colonelpanic/dotfiles
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Set up GPG key import on nix-darwin

Browse Source
This commit is contained in:
Kat Huang
2026-04-21 12:17:25 -07:00
committed by Ivan Anthony Malison
parent 06cde76b84
commit ab2f057dd2
1 changed files with 68 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
nix-darwin/home/common.nix
View File

@@ -1,5 +1,6 @@
{ {
config, config,
inputs,
libDir, libDir,
lib, lib,
pkgs, pkgs,
@@ -7,6 +8,53 @@
}: let }: let
dotfilesDir = builtins.dirOf (toString libDir); dotfilesDir = builtins.dirOf (toString libDir);
outOfStore = config.lib.file.mkOutOfStoreSymlink; outOfStore = config.lib.file.mkOutOfStoreSymlink;
replaceRuntimeDir = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];
gpgKeyPath = replaceRuntimeDir config.age.secrets.gpg-keys.path;
gpgPassphrasePath = replaceRuntimeDir config.age.secrets.gpg-passphrase.path;
importGpgKeyScript = pkgs.writeShellScript "import-gpg-key" ''
set -eu
key_path=${gpgKeyPath}
passphrase_path=${gpgPassphrasePath}
attempts=0
while [ "$attempts" -lt 30 ]; do
if [ -r "$key_path" ] && [ -r "$passphrase_path" ]; then
break
fi
attempts=$((attempts + 1))
sleep 1
done
if [ ! -r "$key_path" ] || [ ! -r "$passphrase_path" ]; then
echo "Timed out waiting for agenix GPG secrets" >&2
exit 1
fi
normalized_key_file="$(mktemp)"
trap 'rm -f "$normalized_key_file"' EXIT
# Some historical exports omitted the required blank line after the
# armor header. GnuPG imports the keys but exits non-zero in that case.
awk '
pending_blank {
if ($0 != "") {
print ""
}
pending_blank = 0
}
{ print }
/^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ {
pending_blank = 1
}
' "$key_path" > "$normalized_key_file"
exec ${pkgs.gnupg}/bin/gpg \
--batch \
--pinentry-mode loopback \
--passphrase-file "$passphrase_path" \
--import "$normalized_key_file"
'';
excludedTopLevelEntries = [ excludedTopLevelEntries = [
"agents" "agents"
@@ -40,6 +88,11 @@
in { in {
programs.home-manager.enable = true; programs.home-manager.enable = true;
imports = [inputs.agenix.homeManagerModules.default];
age.identityPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
age.secrets.gpg-keys.file = ../../nixos/secrets/gpg-keys.age;
age.secrets.gpg-passphrase.file = ../../nixos/secrets/gpg-passphrase.age;
home.file = dotfilesLinks; home.file = dotfilesLinks;
home.activation.linkEmacsDotdir = lib.hm.dag.entryAfter ["writeBoundary"] '' home.activation.linkEmacsDotdir = lib.hm.dag.entryAfter ["writeBoundary"] ''
@@ -96,6 +149,21 @@ in {
''; '';
}; };
launchd.agents.import-gpg-key = {
enable = true;
config = {
ProgramArguments = ["${importGpgKeyScript}"];
KeepAlive = {
Crashed = false;
SuccessfulExit = false;
};
ProcessType = "Background";
RunAtLoad = true;
StandardOutPath = "${config.home.homeDirectory}/Library/Logs/import-gpg-key.log";
StandardErrorPath = "${config.home.homeDirectory}/Library/Logs/import-gpg-key.err.log";
};
};
programs.starship = { programs.starship = {
enable = true; enable = true;
}; };