| author | 2026-06-19 16:54:19 +0100 | |
|---|---|---|
| committer | 2026-06-19 16:54:19 +0100 | |
| commit | 259a3b989513f47f6cc5d36eaaf9e5fbef9b4d9a (patch) | |
| tree | 29238de59acaf7804aa2fe4b78c1f2db71f4f365 /nix | |
| parent | 6d151559a199dd54caa3880e699fce80020530cf (diff) | |
| download | dotfiles-259a3b989513f47f6cc5d36eaaf9e5fbef9b4d9a.tar.gz dotfiles-259a3b989513f47f6cc5d36eaaf9e5fbef9b4d9a.tar.bz2 dotfiles-259a3b989513f47f6cc5d36eaaf9e5fbef9b4d9a.zip | |
Mirror GnuPG config on VM
Diffstat (limited to 'nix')
| -rw-r--r-- | nix/README.md | 11 | ||||
| -rw-r--r-- | nix/common.nix | 1 | ||||
| -rw-r--r-- | nix/vm.nix | 23 |
3 files changed, 19 insertions, 16 deletions
diff --git a/nix/README.md b/nix/README.md index 4a27ae1..26699d0 100644 --- a/nix/README.md +++ b/nix/README.md @@ -102,8 +102,9 @@ gpg --edit-key 3298945F717C85F8 trust quit gpg --list-secret-keys --with-keygrip 3298945F717C85F8 ``` -Add the authentication subkey keygrip to `~/.gnupg/sshcontrol`. The -tracked git config already uses normal OpenPGP signing, so no +The VM profile symlinks the repo-owned `gpg.conf`, `gpg-agent.conf`, +and `sshcontrol` into `~/.gnupg`. The tracked git config already uses +normal OpenPGP signing, so no `~/.config/git/config.local` override is needed for SSH-format signing. If `~/.config/git/config.local` only contains the old SSH-format signing override, remove it too. @@ -119,9 +120,9 @@ git log --show-signature -1 ## Caveats - **GPG / pass**: HM installs `gnupg` and `pass` but does _not_ import - any private key. On the VM, import the work key manually and add the - authentication subkey keygrip to `~/.gnupg/sshcontrol`. On the host, - smartcard access via `pcscd` is configured in `host.nix` + any private key. On the VM, import the work key manually; repo-owned + `gpg.conf`, `gpg-agent.conf`, and `sshcontrol` are symlinked by + `vm.nix`. On the host, smartcard access via `pcscd` is configured in `host.nix` (`~/.gnupg/scdaemon.conf`). - **Disk usage**: Nix store + nvim plugins consumes ~3-5 GB. Check partition size first on the VM. diff --git a/nix/common.nix b/nix/common.nix index c1cf551..f9a7042 100644 --- a/nix/common.nix +++ b/nix/common.nix @@ -126,6 +126,7 @@ # Secrets — `pass-otp` is wired as an extension so `pass otp ...` # works against the same store. `pass` from pacman is removed. gnupg + pinentry-curses (pass.withExtensions (exts: [ exts.pass-otp ])) # C/C++ source tooling (no compiler driver in PATH). 
@@ -8,11 +8,6 @@ let dotfiles = "${builtins.getEnv "HOME"}/.local/share/dotfiles"; link = path: config.lib.file.mkOutOfStoreSymlink "${dotfiles}/${path}"; - vmGpgAgentConf = pkgs.writeText "gpg-agent.conf" '' - enable-ssh-support - pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses - allow-loopback-pinentry - ''; in { imports = [ ./common.nix ]; @@ -120,6 +115,14 @@ in home.file.".claude/skills/tuicr/tuicr-wrapper.sh".source = link "dot_claude/skills/tuicr/executable_tuicr-wrapper.sh"; + # GnuPG config is repo-owned like on the host. Private key material stays in + # ~/.gnupg/private-keys-v1.d and is never tracked. + home.file.".gnupg/gpg.conf".source = link "private_dot_gnupg/gpg.conf"; + home.file.".gnupg/gpg-agent.conf".source = + link "private_dot_gnupg/gpg-agent.conf"; + home.file.".gnupg/sshcontrol".source = + link "private_dot_gnupg/sshcontrol"; + # ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts # stay machine-local. We can't symlink via home.file because # mkOutOfStoreSymlink exposes the working-tree perms (0664 under a @@ -130,13 +133,11 @@ in "${dotfiles}/private_dot_ssh/config" "$HOME/.ssh/config" ''; - # GnuPG needs strict file modes and a VM-local pinentry path. Private - # keys and sshcontrol stay machine-local; import/add the work key manually. - home.activation.gnupgConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] '' + # GnuPG cares about the homedir mode; the linked config files themselves + # contain no secrets and are repo-owned. + home.activation.gnupgDirectory = lib.hm.dag.entryAfter [ "writeBoundary" ] '' run install -d -m 700 "$HOME/.gnupg" - run install -m 600 \ - "${dotfiles}/private_dot_gnupg/gpg.conf" "$HOME/.gnupg/gpg.conf" - run install -m 600 "${vmGpgAgentConf}" "$HOME/.gnupg/gpg-agent.conf" + run chmod 700 "$HOME/.gnupg" ''; # ZDOTDIR redirect so login shells find ~/.config/zsh/.zprofile etc. |
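Review bot: The third hunk drops the `install -m 600` copies in favour of `mkOutOfStoreSymlink` links (second hunk), but this file's own `~/.ssh/config` comment notes that such links expose the working-tree perms (0664), and gpg checks `gpg.conf`'s mode and warns about "unsafe permissions on configuration file" when it is group- or other-writable; the new comment about the files containing no secrets covers confidentiality but not that check, which is what the removed comment ("GnuPG needs strict file modes") was about. Consider either reusing the `run install -m 600 …` pattern already used for `~/.ssh/config` for these three files, or documenting the trade-off next to the links, e.g. `# NOTE: mkOutOfStoreSymlink exposes working-tree perms (see ~/.ssh/config below); gpg warns if gpg.conf is group/other-writable — TODO confirm the checkout's umask on the VM`. The removed `vmGpgAgentConf` also pinned `pinentry-program` to the `${pkgs.pinentry-curses}` store path and set `allow-loopback-pinentry`; a static repo-owned `gpg-agent.conf` cannot carry a store path, so presumably it now relies on a PATH lookup (hence `pinentry-curses` added to `common.nix`) — worth confirming that file still sets both options, since it is not visible in this commit. Finally, `sshcontrol` is the file gpg-agent appends to on `ssh-add`, so with the symlink those writes land in the dotfiles working tree; if that is intended, a one-line comment on the `home.file.".gnupg/sshcontrol"` link would save the next reader the surprise.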
