134 lines
3.7 KiB
Nix
134 lines
3.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
let
|
|
gpg_test_wkd =
|
|
(pkgs.writeScriptBin "gpg_test_wkd" (builtins.readFile ./files/gpg_test_wkd.bash)).overrideAttrs
|
|
(old: {
|
|
buildCommand = "${old.buildCommand}\n patchShebangs $out";
|
|
|
|
});
|
|
in
|
|
{
|
|
imports = [ ];
|
|
|
|
options.me = {
|
|
gpg.enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
example = true;
|
|
description = "Whether we want to install gpg.";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf config.me.gpg.enable (
|
|
lib.mkMerge [
|
|
{
|
|
# Fetch public keys:
|
|
# gpg --locate-external-keys tom@fizz.buzz
|
|
|
|
hardware.gpgSmartcards.enable = true;
|
|
services.udev.packages = [
|
|
pkgs.yubikey-personalization
|
|
pkgs.libfido2
|
|
(pkgs.writeTextFile {
|
|
name = "my-rules";
|
|
text = ''
|
|
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
|
|
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
|
|
'';
|
|
destination = "/etc/udev/rules.d/50-yubikey.rules";
|
|
})
|
|
];
|
|
services.pcscd.enable = true;
|
|
|
|
me.install.user.talexander.file = {
|
|
".gnupg/scdaemon.conf" = {
|
|
source = ./files/scdaemon.conf;
|
|
};
|
|
};
|
|
|
|
programs.gnupg.agent = {
|
|
enable = true;
|
|
enableSSHSupport = true;
|
|
pinentryPackage = pkgs.pinentry-qt;
|
|
# Settings block populates /etc/gnupg/gpg-agent.conf
|
|
# settings = {
|
|
# };
|
|
};
|
|
|
|
# Disabled because it breaks signing git commits because gpg wants to copy pubring.kbx. Unfortunately, this makes the install of scdaemon.conf do nothing since this mount of the full .gnupg directory goes over it.
|
|
#
|
|
# environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
|
|
# hideMounts = true;
|
|
# users.talexander = {
|
|
# files = [
|
|
# {
|
|
# file = ".gnupg/trustdb.gpg";
|
|
# parentDirectory = {
|
|
# mode = "u=rwx,g=,o=";
|
|
# };
|
|
# }
|
|
# {
|
|
# file = ".gnupg/pubring.kbx";
|
|
# parentDirectory = {
|
|
# mode = "u=rwx,g=,o=";
|
|
# };
|
|
# }
|
|
# {
|
|
# file = ".gnupg/tofu.db";
|
|
# parentDirectory = {
|
|
# mode = "u=rwx,g=,o=";
|
|
# };
|
|
# }
|
|
# ];
|
|
# directories = [
|
|
# {
|
|
# directory = ".gnupg/crls.d";
|
|
# user = "talexander";
|
|
# group = "talexander";
|
|
# mode = "0700";
|
|
# }
|
|
# {
|
|
# directory = ".gnupg/private-keys-v1.d";
|
|
# user = "talexander";
|
|
# group = "talexander";
|
|
# mode = "0700";
|
|
# }
|
|
# ];
|
|
# };
|
|
# };
|
|
|
|
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
|
|
hideMounts = true;
|
|
users.talexander = {
|
|
directories = [
|
|
{
|
|
directory = ".gnupg";
|
|
user = "talexander";
|
|
group = "talexander";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
pcsclite
|
|
pcsctools
|
|
glibcLocales
|
|
ccid
|
|
libusb-compat-0_1
|
|
gpg_test_wkd
|
|
];
|
|
|
|
programs.gnupg.agent.enableExtraSocket = true;
|
|
}
|
|
]
|
|
);
|
|
}
|