nix/configuration/hosts/odo/default.nix

@@ -38,7 +38,6 @@
   me.emacs_flavor = "full";
   me.firefox.enable = true;
   me.git.config = ../../roles/git/files/gitconfig_home;
-  me.gpg.enable = true;
   me.graphical = true;
   me.graphics_card_type = "amd";
   me.kanshi.enable = true;

nix/configuration/roles/gpg/default.nix

@@ -16,93 +16,158 @@ in
 {
   imports = [ ];
 
-  options.me = {
+  # Fetch public keys:
-    gpg.enable = lib.mkOption {
+  # gpg --locate-keys tom@fizz.buzz
-      type = lib.types.bool;
+  #
-      default = false;
+  # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
-      example = true;
+
-      description = "Whether we want to install gpg.";
+  hardware.gpgSmartcards.enable = true;
+  services.udev.packages = [
+    pkgs.yubikey-personalization
+    pkgs.libfido2
+    (pkgs.writeTextFile {
+      name = "my-rules";
+      text = ''
+        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
+        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
+      '';
+      destination = "/etc/udev/rules.d/50-yubikey.rules";
+    })
+  ];
+  services.pcscd.enable = true;
+  # services.gnome.gnome-keyring.enable = true;
+
+  # services.dbus.packages = [ pkgs.gcr ];
+
+  # services.pcscd.plugins = lib.mkForce [ ];
+
+  #   programs.gpg.scdaemonSettings = {
+  #   disable-ccid = true;
+  # };
+
+  # .gnupg/scdaemon.conf
+  home-manager.users.talexander =
+    { pkgs, ... }:
+    {
+      home.file.".gnupg/scdaemon.conf" = {
+        source = ./files/scdaemon.conf;
+      };
+    };
+
+  # programs.gnupg.dirmngr.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    pinentryPackage = pkgs.pinentry-qt;
+    # settings = {
+    #   disable-ccid = true;
+    # };
+  };
+
+  environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+    hideMounts = true;
+    users.talexander = {
+      directories = [
+        {
+          directory = ".gnupg";
+          user = "talexander";
+          group = "talexander";
+          mode = "0700";
+        } # Local keyring
+      ];
     };
   };
 
-  config = lib.mkIf config.me.gpg.enable (
+  nixpkgs.overlays = [
-    lib.mkMerge [
+    (final: prev: {
-      {
+      # pcsclite = prev.pcsclite.overrideAttrs (old: {
-        # Fetch public keys:
+      #   postPatch = ''
-        # gpg --locate-keys tom@fizz.buzz
+      #     substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
-        #
+      #       --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
-        # gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
+      #   '';
+      # });
 
-        hardware.gpgSmartcards.enable = true;
+      # pcsclite = prev.pcsclite.overrideAttrs (old: {
-        services.udev.packages = [
+      #   postPatch =
-          pkgs.yubikey-personalization
+      #     old.postPatch
-          pkgs.libfido2
+      #     + (lib.optionalString
-          (pkgs.writeTextFile {
+      #       (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
-            name = "my-rules";
+      #       ''
-            text = ''
+      #         substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
-              ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
+      #           --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
-              KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
+      #       ''
-            '';
+      #     );
-            destination = "/etc/udev/rules.d/50-yubikey.rules";
+      # });
-          })
-        ];
-        services.pcscd.enable = true;
-        # services.gnome.gnome-keyring.enable = true;
 
-        # services.dbus.packages = [ pkgs.gcr ];
+      # pcsclite = prev.pcsclite.overrideAttrs (old: {
+      #   postPatch =
+      #     old.postPatch
+      #     + ''
+      #       substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+      #         --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
+      #     '';
+      # });
 
-        # services.pcscd.plugins = lib.mkForce [ ];
+      # gnupg = prev.gnupg.override {
+      #   pcsclite = pkgs.pcsclite.overrideAttrs (old: {
+      #     postPatch =
+      #       old.postPatch
+      #       + (lib.optionalString
+      #         (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
+      #         ''
+      #           substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
+      #             --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
+      #         ''
+      #       );
+      #   });
+      # };
+    })
+  ];
 
-        #   programs.gpg.scdaemonSettings = {
+  # security.polkit.extraConfig = ''
-        #   disable-ccid = true;
+  #   polkit.addRule(function(action, subject) {
-        # };
+  #     if (action.id == "org.debian.pcsc-lite.access_card") {
+  #       return polkit.Result.YES;
+  #     }
+  #   });
 
-        # .gnupg/scdaemon.conf
+  #   polkit.addRule(function(action, subject) {
-        home-manager.users.talexander =
+  #     if (action.id == "org.debian.pcsc-lite.access_pcsc") {
-          { pkgs, ... }:
+  #       return polkit.Result.YES;
-          {
+  #     }
-            home.file.".gnupg/scdaemon.conf" = {
+  #   });
-              source = ./files/scdaemon.conf;
+  # '';
-            };
-          };
 
-        # programs.gnupg.dirmngr.enable = true;
+  environment.systemPackages = with pkgs; [
-        programs.gnupg.agent = {
+    pcsclite
-          enable = true;
+    pcsctools
-          enableSSHSupport = true;
+    yubikey-personalization
-          pinentryPackage = pkgs.pinentry-qt;
+    yubikey-manager
-          # settings = {
+    glibcLocales
-          #   disable-ccid = true;
+    ccid
-          # };
+    libusb-compat-0_1
-        };
+    gpg_test_wkd
+  ];
 
-        environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
+  # nixpkgs.overlays = [
-          hideMounts = true;
+  #   (final: prev: {
-          users.talexander = {
+  #     gnupg = pkgs-unstable.gnupg;
-            directories = [
+  #     scdaemon = pkgs-unstable.scdaemon;
-              {
+  #     libgcrypt = pkgs-unstable.libgcrypt;
-                directory = ".gnupg";
+  #   })
-                user = "talexander";
+  # ];
-                group = "talexander";
-                mode = "0700";
-              } # Local keyring
-            ];
-          };
-        };
 
-        environment.systemPackages = with pkgs; [
+  # nixpkgs.overlays = [
-          pcsclite
+  #   (final: prev: {
-          pcsctools
+  #     gnupg = prev.gnupg.overrideAttrs (old: rec {
-          yubikey-personalization
+  #       version = "2.4.7";
-          yubikey-manager
+  #       src = prev.fetchurl {
-          glibcLocales
+  #         url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
-          ccid
+  #         hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
-          libusb-compat-0_1
+  #       };
-          gpg_test_wkd
+  #     });
-        ];
+  #   })
+  # ];
 
-        programs.gnupg.agent.enableExtraSocket = true;
+  programs.gnupg.agent.enableExtraSocket = true;
-      }
-    ]
-  );
 }

nix/configuration/roles/gpg/files/scdaemon.conf

@@ -1,7 +1,7 @@
-#reader-port Yubico Yubi
+reader-port Yubico Yubi
 disable-ccid
 
-#log-file /home/talexander/scd.log
+log-file /home/talexander/scd.log
-#verbose
+verbose
-#debug cardio
+debug cardio
-#debug-level 5
+debug-level 5