Skip to content

Takeover ssh-agent role by gpg-agent #814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kachick merged 8 commits into from
Oct 3, 2024
Merged

Takeover ssh-agent role by gpg-agent #814

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
3819e4b
Takeover ssh-agent role by gpg-agent
kachick Oct 2, 2024
00f32f8
Disable gnome-keyring with gnupg recomendation
kachick Oct 2, 2024
47d8274
Force disable gnome-keyring
kachick Oct 2, 2024
50c4c46
Merge branch 'main' into gpg-ssh-agent
kachick Oct 3, 2024
2ea56ab
Disable goldwarden ssh-agent integration to prefer gpg-agent
kachick Oct 3, 2024
7fc33cc
Suppress nixf lint error
kachick Oct 3, 2024
3bfa007
Refactor and add defaultCacheTtlSsh in gpg-agent
kachick Oct 3, 2024
a6e7911
Update comments and usage
kachick Oct 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,8 @@ Check [traps](./windows/Multi-booting.md)
```bash
touch ~/.ssh/id_ed25519 && chmod 400 ~/.ssh/id_ed25519
hx ~/.ssh/id_ed25519
echo UPDATESTARTUPTTY | gpg-connect-agent # https://unix.stackexchange.com/a/371910
ssh-add ~/.ssh/id_ed25519
```

1. [Restore encrypted rclone.conf from STDIN](config/rclone.md)
Expand Down
15 changes: 13 additions & 2 deletions home-manager/gpg.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,18 +18,29 @@
# - `gpg --armor --export PUBKEY | clip.exe`
# - How to backup private key?
# - `gpg --export-secret-keys --armor > gpg-private.keys.bak`
let
# All gpg-agent timeouts numbers should be specified with the `seconds`
day = 60 * 60 * 24;
in
{
# https://github.com/nix-community/home-manager/blob/release-24.05/modules/services/gpg-agent.nix
services.gpg-agent = {
enable = pkgs.stdenv.isLinux;

# Update [darwin.nix](darwin.nix) if changed this section
#
# TODO: Reconsider the ttls with recent use
#
# https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session
defaultCacheTtl = 60480000; # 700 days
maxCacheTtl = 60480000; # 700 days
defaultCacheTtl = day * 700;
# https://github.com/openbsd/src/blob/862f3f2587ccb85ac6d8602dd1601a861ae5a3e8/usr.bin/ssh/ssh-agent.1#L167-L173
# ssh-agent sets it as infinite by default. So I can relax here (maybe)
defaultCacheTtlSsh = day * 30;
maxCacheTtl = day * 700;

pinentryPackage = pkgs.pinentry-tty;

enableSshSupport = true;
};

# https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/gpg.nix
Expand Down
5 changes: 3 additions & 2 deletions home-manager/ssh.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, ... }:

let
# SSH files cannot use XDG Base Directory.
Expand All @@ -16,7 +16,8 @@ in
# - id_*.pub: I CAN register them for different services.
{
# https://github.com/nix-community/home-manager/blob/release-24.05/modules/services/ssh-agent.nix
services.ssh-agent.enable = pkgs.stdenv.isLinux;
# Prefer gpg-agent for SSH agent role
services.ssh-agent.enable = false;

# https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/ssh.nix
programs.ssh = {
Expand Down
1 change: 1 addition & 0 deletions nixos/configuration.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,7 @@
programs.goldwarden = {
package = edge-pkgs.goldwarden;
enable = true;
useSshAgent = false;
};

# https://nixos.wiki/wiki/Podman
Expand Down
9 changes: 9 additions & 0 deletions nixos/desktop/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,15 @@
gnome-music # does not support flac by defaults
]);

# Recommended to be uninstalled by gnupg.
# https://wiki.gnupg.org/GnomeKeyring
#
# And enabling this makes $SSH_AUTH_SOCK overriding even through enabled gpg-agent in home-manager
# https://github.com/NixOS/nixpkgs/issues/101616
#
# Using mkforce for https://discourse.nixos.org/t/gpg-smartcard-for-ssh/33689/3
services.gnome.gnome-keyring.enable = lib.mkForce false;

# Enable touchpad support (enabled default in most desktopManager).
services.libinput = {
enable = true;
Expand Down