hockeypuck
OpenPGP keyserver
Declared in: projects/hockeypuck/default.nix
Try the service in a VM
Install Nix
Debian or Ubuntu:
$ apt install --yes curl git jq nix
Arch Linux:
$ pacman --sync --refresh --noconfirm curl git jq nix
Download a configuration file
# default.nix
{
  ngipkgs ? import (fetchTarball "https://github.com/ngi-nix/ngipkgs/tarball/main") { },
}:
ngipkgs.demo-vm (
  { pkgs, ... }:
  let
    servicePort = 11371;
  in
  {
    services.hockeypuck = {
      enable = true;
      port = servicePort;
    };

    services.postgresql = {
      enable = true;
      ensureDatabases = [ "hockeypuck" ];
      ensureUsers = [
        {
          name = "hockeypuck";
          ensureDBOwnership = true;
        }
      ];
    };

    environment.systemPackages = with pkgs; [ gnupg ];

    # example gpg key
    environment.etc.gpg-key-foo.text = ''
      %echo Generating a basic OpenPGP key
      %no-protection
      Key-Type: DSA
      Key-Length: 1024
      Subkey-Type: ELG-E
      Subkey-Length: 1024
      Name-Real: Foo Example
      Name-Email: foo@example.org
      Expire-Date: 0
      # Do a commit here, so that we can later print "done"
      %commit
      %echo done
    '';

    networking.firewall.allowedTCPPorts = [ servicePort ];
  }
)
Enable binary substituters
$ export NIX_CONFIG='substituters = https://cache.nixos.org/ https://ngi.cachix.org/
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ngi.cachix.org-1:n+CAL72ROC3qQuLxIHpV+Tw5t42WhXmMhprAGkRSrOw='
Build and run a virtual machine
$ nix-build ./default.nix && ./result
Alternatively, run the build with the nix package from the nixpkgs revision that ngipkgs pins:
$ rev=$(nix-instantiate --eval --attr sources.nixpkgs.rev https://github.com/ngi-nix/ngipkgs/archive/master.tar.gz | jq --raw-output)
$ nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz --packages nix --run "nix-build ./default.nix && ./result"
Usage Instructions
Generate GPG keyring from basic key:
$ gpg --batch --generate-key /etc/gpg-key-foo
$ KEY_ID=$(gpg --list-keys | grep dsa1024 --after-context=1 | grep -v dsa1024)
Send the key to the local hockeypuck keyserver:
$ gpg --keyserver hkp://127.0.0.1:11371 --send-keys "$KEY_ID"
Receive the key from the local keyserver to a separate directory:
$ GNUPGHOME=$(mktemp -d) gpg --keyserver hkp://127.0.0.1:11371 --recv-keys "$KEY_ID"
Visit http://127.0.0.1:11371 in your browser
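A sturdier form of the round trip above, as an added example that is not part of the hockeypuck or ngipkgs documentation: it reads the fingerprint from gpg's machine-readable --with-colons listing instead of grepping for dsa1024, and checks that the key fetched back from the keyserver has the same primary fingerprint. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the hockeypuck or ngipkgs sources.

# Print primary-key fingerprints from `gpg --with-colons` output on stdin.
# The "fpr" record after a "pub" record carries the fingerprint in field 10;
# "fpr" records after "sub" belong to subkeys and are skipped.
primary_fprs() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Succeed only if both listings hold the same, non-empty set of primary keys.
same_primary_keys() {
  a=$(printf '%s\n' "$1" | primary_fprs | sort)
  b=$(printf '%s\n' "$2" | primary_fprs | sort)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live round trip; run in the VM after generating the key from /etc/gpg-key-foo.
roundtrip() {
  server=${1:-hkp://127.0.0.1:11371}
  fpr=$(gpg --batch --with-colons --list-keys foo@example.org | primary_fprs)
  fresh=$(mktemp -d)
  gpg --batch --keyserver "$server" --send-keys "$fpr" &&
    GNUPGHOME=$fresh gpg --batch --keyserver "$server" --recv-keys "$fpr" &&
    same_primary_keys \
      "$(gpg --batch --with-colons --list-keys "$fpr")" \
      "$(GNUPGHOME=$fresh gpg --batch --with-colons --list-keys "$fpr")"
}

# Constructed listings for an offline check; all fingerprints are made up.
SAMPLE_LOCAL='pub:u:1024:17:89ABCDEF01234567:1700000000:::u:::scaSCA:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::::Foo Example <foo@example.org>:
sub:u:1024:16:0000111122223333:1700000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'
# Same key as listed from a fresh keyring: only the validity field differs.
SAMPLE_FETCHED=$(printf '%s\n' "$SAMPLE_LOCAL" | sed 's/^\([a-z]*\):u:/\1:-:/')
# A different primary key that carries the same user ID.
SAMPLE_OTHER='pub:-:1024:17:CCCCDDDDEEEEFFFF:1700000001:::-:::scaSCA:
fpr:::::::::999988887777666655554444CCCCDDDDEEEEFFFF:
uid:-::::1700000001::::Foo Example <foo@example.org>:'

same_primary_keys "$SAMPLE_LOCAL" "$SAMPLE_FETCHED" && echo "fetched copy matches"
same_primary_keys "$SAMPLE_LOCAL" "$SAMPLE_OTHER" || echo "look-alike key rejected"
```

Inside the VM, call roundtrip after the key has been generated; its exit status is 0 only when the send, the receive and the fingerprint comparison all succeed.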
Options
services.hockeypuck

services.hockeypuck.enable
Whether to enable Hockeypuck OpenPGP Key Server.
- Type: boolean
- Default: false
- Declared in: nixos/modules/services/security/hockeypuck.nix

services.hockeypuck.port
HKP port to listen on.
- Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
- Default: 11371
- Declared in: nixos/modules/services/security/hockeypuck.nix

services.hockeypuck.settings
Configuration file for hockeypuck. Here you can override certain settings (loglevel and openpgp.db.dsn) by just setting those values. For other settings you need to use lib.mkForce to override them.
This service doesn't provision or enable postgres on your system; it assumes that you enable postgres and create the database yourself.
Example:
services.postgresql = {
  enable = true;
  ensureDatabases = [ "hockeypuck" ];
  ensureUsers = [{
    name = "hockeypuck";
    ensureDBOwnership = true;
  }];
};
- Type: TOML value
- Default: { }
- Declared in: nixos/modules/services/security/hockeypuck.nix
Examples
Enable hockeypuck
{ ... }:
let
  servicePort = 11371;
in
{
  services.hockeypuck = {
    enable = true;
    port = servicePort;
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "hockeypuck" ];
    ensureUsers = [
      {
        name = "hockeypuck";
        ensureDBOwnership = true;
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [ servicePort ];
}
Declared in: projects/hockeypuck/services/hockeypuck/examples/basic.nix
Metadata
This project is funded by NLnet through these subgrants:
- Core
- Hockeypuck