From b6643102d61b466b0395c8f89eab3acfc2c2438d Mon Sep 17 00:00:00 2001 From: aszlig Date: Mon, 11 Apr 2016 23:05:02 +0200 Subject: [PATCH] nixos/taskserver: Generate a cert revocation list If we want to revoke client certificates and want the server to actually notice the revocation, we need to have a valid certificate revocation list. Right now the expiration_days is set to 10 years, but that's merely to actually get certtool to actually generate the CRL without trying to prompt for user input. Signed-off-by: aszlig
--- nixos/modules/services/misc/taskserver/default.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix
index b0e05340e3b..e2a2b896ec6 100644
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -397,6 +397,19 @@ in { "${cfg.dataDir}/keys/server.cert" fi + if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then + ${pkgs.gnutls}/bin/certtool --generate-crl \ --template "${pkgs.writeText "taskserver-crl.template" '' + expiration_days = 3650 + ''}" \ + --load-ca-privkey "${cfg.dataDir}/keys/ca.key" \ + --load-ca-certificate "${cfg.dataDir}/keys/ca.cert" \ + --outfile "${cfg.dataDir}/keys/server.crl" + chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.crl" + chmod g+r "${cfg.dataDir}/keys/server.crl" + fi + chmod go+x "${cfg.dataDir}/keys" ''; };
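Review bot: The CRL written by the new `certtool --generate-crl` call is an empty one (no `--load-certificate` of any revoked certificate) with a ten-year `expiration_days`, and the `[ ! -e "${cfg.dataDir}/keys/server.crl" ]` guard means this script never rewrites it, so a later client-certificate revocation will only reach the server if something outside this hunk regenerates `server.crl` with the revoked certificates loaded — nothing here documents that. Add a comment above the `if`, e.g. `# Bootstrap an empty CRL so the server has a valid list to load; revoking a client cert requires regenerating server.crl with --load-certificate <revoked.cert> for every revoked certificate, otherwise the server keeps honouring this 10-year-valid empty list`, and consider exposing `expiration_days` as a module option instead of hard-coding 3650 in the `writeText` template so operators can pick a short validity with periodic regeneration. Whether a certtool failure aborts the script depends on how the enclosing shell string is invoked, which is outside the hunk; if it is not run under `set -e`, a failed generation leaves the following `chgrp`/`chmod` operating on a missing file, so appending `|| exit 1` to the certtool command is a cheap guard. The shell string and the attribute that holds it begin before this hunk.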