commit
5a29c4d3bf
@ -252,7 +252,7 @@ in
|
||||
postsrsd = 220;
|
||||
opendkim = 221;
|
||||
dspam = 222;
|
||||
gale = 223;
|
||||
# gale = 223; removed 2021-06-10
|
||||
matrix-synapse = 224;
|
||||
rspamd = 225;
|
||||
# rmilter = 226; # unused, removed 2019-08-22
|
||||
@ -562,7 +562,7 @@ in
|
||||
postsrsd = 220;
|
||||
opendkim = 221;
|
||||
dspam = 222;
|
||||
gale = 223;
|
||||
# gale = 223; removed 2021-06-10
|
||||
matrix-synapse = 224;
|
||||
rspamd = 225;
|
||||
# rmilter = 226; # unused, removed 2019-08-22
|
||||
|
@ -692,7 +692,6 @@
|
||||
./services/networking/flannel.nix
|
||||
./services/networking/freenet.nix
|
||||
./services/networking/freeradius.nix
|
||||
./services/networking/gale.nix
|
||||
./services/networking/gateone.nix
|
||||
./services/networking/gdomap.nix
|
||||
./services/networking/ghostunnel.nix
|
||||
|
@ -1,181 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.gale;
|
||||
# we convert the path to a string to avoid it being copied to the nix store,
|
||||
# otherwise users could read the private key as all files in the store are
|
||||
# world-readable
|
||||
keyPath = toString cfg.keyPath;
|
||||
# ...but we refer to the pubkey file using a path so that we can ensure the
|
||||
# config gets rebuilt if the public key changes (we can assume the private key
|
||||
# will never change without the public key having changed)
|
||||
gpubFile = cfg.keyPath + "/${cfg.domain}.gpub";
|
||||
home = "/var/lib/gale";
|
||||
keysPrepared = cfg.keyPath != null && lib.pathExists cfg.keyPath;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.gale = {
|
||||
enable = mkEnableOption "the Gale messaging daemon";
|
||||
|
||||
user = mkOption {
|
||||
default = "gale";
|
||||
type = types.str;
|
||||
description = "Username for the Gale daemon.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
default = "gale";
|
||||
type = types.str;
|
||||
description = "Group name for the Gale daemon.";
|
||||
};
|
||||
|
||||
setuidWrapper = mkOption {
|
||||
default = null;
|
||||
description = "Configuration for the Gale gksign setuid wrapper.";
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
default = "";
|
||||
type = types.str;
|
||||
description = "Domain name for the Gale system.";
|
||||
};
|
||||
|
||||
keyPath = mkOption {
|
||||
default = null;
|
||||
type = types.nullOr types.path;
|
||||
description = ''
|
||||
Directory containing the key pair for this Gale domain. The expected
|
||||
filename will be taken from the domain option with ".gpri" and ".gpub"
|
||||
appended.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Additional text to be added to <filename>/etc/gale/conf</filename>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf cfg.enable {
|
||||
assertions = [{
|
||||
assertion = cfg.domain != "";
|
||||
message = "A domain must be set for Gale.";
|
||||
}];
|
||||
|
||||
warnings = mkIf (!keysPrepared) [
|
||||
"You must run gale-install in order to generate a domain key."
|
||||
];
|
||||
|
||||
system.activationScripts.gale = mkIf cfg.enable (
|
||||
stringAfter [ "users" "groups" ] ''
|
||||
chmod 755 ${home}
|
||||
mkdir -m 0777 -p ${home}/auth/cache
|
||||
mkdir -m 1777 -p ${home}/auth/local # GALE_DOMAIN.gpub
|
||||
mkdir -m 0700 -p ${home}/auth/private # ROOT.gpub
|
||||
mkdir -m 0755 -p ${home}/auth/trusted # ROOT
|
||||
mkdir -m 0700 -p ${home}/.gale
|
||||
mkdir -m 0700 -p ${home}/.gale/auth
|
||||
mkdir -m 0700 -p ${home}/.gale/auth/private # GALE_DOMAIN.gpri
|
||||
|
||||
ln -sf ${pkgs.gale}/etc/gale/auth/trusted/ROOT "${home}/auth/trusted/ROOT"
|
||||
chown ${cfg.user}:${cfg.group} ${home} ${home}/auth ${home}/auth/*
|
||||
chown ${cfg.user}:${cfg.group} ${home}/.gale ${home}/.gale/auth ${home}/.gale/auth/private
|
||||
''
|
||||
);
|
||||
|
||||
environment = {
|
||||
etc = {
|
||||
"gale/auth".source = home + "/auth"; # symlink /var/lib/gale/auth
|
||||
"gale/conf".text = ''
|
||||
GALE_USER ${cfg.user}
|
||||
GALE_DOMAIN ${cfg.domain}
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
};
|
||||
|
||||
systemPackages = [ pkgs.gale ];
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
description = "Gale daemon";
|
||||
uid = config.ids.uids.gale;
|
||||
group = cfg.group;
|
||||
home = home;
|
||||
createHome = true;
|
||||
};
|
||||
|
||||
users.groups = [{
|
||||
name = cfg.group;
|
||||
gid = config.ids.gids.gale;
|
||||
}];
|
||||
})
|
||||
(mkIf (cfg.enable && keysPrepared) {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.keyPath != null
|
||||
&& lib.pathExists (cfg.keyPath + "/${cfg.domain}.gpub");
|
||||
message = "Couldn't find a Gale public key for ${cfg.domain}.";
|
||||
}
|
||||
{
|
||||
assertion = cfg.keyPath != null
|
||||
&& lib.pathExists (cfg.keyPath + "/${cfg.domain}.gpri");
|
||||
message = "Couldn't find a Gale private key for ${cfg.domain}.";
|
||||
}
|
||||
];
|
||||
|
||||
services.gale.setuidWrapper = {
|
||||
program = "gksign";
|
||||
source = "${pkgs.gale}/bin/gksign";
|
||||
owner = cfg.user;
|
||||
group = cfg.group;
|
||||
setuid = true;
|
||||
setgid = false;
|
||||
};
|
||||
|
||||
security.wrappers.gksign = cfg.setuidWrapper;
|
||||
|
||||
systemd.services.gale-galed = {
|
||||
description = "Gale messaging daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "gale-gdomain.service" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
preStart = ''
|
||||
install -m 0640 -o ${cfg.user} -g ${cfg.group} ${keyPath}/${cfg.domain}.gpri "${home}/.gale/auth/private/"
|
||||
install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/.gale/auth/private/${cfg.domain}.gpub"
|
||||
install -m 0644 -o ${cfg.user} -g ${cfg.group} ${gpubFile} "${home}/auth/local/${cfg.domain}.gpub"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
ExecStart = "@${pkgs.gale}/bin/galed galed";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
PermissionsStartOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.gale-gdomain = {
|
||||
description = "Gale AKD daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "gale-galed.service" ];
|
||||
after = [ "gale-galed.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
ExecStart = "@${pkgs.gale}/bin/gdomain gdomain";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
Loading…
Reference in New Issue
Block a user