colonelpanic/dotfiles
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(nixos): normalize GPG key imports

Browse Source
This commit is contained in:
Ivan Malison
2026-03-31 16:27:16 -07:00
committed by Kat Huang
parent eb4e3b236a
commit e8f2842805
1 changed files with 34 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
nixos/secrets.nix
View File

@@ -20,12 +20,41 @@
Service = { Service = {
Type = "oneshot"; Type = "oneshot";
RestartSec = 5; RestartSec = 5;
Restart = "onfailure"; Restart = "on-failure";
ExecStart = ExecStart =
let replace = builtins.replaceStrings [ "$XDG_RUNTIME_DIR" ] [ "\${XDG_RUNTIME_DIR}" ]; let
path = replace config.age.secrets.gpg-keys.path; replace = builtins.replaceStrings [ "$XDG_RUNTIME_DIR" ] [ "\${XDG_RUNTIME_DIR}" ];
passphrasePath = replace config.age.secrets.gpg-passphrase.path; path = replace config.age.secrets.gpg-keys.path;
in "${pkgs.gnupg}/bin/gpg --pinentry-mode loopback --passphrase-file ${passphrasePath} --import ${path}"; passphrasePath = replace config.age.secrets.gpg-passphrase.path;
importScript = pkgs.writeShellScript "import-gpg-key" ''
set -eu
normalized_key_file="$(mktemp)"
trap 'rm -f "$normalized_key_file"' EXIT
# Some historical exports omitted the required blank line after the
# armor header. GnuPG imports the keys but exits non-zero, which
# leaves the unit in a failed state.
awk '
pending_blank {
if ($0 != "") {
print ""
}
pending_blank = 0
}
{ print }
/^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ {
pending_blank = 1
}
' ${path} > "$normalized_key_file"
exec ${pkgs.gnupg}/bin/gpg \
--batch \
--pinentry-mode loopback \
--passphrase-file ${passphrasePath} \
--import "$normalized_key_file"
'';
in "${importScript}";
}; };
}; };
}); });