1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
(define-module (tw services gnupg)
#:use-module (gnu)
#:use-module (gnu home services)
#:use-module (gnu home services shepherd)
#:use-module (gnu packages gnupg)
#:use-module ((gnu packages image-viewers)
#:select (imv))
#:use-module (gnu services configuration)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module ((guix records) #:select (match-record))
#:export (home-gnupg-configuration
home-gnupg-service-type))
(define-configuration/no-serialization home-gnupg-configuration
(default-key string "The user's own key. Always encrypt to this key, and
use it by default.")
(gui-pinentry? boolean "Use pinentry-rofi if true, else pinentry-tty.")
(keyserver (string "hkps://keys.openpgp.org") "The default keyserver to use.")
(gnupg (package gnupg) "The GnuPG package to use.")
(image-viewer (file-like (file-append imv "/bin/imv")) "A gexp returning a
string, specifying the command to call in order to view images.")
(gnupghome (string "$XDG_DATA_HOME/gnupg") "The value of $GNUPGHOME in the
environment."))
(define (gnupg-xdg config)
`(("GNUPGHOME" . ,(home-gnupg-configuration-gnupghome config))))
(define (gnupg-files config)
(match-record config <home-gnupg-configuration>
(default-key gui-pinentry? keyserver image-viewer)
`(;; GnuPG config files must be in ~/.local/share/gnupg, not ~/.config,
;; so we can't use `home-xdg-configuration-files-service-type'.
(".local/share/gnupg/dirmngr.conf"
,(mixed-text-file "dirmngr.conf"
"keyserver " keyserver "\n"))
(".local/share/gnupg/gpg.conf"
,(mixed-text-file "gpg.conf" "\
# This options file can contain any long options to GnuPG.
# See the gpg man page for a list of options.
# Comments can only be at the start of a line, not after options.
default-key " default-key "
default-recipient-self
use-agent
# Get rid of the copyright notice.
no-greeting
# Always encrypt to my key as well, in addition to any recipient.
encrypt-to " default-key "
auto-key-import
auto-key-retrieve
photo-viewer \"" image-viewer " %i\"
# Because some mailers change lines starting with 'From ' to '>From '
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.
# To enable full OpenPGP compliance you may want to use this option.
#no-escape-from-lines
"))
(".local/share/gnupg/gpg-agent.conf"
,(mixed-text-file "gpg-agent.conf" "\
pinentry-program " (if gui-pinentry?
(file-append pinentry-rofi "/bin/pinentry-rofi")
(file-append pinentry-tty "/bin/pinentry-tty")) "
# Keep passphrase cached for longer, so that mcron jobs (e.g. restic,
# vdirsyncer) can access the password store. Vdirsyncer should run every half
# hour to extend the default-cache-ttl.
default-cache-ttl 2100 # 35 min
max-cache-ttl 43200 # 12 h
# Needed if spawning lots of parallel gpg --decrypt processes. https://dev.gnupg.org/T3530
auto-expand-secmem
")))))
(define (gnupg-shepherd config)
(match-record config <home-gnupg-configuration> (gnupg)
(list (shepherd-service
(documentation "GPG agent; caches key passwords.")
(provision '(gpg-agent))
(start #~(lambda _
(invoke #$(file-append gnupg "/bin/gpg-agent")
"--daemon" "--no-detach")))
(stop #~(lambda _
(invoke #$(file-append gnupg "/bin/gpg-connect-agent")
"killagent" "/bye")))))))
(define home-gnupg-service-type
(service-type
(name 'gnupg)
(extensions
(list (service-extension home-shepherd-service-type gnupg-shepherd)
(service-extension home-files-service-type gnupg-files)
(service-extension home-environment-variables-service-type gnupg-xdg)))
(description
"Install GnuPG configuration files and run the agent.")))
|