{
config,
lib,
pkgs,
...
}:
let
gpg_test_wkd =
(pkgs.writeScriptBin "gpg_test_wkd" (builtins.readFile ./files/gpg_test_wkd.bash)).overrideAttrs
(old: {
buildCommand = "${old.buildCommand}\n patchShebangs $out";
});
in
{
imports = [ ];
# Fetch public keys:
# gpg --locate-keys tom@fizz.buzz
#
# gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
hardware.gpgSmartcards.enable = true;
services.udev.packages = [
pkgs.yubikey-personalization
pkgs.libfido2
(pkgs.writeTextFile {
name = "my-rules";
text = ''
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
'';
destination = "/etc/udev/rules.d/50-yubikey.rules";
})
];
services.pcscd.enable = true;
# services.gnome.gnome-keyring.enable = true;
# services.dbus.packages = [ pkgs.gcr ];
# services.pcscd.plugins = lib.mkForce [ ];
# programs.gpg.scdaemonSettings = {
# disable-ccid = true;
# };
# .gnupg/scdaemon.conf
home-manager.users.talexander =
{ pkgs, ... }:
{
home.file.".gnupg/scdaemon.conf" = {
source = ./files/scdaemon.conf;
};
};
# programs.gnupg.dirmngr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-qt;
# settings = {
# disable-ccid = true;
# };
};
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
hideMounts = true;
users.talexander = {
directories = [
{
directory = ".gnupg";
user = "talexander";
group = "talexander";
mode = "0700";
} # Local keyring
];
};
};
nixpkgs.overlays = [
(final: prev: {
# pcsclite = prev.pcsclite.overrideAttrs (old: {
# postPatch = ''
# substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
# --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
# '';
# });
# pcsclite = prev.pcsclite.overrideAttrs (old: {
# postPatch =
# old.postPatch
# + (lib.optionalString
# (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
# ''
# substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
# --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
# ''
# );
# });
# pcsclite = prev.pcsclite.overrideAttrs (old: {
# postPatch =
# old.postPatch
# + ''
# substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
# --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
# '';
# });
# gnupg = prev.gnupg.override {
# pcsclite = pkgs.pcsclite.overrideAttrs (old: {
# postPatch =
# old.postPatch
# + (lib.optionalString
# (!(lib.strings.hasInfix ''--replace-fail "libpcsclite_real.so.1"'' old.postPatch))
# ''
# substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
# --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
# ''
# );
# });
# };
})
];
# security.polkit.extraConfig = ''
# polkit.addRule(function(action, subject) {
# if (action.id == "org.debian.pcsc-lite.access_card") {
# return polkit.Result.YES;
# }
# });
# polkit.addRule(function(action, subject) {
# if (action.id == "org.debian.pcsc-lite.access_pcsc") {
# return polkit.Result.YES;
# }
# });
# '';
environment.systemPackages = with pkgs; [
pcsclite
pcsctools
yubikey-personalization
yubikey-manager
glibcLocales
ccid
libusb-compat-0_1
gpg_test_wkd
];
# nixpkgs.overlays = [
# (final: prev: {
# gnupg = pkgs-unstable.gnupg;
# scdaemon = pkgs-unstable.scdaemon;
# libgcrypt = pkgs-unstable.libgcrypt;
# })
# ];
# nixpkgs.overlays = [
# (final: prev: {
# gnupg = prev.gnupg.overrideAttrs (old: rec {
# version = "2.4.7";
# src = prev.fetchurl {
# url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
# hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
# };
# });
# })
# ];
programs.gnupg.agent.enableExtraSocket = true;
}