authorFranz Pletz <fpletz@fnordicwalking.de>2017-05-25 21:14:39 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2017-05-29 15:05:29 +0200
commit04158d9aba1d8b98e49770702922b63ba075728b (patch)
treeb6200f9a724ec837e4cc78aa2e2848674ba32839 /nixos/modules
parent1e95e114e5eefdb0f792f9f7a620c9472e6d7da3 (diff)
gnupg agent module: init
Creates a systemd user service and updates the tty on new logins so
that gpg-agent may find the current tty even if the SSH agent mode
is used.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/gnupg.nix75
2 files changed, 76 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 5e1ff91acab4..7afcb9051bd7 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -80,6 +80,7 @@
   ./programs/environment.nix
   ./programs/fish.nix
   ./programs/freetds.nix
+  ./programs/gnupg.nix
   ./programs/gphoto2.nix
   ./programs/info.nix
   ./programs/java.nix
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
new file mode 100644
index 000000000000..c5277f40d260
--- /dev/null
+++ b/nixos/modules/programs/gnupg.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.programs.gnupg;
+
+in
+
+{
+
+  options.programs.gnupg = {
+    agent.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enables GnuPG agent with socket-activation for every user session.
+      '';
+    };
+
+    agent.enableSSHSupport = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK
+        environment variable correctly. This will disable socket-activation
+        and thus always start a GnuPG agent per user session.
+      '';
+    };
+  };
+
+  config = mkIf cfg.agent.enable {
+    systemd.user.services.gpg-agent = {
+      serviceConfig = {
+        ExecStart = [
+          ""
+          ("${pkgs.gnupg}/bin/gpg-agent --supervised "
+            + optionalString cfg.agent.enableSSHSupport "--enable-ssh-support")
+        ];
+      };
+    };
+
+    systemd.user.sockets.gpg-agent = {
+      wantedBy = [ "sockets.target" ];
+    };
+
+    systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
+      wantedBy = [ "sockets.target" ];
+    };
+
+    systemd.packages = [ pkgs.gnupg ];
+
+    environment.extraInit = ''
+      # Bind gpg-agent to this TTY if gpg commands are used.
+      export GPG_TTY=$(tty)
+
+    '' + (optionalString cfg.agent.enableSSHSupport ''
+      # SSH agent protocol doesn't support changing TTYs, so bind the agent
+      # to every new TTY.
+      ${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null
+
+      if [ -z "$SSH_AUTH_SOCK" ]; then
+        export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+      fi
+    '');
+
+    assertions = [
+      { assertion = cfg.agent.enableSSHSupport && !config.programs.ssh.startAgent;
+        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
+      }
+    ];
+  };
+
+}
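Review bot: The assertion near the end of the hunk is inverted: a NixOS `assertion` must evaluate to true for the configuration to build, and `cfg.agent.enableSSHSupport && !config.programs.ssh.startAgent` is true only when SSH support is on and ssh-agent is off, so simply setting `agent.enableSSHSupport = false` makes evaluation fail with a message that says SSH support is enabled. The intended rule is that the two agents must not both be active, i.e. `assertion = !(cfg.agent.enableSSHSupport && config.programs.ssh.startAgent);`. Separately, the `enableSSHSupport` description says it "will disable socket-activation and thus always start a GnuPG agent per user session", but the same hunk declares `systemd.user.sockets.gpg-agent-ssh` wanted by `sockets.target` when that option is set, so either the description or the socket definition should be brought into line with the other.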