oysteikt/nix-dotfiles
oysteikt
/
nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity

home/gpg: add key fetcher unit

This commit is contained in:
Oystein Kristoffer Tveit 2024-08-02 18:06:40 +02:00
parent 58d4b66637
commit eb28a1bebb
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
2 changed files with 117 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
home/programs/gpg/declarative-key-fetcher.nix Normal file
View File

@ -0,0 +1,107 @@
{ config, pkgs, lib, ... }:
let
cfg = config.programs.gpg;
in
{
# TODO: Create proper descriptions
options = {
programs.gpg.fetch-keys = {
enable = lib.mkEnableOption "auto fetching of gpg keys by fingerprint";
keys = lib.mkOption {
description = "";
default = { };
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
id = lib.mkOption {
description = "";
default = name;
example = "";
type = lib.types.str;
};
keyserver = lib.mkOption {
description = "If marked as null, use config";
default = null;
example = "hkps://keys.openpgp.org";
type = with lib.types; nullOr str;
apply = v: if v == null then "@NULL@" else v;
};
trust = lib.mkOption {
description = "If marked as null, it's mutable";
default = null;
example = 4;
type = with lib.types; nullOr (ints.between 1 5);
};
};
}));
};
};
};
config = {
# TODO: Fix the module so that this unit runs whenever something changes
systemd.user.services.gpg-fetch-keys = let
fetchKeysApplication = let
recvKeysByKeyserver = lib.pipe cfg.fetch-keys.keys [
lib.attrValues
(lib.foldl (acc: key: acc // {
${key.keyserver} = (acc.${key.keyserver} or []) ++ [ key.id ];
}) { })
(lib.mapAttrsToList (keyserver: ids:
if keyserver == "@NULL@"
then "gpg --recv-keys ${lib.escapeShellArgs ids}"
else "gpg --keyserver ${lib.escapeShellArg keyserver} --recv-keys ${lib.escapeShellArgs ids}"))
(lib.concatStringsSep "\n")
];
# Taken from modules/programs/gpg.nix
# Slightly modified in order not to read files
importTrustBashFunctions = let
gpg = "${cfg.package}/bin/gpg";
in ''
function importTrust() {
local keyId trust
keyId="$1"
trust="$2"
{ echo trust; echo "$trust"; (( trust == 5 )) && echo y; echo quit; } \
| ${gpg} --no-tty --command-fd 0 --edit-key "$keyId"
}
'';
trustKeys = lib.pipe cfg.fetch-keys.keys [
lib.attrValues
(lib.filter (key: key.trust != null))
(map ({ id, trust, ... }: "importTrust '${id}' '${toString trust}'"))
(lib.concatStringsSep "\n")
];
in pkgs.writeShellApplication {
name = "fetch-gpg-keys";
runtimeInputs = [ cfg.package ];
text = lib.concatStringsSep "\n" [
recvKeysByKeyserver
importTrustBashFunctions
trustKeys
];
};
in lib.mkIf cfg.fetch-keys.enable {
Unit = {
Description = "Fetch declaratively listed gpg keys";
Documentation = [ "man:gpg(1)" ];
X-Restart-Triggers = [ "${fetchKeysApplication}" ];
X-SwitchMethod = "restart";
};
Service = {
Type = "oneshot";
CPUSchedulingPolicy = "idle";
IOSchedulingClass = "idle";
ExecStart = "${lib.getExe fetchKeysApplication}";
Environment = [
"GNUPGHOME=${cfg.homedir}"
];
};
};
};
}

10
home/programs/gpg/default.nix
View File

@ -2,6 +2,7 @@
{ {
imports = [ imports = [
./auto-refresh-keys.nix ./auto-refresh-keys.nix
./declarative-key-fetcher.nix
]; ];
programs.gpg = { programs.gpg = {
@ -17,6 +18,15 @@
"hkps://pgp.mit.edu" "hkps://pgp.mit.edu"
]; ];
}; };
fetch-keys = {
enable = true;
keys = {
"495A898FC1A0276F51EA3155355E5D82B18F4E71" = { trust = 4; };
"490872D2A1D6451C9A3AA544D33368A59745C2F0" = { };
"D231FBC3E4C3B668103982D8BC9E348039A74F7F" = { };
};
};
}; };
services.gpg-agent = { services.gpg-agent = {