public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/sks: Use a group and don't add sks to systemPackages

Browse Source 
Without a group the gid will default to 65534 (2^16 - 2) which maps to
"nogroup". IMO it makes more sense to explicitly set a valid group.

Adding pkgs.sks to environment.systemPackages is not required (IIRC we
want to avoid bloating environment.systemPackages). Instead it seems
like a better idea to make the relevant binaries available to the user
sks and enable useDefaultShell so that "su -l sks" can be used for
manual interaction (that way the files will always have the correct
owner).
This commit is contained in:
Michael Weiss 2018-09-08 16:10:29 +02:00
parent a6934b2389
commit eb0050ca45
1 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
nixos/modules/services/security/sks.nix
View File

@ -73,20 +73,22 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ sksPkg ]; users = {
users.sks = {
users.users.sks = { isSystemUser = true;
createHome = true; description = "SKS user";
home = cfg.dataDir; home = cfg.dataDir;
isSystemUser = true; createHome = true;
shell = "${pkgs.coreutils}/bin/true"; group = "sks";
useDefaultShell = true;
packages = [ sksPkg pkgs.db ];
};
groups.sks = { };
}; };
systemd.services = let systemd.services = let
hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ; hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
hkpPort = builtins.toString cfg.hkpPort; hkpPort = builtins.toString cfg.hkpPort;
home = config.users.users.sks.home;
user = config.users.users.sks.name;
in { in {
"sks-db" = { "sks-db" = {
description = "SKS database server"; description = "SKS database server";
@ -94,14 +96,15 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
ln -sfT "${cfg.webroot}" web ln -sfT "${cfg.webroot}" web
mkdir -p ${home}/dump mkdir -p dump
${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/ ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
${sksPkg}/bin/sks cleandb || true ${sksPkg}/bin/sks cleandb || true
${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
''; '';
serviceConfig = { serviceConfig = {
WorkingDirectory = home; WorkingDirectory = "~";
User = user; User = "sks";
Group = "sks";
Restart = "always"; Restart = "always";
ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}"; ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
}; };