diff options
| author | Michele Guerini Rocco <rnhmjoj@users.noreply.github.com> | 2023-06-26 16:22:41 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-06-26 16:22:41 +0200 |
| commit | 547cd96f10a3ac0126bc75d45b2337662df80f6a (patch) | |
| tree | 65c47ff51b79efa2ae56e16595954ae7dd5a2cb6 | |
| parent | 089fbf534b3d6fbcd3fad960bc919460ab44be21 (diff) | |
| parent | 8ea644997f7d92cac129ddbfab14b33997038dae (diff) | |
| download | nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.tar nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.tar.gz nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.tar.bz2 nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.tar.lz nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.tar.xz nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.tar.zst nixpkgs-547cd96f10a3ac0126bc75d45b2337662df80f6a.zip | |
Merge pull request #231108 from corngood/gpg-agent
nixos/gnupg: add systemd configuration
| -rw-r--r-- | nixos/modules/programs/gnupg.nix | 82 | ||||
| -rw-r--r-- | pkgs/tools/security/gnupg/22.nix | 2 | ||||
| -rw-r--r-- | pkgs/tools/security/gnupg/24.nix | 3 |
3 files changed, 80 insertions, 7 deletions
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix index 764a67a160c..3dfc53c5261 100644 --- a/nixos/modules/programs/gnupg.nix +++ b/nixos/modules/programs/gnupg.nix @@ -94,38 +94,110 @@ in }; config = mkIf cfg.agent.enable { + environment.etc."gnupg/gpg-agent.conf".text = '' + pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry + ''; + # This overrides the systemd user unit shipped with the gnupg package systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { - serviceConfig.ExecStart = [ "" '' - ${cfg.package}/bin/gpg-agent --supervised \ - --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry - '' ]; + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache"; + Documentation = "man:gpg-agent(1)"; + Requires = [ "gpg-agent.socket" ]; + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/gpg-agent --supervised"; + ExecReload = "${cfg.package}/bin/gpgconf --reload gpg-agent"; + }; }; systemd.user.sockets.gpg-agent = { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache"; + Documentation = "man:gpg-agent(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent"; + FileDescriptorName = "std"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport { + unitConfig = { + Description = "GnuPG cryptographic agent (ssh-agent emulation)"; + Documentation = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent.ssh"; + FileDescriptorName = "ssh"; + Service = "gpg-agent.service"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache (restricted)"; + Documentation = "man:gpg-agent(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent.extra"; + FileDescriptorName = "extra"; + Service = "gpg-agent.service"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache (access for web browsers)"; + Documentation = "man:gpg-agent(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent.browser"; + FileDescriptorName = "browser"; + Service = "gpg-agent.service"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; + systemd.user.services.dirmngr = mkIf cfg.dirmngr.enable { + unitConfig = { + Description = "GnuPG network certificate management daemon"; + Documentation = "man:dirmngr(8)"; + Requires = "dirmngr.socket"; + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/dirmngr --supervised"; + ExecReload = "${cfg.package}/bin/gpgconf --reload dirmngr"; + }; + }; + systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable { + unitConfig = { + Description = "GnuPG network certificate management daemon"; + Documentation = "man:dirmngr(8)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.dirmngr"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ]; environment.systemPackages = with pkgs; [ cfg.package ]; - systemd.packages = [ cfg.package ]; environment.interactiveShellInit = '' # Bind gpg-agent to this TTY if gpg commands are used. diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix index 6c2ffe12354..78f4af894a3 100644 --- a/pkgs/tools/security/gnupg/22.nix +++ b/pkgs/tools/security/gnupg/22.nix @@ -80,7 +80,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - passthru.tests.connman = lib.nixosTests.gnupg; + passthru.tests = lib.nixosTests.gnupg; meta = with lib; { homepage = "https://gnupg.org"; diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index c8e313cd9cf..de8fd8ce150 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -6,6 +6,7 @@ , withPcsc ? !enableMinimal, pcsclite , guiSupport ? stdenv.isDarwin, pinentry , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss +, nixosTests }: assert guiSupport -> enableMinimal == false; @@ -85,7 +86,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - passthru.tests.connman = lib.nixosTests.gnupg; + passthru.tests = nixosTests.gnupg; meta = with lib; { homepage = "https://gnupg.org"; |