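{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.programs.gnupg;

  # gnupg ships its own user socket/service units. They are installed as soon
  # as either daemon is requested, so dirmngr can be enabled on its own instead
  # of silently depending on agent.enable (the previous behaviour).
  anyDaemon = cfg.agent.enable || cfg.dirmngr.enable;

in

{

  options.programs.gnupg = {
    agent.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables GnuPG agent with socket-activation for every user session.
      '';
    };

    agent.enableSSHSupport = mkOption {
      type = types.bool;
      default = false;
      # The SSH socket is a plain socket unit like the others, so the agent is
      # still socket-activated; the old "disables socket-activation" wording
      # no longer matched the configuration below.
      description = ''
        Enable SSH agent support in GnuPG agent. Also sets the SSH_AUTH_SOCK
        environment variable, unless it is already set.
      '';
    };

    # gnupg's "extra" socket is its restricted-command socket, intended for
    # forwarding the agent to other hosts; keep it off unless that is needed.
    agent.enableExtraSocket = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable extra socket for GnuPG agent.
      '';
    };

    # Socket used by browser integration; likewise opt-in only.
    agent.enableBrowserSocket = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable browser socket for GnuPG agent.
      '';
    };

    dirmngr.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables GnuPG network certificate management daemon with socket-activation for every user session.
      '';
    };
  };

  config = mkIf anyDaemon {
    # Provides the gpg-agent*.socket/.service and dirmngr.socket/.service
    # user units that the socket definitions below refer to.
    systemd.packages = [ pkgs.gnupg ];

    systemd.user.sockets.gpg-agent = mkIf cfg.agent.enable {
      wantedBy = [ "sockets.target" ];
    };

    # The SSH, extra and browser sockets belong to gpg-agent, so they are only
    # activated together with it (as before, when everything sat under
    # mkIf cfg.agent.enable).
    systemd.user.sockets.gpg-agent-ssh = mkIf (cfg.agent.enable && cfg.agent.enableSSHSupport) {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-extra = mkIf (cfg.agent.enable && cfg.agent.enableExtraSocket) {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-browser = mkIf (cfg.agent.enable && cfg.agent.enableBrowserSocket) {
      wantedBy = [ "sockets.target" ];
    };

    # Independent of gpg-agent: dirmngr.enable alone is enough.
    systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
      wantedBy = [ "sockets.target" ];
    };

    # Shell initialisation is only meaningful for gpg-agent, not for dirmngr.
    environment.extraInit = optionalString cfg.agent.enable (''
      # Bind gpg-agent to this TTY if gpg commands are used.
      export GPG_TTY=$(tty)

    '' + optionalString cfg.agent.enableSSHSupport ''
      # SSH agent protocol doesn't support changing TTYs, so bind the agent
      # to every new TTY.
      ${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null

      # An SSH_AUTH_SOCK that is already set (e.g. one forwarded over ssh) is
      # left untouched; only an empty value is pointed at gpg-agent's socket.
      if [ -z "$SSH_AUTH_SOCK" ]; then
        export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
      fi
    '');

    # Two agents competing for SSH_AUTH_SOCK is a configuration error; the
    # check is scoped to agent.enable so a dirmngr-only setup is unaffected.
    assertions = [
      { assertion = (cfg.agent.enable && cfg.agent.enableSSHSupport) -> !config.programs.ssh.startAgent;
        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
      }
    ];
  };

}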