diff --git a/configuration/desktop/ssh.nix b/configuration/desktop/ssh.nix
index 63deb0d..ca528bc 100644
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -2,9 +2,8 @@
 {
- imports = [
- ../../configuration/gpg-ssh
- ];
+ profiles.clerie.gpg-ssh.enable = true;
+
 programs.gnupg.agent = {
 pinentryPackage = pkgs.pinentry-gtk2;
 };
diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix
deleted file mode 100644
index 497c280..0000000
--- a/configuration/gpg-ssh/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-
- custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
- configureFlags = prev.configureFlags ++ [
- # Make sure scdaemon never ever again tries to use its own ccid driver
- "--disable-ccid-driver"
- ];
- });
-
-in {
-
- programs.gnupg.package = custom_gnupg;
- programs.gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
- };
-
- environment.systemPackages = with pkgs; [
- custom_gnupg
- yubikey-personalization
- openpgp-card-tools
-
- # Add wrapper around ssh that takes the gnupg ssh-agent
- # instead of gnome-keyring
- ssh-gpg
- ];
-
- services.pcscd.enable = true;
-
- # pcscd sometimes breaks and seem to need a manual restart
- # so we allow users to restart that service themself
- security.polkit.extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (
- action.id == "org.freedesktop.systemd1.manage-units"
- && action.lookup("unit") == "pcscd.service"
- && action.lookup("verb") == "restart"
- && subject.isInGroup("users")
- ) {
- return polkit.Result.YES;
- }
- });
- '';
-
- services.udev.packages = with pkgs; [
- yubikey-personalization
- ];
-}
diff --git a/hosts/_iso/configuration.nix b/hosts/_iso/configuration.nix
index 9d267aa..b5e54d5 100644
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -3,9 +3,9 @@
 {
 imports = [
 (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
- ../../configuration/gpg-ssh
 ];
+ profiles.clerie.gpg-ssh.enable = true;
 profiles.clerie.network-fallback-dhcp.enable = true;
 # systemd in initrd is broken with ISOs
diff --git a/profiles/default.nix b/profiles/default.nix
index 1570ea9..b385ca1 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -12,6 +12,7 @@
 ./dn42-router
 ./fem-net
 ./firefox
+ ./gpg-ssh
 ./hetzner-cloud
 ./hydra-build-machine
 ./mercury-vm
diff --git a/profiles/gpg-ssh/default.nix b/profiles/gpg-ssh/default.nix
new file mode 100644
index 0000000..ba2da69
--- /dev/null
+++ b/profiles/gpg-ssh/default.nix
@@ -0,0 +1,64 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+
+ cfg = config.profiles.clerie.gpg-ssh;
+
+ custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+ configureFlags = prev.configureFlags ++ [
+ # Make sure scdaemon never ever again tries to use its own ccid driver
+ "--disable-ccid-driver"
+ ];
+ });
+
+in {
+
+ options.profiles.clerie.gpg-ssh = {
+ enable = mkEnableOption "SSH integration for GPG";
+ };
+
+ config = mkIf config.profiles.clerie.gpg-ssh.enable {
+
+ programs.gnupg.package = custom_gnupg;
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+ };
+
+ environment.systemPackages = with pkgs; [
+ custom_gnupg
+ yubikey-personalization
+ openpgp-card-tools
+
+ # Add wrapper around ssh that takes the gnupg ssh-agent
+ # instead of gnome-keyring
+ ssh-gpg
+ ];
+
+ services.pcscd.enable = true;
+
+ # pcscd sometimes breaks and seem to need a manual restart
+ # so we allow users to restart that service themself
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ action.id == "org.freedesktop.systemd1.manage-units"
+ && action.lookup("unit") == "pcscd.service"
+ && action.lookup("verb") == "restart"
+ && subject.isInGroup("users")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+
+ services.udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
+
+ };
+
+}
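Review bot: `cfg` is bound in the `let` block of the new profile (`cfg = config.profiles.clerie.gpg-ssh;`) but never used; the `config = mkIf config.profiles.clerie.gpg-ssh.enable {` line spells the option path out again, so either drop the binding or use it: `config = mkIf cfg.enable {`. The file also opens with `with lib;` yet still writes `lib.mkDefault pkgs.pinentry-curses`; pick one form (plain `mkDefault`, or drop `with lib;` and qualify `mkEnableOption`/`mkIf` with `lib.`) so the scoping is consistent for readers. The polkit rule, pcscd and udev settings are carried over verbatim from the deleted configuration/gpg-ssh module, so nothing new is granted, but now that this is an opt-in option a one-line comment above `services.pcscd.enable = true;` saying that enabling the profile also lets members of the `users` group restart pcscd.service via systemd would make that consequence visible to whoever flips `enable` on a host.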