feat(shell): Add age and ssh commit signing

And use Yubikey
edmundmiller · Jan 3, 2024 · 2f62980 · 2f62980
1 parent a330a93
commit 2f62980
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 21 deletions.
diff --git a/config/git/config b/config/git/config
@@ -1,11 +1,17 @@
 [user]
 	name = Edmund Miller
-	email = edmund.a.miller@protonmail.com
-	signingkey = BD387FF7BC10AA9D
+	email = git@edmundmiller.dev
+	signingkey = ~/.ssh/id_ed25519_sk.pub
 [commit]
 	gpgsign = true
+[tag]
+	gpgSign = true
+[gpg]
+	format = ssh
 [core]
 	whitespace = trailing-space
+[init]
+	defaultBranch = main
 [github]
 	user = edmundmiller
 [gitlab]
@@ -41,5 +47,3 @@
     insteadOf = gist:
 [url "https://bitbucket.org/"]
     insteadOf = bb:
-[init]
-  defaultBranch = main
diff --git a/hosts/framework/default.nix b/hosts/framework/default.nix
@@ -67,6 +67,7 @@
     };
 
     shell = {
+      age.enable = true;
       bitwarden.enable = true;
       direnv.enable = true;
       nushell.enable = true;
@@ -75,6 +76,7 @@
       pass.enable = true;
       tmux.enable = true;
       zsh.enable = true;
+      yubikey.enable = true;
     };
 
     services = {

diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
@@ -21,6 +21,7 @@ in {
     };
 
     user.openssh.authorizedKeys.keys = [
+      "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIULtYtRuaMWDs4DvMe7NnpK6TeG0qKQ4QMkHowPzPzkAAAABHNzaDo= edmundmiller"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr8iZah3mwOy5QmDA/loQYBRspXooF2Fqaoq9kTAfuX edmuna.a.miller@gmail.com"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3EVc3A55QHe83NXfqrClVohWz2DscDgx0pr4PSlcGO edmund.a.miller@protonmail.com"
     ];

diff --git a/modules/shell/age.nix b/modules/shell/age.nix
@@ -0,0 +1,19 @@
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.my; let
+  cfg = config.modules.shell.age;
+in {
+  options.modules.shell.age = with types; {
+    enable = mkBoolOpt false;
+  };
+
+  config = mkIf cfg.enable {
+    user.packages = [pkgs.rage];
+  };
+}
diff --git a/modules/shell/gnupg.nix b/modules/shell/gnupg.nix
@@ -19,7 +19,7 @@ in {
 
     programs.gnupg.agent.enable = true;
 
-    user.packages = [pkgs.tomb pkgs.rage];
+    user.packages = [pkgs.tomb];
 
     # HACK Without this config file you get "No pinentry program" on 20.03.
     #      programs.gnupg.agent.pinentryFlavor doesn't appear to work, and this

diff --git a/modules/shell/yubikey.nix b/modules/shell/yubikey.nix
@@ -13,7 +13,7 @@ in {
 
   config = mkIf cfg.enable {
     user.packages = with pkgs; [
-      gnupg
+      age-plugin-yubikey
       yubikey-manager-qt
       yubikey-manager
       yubikey-personalization
@@ -23,20 +23,5 @@ in {
     # According to https://github.com/NixOS/nixpkgs/issues/85127
     # This is no longer necessary
     # services.pcscd.enable = true;
-
-    # FIXME
-    environment.shellInit = ''
-      export GPG_TTY="$(tty)"
-      gpg-connect-agent /bye
-      export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
-    '';
-
-    programs = {
-      ssh.startAgent = false;
-      gnupg.agent = {
-        enable = true;
-        enableSSHSupport = true;
-      };
-    };
   };
 }