{ pkgs, ... }:
let
# Settings common to every configuration variant below.
def = {
  gnupgPkg = pkgs.gnupg23;
};
# Variant 1: gnupg's own udev rules only; no pcscd, scdaemon's ccid driver
# left on.
config1 = def // {
  enableGpgRules = true;
  enableYubikeyRules = false;
  enablePcscd = false;
  disableCcid = false;
};
# Variant 2: yubikey-personalization udev rules only; no pcscd.
config2 = def // {
  enableGpgRules = false;
  enableYubikeyRules = true;
  enablePcscd = false;
  disableCcid = false;
};
# Variant 3: pcscd owns the reader, so scdaemon is given `disable-ccid`
# (pcscd and the built-in ccid driver must not both claim the card).
config3 = def // {
  enableGpgRules = false;
  enableYubikeyRules = false;
  enablePcscd = true;
  disableCcid = true;
};
# Variant 4: variant 3 with ccid left enabled and gnupg 2.2, which (per the
# original author's note) falls back to pc/sc on its own. The flags it
# shares with config3 are inherited rather than restated.
config4 = config3 // {
  disableCcid = false;
  gnupgPkg = pkgs.gnupg22;
};
# The variant actually applied; the others are kept around for switching.
ecfg = config3;
in {
config = {
# Runs as root during system activation. Because the card setup below
# depends on scdaemon's configuration and in-memory state, every scdaemon on
# the host is SIGKILLed so that a configuration change takes effect. Note
# that as root this matches all users' scdaemon processes, not only cole's.
# A failed pkill (e.g. nothing running) is deliberately ignored.
system.activationScripts.step-gpg-reset = {
  text = "${pkgs.procps}/bin/pkill -9 scdaemon || true\n";
  deps = [];
};
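# Per-user counterpart, run as the user: restart gpg-agent so it picks up
# the new scdaemon settings. Order matters: stop the systemd unit, SIGKILL
# any agent that survived (one not managed by the unit), then start it, so
# activation ends with a running agent. The previous sequence issued the
# SIGKILL *after* `systemctl --user start`, killing the agent it had just
# started. Killing the agent also drops any cached passphrases, which is
# part of the intended "reset". Failures are ignored on purpose.
system.userActivationScripts.step-gpg-reset = {
  text = ''
    ${pkgs.systemd}/bin/systemctl --user stop gpg-agent || true
    ${pkgs.procps}/bin/pkill -9 gpg-agent || true
    ${pkgs.systemd}/bin/systemctl --user start gpg-agent || true
  '';
  deps = [];
};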
######################
# Reader-access plumbing. Three mechanisms are available; the author found
# that with all three disabled neither ccid nor pc/sc access works.

# gnupg's own udev rules, letting scdaemon talk ccid to the card directly.
hardware.gpgSmartcards.enable = ecfg.enableGpgRules;

# yubikey-personalization udev rules. Author's note: this lets gpg see the
# yubikey/openpgp applet over ccid without pcscd (unverified).
services.udev.packages =
  if !ecfg.enableYubikeyRules then [] else [ pkgs.yubikey-personalization ];

# pcscd. When it is on, scdaemon must get `disable-ccid` (see
# scdaemonSettings below), otherwise both try to claim the card.
services.pcscd.enable = ecfg.enablePcscd;

# pcsclite in the system profile, reportedly so that its polkit rules are
# present. Those rules presumably decide which local users may reach the
# reader through pcscd -- worth confirming they are no wider than intended.
environment.systemPackages =
  if !ecfg.enablePcscd then [] else [ pkgs.pcsclite ];
home-manager.users.cole = { pkgs, ... }:
  let
    # 400 days expressed in seconds; applied to all four cache limits below.
    cacheTtlSeconds = 400 * 86400;
  in {
    programs.gpg = {
      enable = true;
      package = ecfg.gnupgPkg;
      # pcscd and scdaemon's ccid driver must not both claim the reader, so
      # `disable-ccid` is written only for the pcscd-based configurations.
      scdaemonSettings =
        if ecfg.disableCcid then { disable-ccid = true; } else {};
    };
    services.gpg-agent = {
      enable = true;
      # Left off; the author's note says it runs into the same
      # reader-ownership problem described for the card setup above.
      #enableSshSupport = true;
      # Creates the restricted "extra" agent socket, the one intended for
      # forwarding to remote hosts. Anything able to connect to it can ask
      # the agent to sign/decrypt with the keys it holds, so keep it local.
      enableExtraSocket = true;
      # SECURITY NOTE (review): both the idle and the absolute cache limits
      # are 400 days, so a passphrase entered once stays in the agent's
      # memory for over a year (gnupg's defaults are 600 s / 7200 s).
      # Consider much shorter values unless the long-lived cache is
      # deliberate, especially with the extra socket enabled.
      defaultCacheTtl = cacheTtlSeconds;
      defaultCacheTtlSsh = cacheTtlSeconds;
      maxCacheTtl = cacheTtlSeconds;
      maxCacheTtlSsh = cacheTtlSeconds;
    };
  };
};
}