Clean up experiments in the gpg role.

2025-01-25 19:35:05 -05:00 · 2025-01-25 19:35:05 -05:00 · e043320e5c
commit e043320e5c
parent 2f8c4fbfe8
2 changed files with 78 additions and 142 deletions
--- a/nix/configuration/hosts/odo/default.nix
+++ b/nix/configuration/hosts/odo/default.nix
@ -38,6 +38,7 @@
  me.emacs_flavor = "full";
  me.firefox.enable = true;
  me.git.config = ../../roles/git/files/gitconfig_home;
  me.gpg.enable = true;
  me.graphical = true;
  me.graphics_card_type = "amd";
  me.kanshi.enable = true;
--- a/nix/configuration/roles/gpg/default.nix
+++ b/nix/configuration/roles/gpg/default.nix
@ -16,158 +16,93 @@ in
 {
  imports = [ ];
-  # Fetch public keys:
+  options.me = {
-  # gpg --locate-keys tom@fizz.buzz
+    gpg.enable = lib.mkOption {
-  #
+      type = lib.types.bool;
-  # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
+      default = false;
-
+      example = true;
-  hardware.gpgSmartcards.enable = true;
+      description = "Whether we want to install gpg.";
  services.udev.packages = [
    pkgs.yubikey-personalization
    pkgs.libfido2
    (pkgs.writeTextFile {
      name = "my-rules";
      text = ''
        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
      '';
      destination = "/etc/udev/rules.d/50-yubikey.rules";
    })
  ];
  services.pcscd.enable = true;
  # services.gnome.gnome-keyring.enable = true;
  # services.dbus.packages = [ pkgs.gcr ];
  # services.pcscd.plugins = lib.mkForce [ ];
  #   programs.gpg.scdaemonSettings = {
  #   disable-ccid = true;
  # };
  # .gnupg/scdaemon.conf
  home-manager.users.talexander =
    { pkgs, ... }:
    {
      home.file.".gnupg/scdaemon.conf" = {
        source = ./files/scdaemon.conf;
      };
    };
  # programs.gnupg.dirmngr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = pkgs.pinentry-qt;
    # settings = {
    #   disable-ccid = true;
    # };
  };
  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
    hideMounts = true;
    users.talexander = {
      directories = [
        {
          directory = ".gnupg";
          user = "talexander";
          group = "talexander";
          mode = "0700";
        } # Local keyring
      ];
    };
  };
-  nixpkgs.overlays = [
+  config = lib.mkIf config.me.gpg.enable (
-    (final: prev: {
+    lib.mkMerge [
-      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+      {
-      #   postPatch = ''
+        # Fetch public keys:
-      #     substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+        # gpg --locate-keys tom@fizz.buzz
-      #       --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
+        #
-      #   '';
+        # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
      # });
-      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+        hardware.gpgSmartcards.enable = true;
-      #   postPatch =
+        services.udev.packages = [
-      #     old.postPatch
+          pkgs.yubikey-personalization
-      #     + (lib.optionalString
+          pkgs.libfido2
-      #       (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
+          (pkgs.writeTextFile {
-      #       ''
+            name = "my-rules";
-      #         substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+            text = ''
-      #           --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
+              ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
-      #       ''
+              KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
-      #     );
+            '';
-      # });
+            destination = "/etc/udev/rules.d/50-yubikey.rules";
          })
        ];
        services.pcscd.enable = true;
        # services.gnome.gnome-keyring.enable = true;
-      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+        # services.dbus.packages = [ pkgs.gcr ];
      #   postPatch =
      #     old.postPatch
      #     + ''
      #       substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
      #         --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #     '';
      # });
-      # gnupg = prev.gnupg.override {
+        # services.pcscd.plugins = lib.mkForce [ ];
      #   pcsclite = pkgs.pcsclite.overrideAttrs (old: {
      #     postPatch =
      #       old.postPatch
      #       + (lib.optionalString
      #         (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
      #         ''
      #           substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
      #             --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
      #         ''
      #       );
      #   });
      # };
    })
  ];
-  # security.polkit.extraConfig = ''
+        #   programs.gpg.scdaemonSettings = {
-  #   polkit.addRule(function(action, subject) {
+        #   disable-ccid = true;
-  #     if (action.id == "org.debian.pcsc-lite.access_card") {
+        # };
  #       return polkit.Result.YES;
  #     }
  #   });
-  #   polkit.addRule(function(action, subject) {
+        # .gnupg/scdaemon.conf
-  #     if (action.id == "org.debian.pcsc-lite.access_pcsc") {
+        home-manager.users.talexander =
-  #       return polkit.Result.YES;
+          { pkgs, ... }:
-  #     }
+          {
-  #   });
+            home.file.".gnupg/scdaemon.conf" = {
-  # '';
+              source = ./files/scdaemon.conf;
            };
          };
-  environment.systemPackages = with pkgs; [
+        # programs.gnupg.dirmngr.enable = true;
-    pcsclite
+        programs.gnupg.agent = {
-    pcsctools
+          enable = true;
-    yubikey-personalization
+          enableSSHSupport = true;
-    yubikey-manager
+          pinentryPackage = pkgs.pinentry-qt;
-    glibcLocales
+          # settings = {
-    ccid
+          #   disable-ccid = true;
-    libusb-compat-0_1
+          # };
-    gpg_test_wkd
+        };
  ];
-  # nixpkgs.overlays = [
+        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
-  #   (final: prev: {
+          hideMounts = true;
-  #     gnupg = pkgs-unstable.gnupg;
+          users.talexander = {
-  #     scdaemon = pkgs-unstable.scdaemon;
+            directories = [
-  #     libgcrypt = pkgs-unstable.libgcrypt;
+              {
-  #   })
+                directory = ".gnupg";
-  # ];
+                user = "talexander";
                group = "talexander";
                mode = "0700";
              } # Local keyring
            ];
          };
        };
-  # nixpkgs.overlays = [
+        environment.systemPackages = with pkgs; [
-  #   (final: prev: {
+          pcsclite
-  #     gnupg = prev.gnupg.overrideAttrs (old: rec {
+          pcsctools
-  #       version = "2.4.7";
+          yubikey-personalization
-  #       src = prev.fetchurl {
+          yubikey-manager
-  #         url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
+          glibcLocales
-  #         hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
+          ccid
-  #       };
+          libusb-compat-0_1
-  #     });
+          gpg_test_wkd
-  #   })
+        ];
  # ];
-  programs.gnupg.agent.enableExtraSocket = true;
+        programs.gnupg.agent.enableExtraSocket = true;
      }
    ]
  );
 }