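# GnuPG / gpg-agent user configuration (home-manager module).
#
# What this module wires up:
#   - a pinentry program matching the session type (GTK/GNOME or curses);
#   - gpg-agent with SSH-agent emulation and the restricted "extra" socket;
#   - a login-shell hook so gpg-agent is running before gpg/ssh need it;
#   - gpg itself, importing ../../pgp.asc with ultimate trust under the
#     tofu+pgp trust model;
#   - a user service keeping a UID-independent symlink to the agent sockets.
{ pkgs, config, lib, ... }:

let
  # Pick the pinentry from the GTK setting: a graphical prompt for GTK
  # sessions, a terminal prompt otherwise.  `name` is the gpg-agent
  # pinentryFlavor string, `packages` what needs to be installed for it.
  # NOTE(review): nixpkgs also carries `pinentry-gnome3`; confirm that the
  # pinned nixpkgs still provides the `pinentry-gnome` name used here.
  pinentry =
    if config.gtk.enable then {
      packages = [ pkgs.pinentry-gnome pkgs.gcr ];
      name = "gnome3";
    } else {
      packages = [ pkgs.pinentry-curses ];
      name = "curses";
    };
in
{
  home.packages = pinentry.packages;

  services.gpg-agent = { #TODO: gnupg vs gpg-agent ?
    enable = true;
    # gpg-agent also answers SSH_AUTH_SOCK, so authentication-capable GPG
    # keys are usable as SSH keys.
    enableSshSupport = true;
    # Keygrips offered over the SSH interface.  Left unset here, so
    # home-manager does not manage the sshcontrol allow-list (presumably
    # gpg-agent's own sshcontrol file applies; verify on the host).
    # sshKeys = [ "149F16412997785363112F3DBD713BC91D51B831" ];
    # NOTE(review): newer home-manager releases replaced pinentryFlavor with
    # pinentryPackage — confirm against the pinned home-manager version.
    pinentryFlavor = pinentry.name;
    # The "extra" socket is the restricted one intended for forwarding the
    # agent to remote hosts; it is what the link-gnupg-sockets unit below
    # makes reachable at a UID-independent path.
    enableExtraSocket = true;
  };

  programs =
    let
      # Login-shell hook.  SSH logins do not autostart gpg-agent (see the
      # gnupg FAQ link below), so launch it explicitly once per login.
      fixGpg = ''
        gpgconf --launch gpg-agent
      '';
    in
    {
      # Start gpg-agent if it's not running or tunneled in
      # SSH does not start it automatically, so this is needed to avoid having to use a gpg command at startup
      # https://www.gnupg.org/faq/whats-new-in-2.1.html#autostart
      bash.profileExtra = fixGpg;
      fish.loginShellInit = fixGpg;
      zsh.loginExtra = fixGpg;

      gpg = {
        enable = true;
        settings = {
          # Trust-on-first-use combined with the classic web-of-trust model:
          # a key is valid if either model accepts it.
          trust-model = "tofu+pgp";
        };
        # Own key, imported with ultimate trust (5); anything this key
        # certifies becomes valid under the pgp half of the trust model.
        publicKeys = [{
          source = ../../pgp.asc;
          trust = 5;
        }];
      };
    };

  systemd.user.services = {
    # Link /run/user/$UID/gnupg to ~/.gnupg-sockets
    # So that SSH config does not have to know the UID
    link-gnupg-sockets = {
      Unit = {
        Description = "link gnupg sockets from /run to /home";
      };
      Service = {
        Type = "oneshot";
        # %U / %h are systemd specifiers (UID / home directory) resolved by
        # the user manager itself, so they do not depend on the unit's
        # environment.  -T treats the link name as a file, -f replaces a
        # stale link from a previous session.
        ExecStart = "${pkgs.coreutils}/bin/ln -Tfs /run/user/%U/gnupg %h/.gnupg-sockets";
        # Use the same %h specifier as ExecStart instead of $HOME, and -f so
        # stopping the unit succeeds even when the link is already gone.
        # rm on a symlink removes the link only, never the socket directory.
        ExecStop = "${pkgs.coreutils}/bin/rm -f %h/.gnupg-sockets";
        # Keep the unit "active" after ExecStart so ExecStop runs on stop.
        RemainAfterExit = true;
      };
      Install.WantedBy = [ "default.target" ];
    };
  };
}

# vim: filetype=nix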