Restructure flake.nix for a simpler config for building different images off the same NixOS config.
This commit is contained in:
Tom Alexander
@@ -25,109 +25,105 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.me.gpg.enable (
|
||||
lib.mkMerge [
|
||||
{
|
||||
# Fetch public keys:
|
||||
# gpg --locate-external-keys tom@fizz.buzz
|
||||
config = lib.mkIf config.me.gpg.enable {
|
||||
# Fetch public keys:
|
||||
# gpg --locate-external-keys tom@fizz.buzz
|
||||
|
||||
hardware.gpgSmartcards.enable = true;
|
||||
services.udev.packages = [
|
||||
pkgs.yubikey-personalization
|
||||
pkgs.libfido2
|
||||
(pkgs.writeTextFile {
|
||||
name = "my-rules";
|
||||
text = ''
|
||||
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
|
||||
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
|
||||
'';
|
||||
destination = "/etc/udev/rules.d/50-yubikey.rules";
|
||||
})
|
||||
hardware.gpgSmartcards.enable = true;
|
||||
services.udev.packages = [
|
||||
pkgs.yubikey-personalization
|
||||
pkgs.libfido2
|
||||
(pkgs.writeTextFile {
|
||||
name = "my-rules";
|
||||
text = ''
|
||||
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
|
||||
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
|
||||
'';
|
||||
destination = "/etc/udev/rules.d/50-yubikey.rules";
|
||||
})
|
||||
];
|
||||
services.pcscd.enable = true;
|
||||
|
||||
me.install.user.talexander.file = {
|
||||
".gnupg/scdaemon.conf" = {
|
||||
source = ./files/scdaemon.conf;
|
||||
};
|
||||
};
|
||||
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
pinentryPackage = pkgs.pinentry-qt;
|
||||
# Settings block populates /etc/gnupg/gpg-agent.conf
|
||||
# settings = {
|
||||
# };
|
||||
};
|
||||
|
||||
# Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it.
|
||||
#
|
||||
# environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
|
||||
# hideMounts = true;
|
||||
# users.talexander = {
|
||||
# files = [
|
||||
# {
|
||||
# file = ".gnupg/trustdb.gpg";
|
||||
# parentDirectory = {
|
||||
# mode = "u=rwx,g=,o=";
|
||||
# };
|
||||
# }
|
||||
# {
|
||||
# file = ".gnupg/pubring.kbx";
|
||||
# parentDirectory = {
|
||||
# mode = "u=rwx,g=,o=";
|
||||
# };
|
||||
# }
|
||||
# {
|
||||
# file = ".gnupg/tofu.db";
|
||||
# parentDirectory = {
|
||||
# mode = "u=rwx,g=,o=";
|
||||
# };
|
||||
# }
|
||||
# ];
|
||||
# directories = [
|
||||
# {
|
||||
# directory = ".gnupg/crls.d";
|
||||
# user = "talexander";
|
||||
# group = "talexander";
|
||||
# mode = "0700";
|
||||
# }
|
||||
# {
|
||||
# directory = ".gnupg/private-keys-v1.d";
|
||||
# user = "talexander";
|
||||
# group = "talexander";
|
||||
# mode = "0700";
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
|
||||
hideMounts = true;
|
||||
users.talexander = {
|
||||
directories = [
|
||||
{
|
||||
directory = ".gnupg";
|
||||
user = "talexander";
|
||||
group = "talexander";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
services.pcscd.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
me.install.user.talexander.file = {
|
||||
".gnupg/scdaemon.conf" = {
|
||||
source = ./files/scdaemon.conf;
|
||||
};
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
pcsclite
|
||||
pcsctools
|
||||
glibcLocales
|
||||
ccid
|
||||
libusb-compat-0_1
|
||||
gpg_test_wkd
|
||||
];
|
||||
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
pinentryPackage = pkgs.pinentry-qt;
|
||||
# Settings block populates /etc/gnupg/gpg-agent.conf
|
||||
# settings = {
|
||||
# };
|
||||
};
|
||||
|
||||
# Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it.
|
||||
#
|
||||
# environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
|
||||
# hideMounts = true;
|
||||
# users.talexander = {
|
||||
# files = [
|
||||
# {
|
||||
# file = ".gnupg/trustdb.gpg";
|
||||
# parentDirectory = {
|
||||
# mode = "u=rwx,g=,o=";
|
||||
# };
|
||||
# }
|
||||
# {
|
||||
# file = ".gnupg/pubring.kbx";
|
||||
# parentDirectory = {
|
||||
# mode = "u=rwx,g=,o=";
|
||||
# };
|
||||
# }
|
||||
# {
|
||||
# file = ".gnupg/tofu.db";
|
||||
# parentDirectory = {
|
||||
# mode = "u=rwx,g=,o=";
|
||||
# };
|
||||
# }
|
||||
# ];
|
||||
# directories = [
|
||||
# {
|
||||
# directory = ".gnupg/crls.d";
|
||||
# user = "talexander";
|
||||
# group = "talexander";
|
||||
# mode = "0700";
|
||||
# }
|
||||
# {
|
||||
# directory = ".gnupg/private-keys-v1.d";
|
||||
# user = "talexander";
|
||||
# group = "talexander";
|
||||
# mode = "0700";
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
|
||||
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
|
||||
hideMounts = true;
|
||||
users.talexander = {
|
||||
directories = [
|
||||
{
|
||||
directory = ".gnupg";
|
||||
user = "talexander";
|
||||
group = "talexander";
|
||||
mode = "0700";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
pcsclite
|
||||
pcsctools
|
||||
glibcLocales
|
||||
ccid
|
||||
libusb-compat-0_1
|
||||
gpg_test_wkd
|
||||
];
|
||||
|
||||
programs.gnupg.agent.enableExtraSocket = true;
|
||||
}
|
||||
]
|
||||
);
|
||||
programs.gnupg.agent.enableExtraSocket = true;
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user