From 93af99ec024b59b5a81ed698b67b36986bbe0a79 Mon Sep 17 00:00:00 2001 From: Benedikt Rips Date: Mon, 5 Jan 2026 17:17:00 +0100 Subject: [PATCH] gpg-agent: remove redundant platform checks --- modules/services/gpg-agent.nix | 214 ++++++++++++++++----------------- 1 file changed, 102 insertions(+), 112 deletions(-) diff --git a/modules/services/gpg-agent.nix b/modules/services/gpg-agent.nix index e2ef852f..9acc9c66 100644 --- a/modules/services/gpg-agent.nix +++ b/modules/services/gpg-agent.nix 
@@ -344,125 +344,115 @@ in }; }; - config = mkIf cfg.enable ( - lib.mkMerge [ - { - # Grab the default binary name and fallback to expected value if `meta.mainProgram` not set - services.gpg-agent.pinentry.program = lib.mkOptionDefault ( - cfg.pinentry.package.meta.mainProgram or "pinentry" - ); + config = mkIf cfg.enable { + # Grab the default binary name and fallback to expected value if `meta.mainProgram` not set + services.gpg-agent.pinentry.program = lib.mkOptionDefault ( + cfg.pinentry.package.meta.mainProgram or "pinentry" + ); - home.file."${homedir}/gpg-agent.conf".text = lib.concatStringsSep "\n" ( - optional cfg.enableSshSupport "enable-ssh-support" - ++ optional cfg.grabKeyboardAndMouse "grab" - ++ optional (!cfg.enableScDaemon) "disable-scdaemon" - ++ optional cfg.noAllowExternalCache "no-allow-external-cache" - ++ optional (cfg.defaultCacheTtl != null) "default-cache-ttl ${toString cfg.defaultCacheTtl}" - ++ optional ( - cfg.defaultCacheTtlSsh != null - ) "default-cache-ttl-ssh ${toString cfg.defaultCacheTtlSsh}" - ++ optional (cfg.maxCacheTtl != null) "max-cache-ttl ${toString cfg.maxCacheTtl}" - ++ optional (cfg.maxCacheTtlSsh != null) "max-cache-ttl-ssh ${toString cfg.maxCacheTtlSsh}" - ++ optional ( - cfg.pinentry.package != null - ) "pinentry-program ${lib.getExe' cfg.pinentry.package cfg.pinentry.program}" - ++ [ cfg.extraConfig ] - ); + home.file."${homedir}/gpg-agent.conf".text = lib.concatStringsSep "\n" ( + optional cfg.enableSshSupport "enable-ssh-support" + ++ optional cfg.grabKeyboardAndMouse "grab" + ++ optional (!cfg.enableScDaemon) "disable-scdaemon" + ++ optional cfg.noAllowExternalCache "no-allow-external-cache" + ++ optional (cfg.defaultCacheTtl != null) "default-cache-ttl ${toString cfg.defaultCacheTtl}" + ++ optional ( + cfg.defaultCacheTtlSsh != null + ) "default-cache-ttl-ssh ${toString cfg.defaultCacheTtlSsh}" + ++ optional (cfg.maxCacheTtl != null) "max-cache-ttl ${toString cfg.maxCacheTtl}" + ++ optional (cfg.maxCacheTtlSsh 
!= null) "max-cache-ttl-ssh ${toString cfg.maxCacheTtlSsh}" + ++ optional ( + cfg.pinentry.package != null + ) "pinentry-program ${lib.getExe' cfg.pinentry.package cfg.pinentry.program}" + ++ [ cfg.extraConfig ] + ); - home.sessionVariablesExtra = optionalString cfg.enableSshSupport '' - unset SSH_AGENT_PID - if [ -z "$SSH_CONNECTION" -o -z "$SSH_AUTH_SOCK" ] && [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then - export SSH_AUTH_SOCK="$(${gpgPkg}/bin/gpgconf --list-dirs agent-ssh-socket)" - fi - ''; + home.sessionVariablesExtra = optionalString cfg.enableSshSupport '' + unset SSH_AGENT_PID + if [ -z "$SSH_CONNECTION" -o -z "$SSH_AUTH_SOCK" ] && [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then + export SSH_AUTH_SOCK="$(${gpgPkg}/bin/gpgconf --list-dirs agent-ssh-socket)" + fi + ''; - programs = { - bash.initExtra = mkIf cfg.enableBashIntegration gpgBashInitStr; - zsh.initContent = mkIf cfg.enableZshIntegration gpgZshInitStr; - fish.interactiveShellInit = mkIf cfg.enableFishIntegration gpgFishInitStr; - nushell.extraConfig = mkIf cfg.enableNushellIntegration gpgNushellInitStr; + programs = { + bash.initExtra = mkIf cfg.enableBashIntegration gpgBashInitStr; + zsh.initContent = mkIf cfg.enableZshIntegration gpgZshInitStr; + fish.interactiveShellInit = mkIf cfg.enableFishIntegration gpgFishInitStr; + nushell.extraConfig = mkIf cfg.enableNushellIntegration gpgNushellInitStr; + }; + + # Trailing newlines are important + home.file."${homedir}/sshcontrol" = mkIf (cfg.sshKeys != null) { + text = lib.concatMapStrings (s: '' + ${s} + '') cfg.sshKeys; + }; + + systemd.user = { + services.gpg-agent = { + Unit = { + Description = "GnuPG cryptographic agent and passphrase cache"; + Documentation = "man:gpg-agent(1)"; + Requires = "gpg-agent.socket"; + After = "gpg-agent.socket"; + # This is a socket-activated service: + RefuseManualStart = true; }; - } - (mkIf (cfg.sshKeys != null) { - # Trailing newlines are important - home.file."${homedir}/sshcontrol".text = 
lib.concatMapStrings (s: '' - ${s} - '') cfg.sshKeys; - }) + Service = { + ExecStart = "${gpgPkg}/bin/gpg-agent --supervised" + optionalString cfg.verbose " --verbose"; + ExecReload = "${gpgPkg}/bin/gpgconf --reload gpg-agent"; + Environment = [ "GNUPGHOME=${homedir}" ]; + }; + }; - (lib.mkMerge [ - (mkIf pkgs.stdenv.isLinux { - systemd.user = { - services.gpg-agent = { - Unit = { - Description = "GnuPG cryptographic agent and passphrase cache"; - Documentation = "man:gpg-agent(1)"; - Requires = "gpg-agent.socket"; - After = "gpg-agent.socket"; - # This is a socket-activated service: - RefuseManualStart = true; - }; + sockets = { + gpg-agent = mkSocket { + desc = "GnuPG cryptographic agent and passphrase cache"; + docs = "man:gpg-agent(1)"; + stream = "S.gpg-agent"; + fdName = "std"; + }; - Service = { - ExecStart = "${gpgPkg}/bin/gpg-agent --supervised" + optionalString cfg.verbose " --verbose"; - ExecReload = "${gpgPkg}/bin/gpgconf --reload gpg-agent"; - Environment = [ "GNUPGHOME=${homedir}" ]; - }; - }; + gpg-agent-ssh = mkIf cfg.enableSshSupport (mkSocket { + desc = "GnuPG cryptographic agent (ssh-agent emulation)"; + docs = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)"; + stream = "S.gpg-agent.ssh"; + fdName = "ssh"; + }); - sockets = { - gpg-agent = mkSocket { - desc = "GnuPG cryptographic agent and passphrase cache"; - docs = "man:gpg-agent(1)"; - stream = "S.gpg-agent"; - fdName = "std"; - }; + gpg-agent-extra = mkIf cfg.enableExtraSocket (mkSocket { + desc = "GnuPG cryptographic agent and passphrase cache (restricted)"; + docs = "man:gpg-agent(1) man:ssh(1)"; + stream = "S.gpg-agent.extra"; + fdName = "extra"; + }); + }; + }; - gpg-agent-ssh = mkIf cfg.enableSshSupport (mkSocket { - desc = "GnuPG cryptographic agent (ssh-agent emulation)"; - docs = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)"; - stream = "S.gpg-agent.ssh"; - fdName = "ssh"; - }); - - gpg-agent-extra = mkIf cfg.enableExtraSocket (mkSocket { - desc = "GnuPG 
cryptographic agent and passphrase cache (restricted)";
- docs = "man:gpg-agent(1) man:ssh(1)";
- stream = "S.gpg-agent.extra";
- fdName = "extra";
- });
- };
- };
- };
- })
-
- (mkIf pkgs.stdenv.isDarwin {
- launchd.agents.gpg-agent = {
- enable = true;
- config = {
- ProgramArguments = [
- "${gpgPkg}/bin/gpg-agent"
- "--supervised"
- ]
- ++ optional cfg.verbose "--verbose";
- EnvironmentVariables = {
- GNUPGHOME = homedir;
- };
- KeepAlive = {
- Crashed = true;
- SuccessfulExit = false;
- };
- ProcessType = "Background";
- RunAtLoad = cfg.enableSshSupport;
- Sockets = {
- Agent = mkAgentSock "S.gpg-agent";
- Ssh = mkIf cfg.enableSshSupport (mkAgentSock "S.gpg-agent.ssh");
- Extra = mkIf cfg.enableExtraSocket (mkAgentSock "S.gpg-agent.extra");
- };
- };
- };
- })
- ])
- ]
- );
+ launchd.agents.gpg-agent = {
+ enable = true;
+ config = {
+ ProgramArguments = [
+ "${gpgPkg}/bin/gpg-agent"
+ "--supervised"
+ ]
+ ++ optional cfg.verbose "--verbose";
+ EnvironmentVariables = {
+ GNUPGHOME = homedir;
+ };
+ KeepAlive = {
+ Crashed = true;
+ SuccessfulExit = false;
+ };
+ ProcessType = "Background";
+ RunAtLoad = cfg.enableSshSupport;
+ Sockets = {
+ Agent = mkAgentSock "S.gpg-agent";
+ Ssh = mkIf cfg.enableSshSupport (mkAgentSock "S.gpg-agent.ssh");
+ Extra = mkIf cfg.enableExtraSocket (mkAgentSock "S.gpg-agent.extra");
+ };
+ };
+ };
+ };
 }
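Review bot: The correctness of dropping the `isLinux`/`isDarwin` guards rests entirely on the systemd and launchd modules discarding `systemd.user.services.gpg-agent` and `launchd.agents.gpg-agent` definitions on the other platform rather than rejecting them; to my recollection both modules have carried a "Must use Linux/Darwin for modules that require …" assertion, so please confirm that has been relaxed or platform-filtered before relying on the title's claim of redundancy. Nothing in the new code records that reliance, so a future reader is likely to reinstate the guards; a short comment above `systemd.user = {`, e.g. `# No platform guard: the systemd and launchd modules ignore definitions on the other platform.`, would document the invariant. Evaluating the module on one Linux and one Darwin system (or running the module tests for both) before merging would surface the assertion if it still fires.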