Mirror/nix-git
Mirror/nix-git
1
0
Fork 0
mirror of https://codeberg.org/privacy1st/nix-git synced 2024-11-22 22:09:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: ssh smartcard gpg-agent

Browse Source
This commit is contained in:
Daniel Langbein 2023-10-19 15:10:05 +02:00
parent 6882839903
commit 9acf99366a
Signed by: langfingaz
GPG Key ID: 6C47C753F0823002
1 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
modules/nitrokey-gpg-smartcard.nix
View File

@ -9,8 +9,7 @@
# - smartcard should be listed # - smartcard should be listed
# gpg --card-status # gpg --card-status
# - ssh should work # - ssh should work
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh # ssh yodaNas
# ssh nas
# - signed git commits should work in IntelliJ # - signed git commits should work in IntelliJ
# IntelliJ IDE -> git commit -> graphical pinentry should pop-up # IntelliJ IDE -> git commit -> graphical pinentry should pop-up
@ -29,8 +28,6 @@
# TODO: gpg-agent pinentry problem # TODO: gpg-agent pinentry problem
# https://github.com/NixOS/nixpkgs/issues/97861 # https://github.com/NixOS/nixpkgs/issues/97861
# TODO: Maybe GNOME is overriding the SSH agent socket that is set elswhere by NixOS?
# https://wiki.archlinux.org/title/GnuPG#GNOME_on_Wayland_overrides_SSH_agent_socket
# #
# gpgconf --check-programs # gpgconf --check-programs
#=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed #=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
@ -80,13 +77,33 @@
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;
# ... Also sets SSH_AUTH_SOCK environment variable correctly. # Sets SSH_AUTH_SOCK environment variable.
enableSSHSupport = true; enableSSHSupport = true;
#pinentryFlavor = "curses"; #pinentryFlavor = "curses";
pinentryFlavor = "gnome3"; pinentryFlavor = "gnome3";
}; };
}; };
# GNOME Keyring: Disable SSH agent.
#
# Without this,
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# is required before ssh can use the smartcard (through gpg-agent).
#
# GNOME Keyring will override the SSH_AUTH_SOCK variable
# if it starts its own SSH agent. The docs suggest to disable
# SSH agent support in GNOME Keyring if using another SSH agent:
# https://wiki.gnome.org/Projects/GnomeKeyring/Ssh
#
# Here are related issues:
# https://github.com/NixOS/nixpkgs/issues/8356
# https://github.com/NixOS/nixpkgs/issues/42291
# https://wiki.archlinux.org/title/GnuPG#GNOME_on_Wayland_overrides_SSH_agent_socket
#
# Solution 1: https://github.com/NixOS/nixpkgs/issues/42291#issuecomment-399630199
# Solution 2: https://github.com/NixOS/nixpkgs/issues/42291#issuecomment-687979733
services.gnome.gnome-keyring.enable = pkgs.lib.mkForce false;
# Adds the pinentry binary to the PATH so that e.g. # Adds the pinentry binary to the PATH so that e.g.
# echo GETPIN | pinentry # echo GETPIN | pinentry
# works. # works.