From 5dea52f0f87dc640274e0f3ecb38b96ac9293f44 Mon Sep 17 00:00:00 2001
From: June Clementine Strawberry
Date: Tue, 11 Mar 2025 23:45:53 -0400
Subject: [PATCH] stop doing complement cert gen and just use self-signed cert

Signed-off-by: June Clementine Strawberry
---
 bin/complement | 2 +-
 flake.lock | 6 +++---
 nix/pkgs/complement/certificate.crt | 21 +++++++++++++++++++
 nix/pkgs/complement/default.nix | 19 +---------------
 nix/pkgs/complement/signing_request.csr | 28 ++++++++++++-------------
 nix/pkgs/complement/v3.ext | 6 ++++++
 6 files changed, 46 insertions(+), 36 deletions(-)
 create mode 100644 nix/pkgs/complement/certificate.crt

diff --git a/bin/complement b/bin/complement
index 92539f97..3aa5a6f5 100755
--- a/bin/complement
+++ b/bin/complement
@@ -68,7 +68,7 @@ set +o pipefail
 env \
 -C "$COMPLEMENT_SRC" \
 COMPLEMENT_BASE_IMAGE="$COMPLEMENT_BASE_IMAGE" \
- go test -tags="conduwuit_blacklist" -timeout 1h -json ./tests/... | tee "$LOG_FILE"
+ go test -tags="conduwuit_blacklist" -v -timeout 1h -json ./tests/... | tee "$LOG_FILE"
 set -o pipefail
 
 # Post-process the results into an easy-to-compare format, sorted by Test name for reproducible results
diff --git a/flake.lock b/flake.lock
index 03fc205c..63cc2787 100644
--- a/flake.lock
+++ b/flake.lock
@@ -80,11 +80,11 @@
 "complement": {
 "flake": false,
 "locked": {
- "lastModified": 1741378155,
- "narHash": "sha256-rJSfqf3q4oWxcAwENtAowLZeCi8lktwKVH9XQvvZR64=",
+ "lastModified": 1741757487,
+ "narHash": "sha256-Fkx/krwI3h6wJ6Mj199KlXUNJNEwl7h1pR4/d2ncmKw=",
 "owner": "girlbossceo",
 "repo": "complement",
- "rev": "1502a00d8551d0f6e8954a23e43868877c3e57d9",
+ "rev": "40982a261cfc36650f74967f99fb1a049b13e065",
 "type": "github"
 },
 "original": {
diff --git a/nix/pkgs/complement/certificate.crt b/nix/pkgs/complement/certificate.crt
new file mode 100644
index 00000000..5dd4fdea
--- /dev/null
+++ b/nix/pkgs/complement/certificate.crt
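Review bot: The `-v` added to the `go test` line in bin/complement looks redundant with the `-json` already on that line, since `go help testflag` documents `-json` as presenting the same information as `-v` in machine-readable form. On recent Go toolchains an explicit `-v` next to `-json` may also change which `-test.v` mode the test binary runs in, which could alter the events the post-processing step after `set -o pipefail` consumes; worth checking against the toolchain pinned by the flake. If the flag is intentional, a one-line comment above the `env \` call would save the next reader the same question, e.g. `# -v: keep per-test output in $LOG_FILE alongside the JSON events`.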
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIUcrZdSPmCh33Evys/U6mTPpShqdcwDQYJKoZIhvcNAQEL
+BQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29mZXJz
+IGluYy4xDDAKBgNVBAMMA2hzMTAgFw0yNTAzMTMxMjU4NTFaGA8yMDUyMDcyODEy
+NTg1MVowPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29m
+ZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjHuCLZLpYt
+/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZRxmOhtp88
+awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZbo61q8HBp
+L0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42BhGtnJZsK
+K5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBevUdBh8gl
+8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaNxMG8wCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwNgYDVR0RBC8wLYIRKi5kb2NrZXIuaW50ZXJuYWyCA2hzMYIDaHMy
+ggNoczOCA2hzNIcEfwAAATAdBgNVHQ4EFgQUr4VYrmW1d+vjBTJewvy7fJYhLDYw
+DQYJKoZIhvcNAQELBQADggEBADkYqkjNYxjWX8hUUAmFHNdCwzT1CpYe/5qzLiyJ
+irDSdMlC5g6QqMUSrpu7nZxo1lRe1dXGroFVfWpoDxyCjSQhplQZgtYqtyLfOIx+
+HQ7cPE/tUU/KsTGc0aL61cETB6u8fj+rQKUGdfbSlm0Rpu4v0gC8RnDj06X/hZ7e
+VkWU+dOBzxlqHuLlwFFtVDgCyyTatIROx5V+GpMHrVqBPO7HcHhwqZ30k2kMM8J3
+y1CWaliQM85jqtSZV+yUHKQV8EksSowCFJuguf+Ahz0i0/koaI3i8m4MRN/1j13d
+jbTaX5a11Ynm3A27jioZdtMRty6AJ88oCp18jxVzqTxNNO4=
+-----END CERTIFICATE-----
diff --git a/nix/pkgs/complement/default.nix b/nix/pkgs/complement/default.nix
index bbd1bd74..9b010e14 100644
--- a/nix/pkgs/complement/default.nix
+++ b/nix/pkgs/complement/default.nix
@@ -3,10 +3,8 @@
 , buildEnv
 , coreutils
 , dockerTools
-, gawk
 , lib
 , main
-, openssl
 , stdenv
 , tini
 , writeShellScriptBin
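Review bot: certificate.crt is a committed self-signed leaf whose validity decodes to 2025-03-13 through 2052-07-28, and its private key (`private_key.key`, referenced from default.nix) sits in the same directory, yet nothing accompanying it marks it as a throwaway test fixture or records how to regenerate it now that the `openssl x509` call is gone from the start script. Its SAN extension appears to carry exactly the entries the v3.ext hunk adds (`*.docker.internal`, `hs1`–`hs4`, `127.0.0.1`), so any later edit to v3.ext silently goes stale until the certificate is rebuilt. A comment in default.nix beside the `CONDUWUIT_TLS__CERTS` entry would close both gaps, along the lines of `# certificate.crt: self-signed, test-only cert for the SANs in v3.ext; regenerate with openssl x509 -req -in signing_request.csr -signkey private_key.key -extfile v3.ext -sha256 -days <N> -out certificate.crt` (a suggested command built from the flags the removed CA-signing lines used, not one taken from the repo). The ~27-year lifetime is fine for an isolated Complement image but is exactly the kind of file that gets copied elsewhere, which is why the test-only marker matters.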
@@ -42,21 +40,6 @@ let start = writeShellScriptBin "start" '' set -euxo pipefail - cp ${./v3.ext} /complement/v3.ext - echo "DNS.1 = $SERVER_NAME" >> /complement/v3.ext - echo "IP.1 = $(${lib.getExe gawk} 'END{print $1}' /etc/hosts)" \ - >> /complement/v3.ext - ${lib.getExe openssl} x509 \ - -req \ - -extfile /complement/v3.ext \ - -in ${./signing_request.csr} \ - -CA /complement/ca/ca.crt \ - -CAkey /complement/ca/ca.key \ - -CAcreateserial \ - -out /complement/certificate.crt \ - -days 1 \ - -sha256 - ${lib.getExe' coreutils "env"} \ CONDUWUIT_SERVER_NAME="$SERVER_NAME" \ ${lib.getExe main'} @@ -93,7 +76,7 @@ dockerTools.buildImage { Env = [ "CONDUWUIT_TLS__KEY=${./private_key.key}" - "CONDUWUIT_TLS__CERTS=/complement/certificate.crt" + "CONDUWUIT_TLS__CERTS=${./certificate.crt}" "CONDUWUIT_CONFIG=${./config.toml}" "RUST_BACKTRACE=full" ]; diff --git a/nix/pkgs/complement/signing_request.csr b/nix/pkgs/complement/signing_request.csr index 707e73b4..e2aa658e 100644 --- a/nix/pkgs/complement/signing_request.csr +++ b/nix/pkgs/complement/signing_request.csr 
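Review bot: With the `openssl x509` signing removed from the `start` script, the homeserver certificate is no longer issued by Complement's CA (`/complement/ca/ca.crt`) and its SAN list is fixed at image build time, so `DNS.1 = $SERVER_NAME` and the container address read from /etc/hosts are no longer added and hostname verification can only succeed for the names baked into certificate.crt. Trust must therefore come from the harness accepting a self-signed leaf, which the flake.lock bump of the complement fork presumably provides, but neither assumption is stated anywhere in this file. A comment in `start`, or on the `CONDUWUIT_TLS__CERTS=${./certificate.crt}` line in the Env hunk below, would make it explicit, e.g. `# Self-signed test cert: SANs are fixed in v3.ext and Complement is expected to run with certificate verification disabled for this image.` If the fork does still verify against its CA, the failure mode is a TLS handshake error deep in the tests rather than a clear message, so it is worth confirming before merge. The `start` binding's enclosing `let` block begins before this hunk.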
@@ -1,16 +1,16 @@ -----BEGIN CERTIFICATE REQUEST----- -MIICkTCCAXkCAQAwTDELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRYwFAYDVQQK -DA13b29mZXJzLCBpbmMuMRgwFgYDVQQDDA9jb21wbGVtZW50LW9ubHkwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS/odmZivxajebiyT7SMuhXqnMm+hF -+zEARLcbieem0wG4x7gi2S6WLf8DlifdXax6me13eYk4rBnTLvGEvNNx0px5M54H -+FVyoVa3c1tmA66WUcZjobafPGsDh5j+5qpScgWwjkMPGg1a09CphCFswO4PpxUU -ORX/OTGj/rEKxximW6OtavBwaS9F7mqjXJK7lCrcZxKq5uccebGMmCoO660hROST -BaFigdRTVicclk+NgYRrZyWbCiuXPjQ0jlOE2rcaDepqTUgaQs/2tdT4kBzBH6kZ -OiQOIN/ddXaj032QXr1HQYfIJfJmiM6nmRob8nik5rpZdWNO/Ncsro/fAgMBAAGg -ADANBgkqhkiG9w0BAQsFAAOCAQEAjW+aD4E0phtRT5b2RyedY1uiSe7LQECsQnIO -wUSyGGG1GXYlJscyxxyzE9W9+QIALrxZkmc/+e02u+bFb1zQXW/uB/7u7FgXzrj6 -2YSDiWYXiYKvgGWEfCi3lpcTJK9x6WWkR+iREaoKRjcl0ynhhGuR7YwP38TNyu+z -FN6B1Lo398fvJkaTCiiHngWiwztXZ2d0MxkicuwZ1LJhIQA72OTl3QoRb5uiqbze -T9QJfU6W3v8cB8c8PuKMv5gl1QsGNtlfyQB56/X0cMxWl25vWXd2ankLkAGRTDJ8 -9YZHxP1ki4/yh75AknFq02nCOsmxYrAazCYgP2TzIPhQwBurKQ== +MIIChDCCAWwCAQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQK +DAx3b29mZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjH +uCLZLpYt/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZR +xmOhtp88awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZb +o61q8HBpL0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42B +hGtnJZsKK5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBe +vUdBh8gl8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaAAMA0GCSqGSIb3DQEB +CwUAA4IBAQDR/gjfxN0IID1MidyhZB4qpdWn3m6qZnEQqoTyHHdWalbfNXcALC79 +ffS+Smx40N5hEPvqy6euR89N5YuYvt8Hs+j7aWNBn7Wus5Favixcm2JcfCTJn2R3 +r8FefuSs2xGkoyGsPFFcXE13SP/9zrZiwvOgSIuTdz/Pbh6GtEx7aV4DqHJsrXnb +XuPxpQleoBqKvQgSlmaEBsJg13TQB+Fl2foBVUtqAFDQiv+RIuircf0yesMCKJaK +MPH4Oo+r3pR8lI8ewfJPreRhCoV+XrGYMubaakz003TJ1xlOW8M+N9a6eFyMVh76 +U1nY/KP8Ua6Lgaj9PRz7JCRzNoshZID/ -----END CERTIFICATE REQUEST----- diff --git a/nix/pkgs/complement/v3.ext b/nix/pkgs/complement/v3.ext index 6083d960..0deaa48a 100644 
--- a/nix/pkgs/complement/v3.ext +++ b/nix/pkgs/complement/v3.ext @@ -4,3 +4,9 @@ keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] +DNS.1 = *.docker.internal +DNS.2 = hs1 +DNS.3 = hs2 +DNS.4 = hs3 +DNS.5 = hs4 +IP.1 = 127.0.0.1
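Review bot: `[alt_names]` now hard-codes the server names instead of having them appended at container start, so `IP.1 = 127.0.0.1` replaces the container's own routable address that the old start script took from /etc/hosts; a test client that connects by container IP rather than by `hs1`–`hs4` or a `*.docker.internal` name would fail hostname verification unless verification is switched off. The file has also lost its runtime consumer and is now only an input to a manual regeneration of certificate.crt, which nothing in it says. A header comment stating both would help, e.g. `# Build-time input only: after editing, regenerate certificate.crt. Entries must cover every server name Complement assigns.`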