How to full git setup in home-manager or else

I want to setup my git config declaratively but I struggle to find how to do it.
I managed to find an example of how to sign my commits, which is nice, but I want to use GitHub and that means I need to configure an SSH key, and I don't know how to do that.

I also looked at this to find some clues on how to do it but didn't find anything.

Can you elaborate on what exactly you want to do?

Show an equivalent git config that we can help to translate into HM-style git configuration.

For example, if I was using a regular distro I would do this:

  1. generate an ssh public/private key
  2. Then I would start the ssh agent

    eval "$(ssh-agent -s)"

  3. Then I would add my private key to the agent

    ssh-add ~/.ssh/id_ed25519

And after adding the public key to GitHub, that would allow me to push my own repos to GitHub.

None of this can be done declaratively. You do not do anything different with NixOS and/or Home Manager.

Are you sure? Because it seems that I can set up signing commits with ssh declaratively.


But you cannot create the key declaratively, nor can you load it into your agent, nor can you push it to GitHub.

You might be able to start the agent service as a service though…

I don't want to create it, I just want to add it to ssh-agent:

ssh-add ~/.ssh/id_ed25519

I just described the full algorithm of how you do it on a regular distro.

If the key is not password protected, you could have a oneshot that adds the key to the agent, given it was started by another service before.

If it is password protected though, stuff becomes more convoluted.

I am aware that there are users who have a pam.d based setup to unlock their keys, as well as emptying the agent when they lock their screen and filling back all keys in after unlocking again.

I do not remember whether it was @tejing or @viperML who talked about this recently…

I have a setup like that, but using gpg-agent/pam-gnupg rather than ssh-agent, so it’s probably not directly applicable. I’m not sure if the tools to do it with ssh-agent are readily available.


Are you able to push to GitHub with your setup?
Can you share that part of your config?

Yes, I can push to GitHub, since gpg-agent is able to provide ssh-agent emulation.

The majority of the settings are set in home-manager here. pam-gnupg is enabled in nixos config here.


Thanks, I will need some time to comprehend it.
Isn't it dangerous to share those keys in a public repo?

The keys aren’t in the repo. Only their fingerprints are. Those are intended to be publicly shared.

I looked here for reference on what the possible keys are, their values and what they are used for, but I spotted a key that you are using that is not present there.

You mean the things under programs.gpg.settings? (In the future, please be specific about what you’re asking about.)

That attrset gets turned into the gpg.conf file. Any option that would be correct in that file can be put there.

Simply put, programs.gpg.settings is the option, in and of itself. The attrs under it are part of the option value.

Exactly. Here is yours:

    programs.gpg.settings = {
      default-key = "963D 3AFB 8AA4 D693 153C  1500 46E9 6F6F F44F 3D74";
      default-recipient-self = true;
      auto-key-locate = "local,wkd,keyserver";
      keyserver = "hkps://";
      auto-key-retrieve = true;
      auto-key-import = true;
      keyserver-options = "honor-keyserver-url";
      no-autostart = true;
    };

Here is the supposed home-manager implementation from the link that I provided:

    programs.gpg.settings = {
      personal-cipher-preferences = mkDefault "AES256 AES192 AES";
      personal-digest-preferences = mkDefault "SHA512 SHA384 SHA256";
      personal-compress-preferences = mkDefault "ZLIB BZIP2 ZIP Uncompressed";
      default-preference-list = mkDefault
        "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
      cert-digest-algo = mkDefault "SHA512";
      s2k-digest-algo = mkDefault "SHA512";
      s2k-cipher-algo = mkDefault "AES256";
      charset = mkDefault "utf-8";
      fixed-list-mode = mkDefault true;
      no-comments = mkDefault true;
      no-emit-version = mkDefault true;
      keyid-format = mkDefault "0xlong";
      list-options = mkDefault "show-uid-validity";
      verify-options = mkDefault "show-uid-validity";
      with-fingerprint = mkDefault true;
      require-cross-certification = mkDefault true;
      no-symkey-cache = mkDefault true;
      use-agent = mkDefault true;
    };

For example, you have keyserver-options, but there is no such thing in the home-manager implementation.

Those are the options home-manager sets by default, not the options that exist to set.

For those, you need to look at gpg documentation.

There has been a convention that settings is just whatever the program itself recognizes, just in the format of a nix attrset:


It will take me a lot more time to understand how to configure my git ssh with gpg. I filled some of my gaps but I still have questions.

    programs.gpg.enable = true;
    programs.gpg.settings = {
      default-key = "963D 3AFB 8AA4 D693 153C  1500 46E9 6F6F F44F 3D74";
      default-recipient-self = true;
      auto-key-locate = "local,wkd,keyserver";
      keyserver = "hkps://";
      auto-key-retrieve = true;
      auto-key-import = true;
      keyserver-options = "honor-keyserver-url";
      no-autostart = true;
    };

@tejing it seems that you use a keyserver. I'm not sure what a keyserver exactly does, but I prefer my keys to be locally available. In that case I believe that I don't need gpg-agent at all.
What I want is to have one primary key that has only cert capabilities and 3 subkeys with sign, crypt and decrypt capabilities respectively.
I believe that default-key should point to the sign subkey.
I still can't find proper documentation that explains which option does what. Hopefully tomorrow I will find more info.

The keyserver stuff just pertains to how to look up public keys you don’t have locally. I basically never use it.

You do need a gpg-agent to use gpg at all. gpg will not function without an agent since a while back, though it will start one on the fly if it doesn’t find one already running (which I turn off with no-autostart since it can muck up my systemd-started instance).

You can set the main key to have only cert capabilities if you want. However the other 3 roles are en/decrypt, sign, and authenticate. Encrypt and decrypt happen with the same subkey, though obviously one happens with the public key and one with the private. “Authenticate” is used if you set up ssh-agent emulation. It’s fundamentally also a kind of signing, but since the intended use has different security properties it gets its own category.

default-key always points to the main key, not subkeys. As a rule, you basically never refer to subkeys directly in gpg stuff. The subkey marked with the appropriate role will still be used.
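The setup tejing describes above (gpg-agent acting as the ssh-agent, a cert-only primary key with separate subkeys, default-key naming the primary key, no-autostart so the systemd-started agent is the only one) as a single home-manager fragment. This is an added example, not tejing's linked config; the fingerprint, keygrip, key id, name and email are placeholders you replace with your own, and the keys themselves are still generated by hand since that step cannot be done declaratively.

```nix
{ config, pkgs, ... }:
{
  programs.gpg = {
    enable = true;
    settings = {
      # Placeholder fingerprint of the PRIMARY (cert-only) key; gpg picks the
      # subkey with the right role (sign / encrypt / auth) on its own.
      default-key = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000";
      # Do not let gpg spawn its own agent; the user service below owns it.
      no-autostart = true;
    };
  };

  services.gpg-agent = {
    enable = true;
    # Serve the ssh-agent protocol on SSH_AUTH_SOCK so `git push` over SSH
    # to GitHub authenticates with the [A] (authenticate) subkey.
    enableSshSupport = true;
    # Keygrips (not fingerprints) of the subkeys to expose to SSH clients.
    # Find yours with: gpg --with-keygrip -K   (placeholder value below)
    sshKeys = [ "0000000000000000000000000000000000000000" ];
  };

  programs.git = {
    enable = true;
    userName = "Example User";        # placeholder
    userEmail = "user@example.com";   # placeholder
    signing = {
      key = "0x0000000000000000";     # placeholder long key id of the primary key
      signByDefault = true;           # sign every commit with the [S] subkey
    };
  };
}
```

After a switch, `gpg --export-ssh-key <fingerprint>` prints the authenticate subkey in OpenSSH public-key format for pasting into GitHub, and `ssh -T git@github.com` confirms the agent is answering.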