Use Let’s encrypt for taskwarrior

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-03-04 23:52:30 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-03-09 02:07:42 +0100
commit: c92933bfa2d95533ea5c8650ff4d40b6621e600f (patch)
tree: 3273743b9d213fbabcd9e80855a9ab2cb14470cb
parent: f8dbac307b48e7ff4baea2b78ec08fa569b44e9d (diff)
download: Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.tar.gz
Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.tar.zst
Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.zip
2 files changed, 76 insertions, 2 deletions
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index 2fd61aa..ac16c62 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -193,6 +193,32 @@ in {
        install -m 0750 -o ${user} -g ${group} -d ${vardir}
        install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
        install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+        if [ ! -e "${vardir}/keys/ca.key" ]; then
+          silent_certtool() {
+            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+              echo "GNUTLS certtool invocation failed with output:" >&2
+              echo "$output" >&2
+            fi
+          }
+          silent_certtool -p \
+            --bits 4096 \
+            --outfile "${vardir}/keys/ca.key"
+          silent_certtool -s \
+            --template "${pkgs.writeText "taskserver-ca.template" ''
+              cn = ${fqdn}
+              expiration_days = -1
+              cert_signing_key
+              ca
+            ''}" \
+            --load-privkey "${vardir}/keys/ca.key" \
+            --outfile "${vardir}/keys/ca.cert"
+          chown :${group} "${vardir}/keys/ca.key"
+          chmod g+r "${vardir}/keys/ca.key"
+        fi
      '';
    };
@@ -201,6 +227,10 @@ in {
      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
      inherit fqdn;
      listenHost = "::";
+      pki.manual.ca.cert = "${vardir}/keys/ca.cert";
+      pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
+      pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
+      pki.manual.server.key = "/var/lib/acme/task/key.pem";
      requestLimit = 104857600;
    };
@@ -228,7 +258,29 @@ in {
          data.location=${taskwarrior-web.varDir}/${name}
          taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
          taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
-          taskd.ca=${vardir}/keys/server.cert
+          # IdenTrust DST Root CA X3
+          # obtained here: https://letsencrypt.org/fr/certificates/
+          taskd.ca=${pkgs.writeText "ca.cert" ''
+            -----BEGIN CERTIFICATE-----
+            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+            MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+            DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+            PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+            Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+            AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+            rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+            OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+            xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+            7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+            aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+            HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+            SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+            ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+            AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+            R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+            JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+            Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+            -----END CERTIFICATE-----''}
          taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
          taskd.credentials=${credentials}
          dateformat=${dateFormat}
diff --git a/nixops/modules/task/www/index.php b/nixops/modules/task/www/index.php
index 829cdd0..deaf8af 100644
--- a/nixops/modules/task/www/index.php
+++ b/nixops/modules/task/www/index.php
@@ -40,7 +40,29 @@ if (isset($_GET["file"])) {
  }
  $certificate = file_get_contents($basecert . ".cert.pem");
  $cert_key    = file_get_contents($basecert . ".key.pem");
-  $server_cert = file_get_contents($vardir . "/keys/server.cert");
+  // IdenTrust DST Root CA X3
+  // obtained here: https://letsencrypt.org/fr/certificates/
+  $server_cert = "-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----";
  $file = $_GET["file"];
  switch($file) {
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-03-04 23:52:30 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-03-09 02:07:42 +0100
commit	c92933bfa2d95533ea5c8650ff4d40b6621e600f (patch)
tree	3273743b9d213fbabcd9e80855a9ab2cb14470cb
parent	f8dbac307b48e7ff4baea2b78ec08fa569b44e9d (diff)
download	Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.tar.gz Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.tar.zst Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.zip

diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix index 2fd61aa..ac16c62 100644 --- a/nixops/modules/task/default.nix +++ b/nixops/modules/task/default.nix
@@ -193,6 +193,32 @@ in {
193	install -m 0750 -o ${user} -g ${group} -d ${vardir}	193	install -m 0750 -o ${user} -g ${group} -d ${vardir}
194	install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys	194	install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
195	install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys	195	install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
		196
		197	if [ ! -e "${vardir}/keys/ca.key" ]; then
		198	silent_certtool() {
		199	if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
		200	echo "GNUTLS certtool invocation failed with output:" >&2
		201	echo "$output" >&2
		202	fi
		203	}
		204
		205	silent_certtool -p \
		206	--bits 4096 \
		207	--outfile "${vardir}/keys/ca.key"
		208
		209	silent_certtool -s \
		210	--template "${pkgs.writeText "taskserver-ca.template" ''
		211	cn = ${fqdn}
		212	expiration_days = -1
		213	cert_signing_key
		214	ca
		215	''}" \
		216	--load-privkey "${vardir}/keys/ca.key" \
		217	--outfile "${vardir}/keys/ca.cert"
		218
		219	chown :${group} "${vardir}/keys/ca.key"
		220	chmod g+r "${vardir}/keys/ca.key"
		221	fi
196	'';	222	'';
197	};	223	};
198		224
@@ -201,6 +227,10 @@ in {
201	allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];	227	allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
202	inherit fqdn;	228	inherit fqdn;
203	listenHost = "::";	229	listenHost = "::";
		230	pki.manual.ca.cert = "${vardir}/keys/ca.cert";
		231	pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
		232	pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
		233	pki.manual.server.key = "/var/lib/acme/task/key.pem";
204	requestLimit = 104857600;	234	requestLimit = 104857600;
205	};	235	};
206		236
@@ -228,7 +258,29 @@ in {
228	data.location=${taskwarrior-web.varDir}/${name}	258	data.location=${taskwarrior-web.varDir}/${name}
229	taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem	259	taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
230	taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem	260	taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
231	taskd.ca=${vardir}/keys/server.cert	261	# IdenTrust DST Root CA X3
		262	# obtained here: https://letsencrypt.org/fr/certificates/
		263	taskd.ca=${pkgs.writeText "ca.cert" ''
		264	-----BEGIN CERTIFICATE-----
		265	MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
		266	MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
		267	DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
		268	PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
		269	Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
		270	AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
		271	rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
		272	OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
		273	xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
		274	7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
		275	aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
		276	HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
		277	SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
		278	ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
		279	AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
		280	R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
		281	JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
		282	Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
		283	-----END CERTIFICATE-----''}
232	taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}	284	taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
233	taskd.credentials=${credentials}	285	taskd.credentials=${credentials}
234	dateformat=${dateFormat}	286	dateformat=${dateFormat}


diff --git a/nixops/modules/task/www/index.php b/nixops/modules/task/www/index.php index 829cdd0..deaf8af 100644 --- a/nixops/modules/task/www/index.php +++ b/nixops/modules/task/www/index.php
@@ -40,7 +40,29 @@ if (isset($_GET["file"])) {
40	}	40	}
41	$certificate = file_get_contents($basecert . ".cert.pem");	41	$certificate = file_get_contents($basecert . ".cert.pem");
42	$cert_key = file_get_contents($basecert . ".key.pem");	42	$cert_key = file_get_contents($basecert . ".key.pem");
43	$server_cert = file_get_contents($vardir . "/keys/server.cert");	43
		44	// IdenTrust DST Root CA X3
		45	// obtained here: https://letsencrypt.org/fr/certificates/
		46	$server_cert = "-----BEGIN CERTIFICATE-----
		47	MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
		48	MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
		49	DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
		50	PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
		51	Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
		52	AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
		53	rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
		54	OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
		55	xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
		56	7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
		57	aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
		58	HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
		59	SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
		60	ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
		61	AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
		62	R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
		63	JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
		64	Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
		65	-----END CERTIFICATE-----";
44		66
45	$file = $_GET["file"];	67	$file = $_GET["file"];
46	switch($file) {	68	switch($file) {