nix-config/home-manager/_mixins/cli/gpg.nix

69 lines
1.8 KiB
Nix
Raw Permalink Normal View History

2023-09-26 19:45:31 +00:00
{ pkgs, config, username, ... }:
let
pinentry =
if config.gtk.enable then {
2024-06-06 15:17:28 +00:00
packages = [ pkgs.pinentry-gnome3 pkgs.gcr ];
name = "gnome3";
} else {
packages = [ pkgs.pinentry-curses ];
name = "curses";
};
in
{
2023-09-26 19:56:21 +00:00
home.packages = pinentry.packages;
# home.packages = [ pkgs.pinentry-curses ];
services.gpg-agent = {
#TODO: gnupg vs gpg-agent ?
enable = true;
enableSshSupport = true;
2023-09-26 19:56:21 +00:00
# TODO: sshKeys = [ "149F16412997785363112F3DBD713BC91D51B831" ];
2024-06-06 15:17:28 +00:00
pinentryPackage = pkgs.pinentry-curses;
enableExtraSocket = true;
};
programs =
let
fixGpg = ''
gpgconf --launch gpg-agent
'';
in
{
# Start gpg-agent if it's not running or tunneled in
# SSH does not start it automatically, so this is needed to avoid having to use a gpg command at startup
# https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart
bash.profileExtra = fixGpg;
fish.loginShellInit = fixGpg;
zsh.loginExtra = fixGpg;
gpg = {
enable = true;
settings = {
trust-model = "tofu+pgp";
};
publicKeys = [{
2023-09-26 19:45:31 +00:00
source = ../users/${username}/pgp.asc;
trust = 5;
}];
};
};
systemd.user.services = {
# Link /run/user/$UID/gnupg to ~/.gnupg-sockets
# So that SSH config does not have to know the UID
link-gnupg-sockets = {
Unit = {
Description = "link gnupg sockets from /run to /home";
};
Service = {
Type = "oneshot";
ExecStart = "${pkgs.coreutils}/bin/ln -Tfs /run/user/%U/gnupg %h/.gnupg-sockets";
ExecStop = "${pkgs.coreutils}/bin/rm $HOME/.gnupg-sockets";
RemainAfterExit = true;
};
Install.WantedBy = [ "default.target" ];
};
};
}
# vim: filetype=nix