From 1b6176e45b05cbb89cac49359ba15a15c9187f68 Mon Sep 17 00:00:00 2001
From: Roger Qiu
Date: Fri, 16 Jun 2017 03:40:09 +1000
Subject: gnupg module: Added extra and browser sockets (#26295)

Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true.
---
 nixos/modules/programs/gnupg.nix | 83 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 82 insertions(+), 1 deletion(-)
(limited to 'nixos/modules')

diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
index c5277f40d260..68adee94f79e 100644
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@@ -21,13 +21,37 @@ in
 agent.enableSSHSupport = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
 Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK environment variable correctly. This will disable socket-activation and thus always start a GnuPG agent per user session.
 '';
 };
+
+ agent.enableExtraSocket = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable extra socket for GnuPG agent.
+ '';
+ };
+
+ agent.enableBrowserSocket = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable browser socket for GnuPG agent.
+ '';
+ };
+
+ dirmngr.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enables GnuPG network certificate management daemon with socket-activation for every user session.
+ '';
+ };
 };
 config = mkIf cfg.agent.enable {
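Review bot: The descriptions of the new `agent.enableExtraSocket` and `agent.enableBrowserSocket` options say only that a socket is enabled, not what each socket is for, so a reader cannot tell from the option which one they need or what it exposes. In gpg-agent the extra socket is the one intended to be forwarded to a remote host, the browser socket is the one intended for browser-side clients, and both serve a restricted command set; I would say so in the descriptions, e.g. `Enable the restricted "extra" socket of the GnuPG agent, intended for forwarding to remote hosts.` and `Enable the restricted "browser" socket of the GnuPG agent, intended for browser clients.` The `dirmngr.enable` description should also note that, as written, the module only acts on it when `agent.enable` is set, since the `config` block that follows (its end lies outside this hunk) is guarded by `mkIf cfg.agent.enable` alone.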
@@ -38,15 +62,72 @@ in
 ("${pkgs.gnupg}/bin/gpg-agent --supervised " + optionalString cfg.agent.enableSSHSupport "--enable-ssh-support")
 ];
+ ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
 };
 };
 systemd.user.sockets.gpg-agent = {
 wantedBy = [ "sockets.target" ];
+ listenStreams = [ "%t/gnupg/S.gpg-agent" ];
+ socketConfig = {
+ FileDescriptorName = "std";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 };
 systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
 wantedBy = [ "sockets.target" ];
+ listenStreams = [ "%t/gnupg/S.gpg-agent.ssh" ];
+ socketConfig = {
+ FileDescriptorName = "ssh";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
+ };
+
+ systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "%t/gnupg/S.gpg-agent.extra" ];
+ socketConfig = {
+ FileDescriptorName = "extra";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
+ };
+
+ systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "%t/gnupg/S.gpg-agent.browser" ];
+ socketConfig = {
+ FileDescriptorName = "browser";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
+ };
+
+ systemd.user.services.dirmngr = {
+ requires = [ "dirmngr.socket" ];
+ after = [ "dirmngr.socket" ];
+ unitConfig = {
+ RefuseManualStart = "true";
+ };
+ serviceConfig = {
+ ExecStart = "${pkgs.gnupg}/bin/dirmngr --supervised";
+ ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload dirmngr";
+ };
+ };
+
+ systemd.user.sockets.dirmngr = {
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "%t/gnupg/S.dirmngr" ];
+ socketConfig = {
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
 };
 systemd.packages = [ pkgs.gnupg ];
-- 
cgit 1.4.1
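Review bot: `systemd.user.services.dirmngr` and `systemd.user.sockets.dirmngr` are added without a `mkIf cfg.dirmngr.enable` guard, so the new `dirmngr.enable` option (default false) has no effect: they sit inside the enclosing `config = mkIf cfg.agent.enable { … }` block, whose start and end lie outside this hunk, and are therefore installed for every user session as soon as the agent is enabled, which contradicts the option's description and starts a daemon that performs outbound keyserver and certificate lookups the user never asked for. Guard both units the same way the other conditional sockets are guarded: `systemd.user.services.dirmngr = mkIf cfg.dirmngr.enable {` and `systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {`. The socket hardening itself (`SocketMode = "0600"` and `DirectoryMode = "0700"` on paths under `%t/gnupg`) is applied consistently to all five sockets and looks right.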