gpg-agent: add enableExtraSocket and verbose options.

This option enables a GPG Agent restricted socket (aka "extra-socket"), which
can be used to forward GPG Agent over SSH.

Additionally, the `verbose` option enables verbose output of the `gpg-agent.service`
unit for easier debugging.

See: https://wiki.gnupg.org/AgentForwarding
Gleb Peregud 2018-03-11 22:46:41 +01:00
parent fa7d63d9d1
commit 033c27bc37


@ -48,6 +48,23 @@ in
'';
};
enableExtraSocket = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable extra socket of the GnuPG key agent (useful for GPG
Agent forwarding).
'';
};
verbose = mkOption {
type = types.bool;
default = false;
description = ''
Whether to produce verbose output.
'';
};
grabKeyboardAndMouse = mkOption {
type = types.bool;
default = true;
@ -115,7 +132,8 @@ in
};
Service = {
ExecStart = "${pkgs.gnupg}/bin/gpg-agent --supervised";
ExecStart = "${pkgs.gnupg}/bin/gpg-agent --supervised"
+ optionalString cfg.verbose " --verbose";
ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
};
};
@ -159,5 +177,26 @@ in
};
};
})
(mkIf cfg.enableExtraSocket {
systemd.user.sockets.gpg-agent-extra = {
Unit = {
Description = "GnuPG cryptographic agent and passphrase cache (restricted)";
Documentation = "man:gpg-agent(1) man:ssh(1)";
};
Socket = {
ListenStream = "%t/gnupg/S.gpg-agent.extra";
FileDescriptorName = "extra";
Service = "gpg-agent.service";
SocketMode = "0600";
DirectoryMode = "0700";
};
Install = {
WantedBy = [ "sockets.target" ];
};
};
})
]);
}
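Review bot: The `enableExtraSocket` description in the first hunk only says the socket is "useful for GPG Agent forwarding"; it should tell the user what the socket is, where it is created and what exposure forwarding implies, since that is exactly what they need to write the `ssh -R` forward and to judge whether to turn it on. I would replace the description with something like `Whether to enable the restricted "extra" socket of the GnuPG key agent, created at $XDG_RUNTIME_DIR/gnupg/S.gpg-agent.extra. It exposes a reduced command set and is meant for forwarding the agent to a remote host over SSH (see https://wiki.gnupg.org/AgentForwarding); bear in mind that anyone who can reach the forwarded socket on the remote side can use your keys for signing and decryption while the forward is up.` The socket unit added in the last hunk (0600 socket, 0700 directory, `FileDescriptorName = "extra"`) matches the shape of the upstream example as far as is visible here; it does rely on the main `gpg-agent.socket` unit also being active for the `--supervised` agent, which is defined outside this hunk. The `verbose` description could likewise say where the output lands, e.g. `Whether to pass --verbose to gpg-agent; the extra output goes to the user journal of gpg-agent.service.` The enclosing `options`/`config` attribute sets start and end outside the hunks.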