first attempt at setting up yubikey and commit signing using it (secondary key)

2024-06-05 23:14:18 +02:00 · 2024-06-05 23:14:18 +02:00 · bd949ce723
commit bd949ce723
parent cdd702a656
5 changed files with 46 additions and 13 deletions
--- a/modules/nixos/graphical-interface/desktop-manager/hyprland/default.nix
+++ b/modules/nixos/graphical-interface/desktop-manager/hyprland/default.nix
@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.wyrdgard;
+let
+  cfg = config.wyrdgard.graphical-interface.desktop-manager.hyprland;
+in
+{
+  options.wyrdgard.graphical-interface.desktop-manager.hyprland = with types; {
+    enable = mkEnableOption "Whether to enable hyprland";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ polkit xdg-desktop-portal-hyprland dconf ];
+
+    services.xserver = enabled;
+
+    programs.hyprland = {
+      enable = true;
+      xwayland.enable = true;
+    };
+  };
+}
--- a/modules/nixos/security/gpg/default.nix
+++ b/modules/nixos/security/gpg/default.nix
@ -19,6 +19,10 @@ let
    max-cache-ttl 120
    pinentry-program ${pkgs.pinentry-qt}/bin/pinentry-qt
  '';
+
+    reload-yubikey = pkgs.writeShellScriptBin "reload-yubikey" ''
+    ${pkgs.gnupg}/bin/gpg-connect-agent "scd serialno" "learn --force" /bye
+  '';
 in
 {
  options.wyrdgard.security.gpg = with types; {
@ -27,11 +31,19 @@ in
  };

  config = mkIf cfg.enable {
+    services.pcscd.enable = true;
+    services.udev.packages = with pkgs; [ yubikey-personalization ];
+
    environment.systemPackages = with pkgs; [
+      cryptsetup
      paperkey
      gnupg
      pinentry-curses
      pinentry-qt
+
+      yubikey-manager
+      yubikey-manager-qt
+      reload-yubikey
    ];

    programs = {
@ -50,6 +62,8 @@ in

        ".gnupg/gpg.conf".source = gpgConf;
        ".gnupg/gpg-agent.conf".text = gpgAgentConf;
+        ".gnupg/scdeamon.conf".text = "disable-ccid";
+        # YUBIKEYCERTIFYPASSWORD
      };
    };
  };
--- a/modules/nixos/tools/git/default.nix
+++ b/modules/nixos/tools/git/default.nix
@ -17,8 +17,7 @@ in
    userName = mkOpt types.str user.fullName "The name to use git with";
    userEmail = mkOpt types.str user.email "The email to use git with";
    signingKey =
-      mkOpt types.str "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4iH29edivUi+k94apb6pasWq8qphfhYo0d6B2GhISf"
-        "The key ID to sign commits with.";
+      mkOpt types.str "6995A5FF33791B7B" "The key ID to sign commits with.";
  };

  config = mkIf cfg.enable {
@ -34,7 +33,7 @@ in
        lfs.enable = true;
        signing = {
          key = cfg.signingKey;
-          signByDefault = mkIf _1password.enable true;
+          signByDefault = mkIf gpg.enable true;
        };
        extraConfig = {
          init = {
@ -49,10 +48,6 @@ in
          safe = {
            directory = "${config.users.users.${user.name}.home}/projects/config";
          };
-          gpg = {
-            format = "ssh";
-            "ssh".program = "${pkgs._1password-gui}/bin/op-ssh-sign";
-          };
        };
      };
    };