4d19ca4703
GitOrigin-RevId: a7117efb3725e6197dd95424136f79147aa35e5b
321 lines
9.2 KiB
Nix
321 lines
9.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.programs.gpg;
|
|
|
|
mkKeyValue = key: value:
|
|
if isString value then "${key} ${value}" else optionalString value key;
|
|
|
|
cfgText = generators.toKeyValue {
|
|
inherit mkKeyValue;
|
|
listsAsDuplicateKeys = true;
|
|
} cfg.settings;
|
|
|
|
scdaemonCfgText = generators.toKeyValue {
|
|
inherit mkKeyValue;
|
|
listsAsDuplicateKeys = true;
|
|
} cfg.scdaemonSettings;
|
|
|
|
primitiveType = types.oneOf [ types.str types.bool ];
|
|
|
|
publicKeyOpts = { config, ... }: {
|
|
options = {
|
|
text = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = ''
|
|
Text of an OpenPGP public key.
|
|
'';
|
|
};
|
|
|
|
source = mkOption {
|
|
type = types.path;
|
|
description = ''
|
|
Path of an OpenPGP public key file.
|
|
'';
|
|
};
|
|
|
|
trust = mkOption {
|
|
type = types.nullOr (types.enum [
|
|
"unknown"
|
|
1
|
|
"never"
|
|
2
|
|
"marginal"
|
|
3
|
|
"full"
|
|
4
|
|
"ultimate"
|
|
5
|
|
]);
|
|
default = null;
|
|
apply = v:
|
|
if isString v then
|
|
{
|
|
unknown = 1;
|
|
never = 2;
|
|
marginal = 3;
|
|
full = 4;
|
|
ultimate = 5;
|
|
}.${v}
|
|
else
|
|
v;
|
|
description = ''
|
|
The amount of trust you have in the key ownership and the care the
|
|
owner puts into signing other keys. The available levels are
|
|
|
|
`unknown` or `1`
|
|
: I don't know or won't say.
|
|
|
|
`never` or `2`
|
|
: I do **not** trust.
|
|
|
|
`marginal` or `3`
|
|
: I trust marginally.
|
|
|
|
`full` or `4`
|
|
: I trust fully.
|
|
|
|
`ultimate` or `5`
|
|
: I trust ultimately.
|
|
|
|
See the [Key Management chapter](https://www.gnupg.org/gph/en/manual/x334.html)
|
|
of the GNU Privacy Handbook for more.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = {
|
|
source =
|
|
mkIf (config.text != null) (pkgs.writeText "gpg-pubkey" config.text);
|
|
};
|
|
};
|
|
|
|
importTrustBashFunctions = let gpg = "${cfg.package}/bin/gpg";
|
|
in ''
|
|
function gpgKeyId() {
|
|
${gpg} --show-key --with-colons "$1" \
|
|
| grep ^pub: \
|
|
| cut -d: -f5
|
|
}
|
|
|
|
function importTrust() {
|
|
local keyIds trust
|
|
IFS='\n' read -ra keyIds <<< "$(gpgKeyId "$1")"
|
|
trust="$2"
|
|
for id in "''${keyIds[@]}" ; do
|
|
{ echo trust; echo "$trust"; (( trust == 5 )) && echo y; echo quit; } \
|
|
| ${gpg} --no-tty --command-fd 0 --edit-key "$id"
|
|
done
|
|
}
|
|
|
|
'';
|
|
|
|
keyringFiles = let
|
|
gpg = "${cfg.package}/bin/gpg";
|
|
|
|
importKey = { source, trust, ... }: ''
|
|
${gpg} --import ${source}
|
|
${optionalString (trust != null)
|
|
''importTrust "${source}" ${toString trust}''}
|
|
'';
|
|
|
|
importKeys = concatMapStringsSep "\n" importKey cfg.publicKeys;
|
|
in pkgs.runCommand "gpg-pubring" { buildInputs = [ cfg.package ]; } ''
|
|
export GNUPGHOME
|
|
GNUPGHOME=$(mktemp -d)
|
|
|
|
${importTrustBashFunctions}
|
|
${importKeys}
|
|
|
|
mkdir $out
|
|
cp $GNUPGHOME/pubring.kbx $out/pubring.kbx
|
|
if [[ -e $GNUPGHOME/trustdb.gpg ]] ; then
|
|
cp $GNUPGHOME/trustdb.gpg $out/trustdb.gpg
|
|
fi
|
|
'';
|
|
|
|
in {
|
|
options.programs.gpg = {
|
|
enable = mkEnableOption "GnuPG";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.gnupg;
|
|
defaultText = literalExpression "pkgs.gnupg";
|
|
example = literalExpression "pkgs.gnupg23";
|
|
description =
|
|
"The Gnupg package to use (also used by the gpg-agent service).";
|
|
};
|
|
|
|
settings = mkOption {
|
|
type =
|
|
types.attrsOf (types.either primitiveType (types.listOf types.str));
|
|
example = literalExpression ''
|
|
{
|
|
no-comments = false;
|
|
s2k-cipher-algo = "AES128";
|
|
}
|
|
'';
|
|
description = ''
|
|
GnuPG configuration options. Available options are described
|
|
in
|
|
[
|
|
{manpage}`gpg(1)`
|
|
](https://gnupg.org/documentation/manpage.html).
|
|
|
|
Note that lists are converted to duplicate keys.
|
|
'';
|
|
};
|
|
|
|
scdaemonSettings = mkOption {
|
|
type =
|
|
types.attrsOf (types.either primitiveType (types.listOf types.str));
|
|
example = literalExpression ''
|
|
{
|
|
disable-ccid = true;
|
|
}
|
|
'';
|
|
description = ''
|
|
SCdaemon configuration options. Available options are described
|
|
in
|
|
[
|
|
{manpage}`scdaemon(1)`
|
|
](https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Options.html).
|
|
'';
|
|
};
|
|
|
|
homedir = mkOption {
|
|
type = types.path;
|
|
example = literalExpression ''"''${config.xdg.dataHome}/gnupg"'';
|
|
default = "${config.home.homeDirectory}/.gnupg";
|
|
defaultText =
|
|
literalExpression ''"''${config.home.homeDirectory}/.gnupg"'';
|
|
description = "Directory to store keychains and configuration.";
|
|
};
|
|
|
|
mutableKeys = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
If set to `true`, you may manage your keyring as a user
|
|
using the `gpg` command. Upon activation, the keyring
|
|
will have managed keys added without overwriting unmanaged keys.
|
|
|
|
If set to `false`, the path
|
|
{file}`$GNUPGHOME/pubring.kbx` will become an immutable
|
|
link to the Nix store, denying modifications.
|
|
'';
|
|
};
|
|
|
|
mutableTrust = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
If set to `true`, you may manage trust as a user using
|
|
the {command}`gpg` command. Upon activation, trusted keys have
|
|
their trust set without overwriting unmanaged keys.
|
|
|
|
If set to `false`, the path
|
|
{file}`$GNUPGHOME/trustdb.gpg` will be
|
|
*overwritten* on each activation, removing trust for
|
|
any unmanaged keys. Be careful to make a backup of your old
|
|
{file}`trustdb.gpg` before switching to immutable trust!
|
|
'';
|
|
};
|
|
|
|
publicKeys = mkOption {
|
|
type = types.listOf (types.submodule publicKeyOpts);
|
|
example = literalExpression ''
|
|
[ { source = ./pubkeys.txt; } ]
|
|
'';
|
|
default = [ ];
|
|
description = ''
|
|
A list of public keys to be imported into GnuPG. Note, these key files
|
|
will be copied into the world-readable Nix store.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
programs.gpg.settings = {
|
|
personal-cipher-preferences = mkDefault "AES256 AES192 AES";
|
|
personal-digest-preferences = mkDefault "SHA512 SHA384 SHA256";
|
|
personal-compress-preferences = mkDefault "ZLIB BZIP2 ZIP Uncompressed";
|
|
default-preference-list = mkDefault
|
|
"SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
|
|
cert-digest-algo = mkDefault "SHA512";
|
|
s2k-digest-algo = mkDefault "SHA512";
|
|
s2k-cipher-algo = mkDefault "AES256";
|
|
charset = mkDefault "utf-8";
|
|
fixed-list-mode = mkDefault true;
|
|
no-comments = mkDefault true;
|
|
no-emit-version = mkDefault true;
|
|
keyid-format = mkDefault "0xlong";
|
|
list-options = mkDefault "show-uid-validity";
|
|
verify-options = mkDefault "show-uid-validity";
|
|
with-fingerprint = mkDefault true;
|
|
require-cross-certification = mkDefault true;
|
|
no-symkey-cache = mkDefault true;
|
|
use-agent = mkDefault true;
|
|
};
|
|
|
|
programs.gpg.scdaemonSettings = {
|
|
# no defaults for scdaemon
|
|
};
|
|
|
|
home.packages = [ cfg.package ];
|
|
home.sessionVariables = { GNUPGHOME = cfg.homedir; };
|
|
|
|
home.file."${cfg.homedir}/gpg.conf".text = cfgText;
|
|
|
|
home.file."${cfg.homedir}/scdaemon.conf".text = scdaemonCfgText;
|
|
|
|
# Link keyring if keys are not mutable
|
|
home.file."${cfg.homedir}/pubring.kbx" =
|
|
mkIf (!cfg.mutableKeys && cfg.publicKeys != [ ]) {
|
|
source = "${keyringFiles}/pubring.kbx";
|
|
};
|
|
|
|
home.activation = {
|
|
createGpgHomedir =
|
|
hm.dag.entryBetween [ "linkGeneration" ] [ "writeBoundary" ] ''
|
|
run mkdir -m700 -p $VERBOSE_ARG ${escapeShellArg cfg.homedir}
|
|
'';
|
|
|
|
importGpgKeys = let
|
|
gpg = "${cfg.package}/bin/gpg";
|
|
|
|
importKey = { source, trust, ... }:
|
|
# Import mutable keys
|
|
optional cfg.mutableKeys "run ${gpg} $QUIET_ARG --import ${source}"
|
|
|
|
# Import mutable trust
|
|
++ optional (trust != null && cfg.mutableTrust)
|
|
''run importTrust "${source}" ${toString trust}'';
|
|
|
|
anyTrust = any (k: k.trust != null) cfg.publicKeys;
|
|
|
|
importKeys = concatStringsSep "\n" (concatMap importKey cfg.publicKeys);
|
|
|
|
# If any key/trust should be imported then create the block. Otherwise
|
|
# leave it empty.
|
|
block = concatStringsSep "\n" (optional (importKeys != "") ''
|
|
export GNUPGHOME=${escapeShellArg cfg.homedir}
|
|
if [[ ! -v VERBOSE ]]; then
|
|
QUIET_ARG="--quiet"
|
|
else
|
|
QUIET_ARG=""
|
|
fi
|
|
${importTrustBashFunctions}
|
|
${importKeys}
|
|
unset GNUPGHOME QUIET_ARG keyId importTrust
|
|
'' ++ optional (!cfg.mutableTrust && anyTrust) ''
|
|
install -m 0700 ${keyringFiles}/trustdb.gpg "${cfg.homedir}/trustdb.gpg"'');
|
|
in mkIf (cfg.publicKeys != [ ])
|
|
(lib.hm.dag.entryAfter [ "linkGeneration" ] block);
|
|
};
|
|
};
|
|
}
|