gitweb: patch gitweb directly
[sourcephile-nix.git] / shell / modules / tools / security / gnupg.nix
index 02e3da6074261afbf8d96976250ef14c578969a6..689792170870c88810df666033f9433884c252f3 100644 (file)
@@ -202,10 +202,6 @@ let
     set -eu
     set -o pipefail
     ${info}
-    ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}
-    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf}      ${gnupg.gnupgHome}/gpg.conf
-    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf
-    ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf}  ${gnupg.gnupgHome}/dirmngr.conf
     '' +
     generateKeys gnupg.keys
   );
@@ -411,14 +407,32 @@ options.gnupg = {
   gpgAgentConf = lib.mkOption {
     type = types.lines;
     apply = s: pkgs.writeText "gpg-agent.conf" s;
-    default = ''
+    default =
+      let pinentry = pkgs.writeShellScript "pinentry" ''
+        #!${pkgs.runtimeShell}
+        # choose pinentry depending on PINENTRY_USER_DATA
+        # this *only works* with gpg2
+        # see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802020
+        case "''${PINENTRY_USER_DATA:-tty}" in
+        curses) exec ${pkgs.pinentry.curses}/bin/pinentry-curses "$@";;
+        #emacs)  exec ''${pkgs.pinentry.emacs}/bin/pinentry-emacs "$@";;
+        #gnome3) exec ''${pkgs.pinentry.gnome3}/bin/pinentry-gnome3 "$@";;
+        gtk-2)  exec ${pkgs.pinentry.gtk2}/bin/pinentry-gtk-2 "$@";;
+        none)   exit 1;; # do not ask for passphrase
+        #qt)     exec ''${pkgs.pinentry.qt}/bin/pinentry-qt "$@";;
+        tty)    exec ${pkgs.pinentry.tty}/bin/pinentry-tty "$@";;
+        esac
+      '';
+    in ''
+      allow-loopback-pinentry
       allow-preset-passphrase
       default-cache-ttl 17200
       default-cache-ttl-ssh 17200
       enable-ssh-support
       max-cache-ttl 17200
       max-cache-ttl-ssh 17200
-      pinentry-program ${pkgs.pinentry}/bin/pinentry
+      no-allow-external-cache
+      pinentry-program ${pinentry}
     '';
     description = ''
       GnuPG's gpg-agent.conf content.
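Review bot: The `case` in the pinentry wrapper has no default arm, so an unrecognised `PINENTRY_USER_DATA` value (anything other than curses, gtk-2, none or tty) falls through `esac` and the script exits 0 without launching any pinentry, which gpg-agent will surface only as an opaque pinentry failure. Adding `*)      echo "pinentry: unsupported PINENTRY_USER_DATA '$PINENTRY_USER_DATA'" >&2; exit 1;;` before `esac` makes the misconfiguration visible at the point it happens. The `#!${pkgs.runtimeShell}` line is presumably redundant, since `writeShellScript` already emits its own shebang, leaving this one as a plain comment; it could be dropped. The new `allow-loopback-pinentry` line lets a client hand the passphrase to the agent over its connection instead of going through pinentry, which the option description (its text continues past the hunk) could state, e.g. `Loopback pinentry is enabled, so callers may pass passphrases directly to the agent.`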
@@ -426,7 +440,7 @@ options.gnupg = {
   };
   gpgConf = lib.mkOption {
     type = types.lines;
-    apply = s: pkgs.writeText "gpg.conf" s;
+    apply = s: pkgs.writeText "gpg.conf" (s+"\n"+gnupg.gpgExtraConf);
     default = ''
       auto-key-locate keyserver
       cert-digest-algo SHA512
@@ -454,6 +468,13 @@ options.gnupg = {
       GnuPG's gpg.conf content.
     '';
   };
+  gpgExtraConf = lib.mkOption {
+    type = types.lines;
+    default = "";
+    description = ''
+      GnuPG's gpg.conf extra content.
+    '';
+  };
 };
 config = lib.mkIf gnupg.enable {
   nix-shell.buildInputs = [
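Review bot: The description of the new `gpgExtraConf` option does not say how it relates to `gpgConf`; the `apply` in the previous hunk concatenates it after the `gpgConf` content, so a reader of the option alone cannot tell that its lines land at the end of gpg.conf (and, presumably, that for single-valued settings a later line takes precedence over an earlier one). Suggest `GnuPG's gpg.conf extra content, appended after the gpgConf lines.` as the description. The `options.gnupg` set this option belongs to continues outside the hunk.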
@@ -465,6 +486,10 @@ config = lib.mkIf gnupg.enable {
   ];
   nix-shell.shellHook = ''
     # gnupg
+    ${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}
+    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgConf}      ${gnupg.gnupgHome}/gpg.conf
+    ${pkgs.coreutils}/bin/ln -snf ${gnupg.gpgAgentConf} ${gnupg.gnupgHome}/gpg-agent.conf
+    ${pkgs.coreutils}/bin/ln -snf ${gnupg.dirmngrConf}  ${gnupg.gnupgHome}/dirmngr.conf
     export GNUPGHOME=${gnupg.gnupgHome}
     install -dm700 "$GNUPGHOME"
     export GPG_TTY=$(${pkgs.coreutils}/bin/tty)
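Review bot: The added `${pkgs.coreutils}/bin/install -dm0700 -D ${gnupg.gnupgHome}` duplicates the existing `install -dm700 "$GNUPGHOME"` a few lines below, which creates the same directory (GNUPGHOME is exported as `${gnupg.gnupgHome}` in between) but through a PATH-resolved `install`. Keeping only the fully qualified coreutils call and dropping `install -dm700 "$GNUPGHOME"` removes the second, PATH-dependent invocation. The `-D` flag is also a no-op alongside `-d`, so `install -dm0700 ${gnupg.gnupgHome}` is sufficient. The shellHook string continues past the end of the hunk.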