Add OpenARC flake
diff --git a/flakes/openarc/flake.nix b/flakes/openarc/flake.nix
new file mode 100644 (file)
index 0000000..6110b2d
--- /dev/null
@@ -0,0 +1,147 @@
+{
+  description = "Open source ARC implementation";
+
+  inputs.myuids = {
+    url = "https://git.immae.eu/perso/Immae/Config/Nix.git";
+    type = "git";
+    dir = "flakes/myuids";
+  };
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+  inputs.openarc = {
+    url = "github:trusteddomainproject/OpenARC";
+    flake = false;
+  };
+
+  outputs = { self, myuids, openarc, flake-utils, nixpkgs }: flake-utils.lib.eachDefaultSystem (system:
+    let
+      lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+      pkgs = import nixpkgs { inherit system; overlays = []; };
+      inherit (pkgs) stdenv automake autoconf libbsd libtool openssl pkg-config libmilter file;
+    in rec {
+      packages.openarc = stdenv.mkDerivation rec {
+        pname = "openarc";
+        version = "master-${builtins.substring 0 7 lock.nodes.openarc.locked.rev}";
+        src = openarc;
+        buildInputs = [ automake autoconf libbsd libtool openssl pkg-config libmilter ];
+
+        configureFlags = [
+          "--with-milter=${libmilter}"
+        ];
+        preConfigure = ''
+        autoreconf --force --install
+        sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
+        '';
+        meta = {
+          description = "Open source ARC implementation";
+          homepage = "https://github.com/trusteddomainproject/OpenARC";
+          platforms = stdenv.lib.platforms.unix;
+        };
+      };
+
+      defaultPackage = packages.openarc;
+      legacyPackages.openarc = packages.openarc;
+      apps.openarc = flake-utils.lib.mkApp { drv = packages.openarc; };
+      defaultApp = apps.openarc;
+      checks = {
+        build = defaultPackage;
+      } // pkgs.lib.optionalAttrs (builtins.elem system pkgs.lib.systems.doubles.linux) {
+        test =
+          let testing = import (nixpkgs + "/nixos/lib/testing-python.nix") { inherit system; };
+          in testing.makeTest {
+            nodes = {
+              server = { pkgs, ... }: {
+                imports = [ self.nixosModule ];
+                config.services.openarc.enable = true;
+                config.services.openarc.configFile = pkgs.writeText "openarc.conf" ''
+                  Domain    foo.example.org
+                  KeyFile   /etc/openarc/foo.key
+                  Selector  foo
+                '';
+              };
+            };
+            testScript = ''
+              start_all()
+              server.wait_until_fails("openarc.service")
+              server.execute("install -m 0700 -o openarc -g openarc -d /etc/openarc")
+              server.execute("echo some_key > /etc/openarc/foo.key")
+              server.execute("chown openarc:openarc /etc/openarc/foo.key")
+              server.execute("chmod 400 /etc/openarc/foo.key")
+              server.systemctl("restart openarc")
+              server.wait_for_unit("openarc.service")
+              server.succeed("[ -S /run/openarc/openarc.sock ]")
+            '';
+          };
+        };
+    }) // {
+      hydraJobs.build = nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system: self.defaultPackage."${system}");
+      nixosModule = { config, lib, pkgs, ... }:
+        let
+          cfg = config.services.openarc;
+          defaultSock = "local:/run/openarc/openarc.sock";
+          args = [ "-f" "-p" cfg.socket ] ++ lib.optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+        in {
+          options = {
+            services.openarc = {
+              enable = lib.mkOption {
+                type = lib.types.bool;
+                default = false;
+                description = "Whether to enable the OpenARC sender authentication system.";
+              };
+
+              socket = lib.mkOption {
+                type = lib.types.str;
+                default = defaultSock;
+                description = "Socket which is used for communication with OpenARC.";
+              };
+
+              user = lib.mkOption {
+                type = lib.types.str;
+                default = "openarc";
+                description = "User for the daemon.";
+              };
+
+              group = lib.mkOption {
+                type = lib.types.str;
+                default = "openarc";
+                description = "Group for the daemon.";
+              };
+
+              configFile = lib.mkOption {
+                type = lib.types.nullOr lib.types.path;
+                default = null;
+                description = "Additional OpenARC configuration.";
+              };
+
+            };
+          };
+
+          config = lib.mkIf cfg.enable {
+            users.users.openarc = lib.optionalAttrs (cfg.user == "openarc") {
+              group = cfg.group;
+              uid = myuids.lib.uids.openarc;
+            };
+
+            users.groups.openarc = lib.optionalAttrs (cfg.group == "openarc") {
+              gid = myuids.lib.gids.openarc;
+            };
+
+            environment.systemPackages = [ self.defaultPackage."${pkgs.system}" ];
+
+            systemd.services.openarc = {
+              description = "OpenARC daemon";
+              after = [ "network.target" ];
+              wantedBy = [ "multi-user.target" ];
+
+              serviceConfig = {
+                ExecStart = "${self.defaultApp."${pkgs.system}".program} ${lib.escapeShellArgs args}";
+                User = cfg.user;
+                Group = cfg.group;
+                RuntimeDirectory = lib.optional (cfg.socket == defaultSock) "openarc";
+                PermissionsStartOnly = true;
+              };
+            };
+          };
+        };
+    };
+  }