author | aszlig <aszlig@redmoonstudios.org> | 2016-04-11 23:05:02 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2016-04-11 23:07:58 +0200 |
commit | b6643102d61b466b0395c8f89eab3acfc2c2438d (patch) | |
tree | 458ab65661a383bca2bb2cf13e46744dcf3325a6 /nixos/modules/services/misc/taskserver | |
parent | d0ab6179746335e17e82b81e7056374834d54f57 (diff) | |
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually notice the revocation, we need to have a valid certificate revocation list. Right now the expiration_days is set to 10 years, but that's merely to actually get certtool to actually generate the CRL without trying to prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver')
-rw-r--r-- | nixos/modules/services/misc/taskserver/default.nix | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index b0e05340e3b7..e2a2b896ec6a 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -397,6 +397,19 @@ in { "${cfg.dataDir}/keys/server.cert" fi + if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then + ${pkgs.gnutls}/bin/certtool --generate-crl \ + --template "${pkgs.writeText "taskserver-crl.template" '' + expiration_days = 3650 + ''}" \ + --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \ + --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \ + --outfile "${cfg.dataDir}/keys/server.crl" + + chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl" + chmod g+r "${cfg.dataDir}/keys/server.crl" + fi + chmod go+x "${cfg.dataDir}/keys" ''; }; |
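Review bot: The `if [ ! -e "${cfg.dataDir}/keys/server.crl" ]` guard means this block only ever creates the CRL once, and the `certtool --generate-crl` call is given no certificate to revoke, so the resulting list is empty and nothing in this hunk updates it later. With `expiration_days = 3650` the file also stays valid for ten years, so a stale list will not be noticed through expiry. Please document, or add in a follow-up, how a revoked client certificate is expected to get into `server.crl`, for example by regenerating the file from the revoked certificates instead of only creating it when it is missing. A short comment next to `expiration_days = 3650` saying that the value is there to keep certtool from prompting would also help, since that reason is currently only in the commit message.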