
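{
  config,
  lib,
  pkgs,
  pkgs-unstable,
  ...
}:
# YubiKey / OpenPGP smartcard support: system-level udev rules and pcscd, plus
# the per-user gpg / gpg-agent / scdaemon configuration via home-manager.
{
  imports = [ ];

  # Fetch public keys:
  #   gpg --locate-keys tom@fizz.buzz
  #
  #   gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
  # (WKD lookups go over HTTPS to the key owner's domain. The key this config
  # actually trusts is pinned in ./files/gpg.asc below, so no lookup is needed
  # for it.)

  # Installs the udev rules for scdaemon's built-in CCID driver. Because
  # `disable-ccid` is set below, scdaemon goes through pcscd instead, so these
  # rules are likely not needed; they are harmless to keep.
  hardware.gpgSmartcards.enable = true;

  services.udev.packages = [
    pkgs.yubikey-personalization
    pkgs.libfido2
    (pkgs.writeTextFile {
      name = "my-rules";
      # Vendor 1050 = Yubico; product 0406 = YubiKey 4/5 with OTP+FIDO+CCID
      # enabled (confirm with `lsusb`). The PID changes when the enabled USB
      # interfaces are changed with `ykman config usb`, and these rules then
      # stop matching.
      #
      # TAG+="uaccess" on the hidraw rule is what lets the active console
      # session use the device (70-uaccess.rules turns the tag into an ACL;
      # the "50-" prefix ensures the tag is set before that rule runs).
      # GROUP="wheel" additionally lets every wheel member use the device
      # whether or not they are at the console (e.g. over SSH) — drop it if
      # that is not wanted. yubikey-personalization and libfido2 above ship
      # their own YubiKey/FIDO rules, so this file is mostly a widening of
      # those.
      text = ''
        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="0660", GROUP="wheel"
        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
      '';
      destination = "/etc/udev/rules.d/50-yubikey.rules";
    })
  ];

  # PC/SC daemon; scdaemon reaches the card through it (see disable-ccid below).
  services.pcscd.enable = true;

  # services.gnome.gnome-keyring.enable = true;
  # services.dbus.packages = [ pkgs.gcr ];
  # services.pcscd.plugins = lib.mkForce [ ];
  # (The per-user version of this setting is the home-manager
  # `programs.gpg.scdaemonSettings` block below.)
  # programs.gpg.scdaemonSettings = {
  #   disable-ccid = true;
  # };
  # .gnupg/scdaemon.conf

  home-manager.users.talexander =
    { pkgs, ... }:
    {
      # home.file.".gnupg/scdaemon.conf" = {
      #   source = ./files/scdaemon.conf;
      # };
      programs.gpg = {
        # Yes: home-manager adds programs.gpg.package (pkgs.gnupg by default)
        # to home.packages, so the user profile carries its own gnupg next to
        # any system-wide one. Both resolve to the same nixpkgs gnupg unless
        # one is overridden (see the commented overlays at the bottom).
        enable = true;
        # homedir = "${config.home.homeDirectory}/.gnupg";
        publicKeys = [
          {
            source = ./files/gpg.asc;
            # trust = 5 is "ultimate": every key certified by this key becomes
            # fully valid with no further checks. Only appropriate for your
            # own key; a correspondent's key should get 4 (full) or 3
            # (marginal) instead.
            trust = 5;
          }
        ];
        settings = {
          # use-agent is a dummy option in GnuPG >= 2.1 (gpg always talks to
          # the agent); it is unrelated to the gpg-agent settings below and is
          # kept only for compatibility with older configs.
          use-agent = true;
        };
        scdaemonSettings = {
          # Written to ~/.gnupg/scdaemon.conf. Disables scdaemon's built-in
          # CCID USB driver so it reaches the card via PC/SC (services.pcscd
          # above) instead of competing with pcscd for the reader.
          disable-ccid = true;
        };
      };
      services.gpg-agent = {
        enable = true;
        enableSshSupport = true;
        # Exports GPG_TTY in the shell (and, with SSH support, runs
        # `gpg-connect-agent updatestartuptty`), which is how the agent learns
        # which tty pinentry should use.
        enableZshIntegration = true;
        # When false, home-manager writes `disable-scdaemon` to
        # gpg-agent.conf; true leaves scdaemon enabled. Independent of
        # scdaemonSettings above, which configures how scdaemon reaches the
        # card, not whether it runs.
        enableScDaemon = true;
        pinentryPackage = pkgs.pinentry-qt;
        # Passphrase cache for on-disk secret keys. Keys that live on the
        # YubiKey are gated by the card's own PIN state, which these TTLs do
        # not control.
        defaultCacheTtl = 60;
        maxCacheTtl = 120;
        # The SSH cache has separate TTLs (gpg-agent defaults: 1800 s /
        # 7200 s); align them with the values above so SSH support does not
        # quietly keep a passphrase 30x longer than gpg does.
        defaultCacheTtlSsh = 60;
        maxCacheTtlSsh = 120;
        # Deliberately no `extraConfig = "ttyname $GPG_TTY"`: `ttyname` is a
        # gpg option, not a gpg-agent.conf directive, and the file is not
        # shell-expanded, so gpg-agent reports it as an invalid option (and
        # may refuse to start). The tty is communicated through the zsh
        # integration instead.
      };
    };

  # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
  #   hideMounts = true;
  #   users.talexander = {
  #     directories = [
  #       {
  #         directory = ".gnupg";
  #         user = "talexander";
  #         group = "talexander";
  #         mode = "0700";
  #       } # Local keyring
  #     ];
  #   };
  # };
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     pcsclite = prev.pcsclite.overrideAttrs (old: {
  #       postPatch = ''
  #         substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
  #           --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
  #       '';
  #     });
  #   })
  # ];
  # If these polkit rules are ever re-enabled, restrict them: as written they
  # return YES for every subject, i.e. any local user or service may talk to
  # any card. Check at least `subject.local` and/or
  # `subject.isInGroup("wheel")` before returning YES.
  # security.polkit.extraConfig = ''
  #   polkit.addRule(function(action, subject) {
  #     if (action.id == "org.debian.pcsc-lite.access_card") {
  #       return polkit.Result.YES;
  #     }
  #   });
  #   polkit.addRule(function(action, subject) {
  #     if (action.id == "org.debian.pcsc-lite.access_pcsc") {
  #       return polkit.Result.YES;
  #     }
  #   });
  # '';

  environment.systemPackages = with pkgs; [
    pcsctools # pcsc_scan: check that pcscd sees the reader
    yubikey-personalization
    yubikey-manager # ykman: PIN/PUK management, USB interface selection
  ];

  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = pkgs-unstable.gnupg;
  #     scdaemon = pkgs-unstable.scdaemon;
  #     libgcrypt = pkgs-unstable.libgcrypt;
  #   })
  # ];
  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = prev.gnupg.overrideAttrs (old: rec {
  #       version = "2.4.7";
  #       src = prev.fetchurl {
  #         url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
  #         hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
  #       };
  #     });
  #   })
  # ];
}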