home/gpg: create key refresh timer and add keyservers

2024-08-02 17:24:25 +02:00 · 2024-08-02 17:24:25 +02:00 · 227c710265
parent 773cfc9dab
commit 227c710265
3 changed files with 75 additions and 7 deletions
--- a/home/home.nix
+++ b/home/home.nix
@ -15,7 +15,7 @@ in {
    ./programs/gdb.nix
    ./programs/gh.nix
    ./programs/git
-    ./programs/gpg.nix
+    ./programs/gpg
    ./programs/less.nix
    ./programs/neovim.nix
    ./programs/tmux.nix
--- a/home/programs/gpg/auto-refresh-keys.nix
+++ b/home/programs/gpg/auto-refresh-keys.nix
@ -0,0 +1,61 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.programs.gpg;
+in
+{
+  options = {
+    programs.gpg.auto-refresh-keys = {
+      enable = lib.mkEnableOption "a timer that automatically refreshes your gpg keys";
+      frequency = lib.mkOption {
+        default = "daily";
+        type = lib.types.str;
+        description = ''
+          How often to refresh keys.
+
+          :::{.note}
+            This value is passed to the systemd
+            timer configuration as the onCalendar option.  See
+            {manpage}`systemd.time(7)`
+            for more information about the format.
+          :::
+        '';
+      };
+    };
+  };
+
+  config = {
+    systemd.user.services.gpg-refresh-keys = lib.mkIf cfg.auto-refresh-keys.enable {
+      Unit = {
+        Description = "Refresh gpg keys";
+        Documentation = [ "man:gpg(1)" ];
+      };
+
+      Service = {
+        Type = "oneshot";
+        CPUSchedulingPolicy = "idle";
+        IOSchedulingClass = "idle";
+        ExecStart = "${lib.getExe cfg.package} --refresh-keys";
+        Environment = [
+          "GNUPGHOME=${cfg.homedir}"
+        ];
+      };
+    };
+
+    systemd.user.timers.gpg-refresh-keys = lib.mkIf cfg.auto-refresh-keys.enable {
+      Unit = {
+        Description = "Refresh gpg keys";
+        Documentation = [ "man:gpg(1)" ];
+      };
+
+      Timer = {
+        Unit = "gpg-refresh-keys.service";
+        OnCalendar = cfg.auto-refresh-keys.frequency;
+        Persistent = true;
+      };
+
+      Install = {
+        WantedBy = [ "timers.target" ];
+      };
+    };
+  };
+}
--- a/home/programs/gpg/default.nix
+++ b/home/programs/gpg/default.nix
@ -1,15 +1,22 @@
 { pkgs, config, ... }:
 {
+  imports = [
+    ./auto-refresh-keys.nix
+  ];
+
  programs.gpg = {
    enable = true;
    homedir = "${config.xdg.configHome}/gnupg";
-    # TODO: declare public keys and trust declaratively
-    # mutableKeys = false;
-    # mutableTrust = false;
-    # publicKeys = [];
-    # settings = {

-    # };
+    auto-refresh-keys.enable = true;
+
+    settings = {
+      keyserver = [
+        "hkps://keys.openpgp.org"
+        "hkps://keyserver.ubuntu.com"
+        "hkps://pgp.mit.edu"
+      ];
+    };
  };

  services.gpg-agent = {