
auto import of gpg key

rework-profiles
parent
commit
21cf80c932
10 changed files with 32 additions and 6 deletions
  1. +1
    -0
      .gitattributes
  2. +1
    -1
      README.md
  3. +2
    -5
      common/default.nix
  4. +9
    -0
      common/graphical.nix
  5. +19
    -0
      common/headfull.nix
  6. BIN
      dotfiles/gnupg/.#lk0x00000000005bb060.xanadu.29732
  7. BIN
      dotfiles/gnupg/.#lk0x000000000064d100.xanadu.7397
  8. BIN
      dotfiles/gnupg/.#lk0x000000000179d060.xanadu.21357
  9. BIN
      dotfiles/gnupg/key.gpg
  10. BIN
      dotfiles/gnupg/trust.txt

+ 1
- 0
.gitattributes View File

@ -1,3 +1,4 @@
secrets/* filter=git-crypt diff=git-crypt
dotfiles/mail/msmtp/* filter=git-crypt diff=git-crypt
dotfiles/mail/mbsync/* filter=git-crypt diff=git-crypt
dotfiles/gnupg/* filter=git-crypt diff=git-crypt
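Review bot: The new `dotfiles/gnupg/* filter=git-crypt diff=git-crypt` pattern lands in the same commit as the files it is meant to protect, and git-crypt only encrypts blobs that are added while the attribute is already in effect, so whether key.gpg and trust.txt went into history encrypted depends on the order in which they were staged. It is worth confirming with `git-crypt status` that no file under dotfiles/gnupg is reported as unencrypted before this commit is pushed anywhere, since a secret key committed in the clear cannot be recalled by a later filter change.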

+ 1
- 1
README.md View File

@ -12,7 +12,7 @@ Features in need of development are:
* redirect IPv6 through tor
* weechat-matrix and vim-prosession !!!
* switch to pass in dotfiles
* auto import my gpg secret key
* auto import my pass passwords
* fix ibus daemon
* security hardening through sandboxing


+ 2
- 5
common/default.nix View File

@ -29,8 +29,8 @@ in
# basic set of tools & ssh
environment.systemPackages = with pkgs; [
wget neovim tmux git git-crypt pinentry-curses
rsync imagemagick python-pkgs pass mosh gnupg
wget neovim tmux git git-crypt
rsync imagemagick python-pkgs mosh gnupg
];
programs.mosh.enable = true;
@ -65,8 +65,5 @@ in
networking.domain = "govanify.com";
# we do not use gpg agent as all gpg keys used are available _without_ a
# password, if someone is able to snoop into my user files they will sooner
# or later get the password anyways
}

+ 9
- 0
common/graphical.nix View File

@ -63,7 +63,16 @@
# ACTUALLY WORKS for a reason that is beyond me. I'm as confused as you are,
# so let's just keep it this way shall we? worst case scenario i login into
# another shell
# the gpg thing should be done in headfull but we need to do that before it
# execs sway because sway obviously never returns
environment.interactiveShellInit = ''
if [ ! -f ~/.config/gnupg/trustdb.gpg ] && [[ $(tty) = /dev/tty1 ]]; then
find ~/.config/gnupg -type f -exec chmod 600 {} \;
find ~/.config/gnupg -type d -exec chmod 700 {} \;
gpg --import ~/.config/gnupg/key.gpg
gpg --import-ownertrust ~/.config/gnupg/trust.txt
fi
if [[ -z $DISPLAY ]] && [[ $(tty) = /dev/tty1 ]]; then
exec sway
fi
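Review bot: The guard `[ ! -f ~/.config/gnupg/trustdb.gpg ]` assumes gpg's home directory is ~/.config/gnupg, but the `gpg --import` and `gpg --import-ownertrust` lines below it are called without `--homedir`, and GnuPG defaults to ~/.gnupg unless GNUPGHOME is set; if nothing outside this hunk exports GNUPGHOME, the trustdb is created elsewhere and the import and chmod run again on every tty1 login. Passing the directory explicitly removes that dependency: `gpg --homedir ~/.config/gnupg --import ~/.config/gnupg/key.gpg` and `gpg --homedir ~/.config/gnupg --import-ownertrust ~/.config/gnupg/trust.txt`. The `find … -type f -exec chmod 600` line will also not touch key.gpg and trust.txt if home-manager places them as symlinks, because `-type f` does not match symlinks, so only files gpg itself creates are tightened; a comment saying so, `# chmod covers files gpg creates here; home-manager links are not affected`, would keep the next reader from assuming the key file itself is protected by this step. The `environment.interactiveShellInit` string opened at the top of the hunk closes outside it.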


+ 19
- 0
common/headfull.nix View File

@ -1,16 +1,19 @@
{ config, pkgs, lib, ... }: {
imports =
[
./graphical.nix
./mail.nix
];
# TODO: make weechat work out better
environment.systemPackages = with pkgs; [
weechat cmus # dev
cargo python clang meson ninja
asciinema
texlive.combined.scheme-medium
pass pinentry-curses
];
@ -32,6 +35,22 @@
# uneeded in most cases and create an ~/.esd_auth file
hardware.pulseaudio.extraConfig = "unload-module module-esound-protocol-unix";
# we do not use gpg agent as all gpg keys used are available _without_ a
# password, if someone is able to snoop into my user files they will sooner
# or later get the password anyways
# this adds 2 files on top of the gpg install handled by the system, but this
# is a single user system so nobody cares
home-manager.users.govanify = {
home.file.".config/gnupg/key.gpg".source = ./../dotfiles/gnupg/key.gpg;
home.file.".config/gnupg/trust.txt".source = ./../dotfiles/gnupg/trust.txt;
};
}
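Review bot: `home.file.".config/gnupg/key.gpg".source = ./../dotfiles/gnupg/key.gpg;` copies the secret key into the Nix store, which is world-readable, so git-crypt protects the key in the repository but not on the deployed machine; the comment above acknowledges a single-user system, but that trade-off belongs on the line itself, e.g. `# NOTE: home.file sources are copied into the world-readable /nix/store; key.gpg is only as private as local-user isolation on this host`. The three `.#lk0x…xanadu.<pid>` files added under dotfiles/gnupg in this commit follow GnuPG's dotlock naming and nothing in the configuration references them, so they appear to be transient lock files left by a running gpg and should be dropped rather than committed. The `we do not use gpg agent` comment carried over from default.nix is also inaccurate for GnuPG 2.1 and later, where secret-key operations always go through gpg-agent; the rationale that holds is that the keys carry no passphrase, and the comment should say that instead.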

BIN
dotfiles/gnupg/.#lk0x00000000005bb060.xanadu.29732 View File


BIN
dotfiles/gnupg/.#lk0x000000000064d100.xanadu.7397 View File


BIN
dotfiles/gnupg/.#lk0x000000000179d060.xanadu.21357 View File


BIN
dotfiles/gnupg/key.gpg View File


BIN
dotfiles/gnupg/trust.txt View File

