nixos/sks: Use a group and don't add sks to systemPackages

Without a group the gid will default to 65534 (2^16 - 2) which maps to "nogroup". IMO it makes more sense to explicitly set a valid group. Adding pkgs.sks to environment.systemPackages is not required (IIRC we want to avoid bloating environment.systemPackages). Instead it seems like a better idea to make the relevant binaries available to the user sks and enable useDefaultShell so that "su -l sks" can be used for manual interaction (that way the files will always have the correct owner).
2024-11-16 06:47:09 +03:00 · 2018-09-08 16:10:29 +02:00 · 2018-09-08 16:10:29 +02:00 · eb0050ca45
commit eb0050ca45
parent a6934b2389
1 changed files with 16 additions and 13 deletions
--- a/nixos/modules/services/security/sks.nix
+++ b/nixos/modules/services/security/sks.nix
@ -73,20 +73,22 @@ in {

  config = mkIf cfg.enable {

-    environment.systemPackages = [ sksPkg ];
-    
-    users.users.sks = {
-      createHome = true;
-      home = cfg.dataDir;
+    users = {
+      users.sks = {
        isSystemUser = true;
-      shell = "${pkgs.coreutils}/bin/true";
+        description = "SKS user";
+        home = cfg.dataDir;
+        createHome = true;
+        group = "sks";
+        useDefaultShell = true;
+        packages = [ sksPkg pkgs.db ];
+      };
+      groups.sks = { };
    };

    systemd.services = let
      hkpAddress = "'" + (builtins.concatStringsSep " " cfg.hkpAddress) + "'" ;
      hkpPort = builtins.toString cfg.hkpPort;
-      home = config.users.users.sks.home;
-      user = config.users.users.sks.name;
    in {
      "sks-db" = {
        description = "SKS database server";
@ -94,14 +96,15 @@ in {
        wantedBy = [ "multi-user.target" ];
        preStart = ''
          ln -sfT "${cfg.webroot}" web
-          mkdir -p ${home}/dump
-          ${sksPkg}/bin/sks build ${home}/dump/*.gpg -n 10 -cache 100 || true #*/
+          mkdir -p dump
+          ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/
          ${sksPkg}/bin/sks cleandb || true
          ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true
        '';
        serviceConfig = {
-          WorkingDirectory = home;
-          User = user;
+          WorkingDirectory = "~";
+          User = "sks";
+          Group = "sks";
          Restart = "always";
          ExecStart = "${sksPkg}/bin/sks db -hkp_address ${hkpAddress} -hkp_port ${hkpPort}";
        };