Add git and gpg configs

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2024-06-19 17:49:37 +03:00
parent e8cbbe07b2
commit 8a6045d6ce
4 changed files with 76 additions and 1 deletions
--- a/users/common/configs/git/default.nix
+++ b/users/common/configs/git/default.nix
@@ -1,6 +1,23 @@
+{ pkgs, ... }:
+
 {
  programs.git = {
    enable = true;
    lfs.enable = true;
+    signing = {
+      signByDefault = true;
+      key = null;
+    };
+    extraConfig.credential.helper = "store";
+    hooks = {
+      commit-msg = pkgs.writeScript "git-commit-msg" ''
+        #!${pkgs.runtimeShell}
+
+        git interpret-trailers --if-exists doNothing --trailer \
+          "Signed-off-by: $(git config user.name) <$(git config user.email)>" \
+          --in-place "$1"
+      '';
+    };
  };
 }
+
--- a/users/common/configs/gpg-agent/default.nix
+++ b/users/common/configs/gpg-agent/default.nix
@@ -0,0 +1,45 @@
+{ pkgs, ... }:
+
+{
+  services.gpg-agent = {
+    enable = true;
+    defaultCacheTtl = 31536000;
+    maxCacheTtl = 31536000;
+  };
+
+  systemd.user.services.gpg-agent-import = {
+    Unit = {
+      Description = "Auto-import GPG keys";
+      After = [ "gpg-agent.socket" "sops-nix.service" ];
+    };
+
+    Service = {
+      Type = "oneshot";
+      ExecStart = pkgs.writeScript "import-gpg-keys" ''
+        #!${pkgs.runtimeShell}
+
+        find "$HOME"/.gnupg -type f -exec chmod 600 {} \;
+        find "$HOME"/.gnupg -type d -exec chmod 700 {} \;
+
+        for keyfile in "$HOME"/.config/sops-nix/secrets/gpg-agent/*.key; do
+          passfile="''${keyfile%.key}.pass"
+
+          if [ -f "$passfile" ]; then
+            gpg --batch --yes --pinentry-mode loopback --passphrase-file "$passfile" --import "$keyfile"
+          else
+            gpg --batch --yes --import "$keyfile"
+          fi
+
+          gpg --with-colons --import-options show-only --import "$keyfile" | grep '^fpr' | cut -d: -f10 | while read -r KEY_ID; do
+            echo "$KEY_ID:6:" >> "$HOME"/.gnupg/otrust.txt
+          done
+        done
+
+        gpg --import-ownertrust "$HOME"/.gnupg/otrust.txt
+        rm "$HOME"/.gnupg/otrust.txt
+      '';
+    };
+
+    Install = { WantedBy = [ "default.target" ]; };
+  };
+}
--- a/users/common/default.nix
+++ b/users/common/default.nix
@@ -15,7 +15,10 @@ in
    dconf.enable = true;
  };

-  environment.sessionVariables.NIXOS_OZONE_WL = "1";
+  environment.sessionVariables = {
+    NIXOS_OZONE_WL = "1";
+    SOPS_AGE_KEY_FILE = "$HOME/.config/sops-nix/key.txt";
+  };

  home-manager = {
    extraSpecialArgs = { inherit inputs; };
@@ -33,6 +36,7 @@ in
        ./configs/neovim
        ./configs/kitty
        ./configs/firefox
+        ./configs/gpg-agent
      ];

      home = {
--- a/users/nick/default.nix
+++ b/users/nick/default.nix
@@ -9,6 +9,15 @@
    neededForUsers = true;
  };

+  home-manager.users.nick.sops = {
+    defaultSopsFile = ./secrets/secrets.yaml;
+    secrets = {
+      "git" = { path = "/home/nick/.git-credentials"; };
+      "gpg-agent/pgp.key" = { };
+      "gpg-agent/pgp.pass" = { };
+    };
+  };
+
  users.users.nick = {
    isNormalUser = true;
    home = "/home/nick";