Use local gpg-agent on VM

2 files changed, 33 insertions, 36 deletions

diff --git a/nix/README.md b/nix/README.md
index 2bf3383..4a27ae1 100644
--- a/nix/README.md
+++ b/nix/README.md
@@ -87,49 +87,31 @@ If a project needs a newer build toolchain, drop a `flake.nix` +
 `.envrc` in that project tree (direnv + nix-direnv is already wired
 up). Don't add it to `common.nix`/`host.nix`/`vm.nix`.
 
-## Commit signing on the VM (SSH-format, no GPG secrets)
+## Commit signing and SSH auth on the VM (GPG)
 
-GPG private keys never leave the host. Commits on the VM are signed
-with the **forwarded SSH agent** in SSH-signature format, using the
-authentication subkey gpg-agent already exposes via `ssh-add -L`.
+The VM uses its own local `gpg-agent`, like the host. Import the work
+GPG private key manually on the VM; do not use SSH agent forwarding for
+commit signing or SSH auth.
 
 One-time setup on the VM:
 
 ```sh
-mkdir -p ~/.config/git
-
-# allowed_signers: maps your committer email to the SSH pubkey of the
-# auth subkey. Adjust the grep if you have multiple keys.
-printf '%s %s\n' \
-  "$(git config user.email)" \
-  "$(ssh-add -L | head -n1)" \
-  > ~/.config/git/allowed_signers
-
-# Machine-local git override (NOT tracked in dotfiles).
-cat > ~/.config/git/config.local <<EOF
-[gpg]
-    format = ssh
-[gpg "ssh"]
-    allowedSignersFile = ~/.config/git/allowed_signers
-[user]
-    signingkey = $(ssh-add -L | head -n1 | awk '{print $1" "$2}')
-EOF
+rm -f ~/.ssh/agent.sock ~/.config/git/allowed_signers
+gpg --import /path/to/work-private-key.asc
+gpg --edit-key 3298945F717C85F8 trust quit
+gpg --list-secret-keys --with-keygrip 3298945F717C85F8
 ```
 
-The tracked `dot_config/git/config` ends with `[include] path =
-~/.config/git/config.local`, so the override is picked up
-automatically (and silently ignored on machines that don't have it).
-
-Required on the **host's** `~/.ssh/config` for the VM `Host` block:
-
-```
-ForwardAgent yes
-```
+Add the authentication subkey keygrip to `~/.gnupg/sshcontrol`. The
+tracked git config already uses normal OpenPGP signing, so no
+`~/.config/git/config.local` override is needed for SSH-format signing.
+If `~/.config/git/config.local` only contains the old SSH-format
+signing override, remove it too.
 
-Verify on the VM after SSH-ing in:
+Verify on the VM:
 
 ```sh
-ssh-add -L                 # should list your auth pubkey(s)
+ssh-add -L
 git commit --allow-empty -m test
 git log --show-signature -1
 ```
@@ -137,9 +119,10 @@ git log --show-signature -1
 ## Caveats
 
 - **GPG / pass**: HM installs `gnupg` and `pass` but does _not_ import
-  any private key. On the VM, use SSH-format signing via the forwarded
-  agent instead (see above). On the host, smartcard access via
-  `pcscd` is configured in `host.nix` (`~/.gnupg/scdaemon.conf`).
+  any private key. On the VM, import the work key manually and add the
+  authentication subkey keygrip to `~/.gnupg/sshcontrol`. On the host,
+  smartcard access via `pcscd` is configured in `host.nix`
+  (`~/.gnupg/scdaemon.conf`).
 - **Disk usage**: Nix store + nvim plugins consumes ~3-5 GB. Check
   partition size first on the VM.
 - **Network for first nvim launch**: `vim.pack.add` fetches plugins
diff --git a/nix/vm.nix b/nix/vm.nix
index fe3cdcb..44b5b5f 100644
--- a/nix/vm.nix
+++ b/nix/vm.nix
@@ -8,6 +8,11 @@
 let
   dotfiles = "${builtins.getEnv "HOME"}/.local/share/dotfiles";
   link = path: config.lib.file.mkOutOfStoreSymlink "${dotfiles}/${path}";
+  vmGpgAgentConf = pkgs.writeText "gpg-agent.conf" ''
+    enable-ssh-support
+    pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
+    allow-loopback-pinentry
+  '';
 in
 {
   imports = [ ./common.nix ];
@@ -125,6 +130,15 @@ in
       "${dotfiles}/private_dot_ssh/config" "$HOME/.ssh/config"
   '';
 
+  # GnuPG needs strict file modes and a VM-local pinentry path. Private
+  # keys and sshcontrol stay machine-local; import/add the work key manually.
+  home.activation.gnupgConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+    run install -d -m 700 "$HOME/.gnupg"
+    run install -m 600 \
+      "${dotfiles}/private_dot_gnupg/gpg.conf" "$HOME/.gnupg/gpg.conf"
+    run install -m 600 "${vmGpgAgentConf}" "$HOME/.gnupg/gpg-agent.conf"
+  '';
+
   # ZDOTDIR redirect so login shells find ~/.config/zsh/.zprofile etc.
   # Also source HM's session-vars — HM normally drops these into
   # ~/.profile, but zsh login shells don't read .profile, and we don't