From 3c1619c5988de22bb6fcd0854e2d0de0082ba069 Mon Sep 17 00:00:00 2001
From: Ivan Malison
Date: Tue, 22 Aug 2023 19:14:08 -0600
Subject: [PATCH] [NixOS] Provide passphrase when importing gpg key

---
 nixos/secrets.nix | 4 ++-
 nixos/secrets/gpg-passphrase.age | 44 ++++++++++++++++++++++++++++++++
 nixos/secrets/secrets.nix | 1 +
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 nixos/secrets/gpg-passphrase.age

diff --git a/nixos/secrets.nix b/nixos/secrets.nix
index 3d47525e..31238340 100644
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -6,6 +6,7 @@
 inputs.agenix.packages."${pkgs.system}".default
 ];
 age.secrets.gpg-keys.file = ./secrets/gpg-keys.age;
+ age.secrets.gpg-passphrase.file = ./secrets/gpg-passphrase.age;
 
 systemd.user.services.import-gpg-key = {
 Unit = {
@@ -23,7 +24,8 @@
 Restart = "onfailure";
 ExecStart = let
 path = config.age.secrets.gpg-keys.path;
- in "${pkgs.gnupg}/bin/gpg --batch --import ${path}";
+ passphrasePath = config.age.secrets.gpg-passphrase.path;
+ in "${pkgs.gnupg}/bin/gpg --pinentry-mode loopback --passphrase-file ${passphrasePath} --import ${path}";
 };
 };
 });
diff --git a/nixos/secrets/gpg-passphrase.age b/nixos/secrets/gpg-passphrase.age
new file mode 100644
index 00000000..a7a02666
--- /dev/null
+++ b/nixos/secrets/gpg-passphrase.age 
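Review bot: The rewritten ExecStart in the second hunk drops `--batch`, but gpg only honours `--passphrase-file` (together with `--pinentry-mode loopback`) when `--batch` is also given; without it the import can still try to open a pinentry, which a user service with no TTY cannot satisfy, so the unit would fail instead of using the decrypted passphrase. Keep the flag: `in "${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --passphrase-file ${passphrasePath} --import ${path}";`. Reading the passphrase from the agenix path rather than passing it as an argument is the right choice, since it keeps the secret out of the process's argv and out of `ps` output. The service definition this hunk edits begins in the first hunk; unrelated to this commit, the context line `Restart = "onfailure";` above the change is not a valid systemd value (the option spelling is `on-failure`), so the restart-on-failure behaviour the unit appears to want is not in effect.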
@@ -0,0 +1,44 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZgrTqA Crvk4lZGqUPHWFVHoMHL6wTXLqgOwfYWcQRI1GR8fCo +95KzRsEvEgK7KoBGB9V0XEHoMat3x+C5mU/HoaQmOBQ +-> ssh-ed25519 ZaBdSg TuQ9k+CyR2Fog+BxOmqP+hvqw63qzTkJTu0H2sBVZD0 +HeLbVIYN3gCKq1K212cAKqmdxwvRxl2kssRtoIKe8u0 +-> ssh-ed25519 MHZylw i91Etee30Plo+zKWe41RsPITr0yRsw3GmX9UTFgIB1w +QFf3/DS2/5AiyiXC9oiighxzdP/qsAN4A+JOo3CPPxc +-> ssh-rsa gwJx0Q +xLrGVWlIyyfj92zF2hthtntxY8mBFuPvb/rJyI2DJ3brG7gFIr8w5k4yZyicT/X2 +nbucLPwAbQ4SQUs0cadHcA4JI+2C3VUudMqAXMyC1Fkv/ql13DLuy9bPucgDHUU8 +nc8FDJ6iPxypnD7IgTSw+BcNlKcskOoL0zDxVyXcsq2js3W/9fc2P5D6lCZ1ZIWb +Z5P+k6ZwFpeRBrm4zrnLr5pPU/3cUBuEyR/EVEWh0kYXlg2VpvBOcHqrZfuxAVxE +eshb0TSZPhP+OaewXkWnS2slLEPS7QGeEVfQpwF1q50LAUiqw4Uwh8dIVQz5xAY9 +YZvOGGZkzFuVa9dJPA4X8w +-> ssh-ed25519 YFIoHA B/icDEIQH0u/GqDhO90QgUbP03UCnxpSPw6isfdcjRs +RndPZzM2yWqgrbALMbNsf2oxBCjgkNKcFl0FZd27n1w +-> ssh-ed25519 KQfiow 3Geq61Xd0m59b2FIIrgZP2wheXDiNiC/pVyId1fTDwY +m3c0/OZNR2nssBh8nAjlwVp6UpeDYaZphiBNdndpFG8 +-> ssh-ed25519 kScIxg mzfbaeTVFDX384nmohh3Nsht2uXIqHei3mlgaC2fm2w +/ERHHlPIHau33TMLqgL1EGcfOl87/ofN3PW/g0ysGNg +-> ssh-ed25519 HzX1zw hYappU4Fqrb1x8ZDlOQXCilsArhFwlFkJxNoygF4jQ0 +hTeadEzZ6F+I9d2bXidBRNfbQgcGsSePtb+HzWqHfBI +-> ssh-ed25519 KQfiow /LRG537/z+OHDhK5Fl1i3uJZO8Y1KY+3x9hn0zIVTTo +dfulMIkTSg35STjGPXmqNJ0ATM8rgJAuVpexBcOo2kI +-> ssh-ed25519 1o2X0w WTK2J/tOSMm/tW7wHQrQla2HH4cdj+j9rM7CMVZZoCk +bEtjp3iXkD6tanBS6tvsBQ85Yd3MQOXWgjsf0KCeWKw +-> ssh-ed25519 KQ5iUA r7eMLpwOF+PfvP0Z8CtC1y8tz2XCL6chBID2s9n5Vg8 +WiNsSDcafBCnYXR51fjNe1AqWzQexLwZGhEwITYFzso +-> ssh-ed25519 0eS5+A xHVBjsGS8jX6DNiYen0mUJe4dUi9ayYjqwxnIRAjDls +wQUPdJmf5s7RtygtcSaCPHHqC24dZGxyM0HJVqSTheQ +-> ssh-ed25519 9/4Prw vYEnPBSo0LfS6L0oUVgbFVhfE2RFCnbFUWYDPS6UlhU +U5lw/k/G/KX4JzD7zUohVGnERfeh/wJu9B9Q7OSiE8w +-> ssh-ed25519 gAk3+Q LSVYDdzb/X7yw4U0wi4v1w2hnhCKiqxMFol1DwsioGA +TwOQRpeYWtcuF/SCf4IhvapkXt3IzKbL+6TYSwMYZj8 +-> ssh-ed25519 X6eGtQ 7AkAvWIx9b6NTZadb6c9Y+OsyLIYhtilCrXNqJObEg0 +Sf347ATzrPaf4bch3H3TPNbCiBNewTuDrk8ap9dZipU +-> ssh-ed25519 
0ma8Cw oXWdHur4lg5biytTl1ixUv5P40nHHg31NNoxfzGJUTo +Q4nNfFnXiOhLVrLZIWsIIH9QB1T3v9qIyYH5bTa7hWk +-> QbL-grease t1 K-' +0rLMhdyodWAFmH1zD9QKXLcxfJaSp4Ud1qiPDHzenbzE0C5bqDP9PjvVTL85Tgkh +MY0D7KlIw79dN3t0drnuLR3Y2GmWFmA4wsgU2/nTU5nw5izYuYw +--- PLCCiAtKWcacH4p370GCBv2qUPQkQR6h4is8eorrfOQ +^Noj4C H1r5„ +|+ 3z82 }]0 \ No newline at end of file diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix index e4a449e0..d168712b 100644 --- a/nixos/secrets/secrets.nix +++ b/nixos/secrets/secrets.nix @@ -2,5 +2,6 @@ let keys = (import ../keys.nix); in { "gpg-keys.age".publicKeys = keys.agenixKeys; + "gpg-passphrase.age".publicKeys = keys.agenixKeys; "cache-priv-key.pem.age".publicKeys = keys.agenixKeys; }
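Review bot: The new `"gpg-passphrase.age".publicKeys = keys.agenixKeys;` entry encrypts the passphrase to exactly the same recipient set as `gpg-keys.age`, so anyone able to decrypt the private key can decrypt its passphrase as well; the passphrase therefore only lets the import run unattended and adds no protection beyond the agenix recipient keys themselves. That is a reasonable trade for a non-interactive service, but it should be stated next to the entry so a later reader does not assume the key is guarded by a secret held elsewhere, e.g. `# Same recipients as gpg-keys.age: this only unblocks unattended import, it is not an extra layer of protection.`. If the intent were to keep the passphrase separable from the key, it would need a narrower recipient list than `keys.agenixKeys`, which is not visible here.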