sks and pgpkeyserver-lite modules: init (#27515)

* modules sks and pgpkeyserver-lite:
  runs the sks keyserver with optional nginx proxy for webgui.
* Add calbrecht to maintainers
* module sks: fix default hkpAddress value
* module pgpkeyserver-lite: make hkpAddress a string type option
  and use (builtins.head services.sks.hkpAddress) as default value
* module sks: remove leftover service dependencies
This commit is contained in:
Christian Albrecht 2017-08-22 12:27:00 +02:00 committed by Robin Gloster
parent d837d88f3b
commit 964799e556
6 changed files with 187 additions and 0 deletions

View File

@ -89,6 +89,7 @@
bstrik = "Berno Strik <dutchman55@gmx.com>";
bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
c0dehero = "CodeHero <codehero@nerdpol.ch>";
calbrecht = "Christian Albrecht <christian.albrecht@mayflower.de>";
calrama = "Moritz Maxeiner <moritz@ucworks.org>";
calvertvl = "Victor Calvert <calvertvl@gmail.com>";
campadrenalin = "Philip Horger <campadrenalin@gmail.com>";

View File

@ -556,6 +556,7 @@
./services/security/oauth2_proxy.nix
./services/security/physlock.nix
./services/security/shibboleth-sp.nix
./services/security/sks.nix
./services/security/sshguard.nix
./services/security/tor.nix
./services/security/torify.nix
@ -583,6 +584,7 @@
./services/web-apps/frab.nix
./services/web-apps/mattermost.nix
./services/web-apps/nixbot.nix
./services/web-apps/pgpkeyserver-lite.nix
./services/web-apps/piwik.nix
./services/web-apps/pump.io.nix
./services/web-apps/tt-rss.nix

View File

@ -0,0 +1,82 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.sks;
sksPkg = cfg.package;
in
{
options = {
services.sks = {
enable = mkEnableOption "sks";
package = mkOption {
default = pkgs.sks;
defaultText = "pkgs.sks";
type = types.package;
description = "
Which sks derivation to use.
";
};
hkpAddress = mkOption {
default = [ "127.0.0.1" "::1" ];
type = types.listOf types.str;
description = "
Wich ip addresses the sks-keyserver is listening on.
";
};
hkpPort = mkOption {
default = 11371;
type = types.int;
description = "
Which port the sks-keyserver is listening on.
";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ sksPkg ];
users.users.sks = {
createHome = true;
home = "/var/db/sks";
isSystemUser = true;
shell = "${pkgs.coreutils}/bin/true";
};
systemd.services = let
hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
hkpPort = builtins.toString cfg.hkpPort;
home = config.users.users.sks.home;
user = config.users.users.sks.name;
in {
sks-keyserver = {
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p ${home}/dump
${pkgs.sks}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
${pkgs.sks}/bin/sks cleandb || true
${pkgs.sks}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
'';
serviceConfig = {
WorkingDirectory = home;
User = user;
Restart = "always";
ExecStart = "${pkgs.sks}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
};
};
};
};
}

View File

@ -0,0 +1,75 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.pgpkeyserver-lite;
sksCfg = config.services.sks;
webPkg = cfg.package;
in
{
options = {
services.pgpkeyserver-lite = {
enable = mkEnableOption "pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver";
package = mkOption {
default = pkgs.pgpkeyserver-lite;
defaultText = "pkgs.pgpkeyserver-lite";
type = types.package;
description = "
Which webgui derivation to use.
";
};
hostname = mkOption {
type = types.str;
description = "
Which hostname to set the vHost to that is proxying to sks.
";
};
hkpAddress = mkOption {
default = builtins.head sksCfg.hkpAddress;
type = types.str;
description = "
Wich ip address the sks-keyserver is listening on.
";
};
hkpPort = mkOption {
default = sksCfg.hkpPort;
type = types.int;
description = "
Which port the sks-keyserver is listening on.
";
};
};
};
config = mkIf cfg.enable {
services.nginx.enable = true;
services.nginx.virtualHosts = let
hkpPort = builtins.toString cfg.hkpPort;
in {
"${cfg.hostname}" = {
root = webPkg;
locations = {
"/pks".extraConfig = ''
proxy_pass http://${cfg.hkpAddress}:${hkpPort};
proxy_pass_header Server;
add_header Via "1.1 ${cfg.hostname}";
'';
};
};
};
};
}

View File

@ -0,0 +1,25 @@
{ stdenv, fetchFromGitHub, lib } :
stdenv.mkDerivation rec {
name = "pgpkeyserver-lite-${version}";
version = "2017-07-18";
src = fetchFromGitHub {
owner = "mattrude";
repo = "pgpkeyserver-lite";
rev = "a038cb7";
sha256 = "12pn92pcpv38b2gmamppn9yzdn7x52pgxnzpal22gqsxwimhs2rx";
};
installPhase = ''
mkdir -p $out
cp -R 404.html assets favicon.ico index.html robots.txt $out
'';
meta = {
homepage = https://github.com/mattrude/pgpkeyserver-lite;
description = "A lightweight static front-end for a sks keyserver.";
license = lib.licenses.gpl3;
maintainers = [ lib.maintainers.calbrecht ];
};
}

View File

@ -8154,6 +8154,8 @@ with pkgs;
pgpdump = callPackage ../tools/security/pgpdump { };
pgpkeyserver-lite = callPackage ../servers/web-apps/pgpkeyserver-lite {};
gpgstats = callPackage ../tools/security/gpgstats { };
gpshell = callPackage ../development/tools/misc/gpshell { };