authorRoger Qiu <roger.qiu@polyhack.io>2017-06-16 03:40:09 +1000
committerFranz Pletz <fpletz@fnordicwalking.de>2017-06-15 19:40:09 +0200
commit1b6176e45b05cbb89cac49359ba15a15c9187f68 (patch)
treed4026a8461145e37ce6d7372a84bf868f64c3ecd /nixos/modules
parent2a24fdaee091903a1cd2dcc15872d0be1ee153b6 (diff)
gnupg module: Added extra and browser sockets (#26295)
Also added dirmngr, and disabled SSH support by default
because programs.ssh.startAgent defaults to true.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/programs/gnupg.nix83
1 files changed, 82 insertions, 1 deletions
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index c5277f40d260..68adee94f79e 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -21,13 +21,37 @@ in
 
     agent.enableSSHSupport = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
       description = ''
         Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK
         environment variable correctly. This will disable socket-activation
         and thus always start a GnuPG agent per user session.
       '';
     };
+
+    agent.enableExtraSocket = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable extra socket for GnuPG agent.
+      '';
+    };
+
+    agent.enableBrowserSocket = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable browser socket for GnuPG agent.
+      '';
+    };
+
+    dirmngr.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enables GnuPG network certificate management daemon with socket-activation for every user session.
+      '';
+    };
   };
 
   config = mkIf cfg.agent.enable {
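Review bot: The descriptions of the two new socket options (`Enable extra socket for GnuPG agent.` and `Enable browser socket for GnuPG agent.`) do not say what the sockets are for, so a reader cannot tell when to turn them on. For `agent.enableExtraSocket` a description such as `Enable the restricted "extra" socket of gpg-agent, intended to be forwarded to a remote host (for example over SSH) so that remote gpg can use local keys without full agent access.` would help, and for `agent.enableBrowserSocket` something like `Enable the browser socket of gpg-agent, used by browser extensions to talk to the agent.`. The unchanged `agent.enableSSHSupport` description still states that SSH support disables socket-activation, yet the second hunk adds a socket-activated `gpg-agent-ssh` unit with `listenStreams`; if the eager-start logic elsewhere in the file no longer applies, that sentence is stale and should be revisited. The enclosing options attrset starts before this hunk.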
@@ -38,15 +62,72 @@ in
           ("${pkgs.gnupg}/bin/gpg-agent --supervised "
             + optionalString cfg.agent.enableSSHSupport "--enable-ssh-support")
         ];
+        ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
       };
     };
 
     systemd.user.sockets.gpg-agent = {
       wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent" ];
+      socketConfig = {
+        FileDescriptorName = "std";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
     };
 
     systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
       wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent.ssh" ];
+      socketConfig = {
+        FileDescriptorName = "ssh";
+        Service = "gpg-agent.service";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent.extra" ];
+      socketConfig = {
+        FileDescriptorName = "extra";
+        Service = "gpg-agent.service";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent.browser" ];
+      socketConfig = {
+        FileDescriptorName = "browser";
+        Service = "gpg-agent.service";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.services.dirmngr = {
+      requires = [ "dirmngr.socket" ];
+      after = [ "dirmngr.socket" ];
+      unitConfig = {
+        RefuseManualStart = "true";
+      };
+      serviceConfig = {
+        ExecStart = "${pkgs.gnupg}/bin/dirmngr --supervised";
+        ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload dirmngr";
+      };
+    };
+
+    systemd.user.sockets.dirmngr = {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.dirmngr" ];
+      socketConfig = {
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
     };
 
     systemd.packages = [ pkgs.gnupg ];
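Review bot: The new `systemd.user.services.dirmngr` and `systemd.user.sockets.dirmngr` units are unconditional, so nothing in the visible hunks references the `dirmngr.enable` option declared in the first hunk, and dirmngr is socket-activated for every user session whenever `cfg.agent.enable` is set regardless of the option's default of false. Since dirmngr is the component that talks to the network (keyservers, CRL/OCSP fetching), an opt-in option that silently enables it is misleading; gate both units with `systemd.user.services.dirmngr = mkIf cfg.dirmngr.enable {` and `systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {`. The whole block is still wrapped by `config = mkIf cfg.agent.enable`, so dirmngr would remain dependent on the agent being enabled; if that is intended it is worth stating in the option description. The enclosing `config` attrset continues past this hunk.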