{ config, pkgs, lib, ... }:
{
# Use NitroKey USB smartcard with SSH.
# https://nixos.wiki/wiki/Nitrokey
# Test suite. TODO: Check all of this after config changes!
# - pinentry should be in $PATH.
# Note: Since NixOS 23.11 (and maybe earlier) this is no longer the case.
# Yet, all other tests still work!
# echo GETPIN | pinentry
# - smartcard should be listed
# gpg --card-status
# - encryption should work (graphical pinentry should pop-up)
# gpg -d ./passphrase.txt.gpg
# - ssh should work (graphical pinentry should pop-up)
# ssh yodaNas
# - signed git commits should work in IntelliJ
# IntelliJ IDE -> Make a Git commit -> Graphical pinentry should pop-up
# Restart gpg-agent after config change.
# Otherwise there might be a gpg error about "no pinentry".
# https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
#
# But how to restart it?
# https://superuser.com/a/1150399
# gpgconf --kill gpg-agent
# killall gpg-agent
# systemctl --user restart gpg-agent
# Not sure if this is needed: Reload udev rules.
# sudo -- udevadm control --reload-rules && udevadm trigger
# TODO: gpg-agent pinentry problem
# https://github.com/NixOS/nixpkgs/issues/97861
#
# gpgconf --check-programs
#=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
#
# ssh -v nas
#=> OpenSSH_9.3p2, OpenSSL 3.0.10 1 Aug 2023
#=> debug1: Reading configuration data /home/yoda/.ssh/config
#=> debug1: /home/yoda/.ssh/config line 67: Applying options for nas
#=> debug1: /home/yoda/.ssh/config line 180: Applying options for *
#=> debug1: Reading configuration data /etc/ssh/ssh_config
#=> debug1: Executing command: '/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15/bin/bash -c '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
#
#=> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
#=> yoda 2752 0.0 0.0 444812 3040 ? SLsl 16:09 0:00 /nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-agent --supervised --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry
# NITROKEY SSH WORKAROUND (I): Do all of this in one shell!
# CREDITS: https://unix.stackexchange.com/a/250045/315162
#
# BEFORE: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
# AFTER: SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
#
# systemctl --user stop gpg-agent
# systemctl --user stop gpg-agent.socket
# systemctl --user stop gpg-agent-ssh.socket
# ps -aux | grep -v grep | grep gpg-agent
# => NONE
# eval $(gpg-agent --daemon --pinentry-program /nix/store/5j87jnmfh19xlq9ij0v3rh7cwssr4586-pinentry-1.2.1-curses/bin/pinentry --enable-ssh-support --sh)
# echo $SSH_AUTH_SOCK
#=> /run/user/1000/gnupg/S.gpg-agent.ssh
# gpg -d ./passphrase.txt.gpg
#=> Works!
# ssh nas
#=> Works!
# NITROKEY SSH WORKAROUND (II)
#
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# ssh nas
#=> Works!
# TODO:
# What is the difference between programs.gnupg.agent.enableSSHSupport and
# services.gpg-agent.enableSshSupport = true;
services.udev.packages = [ pkgs.nitrokey-udev-rules ];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
# Sets SSH_AUTH_SOCK environment variable.
enableSSHSupport = true;
#pinentryPackage = pkgs.pinentry-curses;
pinentryPackage = pkgs.pinentry-gnome3;
};
};
# GNOME Keyring: Disable SSH agent.
#
# Without this,
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# is required before ssh can use the smartcard (through gpg-agent).
#
# GNOME Keyring will override the SSH_AUTH_SOCK variable
# if it starts its own SSH agent. The docs suggest to disable
# SSH agent support in GNOME Keyring if using another SSH agent:
# https://wiki.gnome.org/Projects/GnomeKeyring/Ssh
#
# Here are related issues:
# https://github.com/NixOS/nixpkgs/issues/8356
# https://github.com/NixOS/nixpkgs/issues/42291
# https://wiki.archlinux.org/title/GnuPG#GNOME_on_Wayland_overrides_SSH_agent_socket
#
# Solution 1: https://github.com/NixOS/nixpkgs/issues/42291#issuecomment-399630199
# Works for me.
# Solution 2: https://github.com/NixOS/nixpkgs/issues/42291#issuecomment-687979733
# Works for me, but on each login, nextcloud-desktop asks for credentials ...
# Adds the pinentry binary to the PATH so that e.g.
# echo GETPIN | pinentry
# works.
# This is not required for
# - gpg --card-status
# - ssh nas
# - signed git commits in IntelliJ
#environment.systemPackages = with pkgs; [
# #pinentry-curses
# pinentry-gnome
#];
#users.users.yoda = {
# packages = with pkgs; [
# #pinentry-curses
# pinentry-gnome
# ];
#};
# https://docs.nitrokey.com/nitrokey3/windows/troubleshooting.html#gnupg-openpgp-card-not-available
#
# There are two common smartcard services on Linux systems
# - scdaemon (gpg) with two drivers:
# - ccid: directly accesses smartcard
# - pcsc: uses the pcscd daemon to access smartcard
# - pcscd (generic smartcard daemon)
#
# `pcscd` might lock the card before `scdaemon` tries to access it
# using the internal `ccid` driver
#
# Either uninstall `pcscd` **or**
# use the `pcscd` driver for `scdaemon`
# by adding `disable-ccid` to `~/.gnupg/scdaemon.conf`
# Smartcard daemon.
services.pcscd.enable = true;
home-manager.users.yoda = { osConfig, config, pkgs, ... }: {
# Disable GNOME Keyring. See comment above.
#
# Prevent clobbering SSH_AUTH_SOCK
home.sessionVariables.GSM_SKIP_SSH_AGENT_WORKAROUND = "1";
# Disable gnome-keyring ssh-agent
xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = ''
${lib.fileContents "${pkgs.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop"}
Hidden=true
'';
# GnuPG configuration.
programs.gpg = {
enable = true;
scdaemonSettings = {
disable-ccid = true;
};
publicKeys = [{
source = "${../assets/gpg/pubkey_nitrokey.asc}";
# ultimate
trust = 5;
}];
# Examples:
# https://github.com/ioerror/duraconf
# https://gist.github.com/graffen/37eaa2332ee7e584bfda
settings = {
# Display long key IDs
keyid-format = "0xlong";
# List all keys (or the specified ones) along with their fingerprints
with-fingerprint = true;
# Display the calculated validity of user IDs during key listings.
list-options = "show-uid-validity";
verify-options = "show-uid-validity";
};
};
};
}