diff --git a/flake.lock b/flake.lock
index a243168..cd84898 100644
--- a/flake.lock
+++ b/flake.lock
@@ -359,6 +359,22 @@
 "type": "github"
 }
 },
+ "gpg-base-conf": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1711321488,
+ "narHash": "sha256-UoPY3pr1EkQj0vTJdHtwG8UBEmsN5AVutYzZ/3R4t28=",
+ "owner": "drduh",
+ "repo": "config",
+ "rev": "3b1bd3925b3440f55902e0a386155c55fc97d147",
+ "type": "github"
+ },
+ "original": {
+ "owner": "drduh",
+ "repo": "config",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -599,6 +615,7 @@
 },
 "root": {
 "inputs": {
+ "gpg-base-conf": "gpg-base-conf",
 "home-manager": "home-manager",
 "nix-ld": "nix-ld",
 "nixos-hardware": "nixos-hardware",
diff --git a/flake.nix b/flake.nix
index d4cd02a..93b0ba1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,6 +35,12 @@
 url = "github:Mic92/nix-ld";
 inputs.nixpkgs.follows = "unstable";
 };
+
+ # GPG default configuration
+ gpg-base-conf = {
+ url = "github:drduh/config";
+ flake = false;
+ };
 };
 
 outputs =
diff --git a/modules/home/tools/git/default.nix b/modules/home/tools/git/default.nix
index 231762f..f4bf050 100644
--- a/modules/home/tools/git/default.nix
+++ b/modules/home/tools/git/default.nix
@@ -16,6 +16,8 @@ in
 enable = mkBoolOpt true "Enable Git (Default true)";
 userName = mkOpt types.str user.fullName "The name to configure git with.";
 userEmail = mkOpt types.str user.email "The email to configure git with.";
+ signingKey = mkOpt types.str "A8185688CDE3921F" "The key ID to sign commits with.";
+ signByDefault = mkOpt types.bool true "Whether to sign commits by default.";
 };
 
 config = mkIf cfg.enable {
@@ -23,6 +25,10 @@ in
 enable = true;
 inherit (cfg) userName userEmail;
 lfs = enabled;
+ signing = {
+ key = cfg.signingKey;
+ inherit (cfg) signByDefault;
+ };
 extraConfig = {
 init = {
 defaultBranch = "main";
@@ -33,6 +39,9 @@ in
 push = {
 autoSetupRemote = true;
 };
+ safe = {
+ directory = "${user.home}/projects/config";
+ };
 };
 };
 };
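Review bot: The new `gpg-base-conf` input in flake.nix tracks the default branch of a third-party repository, so the `gpg.conf` it supplies changes on every `nix flake update` without any review in this repo; only flake.lock (rev `3b1bd3925b3440f55902e0a386155c55fc97d147`) pins it today. Because that file is shipped verbatim as a security-relevant configuration, consider pinning the revision in the input itself, `url = "github:drduh/config/3b1bd3925b3440f55902e0a386155c55fc97d147";`, or at least extend the comment to say that updates of this input should be diffed before they are accepted. The enclosing `inputs` set starts outside the hunk.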
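Review bot: `signingKey` in modules/home/tools/git/default.nix defaults to one specific personal key ID, `A8185688CDE3921F`, so any other user of this module silently signs with (or fails to find) someone else's key unless they override it; the same default is repeated in modules/nixos/tools/git/default.nix. A safer default is no key at all, `signingKey = mkOpt (types.nullOr types.str) null "The key ID to sign commits with.";`, with `signByDefault` defaulting to `false`, so signing is an explicit per-host opt-in. Note also that `signByDefault` is unconditionally `true` here while the nixos git module gates it on `gpg.enable`; on a host with GPG disabled this module still turns on commit signing and every commit fails. The `safe.directory` value in the third hunk hard-codes `projects/config`, which would be clearer as an option as well, but that is a style point.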
diff --git a/modules/nixos/security/gpg/default.nix b/modules/nixos/security/gpg/default.nix
new file mode 100644
index 0000000..dd56a48
--- /dev/null
+++ b/modules/nixos/security/gpg/default.nix
@@ -0,0 +1,56 @@
+{
+ options,
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}:
+with lib;
+with lib.wyrdgard;
+let
+ cfg = config.wyrdgard.security.gpg;
+
+ gpgConf = "${inputs.gpg-base-conf}/gpg.conf";
+
+ gpgAgentConf = ''
+ enable-ssh-support
+ default-cache-ttl 60
+ max-cache-ttl 120
+ pinentry-program ${pkgs.pinentry-qt}/bin/pinentry-qt
+ '';
+in
+{
+ options.wyrdgard.security.gpg = with types; {
+ enable = mkBoolOpt false "Wether or not to enable GPG.";
+ agentTimeout = mkOpt int 5 "The amount of time to wait before continuing with shell init.";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ paperkey
+ gnupg
+ pinentry-curses
+ pinentry-qt
+ ];
+
+ programs = {
+ ssh.startAgent = false;
+
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ enableExtraSocket = true;
+ };
+ };
+
+ wyrdgard = {
+ home.file = {
+ ".gnupg/.keep".text = "";
+
+ ".gnupg/gpg.conf".source = gpgConf;
+ ".gnupg/gpg-agent.conf".text = gpgAgentConf;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/submodules/basics/default.nix b/modules/nixos/submodules/basics/default.nix
index a0ac111..b38b103 100644
--- a/modules/nixos/submodules/basics/default.nix
+++ b/modules/nixos/submodules/basics/default.nix
@@ -50,6 +50,10 @@ in
 time = enabled;
 xkb = enabled;
 };
+
+ security = {
+ gpg = enabled;
+ };
 };
 };
 }
diff --git a/modules/nixos/submodules/graphical-interface/default.nix b/modules/nixos/submodules/graphical-interface/default.nix
index 93f2872..4b0de83 100644
--- a/modules/nixos/submodules/graphical-interface/default.nix
+++ b/modules/nixos/submodules/graphical-interface/default.nix
@@ -16,6 +16,8 @@ in
 };
 
 config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ ];
+ + services.xserver = {
 enable = true;
 displayManager.sddm = {
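Review bot: `agentTimeout` is declared in the options block of the new gpg module but never read anywhere in its `config` block, so setting it has no effect; either wire it into the shell init its description promises or drop the option until that code exists. `gpgAgentConf` hard-codes `pinentry-program` to `pinentry-qt` and the package list installs it unconditionally, yet the basics submodule now enables this module on every host; a headless machine presumably gets a Qt pinentry it cannot display while the `pinentry-curses` that is also installed is never selected, so the pinentry program would be better as an option. `enableExtraSocket = true` publishes the extra agent socket that, as I read the NixOS option, exists for forwarding the agent to containers or remote hosts; if forwarding is not a use case here it should stay off. The description `"Wether or not to enable GPG."` has a typo (`Whether`), which also appears in the git module.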
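Review bot: `environment.systemPackages = with pkgs; [ ];` in the graphical-interface hunk adds nothing and reads as a leftover placeholder; either drop the line or add the packages it was meant to carry, since an empty definition only makes a reader wonder what was intended. The enclosing `config` block continues outside the hunk.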
diff --git a/modules/nixos/tools/git/default.nix b/modules/nixos/tools/git/default.nix
index 85c37bc..126feee 100644
--- a/modules/nixos/tools/git/default.nix
+++ b/modules/nixos/tools/git/default.nix
@@ -10,12 +10,14 @@ with lib.wyrdgard;
 let
 cfg = config.wyrdgard.tools.git;
 user = config.wyrdgard.user;
+ gpg = config.wyrdgard.security.gpg;
 in
 {
 options.wyrdgard.tools.git = with types; {
 enable = mkBoolOpt true "Wether or not to enable git (Default enabled)";
 userName = mkOpt types.str user.fullName "The name to use git with";
 userEmail = mkOpt types.str user.email "The email to use git with";
+ signingKey = mkOpt types.str "A8185688CDE3921F" "The key ID to sign commits with.";
 };
 
 config = mkIf cfg.enable {
@@ -24,18 +26,28 @@ in
 gitAndTools.gh
 ];
 
- programs.git = {
- enable = true;
- lfs.enable = true;
- config = {
- init = {
- defaultBranch = "main";
+ wyrdgard.home.extraOptions = {
+ programs.git = {
+ enable = true;
+ inherit (cfg) userName userEmail;
+ lfs.enable = true;
+ signing = {
+ key = cfg.signingKey;
+ signByDefault = mkIf gpg.enable true;
 };
- pull = {
- rebase = false;
- };
- push = {
- autoSetupRemote = true;
+ extraConfig = {
+ init = {
+ defaultBranch = "main";
+ };
+ pull = {
+ rebase = false;
+ };
+ push = {
+ autoSetupRemote = true;
+ };
+ safe = {
+ directory = "${config.users.users.${user.name}.home}/projects/config";
+ };
 };
 };
 };
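Review bot: `signByDefault = mkIf gpg.enable true` gates signing on the GPG module, but `signing.key = cfg.signingKey` in the same block is still set unconditionally, so a host with GPG disabled ends up with a signing key configured that it cannot use; gating the whole block is clearer and keeps the two in step: `signing = mkIf gpg.enable { key = cfg.signingKey; signByDefault = true; };`. The `gpg` binding added in the first hunk reads `config.wyrdgard.security.gpg`, which presumably only evaluates when the new gpg module is imported alongside this one — worth confirming for hosts that import the git module alone. This module now configures `programs.git` through `wyrdgard.home.extraOptions` while modules/home/tools/git/default.nix also defines `programs.git`; if both are active on one host, the two `safe.directory` strings (`${user.home}` here versus `config.users.users.${user.name}.home` there) must stay identical or the definitions conflict, so one module should probably be the single source of truth for git settings.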