1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

doc: Include config examples for socket-activated user services.

--

These configuration files and instructions enable clean and simple
daemon supervision on machines that run systemd.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

- Removed the detailed ChangeLog entry because that is not needed for
  doc changes.
- Added an entry to doc/examples/README.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Daniel Kahn Gillmor 2016-10-27 14:19:18 -04:00 committed by Werner Koch
parent e51912f467
commit 57e95f5413
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
10 changed files with 159 additions and 2 deletions

View File

@ -22,6 +22,13 @@ AM_CPPFLAGS =
include $(top_srcdir)/am/cmacros.am include $(top_srcdir)/am/cmacros.am
examples = examples/README examples/scd-event examples/trustlist.txt \ examples = examples/README examples/scd-event examples/trustlist.txt \
examples/systemd-user/README \
examples/systemd-user/dirmngr.service \
examples/systemd-user/dirmngr.socket \
examples/systemd-user/gpg-agent.service \
examples/systemd-user/gpg-agent.socket \
examples/systemd-user/gpg-agent-ssh.socket \
examples/systemd-user/gpg-agent-extra.socket \
examples/gpgconf.conf examples/pwpattern.list examples/gpgconf.conf examples/pwpattern.list
helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \

View File

@ -7,3 +7,5 @@ trustlist.txt A list of trustworthy root certificates
(Please check yourself whether you actually trust them) (Please check yourself whether you actually trust them)
gpgconf.conf A sample configuration file for gpgconf. gpgconf.conf A sample configuration file for gpgconf.
systemd-user Sample files for a Linux-only init system.

View File

@ -0,0 +1,66 @@
Socket-activated dirmngr and gpg-agent with systemd
===================================================
When used on a GNU/Linux system supervised by systemd, you can ensure
that the GnuPG daemons dirmngr and gpg-agent are launched
automatically the first time they're needed, and shut down cleanly at
session logout. This is done by enabling user services via
socket-activation.
System distributors
-------------------
The *.service and *.socket files (from this directory) should be
placed in /usr/lib/systemd/user/ alongside other user-session services
and sockets.
To enable socket-activated dirmngr for all accounts on the system,
use:
systemctl --user --global enable dirmngr.socket
To enable socket-activated gpg-agent for all accounts on the system,
use:
systemctl --user --global enable gpg-agent.socket
Additionally, you can enable socket-activated gpg-agent ssh-agent
emulation for all accounts on the system with:
systemctl --user --global enable gpg-agent-ssh.socket
You can also enable restricted ("--extra-socket"-style) gpg-agent
sockets for all accounts on the system with:
systemctl --user --global enable gpg-agent-extra.socket
Individual users
----------------
A user on a system with systemd where this has not been installed
system-wide can place these files in ~/.config/systemd/user/ to make
them available.
If a given service isn't installed system-wide, or if it's installed
system-wide but not globally enabled, individual users will still need
to enable them. For example, to enable socket-activated dirmngr for
all future sessions:
systemctl --user enable dirmngr.socket
To enable socket-activated gpg-agent with ssh support, do:
systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
These changes won't take effect until your next login after you've
fully logged out (be sure to terminate any running daemons before
logging out).
If you'd rather try a socket-activated GnuPG daemon in an
already-running session without logging out (with or without enabling
it for all future sessions), kill any existing daemon and start the
user socket directly. For example, to set up socket-activated dirmgnr
in the current session:
gpgconf --kill dirmngr
systemctl --user start dirmngr.socket

View File

@ -0,0 +1,10 @@
[Unit]
Description=GnuPG network certificate management daemon
Documentation=man:dirmngr(8)
Requires=dirmngr.socket
After=dirmngr.socket
## This is a socket-activated service:
RefuseManualStart=true
[Service]
ExecStart=/usr/bin/dirmngr --supervised

View File

@ -0,0 +1,11 @@
[Unit]
Description=GnuPG network certificate management daemon
Documentation=man:dirmngr(8)
[Socket]
ListenStream=%t/gnupg/S.dirmngr
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

View File

@ -0,0 +1,13 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.browser
FileDescriptorName=browser
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

View File

@ -0,0 +1,13 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (restricted)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.extra
FileDescriptorName=extra
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

View File

@ -0,0 +1,13 @@
[Unit]
Description=GnuPG cryptographic agent (ssh-agent emulation)
Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.ssh
FileDescriptorName=ssh
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

View File

@ -0,0 +1,10 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket
After=gpg-agent.socket
## This is a socket-activated service:
RefuseManualStart=true
[Service]
ExecStart=/usr/bin/gpg-agent --supervised

View File

@ -0,0 +1,12 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent
FileDescriptorName=std
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target