shell/modules/tools/security/gnupg.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (lib) types;
   4   inherit (config) gnupg;
   5   unlines = builtins.concatStringsSep "\n";
   6   unwords = builtins.concatStringsSep " ";
   7
   8   generateKeys = keys: unlines (lib.mapAttrsToList generateKey keys);
   9   generateKey =
  10     _uid:
  11     { uid ? uid
  12     , algo ? "future-default"
  13     , usage ? [ "default" ]
  14     , expire ? "-"
  15     , passPath
  16     , subKeys ? { }
  17     , postRun ? ""
  18     , ...
  19     }@primary:
  20     ''
  21       info "generateKey uid=\"${uid}\""
  22       if ! ${gpg-with-home}/bin/gpg-with-home --list-secret-keys -- "=${uid}" >/dev/null 2>/dev/null
  23        then
  24         ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
  25         ${gpg-with-home}/bin/gpg-with-home \
  26           --batch --pinentry-mode loopback --passphrase-fd 0 \
  27           --quick-generate-key "${uid}" "${algo}" "${unwords usage}" "${expire}"
  28        fi
  29       ${head1}
  30       fpr=$(${gpg-fingerprint}/bin/gpg-fingerprint -- "=${uid}" | head1)
  31       caps=$(${gpg-with-home}/bin/gpg-with-home \
  32               --with-colons --with-fingerprint \
  33               --list-secret-keys -- "=${uid}" |
  34              ${pkgs.gnugrep}/bin/grep '^ssb:' |
  35              ${pkgs.coreutils}/bin/cut -d : -f 12 || true)
  36     ''
  37     + unlines (map (generateSubKey primary) subKeys)
  38     + generateBackupKey "$fpr" primary
  39     + postRun
  40   ;
  41   generateSubKey =
  42     primary:
  43     { expire ? primary.expire
  44     , algo ? primary.algo
  45     , usage
  46     , ...
  47     }:
  48     ''
  49       info "  generateSubKey usage=[${unwords usage}]"
  50       if ! printf '%s\n' "$caps" | ${pkgs.gnugrep}/bin/grep -Fqx "${lettersKeyUsage usage}"
  51        then
  52         ${if primary.passPath != "" then "${pkgs.pass}/bin/pass '${primary.passPath}'" else "cat /dev/null"} |
  53         ${gpg-with-home}/bin/gpg-with-home \
  54           --batch --pinentry-mode loopback --passphrase-fd 0 \
  55           --quick-add-key "$fpr" "${algo}" "${unwords usage}" "${expire}"
  56        fi
  57     '';
  58   generateBackupKey =
  59     fpr:
  60     { passPath
  61     , backupRecipients ? [ ]
  62     , uid
  63     , ...
  64     }:
  65     lib.optionalString (backupRecipients != [ ])
  66       ''
  67         info "  generateBackupKey backupRecipients=[${unwords (map (s: "\\\"${s}\\\"") backupRecipients)}]"
  68         mkdir -p "${gnupg.gnupgHome}/backup/${uid}/"
  69         if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.pubkey.asc"
  70          then
  71           ${gpg-with-home}/bin/gpg-with-home \
  72             --batch \
  73             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.pubkey.asc" \
  74             --export-options export-backup \
  75             --export "${fpr}"
  76          fi
  77       '' + (if backupRecipients == [ "" ] then
  78       ''
  79         if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc" &&
  80          ${gpg-with-home}/bin/gpg-with-home --list-secret-keys "${fpr}" | grep -q "sec "
  81          then
  82           ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
  83           ${gpg-with-home}/bin/gpg-with-home \
  84             --pinentry-mode loopback --passphrase-fd 0 \
  85             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc" \
  86             --gen-revoke "${fpr}"
  87          fi
  88         if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec"
  89          then
  90           ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
  91           ${gpg-with-home}/bin/gpg-with-home \
  92             --batch --pinentry-mode loopback --passphrase-fd 0 \
  93             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec" \
  94             --export-options export-backup \
  95             --export-secret-key "${fpr}"
  96          fi
  97         if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec"
  98          then
  99           ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
 100           ${gpg-with-home}/bin/gpg-with-home \
 101             --batch --pinentry-mode loopback --passphrase-fd 0 \
 102             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec" \
 103             --export-options export-backup \
 104             --export-secret-subkeys "${fpr}"
 105          fi
 106       '' else ''
 107       if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc.gpg"
 108        then
 109         ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
 110         ${gpg-with-home}/bin/gpg-with-home \
 111           --pinentry-mode loopback --passphrase-fd 0 \
 112           --armor --gen-revoke "${fpr}" |
 113         gpg --encrypt ${recipients backupRecipients} \
 114             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.revoke.asc.gpg"
 115        fi
 116       if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec.gpg"
 117        then
 118         ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
 119         ${gpg-with-home}/bin/gpg-with-home \
 120           --batch --pinentry-mode loopback --passphrase-fd 0 \
 121           --armor --export-options export-backup \
 122           --export-secret-key "${fpr}" |
 123         gpg --encrypt ${recipients backupRecipients} \
 124             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.privkey.sec.gpg"
 125        fi
 126       if ! test -s "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec.gpg"
 127        then
 128         ${if passPath != "" then "${pkgs.pass}/bin/pass '${passPath}'" else "cat /dev/null"} |
 129         ${gpg-with-home}/bin/gpg-with-home \
 130           --batch --pinentry-mode loopback --passphrase-fd 0 \
 131           --armor --export-options export-backup \
 132           --export-secret-subkeys "${fpr}" |
 133         gpg --encrypt ${recipients backupRecipients} \
 134             --armor --yes --output "${gnupg.gnupgHome}/backup/${uid}/${fpr}.subkeys.sec.gpg"
 135        fi
 136     '');
 137   recipients = rs: unwords (map (r: ''--recipient "${refKey r}"'') rs);
 138   refKey = key: if builtins.typeOf key == "string" then key else "=${key.uid}";
 139   lettersKeyUsage = usage:
 140     (if builtins.elem "encrypt" usage then "e" else "") +
 141     (if builtins.elem "sign" usage then "s" else "") +
 142     (if builtins.elem "cert" usage then "c" else "") +
 143     (if builtins.elem "auth" usage then "a" else "");
 144
 145   # Initialize the keyring according to gnupg.keys.
 146   gpg-init = pkgs.writeShellScriptBin "gpg-init" (''
 147     set -eu
 148     set -o pipefail
 149     ${info}
 150   '' +
 151   generateKeys gnupg.keys
 152   );
 153
 154   # A wrapper around gpg to set GNUPGHOME.
 155   gpg-with-home = pkgs.writeScriptBin "gpg-with-home" ''
 156     GNUPGHOME=${gnupg.gnupgHome} \
 157     exec ${pkgs.gnupg}/bin/gpg "$@"
 158   '';
 159
 160   # A wrapper around gpg to get fingerprints.
 161   gpg-fingerprint = pkgs.writeScriptBin "gpg-fingerprint" ''
 162     set -eu
 163     ${gpg-with-home}/bin/gpg-with-home \
 164      --with-colons --with-fingerprint --with-subkey-fingerprint \
 165      --list-public-keys "$@" |
 166     while IFS=: read -r t x x x key x x x x uid x
 167      do case $t in
 168        (pub|sub|sec|ssb)
 169         while IFS=: read -r t x x x x x x x x fpr x
 170          do case $t in (fpr) printf '%s\n' "$fpr"; break;;
 171          esac done
 172         ;;
 173      esac done
 174   '';
 175
 176   # A wrapper around gpg to get keygrips.
 177   gpg-keygrip = pkgs.writeScriptBin "gpg-keygrip" ''
 178     set -eu
 179     ${gpg-with-home}/bin/gpg-with-home \
 180      --with-colons --with-keygrip \
 181      --list-public-keys "$@" |
 182     while IFS=: read -r t x x x key x x x x uid x do case $t in (pub|sub|sec|ssb) while IFS=: read -r t x x x x x x x x grp x do case $t in (grp) printf '%s\n' "$grp"; break;; esac done ;; esac done
 183   '';
 184
 185   # A wrapper around gpg to get uids.
 186   gpg-uid = pkgs.writeScriptBin "gpg-uid" ''
 187     set -eu
 188     ${gpg-with-home}/bin/gpg-with-home \
 189      --with-colons \
 190      --list-public-keys "$@" |
 191     while IFS=: read -r t st x x x x x id x uid x
 192      do case $t in
 193        (uid)
 194         case $st in
 195          (u) printf '%s\n' "$uid";;
 196          esac
 197         ;;
 198      esac done
 199   '';
 200
 201   head1 = ''
 202     head1(){
 203       IFS= read -r line
 204       cat >/dev/null # NOTE: consuming all the input avoids useless triggering of pipefail
 205       printf %s "$line"
 206     }
 207   '';
 208   info = ''
 209     info(){
 210       echo >&2 "gpg-init: $*"
 211     }
 212   '';
 213 in
 214 {
 215   options.gnupg = {
 216     enable = lib.mkEnableOption "GnuPG shell utilities";
 217     gnupgHome = lib.mkOption {
 218       type = types.str;
 219       default = "sec/gnupg";
 220       description = ''
 221     '';
 222     };
 223     keys = lib.mkOption {
 224       default = { };
 225       example =
 226         {
 227           "John Doe. <contact@example.coop>" = {
 228             algo = "rsa4096";
 229             expire = "1y";
 230             usage = [ "cert" "sign" ];
 231             passPath = "example.coop/gpg/contact";
 232             subKeys = [
 233               { algo = "rsa4096"; expire = "1y"; usage = [ "sign" ]; }
 234               { algo = "rsa4096"; expire = "1y"; usage = [ "encrypt" ]; }
 235               { algo = "rsa4096"; expire = "1y"; usage = [ "auth" ]; }
 236             ];
 237             backupRecipients = [ "@john@doe.pro" ];
 238           };
 239         };
 240       type = types.attrsOf (types.submodule ({ name, ... }: {
 241         options = {
 242           uid = lib.mkOption {
 243             type = types.str;
 244             example = "John Doe <john.doe@example.coop>";
 245             default = name;
 246             description = ''
 247               User ID.
 248             '';
 249           };
 250           algo = lib.mkOption {
 251             type = types.enum [ "rsa4096" ];
 252             default = "future-default";
 253             example = "rsa4096";
 254             description = ''
 255               Cryptographic algorithm.
 256             '';
 257           };
 258           expire = lib.mkOption {
 259             type = types.str;
 260             default = "0";
 261             example = "1y";
 262             description = ''
 263               Expiration timeout.
 264             '';
 265           };
 266           usage = lib.mkOption {
 267             type = with types; listOf (enum [ "cert" "sign" "encrypt" "auth" "default" ]);
 268             default = [ "default" ];
 269             example = [ "cert" "sign" "encrypt" "auth" ];
 270             description = ''
 271               Cryptographic usage.
 272             '';
 273           };
 274           passPath = lib.mkOption {
 275             type = types.str;
 276             example = "gnupg/coop/example/contact@";
 277             description = ''
 278               Password path.
 279             '';
 280           };
 281           subKeys = lib.mkOption {
 282             type = types.listOf (types.submodule {
 283               options = {
 284                 algo = lib.mkOption {
 285                   type = types.enum [ "rsa4096" ];
 286                   default = "default";
 287                   example = "rsa4096";
 288                   description = ''
 289                     Cryptographic algorithm.
 290                   '';
 291                 };
 292                 expire = lib.mkOption {
 293                   type = types.str;
 294                   default = "0";
 295                   example = "1y";
 296                   description = ''
 297                     Expiration timeout.
 298                   '';
 299                 };
 300                 usage = lib.mkOption {
 301                   type = with types; listOf (enum [ "sign" "encrypt" "auth" "default" ]);
 302                   default = [ "default" ];
 303                   example = [ "sign" "encrypt" "auth" ];
 304                   description = ''
 305                     Cryptographic usage.
 306                   '';
 307                 };
 308               };
 309             });
 310           };
 311           backupRecipients = lib.mkOption {
 312             type = with types; listOf str;
 313             default = [ ];
 314             example = [ "@john@doe.pro" ];
 315             description = ''
 316               Backup keys used to encrypt the a backup copy of the secret keys.
 317             '';
 318           };
 319           postRun = lib.mkOption {
 320             type = types.lines;
 321             default = "";
 322             description = ''
 323               Shell code to run after the key has been generated or tested to exist.
 324             '';
 325           };
 326         };
 327       }));
 328     };
 329     dirmngrConf = lib.mkOption {
 330       type = types.lines;
 331       apply = s: pkgs.writeText "dirmngr.conf" s;
 332       default = ''
 333         allow-ocsp
 334         hkp-cacert ${gnupg.keyserverPEM}
 335         keyserver hkps://keys.mayfirst.org
 336         #use-tor
 337         #log-file ${gnupg.gnupgHome}/dirmngr.log
 338         #standard-resolver
 339       '';
 340       description = ''
 341         GnuPG's dirmngr.conf content.
 342       '';
 343     };
 344     keyserverPEM = lib.mkOption {
 345       type = types.lines;
 346       apply = s: pkgs.writeText "keyserver.pem" s;
 347       default = builtins.readFile gnupg/keyserver.pem;
 348       description = ''
 349         dirmngr's hkp-cacert content.
 350       '';
 351     };
 352     gpgAgentConf = lib.mkOption {
 353       type = types.lines;
 354       apply = s: pkgs.writeText "gpg-agent.conf" (s + "\n" + gnupg.gpgAgentExtraConf);
 355       default =
 356         let
 357           pinentry = pkgs.writeShellScript "pinentry" ''
 358             #!${pkgs.runtimeShell}
 359             # choose pinentry depending on PINENTRY_USER_DATA
 360             # this *only works* with gpg2
 361             # see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802020
 362             case "''${PINENTRY_USER_DATA:-curses}" in
 363             curses) exec ${pkgs.pinentry.curses}/bin/pinentry-curses "$@";;
 364             #emacs)  exec ''${pkgs.pinentry.emacs}/bin/pinentry-emacs "$@";;
 365             #gnome3) exec ''${pkgs.pinentry.gnome3}/bin/pinentry-gnome3 "$@";;
 366             gtk-2)  exec ''${pkgs.pinentry.gtk2}/bin/pinentry-gtk-2 "$@";;
 367             none)   exit 1;; # do not ask for passphrase
 368             #qt)     exec ''${pkgs.pinentry.qt}/bin/pinentry-qt "$@";;
 369             tty)    exec ${pkgs.pinentry.tty}/bin/pinentry-tty "$@";;
 370             esac
 371           '';
 372         in
 373         ''
 374           allow-loopback-pinentry
 375           allow-preset-passphrase
 376           default-cache-ttl 17200
 377           default-cache-ttl-ssh 17200
 378           enable-ssh-support
 379           max-cache-ttl 17200
 380           max-cache-ttl-ssh 17200
 381           no-allow-external-cache
 382           pinentry-program ${pinentry}
 383         '';
 384       description = ''
 385         GnuPG's gpg-agent.conf content.
 386       '';
 387     };
 388     gpgConf = lib.mkOption {
 389       type = types.lines;
 390       apply = s: pkgs.writeText "gpg.conf" (s + "\n" + gnupg.gpgExtraConf);
 391       default = ''
 392         auto-key-locate keyserver
 393         cert-digest-algo SHA512
 394         charset utf-8
 395         default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed
 396         keyid-format 0xlong
 397         keyserver-options no-honor-keyserver-url
 398         no-auto-key-locate
 399         no-default-keyring
 400         no-emit-version
 401         personal-cipher-preferences AES256 AES CAST5
 402         personal-digest-preferences SHA512
 403         quiet
 404         s2k-cipher-algo AES256
 405         s2k-count 65536
 406         s2k-digest-algo SHA512
 407         s2k-mode 3
 408         tofu-default-policy unknown
 409         trust-model tofu+pgp
 410         use-agent
 411         utf8-strings
 412       '';
 413       description = ''
 414         GnuPG's gpg.conf content.
 415       '';
 416     };
 417     gpgExtraConf = lib.mkOption {
 418       type = types.lines;
 419       default = "";
 420       description = ''
 421         GnuPG's gpg.conf extra content.
 422       '';
 423     };
 424     gpgAgentExtraConf = lib.mkOption {
 425       type = types.lines;
 426       default = "";
 427       description = ''
 428         GnuPG's gpg-agent.conf extra content.
 429       '';
 430     };
 431   };
 432   config = lib.mkIf gnupg.enable {
 433     nix-shell.buildInputs = [
 434       gpg-with-home
 435       gpg-fingerprint
 436       gpg-keygrip
 437       gpg-uid
 438       gpg-init
 439     ];
 440     nix-shell.shellHook = ''
 441       # gnupg
 442       ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}
 443       ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf}      ${gnupg.gnupgHome}/gpg.conf
 444       ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf
 445       ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf}  ${gnupg.gnupgHome}/dirmngr.conf
 446       export GNUPGHOME=${gnupg.gnupgHome}
 447       install -dm700 "$GNUPGHOME"
 448       export GPG_TTY=$(${pkgs.coreutils}/bin/tty)
 449       ${pkgs.gnupg}/bin/gpgconf --launch gpg-agent
 450       export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
 451     '';
 452   };
 453 }