From d02c6a56cc8af61825625943ff38e469154a91d6 Mon Sep 17 00:00:00 2001
From: Michael Weiss
Date: Sat, 8 Sep 2018 14:14:01 +0200
Subject: [PATCH 1/5] sks: Copy the web examples to $webSamples for the module
---
 pkgs/servers/sks/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/servers/sks/default.nix b/pkgs/servers/sks/default.nix
index fe4029db1c14..e4f5ea1f57c9 100644
--- a/pkgs/servers/sks/default.nix
+++ b/pkgs/servers/sks/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 sha256 = "00q5ma5rvl10rkc6cdw8d69bddgrmvy0ckqj3hbisy65l4idj2zm";
 };
+ outputs = [ "out" "webSamples" ];
+
 buildInputs = [ ocaml zlib db perl camlp4 ];
 makeFlags = [ "PREFIX=$(out)" "MANDIR=$(out)/share/man" ];
@@ -26,6 +28,9 @@ stdenv.mkDerivation rec {
 doCheck = true;
 checkPhase = "./sks unit_test";
+ # Copy the web examples for the NixOS module
+ postInstall = "cp -R sampleWeb $webSamples";
+
 meta = with stdenv.lib; {
 description = "An easily deployable & decentralized OpenPGP keyserver";
 longDescription = ''
From a0d3d098ffd027a4a6a0b3d7db7edd59dcfb78af Mon Sep 17 00:00:00 2001
From: Michael Weiss
Date: Sat, 8 Sep 2018 15:19:40 +0200
Subject: [PATCH 2/5] nixos/sks: Add a webroot option
The module will now, by default, serve a simple webpage via the built-in web server (instead of displaying an error message).
---
 nixos/modules/services/security/sks.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index 5e4b1a71fdd9..009b5980813f 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
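Review bot: `postInstall = "cp -R sampleWeb $webSamples"` only produces the intended layout because `$webSamples` does not exist yet when it runs; if that output directory is ever created earlier (another postInstall step, a later refactor), `cp -R` copies the tree to `$webSamples/sampleWeb` instead of onto `$webSamples` and the module's `webSamples/OpenPKG` paths silently break. `mkdir -p "$webSamples" && cp -R sampleWeb/. "$webSamples"` gives the same result today and keeps working in that case. The derivation attribute set continues outside the hunk.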
@@ -53,6 +53,21 @@ in {
 type = types.ints.u16;
 description = "HKP port to listen on.";
 };
+
+ webroot = mkOption {
+ type = types.path;
+ default = "${sksPkg.webSamples}/OpenPKG";
+ defaultText = "\${pkgs.sks.webSamples}/OpenPKG";
+ description = ''
+ Source directory (will be symlinked) for the files the built-in
+ webserver should serve. SKS (''${pkgs.sks.webSamples}) provides the
+ following examples: "HTML5", "OpenPKG", and "XHTML+ES". The index
+ file can be named index.html, index.htm, index.xhtm, or index.xhtml.
+ Files with the extensions .css, .es, .js, .jpg, .jpeg, .png, or .gif
+ are supported. Subdirectories and filenames with anything other than
+ alphanumeric characters and the '.' character will be ignored.
+ '';
+ };
 };
 };
@@ -78,6 +93,7 @@ in {
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
+ ln -sfT "${cfg.webroot}" web
 mkdir -p ${home}/dump
 ${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
 ${sksPkg}/bin/sks cleandb || true
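Review bot: `ln -sfT "${cfg.webroot}" web` resolves `web` against the unit's working directory, while the `mkdir -p ${home}/dump` directly below it spells the data directory out in full; the two lines should agree (either both relative to WorkingDirectory or both under `${home}`), otherwise a later change to WorkingDirectory moves the link but not the dump directory without any error. `ln -sfT "${cfg.webroot}" ${home}/web` would match the existing style of this preStart. The sks-db unit definition continues outside the hunk.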
@@ -0,0 +1,27 @@
+--- a/version.ml 2018-09-08 15:56:18.919154257 +0200
++++ b/version.ml 2018-09-08 15:56:07.544028575 +0200
+@@ -24,16 +24,6 @@
+
+ let run () =
+ let bdb_version = Bdb.version () in
+- let dbstats_dir =
+- let split = Str.regexp_string "." in
+- let major_minor_string major minor =
+- sprintf "Further details about the BDB environment can be seen by \
+- executing\ndb%s.%s_stat -x in the KDB and Ptree directories\n" major minor
+- in
+- match Str.split split bdb_version with
+- | major :: minor :: _ -> major_minor_string major minor
+- | [] | _ :: [] -> major_minor_string "X" "Y"
+- in
+ printf "SKS version %s%s\n"
+ Common.version Common.version_suffix;
+
+@@ -44,5 +34,6 @@
+ requirement for recon of SKS %s\n"
+ Common.compatible_version_string;
+
+- printf "%s" dbstats_dir
++ printf "Further details about the BDB environment can be seen by executing\n\
++ db_stat -x in the KDB and PTree directories\n"
+
diff --git a/pkgs/servers/sks/default.nix b/pkgs/servers/sks/default.nix
index e4f5ea1f57c9..deeeabda7451 100644
--- a/pkgs/servers/sks/default.nix
+++ b/pkgs/servers/sks/default.nix
@@ -11,6 +11,9 @@ stdenv.mkDerivation rec {
 sha256 = "00q5ma5rvl10rkc6cdw8d69bddgrmvy0ckqj3hbisy65l4idj2zm";
 };
+ # pkgs.db provides db_stat, not db$major.$minor_stat
+ patches = [ ./adapt-to-nixos.patch ];
+
 outputs = [ "out" "webSamples" ];
 buildInputs = [ ocaml zlib db perl camlp4 ];
From eb0050ca458870deb17e0bedfdf1eeda3c67bf9e Mon Sep 17 00:00:00 2001
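Review bot: The comment on the new `patches` line says why the patch exists but not how far it reaches; reading adapt-to-nixos.patch, it appears to only drop the `db%s.%s_stat` string construction from `run ()` in version.ml and print a fixed `db_stat` hint instead, so it is cosmetic and can be dropped without loss if an upstream update changes that text. Suggest `# pkgs.db provides db_stat, not db$major.$minor_stat (only rewrites the hint printed by version.ml)`. The replacement text also changes the upstream spelling `Ptree` to `PTree`; whichever matches the on-disk directory name should be used consistently, which is worth a quick check.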
From: Michael Weiss
Date: Sat, 8 Sep 2018 16:10:29 +0200
Subject: [PATCH 4/5] nixos/sks: Use a group and don't add sks to systemPackages
Without a group the gid will default to 65534 (2^16 - 2) which maps to "nogroup". IMO it makes more sense to explicitly set a valid group. Adding pkgs.sks to environment.systemPackages is not required (IIRC we want to avoid bloating environment.systemPackages). Instead it seems like a better idea to make the relevant binaries available to the user sks and enable useDefaultShell so that "su -l sks" can be used for manual interaction (that way the files will always have the correct owner).
---
 nixos/modules/services/security/sks.nix | 29 ++++++++++++++-----------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index 009b5980813f..e285b94b170a 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@@ -73,20 +73,22 @@ in {
 config = mkIf cfg.enable {
- environment.systemPackages = [ sksPkg ];
-
- users.users.sks = {
- createHome = true;
- home = cfg.dataDir;
- isSystemUser = true;
- shell = "${pkgs.coreutils}/bin/true";
+ users = {
+ users.sks = {
+ isSystemUser = true;
+ description = "SKS user";
+ home = cfg.dataDir;
+ createHome = true;
+ group = "sks";
+ useDefaultShell = true;
+ packages = [ sksPkg pkgs.db ];
+ };
+ groups.sks = { };
 };
 systemd.services = let
 hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
 hkpPort = builtins.toString cfg.hkpPort;
- home = config.users.users.sks.home;
- user = config.users.users.sks.name;
 in {
 "sks-db" = {
 description = "SKS database server";
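Review bot: `useDefaultShell = true` turns the `sks` system account into one with a login shell, replacing the `${pkgs.coreutils}/bin/true` shell the hunk removes, but nothing in the module records why; the rationale (`su -l sks` for manual maintenance, with `sksPkg` and `pkgs.db` placed in the user's `packages`) lives only in the commit message. A comment beside it such as `# login shell + packages so that "su -l sks" can be used for manual maintenance` keeps that visible to the next reader, who would otherwise reasonably tighten the account back to a non-interactive shell. Since `packages` only has an effect in such an interactive session, the two settings belong together under that one comment. The config attribute set continues outside the hunk.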
@@ -94,14 +96,15 @@ in {
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 ln -sfT "${cfg.webroot}" web
- mkdir -p ${home}/dump
- ${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
+ mkdir -p dump
+ ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
 ${sksPkg}/bin/sks cleandb || true
 ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
 '';
 serviceConfig = {
- WorkingDirectory = home;
- User = user;
+ WorkingDirectory = "~";
+ User = "sks";
+ Group = "sks";
 Restart = "always";
 ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
 };
From 53ef5441bb261bcb52b5ffe7cab77ba46114e7e9 Mon Sep 17 00:00:00 2001
From: Michael Weiss
Date: Sat, 8 Sep 2018 16:45:58 +0200
Subject: [PATCH 5/5] nixos/sks: Make the webroot option optional
That way the built-in web server is usable by default but users can use $HOME/web directly (instead of having to use a symlink), if they want to customize the webpage.
---
 nixos/modules/services/security/sks.nix | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index e285b94b170a..9f0261038d5b 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
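Review bot: `WorkingDirectory = "~"` depends on systemd expanding `~` to the home of `User=sks`, which this same commit sets to `cfg.dataDir` in the users block; the now-relative `dump` and `web` paths in preStart are correct only through that indirection, and the `home` binding that used to make it explicit is removed. A short comment, `# "~" is expanded by systemd to the home of User=sks, i.e. cfg.dataDir`, or simply `WorkingDirectory = cfg.dataDir;`, would make the dependency visible where it is relied on. The sks-db unit continues outside the hunk.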
@@ -55,17 +55,18 @@ in {
 };
 webroot = mkOption {
- type = types.path;
+ type = types.nullOr types.path;
 default = "${sksPkg.webSamples}/OpenPKG";
 defaultText = "\${pkgs.sks.webSamples}/OpenPKG";
 description = ''
- Source directory (will be symlinked) for the files the built-in
- webserver should serve. SKS (''${pkgs.sks.webSamples}) provides the
- following examples: "HTML5", "OpenPKG", and "XHTML+ES". The index
- file can be named index.html, index.htm, index.xhtm, or index.xhtml.
- Files with the extensions .css, .es, .js, .jpg, .jpeg, .png, or .gif
- are supported. Subdirectories and filenames with anything other than
- alphanumeric characters and the '.' character will be ignored.
+ Source directory (will be symlinked, if not null) for the files the
+ built-in webserver should serve. SKS (''${pkgs.sks.webSamples})
+ provides the following examples: "HTML5", "OpenPKG", and "XHTML+ES".
+ The index file can be named index.html, index.htm, index.xhtm, or
+ index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg,
+ .png, or .gif are supported. Subdirectories and filenames with
+ anything other than alphanumeric characters and the '.' character
+ will be ignored.
 '';
 };
 };
@@ -95,7 +96,8 @@ in {
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 preStart = ''
- ln -sfT "${cfg.webroot}" web
+ ${lib.optionalString (cfg.webroot != null)
+ "ln -sfT \"${cfg.webroot}\" web"}
 mkdir -p dump
 ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
 ${sksPkg}/bin/sks cleandb || true
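Review bot: The reworded description still does not say what happens when `webroot` is null, even though that is the new case this commit introduces; the commit message explains that users can then manage the `web` directory in the data directory themselves, but the option text is what the manual and option search show. Suggest ending the description with `Set this to null to leave the web directory in the data directory untouched and manage it yourself.` The options attribute set continues outside the hunk.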
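Review bot: With `webroot` left at its default, the guarded `ln -sfT` still fails when `web` already exists as a real directory in the data directory — as far as I know GNU ln refuses to replace a directory even with `-f -T` — so the hand-managed setup this commit is meant to allow breaks the service in ExecStartPre with a bare ln error unless the user also remembers to set the option to null. Conversely, switching to `webroot = null` after a deployment with the default leaves the previous symlink to a store path in place, which may dangle after garbage collection. A check before the link turns the first case into an actionable message; whether to clear a leftover symlink in the null case is a behaviour choice for the author. The sks-db unit definition continues outside the hunk.
```nix
preStart = ''
  ${lib.optionalString (cfg.webroot != null) ''
    if [ -e web ] && [ ! -L web ]; then
      echo "sks: web/ already exists and is not a symlink; set webroot to null to keep it" >&2
      exit 1
    fi
    ln -sfT "${cfg.webroot}" web
  ''}
  # … unchanged: mkdir -p dump and the sks build/cleandb/pbuild calls …
```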