diff options
author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-07-19 06:01:30 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-19 06:01:30 +0000 |
commit | 9c688591fcae1c2c812c9929b399f1f08054f8b5 (patch) | |
tree | edff73102bdf014962cee7ac248c7c8bc90b8f66 /nixos | |
parent | dc802b2e196f95ce42daa7591e475bba34047331 (diff) | |
parent | bfef28861df7a97533e9b9b04ef66019edb390fb (diff) | |
download | nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.tar nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.tar.gz nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.tar.bz2 nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.tar.lz nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.tar.xz nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.tar.zst nixlib-9c688591fcae1c2c812c9929b399f1f08054f8b5.zip |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 7 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2111.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/security/hockeypuck.nix | 104 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/hockeypuck.nix | 63 |
6 files changed, 178 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml index b5d99a15e021..b8e996ed9e03 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml @@ -98,6 +98,13 @@ <link linkend="opt-snapraid.enable">snapraid</link>. </para> </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hockeypuck/hockeypuck">Hockeypuck</link>, + a OpenPGP Key Server. Available as + <link linkend="opt-services.hockeypuck.enable">services.hockeypuck</link>. + </para> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-incompatibilities"> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 9a0e5eda1289..ef9c8ce3cea8 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md @@ -30,6 +30,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [snapraid](https://www.snapraid.it/), a backup program for disk arrays. Available as [snapraid](#opt-snapraid.enable). +- [Hockeypuck](https://github.com/hockeypuck/hockeypuck), a OpenPGP Key Server. Available as [services.hockeypuck](#opt-services.hockeypuck.enable). + ## Backward Incompatibilities {#sec-release-21.11-incompatibilities} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index ad1bccd54289..13463359a66e 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -886,6 +886,7 @@ ./services/security/fprot.nix ./services/security/haka.nix ./services/security/haveged.nix + ./services/security/hockeypuck.nix ./services/security/hologram-server.nix ./services/security/hologram-agent.nix ./services/security/munge.nix diff --git a/nixos/modules/services/security/hockeypuck.nix b/nixos/modules/services/security/hockeypuck.nix new file mode 100644 index 000000000000..686634c8add8 --- /dev/null +++ b/nixos/modules/services/security/hockeypuck.nix @@ -0,0 +1,104 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.hockeypuck; + settingsFormat = pkgs.formats.toml { }; +in { + meta.maintainers = with lib.maintainers; [ etu ]; + + options.services.hockeypuck = { + enable = lib.mkEnableOption "Hockeypuck OpenPGP Key Server"; + + port = lib.mkOption { + default = 11371; + type = lib.types.port; + description = "HKP port to listen on."; + }; + + settings = lib.mkOption { + type = settingsFormat.type; + default = { }; + example = lib.literalExample '' + { + hockeypuck = { + loglevel = "INFO"; + logfile = "/var/log/hockeypuck/hockeypuck.log"; + indexTemplate = "''${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + vindexTemplate = "''${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + statsTemplate = "''${pkgs.hockeypuck-web}/share/templates/stats.html.tmpl"; + webroot = "''${pkgs.hockeypuck-web}/share/webroot"; + + hkp.bind = ":''${toString cfg.port}"; + + openpgp.db = { + driver = "postgres-jsonb"; + dsn = "database=hockeypuck host=/var/run/postgresql sslmode=disable"; + }; + }; + } + ''; + description = '' + Configuration file for hockeypuck, here you can override + certain settings (<literal>loglevel</literal> and + <literal>openpgp.db.dsn</literal>) by just setting those values. + + For other settings you need to use lib.mkForce to override them. + + This service doesn't provision or enable postgres on your + system, it rather assumes that you enable postgres and create + the database yourself. + + Example: + <literal> + services.postgresql = { + enable = true; + ensureDatabases = [ "hockeypuck" ]; + ensureUsers = [{ + name = "hockeypuck"; + ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; + }]; + }; + </literal> + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.hockeypuck.settings.hockeypuck = { + loglevel = lib.mkDefault "INFO"; + logfile = "/var/log/hockeypuck/hockeypuck.log"; + indexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + vindexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl"; + statsTemplate = "${pkgs.hockeypuck-web}/share/templates/stats.html.tmpl"; + webroot = "${pkgs.hockeypuck-web}/share/webroot"; + + hkp.bind = ":${toString cfg.port}"; + + openpgp.db = { + driver = "postgres-jsonb"; + dsn = lib.mkDefault "database=hockeypuck host=/var/run/postgresql sslmode=disable"; + }; + }; + + users.users.hockeypuck = { + isSystemUser = true; + description = "Hockeypuck user"; + }; + + systemd.services.hockeypuck = { + description = "Hockeypuck OpenPGP Key Server"; + after = [ "network.target" "postgresql.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + WorkingDirectory = "/var/lib/hockeypuck"; + User = "hockeypuck"; + ExecStart = "${pkgs.hockeypuck}/bin/hockeypuck -config ${settingsFormat.generate "config.toml" cfg.settings}"; + Restart = "always"; + RestartSec = "5s"; + LogsDirectory = "hockeypuck"; + LogsDirectoryMode = "0755"; + StateDirectory = "hockeypuck"; + }; + }; + }; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index fd502a473b10..746139c48169 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -174,6 +174,7 @@ in hitch = handleTest ./hitch {}; hledger-web = handleTest ./hledger-web.nix {}; hocker-fetchdocker = handleTest ./hocker-fetchdocker {}; + hockeypuck = handleTest ./hockeypuck.nix { }; home-assistant = handleTest ./home-assistant.nix {}; hostname = handleTest ./hostname.nix {}; hound = handleTest ./hound.nix {}; diff --git a/nixos/tests/hockeypuck.nix b/nixos/tests/hockeypuck.nix new file mode 100644 index 000000000000..79313f314fd2 --- /dev/null +++ b/nixos/tests/hockeypuck.nix @@ -0,0 +1,63 @@ +import ./make-test-python.nix ({ lib, pkgs, ... }: +let + gpgKeyring = (pkgs.runCommandNoCC "gpg-keyring" { buildInputs = [ pkgs.gnupg ]; } '' + mkdir -p $out + export GNUPGHOME=$out + cat > foo <<EOF + %echo Generating a basic OpenPGP key + %no-protection + Key-Type: DSA + Key-Length: 1024 + Subkey-Type: ELG-E + Subkey-Length: 1024 + Name-Real: Foo Example + Name-Email: foo@example.org + Expire-Date: 0 + # Do a commit here, so that we can later print "done" + %commit + %echo done + EOF + gpg --batch --generate-key foo + rm $out/S.gpg-agent $out/S.gpg-agent.* + ''); +in { + name = "hockeypuck"; + meta.maintainers = with lib.maintainers; [ etu ]; + + machine = { ... }: { + # Used for test + environment.systemPackages = [ pkgs.gnupg ]; + + services.hockeypuck.enable = true; + + services.postgresql = { + enable = true; + ensureDatabases = [ "hockeypuck" ]; + ensureUsers = [{ + name = "hockeypuck"; + ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES"; + }]; + }; + }; + + testScript = '' + machine.wait_for_unit("hockeypuck.service") + machine.wait_for_open_port(11371) + + response = machine.succeed("curl -vvv -s http://127.0.0.1:11371/") + + assert "<title>OpenPGP Keyserver</title>" in response, "HTML title not found" + + # Copy the keyring + machine.succeed("cp -R ${gpgKeyring} /tmp/GNUPGHOME") + + # Extract our GPG key id + keyId = machine.succeed("GNUPGHOME=/tmp/GNUPGHOME gpg --list-keys | grep dsa1024 --after-context=1 | grep -v dsa1024").strip() + + # Send the key to our local keyserver + machine.succeed("GNUPGHOME=/tmp/GNUPGHOME gpg --keyserver hkp://127.0.0.1:11371 --send-keys " + keyId) + + # Recieve the key from our local keyserver to a separate directory + machine.succeed("GNUPGHOME=$(mktemp -d) gpg --keyserver hkp://127.0.0.1:11371 --recv-keys " + keyId) + ''; +}) |