diff --git a/gale-install.in b/gale-install.in
index 50e8ad8..eec0ed2 100644
--- a/gale-install.in
+++ b/gale-install.in
@@ -29,22 +29,78 @@ testkey_stdin() {
 	gkinfo -x 2>/dev/null | qgrep "^Public key: <$1>"
 }
 
-if [ -n "$GALE_SYS_DIR" ]; then
-	SYS_DIR="$GALE_SYS_DIR"
-elif [ -n "$sysconfdir" ]; then
-	SYS_DIR="$sysconfdir/gale"
+INST_SYS_DIR="$sysconfdir/gale"
+
+if [ `id -u` -eq 0 ]; then
+	is_root=yes
+	SYS_DIR=/etc/gale
+else
+	is_root=no
+	SYS_DIR="$HOME/.gale"
+fi
+
+if [ -f /etc/NIXOS ]; then
+	is_nixos=yes
+else
+	is_nixos=no
+fi
+
+if [ -u /run/wrappers/gksign ]; then
+	cat <<EOM
+
+Gale appears to have already been set up via the NixOS module system (check
+/etc/nixos/configuration.nix).
+
+EOM
+
+	exit 0
+fi
+
+if [ $is_root = yes ]; then
+	cat <<EOM
+
+You are running gale-install as root, so I'm going to assume you want to set up
+Gale for system-wide use.  Unfortunately, Gale expects to be able to run the
+"gksign" program via setuid, and we can't change gksign's permissions once it's
+already been installed because the Nix store is immutable by design.
+
+EOM
+
+	if [ $is_nixos = no ]; then
+		cat <<EOM
+
+This isn't a NixOS system.  Gale can only be installed for a single user on
+non-NixOS systems.  If you want a system-wide installation, you'll have to
+install Gale the old-fashioned way.  Sorry.
+
+EOM
+
+		exit 1
+	fi
+	cat <<EOM
+
+This script will generate a domain key for you, and after you get it signed, you
+can finish the setup process by configuring Gale via the NixOS module system
+(i.e. /etc/nixos/configuration.nix).
+
+EOM
+
 else
-	echo "Error: cannot locate Gale system configuration directory."
-	exit 1
+	cat <<EOM
+
+Hi.  You are running gale-install as a normal user, so I'm going to assume you
+want to set up Gale for your own (i.e. non-system-wide) use.
+
+EOM
+
 fi
 
-CONF="$SYS_DIR/conf"
 umask 022
-PATH="$bindir:$sbindir:$PATH:/usr/ucb"
+PATH="$bindir:$sbindir:$PATH"
 export PATH
 
-if [ -f "$CONF" ]; then
-	exec 3<"$CONF"
+if [ -n "$SYS_DIR" ] && [ -f "$SYS_DIR/conf" ]; then
+	exec 3<"$SYS_DIR/conf"
 
 	while read var value <&3 ; do
 		case "$var" in
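Review bot: The non-root branch assigns `SYS_DIR="$HOME/.gale"` with no guard that `$HOME` is set, while this same patch removes the old `[ -z "$HOME" ]` fallback (`cd; HOME=\`pwd\``), so an empty HOME silently yields `SYS_DIR=/.gale` and the later mkdir/key writes are aimed at the filesystem root. Add `: "${HOME:?HOME must be set}"` (or restore the old fallback) before the assignment. Separately, the early-exit test `[ -u /run/wrappers/gksign ]` probes a path directly under /run/wrappers; if the NixOS wrapper directory is actually /run/wrappers/bin, this check never fires and an already-configured system falls through to the root warning — worth confirming against the module. The `while read var value` loop that parses `$SYS_DIR/conf` continues past the end of this hunk.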
@@ -58,52 +114,14 @@ if [ -f "$CONF" ]; then
 	exec 3<&-
 fi
 
-USER="`whoami`"
-if [ -z "$USER" ]; then
-	echo "Error: cannot determine your username."
-	exit 1
-fi
-
-# -----------------------------------------------------------------------------
-# check directory structure
-
-if [ ! -d "$SYS_DIR" ]; then
-	echo "Error: Invalid SYS_DIR: \"$SYS_DIR\"."
-	exit 1
-fi
-
 # -----------------------------------------------------------------------------
-# get settings for important variables: user, domain, server
+# get settings for important variables: domain, server
 
-[ -n "$CONF_GALE_USER" ] && GALE_USER="$CONF_GALE_USER"
 [ -n "$CONF_GALE_DOMAIN" ] && GALE_DOMAIN="$CONF_GALE_DOMAIN"
 [ -n "$CONF_GALE_SERVER" ] && GALE_SERVER="$CONF_GALE_SERVER"
 
-if [ -z "$GALE_USER" ]; then
-cat << EOM
-
-Hi.  You need to denote a user to own the Gale domain secret key.  You must
-trust this user with Gale authentication for your domain; the "gksign" program
-will run as this user.  I recommend using a special "gale" user; if you don't
-have administrative privileges here, you'll probably have to use your own
-account.  I do not recommend the use of "root".
-
-No harm done if you stop this script now to set up such a user.
-
-EOM
-
-	printf "Enter the Gale username: "
-	read GALE_USER
-	if [ -z "$GALE_USER" ]; then
-		echo "Error: Invalid username or no home dir: \"$GALE_USER\"."
-		exit 1
-	fi
-else
-	echo "Using \"$GALE_USER\" as the Gale owner."
-fi
-
 if [ -z "$GALE_DOMAIN" ] ; then
-cat << EOM
+	cat << EOM
 
 You need to identify the name of your Gale domain for two purposes:
 
@@ -140,97 +158,56 @@ else
 fi
 
 # -----------------------------------------------------------------------------
-# create configuration file
-
-if [ ! -f "$CONF" ]; then
-cat > "$CONF" <<EOM
-# $CONF -- created by Gale installer; edit to suit.
-EOM
+# create configuration file (if this is a single-user setup)
+
+if [ $is_root = no ]; then
+	CONF="$SYS_DIR/conf"
+
+	if [ ! -d "$SYS_DIR" ]; then
+		run mkdir -m 0700 -p "$SYS_DIR"
+		run mkdir -m 0700 -p "$SYS_DIR/auth"
+		run mkdir -m 0755 -p "$SYS_DIR/auth/trusted"
+		run cp -f "$INST_SYS_DIR/auth/trusted/ROOT" "$SYS_DIR/auth/trusted"
+		run mkdir -m 0700 -p "$SYS_DIR/auth/private"
+		run mkdir -p "$SYS_DIR/auth/local" "$SYS_DIR/auth/cache"
+	fi
 
-cat <<EOM
+	if [ ! -f "$CONF" ]; then
+		cat <<EOM
 
 *** Creating "$CONF".
 Examine and edit this file to your taste and local needs.
 If you want to recreate it from scratch, remove it and re-run this.
-EOM
-fi
-
-[ -n "$CONF_GALE_USER" ] || cat >> "$CONF" <<EOM
 
-# The user who owns the domain secret key.  (Used in installation and upgrade)
-GALE_USER $GALE_USER
 EOM
 
-[ -n "$CONF_GALE_DOMAIN" ] || cat >> "$CONF" << EOM
+		cat > "$CONF" <<EOF
+# $CONF -- created by Gale installer; edit to suit.
 
 # The authentication domain to use.  (Mandatory)
 GALE_DOMAIN $GALE_DOMAIN
-EOM
-
-# -----------------------------------------------------------------------------
-# make gksign setuid
+EOF
 
-gksign="$sbindir/gksign"
-readlink="`which readlink 2>/dev/null`"
-[ -x "$readlink" ] && gksignlink="`"$readlink" "$gksign" 2>/dev/null`"
-[ -f "$gksignlink" ] && gksign="$gksignlink"
-
-echo ""
-if copy chown "$GALE_USER" "$gksign" ; then
-	:
-else
-	echo "*** We need to chown $GALE_USER '$gksign'."
-	echo "    Please run this script as a user that can do so,"
-	echo "    or do so yourself and re-run this script."
-	exit 1
+	fi
 fi
-run chmod 4755 "$gksign"
 
-# -----------------------------------------------------------------------------
-# create a domain, if necessary
+if [ $is_root = no ]; then
+	GALE_SYS_DIR="$SYS_DIR"
+	export GALE_SYS_DIR
 
-echo ""
-if test -u "$gksign" || copy chmod u+s "$gksign" ; then
-	:
+	testkey "$GALE_DOMAIN" && exit 0
+	echo "*** You lack a signed key for your domain, \"$GALE_DOMAIN\"."
+	GALE="$SYS_DIR"
 else
-	echo "*** We need to chmod u+s '$gksign'."
-	echo "    Please run this script as a user that can do so,"
-	echo "    or do so yourself and re-run this script."
-	exit 1
-fi
-
-testkey "$GALE_DOMAIN" && exit 0
-echo "*** You lack a signed key for your domain, \"$GALE_DOMAIN\"."
-
-if [ "x$GALE_USER" != "x$USER" ]; then
-cat <<EOM
-Become user "$GALE_USER" (you are now "$USER") and run this script again
-to create a new domain; contact your domain administrator if you wish to 
-become part of an existing domain.
-EOM
-	exit 1
-fi
-
-if [ -z "$HOME" ]; then
-	cd
-	HOME="`pwd`"
-	echo "Warning: \$HOME not set, assuming \"$HOME\"."
-fi
-
-GALE="$HOME/.gale"
-mkdir -p "$GALE"
-if [ ! -w "$GALE" ]; then
-	echo "Error: Cannot create \"$GALE\"."
-	exit 1
+	GALE="`pwd`"
 fi
 
 unsigned="$GALE/$GALE_DOMAIN.unsigned"
 signer="`echo "$GALE_DOMAIN" | sed 's%^[^.@:/]*[.@:/]%%'`"
 [ -z "$signer" ] && signer="ROOT"
 
-if [ -f "$unsigned" ]; then
-
-cat << EOM
+if [ $is_root = no ] && [ -f "$unsigned" ]; then
+	cat << EOM
 
 Okay, so we've already been here.  Last time, I created the file
 "$unsigned" for you to have signed.
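Review bot: In the root branch `GALE="\`pwd\`"` stages the domain key pair in whatever directory the admin happens to be in, and the new `[ $is_root = no ] && [ -f "$unsigned" ]` guard means a root re-run never notices an existing `$GALE_DOMAIN.unsigned` and goes on to generate a fresh key over it later in the script. The script's umask is 022, so that private key is created in a possibly shared or world-readable cwd; prefer a dedicated private directory, e.g. `GALE="$(pwd)/gale-domain-key"` followed by `run mkdir -m 0700 -p "$GALE"`, and at minimum refuse to continue when `$GALE/$GALE_DOMAIN.gpri` already exists rather than overwriting a key that may already have been signed. The `if` body that begins at the end of this hunk continues outside it.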
@@ -275,16 +252,12 @@ EOM
 		exit 1
 	fi
 
-cat << EOM
-
-The domain should be properly configured now.  Assuming users can access a
-version of "gksign" setuid to "$GALE_USER" (this user), they should be
-able to start running clients and generating IDs for themselves.
+	cat << EOM
 
-The installation process is complete!
+The domain should be properly configured now.  The installation process is
+complete!
 
 EOM
-
 	exit 0
 fi
 
@@ -300,7 +273,10 @@ printf "Enter the description: "
 read descr
 
 echo "We will generate the key now.  Have patience."
-gkgen -r "$GALE/auth/private/$GALE_DOMAIN.gpri" \
+if [ $is_root = no ]; then
+	install_gpri=auth/private/
+fi
+gkgen -r "$GALE/${install_gpri}$GALE_DOMAIN.gpri" \
       -u "$unsigned" "$GALE_DOMAIN" /"$descr" || exit 1
 
 cat << EOM
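Review bot: `gkgen -r "$GALE/${install_gpri}$GALE_DOMAIN.gpri"` writes the domain private key while the script's umask is still 022, so unless gkgen tightens the mode itself the file is created world-readable — and in the root case `install_gpri` is empty and `$GALE` is the current directory, so it lands next to wherever the admin ran the script. Set `umask 077` immediately before the gkgen call (the `.unsigned` file can be relaxed afterwards if it needs to be shared). Also `read descr` should be `read -r descr` so a backslash in the description is not mangled before it is passed as `/"$descr"`.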
@@ -311,8 +284,29 @@ the owner of the "$signer" domain through appropriate means.
 Take care to preseve the file's binary data; you may need to uuencode it.
 
 Assuming they trust you with your subdomain, they should pass the key through
-"gksign" as a filter, returning the signed output to you.  When you have this
-signed key file available, re-run this script, and we will move on to the
-next step.
+"gksign" as a filter, returning the signed output to you.
+
+EOM
+
+if [ $is_nixos = yes ]; then
+	cat <<EOM
+
+When you have this signed key file available, you can finish the setup process
+by placing the private key and signed public key in a directory (they will be
+copied) and setting "services.gale.keyPath" in /etc/nixos/configuration.nix.
 
 EOM
+else
+	cat <<EOM
+
+When you have this signed key file available, re-run this script, and we will
+move on to the next step.
+
+*** IMPORTANT ***
+You must set GALE_SYS_DIR="$GALE_SYS_DIR" in your environment before re-running
+this script and before running any Gale programs once setup is finished!  Make
+sure to set it now, and consider setting it via your shell initialization files
+so that you don't forget to do it next login.
+
+EOM
+fi
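Review bot: The final instructions branch on `$is_nixos` rather than `$is_root`, but only the root path is routed to the NixOS module: a non-root user on a NixOS host is told to set `services.gale.keyPath` in configuration.nix and never sees the re-run/`GALE_SYS_DIR` instructions that its per-user setup under `$HOME/.gale` depends on. Since root on a non-NixOS system already exits earlier in this patch, `if [ $is_root = yes ]; then` selects the intended message in both cases. The keyPath paragraph could also say that the staging directory should be private (mode 0700), since the private key is copied from it.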