Use Let’s encrypt for taskwarrior
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Mon, 4 Mar 2019 22:52:30 +0000 (23:52 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 9 Mar 2019 01:07:42 +0000 (02:07 +0100)
nixops/modules/task/default.nix
nixops/modules/task/www/index.php

index 2fd61aab0c48b9a4b53b0230aed8b589495a55e1..ac16c627c08a24857fb99a46546831274c58b5ee 100644 (file)
@@ -193,6 +193,32 @@ in {
         install -m 0750 -o ${user} -g ${group} -d ${vardir}
         install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
         install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+
+        if [ ! -e "${vardir}/keys/ca.key" ]; then
+          silent_certtool() {
+            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+              echo "GNUTLS certtool invocation failed with output:" >&2
+              echo "$output" >&2
+            fi
+          }
+
+          silent_certtool -p \
+            --bits 4096 \
+            --outfile "${vardir}/keys/ca.key"
+
+          silent_certtool -s \
+            --template "${pkgs.writeText "taskserver-ca.template" ''
+              cn = ${fqdn}
+              expiration_days = -1
+              cert_signing_key
+              ca
+            ''}" \
+            --load-privkey "${vardir}/keys/ca.key" \
+            --outfile "${vardir}/keys/ca.cert"
+
+          chown :${group} "${vardir}/keys/ca.key"
+          chmod g+r "${vardir}/keys/ca.key"
+        fi
       '';
     };
 
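Review bot: silent_certtool masks failure: the `if ! output=…` branch only prints the error, and the function then returns the status of the last `echo`, i.e. 0, so a failed `certtool -p` or `certtool -s` neither stops the script nor removes what it left behind, and because `[ ! -e "${vardir}/keys/ca.key" ]` is the only guard, an empty or truncated ca.key from one bad run is kept and never regenerated. Add `return 1` after the second echo in the wrapper and abort on each call, e.g. `silent_certtool -p --bits 4096 --outfile "${vardir}/keys/ca.key" || exit 1`, or generate into a temporary name and move it into place only on success. `chmod g+r` deliberately widens access to the CA private key beyond its owner; a comment saying which group member needs it (presumably the web frontend that signs user keys) and a note that `expiration_days = -1` makes this CA never expire would help the next reader. The preStart script this sits in begins before the hunk.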
@@ -201,6 +227,10 @@ in {
       allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
       inherit fqdn;
       listenHost = "::";
+      pki.manual.ca.cert = "${vardir}/keys/ca.cert";
+      pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
+      pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
+      pki.manual.server.key = "/var/lib/acme/task/key.pem";
       requestLimit = 104857600;
     };
 
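Review bot: `pki.manual.server.crl` points at `/var/lib/acme/task/invalid.crl`, but nothing in this change produces that file and ACME issues certificates, not revocation lists; the client certificates taskd validates are signed by the self-managed CA from the previous hunk, so the CRL it checks has to be one generated with that CA (`certtool --generate-crl --load-ca-privkey ${vardir}/keys/ca.key --load-ca-certificate ${vardir}/keys/ca.cert …`) and kept next to ca.cert rather than in the ACME directory. Whether taskd refuses to start or silently skips revocation when the path is missing I cannot tell from here, but either way user keys cannot be revoked. Two things the hunk does not show and that the configuration depends on: the taskserver user must be able to read `/var/lib/acme/task/key.pem` (the ACME group/permission setting is not in this diff), and taskd needs a restart after each renewal, e.g. an ACME post-renewal hook, or it keeps serving the old certificate until expiry. The `services.taskserver` attribute set starts before the hunk.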
@@ -228,7 +258,29 @@ in {
           data.location=${taskwarrior-web.varDir}/${name}
           taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
           taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
-          taskd.ca=${vardir}/keys/server.cert
+          # IdenTrust DST Root CA X3
+          # obtained here: https://letsencrypt.org/fr/certificates/
+          taskd.ca=${pkgs.writeText "ca.cert" ''
+            -----BEGIN CERTIFICATE-----
+            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+            MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+            DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+            PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+            Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+            AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+            rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+            OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+            xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+            7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+            aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+            HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+            SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+            ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+            AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+            R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+            JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+            Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+            -----END CERTIFICATE-----''}
           taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
           taskd.credentials=${credentials}
           dateformat=${dateFormat}
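Review bot: Pinning taskd.ca to the single DST Root CA X3 certificate makes the web client trust exactly one chain, so it stops working the moment Let's Encrypt serves a chain rooted elsewhere (ISRG Root X1) or when this root reaches the end of its own validity — the notAfter encoded in the pasted PEM is 2021-09-30 — with no fallback. Unless the narrower trust is intentional, point it at the system bundle, `taskd.ca=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt`, or at least bundle ISRG Root X1 alongside and put the expiry date in the comment so it is visible to whoever maintains this. The same PEM is pasted again in www/index.php, so any chain change has to be made in two places; carrying the Nix-side path into the PHP would avoid the duplicate. The taskwarrior-web config string this belongs to starts before the hunk.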
index 829cdd04b67bdb30d9a6a19b767a3bdd86673ca5..deaf8af1d05f3087140e2eaa462d9aa13eee9c22 100644 (file)
@@ -40,7 +40,29 @@ if (isset($_GET["file"])) {
   }
   $certificate = file_get_contents($basecert . ".cert.pem");
   $cert_key    = file_get_contents($basecert . ".key.pem");
-  $server_cert = file_get_contents($vardir . "/keys/server.cert");
+
+  // IdenTrust DST Root CA X3
+  // obtained here: https://letsencrypt.org/fr/certificates/
+  $server_cert = "-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----";
 
   $file = $_GET["file"];
   switch($file) {
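Review bot: The new `$server_cert` embeds a second copy of the DST Root CA X3 PEM as a string literal, duplicating the one written by default.nix, so the two copies will drift the first time Let's Encrypt's chain (or this root, whose encoded validity ends 2021-09-30) changes and only one is updated. Read it from a path injected by Nix instead, the way the two lines above already build paths from `$basecert`, e.g. `$server_cert = file_get_contents($ca_cert_path);` with `$ca_cert_path` substituted from the same file `taskd.ca` uses, so there is a single source of truth; if `$vardir` is already substituted at build time (not visible here), the same mechanism can carry this path. The `if (isset($_GET["file"]))` block this sits in starts before the hunk.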