certs/ca.key.pem.gpg b/system/services/taskserver/certs/ca.key.pem.gpg Binary files differdeleted file mode 100644 index 8abd59a..0000000 --- a/system/services/taskserver/certs/ca.key.pem.gpg +++ /dev/null diff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire deleted file mode 100755 index 39f3291..0000000 --- a/system/services/taskserver/certs/check_expire +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env nix -#! nix shell nixpkgs#openssl nixpkgs#dash --command dash - -cd "$(dirname "$0")" || { - echo "No dir name?!" - exit 1 -} - -for cert in *.cert.pem; do - echo "$cert" - openssl x509 -noout -in "$cert" -dates - echo -done diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate deleted file mode 100755 index c3b58ae..0000000 --- a/system/services/taskserver/certs/generate +++ /dev/null @@ -1,75 +0,0 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i dash --packages openssl gnutls dash -#! nix-shell --impure - -# For a public or production server, purchase a cert from a known CA, and skip -# the next step. - -# For development, testing and personal server management, create a CA key and -# cert, and use that to generate a server key and cert. Creates: -# ca.key.pem -# ca.cert.pem -# server.key.pem -# server.cert.pem - -GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs" -BASEDIR="$(dirname "$0")" -cd "$BASEDIR" || { - echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 - exit 1 -} - -ca=false -crl=false -clients=false - -for arg in "$@"; do - case "$arg" in - "--ca") - ca=true - ;; - "--crl") - crl=true - ;; - "--clients") - clients=true - ;; - esac -done - -# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the -# second-to last line -set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem - -mkdir --parents "$GENERATION_LOCATION" -cp "$@" ./ca.cert.pem "$GENERATION_LOCATION" -cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2 - -gpg --decrypt ca.key.pem.gpg >ca.key.pem - -[ "$ca" = true ] && ./generate.ca -cat ./isrgrootx1.pem >>./ca.cert.pem - -# Generate a certificate revocation list (CRL). The initial CRL is empty, but -# can grow over time. Creates: -# server.crl.pem - -[ "$crl" = true ] && ./generate.crl - -# The above is sufficient to operate a server. You now need to run a client cert creation -# process per client; Add the required client names and uncomment -# ./generate.client <client_name> -# -# -# Creates: -# <client_name>.key.pem -# <client_name>.cert.pem -# -[ "$clients" = true ] && ./generate.client soispha -[ "$clients" = true ] && ./generate.client android-mobile -[ "$clients" = true ] && ./generate.client android-tab - -rm "$@" "./ca.key.pem" -echo "(INFO) Look for the keys at: $GENERATION_LOCATION" - -# vim: ft=sh diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca deleted file mode 100755 index eb0dd5c..0000000 --- a/system/services/taskserver/certs/generate.ca +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ]; then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -. ./vars - -if ! [ -f ca.key.pem ]; then - # Create a CA key. - $CERTTOOL \ - --generate-privkey \ - --sec-param $SEC_PARAM \ - --outfile ca.key.pem -fi - -chmod 600 ca.key.pem - -if ! [ -f ca.template ]; then - # Sign a CA cert. - cat <<EOF >ca.template -organization = $ORGANIZATION -cn = $CN CA -country = $COUNTRY -expiration_days = $EXPIRATION_DAYS -ca -EOF -#state = $STATE -#locality = $LOCALITY -fi - -if ! [ -f ca.cert.pem ]; then - $CERTTOOL \ - --generate-self-signed \ - --load-privkey ca.key.pem \ - --template ca.template \ - --outfile ca.cert.pem -fi - -chmod 600 ca.cert.pem diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl deleted file mode 100755 index e9f6715..0000000 --- a/system/services/taskserver/certs/generate.crl +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ] -then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -. ./vars - -if ! [ -f crl.template ] -then - # CRL - Certificate Revocation List - cat <<EOF >crl.template -expiration_days = $EXPIRATION_DAYS -EOF -fi - -if ! [ -f server.crl.pem ] -then - $CERTTOOL \ - --generate-crl \ - --load-ca-privkey ca.key.pem \ - --load-ca-certificate ca.cert.pem \ - --template crl.template \ - --outfile server.crl.pem -fi - -chmod 600 server.crl.pem - -# To create a CRL that contains some revoked certificates, place the -# certificates in a file and use --load-certificate as follows: -# $CERTTOOL \ -# --generate-crl \ -# --load-ca-privkey ca.key.pem \ -# --load-ca-certificate ca.cert.pem \ -# --load-certificate revoked-certs.pem - -# To verify a CRL: -# $CERTTOOL --verify-crl --load-ca-certificate ca.cert.pem --infile server.crl.pem diff --git a/system/services/taskserver/certs/isrgrootx1.pem b/system/services/taskserver/certs/isrgrootx1.pem deleted file mode 100644 index b85c803..0000000 --- a/system/services/taskserver/certs/isrgrootx1.pem +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 -WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu -ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY -MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc -h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ -0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U -A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW -T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH -B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC -B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv -KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn -OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn -jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw -qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI -rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq -hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ -3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK -NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 -ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur -TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC -jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc -oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq -4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA -mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d -emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= ------END CERTIFICATE----- diff --git a/system/services/taskserver/certs/vars b/system/services/taskserver/certs/vars deleted file mode 100644 index 50d753a..0000000 --- a/system/services/taskserver/certs/vars +++ /dev/null @@ -1,7 +0,0 @@ -SEC_PARAM=ultra -EXPIRATION_DAYS=365 -ORGANIZATION="Vhack" -CN=taskserver.vhack.eu -COUNTRY=EU -#STATE="Germany" -#LOCALITY="Göteborg" diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix deleted file mode 100644 index 04b6a8b..0000000 --- a/system/services/taskserver/default.nix +++ /dev/null @@ -1,56 +0,0 @@ -{config, ...}: let - taskStore = "/var/lib/taskserver"; -in { - environment.etc = { - "tmpfiles.d/taskserver.conf".source = config.age.secrets.taskserverSystemdTmpfiles.path; - }; - - vhack.persist.directories = [ - "/var/lib/taskserver" - ]; - - services.taskserver = { - enable = true; - pki.manual = { - ca.cert = ./certs/ca.cert.pem; - server = { - cert = "${taskStore}/fullchain.pem"; - key = "${taskStore}/key.pem"; - }; - }; - - debug = false; - ipLog = false; - trust = "strict"; - - organisations = import ./organisations.nix; - openFirewall = true; - fqdn = "taskserver.vhack.eu"; - - # This should tell taskd to bind to both ipv6 and ipv4 domains: - # This will ONLY work when the kernel option `sys.net.ipv6.bindv6only` is false - listenHost = "::"; - }; - boot.kernelParams = [ - "sys.net.ipv6.bindv6only=0" - ]; - - security.acme.certs.taskserver = { - domain = "taskserver.vhack.eu"; - postRun = - /* - bash - */ - '' - set -x - rm "${taskStore}/key.pem" - rm "${taskStore}/fullchain.pem" - - cp key.pem "${taskStore}"; - cp fullchain.pem "${taskStore}"; - - chown taskd:taskd "${taskStore}/key.pem" - chown taskd:taskd "${taskStore}/fullchain.pem" - ''; - }; -} diff --git a/system/services/taskserver/organisations.nix b/system/services/taskserver/organisations.nix deleted file mode 100644 index c3ad966..0000000 --- a/system/services/taskserver/organisations.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - vhack = { - users = [ - "soispha" - ]; - }; - soispha = { - users = [ - "soispha" - "android-mobile" - "android-tab" - ]; - }; -} diff --git a/system/services/taskserver/certs/generate.client b/tests/common/acme/certs/generate.client index 4f0e503..5930298 100755 --- a/system/services/taskserver/certs/generate.client +++ b/tests/common/acme/certs/generate.client @@ -1,54 +1,44 @@ -#!/bin/sh +#! /usr/bin/env sh # Take the correct binary to create the certificates CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ] -then - echo "ERROR: No certtool found" >&2 - exit 1 +if [ -z "$CERTTOOL" ]; then + echo "ERROR: No certtool found" >&2 + exit 1 fi -. ./vars - NAME=client -if [ $# -gt 0 ] -then - NAME=$1 +if [ $# -gt 0 ]; then + NAME="$1" fi -if ! [ -f "$NAME".key.pem ] -then - # Create a client key. - $CERTTOOL \ +# Create a client key. +$CERTTOOL \ --generate-privkey \ - --sec-param $SEC_PARAM \ + --sec-param "$SEC_PARAM" \ + --key-type "$KEY_TYPE" \ --outfile "$NAME".key.pem -fi chmod 600 "$NAME".key.pem -if ! [ -f "$NAME".template ] -then - # Sign a client cert with the key. - cat <<EOF >"$NAME".template -organization = $ORGANIZATION -cn = $CN +# Sign a client cert with the key. +cat <<EOF >"$NAME".template +dns_name = "$NAME" +dns_name = "$SAN" expiration_days = $EXPIRATION_DAYS -tls_www_client +organization = $ORGANIZATION encryption_key signing_key EOF -fi -if ! [ -f "$NAME".cert.pem ] -then - $CERTTOOL \ +$CERTTOOL \ --generate-certificate \ --load-privkey "$NAME".key.pem \ --load-ca-certificate ca.cert.pem \ --load-ca-privkey ca.key.pem \ --template "$NAME".template \ --outfile "$NAME".cert.pem -fi chmod 600 "$NAME".cert.pem + +# vim: ft=sh |