1 { pkgs, lib, config, ... }:
# Module options for this file; every binding below reads its settings from here.
gnupg = config.gnupg;
# Join a list of strings with newlines / spaces; used to assemble the shell
# snippets that make up gpg-init.
unlines = lines: builtins.concatStringsSep "\n" lines;
unwords = words: builtins.concatStringsSep " " words;
# One shell snippet per configured key, concatenated with newlines. The
# attribute name is the key's uid (mapAttrsToList hands the name to generateKey
# first, the key's submodule config second).
generateKeys = keys:
  let snippets = lib.mapAttrsToList generateKey keys;
  in unlines snippets;
12 , algo ? "future-default"
20 info "generateKey uid=\"${uid}\""
21 if ! ${gpg-with-home}/bin/gpg-with-home --list-secret-keys -- "=${uid}" >/dev/null 2>/dev/null
23 ${pkgs.pass}/bin/pass "${passPath}" |
24 ${gpg-with-home}/bin/gpg-with-home \
25 --batch --pinentry-mode loopback --passphrase-fd 0 \
26 --quick-generate-key "${uid}" "${algo}" "${unwords usage}" "${expire}"
29 fpr=$(${gpg-fingerprint}/bin/gpg-fingerprint -- "=${uid}" | head1)
30 caps=$(${gpg-with-home}/bin/gpg-with-home \
31 --with-colons --fixed-list-mode --with-fingerprint \
32 --list-secret-keys -- "=${uid}" |
33 ${pkgs.gnugrep}/bin/grep '^ssb:' |
34 ${pkgs.coreutils}/bin/cut -d : -f 12 || true)
36 + unlines (map (generateSubKey primary) subKeys)
37 + generateBackupKey "$fpr" primary
41 { expire ? primary.expire
47 info " generateSubKey usage=[${unwords usage}]"
48 if ! printf '%s\n' "$caps" | ${pkgs.gnugrep}/bin/grep -Fqx "${lettersKeyUsage usage}"
50 ${pkgs.pass}/bin/pass "${primary.passPath}" |
51 ${gpg-with-home}/bin/gpg-with-home \
52 --batch --pinentry-mode loopback --passphrase-fd 0 \
53 --quick-add-key "$fpr" "${algo}" "${unwords usage}" "${expire}"
59 , backupRecipients ? []
63 lib.optionalString (backupRecipients != [])
65 info " generateBackupKey backupRecipients=[${unwords (map (s: "\\\"${s}\\\"") backupRecipients)}]"
66 mkdir -p "${gnupg.gnupgHome}/backup/${uid}/"
67 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.pubkey.asc"
69 ${gpg-with-home}/bin/gpg-with-home \
71 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.pubkey.asc" \
72 --export-options export-backup \
75 '' + (if backupRecipients == [""] then
77 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc"
79 ${pkgs.pass}/bin/pass "${passPath}" |
80 ${gpg-with-home}/bin/gpg-with-home \
81 --pinentry-mode loopback --passphrase-fd 0 \
82 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc" \
85 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec"
87 ${pkgs.pass}/bin/pass "${passPath}" |
88 ${gpg-with-home}/bin/gpg-with-home \
89 --batch --pinentry-mode loopback --passphrase-fd 0 \
90 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec" \
91 --export-options export-backup \
92 --export-secret-key "${fpr}"
94 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec"
96 ${pkgs.pass}/bin/pass "${passPath}" |
97 ${gpg-with-home}/bin/gpg-with-home \
98 --batch --pinentry-mode loopback --passphrase-fd 0 \
99 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec" \
100 --export-options export-backup \
101 --export-secret-subkeys "${fpr}"
104 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc.gpg"
106 ${pkgs.pass}/bin/pass "${passPath}" |
107 ${gpg-with-home}/bin/gpg-with-home \
108 --pinentry-mode loopback --passphrase-fd 0 \
109 --armor --gen-revoke "${fpr}" |
110 gpg --encrypt ${recipients backupRecipients} \
111 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc.gpg"
113 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec.gpg"
115 ${pkgs.pass}/bin/pass "${passPath}" |
116 ${gpg-with-home}/bin/gpg-with-home \
117 --batch --pinentry-mode loopback --passphrase-fd 0 \
118 --armor --export-options export-backup \
119 --export-secret-key "${fpr}" |
120 gpg --encrypt ${recipients backupRecipients} \
121 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec.gpg"
123 if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec.gpg"
125 ${pkgs.pass}/bin/pass "${passPath}" |
126 ${gpg-with-home}/bin/gpg-with-home \
127 --batch --pinentry-mode loopback --passphrase-fd 0 \
128 --armor --export-options export-backup \
129 --export-secret-subkeys "${fpr}" |
130 gpg --encrypt ${recipients backupRecipients} \
131 --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec.gpg"
# Turns backupRecipients into the `--recipient` flags for the `gpg --encrypt`
# calls in generateBackupKey (the *.gpg backup files). Each reference is
# interpolated into the generated shell line between double quotes with no
# escaping, so the values must come from trusted module config. Only the
# encrypted backup variants go through here: with backupRecipients == [""]
# generateBackupKey writes the secret-key exports unencrypted instead.
recipients = rs:
  let flagFor = r: ''--recipient "${refKey r}"'';
  in builtins.concatStringsSep " " (map flagFor rs);
# A recipient is either a raw string handed to gpg as-is, or a key attrset,
# which is referenced by the same `=uid` selector the --list-secret-keys
# calls above use.
refKey = key:
  if builtins.isString key then key else "=${key.uid}";
136 signer = s: if s == null
138 else ''--sign --default-key "${refKey s}"'';
# Maps a usage list to the capability letters gpg prints in the ssb
# capability field (e, s, c, a), in that fixed order. generateSubKey compares
# this string against each existing subkey's field with `grep -Fqx`, i.e. an
# exact whole-line match, so letter order is significant. Note that
# `["default"]` and an empty list both yield "", which that exact-line grep
# can only match against an empty capability line — worth checking that path
# when subKeys rely on the module's default usage.
lettersKeyUsage = usage:
  let
    letterFor = capability: letter:
      if builtins.elem capability usage then letter else "";
  in
    letterFor "encrypt" "e"
    + letterFor "sign" "s"
    + letterFor "cert" "c"
    + letterFor "auth" "a";
145 passOfFingerprint = key:
147 # which fills a map from the fingerprints of the given key
148 # to its password file.
150 # shell.gnupg.pass.passOfFingerprint
151 for fpr in $(${gpg-fingerprint}/bin/gpg-fingerprint -- "=${key.uid}")
152 do eval "pass_$fpr=\"${key.passPath}\""
157 # which installs an exit and keyboard interruption (^C) trap
158 # that removes from gpg-agent any cached pass
159 # whose keygrip is registered in $keygrips.
164 for keygrip in $keygrips
166 echo >&2 "gpg: forget: keygrip=$keygrip"
167 GNUPGHOME=${gnupg.gnupgHome} \
168 ${pkgs.gnupg}/bin/gpg-connect-agent </dev/null >&2 "CLEAR_PASSPHRASE $keygrip" ||
173 trap 'forgetPass' EXIT INT
175 presetPass = keys: uid:
177 # which presets the pass of the given uid into gpg-agent,
178 # using keys to find where the pass is stored.
180 ${unlines (map passOfFingerprint keys)}
182 GNUPGHOME=${gnupg.gnupgHome} \
183 ${pkgs.gnupg}/bin/gpgconf --launch gpg-agent
185 fpr="$(${gpg-fingerprint}/bin/fingerprint -- "${uid}" | head1)"
186 eval pass="\''${pass_$fpr}"
189 for keygrip in $(${gnupg.gpg-keygrip}/bin/gpg-keygrip -- "$fpr")
191 keygrips="$keygrips $keygrip"
192 echo >&2 "gpg: preset: keygrip=$keygrip pass=$pass"
193 ${pkgs.pass}/bin/pass "$pass" |
194 GNUPGHOME=${gnupg.gnupgHome} \
195 ${pkgs.gnupg}/libexec/gpg-preset-passphrase --preset ''${XTRACE:+--verbose} $keygrip
200 # Initialize the keyring according to gnupg.keys.
201 gpg-init = pkgs.writeShellScriptBin "gpg-init" (''
206 generateKeys gnupg.keys
209 # A wrapper around gpg to set GNUPGHOME.
210 gpg-with-home = pkgs.writeScriptBin "gpg-with-home" ''
211 GNUPGHOME=${gnupg.gnupgHome} \
212 exec ${pkgs.gnupg}/bin/gpg "$@"
215 # A wrapper around gpg to get fingerprints.
216 gpg-fingerprint = pkgs.writeScriptBin "gpg-fingerprint" ''
218 ${gpg-with-home}/bin/gpg-with-home \
219 --with-colons --fixed-list-mode --with-fingerprint --with-subkey-fingerprint \
220 --list-public-keys "$@" |
221 while IFS=: read -r t x x x key x x x x uid x
224 while IFS=: read -r t x x x x x x x x fpr x
225 do case $t in (fpr) printf '%s\n' "$fpr"; break;;
231 # A wrapper around gpg to get keygrips.
232 gpg-keygrip = pkgs.writeScriptBin "gpg-keygrip" ''
234 ${gpg-with-home}/bin/gpg-with-home \
235 --with-colons --fixed-list-mode --with-keygrip \
236 --list-public-keys "$@" |
237 while IFS=: read -r t x x x key x x x x uid x
240 while IFS=: read -r t x x x x x x x x grp x
241 do case $t in (grp) printf '%s\n' "$grp"; break;;
247 # A wrapper around gpg to get uids.
248 gpg-uid = pkgs.writeScriptBin "gpg-uid" ''
250 ${gpg-with-home}/bin/gpg-with-home \
251 --with-colons --fixed-list-mode \
252 --list-public-keys "$@" |
253 while IFS=: read -r t st x x x x x id x uid x
257 (u) printf '%s\n' "$uid";;
266 cat >/dev/null # NOTE: consuming all the input avoids useless triggering of pipefail
272 echo >&2 "gpg-init: $*"
278 enable = lib.mkEnableOption "GnuPG shell utilities";
279 gnupgHome = lib.mkOption {
281 default = "sec/gnupg";
285 keys = lib.mkOption {
288 { "John Doe. <contact@example.coop>" = {
291 usage = ["cert" "sign"];
292 passPath = "example.coop/gpg/contact";
294 { algo = "rsa4096"; expire = "1y"; usage = ["sign"];}
295 { algo = "rsa4096"; expire = "1y"; usage = ["encrypt"];}
296 { algo = "rsa4096"; expire = "1y"; usage = ["auth"];}
298 backupRecipients = ["@john@doe.pro"];
301 type = types.attrsOf (types.submodule ({uid, ...}: {
302 #config.uid = lib.mkDefault uid;
306 example = "John Doe <john.doe@example.coop>";
312 algo = lib.mkOption {
313 type = types.enum [ "rsa4096" ];
314 default = "future-default";
317 Cryptographic algorithm.
320 expire = lib.mkOption {
328 usage = lib.mkOption {
329 type = with types; listOf (enum [ "cert" "sign" "encrypt" "auth" "default" ]);
330 default = ["default"];
331 example = ["cert" "sign" "encrypt" "auth"];
336 passPath = lib.mkOption {
338 example = "gnupg/coop/example/contact@";
343 subKeys = lib.mkOption {
344 type = types.listOf (types.submodule {
346 algo = lib.mkOption {
347 type = types.enum [ "rsa4096" ];
351 Cryptographic algorithm.
354 expire = lib.mkOption {
362 usage = lib.mkOption {
363 type = with types; listOf (enum [ "sign" "encrypt" "auth" "default" ]);
364 default = ["default"];
365 example = ["sign" "encrypt" "auth"];
373 backupRecipients = lib.mkOption {
374 type = with types; listOf str;
376 example = ["@john@doe.pro"];
378 Backup keys used to encrypt a backup copy of the secret keys.
384 dirmngrConf = lib.mkOption {
386 apply = s: pkgs.writeText "dirmngr.conf" s;
389 hkp-cacert ${gnupg.keyserverPEM}
390 keyserver hkps://keys.mayfirst.org
392 #log-file ${gnupg.gnupgHome}/dirmngr.log
396 GnuPG's dirmngr.conf content.
399 keyserverPEM = lib.mkOption {
401 apply = s: pkgs.writeText "keyserver.pem" s;
402 default = builtins.readFile gnupg/keyserver.pem;
404 dirmngr's hkp-cacert content.
407 gpgAgentConf = lib.mkOption {
409 apply = s: pkgs.writeText "gpg-agent.conf" s;
411 let pinentry = pkgs.writeShellScript "pinentry" ''
412 #!${pkgs.runtimeShell}
413 # choose pinentry depending on PINENTRY_USER_DATA
414 # this *only works* with gpg2
415 # see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802020
416 case "''${PINENTRY_USER_DATA:-tty}" in
417 curses) exec ${pkgs.pinentry.curses}/bin/pinentry-curses "$@";;
418 #emacs) exec ''${pkgs.pinentry.emacs}/bin/pinentry-emacs "$@";;
419 #gnome3) exec ''${pkgs.pinentry.gnome3}/bin/pinentry-gnome3 "$@";;
420 gtk-2) exec ${pkgs.pinentry.gtk2}/bin/pinentry-gtk-2 "$@";;
421 none) exit 1;; # do not ask for passphrase
422 #qt) exec ''${pkgs.pinentry.qt}/bin/pinentry-qt "$@";;
423 tty) exec ${pkgs.pinentry.tty}/bin/pinentry-tty "$@";;
427 allow-loopback-pinentry
428 allow-preset-passphrase
429 default-cache-ttl 17200
430 default-cache-ttl-ssh 17200
433 max-cache-ttl-ssh 17200
434 no-allow-external-cache
435 pinentry-program ${pinentry}
438 GnuPG's gpg-agent.conf content.
441 gpgConf = lib.mkOption {
443 apply = s: pkgs.writeText "gpg.conf" (s+"\n"+gnupg.gpgExtraConf);
445 auto-key-locate keyserver
446 cert-digest-algo SHA512
448 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed
451 keyserver-options no-honor-keyserver-url
455 personal-cipher-preferences AES256 AES CAST5
456 personal-digest-preferences SHA512
458 s2k-cipher-algo AES256
460 s2k-digest-algo SHA512
462 tofu-default-policy unknown
468 GnuPG's gpg.conf content.
471 gpgExtraConf = lib.mkOption {
475 GnuPG's gpg.conf extra content.
479 config = lib.mkIf gnupg.enable {
480 nix-shell.buildInputs = [
487 nix-shell.shellHook = ''
489 ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}
490 ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf} ${gnupg.gnupgHome}/gpg.conf
491 ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf
492 ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf} ${gnupg.gnupgHome}/dirmngr.conf
493 export GNUPGHOME=${gnupg.gnupgHome}
494 install -dm700 "$GNUPGHOME"
495 export GPG_TTY=$(${pkgs.coreutils}/bin/tty)
496 ${pkgs.gnupg}/bin/gpgconf --launch gpg-agent
497 export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)