Related to #74 and #75.
This is not directly a responsibility of devshell but is related to making a comfortable development environment.
Oftentimes, developers want to be able to test one or more services locally, with HTTPS enabled, in order to replicate the production environment as much as possible. This ticket contains some notes on what I think is the ideal setup.
Localhost HTTPS interface
We need the cooperation of the host on two fronts:
*.test TLD for localhost
The .test TLD is reserved and is therefore guaranteed to never clash with external domains. https://en.wikipedia.org/wiki/.test
The developer can either edit their /etc/hosts, or have a local DNS resolver that maps all the *.test domains to localhost.
Open question: how to handle port-mapping so that multiple services can bind? On Linux, 127.X.X.X is all reserved for localhost so each service could technically get its own IP. Maybe we can use a dictionary-to-IP mapping or something like that.
Let's Encrypt for localhost
Ideally, a localhost service is running that talks the ACME protocol.
The CA public certificate would be installed in the computer's trust cert.
The CA private certificate is installed in the ACME service and used to issue new certificates.
The services themselves would query the ACME protocol to acquire new certs and use http01 for validation.
Ideally, the CA can be pinned so it can only issue certs for the .test top-level. That way if the private certificate gets leaked, the impact would still be limited.