From 7276d8e6ae494bb7ab85c1cdfa2917e3b889468d Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Fri, 8 Sep 2023 17:04:38 +0200 Subject: Make TLS functional Enable letsencrypt certificates in httpd while making all daemons fall back to self-issued certs when /etc/letsencrypt/live is unpopulated. --- Makefile | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 4f5ef58..9b91cfa 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,8 @@ GUIX_SYS_CONTAINER = $(GUIX_TM) system container $(GUIX_LOAD_PATHS) GUIX_SHELL = $(GUIX_TM) shell +GUIX_OPENSSL = $(GUIX_SHELL) openssl -- openssl + KOSZKO_ORG_WEBSITE_INFO = \ subrepos/koszko-org-website/src/koszko_org_website.egg-info/PKG-INFO HYDRILLA_WEBSITE_INFO = \ @@ -40,7 +42,7 @@ ALL_EGG_INFOS = \ $(HYDRILLA_INFO) CONTAINER_PREREQUISITES = container.scm $(ALL_EGG_INFOS) hydrilla-wsgi.py \ - exim.conf Makefile.local + exim.conf Makefile.local test-ca-key.pem test-ca-cert.pem PWD_DERIVED_DIRECTORY_NAME != pwd | sed 's|[/'\'']|!|g' TEST_ROOT_DIR = '/tmp/$(PWD_DERIVED_DIRECTORY_NAME)!!test-root/current' @@ -57,6 +59,17 @@ $(HYDRILLA_INFO): Makefile.local: touch $@ +test-ca-key.pem: + $(GUIX_OPENSSL) genrsa -out $@ 4096 + +test-ca-cert.pem: test-ca-key.pem + $(GUIX_OPENSSL) req -x509 -new -nodes -key $< -sha256 -days 3650 \ + -out $@ -subj '/CN=Self-signed CA/C=PL/ST=PL/L=Krakow/O=Koszko' + +test-ca-certificates.crt: /etc/ssl/certs/ca-certificates.crt \ + test-ca-cert.pem + cat $^ > $@ + container-runner: | $(CONTAINER_PREREQUISITES) container-runner.touchfile: $(CONTAINER_PREREQUISITES) @@ -197,7 +210,7 @@ enter-container: pidfile nsenter -a -t "$$(cat pidfile)" \ /run/current-system/profile/bin/bash --login -fake-client: fake-client-setup-mounts.sh hosts +fake-client: fake-client-setup-mounts.sh hosts test-ca-certificates.crt unshare --map-root-user --mount ./$< "$${SHELL:-/bin/sh}" install: $(CONTAINER_PREREQUISITES) 
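Review bot: Adding `test-ca-key.pem` and `test-ca-cert.pem` to `CONTAINER_PREREQUISITES` (hunk at -40,7) also makes them prerequisites of `install`, because `install: $(CONTAINER_PREREQUISITES)` is visible in a later hunk's context; files named as test artifacts are therefore generated on the production path too. The commit message suggests this is the intended fallback when /etc/letsencrypt/live is unpopulated, but how container.scm consumes the key is outside this diff. If it is intended, a comment above the assignment would record it, e.g. `# test-ca-*.pem back the self-issued fallback certs; 'install' needs them too, not only the tests.`; if not, they belong in a separate variable used only by the test targets. The `clean` hunk deletes the key, so a clean followed by an install would mint a new CA.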
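Review bot: The `test-ca-key.pem` rule (hunk at -57,6) leaves an unencrypted CA private key in the source tree with a file mode that depends on the openssl build and the caller's umask, and the certificate signed with it is valid for ten years (`-days 3650`) with no constraints visible in the command. Pinning the mode in the recipe costs nothing: `umask 077 && $(GUIX_OPENSSL) genrsa -out $@ 4096`. A comment above the rule such as `# Throwaway CA for local testing; the key is unencrypted, keep it untracked and never reuse it elsewhere.` would tell the next reader why the file must stay out of version control; whether it is already ignored cannot be seen from this diff. The subject `CN=Self-signed CA` could also say "test" so the certificate is recognisable when it turns up in `test-ca-certificates.crt` or any other trust bundle.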
@@ -223,7 +236,8 @@ clean: clean-runner for SUBREPO in $(SUBREPOS_WITH_MAKEFILE); do \ $(MAKE) -C subrepos/"$$SUBREPO" clean; \ done - rm -rf log test-root hosts schemas sample-malcontent + rm -rf log test-root hosts test-ca-key.pem test-ca-cert.pem \ + test-ca-certificates.crt schemas sample-malcontent .PHONY: all \ clean-runner clean \ -- cgit v1.2.3