author | Philip Potter <philip.g.potter@gmail.com> | 2020-07-09 22:18:24 +0100 |
committer | Philip Potter <philip.g.potter@gmail.com> | 2020-07-16 15:29:33 +0100 |
commit | e4029c34fcf274d22fc42e6933c0cc0029888bee (patch) | |
tree | 1dbc74d6527544dacc45e63d93276a2edaee27d5 /nixos/modules/services/security | |
parent | af5accfa96c23a9a649e19321abb5e0ae24c259f (diff) | |
yubikey-agent: init at 0.1.3
This adds yubikey-agent as a package and a NixOS module. On macOS, we use `wrapProgram` to set pinentry_mac as the default in PATH; on Linux we rely on the user to set their preferred pinentry in PATH. In particular, we use a systemd override to prefix PATH in order to select the chosen pinentry program, if one is specified. On Linux, we need libnotify to provide the notify-send utility for desktop notifications (such as "Waiting for Yubikey touch..."). This might work on other flavors of Unix, but I haven't tested it. We reuse the programs.gnupg.agent.pinentryFlavor option for yubikey-agent, but in doing so I hit a problem: pinentryFlavor's default value is specified in a mkDefault, but only conditionally. We ought to be able to pick up the pinentryFlavor whether or not gpg-agent is running. As a result, this commit moves the default value to the definition of programs.gnupg.agent.enable.
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r-- | nixos/modules/services/security/yubikey-agent.nix | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/nixos/modules/services/security/yubikey-agent.nix b/nixos/modules/services/security/yubikey-agent.nix
new file mode 100644
index 00000000000..ac5d7054b2b
--- /dev/null
+++ b/nixos/modules/services/security/yubikey-agent.nix
@@ -0,0 +1,61 @@
+# Global configuration for yubikey-agent.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.yubikey-agent;
+
+ # reuse the pinentryFlavor option from the gnupg module
+ pinentryFlavor = config.programs.gnupg.agent.pinentryFlavor;
+in
+{
+ ###### interface
+
+ meta.maintainers = with maintainers; [ philandstuff rawkode ];
+
+ options = {
+
+ services.yubikey-agent = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to start yubikey-agent when you log in. Also sets
+ SSH_AUTH_SOCK to point at yubikey-agent.
+
+ Note that yubikey-agent will use whatever pinentry is
+ specified in programs.gnupg.agent.pinentryFlavor.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.yubikey-agent;
+ defaultText = "pkgs.yubikey-agent";
+ description = ''
+ The package used for the yubikey-agent daemon.
+ '';
+ };
+ };
+ };
+
+ config = {
+ environment.systemPackages = [ cfg.package ];
+ systemd.packages = [ cfg.package ];
+
+ # This overrides the systemd user unit shipped with the
+ # yubikey-agent package
+ systemd.user.services.yubikey-agent = mkIf (pinentryFlavor != null) {
+ path = [ pkgs.pinentry.${pinentryFlavor} ];
+ };
+
+ environment.extraInit = optionalString cfg.enable
+ ''
+ if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
+ export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"
+ fi
+ '';
+ };
+}
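Review bot: The `environment.systemPackages`, `systemd.packages` and `systemd.user.services.yubikey-agent` definitions in the `config` attribute set are not gated on `services.yubikey-agent.enable`; only `environment.extraInit` is wrapped in `optionalString cfg.enable`. With the default `enable = false`, any system importing this module still gets the yubikey-agent package installed, its user unit shipped, and the pinentry PATH override applied, which is the opposite of what the option description promises. The conventional module shape is `config = mkIf cfg.enable {` for the whole set, with the `optionalString cfg.enable` on `environment.extraInit` then dropped. The socket path `$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock` in the extraInit snippet is hard-coded and presumably has to match the unit shipped in the package, so a comment such as `# must match the listen path of the user unit in cfg.package` would help whoever next bumps the package. The file is new, so the whole module is visible in this hunk.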