From 77d7545fac317e76a04d631c6565d2ef60c5c4d5 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Tue, 5 Apr 2016 16:16:14 +0200
Subject: [PATCH] nixos/taskserver: Introduce a new fqdn option

Using just the host for the common name *and* for listening on the port is quite a bad idea if you want to listen on something like :: or an internal IP address which is proxied/tunneled to the outside. Hence this separates host and fqdn.

Signed-off-by: aszlig
---
 nixos/modules/services/misc/taskserver.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/misc/taskserver.nix b/nixos/modules/services/misc/taskserver.nix
index ba52f2d4cd8..7e67f2f6232 100644
--- a/nixos/modules/services/misc/taskserver.nix
+++ b/nixos/modules/services/misc/taskserver.nix
@@ -198,7 +198,7 @@ in {
 type = types.str;
 default = "localhost";
 description = ''
- The address (IPv4, IPv6 or DNS) of the Taskserver.
+ The address (IPv4, IPv6 or DNS) to listen on.
 '';
 };
@@ -210,6 +210,14 @@ in {
 '';
 };
+ fqdn = mkOption {
+ type = types.str;
+ default = "localhost";
+ description = ''
+ The fully qualified domain name of this server.
+ '';
+ };
+
+ cert = mkOption {
 type = types.nullOr types.path;
 default = null;
@@ -284,7 +292,7 @@ in {
 --outfile "${cfg.dataDir}/keys/ca.key"
 ${pkgs.gnutls}/bin/certtool -s \
 --template "${pkgs.writeText "taskserver-ca.template" ''
- cn = ${cfg.server.host}
+ cn = ${cfg.server.fqdn}
 cert_signing_key
 ca
 ''}" \
@@ -302,7 +310,7 @@ in {
 ${pkgs.gnutls}/bin/certtool -s \
 --template "${pkgs.writeText "taskserver-cert.template" ''
- cn = ${cfg.server.host}
+ cn = ${cfg.server.fqdn}
 tls_www_server
 encryption_key
 signing_key
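Review bot: The new `fqdn` option in the `@@ -210,6 +210,14 @@` hunk defaults to `"localhost"` and is not tied to `host`, so a deployment that had set `server.host` to its public name gets `cn = localhost` the next time certificates are generated unless it also sets `fqdn`. A client that checks the server name will then reject the certificate, and the common reaction is to relax verification on the client side. The description should say that the value is written into the generated certificates and must match the name clients connect to, for example `The fully qualified domain name clients use to reach this server; it becomes the common name of the generated certificates.` It is also worth considering whether a default makes sense here at all, so that a missing value surfaces during evaluation rather than as a certificate mismatch.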
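Review bot: The CA template in the `@@ -284,7 +292,7 @@` hunk and the server template in the `@@ -302,7 +310,7 @@` hunk both set `cn = ${cfg.server.fqdn}`, so as far as the visible templates show, the CA and the server certificate end up with the same subject. A certificate whose subject equals its issuer is self-issued by definition, which some validators treat specially and which makes the chain harder to audit; giving the CA its own name, for example `cn = "${cfg.server.fqdn} CA"`, keeps the two apart. The value is also interpolated verbatim into a line-oriented template while `types.str` accepts newlines, so a check that `fqdn` is a single host name would stop a stray line break from adding directives. Both shell blocks start and end outside the hunks, so whether existing keys are regenerated when `fqdn` changes cannot be seen here.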