author | aszlig <aszlig@redmoonstudios.org> | 2016-04-12 04:14:33 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2016-04-12 04:14:33 +0200 |
commit | 9f1e536948ba2f7d87dc0919dc7f630f6723ab85 (patch) | |
tree | 78064524923bab590c4600e2772f95fad48c4c57 /nixos/modules/services/misc/taskserver/helper-tool.py | |
parent | a41b109bc10e66824af5e1f150cb741f9f9399c2 (diff) | |
nixos/taskserver: Allow to specify expiration/bits
At least this should allow for some customisation of how the certificates and keys are created. We now have two sub-namespaces within PKI so it should be more clear which options you have to set if you want to either manage your own CA or let the module create it automatically. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver/helper-tool.py')
-rw-r--r-- | nixos/modules/services/misc/taskserver/helper-tool.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
index 512aaa4ab9f8..abc7362cf7c5 100644
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -14,6 +14,10 @@ from tempfile import NamedTemporaryFile
 import click
 CERTTOOL_COMMAND = "@certtool@"
+CERT_BITS = "@certBits@"
+CLIENT_EXPIRATION = "@clientExpiration@"
+CRL_EXPIRATION = "@crlExpiration@"
+
 TASKD_COMMAND = "@taskd@"
 TASKD_DATA_DIR = "@dataDir@"
 TASKD_USER = "@user@"
@@ -153,11 +157,12 @@ def generate_key(org, user):
 try:
 os.makedirs(basedir, mode=0700)
- certtool_cmd("-p", "--bits", "2048", "--outfile", privkey)
+ certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)
 template_data = [
 "organization = {0}".format(org),
 "cn = {}".format(FQDN),
+ "expiration_days = {}".format(CLIENT_EXPIRATION),
 "tls_www_client",
 "encryption_key",
 "signing_key"
@@ -188,7 +193,9 @@ def revoke_key(org, user):
 pubcert = os.path.join(basedir, "public.cert")
- with create_template(["expiration_days = 3650"]) as template:
+ expiration = "expiration_days = {}".format(CRL_EXPIRATION)
+
+ with create_template([expiration]) as template:
 oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
 oldcrl.write(open(crl, "rb").read())
 oldcrl.flush() |
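Review bot: The three placeholders added after `CERTTOOL_COMMAND` carry no comment saying what units they hold, and they are used later as raw strings. A one-line comment above them such as `# PKI settings substituted at build time: key size in bits, validity periods in days` would make the expected values clear to anyone changing the substitution.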
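Review bot: In generate_key, `CERT_BITS` now goes straight into `--bits` with no lower bound visible in this file, so a configured value below the previously hard-coded 2048, or a non-numeric one, is passed on and only certtool decides what happens. If the module option does not already constrain it (not visible in this diff), a guard before the call such as `if int(CERT_BITS) < 2048: raise click.ClickException("certBits must be at least 2048")` would keep weak client keys from being issued. The same lack of checking applies to `CLIENT_EXPIRATION` in the template here and to `CRL_EXPIRATION` in the revoke_key hunk, where the value is formatted into the template as-is. generate_key's body starts and continues outside the hunk.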
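Review bot: In revoke_key the CRL template still relies on `expiration_days`, now fed from `CRL_EXPIRATION`, and it is worth confirming that certtool honours that key when generating a CRL; its template format also has a dedicated `crl_next_update` key, and if that is the one that sets the next-update time this option may have no effect. If the value is honoured, a short setting means the CRL lapses unless it is re-issued, so a comment above the `expiration` line such as `# CRL validity in days; the CRL has to be regenerated before it lapses` would help operators choose a value. The function starts and ends outside the hunk.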