diff --git a/docs/TODO b/docs/TODO index f8d509b..25f0232 100644 --- a/docs/TODO +++ b/docs/TODO @@ -6,6 +6,7 @@ -- https://github.com/akopytov/sysbench -- (http://blog.due.io/2014/linode-digitalocean-and-vultr-comparison/ etc.) -package in AUR +-base rewrite in python. pyalpm may come in handy here. ## NETWORKING ## diff --git a/extra/pre-build.d/32/etc/pacman.conf b/extra/pre-build.d/32/etc/pacman.conf index 696061c..308a2ee 100644 --- a/extra/pre-build.d/32/etc/pacman.conf +++ b/extra/pre-build.d/32/etc/pacman.conf @@ -37,7 +37,8 @@ VerbosePkgLists # By default, pacman accepts packages signed by keys that its local keyring # trusts (see pacman-key and its man page), as well as unsigned packages. -SigLevel = Required DatabaseOptional +#SigLevel = Required DatabaseOptional #RE-ENABLE ME WHEN A NEW SNAPSHOT IS RELEASED WITH FIXED GPG +SigLevel = Never LocalFileSigLevel = Optional #RemoteFileSigLevel = Required diff --git a/extra/pre-build.d/64/etc/pacman.conf b/extra/pre-build.d/64/etc/pacman.conf index a46395b..6cfaeb0 100644 --- a/extra/pre-build.d/64/etc/pacman.conf +++ b/extra/pre-build.d/64/etc/pacman.conf @@ -37,7 +37,8 @@ VerbosePkgLists # By default, pacman accepts packages signed by keys that its local keyring # trusts (see pacman-key and its man page), as well as unsigned packages. -SigLevel = Required DatabaseOptional +#SigLevel = Required DatabaseOptional #RE-ENABLE ME WHEN A NEW SNAPSHOT IS RELEASED WITH FIXED GPG +SigLevel = Never LocalFileSigLevel = Optional #RemoteFileSigLevel = Required diff --git a/lib/10-yo_dj.func.sh b/lib/10-yo_dj.func.sh index be1dfe1..ec07190 100644 --- a/lib/10-yo_dj.func.sh +++ b/lib/10-yo_dj.func.sh 
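Review bot: `SigLevel = Never` in `extra/pre-build.d/32/etc/pacman.conf` (and the identical change in the `64` variant) turns off signature verification for every repository that does not set its own level, so packages pulled into the build chroot from a mirror are accepted unverified and end up in the generated image. The `#RE-ENABLE ME` comment is the only thing tracking the rollback, and nothing in the build will fail or warn if it is forgotten. If the snapshot's keyring is the problem, it would be safer to keep `SigLevel = Required DatabaseOptional` and refresh the keyring inside the chroot before the first install (`pacman-key --init` followed by `pacman-key --populate`, then updating the keyring package). If the workaround has to ship, I would at least print a loud warning at build time and link the comment to an issue so the re-enable is not lost.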
@@ -316,9 +316,9 @@ EOF echo 01 > ${SSLDIR}/txt/ca.srl fi touch ${SSLDIR}/txt/ca.idx - openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -x509 -newkey rsa:4096 -nodes -out ${IPXE_SSL_CA} -keyout ${IPXE_SSL_CAKEY} -sha512 - openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${SSLDIR}/keys/server.key -nodes -out ${SSLDIR}/crts/server.csr -sha512 - openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/server.csr -out ${SSLDIR}/crts/server.crt + openssl req -days 3650 -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -x509 -newkey rsa:4096 -nodes -out ${IPXE_SSL_CA} -keyout ${IPXE_SSL_CAKEY} -sha512 + openssl req -days 3650 -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${SSLDIR}/keys/server.key -nodes -out ${SSLDIR}/crts/server.csr -sha512 + openssl ca -days 3650 -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/server.csr -out ${SSLDIR}/crts/server.crt #cat crts/server.crt crts/ca.crt > crts/server_chained.crt elif [[ -z "${IPXE_SSL_CA}" && -e "${IPXE_SSL_CAKEY}" ]]; then 
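Review bot: `-days 3650` has no effect on the `openssl req` calls that lack `-x509` (the `server.csr` line here and the `client.csr` line in the next hunk), because a signing request carries no validity period; only the `-x509` CA line and the two `openssl ca -days 3650` lines actually set a lifetime. Those give the CA, server and client certificates ten years each while every key is written unencrypted (`-nodes`), so a copied key stays usable for a decade, and nothing visible in these hunks provides rotation or revocation. I would drop `-days` from the CSR commands, keep the long lifetime for the CA only, and sign leaf certificates with a shorter, configurable value, e.g. `openssl ca -days "${IPXE_SSL_DAYS:-365}" -batch ...` (the variable name is a suggestion, not an existing setting). The enclosing function starts and ends outside both hunks, so any key-permission handling elsewhere is not visible from here.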
@@ -339,9 +339,9 @@ EOF IPXE_SSL_CRT="${SSLDIR}/crts/client.crt" IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//') # Generate SSL client key. - openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${IPXE_SSL_KEY} -nodes -out ${SSLDIR}/crts/client.csr -sha512 + openssl req -days 3650 -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${IPXE_SSL_KEY} -nodes -out ${SSLDIR}/crts/client.csr -sha512 # Sign the crt. - openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/client.csr -out ${IPXE_SSL_CRT} + openssl ca -days 3650 -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/client.csr -out ${IPXE_SSL_CRT} elif [[ -z "${IPXE_SSL_CRT}" && -e "${IPXE_SSL_KEY}" ]]; then echo "ERROR: You specified IPXE_SSL_KEY but not IPXE_SSL_CRT. If one is specified, the other must be also."