home: Add parcimonie service.
* gnu/home/services/gnupg.scm (home-parcimonie-service-type, home-parcimonie-configuration): New variables. * doc/guix.texi (GNU Privacy Guard): Document it.
parent
209cdc81fd
commit
1af35bbb25
|
@ -43944,6 +43944,62 @@ Extra content appended as-is to this @code{Host} block in
|
|||
|
||||
@end deftp
|
||||
|
||||
@cindex Parcimonie, Home service
|
||||
The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
|
||||
public key from a keyserver. It refreshes one key at a time; between every
|
||||
key update parcimonie sleeps a random amount of time, long enough for the
|
||||
previously used Tor circuit to expire. This process is meant to make it hard
|
||||
for an attacker to correlate the multiple key update.
|
||||
|
||||
As an example, here is how you would configure @code{parcimonie} to refresh the
|
||||
keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
|
||||
when running @code{guix import}:
|
||||
|
||||
@lisp
|
||||
(service home-parcimonie-service-type
|
||||
(home-parcimonie-configuration
|
||||
(refresh-guix-keyrings? #t)))
|
||||
@end lisp
|
||||
|
||||
This assumes that the Tor anonymous routing daemon is already running on your
|
||||
system. On Guix System, this can be achieved by setting up
|
||||
@code{tor-service-type} (@pxref{Networking Services, @code{tor-service-type}}).
|
||||
|
||||
The service reference is given below.
|
||||
|
||||
@defvar parcimonie-service-type
|
||||
This is the service type for @command{parcimonie}
|
||||
(@uref{https://salsa.debian.org/intrigeri/parcimonie, Parcimonie's web site}).
|
||||
Its value must be a @code{home-parcimonie-configuration}, as shown below.
|
||||
@end defvar
|
||||
|
||||
@c %start of fragment
|
||||
|
||||
@deftp {Data Table} home-parcimonie-configuration
|
||||
Available @code{home-parcimonie-configuration} fields are:
|
||||
|
||||
@table @asis
|
||||
@item @code{parcimonie} (default: @code{parcimonie}) (type: file-like)
|
||||
The parcimonie package to use.
|
||||
|
||||
@item @code{verbose?} (default: @code{#f}) (type: boolean)
|
||||
Whether to have more verbose logging from the service.
|
||||
|
||||
@item @code{gnupg-already-torified?} (default: @code{#f}) (type: boolean)
|
||||
Whether GnuPG is already configured to pass all traffic through
|
||||
@uref{https://torproject.org, Tor}.
|
||||
|
||||
@item @code{refresh-guix-keyrings?} (default: @code{#f}) (type: boolean)
|
||||
Guix creates a few keyrings in the @var{$XDG_CONFIG_DIR}, such as when running
|
||||
@code{guix import} (@pxref{Invoking guix import}). Setting this to @code{#t}
|
||||
will also refresh any keyrings which Guix has created.
|
||||
|
||||
@item @code{extra-content} (default: @code{#f}) (type: raw-configuration-string)
|
||||
Raw content to add to the parcimonie command.
|
||||
|
||||
@end table
|
||||
|
||||
@end deftp
|
||||
|
||||
@c %end of fragment
|
||||
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2023 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2023 Efraim Flashner <efraim@flashner.co.il>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -23,7 +24,7 @@
|
|||
#:use-module (gnu services configuration)
|
||||
#:use-module (gnu home services)
|
||||
#:use-module (gnu home services shepherd)
|
||||
#:autoload (gnu packages gnupg) (gnupg pinentry)
|
||||
#:autoload (gnu packages gnupg) (gnupg pinentry parcimonie)
|
||||
#:export (home-gpg-agent-configuration
|
||||
home-gpg-agent-configuration?
|
||||
home-gpg-agent-configuration-gnupg
|
||||
|
@ -34,7 +35,16 @@
|
|||
home-gpg-agent-configuration-max-cache-ttl-ssh
|
||||
home-gpg-agent-configuration-extra-content
|
||||
|
||||
home-gpg-agent-service-type))
|
||||
home-gpg-agent-service-type
|
||||
|
||||
home-parcimonie-configuration
|
||||
home-parcimonie-configuration?
|
||||
home-parcimonie-configuration-parcimonie
|
||||
home-parcimonie-configuration-gnupg-already-torified?
|
||||
home-parcimonie-configuration-refresh-guix-keyrings?
|
||||
home-parcimonie-configuration-extra-content
|
||||
|
||||
home-parcimonie-service-type))
|
||||
|
||||
(define raw-configuration-string? string?)
|
||||
|
||||
|
@ -148,3 +158,68 @@ agent, with support for handling OpenSSH material."))))
|
|||
managing OpenPGP and optionally SSH private keys. When SSH support is
|
||||
enabled, @command{gpg-agent} acts as a drop-in replacement for OpenSSH's
|
||||
@command{ssh-agent}.")))
|
||||
|
||||
(define-configuration/no-serialization home-parcimonie-configuration
|
||||
(parcimonie
|
||||
(file-like parcimonie)
|
||||
"The parcimonie package to use.")
|
||||
(verbose?
|
||||
(boolean #f)
|
||||
"Provide extra output to the log file.")
|
||||
(gnupg-aleady-torified?
|
||||
(boolean #f)
|
||||
"GnuPG is already configured to use tor and parcimonie won't attempt to use
|
||||
tor directly.")
|
||||
(refresh-guix-keyrings?
|
||||
(boolean #f)
|
||||
"Also refresh any Guix keyrings found in the XDG_CONFIG_DIR.")
|
||||
(extra-content
|
||||
(raw-configuration-string "")
|
||||
"Raw content to add to the parcimonie service."))
|
||||
|
||||
(define (home-parcimonie-shepherd-service config)
|
||||
"Return a user service to run parcimonie."
|
||||
(match-record config <home-parcimonie-configuration>
|
||||
(parcimonie verbose? gnupg-aleady-torified?
|
||||
refresh-guix-keyrings? extra-content)
|
||||
(let ((log-file #~(string-append %user-log-dir "/parcimonie.log")))
|
||||
(list (shepherd-service
|
||||
(provision '(parcimonie))
|
||||
(modules '((shepherd support) ;for '%user-log-dir'
|
||||
(guix build utils)
|
||||
(srfi srfi-1)))
|
||||
(start #~(make-forkexec-constructor
|
||||
(cons*
|
||||
#$(file-append parcimonie "/bin/parcimonie")
|
||||
#$@(if verbose?
|
||||
'("--verbose")
|
||||
'())
|
||||
#$@(if gnupg-aleady-torified?
|
||||
'("--gnupg_already_torified")
|
||||
'())
|
||||
#$@(if (not (string=? extra-content ""))
|
||||
(list extra-content)
|
||||
'())
|
||||
#$@(if refresh-guix-keyrings?
|
||||
'((append-map
|
||||
(lambda (item)
|
||||
(list (string-append "--gnupg_extra_args="
|
||||
"--keyring=" item)))
|
||||
(find-files
|
||||
(string-append (getenv "XDG_CONFIG_HOME") "/guix")
|
||||
"^trustedkeys\\.kbx$")))
|
||||
'((list))))
|
||||
#:log-file #$log-file))
|
||||
(stop #~(make-kill-destructor))
|
||||
(respawn? #t)
|
||||
(documentation "Incrementally refresh gnupg keyring over Tor"))))))
|
||||
|
||||
(define home-parcimonie-service-type
|
||||
(service-type
|
||||
(name 'home-parcimonie)
|
||||
(extensions
|
||||
(list (service-extension home-shepherd-service-type
|
||||
home-parcimonie-shepherd-service)))
|
||||
(default-value (home-parcimonie-configuration))
|
||||
(description
|
||||
"Incrementally refresh GnuPG keyrings over Tor.")))
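Review bot: `(string-append (getenv "XDG_CONFIG_HOME") "/guix")` raises a type error when `XDG_CONFIG_HOME` is unset, because `getenv` then returns `#f`; with `refresh-guix-keyrings?` enabled and `respawn? #t` the service would fail on every start and the keyrings would silently never be refreshed. Fall back to the XDG default directory instead: `(string-append (or (getenv "XDG_CONFIG_HOME") (string-append (getenv "HOME") "/.config")) "/guix")`. The `refresh-guix-keyrings?` docstring says `XDG_CONFIG_DIR`, but the code consults `XDG_CONFIG_HOME`; the docstring should name the variable actually read. Note also that `extra-content` is spliced as a single argv element via `(list extra-content)`, so a value holding several options reaches parcimonie as one argument; the field docstring should state that it holds exactly one command-line argument.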
|
||||
|
|