Diffstat (limited to '')
-rw-r--r--modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch (renamed from system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch)0
-rw-r--r--system/services/default.nix15
-rw-r--r--system/services/invidious-router/default.nix51
-rw-r--r--system/services/invidious/default.nix52
-rw-r--r--system/services/mail/default.nix45
-rw-r--r--system/services/mail/impermanence.nix46
-rw-r--r--system/services/mail/users.nix52
-rw-r--r--system/services/mastodon/default.nix79
-rw-r--r--system/services/matrix/default.nix133
-rw-r--r--system/services/minecraft/default.nix37
-rw-r--r--system/services/miniflux/default.nix22
-rw-r--r--system/services/murmur/default.nix50
-rw-r--r--system/services/nix/default.nix23
-rw-r--r--system/services/restic/default.nix50
-rw-r--r--system/services/taskserver/certs/README.md42
-rw-r--r--system/services/taskserver/certs/ca.cert.pem83
-rw-r--r--system/services/taskserver/certs/ca.key.pem.gpgbin13506 -> 0 bytes
-rwxr-xr-xsystem/services/taskserver/certs/check_expire13
-rwxr-xr-xsystem/services/taskserver/certs/generate75
-rwxr-xr-xsystem/services/taskserver/certs/generate.ca43
-rwxr-xr-xsystem/services/taskserver/certs/generate.crl42
-rw-r--r--system/services/taskserver/certs/isrgrootx1.pem31
-rw-r--r--system/services/taskserver/certs/vars7
-rw-r--r--system/services/taskserver/default.nix56
-rw-r--r--system/services/taskserver/organisations.nix14
-rwxr-xr-xtests/common/acme/certs/generate.client (renamed from system/services/taskserver/certs/generate.client)46
26 files changed, 18 insertions, 1089 deletions
diff --git a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
index 35dc809..35dc809 100644
--- a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
+++ b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
diff --git a/system/services/default.nix b/system/services/default.nix
deleted file mode 100644
index db7ca4f..0000000
--- a/system/services/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{...}: {
- imports = [
- ./invidious
- ./invidious-router
- ./mail
- ./mastodon
- ./matrix
- ./minecraft
- ./miniflux
- ./murmur
- ./nix
- ./restic
- ./taskserver
- ];
-}
diff --git a/system/services/invidious-router/default.nix b/system/services/invidious-router/default.nix
deleted file mode 100644
index 8829d3b..0000000
--- a/system/services/invidious-router/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{pkgsUnstable, ...}: {
- services.invidious-router = {
- enable = true;
- package = pkgsUnstable.invidious-router;
- settings = {
- app = {
- listen = "127.0.0.1:8050";
- enable_youtube_fallback = false;
- reload_instance_list_interval = "60s";
- not_available_message = ''
- No available invidious instance found!
- [link]View this video on YouTube[/link], a proprietary
- platform that collects and uses your data without respecting
- your privacy.
- '';
- };
- api = {
- enabled = true;
- url = "https://api.invidious.io/instances.json";
- filter_regions = false;
- allowed_regions = [
- "AT"
- "DE"
- "CH"
- ];
- };
- healthcheck = {
- path = "/watch?v=uSvJaYxRoB4";
- allowed_status_codes = [
- 200
- ];
- timeout = "1s";
- interval = "10s";
- filter_by_response_time = {
- enabled = true;
- qty_of_top_results = 4;
- };
- minimum_ratio = 0.2;
- remove_no_ratio = false;
- text_not_present = "YouTube is currently trying to block Invidious instances";
- };
- };
- nginx = {
- enable = true;
- domain = "invidious-router.sils.li";
- extraDomains = [
- "video.fosswelt.org"
- ];
- };
- };
-}
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
deleted file mode 100644
index 6c587b3..0000000
--- a/system/services/invidious/default.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.services.invidious;
-in {
- services.invidious = {
- enable = true;
- database = {
- createLocally = true;
- };
- domain = "invidious.vhack.eu";
- nginx.enable = true;
- extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";
-
- settings = {
- check_tables = true;
- db = {
- dbname = "invidious";
- user = "invidious";
- };
- };
- };
- systemd.services.invidious.serviceConfig = {
- LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
-
- ExecStart = let
- # taken from the invidious module
- settingsFormat = pkgs.formats.json {};
- settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
-
- jqFilter =
- "."
- + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
- + " | .[0]"
- + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
-
- # don't escape extraSettingsFile, to allow variable substitution
- jqFiles =
- settingsFile
- + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
- in
- lib.mkForce (pkgs.writeScript "start-invidious" ''
- #! ${pkgs.dash}/bin/dash
-
- export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
- exec ${cfg.package}/bin/invidious
- '');
- };
-}
diff --git a/system/services/mail/default.nix b/system/services/mail/default.nix
deleted file mode 100644
index c69e6bd..0000000
--- a/system/services/mail/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{lib, ...}: let
- all_admins = [
- "sils@vhack.eu"
- "soispha@vhack.eu"
- "nightingale@vhack.eu"
- ];
- users = import ./users.nix {};
-in {
- imports = [
- ./impermanence.nix
- ];
-
- mailserver =
- lib.recursiveUpdate {
- enable = true;
- fqdn = "server1.vhack.eu";
-
- useFsLayout = true;
-
- extraVirtualAliases = {
- "abuse@vhack.eu" = all_admins;
- "postmaster@vhack.eu" = all_admins;
- "admin@vhack.eu" = all_admins;
- };
-
- mailDirectory = "/var/lib/mail/vmail";
- dkimKeyDirectory = "/var/lib/mail/dkim";
- sieveDirectory = "/var/lib/mail/sieve";
- backup.snapshotRoot = "/var/lib/mail/backup";
-
- enableImap = false;
- enableImapSsl = true;
- enablePop3 = false;
- enablePop3Ssl = true;
- # SMTP
- enableSubmission = false;
- enableSubmissionSsl = true;
- openFirewall = true;
-
- keyFile = "/var/lib/acme/server1.vhack.eu/key.pem";
- certificateScheme = "acme";
- certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem";
- }
- users;
-}
diff --git a/system/services/mail/impermanence.nix b/system/services/mail/impermanence.nix
deleted file mode 100644
index 22a5318..0000000
--- a/system/services/mail/impermanence.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{...}: {
- vhack.persist.directories = [
- {
- directory = "/var/lib/mail/backup";
- user = "virtualMail";
- group = "virtualMail";
- mode = "0700";
- }
- {
- directory = "/var/lib/mail/sieve";
- user = "virtualMail";
- group = "virtualMail";
- mode = "0700";
- }
- {
- directory = "/var/lib/mail/vmail";
- user = "virtualMail";
- group = "virtualMail";
- mode = "0700";
- }
- {
- directory = "/var/lib/mail/dkim";
- user = "opendkim";
- group = "opendkim";
- mode = "0700";
- }
- {
- directory = "/var/lib/postfix/data";
- user = "postfix";
- group = "postfix";
- mode = "0700";
- }
- {
- directory = "/var/lib/postfix/queue";
- user = "postfix";
- group = "postfix";
- mode = "0700";
- }
- {
- directory = "/var/lib/rspamd";
- user = "rspamd";
- group = "rspamd";
- mode = "0700";
- }
- ];
-}
diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix
deleted file mode 100644
index 0bae1a7..0000000
--- a/system/services/mail/users.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{...}: {
- domains = [
- "vhack.eu"
-
- "s-schoeffel.de"
- "b-peetz.de"
-
- "sils.li"
- "nightingale.sils.li"
- "sils.sils.li"
- ];
-
- loginAccounts = {
- "sils@vhack.eu" = {
- hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
- };
- "soispha@vhack.eu" = {
- hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
- };
-
- "benedikt.peetz@b-peetz.de" = {
- hashedPassword = "$2b$05$MfET8utot2OolPZNASqoDe4VXNoG2chnEWhdfQ2E92mit0TvI2gBy";
- aliases = ["@b-peetz.de"];
- };
- "silas.schoeffel@s-schoeffel.de" = {
- hashedPassword = "$2b$05$Qb8rl7ncpCcTbsSdsduJBuOITp8RTD6sfOTjuxJsVtD9vjAYY9n8e";
- aliases = ["@s-schoeffel.de"];
- };
-
- "nightingale@vhack.eu" = {
- hashedPassword = "$2b$05$nDKVVq1EktKXWqGFhnOLP.plLovXFyvWSuptK9GIkxA5DScKFx6YS";
- aliases = [
- "@nightingale.sils.li"
- ];
- };
- "sils@sils.li" = {
- hashedPassword = "$2b$05$Ebzh2ZhuWkz1p4tqJ172IejNZg10FtCxPDY4k6umYrpirXg7ezIRq";
- aliases = [
- "@sils.sils.li"
- "@sils.li"
- ];
- };
-
- # Mail-Account used by hosted software
- "mastodon@vhack.eu" = {
- hashedPassword = "$2b$05$pSby3x2p3cHg0FyAE8IiJ.nYUqtAIR10JA8HNpHwMAiLXqc.ltSK.";
- };
- "peertube@vhack.eu" = {
- hashedPassword = "$y$j9T$hyWQ8Awd2Xrc6qsK.2hwE1$LxACfaeW.yHGbkQL95dWtID9.zXL/aMwT6lp.yU/0g0";
- };
- };
-}
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
deleted file mode 100644
index 15b8609..0000000
--- a/system/services/mastodon/default.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: let
- emailAddress = "mastodon@vhack.eu";
- applyPatches = pkg:
- pkg.overrideAttrs (attrs: {
- patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
- });
-in {
- vhack.persist.directories = [
- {
- directory = "/var/lib/mastodon";
- user = "mastodon";
- group = "mastodon";
- mode = "0700";
- }
- ];
-
- services.mastodon = {
- enable = true;
-
- package = applyPatches pkgs.mastodon;
-
- # Unstable Mastodon package, used if
- # security updates aren't backported.
- #package = applyPatches pkgs-unstable.mastodon;
-
- localDomain = "vhack.eu";
- smtp = {
- authenticate = true;
- createLocally = false;
- fromAddress = emailAddress;
- user = emailAddress;
- host = "server1.vhack.eu";
- passwordFile = config.age.secrets.mastodonMail.path;
- };
- streamingProcesses = 5; # Number of Cores - 1
- extraConfig = {
- WEB_DOMAIN = "mastodon.vhack.eu";
- EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true; # required for redirections to work
- virtualHosts = {
- ${config.services.mastodon.extraConfig.WEB_DOMAIN} = {
- root = "${config.services.mastodon.package}/public/";
- # mastodon only supports https, but you can override this if you offload tls elsewhere.
- forceSSL = true;
- enableACME = true;
-
- locations = {
- "/system/".alias = "/var/lib/mastodon/public-system/";
- "/".tryFiles = "$uri @proxy";
- "@proxy" = {
- proxyPass = "http://unix:/run/mastodon-web/web.socket";
- proxyWebsockets = true;
- };
- "/api/v1/streaming/" = {
- proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
- proxyWebsockets = true;
- };
- };
- };
-
- "vhack.eu" = {
- locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";
- };
- };
- };
-
- users.groups.${config.services.mastodon.group}.members = [
- config.services.nginx.user
- ];
-}
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
deleted file mode 100644
index 043d9c0..0000000
--- a/system/services/matrix/default.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: let
- fqdn = "matrix.vhack.eu";
- clientConfig."m.homeserver".base_url = "https://${fqdn}";
- serverConfig."m.server" = "${fqdn}:443";
- mkWellKnown = data: ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
-in {
- networking.firewall.allowedTCPPorts = [80 443];
-
- vhack.persist.directories = [
- {
- directory = "/var/lib/matrix";
- user = "matrix-synapse";
- group = "matrix-synapse";
- mode = "0700";
- }
- {
- directory = "/var/lib/mautrix-whatsapp";
- user = "mautrix-whatsapp";
- group = "matrix-synapse";
- mode = "0750";
- }
- ];
- systemd.tmpfiles.rules = [
- "d /etc/matrix 0755 matrix-synapse matrix-synapse"
- ];
-
- services = {
- postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- --Matrix:
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
-
- --Whatsapp-bridge:
- CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
- CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
-
- nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- virtualHosts = {
- "vhack.eu" = {
- enableACME = true;
- forceSSL = true;
- locations = {
- "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- };
- };
- "matrix.vhack.eu" = {
- enableACME = true;
- forceSSL = true;
- locations = {
- "/".return = "404";
- "/_matrix".proxyPass = "http://[::1]:8008";
- "/_synapse/client".proxyPass = "http://[::1]:8008";
- };
- };
- };
- };
-
- mautrix-whatsapp = {
- # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm.
- # Re-enable it, when this has changed. <2024-09-06>
- enable = false;
- settings = {
- appservice = {
- database = {
- type = "postgres";
- uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
- };
- whatsapp = {
- # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
- # This also determines the WhatsApp icon
- browser_name = "unknown";
- };
- };
- homeserver.address = "https://matrix.vhack.eu";
- bridge.permissions = {
- "@soispha:vhack.eu" = "admin";
- "@sils:vhack.eu" = "admin";
- "@nightingale:vhack.eu" = "admin";
- };
- };
- };
-
- matrix-synapse = {
- enable = true;
- dataDir = "/var/lib/matrix";
- configFile = "/etc/matrix/matrix.conf";
- settings = {
- media_store_path = "/var/lib/matrix/media_store";
- registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
- server_name = "vhack.eu";
- listeners = [
- {
- port = 8008;
- bind_addresses = ["::1"];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = ["client" "federation"];
- compress = true;
- }
- ];
- }
- ];
- };
- };
- };
-}
diff --git a/system/services/minecraft/default.nix b/system/services/minecraft/default.nix
deleted file mode 100644
index 9bc98b9..0000000
--- a/system/services/minecraft/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{lib, ...}: {
- vhack.persist.directories = [
- {
- directory = "/var/lib/minecraft";
- user = "minecraft";
- group = "minecraft";
- mode = "0700";
- }
- ];
-
- nixpkgs.config.allowUnfreePredicate = pkg:
- builtins.elem (lib.getName pkg) [
- "minecraft-server"
- ];
- services.minecraft-server = {
- enable = true;
- declarative = true;
- eula = true;
- dataDir = "/var/lib/minecraft";
- openFirewall = true;
- jvmOpts = "-Xmx8192M -Xms8192M";
- whitelist = {
- ShadyCraft = "7995eea5-b648-41c4-9b0f-7fc082565952";
- Nightingale768 = "1125d077-6709-44b2-9be0-587aec772e7a";
- Sirius_Black123 = "f5f66fc5-f287-434e-a03f-2480f998e76f";
- DerDaHalt = "09c72cb7-cab9-444f-af55-616fcf93822c";
- };
- serverProperties = {
- player-idle-timeout = 30;
- white-list = true;
- difficulty = 3;
- gamemode = "survival";
- enforce-whitelist = true;
- simulation-distance = 10;
- };
- };
-}
diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix
deleted file mode 100644
index 9a0f2bc..0000000
--- a/system/services/miniflux/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{config, ...}: {
- services.miniflux = {
- enable = true;
- config = {
- LISTEN_ADDR = "127.0.0.1:5892";
- };
- adminCredentialsFile = config.age.secrets.minifluxAdmin.path;
- };
-
- services.nginx = {
- enable = true;
- virtualHosts."miniflux.vhack.eu" = {
- locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
-
- enableACME = true;
- forceSSL = true;
- serverAliases = [
- "rss.vhack.eu"
- ];
- };
- };
-}
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
deleted file mode 100644
index dec79ba..0000000
--- a/system/services/murmur/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{...}: let
- murmurStore = "/var/lib/murmur";
-in {
- vhack.persist.directories = [
- {
- directory = "/var/lib/murmur";
- user = "murmur";
- group = "murmur";
- mode = "0700";
- }
- ];
-
- services.murmur = {
- enable = true;
- openFirewall = true;
- welcometext = ''
- <b>You never get a second chance to make a first impression</b><br>
-
- The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here!
- '';
- sslKey = "${murmurStore}/key.pem";
- sslCert = "${murmurStore}/fullchain.pem";
-
- registerUrl = "vhack.eu";
- registerName = "vhack";
- registerHostname = "mumble.vhack.eu";
- hostName = "mumble.vhack.eu";
- clientCertRequired = true;
- bandwidth = 7200000;
- };
-
- security.acme.certs.murmur = {
- domain = "mumble.vhack.eu";
- postRun =
- /*
- bash
- */
- ''
- set -x
- rm "${murmurStore}/key.pem"
- rm "${murmurStore}/fullchain.pem"
-
- cp key.pem "${murmurStore}";
- cp fullchain.pem "${murmurStore}";
-
- chown murmur:murmur "${murmurStore}/key.pem"
- chown murmur:murmur "${murmurStore}/fullchain.pem"
- '';
- };
-}
diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix
deleted file mode 100644
index 13be0f0..0000000
--- a/system/services/nix/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- nix = {
- # gc = {
- # automatic = true;
- # dates = "daily";
- # options = "--delete-older-than 3";
- # };
- settings = {
- auto-optimise-store = true;
- experimental-features = ["nix-command" "flakes"];
- trusted-users = [
- "root"
- "nixremote"
- "@wheel"
- ];
- };
- };
-}
diff --git a/system/services/restic/default.nix b/system/services/restic/default.nix
deleted file mode 100644
index cfeaca3..0000000
--- a/system/services/restic/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- services.restic.backups = let
- snapshots = "/srv/snapshots";
- boxUser = "u384702-sub2";
- postgresUser = "postgres";
- in {
- storagebox = {
- initialize = true;
- backupPrepareCommand = ''
- ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql
-
- [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots;
- [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv;
- ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv;
-
- # dump() {
- # # compression:
- # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz"
- # pg_dump -v "$1" > "db_$1.tar.xz"
- # }
- # # List all databases, and dump each of them in its own file
- # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done
- '';
- paths = [
- snapshots
- ];
- exclude = [
- ".snapshots"
- "/var/lib/postgresql" # included in the db dump
- ];
- extraBackupArgs = [
- "--verbose" # spam log
- ];
- passwordFile = config.age.secrets.resticpass.path;
- extraOptions = [
- "rclone.program='ssh -p 23 ${boxUser}@${boxUser}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'"
- ];
- repository = "rclone: "; # There is only one repository served
- timerConfig = {
- Requires = "network-online.target";
- OnCalendar = "daily";
- Persistent = true;
- };
- };
- };
-}
diff --git a/system/services/taskserver/certs/README.md b/system/services/taskserver/certs/README.md
deleted file mode 100644
index 8ff0e44..0000000
--- a/system/services/taskserver/certs/README.md
+++ /dev/null
@@ -1,42 +0,0 @@
-> This is taken from: https://github.com/GothenburgBitFactory/taskserver/blob/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki/README
-
-PKI is a complex subject. These scripts and this description are not intended
-to be a complete and accurate example of PKI.
-
-Ideally you would purchase a server cert signed by a known CA, such as one of
-the following:
-
-- Symantec
-- Comodo
-- GoDaddy
-- GlobalSign
-- (Let's Encrypt)
-
-That cert would need the 'encryption_key' and 'signing_key' attributes.
-Using that server cert, you would then issue a server CRL and client keys.
-
-If you are developing, testing, or running your own private server, you may
-choose instead to generate the above yourself. In this case you would generate
-a CA key and cert, then use that to generate a server key, cert, and CRL. Then
-you would use the server key and cert to create a client key and cert. But as
-there is no trusted CA in this example, just yourself, the resultant client key
-and cert will not be trusted by anyone, for good reasons.
-
-Note, you can inspect any cert with the command:
-
-```
-$ gnutls-certtool -i --infile $CERT
-```
-
-There is a 'generate' script here that will perform the above steps. Take a
-look at it to see the individual steps it takes to generate the proper set of
-keys and certs.
-
-Note that you need to modify the 'vars' file to provide your own identity and
-chosen parameters.
-
-Validate a certificate with:
-
-```
-$ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem
-```
diff --git a/system/services/taskserver/certs/ca.cert.pem b/system/services/taskserver/certs/ca.cert.pem
deleted file mode 100644
index 76c0435..0000000
--- a/system/services/taskserver/certs/ca.cert.pem
+++ /dev/null
@@ -1,83 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIJPDCCBSSgAwIBAgIULsm+i5JWHG1LDMw4/OaUA1yiNGcwDQYJKoZIhvcNAQEM
-BQAwPjELMAkGA1UEBhMCRVUxDjAMBgNVBAoTBVZoYWNrMR8wHQYDVQQDExZ0YXNr
-c2VydmVyLnZoYWNrLmV1IENBMB4XDTI0MTAwNTE5MTA0NloXDTI1MTAwNTE5MTA0
-NlowPjELMAkGA1UEBhMCRVUxDjAMBgNVBAoTBVZoYWNrMR8wHQYDVQQDExZ0YXNr
-c2VydmVyLnZoYWNrLmV1IENBMIIEIjANBgkqhkiG9w0BAQEFAAOCBA8AMIIECgKC
-BAEAvqK+cCSMRS4QXagPcIHHkdc2mr7DLqqvDSisybD6CFJYH+7YgDP/reqLRCpL
-3J1VmBYlthK6EzsGf7v/rdkgoMEL9pLTgguNS8FWIHybn9X/diYX/hp6CGV4hfn1
-eJFjV78o9dWAFwWrZzGDOW/lbXnqaB+EFbbV/R+lNxwwSXWpxyRjygYVJhiKX5Pt
-u1eN10MPOuX6afdaduag383rHXe6wcOOF+Af+F2mZmvdySBAkjHaL+VvS3ounj8q
-PSC/HoYzDWa4fHnhcgfLJq2ngmLnSQFtDDTq3xd/MBVk17qExD6efIrcGoLSG/L9
-CQJaV/DdfdZwCNNnGz2nm+Whx3MIvlI2cWBM2jxFsfPEiNqPWyaBOBN6JVnE4Xfd
-odfzAvgRPDipansnFvwbYbfmq/sUQbN21tYYpi28EPQMGNkJ5XYf21wLCSo2QCLe
-n8KttXKp2dBi9ykFKRpVUVxalIunco1lBxccXILz0aRILdcoTMCyOAiAZ11QJ+Ij
-vV+gLyBzq2+IMBflsWx0BWZ+yXQJbmMkxJ+wkc26oNG6ZcklckZYkbKKLqmVo2wc
-UW+NODIuwcaKQrqXqzxM/pFuW0eeBKymMg77u7NN3mkUI5sx9F3djQ6RuFFI5KYM
-AGlQB1dlFyj9qtMrqNLi7GSnTCSbeoJq6Tl1NEKELbjIYvAUIYA5O0rAZHMWqNog
-30IaAL8GZaTf4l78ueJeIdGve1Zl+FXka+Clj0d/B4pVqkIu7/pk4Vldc/Bzm5mm
-JIReQZz6NRn8m0szAmeK9ucxx6jzshXnRQrVBUntYYWZzCWQgHjNPF3vXdFrfZgl
-ar/0whmRap7uM7TiMSHRgJjPd7iG27RKXd3dRr51KYaeHSjhnK/26oelBIQDVA6V
-nK69GpD2AFkWpgkUfqD89rLBOxWxdKZgC6ucTtmprwg5pRkfRCgV32fzJkBAoMkN
-erg8uQGjT/EnTSxEK72XK2MRDpUpKZvB2GoG69dOYs1L9mtIbxgdexeBlw2UNF1l
-JDlPQUEmlY/QptWCro7H0HcdP/iXCadTZcxIf+ln0cfMwlVYgTn+4NWWvRNskWx2
-c8RqynsrjM/7PIuWltVizlcAp7WIQtbBHcTs9lNBRSQrtxEaSuLoZ2cLiw9qBN7j
-2goLCEKvRI/KqsVj9/NirMpVg4g3t/ZQSEh56w6seKPynzEF1KKdA+2tCzwuSmDs
-UT0hHpzepoTXJoix/eRWl4yVsUD1zz1HdL+WJL0vWNZax92Q1afq5icjtEty4/Ng
-Ek35dWGQI21usyVHKH+jsFFioj+3pm5jPUb7tCZ/sptYlXOL6MtSWmpOzMqjiDQK
-pZizY/mseUHQOyz9MBdZ3Vv8GQIDAQABozIwMDAPBgNVHRMBAf8EBTADAQH/MB0G
-A1UdDgQWBBQiVaWbtkt9aYDBbPhXAGtpi6HxAzANBgkqhkiG9w0BAQwFAAOCBAEA
-hCfUJVB75LF+z0A02vdfg0aQGHokLVejqFkCZ8kZvDNC7kkRepO0EkYO7YMYxHX6
-R+IU4mtiSq7ubtgLuGcQmz/Q9UbxUxX/bIZ5tP5lNOZZqoZ4xqfj/ROMtT5xo5c0
-2ZUXWOBTtqLEzOIaPxjvjW8WU0sVPrjeC1il4dTSNRQZdTFj6nJXmebBG3FWakEi
-l8Nzx85DFqtyMdfyCaJPzwDSsYJx6a15wLX3nLzHNln4E5skzYgV9qxdqDBDsi99
-h4SYaktETciTxnkVLKNyILfA5DjN6uacU3a79KCrwhQmMze6P3cXl06gFGIl2HBM
-CQ5zrz5bIfG7Msi98Qj0FAOfRDF4Qx1UrwMp727Vlj2oL2MmZXfVS7dLYT6bi2z0
-xf74Z4mTitETXWhLayfJuuoNBSC8dmlsLOUVgtppoy8eqze6S0JDIjLl04aHg9ja
-yE9WQI8nq9pMEAF7O63Od7lfIsvEmAcbjU1GCHmzCf8qedvmEXhgpuCNFGtNgxKh
-V1Wc0WMKh1ql3ETsK37+c2gJu2hTHX7LTS/mkMtEkEQcruDAppwDfkX+gSrPDRvG
-riGmk4AttTmK7PvesVI9riXfw0iAo/ydsUckqanntiX9uZvQWsClHVamR8wjL3JK
-PMErm6/SrAelH0vLCQkYm2NSFApX6GBDSmvbKSZvmqutnApDUKcu+36GFZHqC+Wz
-gIQzhvOL4AO2jyPRRByscNyWc5Zu5yN78x7UKfwxLOMnRK1ZxZ18N0OdAmmDXN6e
-TBYoCoenjaqIYbtFUMSqOJEW+nAZbTINO4Sf/ouPg+kBg/uDKvGUbKP29GnhQL2o
-PFwvBBYlXqn9AuPiXwCUUinBYR260rzuzfKyP6HmXOaxMOJxU3jM38+3vDpC5Kb0
-MMY6+lYo42/rGeRMvkm+aM1zZcPHAIgZ6M/LaUrrLTX5zLqsNfx5gUddEfqRrZTK
-Z4ivJwqTrI/e1iZ/grLUjHWPV/PflBOQc7NmPdvEv3uRampRPfBwtC1KMae/Y6se
-hx9TbJQGdoK90dCe9LzdUHEdGyZT5cKDSCd9ffmWwORbN8+xqRFZ8/tRyxgSA58Z
-MSTmqkNM+udO/Zn2oOmAwpXhrwc75ezGXvwNH3YMdyVDqZrlfLgv7KMyhuhOnP1z
-T8+ZgLOfy8hxeZwObL821lAIhKxQux0LQFYoYrOUmP9kDw+gRg1AnIi3n8Tgeisk
-DmIYgmB/9vgEDqBO9vhcg/qdevhjkfeiOfKRdpxpg9mCh57hHfM1CHq5ulFttbwc
-JjT/BiQzCmzJPXAlRuxVPHCaF1qyp6Pf4seLRy0qyWyOWVxVx2BKKGV7cX/IUbXV
-53Nn1zkqWwd9Ws9D7zQwog==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
diff --git a/system/services/taskserver/certs/ca.key.pem.gpg b/system/services/taskserver/certs/ca.key.pem.gpg
deleted file mode 100644
index 8abd59a..0000000
--- a/system/services/taskserver/certs/ca.key.pem.gpg
+++ /dev/null
Binary files differ
diff --git a/system/services/taskserver/certs/check_expire b/system/services/taskserver/certs/check_expire
deleted file mode 100755
index 39f3291..0000000
--- a/system/services/taskserver/certs/check_expire
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env nix
-#! nix shell nixpkgs#openssl nixpkgs#dash --command dash
-
-cd "$(dirname "$0")" || {
- echo "No dir name?!"
- exit 1
-}
-
-for cert in *.cert.pem; do
- echo "$cert"
- openssl x509 -noout -in "$cert" -dates
- echo
-done
diff --git a/system/services/taskserver/certs/generate b/system/services/taskserver/certs/generate
deleted file mode 100755
index c3b58ae..0000000
--- a/system/services/taskserver/certs/generate
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i dash --packages openssl gnutls dash
-#! nix-shell --impure
-
-# For a public or production server, purchase a cert from a known CA, and skip
-# the next step.
-
-# For development, testing and personal server management, create a CA key and
-# cert, and use that to generate a server key and cert. Creates:
-# ca.key.pem
-# ca.cert.pem
-# server.key.pem
-# server.cert.pem
-
-GENERATION_LOCATION="/run/user/$(id -u)/taskserver/certs"
-BASEDIR="$(dirname "$0")"
-cd "$BASEDIR" || {
- echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
- exit 1
-}
-
-ca=false
-crl=false
-clients=false
-
-for arg in "$@"; do
- case "$arg" in
- "--ca")
- ca=true
- ;;
- "--crl")
- crl=true
- ;;
- "--clients")
- clients=true
- ;;
- esac
-done
-
-# `ca.cert.pem` is not on this list, as it would otherwise get deleted in the `rm` on the
-# second-to last line
-set -- ./vars ./generate.ca ./generate.crl ./generate.client ./ca.key.pem.gpg ./isrgrootx1.pem
-
-mkdir --parents "$GENERATION_LOCATION"
-cp "$@" ./ca.cert.pem "$GENERATION_LOCATION"
-cd "$GENERATION_LOCATION" || echo "(BUG?) No possible location fould!" 1>&2
-
-gpg --decrypt ca.key.pem.gpg >ca.key.pem
-
-[ "$ca" = true ] && ./generate.ca
-cat ./isrgrootx1.pem >>./ca.cert.pem
-
-# Generate a certificate revocation list (CRL). The initial CRL is empty, but
-# can grow over time. Creates:
-# server.crl.pem
-
-[ "$crl" = true ] && ./generate.crl
-
-# The above is sufficient to operate a server. You now need to run a client cert creation
-# process per client; Add the required client names and uncomment
-# ./generate.client <client_name>
-#
-#
-# Creates:
-# <client_name>.key.pem
-# <client_name>.cert.pem
-#
-[ "$clients" = true ] && ./generate.client soispha
-[ "$clients" = true ] && ./generate.client android-mobile
-[ "$clients" = true ] && ./generate.client android-tab
-
-rm "$@" "./ca.key.pem"
-echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
-
-# vim: ft=sh
diff --git a/system/services/taskserver/certs/generate.ca b/system/services/taskserver/certs/generate.ca
deleted file mode 100755
index eb0dd5c..0000000
--- a/system/services/taskserver/certs/generate.ca
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/sh
-
-# Take the correct binary to create the certificates
-CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]; then
- echo "ERROR: No certtool found" >&2
- exit 1
-fi
-
-. ./vars
-
-if ! [ -f ca.key.pem ]; then
- # Create a CA key.
- $CERTTOOL \
- --generate-privkey \
- --sec-param $SEC_PARAM \
- --outfile ca.key.pem
-fi
-
-chmod 600 ca.key.pem
-
-if ! [ -f ca.template ]; then
- # Sign a CA cert.
- cat <<EOF >ca.template
-organization = $ORGANIZATION
-cn = $CN CA
-country = $COUNTRY
-expiration_days = $EXPIRATION_DAYS
-ca
-EOF
-#state = $STATE
-#locality = $LOCALITY
-fi
-
-if ! [ -f ca.cert.pem ]; then
- $CERTTOOL \
- --generate-self-signed \
- --load-privkey ca.key.pem \
- --template ca.template \
- --outfile ca.cert.pem
-fi
-
-chmod 600 ca.cert.pem
diff --git a/system/services/taskserver/certs/generate.crl b/system/services/taskserver/certs/generate.crl
deleted file mode 100755
index e9f6715..0000000
--- a/system/services/taskserver/certs/generate.crl
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-
-# Take the correct binary to create the certificates
-CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]
-then
- echo "ERROR: No certtool found" >&2
- exit 1
-fi
-
-. ./vars
-
-if ! [ -f crl.template ]
-then
- # CRL - Certificate Revocation List
- cat <<EOF >crl.template
-expiration_days = $EXPIRATION_DAYS
-EOF
-fi
-
-if ! [ -f server.crl.pem ]
-then
- $CERTTOOL \
- --generate-crl \
- --load-ca-privkey ca.key.pem \
- --load-ca-certificate ca.cert.pem \
- --template crl.template \
- --outfile server.crl.pem
-fi
-
-chmod 600 server.crl.pem
-
-# To create a CRL that contains some revoked certificates, place the
-# certificates in a file and use --load-certificate as follows:
-# $CERTTOOL \
-# --generate-crl \
-# --load-ca-privkey ca.key.pem \
-# --load-ca-certificate ca.cert.pem \
-# --load-certificate revoked-certs.pem
-
-# To verify a CRL:
-# $CERTTOOL --verify-crl --load-ca-certificate ca.cert.pem --infile server.crl.pem
diff --git a/system/services/taskserver/certs/isrgrootx1.pem b/system/services/taskserver/certs/isrgrootx1.pem
deleted file mode 100644
index b85c803..0000000
--- a/system/services/taskserver/certs/isrgrootx1.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
diff --git a/system/services/taskserver/certs/vars b/system/services/taskserver/certs/vars
deleted file mode 100644
index 50d753a..0000000
--- a/system/services/taskserver/certs/vars
+++ /dev/null
@@ -1,7 +0,0 @@
-SEC_PARAM=ultra
-EXPIRATION_DAYS=365
-ORGANIZATION="Vhack"
-CN=taskserver.vhack.eu
-COUNTRY=EU
-#STATE="Germany"
-#LOCALITY="Göteborg"
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
deleted file mode 100644
index 04b6a8b..0000000
--- a/system/services/taskserver/default.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{config, ...}: let
- taskStore = "/var/lib/taskserver";
-in {
- environment.etc = {
- "tmpfiles.d/taskserver.conf".source = config.age.secrets.taskserverSystemdTmpfiles.path;
- };
-
- vhack.persist.directories = [
- "/var/lib/taskserver"
- ];
-
- services.taskserver = {
- enable = true;
- pki.manual = {
- ca.cert = ./certs/ca.cert.pem;
- server = {
- cert = "${taskStore}/fullchain.pem";
- key = "${taskStore}/key.pem";
- };
- };
-
- debug = false;
- ipLog = false;
- trust = "strict";
-
- organisations = import ./organisations.nix;
- openFirewall = true;
- fqdn = "taskserver.vhack.eu";
-
- # This should tell taskd to bind to both ipv6 and ipv4 domains:
- # This will ONLY work when the kernel option `sys.net.ipv6.bindv6only` is false
- listenHost = "::";
- };
- boot.kernelParams = [
- "sys.net.ipv6.bindv6only=0"
- ];
-
- security.acme.certs.taskserver = {
- domain = "taskserver.vhack.eu";
- postRun =
- /*
- bash
- */
- ''
- set -x
- rm "${taskStore}/key.pem"
- rm "${taskStore}/fullchain.pem"
-
- cp key.pem "${taskStore}";
- cp fullchain.pem "${taskStore}";
-
- chown taskd:taskd "${taskStore}/key.pem"
- chown taskd:taskd "${taskStore}/fullchain.pem"
- '';
- };
-}
diff --git a/system/services/taskserver/organisations.nix b/system/services/taskserver/organisations.nix
deleted file mode 100644
index c3ad966..0000000
--- a/system/services/taskserver/organisations.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- vhack = {
- users = [
- "soispha"
- ];
- };
- soispha = {
- users = [
- "soispha"
- "android-mobile"
- "android-tab"
- ];
- };
-}
diff --git a/system/services/taskserver/certs/generate.client b/tests/common/acme/certs/generate.client
index 4f0e503..5930298 100755
--- a/system/services/taskserver/certs/generate.client
+++ b/tests/common/acme/certs/generate.client
@@ -1,54 +1,44 @@
-#!/bin/sh
+#! /usr/bin/env sh
# Take the correct binary to create the certificates
CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]
-then
- echo "ERROR: No certtool found" >&2
- exit 1
+if [ -z "$CERTTOOL" ]; then
+ echo "ERROR: No certtool found" >&2
+ exit 1
fi
-. ./vars
-
NAME=client
-if [ $# -gt 0 ]
-then
- NAME=$1
+if [ $# -gt 0 ]; then
+ NAME="$1"
fi
-if ! [ -f "$NAME".key.pem ]
-then
- # Create a client key.
- $CERTTOOL \
+# Create a client key.
+$CERTTOOL \
--generate-privkey \
- --sec-param $SEC_PARAM \
+ --sec-param "$SEC_PARAM" \
+ --key-type "$KEY_TYPE" \
--outfile "$NAME".key.pem
-fi
chmod 600 "$NAME".key.pem
-if ! [ -f "$NAME".template ]
-then
- # Sign a client cert with the key.
- cat <<EOF >"$NAME".template
-organization = $ORGANIZATION
-cn = $CN
+# Sign a client cert with the key.
+cat <<EOF >"$NAME".template
+dns_name = "$NAME"
+dns_name = "$SAN"
expiration_days = $EXPIRATION_DAYS
-tls_www_client
+organization = $ORGANIZATION
encryption_key
signing_key
EOF
-fi
-if ! [ -f "$NAME".cert.pem ]
-then
- $CERTTOOL \
+$CERTTOOL \
--generate-certificate \
--load-privkey "$NAME".key.pem \
--load-ca-certificate ca.cert.pem \
--load-ca-privkey ca.key.pem \
--template "$NAME".template \
--outfile "$NAME".cert.pem
-fi
chmod 600 "$NAME".cert.pem
+
+# vim: ft=sh
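Review bot: The `. ./vars` line is dropped from the new side, yet `$SEC_PARAM`, `$KEY_TYPE`, `$EXPIRATION_DAYS`, `$ORGANIZATION` and `$SAN` are still expanded, so the script now relies entirely on the caller's environment and, with no `set -u`, an unset variable becomes an empty argument (`--sec-param ""`, `--key-type ""`, `dns_name = ""`) rather than an error; whether certtool rejects those or quietly issues a key/cert with a weak or empty parameter is not visible here. Adding `set -eu` directly after the new `#! /usr/bin/env sh` line would make a missing variable, or a failed `$CERTTOOL` call, abort before `chmod` and the later signing step run on a partial result. A short header comment listing the required variables, e.g. `# Required env: SEC_PARAM KEY_TYPE EXPIRATION_DAYS ORGANIZATION SAN (formerly sourced from ./vars)`, would document the new contract. Separately, `tls_www_client` was removed from the template without a replacement purpose, so the issued certificate's intended key usage is now implicit; if the test CA is meant to produce server certificates for the ACME tests, stating that in a comment next to the `dns_name` lines would make the intent clear.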