-rw-r--r--nix/README.md11
-rw-r--r--nix/common.nix1
-rw-r--r--nix/vm.nix23
-rw-r--r--private_dot_gnupg/gpg-agent.conf2
4 files changed, 20 insertions, 17 deletions
diff --git a/nix/README.md b/nix/README.md
index 4a27ae1..26699d0 100644
--- a/nix/README.md
+++ b/nix/README.md
@@ -102,8 +102,9 @@ gpg --edit-key 3298945F717C85F8 trust quit
gpg --list-secret-keys --with-keygrip 3298945F717C85F8
```
-Add the authentication subkey keygrip to `~/.gnupg/sshcontrol`. The
-tracked git config already uses normal OpenPGP signing, so no
+The VM profile symlinks the repo-owned `gpg.conf`, `gpg-agent.conf`,
+and `sshcontrol` into `~/.gnupg`. The tracked git config already uses
+normal OpenPGP signing, so no
`~/.config/git/config.local` override is needed for SSH-format signing.
If `~/.config/git/config.local` only contains the old SSH-format
signing override, remove it too.
@@ -119,9 +120,9 @@ git log --show-signature -1
## Caveats
- **GPG / pass**: HM installs `gnupg` and `pass` but does _not_ import
- any private key. On the VM, import the work key manually and add the
- authentication subkey keygrip to `~/.gnupg/sshcontrol`. On the host,
- smartcard access via `pcscd` is configured in `host.nix`
+ any private key. On the VM, import the work key manually; repo-owned
+ `gpg.conf`, `gpg-agent.conf`, and `sshcontrol` are symlinked by
+ `vm.nix`. On the host, smartcard access via `pcscd` is configured in `host.nix`
(`~/.gnupg/scdaemon.conf`).
- **Disk usage**: Nix store + nvim plugins consumes ~3-5 GB. Check
partition size first on the VM.
diff --git a/nix/common.nix b/nix/common.nix
index c1cf551..f9a7042 100644
--- a/nix/common.nix
+++ b/nix/common.nix
@@ -126,6 +126,7 @@
# Secrets — `pass-otp` is wired as an extension so `pass otp ...`
# works against the same store. `pass` from pacman is removed.
gnupg
+ pinentry-curses
(pass.withExtensions (exts: [ exts.pass-otp ]))
# C/C++ source tooling (no compiler driver in PATH).
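Review bot: `pinentry-curses` is added to the package list with no comment, yet the reason it must be in the HM profile is the absolute `~/.nix-profile/bin/pinentry-curses` path that `private_dot_gnupg/gpg-agent.conf` now names in this commit's last hunk, so the coupling is invisible from this file. Add a one-line comment above it, e.g. `# pinentry-curses: gpg-agent.conf points pinentry-program at ~/.nix-profile/bin, so it must live in this profile.`. A machine that applies the tracked gpg-agent.conf without this package would leave gpg-agent with no working pinentry. The enclosing package list starts and ends outside the hunk.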
diff --git a/nix/vm.nix b/nix/vm.nix
index 44b5b5f..4465732 100644
--- a/nix/vm.nix
+++ b/nix/vm.nix
@@ -8,11 +8,6 @@
let
dotfiles = "${builtins.getEnv "HOME"}/.local/share/dotfiles";
link = path: config.lib.file.mkOutOfStoreSymlink "${dotfiles}/${path}";
- vmGpgAgentConf = pkgs.writeText "gpg-agent.conf" ''
- enable-ssh-support
- pinentry-program ${pkgs.pinentry-curses}/bin/pinentry-curses
- allow-loopback-pinentry
- '';
in
{
imports = [ ./common.nix ];
@@ -120,6 +115,14 @@ in
home.file.".claude/skills/tuicr/tuicr-wrapper.sh".source =
link "dot_claude/skills/tuicr/executable_tuicr-wrapper.sh";
+ # GnuPG config is repo-owned like on the host. Private key material stays in
+ # ~/.gnupg/private-keys-v1.d and is never tracked.
+ home.file.".gnupg/gpg.conf".source = link "private_dot_gnupg/gpg.conf";
+ home.file.".gnupg/gpg-agent.conf".source =
+ link "private_dot_gnupg/gpg-agent.conf";
+ home.file.".gnupg/sshcontrol".source =
+ link "private_dot_gnupg/sshcontrol";
+
# ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts
# stay machine-local. We can't symlink via home.file because
# mkOutOfStoreSymlink exposes the working-tree perms (0664 under a
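Review bot: The three `home.file` symlinks at the top of this hunk hand GnuPG files whose mode is whatever the dotfiles checkout has, and the comment a few lines below in the same hunk already records that mkOutOfStoreSymlink exposes working-tree perms (0664 in the case it describes). GnuPG stats the symlink target of `gpg.conf` and `gpg-agent.conf` and warns about group- or world-writable configuration files (and, I believe, ignores an unsafe `gpg.conf`), so the `install -m 600` step this commit removes in the `@@ -130,13 +133,11 @@` hunk was enforcing writability, not only secrecy, and the new comment there ("contain no secrets") does not cover that. Either keep a copy-with-mode step for the two config files, or pin the checkout modes and say so, e.g. `# GnuPG rejects group/world-writable config: these link targets must stay 0644 in the checkout.`. Also worth a line in the comment: gpg-agent appends keygrips to `sshcontrol` on `ssh-add`, so with this symlink those writes land in the dotfiles working tree. The enclosing attrset continues outside the hunk.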
@@ -130,13 +133,11 @@ in
"${dotfiles}/private_dot_ssh/config" "$HOME/.ssh/config"
'';
- # GnuPG needs strict file modes and a VM-local pinentry path. Private
- # keys and sshcontrol stay machine-local; import/add the work key manually.
- home.activation.gnupgConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+ # GnuPG cares about the homedir mode; the linked config files themselves
+ # contain no secrets and are repo-owned.
+ home.activation.gnupgDirectory = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
run install -d -m 700 "$HOME/.gnupg"
- run install -m 600 \
- "${dotfiles}/private_dot_gnupg/gpg.conf" "$HOME/.gnupg/gpg.conf"
- run install -m 600 "${vmGpgAgentConf}" "$HOME/.gnupg/gpg-agent.conf"
+ run chmod 700 "$HOME/.gnupg"
'';
# ZDOTDIR redirect so login shells find ~/.config/zsh/.zprofile etc.
diff --git a/private_dot_gnupg/gpg-agent.conf b/private_dot_gnupg/gpg-agent.conf
index 6c27318..46879fd 100644
--- a/private_dot_gnupg/gpg-agent.conf
+++ b/private_dot_gnupg/gpg-agent.conf
@@ -1,3 +1,3 @@
enable-ssh-support
-pinentry-program /usr/bin/pinentry-curses
+pinentry-program /home/sommerfeld/.nix-profile/bin/pinentry-curses
allow-loopback-pinentry
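Review bot: The new `pinentry-program` line hard-codes both a username and the HM profile location in a file this commit now shares between host and VM, unlike the previous `/usr/bin` path. I don't believe gpg-agent expands `~` or `$HOME` in `pinentry-program`, so an absolute path is probably unavoidable in a tracked file, but that deserves a comment so the next reader does not "fix" it, e.g. `# Absolute path on purpose: gpg-agent does not expand ~; pinentry-curses comes from the HM profile (nix/common.nix).`.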