forward gpg and ssh agent

2024-11-21 09:44:10 +01:00 · 2024-11-21 09:44:10 +01:00 · e48c086eb6
commit e48c086eb6
parent 3b6838cb08
2 changed files with 24 additions and 0 deletions
--- a/programs/ssh/home-manager.nix
+++ b/programs/ssh/home-manager.nix
@ -18,6 +18,7 @@
          "build-rainbow-resort"
          "build-aarch64"
          "build-riscv"
+          "rainbow-resort.int.chir.rs"
        ]
        {
          identityFile =
@ -26,6 +27,15 @@
            else
              config.sops.secrets.".ssh/id_ed25519_sk".path;
        };
+    matchBlocks."rainbow-resort.int.chir.rs" = {
+      forwardAgent = true;
+      remoteForwards = [
+        {
+          bind.address = "/%d/.local/state/gnupg/S.gpg-agent";
+          host.address = "/%d/.local/state/gnupg/S.gpg-agent.extra";
+        }
+      ];
+    };
    enable = true;
  };
  sops.secrets = lib.mkIf (config.home.username != "root") {
--- a/services/desktop/gpg/default.nix
+++ b/services/desktop/gpg/default.nix
@ -22,6 +22,7 @@
    enable = true;
    enableSshSupport = true;
    pinentryPackage = pkgs.pinentry-qt;
+    enableExtraSocket = true;
  };
  sops.secrets."pgp/0xB4E3D4801C49EC5E.asc".sopsFile = ./privkey.yaml;
  home.activation.import-gpg-privkey =
@ -36,4 +37,17 @@
          config.sops.secrets."pgp/0xB4E3D4801C49EC5E.asc".path
        }
      '';
+  programs.fish.loginShellInit = "gpgconf --launch gpg-agent";
+  systemd.user.services.link-gnupg-sockets = {
+    Unit = {
+      Description = "link gnupg sockets from /run to /home";
+    };
+    Service = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.coreutils}/bin/ln -Tfs /run/user/%U/gnupg %h/.local/state/gnupg";
+      ExecStop = "${pkgs.coreutils}/bin/rm $HOME/.local/state/gnupg";
+      RemainAfterExit = true;
+    };
+    Install.WantedBy = [ "default.target" ];
+  };
 }