nix-git/modules/nitrokey-gpg-smartcard.nix
2023-09-11 14:13:13 +02:00

138 lines
4.5 KiB
Nix

{ config, pkgs, ... }:
{
# Use NitroKey USB smartcard with SSH.
# https://nixos.wiki/wiki/Nitrokey
# Test suite. TODO: Check all of this after config changes!
# - pinentry should be in $PATH
# echo GETPIN | pinentry
# - smartcard should be listed
# gpg --card-status
# - ssh should work
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# ssh nas
# - signed git commits should work in IntelliJ
# IntelliJ IDE -> git commit -> graphical pinentry should pop-up
# Restart gpg-agent after config change.
# Otherwise there might be a gpg error about "no pinentry".
# https://discourse.nixos.org/t/cant-get-gnupg-to-work-no-pinentry/15373/19
# But how to restart it? Maybe this?
# killall gpg-agent
# systemctl --user restart gpg-agent
# Not sure if this is needed: Reload udev rules.
# sudo -- udevadm control --reload-rules && udevadm trigger
# TODO: gpg-agent pinentry problem
# https://github.com/NixOS/nixpkgs/issues/97861
#
# gpgconf --check-programs
#=> gpgconf: error running '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/pinentry': probably not installed
#
# ssh -v nas
#=> OpenSSH_9.3p2, OpenSSL 3.0.10 1 Aug 2023
#=> debug1: Reading configuration data /home/yoda/.ssh/config
#=> debug1: /home/yoda/.ssh/config line 67: Applying options for nas
#=> debug1: /home/yoda/.ssh/config line 180: Applying options for *
#=> debug1: Reading configuration data /etc/ssh/ssh_config
#=> debug1: Executing command: '/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15/bin/bash -c '/nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1''
#
#=> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
#=> yoda 2752 0.0 0.0 444812 3040 ? SLsl 16:09 0:00 /nix/store/lvsbmqy4dmlri22145hbr6799hgbnpnf-gnupg-2.4.0/bin/gpg-agent --supervised --pinentry-program /nix/store/8cvidvpwnwyxixlhqfaa5jlfndh2vir5-pinentry-1.2.1-curses/bin/pinentry
# NITROKEY SSH WORKAROUND (I): Do all of this in one shell!
# CREDITS: https://unix.stackexchange.com/a/250045/315162
#
# BEFORE: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
# AFTER: SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
#
# systemctl --user stop gpg-agent
# systemctl --user stop gpg-agent.socket
# systemctl --user stop gpg-agent-ssh.socket
# ps -aux | grep -v grep | grep gpg-agent
# => NONE
# eval $(gpg-agent --daemon --pinentry-program /nix/store/5j87jnmfh19xlq9ij0v3rh7cwssr4586-pinentry-1.2.1-curses/bin/pinentry --enable-ssh-support --sh)
# echo $SSH_AUTH_SOCK
#=> /run/user/1000/gnupg/S.gpg-agent.ssh
# gpg -d ./passphrase.txt.gpg
#=> Works!
# ssh nas
#=> Works!
# NITROKEY SSH WORKAROUND (II)
#
# export SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
# ssh nas
#=> Works!
# TODO:
# What is the difference between programs.gnupg.agent.enableSSHSupport and
# services.gpg-agent.enableSshSupport = true;
services.udev.packages = [ pkgs.nitrokey-udev-rules ];
programs = {
ssh.startAgent = false;
gnupg.agent = {
enable = true;
# ... Also sets SSH_AUTH_SOCK environment variable correctly.
enableSSHSupport = true;
#pinentryFlavor = "curses";
pinentryFlavor = "gnome3";
};
};
# Adds the pinentry binary to the PATH so that e.g.
# echo GETPIN | pinentry
# works.
# This is not required for
# - gpg --card-status
# - ssh nas
# - signed git commits in IntelliJ
#environment.systemPackages = with pkgs; [
# #pinentry-curses
# pinentry-gnome
#];
#users.users.yoda = {
# packages = with pkgs; [
# #pinentry-curses
# pinentry-gnome
# ];
#};
# Smartcard daemon.
services.pcscd.enable = true;
home-manager.users.yoda = { osConfig, config, pkgs, ... }: {
# GnuPG configuration.
# Examples:
# https://github.com/ioerror/duraconf
# https://gist.github.com/graffen/37eaa2332ee7e584bfda
programs.gpg = {
enable = true;
settings = {
# Display long key IDs
keyid-format = "0xlong";
# List all keys (or the specified ones) along with their fingerprints
with-fingerprint = true;
# Display the calculated validity of user IDs during key listings.
list-options = "show-uid-validity";
verify-options = "show-uid-validity";
};
publicKeys = [
{
source = "${../assets/gpg/pubkey_nitrokey.asc}";
# ultimate
trust = 5;
}
];
};
};
}