From a4916fdea5680452cb9fc5aac5ec350b52b3797c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 27 Oct 2018 16:01:19 +0200 Subject: pinentry: build with multiple outputs in single drv Co-authored-by: Florian Klink Co-authored-by: worldofpeace --- nixos/modules/config/no-x-libs.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index 74cf74d74181..873b8073fed9 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -34,7 +34,6 @@ with lib; networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; }; networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; }; networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; }; - pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; }; gobject-introspection = super.gobject-introspection.override { x11Support = false; }; })); }; -- cgit 1.4.1 From edea9fed725339a42f94f42139b8f9d2af0de5ee Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 27 Oct 2018 16:02:16 +0200 Subject: nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink --- nixos/modules/installer/tools/tools.nix | 6 ++++- nixos/modules/programs/gnupg.nix | 39 ++++++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 2 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index 329260059598..9e6eead3c4d7 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix 
@@ -120,7 +120,11 @@ in # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; - # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # flavour = "gnome3"; + # }; # List services that you want to enable: diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index bcbc994efe9b..dd3d74c26326 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -6,6 +6,19 @@ let cfg = config.programs.gnupg; + xserverCfg = config.services.xserver; + + defaultPinentryFlavor = + if xserverCfg.desktopManager.lxqt.enable + || xserverCfg.desktopManager.plasma5.enable then + "qt" + else if xserverCfg.desktopManager.xfce.enable then + "gtk2" + else if xserverCfg.enable then + "gnome3" + else + null; + in { @@ -54,6 +67,20 @@ in ''; }; + agent.pinentryFlavor = mkOption { + type = types.nullOr (types.enum pkgs.pinentry.flavors); + example = "gnome3"; + description = '' + Which pinentry interface to use. If not null, the path to the + pinentry binary will be passed to gpg-agent via commandline and + thus overrides the pinentry option in gpg-agent.conf in the user's + home directory. + If not set at all, it'll pick an appropriate flavor depending on the + system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce + 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). + ''; + }; + dirmngr.enable = mkOption { type = types.bool; default = false; 
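Review bot: The example block added to the generated configuration.nix uses the key `flavour`, but the option this same commit introduces in nixos/modules/programs/gnupg.nix is `programs.gnupg.agent.pinentryFlavor`, so a user who uncomments the template as written would get an undefined-option evaluation error. Change the line to `#   pinentryFlavor = "gnome3";` so the template matches the real option name. Since this file is the installer template that every new system starts from, a wrong name here propagates widely.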
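Review bot: `defaultPinentryFlavor` falls through to `null` on systems without X, which (given the `mkIf (cfg.agent.pinentryFlavor != null)` guard in the config section, a separate hunk) means no `--pinentry-program` is passed at all, while the option description in the next hunk promises "ncurses otherwise". Either make the code match the text, e.g. `else "curses"` (assuming that is the flavor name `pkgs.pinentry.flavors` exposes — not visible here), or make the text say that headless systems are left to gpg-agent's own pinentry resolution. As written, a headless user reading the docs will expect a working curses prompt and instead get whatever gpg-agent.conf or the compiled-in default provides.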
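Review bot: `agent.pinentryFlavor` is declared with `types.nullOr` and an `example` but no `default`, and its only definition lives under `config = mkIf cfg.agent.enable` (next hunk), so reading `config.programs.gnupg.agent.pinentryFlavor` while the agent is disabled would presumably fail with "option is used but not defined". Add `default = null;` to the option; the `mkDefault defaultPinentryFlavor` assignment still takes precedence over an option default, so behaviour with the agent enabled is unchanged. The `mkOption` body continues past the end of this hunk into the `dirmngr.enable` declaration.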
@@ -64,6 +91,16 @@ in }; config = mkIf cfg.agent.enable { + programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor; + + # This overrides the systemd user unit shipped with the gnupg package + systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { + serviceConfig.ExecStart = [ "" '' + ${pkgs.gnupg}/bin/gpg-agent --supervised \ + --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry + '' ]; + }; + systemd.user.sockets.gpg-agent = { wantedBy = [ "sockets.target" ]; }; @@ -83,7 +120,7 @@ in systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable { wantedBy = [ "sockets.target" ]; }; - + environment.systemPackages = with pkgs; [ cfg.package ]; systemd.packages = [ cfg.package ]; -- cgit 1.4.1 From b5bea4ce32a26deb3b6d600893e37a4c347c66ab Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 27 Oct 2018 16:03:13 +0200 Subject: gnupg: disable gui/pinentry support by default This solves the dependency cycle in gcr alternatively so there won't be two gnupg store paths in a standard NixOS system which has udisks2 enabled by default. NixOS users are expected to use the gpg-agent user service to pull in the appropriate pinentry flavour or install it on their systemPackages and set it in their local gnupg agent config instead. Co-authored-by: Florian Klink --- nixos/doc/manual/release-notes/rl-2003.xml | 9 ++++++++- nixos/modules/programs/gnupg.nix | 2 +- pkgs/development/libraries/gcr/default.nix | 6 +----- pkgs/tools/security/gnupg/20.nix | 2 +- pkgs/tools/security/gnupg/22.nix | 2 +- pkgs/top-level/all-packages.nix | 6 ++++-- 6 files changed, 16 insertions(+), 11 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index ab0951e831ce..49ffcd1c2d21 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml 
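Review bot: The `--pinentry-program` pin in the `ExecStart` override only governs the agent instance started by this socket-activated user unit; an agent that gpg auto-launches itself when the unit is not running (non-login contexts, a different `GNUPGHOME`) presumably still resolves pinentry through gpg-agent.conf or the compiled-in path, so the pin is not a guarantee for every agent on the system. Worth stating next to the existing comment, e.g. `# Pins pinentry by store path for the supervised agent only; an agent launched outside this unit is unaffected.` Pinning by store path rather than `$PATH` is the right call, since it keeps the passphrase dialog's binary out of reach of per-user PATH manipulation.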
@@ -85,7 +85,14 @@ - + + GnuPG is now built without support for a graphical passphrase entry + by default. Please enable the gpg-agent user service + via the NixOS option programs.gnupg.agent.enable. + Note that upstream recommends using gpg-agent and + will spawn a gpg-agent on the first invocation of + GnuPG anyway. + diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index dd3d74c26326..4fb7c43c8b2e 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -76,7 +76,7 @@ in thus overrides the pinentry option in gpg-agent.conf in the user's home directory. If not set at all, it'll pick an appropriate flavor depending on the - system configuration (qt3 flavor for lxqt and plasma5, gtk2 for xfce + system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). ''; }; diff --git a/pkgs/development/libraries/gcr/default.nix b/pkgs/development/libraries/gcr/default.nix index 18b568b0f6c6..1947d40dc85d 100644 --- a/pkgs/development/libraries/gcr/default.nix +++ b/pkgs/development/libraries/gcr/default.nix @@ -24,11 +24,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig gettext gobject-introspection libxslt makeWrapper vala ]; - buildInputs = let - gpg = gnupg.override { guiSupport = false; }; # prevent build cycle with pinentry_gnome - in [ - gpg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk - ]; + buildInputs = [ gnupg libgcrypt libtasn1 dbus-glib pango gdk-pixbuf atk ]; propagatedBuildInputs = [ glib gtk3 p11-kit ]; diff --git a/pkgs/tools/security/gnupg/20.nix b/pkgs/tools/security/gnupg/20.nix index 6336d319997f..ef348e388342 100644 --- a/pkgs/tools/security/gnupg/20.nix +++ b/pkgs/tools/security/gnupg/20.nix 
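Review bot: The removed `let` block carried the only explanation of why gcr must not link against a GUI-enabled gnupg (`# prevent build cycle with pinentry_gnome`), and the new `buildInputs` line now silently relies on the global `guiSupport ? false` default from a different file. If someone later flips that default back, or overrides `gnupg` in an overlay with `guiSupport = true`, the gcr → gnupg → pinentry_gnome3 → gcr cycle returns with no hint at this site. Keep the rationale as a comment, e.g. `# gnupg must be the non-GUI build here: a pinentry_gnome3 dependency would cycle back into gcr.`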
@@ -3,7 +3,7 @@ # Each of the dependencies below are optional. # Gnupg can be built without them at the cost of reduced functionality. -, pinentry ? null, guiSupport ? true +, pinentry ? null, guiSupport ? false , openldap ? null, bzip2 ? null, libusb ? null, curl ? null }: diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix index e2f460e7e308..f62f10c8cf9d 100644 --- a/pkgs/tools/security/gnupg/22.nix +++ b/pkgs/tools/security/gnupg/22.nix @@ -4,7 +4,7 @@ # Each of the dependencies below are optional. # Gnupg can be built without them at the cost of reduced functionality. -, pinentry ? null, guiSupport ? true +, pinentry ? null, guiSupport ? false , adns ? null, gnutls ? null, libusb ? null, openldap ? null , readline ? null, zlib ? null, bzip2 ? null }: diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d1c5611d3892..56aa84bca7d3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3499,10 +3499,12 @@ in gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 gnupg20 = callPackage ../tools/security/gnupg/20.nix { - pinentry = if stdenv.isDarwin then pinentry_mac else pinentry; + guiSupport = stdenv.isDarwin; + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2; }; gnupg22 = callPackage ../tools/security/gnupg/22.nix { - pinentry = if stdenv.isDarwin then pinentry_mac else pinentry; + guiSupport = stdenv.isDarwin; + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry_gtk2; }; gnupg = gnupg22; -- cgit 1.4.1 From b04b354e2cee6248ba9871841e3d29d6f123ae56 Mon Sep 17 00:00:00 2001 
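Review bot: The header comment above the flipped `guiSupport ? false` default still only says these inputs are "optional ... at the cost of reduced functionality", which no longer tells a reader what the new default actually costs. I cannot see how `guiSupport` is consumed further down, but if it gates `--with-pinentry-pgm`, the default build now ships a gpg-agent with no usable pinentry until one is configured, which is exactly the failure mode users will hit. A one-line comment such as `# guiSupport=false: no pinentry is compiled in; gpg-agent needs pinentry-program in gpg-agent.conf or --pinentry-program` would make the trade-off explicit at the definition site.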
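Review bot: On Linux the `gnupg22`/`gnupg20` calls now pass `pinentry = pinentry_gtk2` while simultaneously forcing `guiSupport = false` (`stdenv.isDarwin`), so the argument is either dead or harmful depending on how 22.nix/20.nix use it, which is not visible here. If `pinentry` is only consulted under `guiSupport`, the Linux branch is dead code and `pinentry = if stdenv.isDarwin then pinentry_mac else null;` is clearer; if it is referenced unconditionally (e.g. in `buildInputs`), it would reintroduce the gcr dependency this commit sets out to remove. Either way the intent deserves a short comment, since the two settings read as contradictory.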
From: Franz Pletz Date: Sat, 27 Oct 2018 16:08:17 +0200 Subject: Revert "installer: Disable udisks" This reverts commit 571fb74f449aa173e231166515b41feb778524b8. The dependency on gtk2 was removed. Co-authored-by: Florian Klink --- nixos/modules/profiles/installation-device.nix | 3 --- nixos/tests/installer.nix | 4 ---- nixos/tests/os-prober.nix | 3 +-- 3 files changed, 1 insertion(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index fd30220ce1c9..4596e163404c 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -31,9 +31,6 @@ with lib; # Let the user play Rogue on TTY 8 during the installation. #services.rogue.enable = true; - # Disable some other stuff we don't need. - services.udisks2.enable = mkDefault false; - # Use less privileged nixos user users.users.nixos = { isNormalUser = true; diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index a136678c6eff..eb1f4f192dd1 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -54,8 +54,6 @@ let hardware.enableAllFirmware = lib.mkForce false; - services.udisks2.enable = lib.mkDefault false; - ${replaceChars ["\n"] ["\n "] extraConfig} } ''; @@ -295,8 +293,6 @@ let ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; - services.udisks2.enable = mkDefault false; - nix.binaryCaches = mkForce [ ]; nix.extraOptions = '' diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix index 9cd9f4ecd150..5407a62339fe 100644 --- a/nixos/tests/os-prober.nix +++ b/nixos/tests/os-prober.nix 
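Review bot: Re-enabling udisks2 on the installation medium is justified only by the gtk2 closure concern going away, but the removed line sat under `# Disable some other stuff we don't need`, and nothing in the installer profile indicates the installer actually needs a root-privileged device-mounting daemon running by default. From a least-privilege standpoint the attack surface argument stands independently of closure size, so either keep `services.udisks2.enable = mkDefault false;` with a comment naming that reason, or record in the commit what the installer uses udisks2 for. The `users.users.nixos` definition at the end of the hunk continues outside it.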
@@ -51,12 +51,11 @@ let hashed-mirrors = connect-timeout = 1 ''; - services.udisks2.enable = lib.mkForce false; }; # /etc/nixos/configuration.nix for the vm configFile = pkgs.writeText "configuration.nix" '' {config, pkgs, ...}: ({ - imports = + imports = [ ./hardware-configuration.nix ]; -- cgit 1.4.1 From e397b949a9439e0df7ad77e72a12410efc61a930 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 16 Oct 2019 19:31:58 +0200 Subject: udisks2: use tmpfiles instead of activation script to create /var/lib/udisks2 --- nixos/modules/services/hardware/udisks2.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix index ed8703be921c..e898f3260585 100644 --- a/nixos/modules/services/hardware/udisks2.nix +++ b/nixos/modules/services/hardware/udisks2.nix @@ -34,10 +34,7 @@ with lib; services.dbus.packages = [ pkgs.udisks2 ]; - system.activationScripts.udisks2 = - '' - mkdir -m 0755 -p /var/lib/udisks2 - ''; + systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]; services.udev.packages = [ pkgs.udisks2 ]; -- cgit 1.4.1
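Review bot: The new tmpfiles rule `d /var/lib/udisks2 0755 root root -` is not a pure equivalent of the removed `mkdir -m 0755 -p`: per tmpfiles.d semantics a `d` line also adjusts the mode and ownership of a directory that already exists, whereas `mkdir -p` left an existing directory untouched. That is a welcome hardening (a drifted or wrongly-owned state dir gets corrected on every run) but it is a behaviour change worth a comment, e.g. `# tmpfiles also resets mode/owner on an existing dir, unlike the old mkdir -p`. While here, it is worth confirming against udisks2's own install rules whether the state directory needs to be world-readable at all; 0755 is inherited from the old script rather than chosen, and the mount bookkeeping kept there need not be visible to every local user.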