home: move gpg automation to modules

Oystein Kristoffer Tveit 2025-03-24 13:44:59 +01:00
parent e32051c662
commit a36869282a
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
10 changed files with 114 additions and 15 deletions

@ -144,6 +144,7 @@
uidGid = ./home/modules/uidGid.nix;
shellAliases = ./home/modules/shellAliases.nix;
colors = ./home/modules/colors.nix;
gpg = ./home/modules/programs/gpg;
};
homeConfigurations = {

@ -22,7 +22,7 @@ in {
./programs/gh-dash.nix
./programs/gh.nix
./programs/git
./programs/gpg
./programs/gpg.nix
./programs/home-manager.nix
./programs/jq.nix
./programs/less.nix
@ -49,6 +49,7 @@ in {
./modules/colors.nix
./modules/shellAliases.nix
./modules/uidGid.nix
./modules/programs/gpg
] ++ (optionals graphics [
./config/gtk.nix

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./auto-refresh-keys.nix
./auto-update-trust-db.nix
# ./key-fetchers/declarative-github-key-fetcher.nix # WIP
./key-fetchers/declarative-keyserver-key-fetcher.nix
];
}

@ -0,0 +1,93 @@
{ config, pkgs, lib, ... }:
let
cfg = config.programs.gpg;
in
{
# TODO: Create proper descriptions
options = {
programs.gpg.key-fetchers.github = {
enable = lib.mkEnableOption "auto fetching of gpg keys by github username";
useGh = lib.mkEnableOption "" // {
description = "Whether to use the GitHub API through the gh tools to fetch GPG keys";
default = config.programs.gh.enable;
defaultText = lib.literalExpression "config.programs.gh.enable";
};
keys = lib.mkOption {
description = "";
default = { };
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
# id = lib.mkOption {
# description = "";
# default = name;
# example = "";
# type = lib.types.str;
# };
username = lib.mkOption {
description = "";
default = name;
type = lib.types.nonEmptyStr;
};
trust = lib.mkOption {
description = "If marked as null, it's mutable";
default = null;
example = 4;
type = with lib.types; nullOr (ints.between 1 5);
};
};
}));
};
};
};
config = lib.mkIf cfg.key-fetchers.github.enable {
systemd.user.services."gpg-fetch-github-key@" = {
description = "Fetch GPG keys for GitHub user %i";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
# TODO: warn if user or key does not exist
ExecStart = let
ghScript = pkgs.writeShellApplication {
name = "fetch-github-gpg-keys";
runtimeInputs = [
config.programs.gh.package
pkgs.jq
cfg.package
];
text = ''
gh api users/''${1}/gpg_keys | jq -r '.[].raw_key' | gpg --import
'';
};
curlScript = pkgs.writeShellApplication {
name = "fetch-github-gpg-keys";
runtimeInputs = [
pkgs.curl
pkgs.jq
cfg.package
];
text = ''
curl -s https://api.github.com/users/''${1}/gpg_keys | jq -r '.[].raw_key' | gpg --import
'';
};
in if cfg.key-fetchers.github.useGh then ghScript else curlScript;
Restart = "on-failure";
RestartSec = "10s";
Environment = [
"GNUPGHOME=${cfg.homedir}"
];
};
};
# systemd.user.timers =
};
}
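Review bot: The unit at `systemd.user.services."gpg-fetch-github-key@"` is written with NixOS-style keys (`description`, `serviceConfig`, `wantedBy`), while the `systemd.user.services` option this configuration appears to target (home-manager) expects `Unit`/`Service`/`Install` sections, as the keyserver fetcher in this same commit does with `Unit = { Description = ...`; the module will presumably not evaluate once the commented-out import is enabled, and `multi-user.target` is a system target rather than a user-session one. The `keys` and `trust` options are declared but nothing in `config` consumes them: no instance of the template unit is ever started (only the `# systemd.user.timers =` placeholder), so keys fetched by the script would be imported with no trust assigned, and keys listed in `keys` are not fetched at all. In both scripts the username is spliced in as an unquoted `''${1}`, which the shellcheck pass run by `writeShellApplication` will likely reject; quote it, and give curl `-f` so a non-2xx response body is not piped on into `jq` and `gpg`: `curl -sf "https://api.github.com/users/$1/gpg_keys" | jq -r '.[].raw_key' | gpg --import`. Whether `Restart=on-failure` is accepted together with `Type=oneshot` depends on the systemd version in use, so that pairing is worth confirming as well.
```nix
systemd.user.services."gpg-fetch-github-key@" = {
  Unit.Description = "Fetch GPG keys for GitHub user %i";
  Service = {
    Type = "oneshot";
    CPUSchedulingPolicy = "idle";
    IOSchedulingClass = "idle";
    ExecStart = let
      # … unchanged: ghScript, with its command line changed to
      #   gh api "users/$1/gpg_keys" | jq -r '.[].raw_key' | gpg --import
      # … unchanged: curlScript, with its command line changed to
      #   curl -sf "https://api.github.com/users/$1/gpg_keys" | jq -r '.[].raw_key' | gpg --import
    in if cfg.key-fetchers.github.useGh then ghScript else curlScript;
    Environment = [ "GNUPGHOME=${cfg.homedir}" ];
  };
};
```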

@ -3,9 +3,10 @@ let
cfg = config.programs.gpg;
in
{
# TODO: per-key timers
# TODO: Create proper descriptions
options = {
programs.gpg.fetch-keys = {
programs.gpg.key-fetchers.keyserver = {
enable = lib.mkEnableOption "auto fetching of gpg keys by fingerprint";
keys = lib.mkOption {
description = "";
@ -23,8 +24,7 @@ in
description = "If marked as null, use config";
default = null;
example = "hkps://keys.openpgp.org";
type = with lib.types; nullOr str;
apply = v: if v == null then "@NULL@" else v;
type = with lib.types; coercedTo (nullOr str) (v: if v == null then "@NULL@" else v) str;
};
trust = lib.mkOption {
@ -43,7 +43,7 @@ in
# TODO: Fix the module so that this unit runs whenever something changes
systemd.user.services.gpg-fetch-keys = let
fetchKeysApplication = let
recvKeysByKeyserver = lib.pipe cfg.fetch-keys.keys [
recvKeysByKeyserver = lib.pipe cfg.key-fetchers.keyserver.keys [
lib.attrValues
(lib.foldl (acc: key: acc // {
${key.keyserver} = (acc.${key.keyserver} or []) ++ [ key.id ];
@ -69,7 +69,7 @@ in
}
'';
trustKeys = lib.pipe cfg.fetch-keys.keys [
trustKeys = lib.pipe cfg.key-fetchers.keyserver.keys [
lib.attrValues
(lib.filter (key: key.trust != null))
(map ({ id, trust, ... }: "importTrust '${id}' '${toString trust}'"))
@ -84,7 +84,7 @@ in
trustKeys
];
};
in lib.mkIf cfg.fetch-keys.enable {
in lib.mkIf cfg.key-fetchers.keyserver.enable {
Unit = {
Description = "Fetch declaratively listed gpg keys";
Documentation = [ "man:gpg(1)" ];

@ -1,11 +1,5 @@
{ pkgs, config, ... }:
{ config, pkgs, ... }:
{
imports = [
./auto-refresh-keys.nix
./auto-update-trust-db.nix
./declarative-key-fetcher.nix
];
programs.gpg = {
enable = true;
homedir = "${config.xdg.configHome}/gnupg";
@ -20,7 +14,7 @@
];
};
fetch-keys = {
key-fetchers.keyserver = {
enable = true;
keys = {
"495A898FC1A0276F51EA3155355E5D82B18F4E71" = { trust = 4; };