authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-03-04 23:52:30 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-03-09 02:07:42 +0100
commitc92933bfa2d95533ea5c8650ff4d40b6621e600f (patch)
tree3273743b9d213fbabcd9e80855a9ab2cb14470cb
parentf8dbac307b48e7ff4baea2b78ec08fa569b44e9d (diff)
downloadNix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.tar.gz
Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.tar.zst
Nix-c92933bfa2d95533ea5c8650ff4d40b6621e600f.zip
Use Let’s encrypt for taskwarrior
-rw-r--r--nixops/modules/task/default.nix54
-rw-r--r--nixops/modules/task/www/index.php24
2 files changed, 76 insertions, 2 deletions
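--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -193,6 +193,32 @@ in {
 install -m 0750 -o ${user} -g ${group} -d ${vardir}
 install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
 install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+
+if [ ! -e "${vardir}/keys/ca.key" ]; then
+silent_certtool() {
+if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+echo "GNUTLS certtool invocation failed with output:" >&2
+echo "$output" >&2
+fi
+}
+
+silent_certtool -p \
+--bits 4096 \
+--outfile "${vardir}/keys/ca.key"
+
+silent_certtool -s \
+--template "${pkgs.writeText "taskserver-ca.template" ''
+cn = ${fqdn}
+expiration_days = -1
+cert_signing_key
+ca
+''}" \
+--load-privkey "${vardir}/keys/ca.key" \
+--outfile "${vardir}/keys/ca.cert"
+
+chown :${group} "${vardir}/keys/ca.key"
+chmod g+r "${vardir}/keys/ca.key"
+fi
 '';
 };
 
@@ -201,6 +227,10 @@ in {
 allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
 inherit fqdn;
 listenHost = "::";
+pki.manual.ca.cert = "${vardir}/keys/ca.cert";
+pki.manual.server.cert = "/var/lib/acme/task/fullchain.pem";
+pki.manual.server.crl = "/var/lib/acme/task/invalid.crl";
+pki.manual.server.key = "/var/lib/acme/task/key.pem";
 requestLimit = 104857600;
 };
 
@@ -228,7 +258,29 @@ in {
 data.location=${taskwarrior-web.varDir}/${name}
 taskd.certificate=${vardir}/userkeys/taskwarrior-web.cert.pem
 taskd.key=${vardir}/userkeys/taskwarrior-web.key.pem
-taskd.ca=${vardir}/keys/server.cert
+# IdenTrust DST Root CA X3
+# obtained here: https://letsencrypt.org/fr/certificates/
+taskd.ca=${pkgs.writeText "ca.cert" ''
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----''}
 taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
 taskd.credentials=${credentials}
 dateformat=${dateFormat}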
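Review bot: `silent_certtool` prints certtool's error but always returns 0 (the function's status is that of the `fi`/trailing `echo`), so if the `-s` signing step fails the activation script still reaches `chown`/`chmod g+r` and leaves `ca.key` without a `ca.cert`; since the outer guard only tests `ca.key`, that broken CA state is never repaired on later activations. Add `return 1` after the second `echo`, abort on it (`silent_certtool -s ... || exit 1`), and widen the guard to `if [ ! -e "${vardir}/keys/ca.key" ] || [ ! -e "${vardir}/keys/ca.cert" ]; then`. Separately, `pki.manual.server.crl` points at `/var/lib/acme/task/invalid.crl`, which nothing in this diff creates and the ACME module would not produce; a comment stating what writes that file (or that it is a deliberate placeholder) would save the next reader a hunt. The activation-script string and the enclosing attribute set begin and end outside these hunks.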
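--- a/nixops/modules/task/www/index.php
+++ b/nixops/modules/task/www/index.php
@@ -40,7 +40,29 @@ if (isset($_GET["file"])) {
 }
 $certificate = file_get_contents($basecert . ".cert.pem");
 $cert_key = file_get_contents($basecert . ".key.pem");
-$server_cert = file_get_contents($vardir . "/keys/server.cert");
+
+// IdenTrust DST Root CA X3
+// obtained here: https://letsencrypt.org/fr/certificates/
+$server_cert = "-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----";
 
 $file = $_GET["file"];
 switch($file) {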
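Review bot: The DST Root CA X3 PEM is now hand-copied into this file as well as into `default.nix`, so the two trust anchors handed to clients can drift silently, and a root pinned this way has to be rotated by hand (its encoded validity appears to end on 2021-09-30, and Let's Encrypt chains have also been issued under ISRG Root X1). Keep a single source of truth: have the Nix module write the PEM to a file under `${vardir}/keys` and restore the previous shape of this line, `$server_cert = file_get_contents($vardir . "/keys/<ca file written by nix>");`, so both sides read the same bytes. The name `$server_cert` is also now misleading since the value is a root CA rather than the server's certificate; `$ca_cert` would match what it holds. The enclosing `if (isset($_GET["file"]))` block begins before the hunk and continues past it, so how `$server_cert` is emitted downstream is not in view.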