Add OpenARC flake
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sun, 27 Dec 2020 14:55:48 +0000 (15:55 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Tue, 29 Dec 2020 22:50:56 +0000 (23:50 +0100)
flakes/openarc/flake.lock [new file with mode: 0644]
flakes/openarc/flake.nix [new file with mode: 0644]
modules/private/system/dilion.nix
shell.nix

diff --git a/flakes/openarc/flake.lock b/flakes/openarc/flake.lock
new file mode 100644 (file)
index 0000000..78c0fba
--- /dev/null
@@ -0,0 +1,77 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1609246779,
+        "narHash": "sha256-eq6ZXE/VWo3EMC65jmIT6H/rrUc9UWOWVujkzav025k=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "08c7ad4a0844adc4a7f9f5bb3beae482e789afa4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "myuids": {
+      "locked": {
+        "dir": "flakes/myuids",
+        "lastModified": 1609281959,
+        "narHash": "sha256-SYNlHeobQAzTzK0pM5AqMn7M2WbTuzBeoD+Q3Mu+sho=",
+        "ref": "master",
+        "rev": "1be9e64bb4556676f65e6e5044e04426848849c0",
+        "revCount": 791,
+        "type": "git",
+        "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+      },
+      "original": {
+        "dir": "flakes/myuids",
+        "type": "git",
+        "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1597943282,
+        "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "openarc": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1537545083,
+        "narHash": "sha256-xUSRARC7875vFjtZ66t8KBlKmkEdIZblWHc4zqGZAQQ=",
+        "owner": "trusteddomainproject",
+        "repo": "OpenARC",
+        "rev": "355ee2a1ca85acccce494478991983b54f794f4e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "trusteddomainproject",
+        "repo": "OpenARC",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "myuids": "myuids",
+        "nixpkgs": "nixpkgs",
+        "openarc": "openarc"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flakes/openarc/flake.nix b/flakes/openarc/flake.nix
new file mode 100644 (file)
index 0000000..6110b2d
--- /dev/null
@@ -0,0 +1,147 @@
+{
+  description = "Open source ARC implementation";
+
+  inputs.myuids = {
+    url = "https://git.immae.eu/perso/Immae/Config/Nix.git";
+    type = "git";
+    dir = "flakes/myuids";
+  };
+  inputs.flake-utils.url = "github:numtide/flake-utils";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+  inputs.openarc = {
+    url = "github:trusteddomainproject/OpenARC";
+    flake = false;
+  };
+
+  outputs = { self, myuids, openarc, flake-utils, nixpkgs }: flake-utils.lib.eachDefaultSystem (system:
+    let
+      lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+      pkgs = import nixpkgs { inherit system; overlays = []; };
+      inherit (pkgs) stdenv automake autoconf libbsd libtool openssl pkg-config libmilter file;
+    in rec {
+      packages.openarc = stdenv.mkDerivation rec {
+        pname = "openarc";
+        version = "master-${builtins.substring 0 7 lock.nodes.openarc.locked.rev}";
+        src = openarc;
+        buildInputs = [ automake autoconf libbsd libtool openssl pkg-config libmilter ];
+
+        configureFlags = [
+          "--with-milter=${libmilter}"
+        ];
+        preConfigure = ''
+        autoreconf --force --install
+        sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
+        '';
+        meta = {
+          description = "Open source ARC implementation";
+          homepage = "https://github.com/trusteddomainproject/OpenARC";
+          platforms = stdenv.lib.platforms.unix;
+        };
+      };
+
+      defaultPackage = packages.openarc;
+      legacyPackages.openarc = packages.openarc;
+      apps.openarc = flake-utils.lib.mkApp { drv = packages.openarc; };
+      defaultApp = apps.openarc;
+      checks = {
+        build = defaultPackage;
+      } // pkgs.lib.optionalAttrs (builtins.elem system pkgs.lib.systems.doubles.linux) {
+        test =
+          let testing = import (nixpkgs + "/nixos/lib/testing-python.nix") { inherit system; };
+          in testing.makeTest {
+            nodes = {
+              server = { pkgs, ... }: {
+                imports = [ self.nixosModule ];
+                config.services.openarc.enable = true;
+                config.services.openarc.configFile = pkgs.writeText "openarc.conf" ''
+                  Domain    foo.example.org
+                  KeyFile   /etc/openarc/foo.key
+                  Selector  foo
+                '';
+              };
+            };
+            testScript = ''
+              start_all()
+              server.wait_until_fails("openarc.service")
+              server.execute("install -m 0700 -o openarc -g openarc -d /etc/openarc")
+              server.execute("echo some_key > /etc/openarc/foo.key")
+              server.execute("chown openarc:openarc /etc/openarc/foo.key")
+              server.execute("chmod 400 /etc/openarc/foo.key")
+              server.systemctl("restart openarc")
+              server.wait_for_unit("openarc.service")
+              server.succeed("[ -S /run/openarc/openarc.sock ]")
+            '';
+          };
+        };
+    }) // {
+      hydraJobs.build = nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system: self.defaultPackage."${system}");
+      nixosModule = { config, lib, pkgs, ... }:
+        let
+          cfg = config.services.openarc;
+          defaultSock = "local:/run/openarc/openarc.sock";
+          args = [ "-f" "-p" cfg.socket ] ++ lib.optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+        in {
+          options = {
+            services.openarc = {
+              enable = lib.mkOption {
+                type = lib.types.bool;
+                default = false;
+                description = "Whether to enable the OpenARC sender authentication system.";
+              };
+
+              socket = lib.mkOption {
+                type = lib.types.str;
+                default = defaultSock;
+                description = "Socket which is used for communication with OpenARC.";
+              };
+
+              user = lib.mkOption {
+                type = lib.types.str;
+                default = "openarc";
+                description = "User for the daemon.";
+              };
+
+              group = lib.mkOption {
+                type = lib.types.str;
+                default = "openarc";
+                description = "Group for the daemon.";
+              };
+
+              configFile = lib.mkOption {
+                type = lib.types.nullOr lib.types.path;
+                default = null;
+                description = "Additional OpenARC configuration.";
+              };
+
+            };
+          };
+
+          config = lib.mkIf cfg.enable {
+            users.users.openarc = lib.optionalAttrs (cfg.user == "openarc") {
+              group = cfg.group;
+              uid = myuids.lib.uids.openarc;
+            };
+
+            users.groups.openarc = lib.optionalAttrs (cfg.group == "openarc") {
+              gid = myuids.lib.gids.openarc;
+            };
+
+            environment.systemPackages = [ self.defaultPackage."${pkgs.system}" ];
+
+            systemd.services.openarc = {
+              description = "OpenARC daemon";
+              after = [ "network.target" ];
+              wantedBy = [ "multi-user.target" ];
+
+              serviceConfig = {
+                ExecStart = "${self.defaultApp."${pkgs.system}".program} ${lib.escapeShellArgs args}";
+                User = cfg.user;
+                Group = cfg.group;
+                RuntimeDirectory = lib.optional (cfg.socket == defaultSock) "openarc";
+                PermissionsStartOnly = true;
+              };
+            };
+          };
+        };
+    };
+  }
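Review bot: `users.users.openarc = lib.optionalAttrs (cfg.user == "openarc") { ... }` and the matching `users.groups.openarc` still declare an `openarc` user and group when the operator selects a different `cfg.user`/`cfg.group`, because `optionalAttrs` evaluates to `{}` rather than dropping the definition, leaving an unused account with no uid; `users.users.openarc = lib.mkIf (cfg.user == "openarc") { group = cfg.group; uid = myuids.lib.uids.openarc; };` (and `lib.mkIf` on the group likewise) only creates them when they are used. `RuntimeDirectory` is also only set for the default socket, so a custom `local:` socket path gets no directory created and the daemon cannot bind unless the operator provisions one; the `socket` option description should say so, e.g. `"Socket used for communication with OpenARC; a non-default local: path must point to a directory writable by the daemon user."`. In the check's testScript, `server.wait_until_fails("openarc.service")` runs that string as a shell command, which fails at once as an unknown command, so it never verifies that the unit failed before the key existed; `server.wait_until_fails("systemctl is-active openarc.service")` checks the unit state instead.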
index b89b3649878b71e3592b41b5f25e6d00b99f4c75..3e01af3a53a0a55fa8f32c1227f6595637f55412 100644 (file)
       keep-outputs = true
       keep-derivations = true
       allow-unsafe-native-code-during-evaluation = true
+      experimental-features = nix-command flakes
       #Assumed in NUR
       allow-import-from-derivation = true
     '';
index 2a95658152d1b627770fb4fd548fb6c250e7145b..93caa0b097ff75e6df588f6202b24b62fec1edd0 100644 (file)
--- a/shell.nix
+++ b/shell.nix
@@ -1,4 +1,4 @@
 { pkgs ? import <nixpkgs> { overlays = builtins.attrValues (import ./overlays); } }:
 pkgs.mkShell {
-  buildInputs = [ pkgs.morph pkgs.niv pkgs.pass pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake ];
+  buildInputs = [ pkgs.nixUnstable pkgs.morph pkgs.niv pkgs.pass pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake ];
 }