nixpkgs/nixos/modules/programs/gnupg.nix
Emanuel Evans ddabdc0a1e
nixos/gnupg: set SSH_AUTH_SOCK in non-interactive settings
`SSH_AUTH_SOCK` is useful in some non-interactive settings, for instance
daemonized Emacs. Fixes #55733.
2019-02-23 10:49:32 -08:00

103 lines
2.6 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.gnupg;
in
{
options.programs.gnupg = {
agent.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables GnuPG agent with socket-activation for every user session.
'';
};
agent.enableSSHSupport = mkOption {
type = types.bool;
default = false;
description = ''
Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK
environment variable correctly. This will disable socket-activation
and thus always start a GnuPG agent per user session.
'';
};
agent.enableExtraSocket = mkOption {
type = types.bool;
default = false;
description = ''
Enable extra socket for GnuPG agent.
'';
};
agent.enableBrowserSocket = mkOption {
type = types.bool;
default = false;
description = ''
Enable browser socket for GnuPG agent.
'';
};
dirmngr.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables GnuPG network certificate management daemon with socket-activation for every user session.
'';
};
};
config = mkIf cfg.agent.enable {
systemd.user.sockets.gpg-agent = {
wantedBy = [ "sockets.target" ];
};
systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
wantedBy = [ "sockets.target" ];
};
systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
wantedBy = [ "sockets.target" ];
};
systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
wantedBy = [ "sockets.target" ];
};
systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
wantedBy = [ "sockets.target" ];
};
systemd.packages = [ pkgs.gnupg ];
environment.interactiveShellInit = ''
# Bind gpg-agent to this TTY if gpg commands are used.
export GPG_TTY=$(tty)
'' + (optionalString cfg.agent.enableSSHSupport ''
# SSH agent protocol doesn't support changing TTYs, so bind the agent
# to every new TTY.
${pkgs.gnupg}/bin/gpg-connect-agent --quiet updatestartuptty /bye > /dev/null
'');
environment.extraInit = mkIf cfg.agent.enableSSHSupport ''
if [ -z "$SSH_AUTH_SOCK" ]; then
export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
fi
'';
assertions = [
{ assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
}
];
};
}