Node: Added TLS trust modes and workdir option; misc refactoring #57
Nice -- GHC gives no warnings except to complain about deprecated
Odd -- I get this error when testing
Ah. I'm using stack only. I guess new cabal compiles that module even if it's not actually imported?
Try now. Migrating EitherT to ExceptT should be easy... just need a replacement for hoistEither in Util.Either.
@patrickmn I'll replace
I put the two commits on the send-payload-refactor branch. Feel free to pull them into this PR
Send payload refactor
@bts This (with the default settings) could be another reason to use different loopback addresses when spinning up local clusters since
Think this is mergeable. Any objections?
@patrickmn not from me
The main feature of this is a hybrid CA/tofu (openssh) TLS model that works out of the box with existing setups (even without Letsencrypt or other CAs in the mix), and uses only reasonably secure defaults for TLS (1.2+, mutually authenticated, only AEAD ciphersuites).
From CHANGELOG.md:

- Node API: The `from` parameter to `/send` is now optional. If unset, the first public key listed in `publickeys` will be used.
- Argon2id is now the default for password-based key locking.
- `workdir` command line and configuration option to set the directory in which files specified in other command-line arguments, as well as auto-generated files, will be placed.
- TLS certificate auto-generation and mutual authentication using a whitelist, certificate authority, or trust-on-first-use model.
From sample.conf:
Resolves #24
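The peer-trust decision behind the whitelist / CA / trust-on-first-use modes described above, as an added Python sketch that is not the project's own code. It assumes the hybrid mode is "CA first, TOFU fallback", that TOFU pins are keyed by peer address as openssh known_hosts does, and that actual chain validation is done by the TLS library and reported via a `ca_valid` flag; the `CA_OR_TOFU` name and the certificate bytes are constructed for the example.

```python
"""Peer-trust decision for a mutually authenticated TLS node (added example,
not the project's code). Chain validation is left to the TLS library and is
represented here by the `ca_valid` flag."""
import hashlib
from enum import Enum


class TrustMode(Enum):
    WHITELIST = "whitelist"    # only explicitly listed fingerprints
    CA = "ca"                  # only certificates chaining to a trusted CA
    TOFU = "tofu"              # pin on first use, like openssh known_hosts
    CA_OR_TOFU = "ca-or-tofu"  # hypothetical name for the hybrid: CA, then TOFU


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate bytes, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def decide_trust(mode, peer, cert_der, ca_valid, whitelist, known_peers):
    """Return (accepted, reason). In TOFU modes an unknown peer is pinned in
    `known_peers` (assumed keyed by peer address) and a later fingerprint
    change for that peer is rejected rather than silently re-pinned."""
    fp = fingerprint(cert_der)
    if mode is TrustMode.WHITELIST:
        ok = fp in whitelist
        return ok, "whitelisted" if ok else "not in whitelist"
    if mode in (TrustMode.CA, TrustMode.CA_OR_TOFU) and ca_valid:
        return True, "chains to trusted CA"
    if mode is TrustMode.CA:
        return False, "CA validation failed"
    pinned = known_peers.get(peer)
    if pinned is None:
        known_peers[peer] = fp
        return True, "first use: pinned"
    if pinned == fp:
        return True, "matches pinned fingerprint"
    return False, "fingerprint changed since first use"


def demo():
    """Constructed sequence: a self-signed peer connects twice, then presents
    a different certificate from the same address."""
    known = {}
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"  # stand-ins for DER
    return [
        decide_trust(TrustMode.CA_OR_TOFU, "10.0.0.2", cert_a, False, set(), known),
        decide_trust(TrustMode.CA_OR_TOFU, "10.0.0.2", cert_a, False, set(), known),
        decide_trust(TrustMode.CA_OR_TOFU, "10.0.0.2", cert_b, False, set(), known),
    ]
```

The third call in `demo()` is the case a mutually authenticated TOFU deployment must get right: a changed fingerprint from a known peer is a rejection to investigate, not a new pin.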