me
/
guix
Archived
1
0
Fork 0

home: Add parcimonie service.

* gnu/home/services/gnupg.scm (home-parcimonie-service-type,
home-parcimonie-configuration): New variables.
* doc/guix.texi (GNU Privacy Guard): Document it.
Efraim Flashner 2023-07-24 21:57:27 +03:00
parent 209cdc81fd
commit 1af35bbb25
No known key found for this signature in database
GPG Key ID: 41AAE7DCCA3D8351
2 changed files with 133 additions and 2 deletions

View File

@ -43944,6 +43944,62 @@ Extra content appended as-is to this @code{Host} block in
@end deftp
@cindex Parcimonie, Home service
The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
public key from a keyserver. It refreshes one key at a time; between every
key update parcimonie sleeps a random amount of time, long enough for the
previously used Tor circuit to expire. This process is meant to make it hard
for an attacker to correlate the multiple key update.
As an example, here is how you would configure @code{parcimonie} to refresh the
keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
when running @code{guix import}:
@lisp
(service home-parcimonie-service-type
(home-parcimonie-configuration
(refresh-guix-keyrings? #t)))
@end lisp
This assumes that the Tor anonymous routing daemon is already running on your
system. On Guix System, this can be achieved by setting up
@code{tor-service-type} (@pxref{Networking Services, @code{tor-service-type}}).
The service reference is given below.
@defvar parcimonie-service-type
This is the service type for @command{parcimonie}
(@uref{https://salsa.debian.org/intrigeri/parcimonie, Parcimonie's web site}).
Its value must be a @code{home-parcimonie-configuration}, as shown below.
@end defvar
@c %start of fragment
@deftp {Data Table} home-parcimonie-configuration
Available @code{home-parcimonie-configuration} fields are:
@table @asis
@item @code{parcimonie} (default: @code{parcimonie}) (type: file-like)
The parcimonie package to use.
@item @code{verbose?} (default: @code{#f}) (type: boolean)
Whether to have more verbose logging from the service.
@item @code{gnupg-already-torified?} (default: @code{#f}) (type: boolean)
Whether GnuPG is already configured to pass all traffic through
@uref{https://torproject.org, Tor}.
@item @code{refresh-guix-keyrings?} (default: @code{#f}) (type: boolean)
Guix creates a few keyrings in the @var{$XDG_CONFIG_DIR}, such as when running
@code{guix import} (@pxref{Invoking guix import}). Setting this to @code{#t}
will also refresh any keyrings which Guix has created.
@item @code{extra-content} (default: @code{#f}) (type: raw-configuration-string)
Raw content to add to the parcimonie command.
@end table
@end deftp
@c %end of fragment

View File

@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2023 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2023 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@ -23,7 +24,7 @@
#:use-module (gnu services configuration)
#:use-module (gnu home services)
#:use-module (gnu home services shepherd)
#:autoload (gnu packages gnupg) (gnupg pinentry)
#:autoload (gnu packages gnupg) (gnupg pinentry parcimonie)
#:export (home-gpg-agent-configuration
home-gpg-agent-configuration?
home-gpg-agent-configuration-gnupg
@ -34,7 +35,16 @@
home-gpg-agent-configuration-max-cache-ttl-ssh
home-gpg-agent-configuration-extra-content
home-gpg-agent-service-type))
home-gpg-agent-service-type
home-parcimonie-configuration
home-parcimonie-configuration?
home-parcimonie-configuration-parcimonie
home-parcimonie-configuration-gnupg-already-torified?
home-parcimonie-configuration-refresh-guix-keyrings?
home-parcimonie-configuration-extra-content
home-parcimonie-service-type))
(define raw-configuration-string? string?)
@ -148,3 +158,68 @@ agent, with support for handling OpenSSH material."))))
managing OpenPGP and optionally SSH private keys. When SSH support is
enabled, @command{gpg-agent} acts as a drop-in replacement for OpenSSH's
@command{ssh-agent}.")))
(define-configuration/no-serialization home-parcimonie-configuration
(parcimonie
(file-like parcimonie)
"The parcimonie package to use.")
(verbose?
(boolean #f)
"Provide extra output to the log file.")
(gnupg-aleady-torified?
(boolean #f)
"GnuPG is already configured to use tor and parcimonie won't attempt to use
tor directly.")
(refresh-guix-keyrings?
(boolean #f)
"Also refresh any Guix keyrings found in the XDG_CONFIG_DIR.")
(extra-content
(raw-configuration-string "")
"Raw content to add to the parcimonie service."))
(define (home-parcimonie-shepherd-service config)
"Return a user service to run parcimonie."
(match-record config <home-parcimonie-configuration>
(parcimonie verbose? gnupg-aleady-torified?
refresh-guix-keyrings? extra-content)
(let ((log-file #~(string-append %user-log-dir "/parcimonie.log")))
(list (shepherd-service
(provision '(parcimonie))
(modules '((shepherd support) ;for '%user-log-dir'
(guix build utils)
(srfi srfi-1)))
(start #~(make-forkexec-constructor
(cons*
#$(file-append parcimonie "/bin/parcimonie")
#$@(if verbose?
'("--verbose")
'())
#$@(if gnupg-aleady-torified?
'("--gnupg_already_torified")
'())
#$@(if (not (string=? extra-content ""))
(list extra-content)
'())
#$@(if refresh-guix-keyrings?
'((append-map
(lambda (item)
(list (string-append "--gnupg_extra_args="
"--keyring=" item)))
(find-files
(string-append (getenv "XDG_CONFIG_HOME") "/guix")
"^trustedkeys\\.kbx$")))
'((list))))
#:log-file #$log-file))
(stop #~(make-kill-destructor))
(respawn? #t)
(documentation "Incrementally refresh gnupg keyring over Tor"))))))
(define home-parcimonie-service-type
(service-type
(name 'home-parcimonie)
(extensions
(list (service-extension home-shepherd-service-type
home-parcimonie-shepherd-service)))
(default-value (home-parcimonie-configuration))
(description
"Incrementally refresh GnuPG keyrings over Tor.")))