sks and pgpkeyserver-lite modules: init (#27515)
* modules sks and pgpkeyserver-lite: runs the sks keyserver with optional nginx proxy for webgui. * Add calbrecht to maintainers * module sks: fix default hkpAddress value * module pgpkeyserver-lite: make hkpAddress a string type option and use (builtins.head services.sks.hkpAddress) as default value * module sks: remove leftover service dependencies
parent
d837d88f3b
commit
964799e556
@ -89,6 +89,7 @@
|
||||
bstrik = "Berno Strik <dutchman55@gmx.com>";
|
||||
bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
|
||||
c0dehero = "CodeHero <codehero@nerdpol.ch>";
|
||||
calbrecht = "Christian Albrecht <christian.albrecht@mayflower.de>";
|
||||
calrama = "Moritz Maxeiner <moritz@ucworks.org>";
|
||||
calvertvl = "Victor Calvert <calvertvl@gmail.com>";
|
||||
campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
|
||||
|
@ -556,6 +556,7 @@
|
||||
./services/security/oauth2_proxy.nix
|
||||
./services/security/physlock.nix
|
||||
./services/security/shibboleth-sp.nix
|
||||
./services/security/sks.nix
|
||||
./services/security/sshguard.nix
|
||||
./services/security/tor.nix
|
||||
./services/security/torify.nix
|
||||
@ -583,6 +584,7 @@
|
||||
./services/web-apps/frab.nix
|
||||
./services/web-apps/mattermost.nix
|
||||
./services/web-apps/nixbot.nix
|
||||
./services/web-apps/pgpkeyserver-lite.nix
|
||||
./services/web-apps/piwik.nix
|
||||
./services/web-apps/pump.io.nix
|
||||
./services/web-apps/tt-rss.nix
|
||||
|
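--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.sks;
+
+sksPkg = cfg.package;
+
+in
+
+{
+
+options = {
+
+services.sks = {
+
+enable = mkEnableOption "sks";
+
+package = mkOption {
+default = pkgs.sks;
+defaultText = "pkgs.sks";
+type = types.package;
+description = "
+Which sks derivation to use.
+";
+};
+
+hkpAddress = mkOption {
+default = [ "127.0.0.1" "::1" ];
+type = types.listOf types.str;
+description = "
+Wich ip addresses the sks-keyserver is listening on.
+";
+};
+
+hkpPort = mkOption {
+default = 11371;
+type = types.int;
+description = "
+Which port the sks-keyserver is listening on.
+";
+};
+};
+};
+
+config = mkIf cfg.enable {
+
+environment.systemPackages = [ sksPkg ];
+
+users.users.sks = {
+createHome = true;
+home = "/var/db/sks";
+isSystemUser = true;
+shell = "${pkgs.coreutils}/bin/true";
+};
+
+systemd.services = let
+hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
+hkpPort = builtins.toString cfg.hkpPort;
+home = config.users.users.sks.home;
+user = config.users.users.sks.name;
+in {
+sks-keyserver = {
+wantedBy = [ "multi-user.target" ];
+preStart = ''
+mkdir -p ${home}/dump
+${pkgs.sks}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
+${pkgs.sks}/bin/sks cleandb || true
+${pkgs.sks}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
+'';
+serviceConfig = {
+WorkingDirectory = home;
+User = user;
+Restart = "always";
+ExecStart = "${pkgs.sks}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
+};
+};
+};
+};
+}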
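Review bot: The `package` option is not honoured by the service itself: the three preStart lines and the ExecStart line call `${pkgs.sks}/bin/sks` directly, so setting `services.sks.package` only changes what lands in `environment.systemPackages` while the daemon keeps running the default derivation. Replace `${pkgs.sks}` with `${sksPkg}` on those four lines, e.g. `ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";`. The loopback-only default for `hkpAddress` is the right choice for a daemon meant to sit behind the nginx proxy, and the description should say so (and fix the "Wich" typo), e.g. `Which IP addresses the sks keyserver listens on; the default keeps it reachable only from localhost.`.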
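--- a/nixos/modules/services/web-apps/pgpkeyserver-lite.nix
+++ b/nixos/modules/services/web-apps/pgpkeyserver-lite.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.pgpkeyserver-lite;
+sksCfg = config.services.sks;
+
+webPkg = cfg.package;
+
+in
+
+{
+
+options = {
+
+services.pgpkeyserver-lite = {
+
+enable = mkEnableOption "pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver";
+
+package = mkOption {
+default = pkgs.pgpkeyserver-lite;
+defaultText = "pkgs.pgpkeyserver-lite";
+type = types.package;
+description = "
+Which webgui derivation to use.
+";
+};
+
+hostname = mkOption {
+type = types.str;
+description = "
+Which hostname to set the vHost to that is proxying to sks.
+";
+};
+
+hkpAddress = mkOption {
+default = builtins.head sksCfg.hkpAddress;
+type = types.str;
+description = "
+Wich ip address the sks-keyserver is listening on.
+";
+};
+
+hkpPort = mkOption {
+default = sksCfg.hkpPort;
+type = types.int;
+description = "
+Which port the sks-keyserver is listening on.
+";
+};
+};
+};
+
+config = mkIf cfg.enable {
+
+services.nginx.enable = true;
+
+services.nginx.virtualHosts = let
+hkpPort = builtins.toString cfg.hkpPort;
+in {
+"${cfg.hostname}" = {
+root = webPkg;
+locations = {
+"/pks".extraConfig = ''
+proxy_pass http://${cfg.hkpAddress}:${hkpPort};
+proxy_pass_header Server;
+add_header Via "1.1 ${cfg.hostname}";
+'';
+};
+};
+};
+};
+}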
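Review bot: The `proxy_pass http://${cfg.hkpAddress}:${hkpPort};` line produces an invalid upstream as soon as `hkpAddress` is an IPv6 literal, because nginx requires brackets around it; with the sks default `[ "127.0.0.1" "::1" ]` the `builtins.head` default picks the v4 address, but a user who lists `::1` first or sets `hkpAddress = "::1"` gets a config nginx rejects. Bracket it in the `let` before `in {` with `hkpHost = if builtins.match ".*:.*" cfg.hkpAddress != null then "[${cfg.hkpAddress}]" else cfg.hkpAddress;` and use `proxy_pass http://${hkpHost}:${hkpPort};`. `builtins.head sksCfg.hkpAddress` also throws a bare evaluation error when `services.sks.hkpAddress` is set to an empty list, where an assertion naming the option would be clearer. Nothing here ties the vHost to sks being enabled or to TLS, so the `enable` description should state that the proxy speaks plain HTTP to sks on the configured address and that TLS for the public vHost is left to the `services.nginx.virtualHosts.<hostname>` options (e.g. `enableACME`).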
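--- a/pkgs/servers/web-apps/pgpkeyserver-lite/default.nix
+++ b/pkgs/servers/web-apps/pgpkeyserver-lite/default.nix
@@ -0,0 +1,25 @@
+{ stdenv, fetchFromGitHub, lib } :
+
+stdenv.mkDerivation rec {
+name = "pgpkeyserver-lite-${version}";
+version = "2017-07-18";
+
+src = fetchFromGitHub {
+owner = "mattrude";
+repo = "pgpkeyserver-lite";
+rev = "a038cb7";
+sha256 = "12pn92pcpv38b2gmamppn9yzdn7x52pgxnzpal22gqsxwimhs2rx";
+};
+
+installPhase = ''
+mkdir -p $out
+cp -R 404.html assets favicon.ico index.html robots.txt $out
+'';
+
+meta = {
+homepage = https://github.com/mattrude/pgpkeyserver-lite;
+description = "A lightweight static front-end for a sks keyserver.";
+license = lib.licenses.gpl3;
+maintainers = [ lib.maintainers.calbrecht ];
+};
+}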
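Review bot: `rev = "a038cb7";` is an abbreviated commit id; the fixed-output `sha256` still pins the fetched contents, so the build is reproducible, but a short id is only unique by convention and nixpkgs expects the full 40-character hash so the pinned revision can be checked against upstream without ambiguity, e.g. `rev = "<full 40-char sha1 of a038cb7>";`. The date-based `version` is acceptable if upstream publishes no tags, but that deserves a one-line comment next to it such as `# upstream has no release tags (as of this pin); version is the commit date`.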
@ -8154,6 +8154,8 @@ with pkgs;
|
||||
|
||||
pgpdump = callPackage ../tools/security/pgpdump { };
|
||||
|
||||
pgpkeyserver-lite = callPackage ../servers/web-apps/pgpkeyserver-lite {};
|
||||
|
||||
gpgstats = callPackage ../tools/security/gpgstats { };
|
||||
|
||||
gpshell = callPackage ../development/tools/misc/gpshell { };
|
||||
|