From 9bf9e7ac5c60ba442f4f0dbc3fea27c09a999ab3 Mon Sep 17 00:00:00 2001
From: Gleb Peregud
Date: Sun, 11 Mar 2018 22:46:41 +0100
Subject: [PATCH] gpg-agent: add `enableExtraSocket` and `verbose` options.

This option enables a GPG Agent restricted socket (aka "extra-socket"), which can be used to forward GPG Agent over SSH. Additionally `verbose` option enables verbose output of an `gpg-agent.service` unit for easier debugging.
See: https://wiki.gnupg.org/AgentForwarding
---
 modules/services/gpg-agent.nix | 41 +++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/modules/services/gpg-agent.nix b/modules/services/gpg-agent.nix
index ea96312f3..aa2ecdb7e 100644
--- a/modules/services/gpg-agent.nix
+++ b/modules/services/gpg-agent.nix
@@ -48,6 +48,23 @@ in
 '';
 };
+ enableExtraSocket = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable extra socket of the GnuPG key agent (useful for GPG
+ Agent forwarding).
+ '';
+ };
+
+ verbose = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to produce verbose output.
+ '';
+ };
+
 grabKeyboardAndMouse = mkOption {
 type = types.bool;
 default = true;
@@ -115,7 +132,8 @@ in
 };
 Service = {
- ExecStart = "${pkgs.gnupg}/bin/gpg-agent --supervised";
+ ExecStart = "${pkgs.gnupg}/bin/gpg-agent --supervised"
+ + optionalString cfg.verbose " --verbose";
 ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
 };
 };
@@ -159,5 +177,26 @@ in
 };
 };
 })
+
+ (mkIf cfg.enableExtraSocket {
+ systemd.user.sockets.gpg-agent-extra = {
+ Unit = {
+ Description = "GnuPG cryptographic agent and passphrase cache (restricted)";
+ Documentation = "man:gpg-agent(1) man:ssh(1)";
+ };
+
+ Socket = {
+ ListenStream = "%t/gnupg/S.gpg-agent.extra";
+ FileDescriptorName = "extra";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
+
+ Install = {
+ WantedBy = [ "sockets.target" ];
+ };
+ };
+ })
 ]);
 }
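Review bot: The `enableExtraSocket` description never says that this is the restricted socket, which is the property the commit message leads with and the only reason to prefer it over the main socket for forwarding; a reader of the option alone cannot tell the two apart. Suggest `Whether to enable the restricted "extra" socket of the GnuPG key agent, the one intended to be forwarded over SSH (see https://wiki.gnupg.org/AgentForwarding).` The `verbose` description is similarly bare; `Whether to pass --verbose to gpg-agent in gpg-agent.service, for debugging.` tells the user what the switch actually changes. The enclosing options attrset opens and closes outside the hunk.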
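Review bot: `mkIf cfg.enableExtraSocket` is gated on the extra-socket option alone, so unless the enclosing mkMerge list is itself wrapped in `mkIf cfg.enable` (its opening is outside the hunk, so I cannot confirm), the socket unit can be installed pointing at a `gpg-agent.service` that is never defined; `mkIf (cfg.enable && cfg.enableExtraSocket)` makes the dependency explicit either way. `FileDescriptorName = "extra"` also deserves a comment, because as far as I recall it is the fd name under `--supervised` that makes gpg-agent apply its restricted-client policy to this socket, so a rename would silently drop the restriction while the unit's Description still says "(restricted)": `# "extra" is the fd name gpg-agent --supervised maps to the restricted socket; do not rename.` The 0600/0700 modes are the right choice for a socket that will be exposed to a forwarded peer.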