1 { pkgs, lib, config, machineName, ... }:
3 inherit (config.security) gnupg;
5 keygrip = "9AA84E6F6D71F9163C46BF396B141A0806219077";
9 <nixpkgs/nixos/modules/profiles/hardened.nix>
11 security.gnupg.store = builtins.getEnv "PASSWORD_STORE_DIR" + "/machines/${machineName}";
12 services.openssh.extraConfig = ''
13 # This is for removing remote gpg-agent's socket
14 StreamLocalBindUnlink yes
16 installer.ssh-nixos = {
17 PATH = [pkgs.gnupg pkgs.openssh];
19 #"-R" "/var/lib/gnupg/S.gpg-agent.extra:/run/user/1000/gnupg/d.w1sj57hx3zfcwadyxpr6wko9/S.gpg-agent.extra"
20 #"-o" "StreamLocalBindUnlink=yes"
22 script = lib.mkBefore ''
23 ssh '${config.installer.ssh-nixos.target}' \
24 gpg-connect-agent --no-autostart --homedir /var/lib/gnupg "'keyinfo --list'" /bye 2>&1 |
25 grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
26 -e "S KEYINFO ${keygrip} . . . 1 .*" || {
28 gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
29 gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
30 ssh '${config.installer.ssh-nixos.target}' \
31 gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
33 # Send the rootKey's passphrase
34 gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
35 ssh '${config.installer.ssh-nixos.target}' \
36 gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
41 gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
42 gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
43 ssh '${config.installer.ssh-nixos.target}' \
44 gpg --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
46 gpg --batch --export @root@${machineName} |
47 ssh '${config.installer.ssh-nixos.target}' \
48 gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
sourcephile / git / sourcephile-nix.git / blob