add gpg auto-unlock

2022-08-08 21:16:45 -03:00 · 2022-08-08 21:16:45 -03:00 · c5e919a2dc
commit c5e919a2dc
parent a8a8be5a59
4 changed files with 75 additions and 0 deletions
--- a/scripts/_gpg-unlock.nix
+++ b/scripts/_gpg-unlock.nix
@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+pkgs.writeShellScriptBin "_gpg-unlock" ''
+  ${pkgs.gnupg}/bin/gpg-connect-agent reloadagent /bye
+
+  set -xe
+
+  test -f "$HOME/.config/.preset-password" || {
+    notify-send "No preset password found"
+    exit 0;
+  }
+
+  get_keygrip() {
+    ${pkgs.gnupg}/bin/gpg --list-secret-keys --with-keygrip |
+    awk '
+    /^ssb/ {
+        ssb=1
+    }
+    /Keygrip/{
+        if (ssb) print $3
+    }'
+  }
+
+  keygrip=$(get_keygrip)
+
+  test -n "$keygrip" || exit 0
+
+  cat "$HOME/.config/.preset-password" |
+      base64 -d |
+      ${pkgs.gnupg}/libexec/gpg-preset-passphrase --preset "$keygrip"
+''
--- a/scripts/default.nix
+++ b/scripts/default.nix
@ -6,4 +6,5 @@
  terminal = import ./terminal.nix { inherit config pkgs lib; };
  wpass = import ./wpass.nix { inherit config pkgs lib; };
  screenshotsh = import ./screenshotsh.nix { inherit config pkgs lib; };
+  _gpg-unlock = import ./_gpg-unlock.nix { inherit config pkgs lib; };
 })
--- a/user/gpg.nix
+++ b/user/gpg.nix
@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }: {
+  config = {
+    services.gpg-agent = {
+      enable = true;
+      defaultCacheTtl = 604800;
+      maxCacheTtl = 604800;
+      pinentryFlavor = "gtk2";
+      extraConfig = ''
+        allow-preset-passphrase
+        allow-loopback-pinentry
+        pinentry-mode loopback
+      '';
+    };
+    systemd.user.services = {
+      gpg_unlock = {
+        Unit = {
+          Description = "Unlock gpg keyring";
+          PartOf = [ "graphical-session.target" ];
+          After = [ "graphical-session.target" ];
+        };
+        Service = {
+          ExecStart = "${pkgs._gpg-unlock}/bin/_gpg-unlock";
+        };
+      };
+    };
+    systemd.user.timers = {
+      gpg_unlock = {
+        Unit = {
+          Description = "Unlock gpg keyring";
+          PartOf = [ "graphical-session.target" ];
+          After = [ "graphical-session.target" ];
+        };
+        Timer = {
+          OnBootSec = "30";
+          OnUnitActiveSec = "30";
+          Unit = "gpg_unlock.service";
+        };
+      };
+    };
+
+  };
+}
--- a/user/home.nix
+++ b/user/home.nix
@ -17,6 +17,7 @@ in {
    ./sway.nix
    ./git.nix
    ./qutebrowser
+    ./gpg.nix
  ];
  # Home Manager needs a bit of information about you and the
  # paths it should manage.
@ -54,6 +55,7 @@ in {
    libnotify
    wpass
    screenshotsh
+    _gpg-unlock
    # media
    yt-dlp
    ffmpeg