author: aszlig <aszlig@redmoonstudios.org> 2016-04-11 23:05:02 +0200
committer: aszlig <aszlig@redmoonstudios.org> 2016-04-11 23:07:58 +0200
commit: b6643102d61b466b0395c8f89eab3acfc2c2438d (patch)
tree: 458ab65661a383bca2bb2cf13e46744dcf3325a6 /nixos/modules/services/misc/taskserver
parent: d0ab6179746335e17e82b81e7056374834d54f57 (diff)
nixos/taskserver: Generate a cert revocation list
If we want to revoke client certificates and want the server to actually
notice the revocation, we need to have a valid certificate revocation
list.

Right now the expiration_days is set to 10 years, but that's merely to
actually get certtool to actually generate the CRL without trying to
prompt for user input.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'nixos/modules/services/misc/taskserver')
-rw-r--r--  nixos/modules/services/misc/taskserver/default.nix  13
1 files changed, 13 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index b0e05340e3b7..e2a2b896ec6a 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -397,6 +397,19 @@ in {
             "${cfg.dataDir}/keys/server.cert"
         fi
 
+        if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
+          ${pkgs.gnutls}/bin/certtool --generate-crl \
+            --template "${pkgs.writeText "taskserver-crl.template" ''
+              expiration_days = 3650
+            ''}" \
+            --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \
+            --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \
+            --outfile "${cfg.dataDir}/keys/server.crl"
+
+          chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl"
+          chmod g+r "${cfg.dataDir}/keys/server.crl"
+        fi
+
         chmod go+x "${cfg.dataDir}/keys"
       '';
     };
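Review bot: the `[ ! -e "${cfg.dataDir}/keys/server.crl" ]` guard means the CRL is generated exactly once and never refreshed, and the `certtool --generate-crl` invocation loads only the CA key and CA certificate, so the file it writes lists no revoked certificates. Revoking a client certificate later therefore has no effect until an operator deletes `server.crl` and reruns this script with the revoked certificates supplied, which the commit message only hints at. Consider either documenting that a revocation requires regenerating the file out of band, or making the generation step idempotent over a directory of revoked certificates so the CRL is rebuilt on every activation. The `expiration_days = 3650` value in the template also deserves a comment in the module: a CRL whose next-update date is ten years away will never be treated as stale by the server, so a forgotten regeneration fails silently rather than loudly. The `chgrp "${cfg.group}"` / `chmod g+r` pair mirrors how `server.cert` is handled above and looks correct, but the CA private key loaded via `--load-ca-privkey "${cfg.dataDir}/keys/ca.key"` stays in the same directory that is later made `go+x`, so it is worth confirming that `ca.key` itself keeps mode 0600 after this block runs.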