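# NixOS module for the SKS OpenPGP synchronizing key server.
#
# Defines the `services.sks` options and, when enabled, a dedicated `sks`
# system user/group plus the `sks-db` systemd unit that builds the key
# database from `${dataDir}/dump/*.gpg` on first start and then runs
# `sks db`, the HKP listener.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.sks;
  sksPkg = cfg.package;
  # Both Berkeley DB config files (KDB/DB_CONFIG, PTree/DB_CONFIG) are
  # symlinked to this single store file, so they always share one content.
  dbConfig = pkgs.writeText "DB_CONFIG" ''
    ${cfg.extraDbConfig}
  '';

in {
  meta.maintainers = with maintainers; [ primeos calbrecht jcumming ];

  options = {

    services.sks = {

      enable = mkEnableOption ''
        SKS (synchronizing key server for OpenPGP) and start the database
        server. You need to create "''${dataDir}/dump/*.gpg" for the initial
        import'';

      package = mkPackageOption pkgs "sks" { };

      dataDir = mkOption {
        type = types.path;
        default = "/var/db/sks";
        example = "/var/lib/sks";
        # TODO: The default might change to "/var/lib/sks" as this is more
        # common. There's also https://github.com/NixOS/nixpkgs/issues/26256
        # and "/var/db" is not FHS compliant (seems to come from BSD).
        description = ''
          Data directory (-basedir) for SKS, where the database and all
          configuration files are located (e.g. KDB, PTree, membership and
          sksconf).
        '';
      };

      extraDbConfig = mkOption {
        type = types.str;
        default = "";
        description = ''
          Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within
          the ''${dataDir} directory. This is used to configure options for the
          database for the sks key server.

          Documentation of available options are available in the file named
          "sampleConfig/DB_CONFIG" in the following repository:
          https://bitbucket.org/skskeyserver/sks-keyserver/src
        '';
      };

      hkpAddress = mkOption {
        default = [ "127.0.0.1" "::1" ];
        type = types.listOf types.str;
        description = ''
          Domain names, IPv4 and/or IPv6 addresses to listen on for HKP
          requests. Entries are joined with spaces into a single
          single-quoted -hkp_address argument, so they must not contain
          whitespace or single quotes.
        '';
      };

      hkpPort = mkOption {
        default = 11371;
        type = types.ints.u16;
        description = "HKP port to listen on.";
      };

      webroot = mkOption {
        type = types.nullOr types.path;
        default = "${sksPkg.webSamples}/OpenPKG";
        defaultText = literalExpression ''"''${package.webSamples}/OpenPKG"'';
        description = ''
          Source directory (will be symlinked, if not null) for the files the
          built-in webserver should serve. SKS (''${pkgs.sks.webSamples})
          provides the following examples: "HTML5", "OpenPKG", and "XHTML+ES".
          The index file can be named index.html, index.htm, index.xhtm, or
          index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg,
          .png, or .gif are supported. Subdirectories and filenames with
          anything other than alphanumeric characters and the '.' character
          will be ignored.
        '';
      };
    };
  };

  config = mkIf cfg.enable {

    # The listener address list is spliced into ExecStart as one single-quoted
    # word; a space or quote inside an entry would corrupt the command line
    # (at best a wrong bind address, at worst an unrelated flag). Reject such
    # values at evaluation time instead of discovering it when the unit fails.
    assertions = [
      {
        assertion = cfg.hkpAddress != [ ];
        message = "services.sks.hkpAddress must contain at least one address.";
      }
      {
        assertion = all (a: !(hasInfix " " a || hasInfix "'" a)) cfg.hkpAddress;
        message = "services.sks.hkpAddress entries must not contain spaces or single quotes.";
      }
    ];

    users = {
      users.sks = {
        isSystemUser = true;
        description = "SKS user";
        # dataDir doubles as the home directory so the unit can use
        # WorkingDirectory = "~" and so it is created at activation time.
        home = cfg.dataDir;
        createHome = true;
        group = "sks";
        useDefaultShell = true;
        packages = [ sksPkg pkgs.db ];
      };
      groups.sks = { };
    };

    systemd.services = let
      hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
      hkpPort = builtins.toString cfg.hkpPort;
    in {
      sks-db = {
        description = "SKS database server";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        # Runs as the sks user in dataDir (WorkingDirectory = "~"), so every
        # relative path below is under dataDir.
        preStart = ''
          ${lib.optionalString (cfg.webroot != null)
            "ln -sfT \"${cfg.webroot}\" web"}
          mkdir -p dump
          # The three database commands are best-effort on purpose: once the
          # database exists, `build` (and possibly `pbuild`) fail because the
          # DB is already populated, and that must not block service start.
          # Genuine failures on a fresh install show up in the journal.
          ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
          ${sksPkg}/bin/sks cleandb || true
          ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
          # Check that both database configs are symlinks before overwriting them
          # TODO: The initial build will be without DB_CONFIG, but this will
          # hopefully not cause any significant problems. It might be better to
          # create both directories manually but we have to check that this does
          # not affect the initial build of the DB.
          for CONFIG_FILE in KDB/DB_CONFIG PTree/DB_CONFIG; do
            if [ -e "$CONFIG_FILE" ] && [ ! -L "$CONFIG_FILE" ]; then
              echo "$CONFIG_FILE exists but is not a symlink." >&2
              echo "Please remove $PWD/$CONFIG_FILE manually to continue." >&2
              exit 1
            fi
            ln -sf ${dbConfig} "$CONFIG_FILE"
          done
        '';
        serviceConfig = {
          WorkingDirectory = "~";
          User = "sks";
          Group = "sks";
          Restart = "always";
          ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
          # Conservative hardening: the HKP listener accepts untrusted network
          # input, so limit what a compromised process can touch. Everything
          # the service creates or modifies lives under dataDir; the webroot
          # symlink target is in the (read-only) Nix store.
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectSystem = "strict";
          ReadWritePaths = [ cfg.dataDir ];
        };
      };
    };
  };
}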