home: move gpg automation to modules

flake.nix

@@ -144,6 +144,7 @@
       uidGid = ./home/modules/uidGid.nix;
       shellAliases = ./home/modules/shellAliases.nix;
       colors = ./home/modules/colors.nix;
+      gpg = ./home/modules/programs/gpg;
     };
 
     homeConfigurations = {

home/home.nix

@@ -22,7 +22,7 @@ in {
     ./programs/gh-dash.nix
     ./programs/gh.nix
     ./programs/git
-    ./programs/gpg
+    ./programs/gpg.nix
     ./programs/home-manager.nix
     ./programs/jq.nix
     ./programs/less.nix
@@ -49,6 +49,7 @@ in {
     ./modules/colors.nix
     ./modules/shellAliases.nix
     ./modules/uidGid.nix
+    ./modules/programs/gpg
   ] ++ (optionals graphics [
     ./config/gtk.nix
 

home/modules/programs/gpg/default.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./auto-refresh-keys.nix
+    ./auto-update-trust-db.nix
+
+    # ./key-fetchers/declarative-github-key-fetcher.nix # WIP
+    ./key-fetchers/declarative-keyserver-key-fetcher.nix
+  ];
+}

home/modules/programs/gpg/key-fetchers/declarative-github-key-fetcher.nix

@@ -0,0 +1,93 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.programs.gpg;
+in
+{
+  # TODO: Create proper descriptions
+  options = {
+    programs.gpg.key-fetchers.github = {
+      enable = lib.mkEnableOption "auto fetching of gpg keys by github username";
+
+      useGh = lib.mkEnableOption "" // {
+        description = "Whether to use the GitHub API through the gh tools to fetch GPG keys";
+        default = config.programs.gh.enable;
+        defaultText = lib.literalExpression "config.programs.gh.enable";
+      };
+
+      keys = lib.mkOption {
+        description = "";
+        default = { };
+        type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
+          options = {
+            # id = lib.mkOption {
+            #   description = "";
+            #   default = name;
+            #   example = "";
+            #   type = lib.types.str;
+            # };
+
+            username = lib.mkOption {
+              description = "";
+              default = name;
+              type = lib.types.nonEmptyStr;
+            };
+
+            trust = lib.mkOption {
+              description = "If marked as null, it's mutable";
+              default = null;
+              example = 4;
+              type = with lib.types; nullOr (ints.between 1 5);
+            };
+          };
+        }));
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.key-fetchers.github.enable {
+    systemd.user.services."gpg-fetch-github-key@" = {
+      description = "Fetch GPG keys for GitHub user %i";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        CPUSchedulingPolicy = "idle";
+        IOSchedulingClass = "idle";
+
+        # TODO: warn if user or key does not exist
+        ExecStart = let
+          ghScript = pkgs.writeShellApplication {
+            name = "fetch-github-gpg-keys";
+            runtimeInputs = [
+              config.programs.gh.package
+              pkgs.jq
+              cfg.package
+            ];
+            text = ''
+              gh api users/''${1}/gpg_keys | jq -r '.[].raw_key' | gpg --import
+            '';
+          };
+
+          curlScript = pkgs.writeShellApplication {
+            name = "fetch-github-gpg-keys";
+            runtimeInputs = [
+              pkgs.curl
+              pkgs.jq
+              cfg.package
+            ];
+            text = ''
+              curl -s https://api.github.com/users/''${1}/gpg_keys | jq -r '.[].raw_key' | gpg --import
+            '';
+          };
+        in if cfg.key-fetchers.github.useGh then ghScript else curlScript;
+
+        Restart = "on-failure";
+        RestartSec = "10s";
+        Environment = [
+          "GNUPGHOME=${cfg.homedir}"
+        ];
+      };
+    };
+
+    # systemd.user.timers =
+  };
+}

home/modules/programs/gpg/key-fetchers/declarative-keyserver-key-fetcher.nix

@@ -3,9 +3,10 @@ let
   cfg = config.programs.gpg;
 in
 {
+  # TODO: per-key timers
   # TODO: Create proper descriptions
   options = {
-    programs.gpg.fetch-keys = {
+    programs.gpg.key-fetchers.keyserver = {
       enable = lib.mkEnableOption "auto fetching of gpg keys by fingerprint";
       keys = lib.mkOption {
         description = "";
@@ -23,8 +24,7 @@ in
               description = "If marked as null, use config";
               default = null;
               example = "hkps://keys.openpgp.org";
-              type = with lib.types; nullOr str;
+              type = with lib.types; coercedTo (nullOr str) (v: if v == null then "@NULL@" else v) str;
-              apply = v: if v == null then "@NULL@" else v;
             };
 
             trust = lib.mkOption {
@@ -43,7 +43,7 @@ in
     # TODO: Fix the module so that this unit runs whenever something changes
     systemd.user.services.gpg-fetch-keys = let
       fetchKeysApplication = let
-        recvKeysByKeyserver = lib.pipe cfg.fetch-keys.keys [
+        recvKeysByKeyserver = lib.pipe cfg.key-fetchers.keyserver.keys [
           lib.attrValues
           (lib.foldl (acc: key: acc // {
             ${key.keyserver} = (acc.${key.keyserver} or []) ++ [ key.id ];
@@ -69,7 +69,7 @@ in
           }
         '';
 
-        trustKeys = lib.pipe cfg.fetch-keys.keys [
+        trustKeys = lib.pipe cfg.key-fetchers.keyserver.keys [
           lib.attrValues
           (lib.filter (key: key.trust != null))
           (map ({ id, trust, ... }: "importTrust '${id}' '${toString trust}'"))
@@ -84,7 +84,7 @@ in
           trustKeys
         ];
       };
-    in lib.mkIf cfg.fetch-keys.enable {
+    in lib.mkIf cfg.key-fetchers.keyserver.enable {
       Unit = {
         Description = "Fetch declaratively listed gpg keys";
         Documentation = [ "man:gpg(1)" ];

home/programs/gpg.nix

@@ -1,11 +1,5 @@
-{ pkgs, config, ... }:
+{ config, pkgs, ... }:
 {
-  imports = [
-    ./auto-refresh-keys.nix
-    ./auto-update-trust-db.nix
-    ./declarative-key-fetcher.nix
-  ];
-
   programs.gpg = {
     enable = true;
     homedir = "${config.xdg.configHome}/gnupg";
@@ -20,7 +14,7 @@
       ];
     };
 
-    fetch-keys = {
+    key-fetchers.keyserver = {
       enable = true;
       keys = {
         "495A898FC1A0276F51EA3155355E5D82B18F4E71" = { trust = 4; };