Fixes for gnupg agent module

[danielfullmer]

Motivation for this change

1b6176e caused a few problems for me with the gnupg agent module in nixos.
With programs.gnupg.agent.enable and programs.gnupg.agent.enableSSHSupport both set to true, logging in freezes for me while running gpg-connect-agent.

Additionally, I get the following messages in the journal:

machine# [ 6.342172] gpg-agent[837]: gpg-agent (GnuPG) 2.1.21 starting in supervised mode.
machine# [ 6.343164] gpg-agent[837]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
machine# [ 6.344159] gpg-agent[837]: cannot listen on more than one std socket
machine# [ 6.345041] gpg-agent[837]: using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
machine# [ 6.346120] gpg-agent[837]: cannot listen on more than one ssh socket
machine# [ 6.347068] gpg-agent[837]: listening on: std=3 extra=-1 browser=-1 ssh=5

It appears that duplicating the systemd units in both systemd.packages as well as systemd.user.{sockets,services} causes gpg-agent to try to bind to multiple sockets. Perhaps this causes gpg-connect-agent to freeze? In any case, I don't see why we can't just use the upstream systemd units, which fixes the problem for me anyway.

In case it's useful, I'll mention that I also wrote some nixos tests to ensure the gpg agent config is working properly, since this seems to break for me frequently. These tests ensure pinentry displays properly when invoked through gpg-agent, both for console and x11 usage:
https://github.com/danielfullmer/nixos-config/blob/master/tests/gpg-agent.nix
https://github.com/danielfullmer/nixos-config/blob/master/tests/gpg-agent-x11.nix

While writing these tests, I also noticed that the nixos test driver fails with:

machine# [ 3.697077] backdoor-start[669]: gpg-connect-agent: failed to create temporary file '/root/.gnupg/.#lk0x0000000001795470.machine.675': No such file or directory

I can't think of any reason why noninteractive shells would need to call gpg-connect-agent, so I restricted that to interactiveShellInit, but I might be overlooking something by doing so.

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • Linux
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

CC @CMCDragonkai @fpletz

[CMCDragonkai]

Does systemd.packages = [ pkgs.gnupg ]; place the sockets and services as systemd user-services and user-sockets as well (this is apparently because gnupg services are user-specific and not whole-system)? I'm not entirely sure how systemd.packages = [ pkgs.gnupg ]; is interacting with the systemd.user nix code. This is because my configuration had only the systemd.user config and not the that specific line. Also if the upstream systemd units supplied by gnupg package works, why bother specifying any systemd.user config at all, then they should not be needed.

Also there's a bit of a balance between reifying configuration as nix code, or leaving config as upstream. In some places of nixos, we've been moving configuration to use the nix language, this makes it somewhat more flexible when working in a nix configuration since overrides are possible. In other cases, porting the configuration takes too long and we have just left them as raw text that gets substituted into the relevant locations. I'm not sure whether it's better to have the systemd config for gnupg reified as nix config, or left as just systemd unit files.

[0xABAB]

I am not convinced, since @danielfullmer is not convinced of himself. I would like to delegate to CMCDragonkai the final decision.

[mdorman]

I'll mention that the programs.gnupg.agent material doesn't work for me without these packages---as @danielfullmer observes, I just get a hang on login. With the changes, it works great!

[fpletz]

I think the preferred solution is to just override the upstream units. Putting gnupg in systemd.packages works just fine for user units. We're just not reloading the systemd user instances on a system switch.

[fpletz]

Thanks a lot! 🍻

[globin]

Reverted the interactiveShellInit in b8d92a7 as that caused software using the gpg-agent, started from dmenu, to stop working correctly. (virt-manager using the ssh keys)
That is now fixed.