nixpkgs/nixos/modules/programs/gnupg.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.programs.gnupg;

in

{

  options.programs.gnupg = {
    agent.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables GnuPG agent with socket-activation for every user session.
      '';
    };

    agent.enableSSHSupport = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK
        environment variable correctly. This will disable socket-activation
        and thus always start a GnuPG agent per user session.
      '';
    };

    agent.enableExtraSocket = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable extra socket for GnuPG agent.
      '';
    };

    agent.enableBrowserSocket = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable browser socket for GnuPG agent.
      '';
    };

    dirmngr.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables GnuPG network certificate management daemon with socket-activation for every user session.
      '';
    };
  };

  config = mkIf cfg.agent.enable {
    systemd.user.sockets.gpg-agent = {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
      wantedBy = [ "sockets.target" ];
    };

    systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
      wantedBy = [ "sockets.target" ];
    };

    systemd.packages = [ pkgs.gnupg ];

    environment.extraInit = ''
      # Bind gpg-agent to this TTY if gpg commands are used.
      export GPG_TTY=$(tty)

    '' + (optionalString cfg.agent.enableSSHSupport ''
      # SSH agent protocol doesn't support changing TTYs, so bind the agent
      # to every new TTY.
      ${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null

      if [ -z "$SSH_AUTH_SOCK" ]; then
        export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
      fi
    '');

    assertions = [
      { assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
      }
    ];
  };

}
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`cfg = config.programs.gnupg;`

			`in`

			`{`

			`options.programs.gnupg = {`
			`agent.enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enables GnuPG agent with socket-activation for every user session.`
			`'';`
			`};`

			`agent.enableSSHSupport = mkOption {`
			`type = types.bool;`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`default = false;`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`description = ''`
			`Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK`
			`environment variable correctly. This will disable socket-activation`
			`and thus always start a GnuPG agent per user session.`
			`'';`
			`};`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00
			`agent.enableExtraSocket = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enable extra socket for GnuPG agent.`
			`'';`
			`};`

			`agent.enableBrowserSocket = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enable browser socket for GnuPG agent.`
			`'';`
			`};`

			`dirmngr.enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enables GnuPG network certificate management daemon with socket-activation for every user session.`
			`'';`
			`};`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`};`

			`config = mkIf cfg.agent.enable {`
			`systemd.user.sockets.gpg-agent = {`
			`wantedBy = [ "sockets.target" ];`
			`};`

			`systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {`
			`wantedBy = [ "sockets.target" ];`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`};`

			`systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {`
			`wantedBy = [ "sockets.target" ];`
			`};`

			`systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {`
			`wantedBy = [ "sockets.target" ];`
			`};`

gnupg agent module: Fix dirmngr.enable option 2017-06-26 19:33:23 -04:00			`systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {`
gnupg module: Added extra and browser sockets (#26295) Also added dirmngr and made SSH support false by default due to programs.ssh.startAgent defaulting to true. 2017-06-16 03:40:09 +10:00			`wantedBy = [ "sockets.target" ];`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`};`

			`systemd.packages = [ pkgs.gnupg ];`

programs.gnupg: use extraInit instead of interactiveShellInit Otherwise some programmes cannot use the GPG agent, e.g. applications started from dmenu. Behaviour was changed in #26888, this reverts that part. 2017-07-17 18:43:05 +02:00			`environment.extraInit = ''`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`# Bind gpg-agent to this TTY if gpg commands are used.`
			`export GPG_TTY=$(tty)`

			`'' + (optionalString cfg.agent.enableSSHSupport ''`
			`# SSH agent protocol doesn't support changing TTYs, so bind the agent`
			`# to every new TTY.`
			`${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null`

			`if [ -z "$SSH_AUTH_SOCK" ]; then`
			`export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)`
			`fi`
			`'');`

			`assertions = [`
gnupg agent module: fix ssh agent assertion logic 2017-07-11 01:24:13 +02:00			`{ assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;`
gnupg agent module: init Creates a systemd user service and updates the tty on new logins so that gpg-agent may find the current tty even if the SSH agent mode is used. 2017-05-25 21:14:39 +02:00			`message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";`
			`}`
			`];`
			`};`

			`}`