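# NixOS module for SKS, the synchronizing key server for OpenPGP.
#
# It declares the `services.sks` options and, when enabled, creates a dedicated
# `sks` user/group and the `sks-db` systemd unit. On start the unit (re)builds
# the key database from `dump/*.gpg` inside the data directory and then serves
# HKP requests on the configured addresses/port.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.sks;
  sksPkg = cfg.package;

  # Berkeley DB configuration shared by KDB/ and PTree/. Both DB_CONFIG files
  # are symlinked to this single store path from the unit's preStart below.
  dbConfig = pkgs.writeText "DB_CONFIG" ''
    ${cfg.extraDbConfig}
  '';

  # Explicit imports instead of a file-wide `with lib;` so every library
  # name used here is visible at a glance.
  inherit (lib) mkEnableOption mkOption mkIf literalExpression types;
in
{
  meta.maintainers = with lib.maintainers; [ primeos calbrecht jcumming ];

  options.services.sks = {

    enable = mkEnableOption (lib.mdDoc ''
      SKS (synchronizing key server for OpenPGP) and start the database
      server. You need to create "''${dataDir}/dump/*.gpg" for the initial
      import'');

    package = mkOption {
      default = pkgs.sks;
      defaultText = literalExpression "pkgs.sks";
      type = types.package;
      description = lib.mdDoc "Which SKS derivation to use.";
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/db/sks";
      example = "/var/lib/sks";
      # TODO: The default might change to "/var/lib/sks" as this is more
      # common. There's also https://github.com/NixOS/nixpkgs/issues/26256
      # and "/var/db" is not FHS compliant (seems to come from BSD).
      description = lib.mdDoc ''
        Data directory (-basedir) for SKS, where the database and all
        configuration files are located (e.g. KDB, PTree, membership and
        sksconf).
      '';
    };

    extraDbConfig = mkOption {
      type = types.str;
      default = "";
      description = lib.mdDoc ''
        Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within
        the ''${dataDir} directory. This is used to configure options for the
        database for the sks key server.

        Documentation of available options are available in the file named
        "sampleConfig/DB_CONFIG" in the following repository:
        https://bitbucket.org/skskeyserver/sks-keyserver/src
      '';
    };

    # Loopback only by default: listening on anything reachable from other
    # hosts is an explicit choice made by the administrator.
    hkpAddress = mkOption {
      default = [ "127.0.0.1" "::1" ];
      type = types.listOf types.str;
      description = lib.mdDoc ''
        Domain names, IPv4 and/or IPv6 addresses to listen on for HKP
        requests.
      '';
    };

    hkpPort = mkOption {
      default = 11371;
      type = types.ints.u16;
      description = lib.mdDoc "HKP port to listen on.";
    };

    webroot = mkOption {
      type = types.nullOr types.path;
      default = "${sksPkg.webSamples}/OpenPKG";
      defaultText = literalExpression ''"''${package.webSamples}/OpenPKG"'';
      description = lib.mdDoc ''
        Source directory (will be symlinked, if not null) for the files the
        built-in webserver should serve. SKS (''${pkgs.sks.webSamples})
        provides the following examples: "HTML5", "OpenPKG", and "XHTML+ES".
        The index file can be named index.html, index.htm, index.xhtm, or
        index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg,
        .png, or .gif are supported. Subdirectories and filenames with
        anything other than alphanumeric characters and the '.' character
        will be ignored.
      '';
    };
  };

  config = mkIf cfg.enable {

    users = {
      users.sks = {
        isSystemUser = true;
        description = "SKS user";
        # The data directory doubles as the service user's home, which is what
        # `WorkingDirectory = "~"` in the unit below resolves to.
        home = cfg.dataDir;
        createHome = true;
        group = "sks";
        useDefaultShell = true;
        # sks and the Berkeley DB tools are on PATH for an administrator who
        # runs commands as this user.
        packages = [ sksPkg pkgs.db ];
      };
      groups.sks = { };
    };

    systemd.services.sks-db =
      let
        # Single-quoted so the whole space-separated address list reaches
        # `-hkp_address` as one argument.
        hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'";
        hkpPort = builtins.toString cfg.hkpPort;
      in
      {
        description = "SKS database server";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        preStart = ''
          ${lib.optionalString (cfg.webroot != null)
            "ln -sfT \"${cfg.webroot}\" web"}
          mkdir -p dump
          # Initial import from the dumps. Each of these steps is allowed to
          # fail (presumably they do once the database already exists, so they
          # run harmlessly on every later start). The trailing `#*/` is a shell
          # comment, apparently there only to close editor highlighting of the
          # glob.
          ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
          ${sksPkg}/bin/sks cleandb || true
          ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
          # Refuse to clobber a DB_CONFIG that an administrator manages by hand:
          # only a missing file or a symlink (ours from an earlier start) is
          # replaced. Exiting non-zero fails the unit; with Restart = "always"
          # below, systemd keeps retrying until the file is removed.
          # TODO: The initial build will be without DB_CONFIG, but this will
          # hopefully not cause any significant problems. It might be better to
          # create both directories manually but we have to check that this does
          # not affect the initial build of the DB.
          for CONFIG_FILE in KDB/DB_CONFIG PTree/DB_CONFIG; do
            if [ -e "$CONFIG_FILE" ] && [ ! -L "$CONFIG_FILE" ]; then
              echo "$CONFIG_FILE exists but is not a symlink." >&2
              echo "Please remove $PWD/$CONFIG_FILE manually to continue." >&2
              exit 1
            fi
            # -T as for the webroot link above: always replace the link itself
            # instead of creating a new entry inside whatever it points to.
            ln -sfT ${dbConfig} "$CONFIG_FILE"
          done
        '';
        serviceConfig = {
          # Resolves to the sks user's home, i.e. cfg.dataDir.
          WorkingDirectory = "~";
          User = "sks";
          Group = "sks";
          Restart = "always";
          ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
          # NOTE(review): isolation rests on the dedicated user/group alone; no
          # systemd sandboxing directives (ProtectSystem, PrivateTmp, ...) are
          # set for this unit.
        };
      };
  };
}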