author | Michael Weiss <dev.primeos@gmail.com> | 2018-09-08 16:10:29 +0200 |
---|---|---|
committer | Michael Weiss <dev.primeos@gmail.com> | 2018-09-08 16:24:05 +0200 |
commit | eb0050ca458870deb17e0bedfdf1eeda3c67bf9e (patch) | |
tree | aedaecbe99de62c4b29a062ef78d2be6cc62eee1 /nixos | |
parent | a6934b2389f9e2bb55675fc93498d949adb3bb40 (diff) | |
nixos/sks: Use a group and don't add sks to systemPackages
Without a group the gid will default to 65534 (2^16 - 2) which maps to "nogroup". IMO it makes more sense to explicitly set a valid group. Adding pkgs.sks to environment.systemPackages is not required (IIRC we want to avoid bloating environment.systemPackages). Instead it seems like a better idea to make the relevant binaries available to the user sks and enable useDefaultShell so that "su -l sks" can be used for manual interaction (that way the files will always have the correct owner).
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/security/sks.nix | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix
index 009b5980813..e285b94b170 100644
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@@ -73,20 +73,22 @@ in {
 config = mkIf cfg.enable {
- environment.systemPackages = [ sksPkg ];
-
- users.users.sks = {
- createHome = true;
- home = cfg.dataDir;
- isSystemUser = true;
- shell = "${pkgs.coreutils}/bin/true";
+ users = {
+ users.sks = {
+ isSystemUser = true;
+ description = "SKS user";
+ home = cfg.dataDir;
+ createHome = true;
+ group = "sks";
+ useDefaultShell = true;
+ packages = [ sksPkg pkgs.db ];
+ };
+ groups.sks = { };
 };
 systemd.services = let
 hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
 hkpPort = builtins.toString cfg.hkpPort;
- home = config.users.users.sks.home;
- user = config.users.users.sks.name;
 in {
 "sks-db" = {
 description = "SKS database server";
@@ -94,14 +96,15 @@ in {
 wantedBy = [ "multi-user.target" ];
 preStart = ''
 ln -sfT "${cfg.webroot}" web
- mkdir -p ${home}/dump
- ${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
+ mkdir -p dump
+ ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
 ${sksPkg}/bin/sks cleandb || true
 ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
 '';
 serviceConfig = {
- WorkingDirectory = home;
- User = user;
+ WorkingDirectory = "~";
+ User = "sks";
+ Group = "sks";
 Restart = "always";
 ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
 };
|
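Review bot: `useDefaultShell = true;` in the new users.sks block hands a service account that runs a network-facing daemon a real interactive login shell, where the removed line deliberately had `shell = "${pkgs.coreutils}/bin/true";` — and, if I read the users-groups defaults right, simply leaving `shell` unset would give the account nologin (please confirm against users-groups.nix). The stated motivation, running `su -l sks` for manual work, does not require a permanent login shell: `su -s /bin/sh -l sks` (or `sudo -u sks -s`) gives the same session against a nologin account, and the per-user `packages` still end up on PATH through the login profile. I would drop `useDefaultShell = true;` and leave a hint next to the user definition, e.g. `# No login shell on purpose; use "su -s /bin/sh -l sks" for manual interaction.`. The enclosing `config = mkIf cfg.enable {` attribute set starts in this hunk and continues past it.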
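Review bot: The rewritten serviceConfig pins `User = "sks";` and `Group = "sks";` for a daemon that listens on `-hkp_address ${hkpAddress} -hkp_port ${hkpPort}`, but the unit still relies on the unprivileged user alone for containment; since these lines are being touched anyway, `NoNewPrivileges = true;` and `PrivateTmp = true;` are low-risk additions next to `Group = "sks";` — nothing in the visible preStart uses /tmp, and its `web` and `dump` paths resolve under `WorkingDirectory = "~"` regardless. Stronger knobs such as ProtectSystem=strict would need ReadWritePaths for cfg.dataDir and the webroot symlink target, so I would leave those for a follow-up rather than guess here. The `"sks-db"` attribute set begins in the previous hunk and its body continues past the end of this one.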