From 2ae649af8042acfd8d155816a2783e12035186c8 Mon Sep 17 00:00:00 2001 From: clerie Date: Mon, 15 Apr 2024 08:44:09 +0200 Subject: [PATCH 1/6] configuration/gpg-ssh: Move GPG and SSH integration to seperate module --- configuration/desktop/ssh.nix | 13 ++++--------- configuration/gpg-ssh/default.nix | 21 +++++++++++++++++++++ hosts/_iso/configuration.nix | 1 + 3 files changed, 26 insertions(+), 9 deletions(-) create mode 100644 configuration/gpg-ssh/default.nix diff --git a/configuration/desktop/ssh.nix b/configuration/desktop/ssh.nix index 87e4cd2..63deb0d 100644 --- a/configuration/desktop/ssh.nix +++ b/configuration/desktop/ssh.nix @@ -1,19 +1,14 @@ { pkgs, ... }: { + + imports = [ + ../../configuration/gpg-ssh + ]; programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; pinentryPackage = pkgs.pinentry-gtk2; }; - # Add wrapper around ssh that takes the gnupg ssh-agent - # instead of gnome-keyring - environment.systemPackages = with pkgs; [ - ssh-gpg - ]; - - # Do not disable ssh-agent of gnome-keyring, because # gnupg ssh-agent can't handle normal SSH keys properly /* diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix new file mode 100644 index 0000000..e3daea7 --- /dev/null +++ b/configuration/gpg-ssh/default.nix @@ -0,0 +1,21 @@ +{ pkgs, lib, ... }: + +{ + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryPackage = lib.mkDefault pkgs.pinentry-curses; + }; + + environment.systemPackages = with pkgs; [ + gnupg + + # Add wrapper around ssh that takes the gnupg ssh-agent + # instead of gnome-keyring + ssh-gpg + ]; + + services.pcscd.enable = true; + +} diff --git a/hosts/_iso/configuration.nix b/hosts/_iso/configuration.nix index 88ccf9c..4db915c 100644 --- a/hosts/_iso/configuration.nix +++ b/hosts/_iso/configuration.nix @@ -3,6 +3,7 @@ { imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-base.nix") + ../../configuration/gpg-ssh ]; networking.hostName = "isowo"; 
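Review bot: The new configuration/gpg-ssh/default.nix has no comment saying what it provides or why `pinentryPackage` is only a `lib.mkDefault`, so a reader of hosts/_iso/configuration.nix sees gpg-agent, an `ssh-gpg` wrapper and pcscd appear on the installer image with no rationale. I would open the file with `# GnuPG agent as SSH agent plus smartcard access via pcscd; pinentry is mkDefault so desktop/ssh.nix can swap in a GUI pinentry.` The gnome-keyring rationale for `ssh-gpg` lives in configuration/desktop/ssh.nix, so the comment above `ssh-gpg` here should point at that file, since on the ISO there is presumably no gnome-keyring agent to work around. One practical caveat worth a line next to `services.pcscd.enable = true`: scdaemon's built-in CCID driver and pcscd can contend for the same reader, and `disable-ccid` in scdaemon.conf is the usual fix — whether that is already configured elsewhere cannot be told from this diff.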
From 823d700f1fe75785008afdd5a8c6625c3a10efd6 Mon Sep 17 00:00:00 2001 From: clerie Date: Mon, 15 Apr 2024 09:13:57 +0200 Subject: [PATCH 2/6] configuration/gpg-ssh: Enable YubiKey support --- configuration/gpg-ssh/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix index e3daea7..1c29905 100644 --- a/configuration/gpg-ssh/default.nix +++ b/configuration/gpg-ssh/default.nix @@ -10,6 +10,7 @@ environment.systemPackages = with pkgs; [ gnupg + yubikey-personalization # Add wrapper around ssh that takes the gnupg ssh-agent # instead of gnome-keyring @@ -18,4 +19,7 @@ services.pcscd.enable = true; + services.udev.packages = with pkgs; [ + yubikey-personalization + ]; } From 1e54967cfd61a0c7d5a4143eebccfcb2c21424cb Mon Sep 17 00:00:00 2001 From: clerie Date: Mon, 15 Apr 2024 19:09:55 +0200 Subject: [PATCH 3/6] flake.lock: Update nixpkgs --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index fd1421d..3248487 100644 --- a/flake.lock +++ b/flake.lock @@ -232,11 +232,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1708118438, - "narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=", + "lastModified": 1712963716, + "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80", + "rev": "cfd6b5fc90b15709b780a5a1619695a88505a176", "type": "github" }, "original": { From 699fc69bd3999aed5f73237765438ea4e56f169d Mon Sep 17 00:00:00 2001 From: clerie Date: Mon, 15 Apr 2024 19:11:07 +0200 Subject: [PATCH 4/6] flake.nix: Rollback nixpkgs for chaosevents input because of broken python deps in newer versions --- flake.lock | 30 ++++++++++++++++++++++-------- flake.nix | 2 +- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 3248487..ab28d6c 100644 --- a/flake.lock +++ b/flake.lock 
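Review bot: The new `services.udev.packages` entry carries no comment on why yubikey-personalization's rules are needed alongside pcscd, which is the part a future reader is most likely to drop. I would add `# udev rules so the logged-in user can reach the YubiKey's USB interfaces; OpenPGP/SSH itself goes through pcscd` above it — what access the rules grant is inferred from the package, not visible in this hunk. Listing the same package in `environment.systemPackages` is only needed if the ykpersonalize tools are wanted interactively; if they are, a one-word comment there would make that deliberate.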
@@ -43,9 +43,7 @@ }, "chaosevents": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1708189846, @@ -107,7 +105,7 @@ "fieldpoc": { "inputs": { "mitel-ommclient2": "mitel-ommclient2", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1711287766, @@ -200,11 +198,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1665732960, - "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", + "lastModified": 1686501370, + "narHash": "sha256-G0WuM9fqTPRc2URKP9Lgi5nhZMqsfHGrdEbrLvAPJcg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", + "rev": "75a5ebf473cd60148ba9aec0d219f72e5cf52519", "type": "github" }, "original": { @@ -231,6 +229,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1665732960, + "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1712963716, "narHash": "sha256-WKm9CvgCldeIVvRz87iOMi8CFVB1apJlkUT4GGvA0iM=", @@ -255,7 +269,7 @@ "fieldpoc": "fieldpoc", "nixos-exporter": "nixos-exporter", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-krypton": "nixpkgs-krypton", "solid-xmpp-alarm": "solid-xmpp-alarm" } diff --git a/flake.nix b/flake.nix index 194db60..5d23a91 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,7 @@ }; chaosevents = { url = "git+https://git.clerie.de/clerie/chaosevents.git"; - inputs.nixpkgs.follows = "nixpkgs"; + #inputs.nixpkgs.follows = "nixpkgs"; }; fernglas = { url = "github:wobcom/fernglas"; From a7dbbba01d48a795d59d7663939315a0b04d7373 Mon Sep 17 00:00:00 2001 
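Review bot: Commenting out `inputs.nixpkgs.follows = "nixpkgs"` leaves chaosevents on its own nixpkgs pin, which the flake.lock change in this same patch locks to rev 4428e23 (lastModified 1665732960, i.e. October 2022), so that input's whole closure — interpreter, TLS libraries and all — stops receiving updates from the main nixpkgs bump. A bare commented-out attribute does not say why or for how long; I would replace it with `# TODO: restore follows once chaosevents' python deps build on current nixpkgs; its own lock currently pins a 2022 nixpkgs` so the stale input is tracked rather than forgotten. Whether the old revision ships anything exploitable for this service cannot be determined from the diff.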
From: clerie Date: Mon, 15 Apr 2024 19:28:01 +0200 Subject: [PATCH 5/6] users/clerie: Add new SSH key for clerie --- users/clerie/clerie_id-2024.pub | 1 + users/clerie/default.nix | 1 + 2 files changed, 2 insertions(+) create mode 100644 users/clerie/clerie_id-2024.pub diff --git a/users/clerie/clerie_id-2024.pub b/users/clerie/clerie_id-2024.pub new file mode 100644 index 0000000..a541ea0 --- /dev/null +++ b/users/clerie/clerie_id-2024.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC17V4z147CtKGMvnAEC8BATO2Dttut9T8q0eIxGwmCVO96s/E2ZbxQSjqp9FOuAhD7xJH4kUf4uwlM8yU6sFnWPLbawFxlbyLChTurv2GV5polkqP7awHU7WP2DpO8vhPYcoo5w2GI/q/IfL1+6KHqAuqenQw6H/fERllMkYnqyLcJqfoyfFXD6r/TJfhpB5ryoIeX45sakZvjtrIYpGjjHMjlHu8RG8zuad6UHTg7NqLnYCk2aGcvvA8H1OP/vfuAElhwwVEekKD2VvDcARmXyRyzKl7qCoqXZLRHrlDH+oqKzQLctTjDmGJtETW2Oca3NM6fp6xuuI8NHQhNq1SghoIQDu4LcdHQtclc5a8oOV3C6O6fpgTZI99gp6OcvRGuyAO43uKOg/BmegRDs7AapVsm1+um5hwLdI5wFzMvhpWJw7j7D9hfIS9K8VmLULKy6q+G4fg4s9QklxOg5ExgxUnWnANsgXvct6k8dr0IkZtcVzLGc86XPP0Qd5Rgtcb6JYITSezssL7Gn+rLnNhvKQZVoeOCJ4vyB9OFwcv0ESs9Cx8tg2ZDZpYSkVMoIhoi3LUCinozineRypy3+ItrMRm+PD8wEPZGlwcAaFhDSAML+xpKSCt0c1EqLsF8CtadbXuyNn3DsNaOzWWQha+47HiVl8QipSfF751hVtTH9Q== openpgp:0xDEC2998F diff --git a/users/clerie/default.nix b/users/clerie/default.nix index a119be6..9b86587 100644 --- a/users/clerie/default.nix +++ b/users/clerie/default.nix @@ -9,6 +9,7 @@ ]; openssh.authorizedKeys.keys = [ (builtins.readFile ./ssh.pub) + (builtins.readFile ./clerie_id-2024.pub) "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUBblmmVoMMBftn4EnwnzqR12m9zill51LpO124hHb10K2rqxNoq8tYSc2pMkV/3briZovffpe5SzB+m2MnXbtOBstIEXkrPZQ78vaZ/nLh7+eWg30lCmMPwjf2wIjlTXkcbxbsi7FbPW7FsolGkU/0mqGhqK1Xft/g7SnCXIoGPSSrHMXEv5dPPofCa1Z0Un+98wQTVfOSKek6TnIsfLbG01UFQVkN7afE4dqSmMiWwEm2PK9l+OiBA2/QzDpbtu9wsfTol4c192vFEWR9crB2YZ1JlMbjVWHjYmB7NFsS0A6lUOikss0Y+LUWS2/QuM/kqybSo4rasZMAIazM6D clerie" ]; }; From e2795716c1b1794ed752dc119d20ac5bdb8cf7c4 Mon Sep 17 00:00:00 2001 
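Review bot: The new key is added alongside `./ssh.pub` and the older inline `ssh-rsa` key (a 2048-bit key judging by its blob, versus 4096-bit for the new one) with no note on when those are retired, so the set of keys that can log in as clerie only grows. I would record origin and rotation plan inline, e.g. `# 2024 key: OpenPGP auth subkey 0xDEC2998F; remove ./ssh.pub and the inline key once this one is confirmed working on all hosts`. The `openpgp:0xDEC2998F` comment suggests the key was exported from an OpenPGP authentication subkey — presumably the YubiKey set up in PATCH 2 — but that is inferred, not shown here.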
From: clerie Date: Mon, 15 Apr 2024 20:01:20 +0200 Subject: [PATCH 6/6] pkgs/ssh-gpg: Execute arbitrary commands with ssh-gpg --- pkgs/ssh-gpg/ssh-gpg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/ssh-gpg/ssh-gpg.sh b/pkgs/ssh-gpg/ssh-gpg.sh index dff8b71..50121be 100755 --- a/pkgs/ssh-gpg/ssh-gpg.sh +++ b/pkgs/ssh-gpg/ssh-gpg.sh @@ -3,4 +3,4 @@ SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" export SSH_AUTH_SOCK -exec ssh "$@" +exec "$@"
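Review bot: `exec "$@"` with no arguments becomes `exec ""`, which fails with a confusing "command not found" instead of a usage message, and any existing caller that ran `ssh-gpg host` will now execute `host` as a command. I would guard the argument list before the exec, `[ "$#" -gt 0 ] || { echo "usage: ${0##*/} COMMAND [ARGS...]" >&2; exit 64; }`, and either keep a shim with the old ssh behaviour or check the callers. The comment in configuration/gpg-ssh/default.nix still describes this as a "wrapper around ssh"; it should now read `# Run a command with SSH_AUTH_SOCK pointed at the gnupg agent instead of gnome-keyring`. The `gpgconf` line (context here) also leaves SSH_AUTH_SOCK empty if gpgconf fails; a `set -eu` near the shebang, which is outside this hunk, or an explicit check on that substitution would make the failure visible.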