nixpkgs/nixos/modules/programs/gnupg.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.programs.gnupg;

  xserverCfg = config.services.xserver;

  defaultPinentryFlavor =
    if xserverCfg.desktopManager.lxqt.enable
    || xserverCfg.desktopManager.plasma5.enable then
      "qt"
    else if xserverCfg.desktopManager.xfce.enable then
      "gtk2"
    else if xserverCfg.enable || config.programs.sway.enable then
      "gnome3"
    else
      null;

in

{

  options.programs.gnupg = {
    package = mkOption {
      type = types.package;
      default = pkgs.gnupg;
      defaultText = "pkgs.gnupg";
      description = ''
        The gpg package that should be used.
      '';
    };

    agent.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables GnuPG agent with socket-activation for every user session.
      '';
    };

    agent.enableSSHSupport = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK
        environment variable correctly. This will disable socket-activation
        and thus always start a GnuPG agent per user session.
      '';
    };

    agent.enableExtraSocket = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable extra socket for GnuPG agent.
      '';
    };

    agent.enableBrowserSocket = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable browser socket for GnuPG agent.
      '';
    };

    agent.pinentryFlavor = mkOption {
      type = types.nullOr (types.enum pkgs.pinentry.flavors);
      example = "gnome3";
      description = ''
        Which pinentry interface to use. If not null, the path to the
        pinentry binary will be passed to gpg-agent via commandline and
        thus overrides the pinentry option in gpg-agent.conf in the user's
        home directory.
        If not set at all, it'll pick an appropriate flavor depending on the
        system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce
        4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
      '';
    };

    dirmngr.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables GnuPG network certificate management daemon with socket-activation for every user session.
      '';
    };
  };

  config = mkIf cfg.agent.enable {
    programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor;

    # This overrides the systemd user unit shipped with the gnupg package
    systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
      serviceConfig.ExecStart = [ "" ''
        ${cfg.package}/bin/gpg-agent --supervised \
          --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
      '' ];
    };

    systemd.user.sockets.gpg-agent = {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
      wantedBy = [ "sockets.target" ];
    };

    services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ];

    environment.systemPackages = with pkgs; [ cfg.package ];
    systemd.packages = [ cfg.package ];

    environment.interactiveShellInit = ''
      # Bind gpg-agent to this TTY if gpg commands are used.
      export GPG_TTY=$(tty)

    '' + (optionalString cfg.agent.enableSSHSupport ''
      # SSH agent protocol doesn't support changing TTYs, so bind the agent
      # to every new TTY.
      ${cfg.package}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null
    '');

    environment.extraInit = mkIf cfg.agent.enableSSHSupport ''
      if [ -z "$SSH_AUTH_SOCK" ]; then
        export SSH_AUTH_SOCK=$(${cfg.package}/bin/gpgconf --list-dirs agent-ssh-socket)
      fi
    '';

    assertions = [
      { assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
      }
    ];
  };

}
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`cfg = config.programs.gnupg;`

nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00			`xserverCfg = config.services.xserver;`

			`defaultPinentryFlavor =`
			`if xserverCfg.desktopManager.lxqt.enable`
			`\|\| xserverCfg.desktopManager.plasma5.enable then`
			`"qt"`
			`else if xserverCfg.desktopManager.xfce.enable then`
			`"gtk2"`
gnupg: fix pinentry in sway (fix a typo in 3c39093c0d1) 2019-10-30 02:00:39 -04:00			`else if xserverCfg.enable \|\| config.programs.sway.enable then`
nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00			`"gnome3"`
			`else`
			`null;`

gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`in`

			`{`

			`options.programs.gnupg = {`
programs.gnupg: Support setting the gnupg package 2019-03-17 09:49:50 +01:00			`package = mkOption {`
			`type = types.package;`
			`default = pkgs.gnupg;`
			`defaultText = "pkgs.gnupg";`
			`description = ''`
			`The gpg package that should be used.`
			`'';`
			`};`

gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`agent.enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enables GnuPG agent with socket-activation for every user session.`
			`'';`
			`};`

			`agent.enableSSHSupport = mkOption {`
			`type = types.bool;`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`default = false;`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`description = ''`
			`Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK`
			`environment variable correctly. This will disable socket-activation`
			`and thus always start a GnuPG agent per user session.`
			`'';`
			`};`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00
			`agent.enableExtraSocket = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enable extra socket for GnuPG agent.`
			`'';`
			`};`

			`agent.enableBrowserSocket = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enable browser socket for GnuPG agent.`
			`'';`
			`};`

nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00			`agent.pinentryFlavor = mkOption {`
			`type = types.nullOr (types.enum pkgs.pinentry.flavors);`
			`example = "gnome3";`
			`description = ''`
			`Which pinentry interface to use. If not null, the path to the`
			`pinentry binary will be passed to gpg-agent via commandline and`
			`thus overrides the pinentry option in gpg-agent.conf in the user's`
			`home directory.`
			`If not set at all, it'll pick an appropriate flavor depending on the`
gnupg: disable gui/pinentry support by default This solves the dependency cycle in gcr alternatively so there won't be two gnupg store paths in a standard NixOS system which has udisks2 enabled by default. NixOS users are expected to use the gpg-agent user service to pull in the appropriate pinentry flavour or install it on their systemPackages and set it in their local gnupg agent config instead. Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:03:13 +02:00			`system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce`
nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00			`4.12, gnome3 on all other systems with X enabled, ncurses otherwise).`
			`'';`
			`};`

gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`dirmngr.enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enables GnuPG network certificate management daemon with socket-activation for every user session.`
			`'';`
			`};`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`};`

			`config = mkIf cfg.agent.enable {`
nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00			`programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor;`

			`# This overrides the systemd user unit shipped with the gnupg package`
			`systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {`
			`serviceConfig.ExecStart = [ "" ''`
nixos/gnupg: actually use the configured gpg package Previously, this would ignore the `package` option if `pinentryFlavor` was set. 2020-01-13 19:10:32 +00:00			`${cfg.package}/bin/gpg-agent --supervised \`
nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00			`--pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry`
			`'' ];`
			`};`

gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`systemd.user.sockets.gpg-agent = {`
			`wantedBy = [ "sockets.target" ];`
			`};`

			`systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {`
			`wantedBy = [ "sockets.target" ];`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`};`

			`systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {`
			`wantedBy = [ "sockets.target" ];`
			`};`

			`systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {`
			`wantedBy = [ "sockets.target" ];`
			`};`

gnupg agent module: Fix dirmngr.enable option 2017-06-26 19:33:23 -04:00			`systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`wantedBy = [ "sockets.target" ];`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`};`
nixos/gnupg: add option for setting pinentry flavours Co-authored-by: Florian Klink <flokli@flokli.de> 2018-10-27 16:02:16 +02:00
nixos/gnupg: add dbus dependencies for gnome3 pinentry 2019-10-31 16:15:59 -04:00			`services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ];`

nixos/gnupg: Add gpg to systemPackages 2019-08-24 20:56:52 +02:00			`environment.systemPackages = with pkgs; [ cfg.package ];`
programs.gnupg: Support setting the gnupg package 2019-03-17 09:49:50 +01:00			`systemd.packages = [ cfg.package ];`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00
gnupg: Fix, set current tty in interactive shell GPG_TTY was not being set to the current tty, breaking pinentry-tty/pinentry-curses. 2018-10-21 10:19:04 +01:00			`environment.interactiveShellInit = ''`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`# Bind gpg-agent to this TTY if gpg commands are used.`
			`export GPG_TTY=$(tty)`

			`'' + (optionalString cfg.agent.enableSSHSupport ''`
			`# SSH agent protocol doesn't support changing TTYs, so bind the agent`
			`# to every new TTY.`
programs.gnupg: Support setting the gnupg package 2019-03-17 09:49:50 +01:00			`${cfg.package}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null`
nixos/gnupg: set SSH_AUTH_SOCK in non-interactive settings `SSH_AUTH_SOCK` is useful in some non-interactive settings, for instance daemonized Emacs. Fixes #55733. 2019-02-23 10:20:12 -08:00			`'');`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00
nixos/gnupg: set SSH_AUTH_SOCK in non-interactive settings `SSH_AUTH_SOCK` is useful in some non-interactive settings, for instance daemonized Emacs. Fixes #55733. 2019-02-23 10:20:12 -08:00			`environment.extraInit = mkIf cfg.agent.enableSSHSupport ''`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`if [ -z "$SSH_AUTH_SOCK" ]; then`
programs.gnupg: Support setting the gnupg package 2019-03-17 09:49:50 +01:00			`export SSH_AUTH_SOCK=$(${cfg.package}/bin/gpgconf --list-dirs agent-ssh-socket)`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`fi`
nixos/gnupg: set SSH_AUTH_SOCK in non-interactive settings `SSH_AUTH_SOCK` is useful in some non-interactive settings, for instance daemonized Emacs. Fixes #55733. 2019-02-23 10:20:12 -08:00			`'';`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00
			`assertions = [`
gnupg agent module: fix ssh agent assertion logic 2017-07-11 01:24:13 +02:00			`{ assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";`
			`}`
			`];`
			`};`

			`}`