Help with systemd sockets

In order to store and use my SSH host keys in a PGP format I’m trying the following approach inspired by home-manager’s gpg-agent.nix:

{ config, lib, ... }:
let
  inherit (lib) mkOption mkIf mkAfter optionalString types;

  cfg = config.services.host-gpg-agent;

  # ssh-agent-protocol socket of the host agent. The same path is handed to
  # the login environment, to sshd's HostKeyAgent and to the socket unit, so
  # it is defined exactly once here.
  agent-ssh-socket = "${cfg.homedir}/S.gpg-agent.ssh";

  # Both listening sockets have to exist before the supervised agent starts.
  socketUnits = [ "host-gpg-agent-ssh.socket" "host-gpg-agent.socket" ];

  # Common shape of the two socket units. `extra` is merged into socketConfig.
  mkAgentSocket = fdName: listenPath: extra: {
    partOf = [ "host-gpg-agent.service" ];
    wantedBy = [ "sockets.target" ];
    socketConfig = {
      # Root-only directory and socket: only the owner can talk to the agent.
      DirectoryMode = "0700";
      FileDescriptorName = fdName;
      ListenStream = listenPath;
      SocketMode = "0600";
    } // extra;
  };
in
{
  options.services.host-gpg-agent = {
    # On by default; false drops every definition in `config` below.
    enable = mkOption {
      type = types.bool;
      default = true;
    };

    # GNUPGHOME of the host agent: keys, sshcontrol and the socket files.
    homedir = mkOption {
      type = types.path;
      default = "/etc/gnupg";
    };

    # gnupg build that provides gpg-agent and gpgconf.
    package = mkOption {
      type = types.package;
      default = config.programs.gnupg.package;
    };

    # Appends --verbose to the agent's command line.
    verbose = mkOption {
      type = types.bool;
      default = true;
    };
  };

  config = mkIf cfg.enable {
    # Agent configuration file: no smartcard daemon, ssh-agent protocol on.
    environment.etc."gnupg/gpg-agent.conf".text = ''
      disable-scdaemon
      enable-ssh-support
    '';

    # NOTE(review): sessionVariables apply to every login session, not just
    # root's. Every user would then get GNUPGHOME pointing at a root-only 0700
    # directory and SSH_AUTH_SOCK pointing at a root-owned 0600 socket (modes
    # set in mkAgentSocket above) -- confirm this is intended rather than
    # scoping it to the accounts that actually need the host agent.
    environment.sessionVariables = {
      GNUPGHOME = cfg.homedir;
      SSH_AUTH_SOCK = agent-ssh-socket;
    };

    # sshd fetches its host keys through the agent instead of reading key
    # files. Presumably the connection is made by sshd's privileged (root)
    # process, which is what the 0600 root-owned socket permits -- verify.
    services.openssh.extraConfig = mkAfter "HostKeyAgent ${agent-ssh-socket}";

    systemd.services.host-gpg-agent = {
      environment.GNUPGHOME = cfg.homedir;
      after = socketUnits;
      requires = socketUnits;
      serviceConfig = {
        ExecReload = "${cfg.package}/bin/gpgconf --reload gpg-agent";
        # --supervised: the agent takes its listening sockets from systemd
        # (matched by FileDescriptorName) instead of creating them itself.
        ExecStart =
          "${cfg.package}/bin/gpg-agent --supervised"
          + optionalString cfg.verbose " --verbose";
      };
      # The service is only ever activated through its sockets.
      unitConfig.RefuseManualStart = true;
    };

    # NOTE(review): the post reports the socket files missing after boot and
    # present after a reloadagent; whether systemd never created them or the
    # agent unlinked them is not visible here -- the state/journal of the two
    # socket units would show which.
    systemd.sockets = {
      host-gpg-agent = mkAgentSocket "std" "${cfg.homedir}/S.gpg-agent" { };

      host-gpg-agent-ssh = mkAgentSocket "ssh" agent-ssh-socket {
        Service = "host-gpg-agent.service";
      };
    };
  };
}

The problem is that the socket files are not created automatically at boot; I have to restart the socket or the service manually before the files appear where they should.

Just restarted:

sudo ls -la /etc/gnupg/
total 14
drwx------ 4 root root    9 May 14 14:32 .
drwxr-xr-x 7 root root    8 May 14 13:31 ..
drwx------ 2 root root    3 Apr 29 17:18 crls.d
lrwxrwxrwx 1 root root   32 May 14 14:32 gpg-agent.conf -> /etc/static/gnupg/gpg-agent.conf
drwx------ 2 root root    8 May 14 10:46 private-keys-v1.d
-rw-r--r-- 1 root root  851 Apr 29 16:58 pubring.kbx
-rw------- 1 root root   32 Apr 29 16:58 pubring.kbx~
-rw-r----- 1 root root  719 May 14 10:51 sshcontrol
-rw------- 1 root root 1280 Apr 29 17:12 trustdb.gpg

After sudo gpg-connect-agent --homedir /etc/gnupg reloadagent /bye:

sudo ls -la /etc/gnupg/
total 16
drwx------ 4 root root   13 May 14 14:44 .
drwxr-xr-x 7 root root    8 May 14 13:31 ..
drwx------ 2 root root    3 Apr 29 17:18 crls.d
lrwxrwxrwx 1 root root   32 May 14 14:32 gpg-agent.conf -> /etc/static/gnupg/gpg-agent.conf
drwx------ 2 root root    8 May 14 10:46 private-keys-v1.d
-rw-r--r-- 1 root root  851 Apr 29 16:58 pubring.kbx
-rw------- 1 root root   32 Apr 29 16:58 pubring.kbx~
srwx------ 1 root root    0 May 14 14:44 S.gpg-agent
srwx------ 1 root root    0 May 14 14:44 S.gpg-agent.ssh
-rw-r----- 1 root root  719 May 14 10:51 sshcontrol
-rw------- 1 root root 1280 Apr 29 17:12 trustdb.gpg

Can anybody spot what I’m doing wrong?