From 8a6045d6ceaec5330453289022bf077497dc7b1b Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Wed, 19 Jun 2024 17:49:37 +0300
Subject: [PATCH] Add git and gpg configs
Signed-off-by: Nikolaos Karaolidis
---
 users/common/configs/git/default.nix | 17 ++++++++
 users/common/configs/gpg-agent/default.nix | 45 ++++++++++++++++++++++
 users/common/default.nix | 6 ++-
 users/nick/default.nix | 9 +++++
 4 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 users/common/configs/gpg-agent/default.nix
diff --git a/users/common/configs/git/default.nix b/users/common/configs/git/default.nix
index d8ac829..a601f38 100644
--- a/users/common/configs/git/default.nix
+++ b/users/common/configs/git/default.nix
@@ -1,6 +1,23 @@
+{ pkgs, ... }:
+
 {
 programs.git = {
 enable = true;
 lfs.enable = true;
+ signing = {
+ signByDefault = true;
+ key = null;
+ };
+ extraConfig.credential.helper = "store";
+ hooks = {
+ commit-msg = pkgs.writeScript "git-commit-msg" ''
+ #!${pkgs.runtimeShell}
+
+ git interpret-trailers --if-exists doNothing --trailer \
+ "Signed-off-by: $(git config user.name) <$(git config user.email)>" \
+ --in-place "$1"
+ '';
+ };
 };
 }
+
diff --git a/users/common/configs/gpg-agent/default.nix b/users/common/configs/gpg-agent/default.nix
new file mode 100644
index 0000000..99b1759
--- /dev/null
+++ b/users/common/configs/gpg-agent/default.nix
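Review bot: `extraConfig.credential.helper = "store";` keeps HTTPS credentials in the clear in `~/.git-credentials`, and the `store` helper also writes any credential git prompts for into that same file, so the path that the sops `git` secret populates elsewhere in this commit is a write target for git as well (how that interacts with a sops-managed, read-only file depends on how sops-nix materializes the path — worth confirming); `credential.helper = "cache"` or a keyring-backed helper keeps nothing on disk in plaintext. The commit-msg hook builds its trailer from `git config user.name` and `user.email` and emits `Signed-off-by:  <>` when either is unset; a guard before the `git interpret-trailers` call such as `git config user.email >/dev/null || { echo "git user.email is not set" >&2; exit 1; }` keeps the trailer well-formed and makes the failure visible. `signing.key = null;` together with `signByDefault = true;` leaves key selection to the committer identity, which is presumably intended once the gpg import unit has run — a short comment on the `key = null;` line saying so would save the next reader the lookup.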
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+
+{
+ services.gpg-agent = {
+ enable = true;
+ defaultCacheTtl = 31536000;
+ maxCacheTtl = 31536000;
+ };
+
+ systemd.user.services.gpg-agent-import = {
+ Unit = {
+ Description = "Auto-import GPG keys";
+ After = [ "gpg-agent.socket" "sops-nix.service" ];
+ };
+
+ Service = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeScript "import-gpg-keys" ''
+ #!${pkgs.runtimeShell}
+
+ find "$HOME"/.gnupg -type f -exec chmod 600 {} \;
+ find "$HOME"/.gnupg -type d -exec chmod 700 {} \;
+
+ for keyfile in "$HOME"/.config/sops-nix/secrets/gpg-agent/*.key; do
+ passfile="''${keyfile%.key}.pass"
+
+ if [ -f "$passfile" ]; then
+ gpg --batch --yes --pinentry-mode loopback --passphrase-file "$passfile" --import "$keyfile"
+ else
+ gpg --batch --yes --import "$keyfile"
+ fi
+
+ gpg --with-colons --import-options show-only --import "$keyfile" | grep '^fpr' | cut -d: -f10 | while read -r KEY_ID; do
+ echo "$KEY_ID:6:" >> "$HOME"/.gnupg/otrust.txt
+ done
+ done
+
+ gpg --import-ownertrust "$HOME"/.gnupg/otrust.txt
+ rm "$HOME"/.gnupg/otrust.txt
+ '';
+ };
+
+ Install = { WantedBy = [ "default.target" ]; };
+ };
+}
diff --git a/users/common/default.nix b/users/common/default.nix
index 2cc70a3..a3acb8c 100644
--- a/users/common/default.nix
+++ b/users/common/default.nix
@@ -15,7 +15,10 @@ in
 dconf.enable = true;
 };
 
- environment.sessionVariables.NIXOS_OZONE_WL = "1";
+ environment.sessionVariables = {
+ NIXOS_OZONE_WL = "1";
+ SOPS_AGE_KEY_FILE = "$HOME/.config/sops-nix/key.txt";
+ };
 
 home-manager = {
 extraSpecialArgs = { inherit inputs; };
@@ -33,6 +36,7 @@ in
 ./configs/neovim
 ./configs/kitty
 ./configs/firefox
+ ./configs/gpg-agent
 ];
 
 home = {
diff --git a/users/nick/default.nix b/users/nick/default.nix
index 1290812..749b946 100644
--- a/users/nick/default.nix
+++ b/users/nick/default.nix
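Review bot: `defaultCacheTtl` and `maxCacheTtl` of 31536000 seconds (one year) mean an unlocked passphrase stays cached for the life of the agent, and the import script assigns ownertrust `6` (ultimate) to every fingerprint found under `secrets/gpg-agent/*.key`, so anything placed in that directory becomes a trust anchor; both choices deserve a comment stating that the directory is expected to hold only the user's own keys and that the long TTL is deliberate. The script itself runs without `set -eu`, appends to `~/.gnupg/otrust.txt` with `>>` so an interrupted run leaves stale entries for the next one, loops over the literal pattern when the glob matches nothing (no `nullglob` in `runtimeShell`), and then calls `gpg --import-ownertrust` on a file that may not exist. A temp file removed by an EXIT trap plus a glob guard addresses all of these; sketch below.
```nix
ExecStart = pkgs.writeScript "import-gpg-keys" ''
  #!${pkgs.runtimeShell}
  set -eu

  # … unchanged: chmod of "$HOME"/.gnupg files and directories …

  otrust="$(mktemp)"
  trap 'rm -f "$otrust"' EXIT

  for keyfile in "$HOME"/.config/sops-nix/secrets/gpg-agent/*.key; do
    [ -e "$keyfile" ] || continue   # unmatched glob expands to the literal pattern

    # … unchanged: import with or without "$passfile" …

    gpg --with-colons --import-options show-only --import "$keyfile" | grep '^fpr' | cut -d: -f10 | while read -r KEY_ID; do
      echo "$KEY_ID:6:" >> "$otrust"   # 6 = ultimate trust; only appropriate for the user's own keys
    done
  done

  if [ -s "$otrust" ]; then
    gpg --import-ownertrust "$otrust"
  fi
'';
```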
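Review bot: `SOPS_AGE_KEY_FILE = "$HOME/.config/sops-nix/key.txt";` depends on `$HOME` being expanded by whoever reads it; `environment.sessionVariables` on NixOS lands in a shell-sourced environment file, so login shells should expand it, but a process that receives its environment without passing through a shell — the `sops-nix.service` user unit named in this commit's `After` list is the consumer that matters — may see the literal string, which is worth confirming. The home-manager sops-nix module also exposes `sops.age.keyFile`, which removes the dependency on session environment entirely and keeps the key location next to the secrets it decrypts. Either way, a comment on this line noting that the file is the age private key protecting every user secret would help the next reader.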
@@ -9,6 +9,15 @@
 neededForUsers = true;
 };
 
+ home-manager.users.nick.sops = {
+ defaultSopsFile = ./secrets/secrets.yaml;
+ secrets = {
+ "git" = { path = "/home/nick/.git-credentials"; };
+ "gpg-agent/pgp.key" = { };
+ "gpg-agent/pgp.pass" = { };
+ };
+ };
+
 users.users.nick = {
 isNormalUser = true;
 home = "/home/nick";
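Review bot: `path = "/home/nick/.git-credentials";` hard-codes the home directory that `home = "/home/nick";` sets a few lines further down, so the two can drift if the home ever moves; if `config` is in scope for this module (its argument list is outside the hunk), `path = "${config.users.users.nick.home}/.git-credentials";` ties them together. The three entries rely on sops-nix's default mode and ownership, which is presumably what is wanted for a credential file and a private key; a one-line comment above `secrets` explaining that `git` is the plaintext credential file consumed by the `store` helper — which is why it has an explicit `path` while the gpg entries do not — would make the asymmetry deliberate rather than puzzling.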