gnupg module: Added extra and browser sockets (#26295)

CMCDragonkai · fpletz · commit 1b6176e45b05 · 2017-06-15T19:40:09.000+02:00
Also added dirmngr and made SSH support false by default
due to programs.ssh.startAgent defaulting to true.
diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
@@ -21,13 +21,37 @@ in
 
     agent.enableSSHSupport = mkOption {
       type = types.bool;
-      default = true;
+      default = false;
       description = ''
         Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK
         environment variable correctly. This will disable socket-activation
         and thus always start a GnuPG agent per user session.
       '';
     };
+
+    agent.enableExtraSocket = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable extra socket for GnuPG agent.
+      '';
+    };
+
+    agent.enableBrowserSocket = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable browser socket for GnuPG agent.
+      '';
+    };
+
+    dirmngr.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enables GnuPG network certificate management daemon with socket-activation for every user session.
+      '';
+    };
   };
 
   config = mkIf cfg.agent.enable {
@@ -38,15 +62,72 @@ in
           ("${pkgs.gnupg}/bin/gpg-agent --supervised "
             + optionalString cfg.agent.enableSSHSupport "--enable-ssh-support")
         ];
+        ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
       };
     };
 
     systemd.user.sockets.gpg-agent = {
       wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent" ];
+      socketConfig = {
+        FileDescriptorName = "std";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
     };
 
     systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
       wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent.ssh" ];
+      socketConfig = {
+        FileDescriptorName = "ssh";
+        Service = "gpg-agent.service";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent.extra" ];
+      socketConfig = {
+        FileDescriptorName = "extra";
+        Service = "gpg-agent.service";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.gpg-agent.browser" ];
+      socketConfig = {
+        FileDescriptorName = "browser";
+        Service = "gpg-agent.service";
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
+    };
+
+    systemd.user.services.dirmngr = {
+      requires = [ "dirmngr.socket" ];
+      after = [ "dirmngr.socket" ];
+      unitConfig = {
+        RefuseManualStart = "true";
+      };
+      serviceConfig = {
+        ExecStart = "${pkgs.gnupg}/bin/dirmngr --supervised";
+        ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload dirmngr";
+      };
+    };
+
+    systemd.user.sockets.dirmngr = {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "%t/gnupg/S.dirmngr" ];
+      socketConfig = {
+        SocketMode = "0600";
+        DirectoryMode = "0700";
+      };
     };
 
     systemd.packages = [ pkgs.gnupg ];
