From e4e051052d269495b1336ddb17e07c4861673b4e Mon Sep 17 00:00:00 2001 From: "Andrew J. Hesford" Date: Sun, 5 Jan 2020 21:18:50 -0500 Subject: [PATCH 1/3] pam_gnupg: init at fbd75b7 nixos/pam: add support for new pam_gnupg package in pam configs --- nixos/modules/security/pam.nix | 12 +++++++++ pkgs/os-specific/linux/pam_gnupg/default.nix | 28 ++++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 ++ 3 files changed, 42 insertions(+) create mode 100644 pkgs/os-specific/linux/pam_gnupg/default.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index ee37c18d980dac..207d7ac4d75798 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -361,12 +361,15 @@ let # We use try_first_pass the second time to avoid prompting password twice (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs + || config.security.pam.enableGnupg || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable || cfg.duoSecurity.enable)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth + ${optionalString config.security.pam.enableGnupg + "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.pamMount @@ -438,6 +441,8 @@ let "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString cfg.startSession "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} + ${optionalString config.security.pam.enableGnupg + "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} ${optionalString cfg.forwardXAuth "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} ${optionalString (cfg.limits != []) 
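Review bot: The new `auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so` line is gated on the global `config.security.pam.enableGnupg`, unlike the neighbouring kwallet and GNOME keyring entries that use per-service `cfg.enable*` options, so switching it on puts pam_gnupg on the auth stack of every PAM service (sudo, sshd, polkit, screen lockers included) and each of them hands the typed password to the module. Given that the module exists to keep that password for forwarding to gpg-agent (per the package description in this series), the scope should be a deliberate choice: either add a per-service `security.pam.services.<name>.enableGnupg` option and gate the line on `cfg.enableGnupg` like `cfg.enableKwallet`, or state in the option description that it is system-wide. The `let` binding that builds this service text starts outside the hunk.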
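Review bot: The `session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so` line is placed directly after `pam_systemd.so` with nothing saying why, so a later reorder of the session stack could silently move it. If the session step presets the passphrase into the user's gpg-agent, as the package description suggests, it presumably needs the logind session (and `/run/user/<uid>`, where recent gpg-agent sockets live) to exist first — confirm against upstream. A comment on the line before the `optionalString`, `# pam_gnupg presets the login passphrase into gpg-agent; keep it after pam_systemd so the user runtime dir exists`, would pin the ordering. The session string this hunk edits starts and ends outside the hunk.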
@@ -726,6 +731,13 @@ in ''; }; + security.pam.enableGnupg = mkOption { + default = false; + description = '' + Enable pam_gnupg module to unlock GPG agent on login. + ''; + }; + users.motd = mkOption { default = null; example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; diff --git a/pkgs/os-specific/linux/pam_gnupg/default.nix b/pkgs/os-specific/linux/pam_gnupg/default.nix new file mode 100644 index 00000000000000..c14ee2910970fb --- /dev/null +++ b/pkgs/os-specific/linux/pam_gnupg/default.nix @@ -0,0 +1,28 @@ +{ stdenv, fetchgit, autoreconfHook, gnupg, pam } : + +stdenv.mkDerivation rec { + name = "pam_gnupg-fbd75b7"; + src = fetchgit { + url = https://github.com/cruegge/pam-gnupg; + rev = "fbd75b720877e4cf94e852ce7e2b811feb330bb5"; + sha256 = "0kqn6xb85jfmhvvbd2lasnci46p2pcwy0wq233za9h7xwfr49f7d"; + }; + + nativeBuildInputs = [ autoreconfHook ]; + buildInputs = [ gnupg pam ]; + + preAutoreconf = '' + mkdir m4 + ''; + + configurePhase = '' + ./configure --prefix=$out --with-moduledir=$out/lib/security + ''; + + meta = with stdenv.lib; { + description = "A PAM plugin to preset GPG passphrases on login"; + homepage = "https://github.com/cruegge/pam-gnupg/"; + license = licenses.gpl3; + platforms = platforms.linux; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d64fd48197b69e..444633c2563c2e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16837,6 +16837,8 @@ in pam_ccreds = callPackage ../os-specific/linux/pam_ccreds { }; + pam_gnupg = callPackage ../os-specific/linux/pam_gnupg { }; + pam_krb5 = callPackage ../os-specific/linux/pam_krb5 { }; pam_ldap = callPackage ../os-specific/linux/pam_ldap { }; From 12faef6c34dbdefe76cf1e8b3e4fc3fa0285a34b Mon Sep 17 00:00:00 2001 
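Review bot: The description of `security.pam.enableGnupg` ("Enable pam_gnupg module to unlock GPG agent on login") omits what an administrator needs before enabling it: the module works by forwarding the login password to gpg-agent as a preset passphrase (the package's own description says as much), so it only unlocks keys whose passphrase equals the login password, and gpg-agent must be configured to accept preset passphrases — upstream documents `allow-preset-passphrase` in `gpg-agent.conf` plus a per-user keygrip list, which should be checked against the pinned revision. I would expand the description to three or four lines covering the password-reuse implication, the agent-side configuration, and the fact that the option applies to every PAM service rather than just login. This hunk only declares the option; the service stacks it affects are elsewhere in the module.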
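Review bot: `url = https://github.com/cruegge/pam-gnupg;` uses the bare URL literal syntax, which Nix has deprecated, while `homepage` a few lines below is a quoted string; quote it, or better use `src = fetchFromGitHub { owner = "cruegge"; repo = "pam-gnupg"; rev = "fbd75b720877e4cf94e852ce7e2b811feb330bb5"; sha256 = "..."; };`, the nixpkgs convention for GitHub sources, which keeps the commit-plus-hash pinning. The `meta` block also has no `maintainers`, so nobody is notified when this PAM module needs a security update; add one. The `configurePhase` override here is reworked later in the series, so I am not commenting on it.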
From: "Andrew J. Hesford" Date: Thu, 9 Jan 2020 08:11:40 -0500 Subject: [PATCH 2/3] pam_gnupg: fbd75b7 -> unstable-2019-12-06 Replace tabs with spaces and change unstable version numbering --- nixos/modules/security/pam.nix | 10 +++++----- pkgs/os-specific/linux/pam_gnupg/default.nix | 4 +++- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 207d7ac4d75798..e85119b0e459dd 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -361,15 +361,15 @@ let # We use try_first_pass the second time to avoid prompting password twice (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs - || config.security.pam.enableGnupg + || config.security.pam.enableGnupg || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable || cfg.duoSecurity.enable)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth - ${optionalString config.security.pam.enableGnupg - "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} + ${optionalString config.security.pam.enableGnupg + "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.pamMount @@ -441,8 +441,8 @@ let "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString cfg.startSession "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} - ${optionalString config.security.pam.enableGnupg - "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} + ${optionalString config.security.pam.enableGnupg + "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} ${optionalString cfg.forwardXAuth "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} ${optionalString (cfg.limits != []) 
diff --git a/pkgs/os-specific/linux/pam_gnupg/default.nix b/pkgs/os-specific/linux/pam_gnupg/default.nix index c14ee2910970fb..229ccbf1ffc1da 100644 --- a/pkgs/os-specific/linux/pam_gnupg/default.nix +++ b/pkgs/os-specific/linux/pam_gnupg/default.nix @@ -1,7 +1,9 @@ { stdenv, fetchgit, autoreconfHook, gnupg, pam } : stdenv.mkDerivation rec { - name = "pam_gnupg-fbd75b7"; + pname = "pam_gnupg"; + version = "unstable-2019-12-06"; + src = fetchgit { url = https://github.com/cruegge/pam-gnupg; rev = "fbd75b720877e4cf94e852ce7e2b811feb330bb5"; From 796a6d6cf0a66d32097fd9a45aa6d6ac7fdec63b Mon Sep 17 00:00:00 2001 From: "Andrew J. Hesford" Date: Thu, 9 Jan 2020 10:23:02 -0500 Subject: [PATCH 3/3] pam_gnupg: refactor configure phase --- pkgs/os-specific/linux/pam_gnupg/default.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkgs/os-specific/linux/pam_gnupg/default.nix b/pkgs/os-specific/linux/pam_gnupg/default.nix index 229ccbf1ffc1da..1b42a6250d0de6 100644 --- a/pkgs/os-specific/linux/pam_gnupg/default.nix +++ b/pkgs/os-specific/linux/pam_gnupg/default.nix @@ -13,13 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ gnupg pam ]; - preAutoreconf = '' - mkdir m4 - ''; - - configurePhase = '' - ./configure --prefix=$out --with-moduledir=$out/lib/security - ''; + configureFlags = [ "--with-moduledir=$\{out\}/lib/security" ]; meta = with stdenv.lib; { description = "A PAM plugin to preset GPG passphrases on login";
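Review bot: `configureFlags = [ "--with-moduledir=$\{out\}/lib/security" ];` does not interpolate the output path: the backslashes make `${out}` literal text in the Nix string, so `./configure` receives the characters `${out}/lib/security` and the final module directory depends on some later expansion by the build shell or make — it may resolve by accident, but it reads as a mistake. The nixpkgs idiom is `configureFlags = [ "--with-moduledir=${placeholder "out"}/lib/security" ];`, which yields the real store path at eval time. After the change, verify that `$out/lib/security/pam_gnupg.so` exists, since the NixOS module earlier in this series references that exact path.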