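{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.sks;
  sksPkg = cfg.package;

  # Rendered once into the store and symlinked into both Berkeley DB
  # directories (KDB/ and PTree/) by the sks-db preStart script below.
  dbConfig = pkgs.writeText "DB_CONFIG" ''
    ${cfg.extraDbConfig}
  '';

  # `sks db` takes its listen addresses as ONE space-separated argument, so the
  # list is joined and wrapped in single quotes for systemd's ExecStart parser.
  # An element that itself contains whitespace or a quote would break that
  # quoting and be mis-parsed; such elements are rejected by an assertion below.
  hkpAddressArg = "'" + (lib.concatStringsSep " " cfg.hkpAddress) + "'";
  hkpPortArg = toString cfg.hkpPort;

  # Elements that cannot be passed safely through the quoted argument above.
  unsafeHkpAddresses = lib.filter (a: builtins.match "[^[:space:]'\"]*" a == null) cfg.hkpAddress;
in
{
  meta.maintainers = with lib.maintainers; [
    calbrecht
    jcumming
  ];

  options = {

    services.sks = {

      enable = lib.mkEnableOption ''
        SKS (synchronizing key server for OpenPGP) and start the database
        server. You need to create "''${dataDir}/dump/*.gpg" for the initial
        import'';

      package = lib.mkPackageOption pkgs "sks" { };

      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/db/sks";
        example = "/var/lib/sks";
        # TODO: The default might change to "/var/lib/sks" as this is more
        # common. There's also https://github.com/NixOS/nixpkgs/issues/26256
        # and "/var/db" is not FHS compliant (seems to come from BSD).
        description = ''
          Data directory (-basedir) for SKS, where the database and all
          configuration files are located (e.g. KDB, PTree, membership and
          sksconf). It is created as the home directory of the `sks` system
          user and is the only path the service is allowed to write to.
        '';
      };

      extraDbConfig = lib.mkOption {
        type = lib.types.str;
        default = "";
        description = ''
          Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within
          the ''${dataDir} directory. This is used to configure options for the
          database for the sks key server.

          Documentation of available options are available in the file named
          "sampleConfig/DB_CONFIG" in the following repository:
          https://bitbucket.org/skskeyserver/sks-keyserver/src
        '';
      };

      hkpAddress = lib.mkOption {
        default = [
          "127.0.0.1"
          "::1"
        ];
        type = lib.types.listOf lib.types.str;
        description = ''
          Domain names, IPv4 and/or IPv6 addresses to listen on for HKP
          requests.

          The default binds to loopback only. This module adds no access
          control in front of the HKP port, so listening on a non-loopback
          address makes key lookup and key submission reachable by anyone who
          can reach that address; put a reverse proxy or firewall rule in front
          if that is not intended. Entries must not contain whitespace or
          quotes, because the whole list is passed to `sks db` as a single
          quoted argument.
        '';
      };

      hkpPort = lib.mkOption {
        default = 11371;
        type = lib.types.ints.u16;
        description = "HKP port to listen on.";
      };

      webroot = lib.mkOption {
        type = lib.types.nullOr lib.types.path;
        default = "${sksPkg.webSamples}/OpenPKG";
        defaultText = lib.literalExpression ''"''${package.webSamples}/OpenPKG"'';
        description = ''
          Source directory (will be symlinked, if not null) for the files the
          built-in webserver should serve. SKS (''${pkgs.sks.webSamples})
          provides the following examples: "HTML5", "OpenPKG", and "XHTML+ES".
          The index file can be named index.html, index.htm, index.xhtm, or
          index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg,
          .png, or .gif are supported. Subdirectories and filenames with
          anything other than alphanumeric characters and the '.' character
          will be ignored.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {

    assertions = [
      {
        assertion = unsafeHkpAddresses == [ ];
        message = ''
          services.sks.hkpAddress entries must not contain whitespace or quotes
          (they are joined into one quoted `-hkp_address` argument), but these do:
          ${lib.concatStringsSep ", " unsafeHkpAddresses}
        '';
      }
    ];

    users = {
      users.sks = {
        isSystemUser = true;
        description = "SKS user";
        home = cfg.dataDir;
        createHome = true;
        group = "sks";
        useDefaultShell = true;
        packages = [
          sksPkg
          pkgs.db
        ];
      };
      groups.sks = { };
    };

    systemd.services.sks-db = {
      description = "SKS database server";
      documentation = [ "man:sks(8)" ];
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # Runs in the data directory (WorkingDirectory = "~" resolves to the sks
      # user's home, i.e. cfg.dataDir), under the same sandbox as ExecStart.
      preStart = ''
        ${lib.optionalString (cfg.webroot != null) "ln -sfT \"${cfg.webroot}\" web"}
        mkdir -p dump
        # Initial import from dump/*.gpg; all three steps are best-effort so that
        # an empty dump directory or an already-built database does not block
        # startup.
        ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
        ${sksPkg}/bin/sks cleandb || true
        ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
        # Check that both database configs are symlinks before overwriting them
        # TODO: The initial build will be without DB_CONFIG, but this will
        # hopefully not cause any significant problems. It might be better to
        # create both directories manually but we have to check that this does
        # not affect the initial build of the DB.
        for CONFIG_FILE in KDB/DB_CONFIG PTree/DB_CONFIG; do
          if [ -e "$CONFIG_FILE" ] && [ ! -L "$CONFIG_FILE" ]; then
            echo "$CONFIG_FILE exists but is not a symlink." >&2
            echo "Please remove $PWD/$CONFIG_FILE manually to continue." >&2
            exit 1
          fi
          ln -sf ${dbConfig} "$CONFIG_FILE"
        done
      '';
      serviceConfig = {
        WorkingDirectory = "~";
        User = "sks";
        Group = "sks";
        Restart = "always";
        ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddressArg} -hkp_port ${hkpPortArg}";

        # Sandboxing for a network-facing daemon: the only writable location it
        # needs is its data directory (database, dump/, web symlink, logs), plus
        # IP sockets for HKP. AF_UNIX stays allowed so glibc can talk to
        # nscd/resolved when hkpAddress contains domain names. Loosen
        # ReadWritePaths if a custom build step needs to write elsewhere.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.dataDir ];
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        LockPersonality = true;
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];
      };
    };
  };
}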