authorMichael Weiss <dev.primeos@gmail.com>2018-09-08 16:10:29 +0200
committerMichael Weiss <dev.primeos@gmail.com>2018-09-08 16:24:05 +0200
commiteb0050ca458870deb17e0bedfdf1eeda3c67bf9e (patch)
treeaedaecbe99de62c4b29a062ef78d2be6cc62eee1 /nixos/modules/services/security
parenta6934b2389f9e2bb55675fc93498d949adb3bb40 (diff)
nixos/sks: Use a group and don't add sks to systemPackages
Without an explicit group the gid defaults to 65534 (2^16 - 2), which maps to
"nogroup". It makes more sense to set a valid, dedicated group explicitly.

Adding pkgs.sks to environment.systemPackages is not required (IIRC we
want to avoid bloating environment.systemPackages). Instead it seems
like a better idea to make the relevant binaries available to the user
sks and enable useDefaultShell so that "su -l sks" can be used for
manual interaction (that way the files will always have the correct
owner).
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r--nixos/modules/services/security/sks.nix29
1 files changed, 16 insertions, 13 deletions
diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index 009b5980813f..e285b94b170a 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@@ -73,20 +73,22 @@ in {
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ sksPkg ];
-    
-    users.users.sks = {
-      createHome = true;
-      home = cfg.dataDir;
-      isSystemUser = true;
-      shell = "${pkgs.coreutils}/bin/true";
+    users = {
+      users.sks = {
+        isSystemUser = true;
+        description = "SKS user";
+        home = cfg.dataDir;
+        createHome = true;
+        group = "sks";
+        useDefaultShell = true;
+        packages = [ sksPkg pkgs.db ];
+      };
+      groups.sks = { };
     };
 
     systemd.services = let
       hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
       hkpPort = builtins.toString cfg.hkpPort;
-      home = config.users.users.sks.home;
-      user = config.users.users.sks.name;
     in {
       "sks-db" = {
         description = "SKS database server";
@@ -94,14 +96,15 @@ in {
         wantedBy = [ "multi-user.target" ];
         preStart = ''
           ln -sfT "${cfg.webroot}" web
-          mkdir -p ${home}/dump
-          ${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
+          mkdir -p dump
+          ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
           ${sksPkg}/bin/sks cleandb || true
           ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
         '';
         serviceConfig = {
-          WorkingDirectory = home;
-          User = user;
+          WorkingDirectory = "~";
+          User = "sks";
+          Group = "sks";
           Restart = "always";
           ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
         };
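Review bot: `WorkingDirectory = "~"` resolves to the `sks` user's home, which is `cfg.dataDir` only because `users.users.sks.home` sets it elsewhere in this module, so the relative `web`, `dump` and `dump/*.gpg` paths in preStart now depend on that pairing without saying so; a comment such as `# "~" is the sks user's home, i.e. cfg.dataDir; preStart's relative paths rely on this` would pin it. Since no `permissionsStartOnly` or `+` prefix is visible, preStart presumably runs as `sks` as well, and an existing dataDir populated under the previous `nogroup` gid is not re-owned by this change — worth a note in the commit message, or a `chgrp -R sks .` in preStart if in-place upgrades matter. The daemon is network-facing and still runs with no systemd sandboxing (`NoNewPrivileges`, `PrivateTmp`, `ProtectHome`); that is not new here, but the unit now having a dedicated user and group makes it the natural place to add some. The `sks-db` service definition and the enclosing `systemd.services` set continue past the end of the hunk.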