9bf9e7ac5c
This option enables a GPG Agent restricted socket (aka "extra-socket"), which can be used to forward GPG Agent over SSH. Additionally `verbose` option enables verbose output of an `gpg-agent.service` unit for easier debugging. See: https://wiki.gnupg.org/AgentForwarding
202 lines
5.4 KiB
Nix
202 lines
5.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.services.gpg-agent;
|
|
|
|
gpgInitStr = ''
|
|
GPG_TTY="$(tty)"
|
|
export GPG_TTY
|
|
''
|
|
+ optionalString cfg.enableSshSupport
|
|
"${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye > /dev/null";
|
|
|
|
in
|
|
|
|
{
|
|
meta.maintainers = [ maintainers.rycee ];
|
|
|
|
options = {
|
|
services.gpg-agent = {
|
|
enable = mkEnableOption "GnuPG private key agent";
|
|
|
|
defaultCacheTtl = mkOption {
|
|
type = types.nullOr types.int;
|
|
default = null;
|
|
description = ''
|
|
Set the time a cache entry is valid to the given number of
|
|
seconds.
|
|
'';
|
|
};
|
|
|
|
defaultCacheTtlSsh = mkOption {
|
|
type = types.nullOr types.int;
|
|
default = null;
|
|
description = ''
|
|
Set the time a cache entry used for SSH keys is valid to the
|
|
given number of seconds.
|
|
'';
|
|
};
|
|
|
|
enableSshSupport = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to use the GnuPG key agent for SSH keys.
|
|
'';
|
|
};
|
|
|
|
enableExtraSocket = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to enable extra socket of the GnuPG key agent (useful for GPG
|
|
Agent forwarding).
|
|
'';
|
|
};
|
|
|
|
verbose = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to produce verbose output.
|
|
'';
|
|
};
|
|
|
|
grabKeyboardAndMouse = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
Tell the pinentry to grab the keyboard and mouse. This
|
|
option should in general be used to avoid X-sniffing
|
|
attacks. When disabled, this option passes
|
|
<option>no-grab</option> setting to gpg-agent.
|
|
'';
|
|
};
|
|
|
|
enableScDaemon = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
Make use of the scdaemon tool. This option has the effect of
|
|
enabling the ability to do smartcard operations. When
|
|
disabled, this option passes
|
|
<option>disable-scdaemon</option> setting to gpg-agent.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable (mkMerge [
|
|
{
|
|
home.file.".gnupg/gpg-agent.conf".text = concatStringsSep "\n" (
|
|
optional (cfg.enableSshSupport) "enable-ssh-support"
|
|
++
|
|
optional (!cfg.grabKeyboardAndMouse) "no-grab"
|
|
++
|
|
optional (!cfg.enableScDaemon) "disable-scdaemon"
|
|
++
|
|
optional (cfg.defaultCacheTtl != null)
|
|
"default-cache-ttl ${toString cfg.defaultCacheTtl}"
|
|
++
|
|
optional (cfg.defaultCacheTtlSsh != null)
|
|
"default-cache-ttl-ssh ${toString cfg.defaultCacheTtlSsh}"
|
|
);
|
|
|
|
home.sessionVariables =
|
|
optionalAttrs cfg.enableSshSupport {
|
|
SSH_AUTH_SOCK = "$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)";
|
|
};
|
|
|
|
programs.bash.initExtra = gpgInitStr;
|
|
programs.zsh.initExtra = gpgInitStr;
|
|
}
|
|
|
|
# The systemd units below are direct translations of the
|
|
# descriptions in the
|
|
#
|
|
# ${pkgs.gnupg}/share/doc/gnupg/examples/systemd-user
|
|
#
|
|
# directory.
|
|
{
|
|
systemd.user.services.gpg-agent = {
|
|
Unit = {
|
|
Description = "GnuPG cryptographic agent and passphrase cache";
|
|
Documentation = "man:gpg-agent(1)";
|
|
Requires = "gpg-agent.socket";
|
|
After = "gpg-agent.socket";
|
|
# This is a socket-activated service:
|
|
RefuseManualStart = true;
|
|
};
|
|
|
|
Service = {
|
|
ExecStart = "${pkgs.gnupg}/bin/gpg-agent --supervised"
|
|
+ optionalString cfg.verbose " --verbose";
|
|
ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
|
|
};
|
|
};
|
|
|
|
systemd.user.sockets.gpg-agent = {
|
|
Unit = {
|
|
Description = "GnuPG cryptographic agent and passphrase cache";
|
|
Documentation = "man:gpg-agent(1)";
|
|
};
|
|
|
|
Socket = {
|
|
ListenStream = "%t/gnupg/S.gpg-agent";
|
|
FileDescriptorName = "std";
|
|
SocketMode = "0600";
|
|
DirectoryMode = "0700";
|
|
};
|
|
|
|
Install = {
|
|
WantedBy = [ "sockets.target" ];
|
|
};
|
|
};
|
|
}
|
|
|
|
(mkIf cfg.enableSshSupport {
|
|
systemd.user.sockets.gpg-agent-ssh = {
|
|
Unit = {
|
|
Description = "GnuPG cryptographic agent (ssh-agent emulation)";
|
|
Documentation = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)";
|
|
};
|
|
|
|
Socket = {
|
|
ListenStream = "%t/gnupg/S.gpg-agent.ssh";
|
|
FileDescriptorName = "ssh";
|
|
Service = "gpg-agent.service";
|
|
SocketMode = "0600";
|
|
DirectoryMode = "0700";
|
|
};
|
|
|
|
Install = {
|
|
WantedBy = [ "sockets.target" ];
|
|
};
|
|
};
|
|
})
|
|
|
|
(mkIf cfg.enableExtraSocket {
|
|
systemd.user.sockets.gpg-agent-extra = {
|
|
Unit = {
|
|
Description = "GnuPG cryptographic agent and passphrase cache (restricted)";
|
|
Documentation = "man:gpg-agent(1) man:ssh(1)";
|
|
};
|
|
|
|
Socket = {
|
|
ListenStream = "%t/gnupg/S.gpg-agent.extra";
|
|
FileDescriptorName = "extra";
|
|
Service = "gpg-agent.service";
|
|
SocketMode = "0600";
|
|
DirectoryMode = "0700";
|
|
};
|
|
|
|
Install = {
|
|
WantedBy = [ "sockets.target" ];
|
|
};
|
|
};
|
|
})
|
|
]);
|
|
}
|