path: root/modules/workstation/gnupg/default.nix
blob: eda8983142586c3fbf9ef94f31210993c86ab25d (plain) (blame)
# GnuPG setup: declares the GnuPG home directory for the qyliss account, links
# its configuration files into it, and points shells at gpg-agent's SSH socket.
{ config, pkgs, ... }:

let
  inherit (pkgs) stdenv writeText;

  # Has to name the same directory as the GNUPGHOME exported in
  # environment.extraInit below; the two values are written independently.
  homeDir = "${config.users.users.qyliss.home}/state/gnupg";

  # pinentry is the program that prompts for passphrases and PINs, so whatever
  # this path resolves to is trusted with them. The Linux branch is a store
  # path fixed by this configuration; the Darwin branch is a plain absolute
  # path that nothing in this file installs or pins.
  pinentryPath =
    if stdenv.isDarwin
    then "/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac"
    else "${pkgs.pinentry.qt}/bin/pinentry";

  agentConf = writeText "gpg-agent.conf" ''
    pinentry-program ${pinentryPath}
  '';
in

{
  environment.systemPackages = [ pkgs.gnupg pkgs.pinentry ];

  # The `d` rule creates the directory with mode 0700, owner and group qyliss.
  # Each `L+` rule replaces whatever is at the path with a symlink into the Nix
  # store. Store paths are world-readable, so gpg.conf and dirmngr.conf must
  # not carry secrets.
  # NOTE(review): no rule here declares the parent `state` directory; confirm
  # it is created elsewhere with the intended owner and mode.
  systemd.tmpfiles.rules = [
    "d ${homeDir} 0700 qyliss qyliss"
    "L+ ${homeDir}/dirmngr.conf   - - - - ${./dirmngr.conf}"
    "L+ ${homeDir}/gpg.conf       - - - - ${./gpg.conf}"
    "L+ ${homeDir}/gpg-agent.conf - - - - ${agentConf}"
  ];

  # Started with the sway session; gpg-connect-agent launches gpg-agent if it
  # is not already running and `/bye` makes it exit straight away.
  programs.sway.extraConfig = ''
    exec gpg-connect-agent /bye
  '';

  # GNUPGHOME is built from $HOME at shell-init time, while the tmpfiles rules
  # above only prepare the directory for qyliss.
  # SSH_AUTH_SOCK is pointed at gpg-agent's SSH socket only when it is empty or
  # unset, so an agent socket already present in the environment is kept.
  environment.extraInit = ''
    export GNUPGHOME="$HOME/state/gnupg"

    if [ -z "$SSH_AUTH_SOCK" ]; then
        export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    fi
  '';
}