{
  config,
  lib,
  pkgs,
  ...
}:
let
  # Test helper for WKD lookups, built from ./files/gpg_test_wkd.bash.
  # writeScriptBin stores the file as-is, so patchShebangs is appended to the
  # build step to rewrite the shebang to a store path.
  gpg_test_wkd =
    (pkgs.writeScriptBin "gpg_test_wkd" (builtins.readFile ./files/gpg_test_wkd.bash)).overrideAttrs
      (old: {
        buildCommand = old.buildCommand + "\npatchShebangs $out";
      });

  # Hand-written udev rules for one YubiKey model (USB 1050:0406): the usb node
  # is opened to the wheel group, and the hidraw node additionally gets the
  # uaccess tag so the seated user gets an ACL on it. Other YubiKey product IDs
  # are not matched by these two rules.
  yubikeyUdevRules = pkgs.writeTextFile {
    name = "my-rules";
    destination = "/etc/udev/rules.d/50-yubikey.rules";
    text = ''
      ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
    '';
  };
in
{
  imports = [ ];

  options.me.gpg.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    example = true;
    description = "Whether we want to install gpg.";
  };

  config = lib.mkIf config.me.gpg.enable {
    # Fetch public keys:
    #   gpg --locate-external-keys tom@fizz.buzz

    # Smartcard plumbing: pcscd, the NixOS smartcard udev rules, the rules
    # shipped by yubikey-personalization / libfido2 (presumably; not verified
    # here), and the hand-written YubiKey rules from the let block.
    hardware.gpgSmartcards.enable = true;
    services.pcscd.enable = true;
    services.udev.packages = [
      pkgs.yubikey-personalization
      pkgs.libfido2
      yubikeyUdevRules
    ];

    # Per-user scdaemon.conf. The /persist bind mount of the whole ~/.gnupg
    # directory (further down) sits on top of this path, so at present the
    # installed file is not visible there.
    me.install.user.talexander.file.".gnupg/scdaemon.conf".source = ./files/scdaemon.conf;

    programs.gnupg.agent = {
      enable = true;
      # gpg-agent also acts as the SSH agent.
      enableSSHSupport = true;
      # Additional agent socket intended for forwarding to remote hosts.
      enableExtraSocket = true;
      pinentryPackage = pkgs.pinentry-qt;
      # A `settings` block would populate /etc/gnupg/gpg-agent.conf; none needed yet.
      # settings = {
      # };
    };

    # Disabled: persisting individual files broke signing git commits, because
    # gpg wants to copy pubring.kbx. Replaced by persisting the whole .gnupg
    # directory below, which unfortunately makes the scdaemon.conf install
    # above do nothing, since the mount of the full directory goes over it.
    #
    # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
    #   hideMounts = true;
    #   users.talexander = {
    #     files = [
    #       {
    #         file = ".gnupg/trustdb.gpg";
    #         parentDirectory = {
    #           mode = "u=rwx,g=,o=";
    #         };
    #       }
    #       {
    #         file = ".gnupg/pubring.kbx";
    #         parentDirectory = {
    #           mode = "u=rwx,g=,o=";
    #         };
    #       }
    #       {
    #         file = ".gnupg/tofu.db";
    #         parentDirectory = {
    #           mode = "u=rwx,g=,o=";
    #         };
    #       }
    #     ];
    #     directories = [
    #       {
    #         directory = ".gnupg/crls.d";
    #         user = "talexander";
    #         group = "talexander";
    #         mode = "0700";
    #       }
    #       {
    #         directory = ".gnupg/private-keys-v1.d";
    #         user = "talexander";
    #         group = "talexander";
    #         mode = "0700";
    #       }
    #     ];
    #   };
    # };

    # Keep the whole ~/.gnupg on /persist (skipped when building the ISO).
    # The directory is where gpg keeps private-keys-v1.d (see the disabled
    # list above), hence owner-only 0700.
    environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
      hideMounts = true;
      users.talexander.directories = [
        {
          directory = ".gnupg";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        }
      ];
    };

    environment.systemPackages = [
      pkgs.pcsclite
      pkgs.pcsctools
      pkgs.glibcLocales
      pkgs.ccid
      pkgs.libusb-compat-0_1
      gpg_test_wkd
    ];
  };
}