nixos/gnupg: add systemd configuration

[corngood]

This depended on the systemd user configuration provided upstream in doc/examples. However, this was all removed in:

gpg/gnupg@eae28f1

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[corngood]

The use of systemd is deprecated because of additional complexity and the race between systemd based autolaunching and the explicit gnupg based and lockfile protected autolaunching.

I'm not sure this is something we should be worried about, but without this change gpg-agent doesn't start under systemd, and doesn't have pinentry set.

[rnhmjoj]

Yes, there is a race and I think the solution is for gnupg to just stop trying to manage the agent itself and let systemd (or any init system, for that matter) do its job. Unfortunately upstream went the other way.

This PR is a reasonable solution, however they officially dropped systemd and already hinted that --pinentry-program should not be used and may be removed. So, I would save ourselves some future troubles by configuring pinentry-program with /etc/gnupg/gpg.conf and let gnupg start the agent.

[corngood]

That sounds reasonable. I'll set it up that way instead...

…

On 10 May 2023 16:52:12 GMT-03:00, Michele Guerini Rocco ***@***.***> wrote: Yes, there is a race and I think the solution is for gnupg to just stop trying to manage the agent itself and let systemd (or any init system, for that matter) do its job. Unfortunately upstream went the other way. This PR is a reasonable solution, however they officially dropped systemd and already hinted that `--pinentry-program` should not be used and may be removed. So, I would save ourselves some future troubles by configuring `pinentry-program` with /etc/gnupg.conf and let gnupg start the agent. -- Reply to this email directly or view it on GitHub: #231108 (comment) You are receiving this because you authored the thread. Message ID: ***@***.***>

[corngood]

I added a commit to fix the existing reference to nixosTests.gnupg. This test actually caught the problem by getting stuck on pinentry, and now passes.

I also got it passing tests without systemd, but I'm worried the lack of socket activation will cause regressions.

For example, SSH_AUTH_SOCK should allow ssh to start gpg-agent with socket activation, but I'm not sure if this actually works in practice. The test mentions:

          # Note: apparently this must be run before using the OpenSSH agent
          # socket for the first time in a tty. It's not needed for `ssh`
          # because there's a hook that calls it automatically (only in NixOS).
          machine.send_chars("gpg-connect-agent updatestartuptty /bye\n")

[corngood]

I think my recommendation would be to get this change in while we consider the consequences of dropping the systemd units. Then it'll be in the history in case people want to revert to it in the future, and we may even want to support both methods.

[rnhmjoj]

As I already said, I'm ok with keeping the unit files provided pinentry-program is set from /etc/gnupg/gpg.conf, not the command line because that is too brittle.

[corngood]

@rnhmjoj sorry, I misunderstood. I'll make that change.

[corngood]

Updated with:

• moved pinentry-program to /etc/gnupg/gpg-agent.conf
• removed the doc/examples stuff from gnupg

The later is needed for gnupg < 2.4.1, and it's been reverted to 2.4.0 in master. Perhaps this should go in staging?

[rnhmjoj]

Looks good. You can probably remove this line:

    systemd.packages = [ cfg.package ];

as we don't rely on (potential, at this point) upstream units anymore.

[corngood]

@rnhmjoj Good catch, now we can leave:

4bc7ddc

until we upgrade gpg again, which will reduce the number of rebuilds here drastically.

Updated with that change.

[rnhmjoj]

I checked the definitions against the previously supplied units and it seems ok.
The test is passing, so let's not delay the update any longer and merge this now.

[corngood]

I updated #231110 to include merging this into staging, and reverting the 2.4.1 rollback.

I'm not sure if that's the right approach to take, but if so, it's there.