;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2023 Efraim Flashner <efraim@flashner.co.il> ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (gnu home services gnupg) #:use-module (guix gexp) #:use-module (guix modules) #:use-module ((guix records) #:select (match-record)) #:use-module (gnu services) #:use-module (gnu services configuration) #:use-module (gnu home services) #:use-module (gnu home services shepherd) #:autoload (gnu packages gnupg) (gnupg pinentry parcimonie) #:export (home-gpg-agent-configuration home-gpg-agent-configuration? home-gpg-agent-configuration-gnupg home-gpg-agent-configuration-pinentry-program home-gpg-agent-configuration-ssh-support? home-gpg-agent-configuration-default-cache-ttl home-gpg-agent-configuration-max-cache-ttl home-gpg-agent-configuration-max-cache-ttl-ssh home-gpg-agent-configuration-extra-content home-gpg-agent-service-type home-parcimonie-configuration home-parcimonie-configuration? home-parcimonie-configuration-parcimonie home-parcimonie-configuration-gnupg-already-torified? home-parcimonie-configuration-refresh-guix-keyrings? home-parcimonie-configuration-extra-content home-parcimonie-service-type)) (define raw-configuration-string? string?) ;; Configuration of 'gpg-agent'. (define-configuration/no-serialization home-gpg-agent-configuration (gnupg (file-like gnupg) "The GnuPG package to use.") (pinentry-program (file-like (file-append pinentry "/bin/pinentry-curses")) "Pinentry program to use. Pinentry is a small user interface that @command{gpg-agent} delegates to anytime it needs user input for a passphrase or @acronym{PIN, personal identification number} (@pxref{Top,,, pinentry, Using the PIN-Entry}).") (ssh-support? (boolean #f) "Whether to enable @acronym{SSH, secure shell} support. When true, @command{gpg-agent} acts as a drop-in replacement for OpenSSH's @command{ssh-agent} program, taking care of OpenSSH secret keys and directing passphrase requests to the chosen Pinentry program.") (default-cache-ttl (integer 600) "Time a cache entry is valid, in seconds.") (max-cache-ttl (integer 7200) "Maximum time a cache entry is valid, in seconds. After this time a cache entry will be expired even if it has been accessed recently.") (default-cache-ttl-ssh (integer 1800) "Time a cache entry for SSH keys is valid, in seconds.") (max-cache-ttl-ssh (integer 7200) "Maximum time a cache entry for SSH keys is valid, in seconds.") (extra-content (raw-configuration-string "") "Raw content to add to the end of @file{~/.gnupg/gpg-agent.conf}.")) (define (home-gpg-agent-configuration-file config) "Return the @file{gpg-agent.conf} file for @var{config}." (match-record config <home-gpg-agent-configuration> (pinentry-program default-cache-ttl max-cache-ttl default-cache-ttl-ssh max-cache-ttl-ssh extra-content) (mixed-text-file "gpg-agent.conf" "pinentry-program " pinentry-program "\n" "default-cache-ttl " (number->string default-cache-ttl) "\n" "max-cache-ttl " (number->string max-cache-ttl) "\n" "default-cache-ttl-ssh " (number->string default-cache-ttl-ssh) "\n" "max-cache-ttl-ssh " (number->string max-cache-ttl-ssh) "\n" extra-content))) (define (home-gpg-agent-shepherd-services config) "Return the possibly-empty list of Shepherd services for @var{config}." (match-record config <home-gpg-agent-configuration> (gnupg ssh-support?) ;; 'gpg-agent' is started on demand by GnuPG's programs, but it has to be ;; started explicitly when OpenSSH support is enabled (info "(gnupg) Agent ;; Options"). (if ssh-support? (let ((endpoint (lambda (name socket) #~(endpoint (make-socket-address AF_UNIX (string-append %user-runtime-dir "/gnupg/" #$socket)) #:name #$name #:socket-directory-permissions #o700)))) (list (shepherd-service (provision '(gpg-agent ssh-agent)) (modules '((shepherd support))) ;for '%user-runtime-dir' (start #~(make-systemd-constructor (list #$(file-append gnupg "/bin/gpg-agent") "--supervised" "--enable-ssh-support") (list #$(endpoint "ssh" "S.gpg-agent.ssh") #$(endpoint "browser" "S.gpg-agent.browser") #$(endpoint "extra" "S.gpg-agent.extra") ;; #$(endpoint "scdaemon" "S.scdaemon") #$(endpoint "std" "S.gpg-agent")))) (stop #~(make-systemd-destructor)) (documentation "Start 'gpg-agent', the GnuPG passphrase agent, with support for handling OpenSSH material.")))) '()))) (define (home-gpg-agent-files config) `((".gnupg/gpg-agent.conf" ,(home-gpg-agent-configuration-file config)))) (define (home-gpg-agent-environment-variables config) "Return GnuPG environment variables needed for @var{config}." (if (home-gpg-agent-configuration-ssh-support? config) `(("SSH_AUTH_SOCK" . "$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh")) '())) (define gpg-agent-activation (with-imported-modules (source-module-closure '((gnu build activation))) #~(begin (use-modules (gnu build activation)) ;; Make sure ~/.gnupg is #o700. (let* ((home (getenv "HOME")) (dot-ssh (string-append home "/.gnupg"))) (mkdir-p/perms dot-ssh (getpw (getuid)) #o700))))) (define home-gpg-agent-service-type (service-type (name 'home-gpg-agent) (extensions (list (service-extension home-files-service-type home-gpg-agent-files) (service-extension home-shepherd-service-type home-gpg-agent-shepherd-services) (service-extension home-activation-service-type (const gpg-agent-activation)) (service-extension home-environment-variables-service-type home-gpg-agent-environment-variables))) (default-value (home-gpg-agent-configuration)) (description "Configure GnuPG's agent, @command{gpg-agent}, which is responsible for managing OpenPGP and optionally SSH private keys. When SSH support is enabled, @command{gpg-agent} acts as a drop-in replacement for OpenSSH's @command{ssh-agent}."))) (define-configuration/no-serialization home-parcimonie-configuration (parcimonie (file-like parcimonie) "The parcimonie package to use.") (verbose? (boolean #f) "Provide extra output to the log file.") (gnupg-already-torified? (boolean #f) "GnuPG is already configured to use tor and parcimonie won't attempt to use tor directly.") (refresh-guix-keyrings? (boolean #f) "Also refresh any Guix keyrings found in the XDG_CONFIG_DIR.") (extra-content (raw-configuration-string "") "Raw content to add to the parcimonie service.")) (define (home-parcimonie-shepherd-service config) "Return a user service to run parcimonie." (match-record config <home-parcimonie-configuration> (parcimonie verbose? gnupg-already-torified? refresh-guix-keyrings? extra-content) (let ((log-file #~(string-append %user-log-dir "/parcimonie.log"))) (list (shepherd-service (provision '(parcimonie)) (modules '((shepherd support) ;for '%user-log-dir' (guix build utils) (srfi srfi-1))) (start #~(make-forkexec-constructor (cons* #$(file-append parcimonie "/bin/parcimonie") #$@(if verbose? '("--verbose") '()) #$@(if gnupg-already-torified? '("--gnupg_already_torified") '()) #$@(if (not (string=? extra-content "")) (list extra-content) '()) #$@(if refresh-guix-keyrings? '((append-map (lambda (item) (list (string-append "--gnupg_extra_args=" "--keyring=" item))) (find-files (string-append (getenv "XDG_CONFIG_HOME") "/guix") "^trustedkeys\\.kbx$"))) '((list)))) #:log-file #$log-file)) (stop #~(make-kill-destructor)) (respawn? #t) (documentation "Incrementally refresh gnupg keyring over Tor")))))) (define home-parcimonie-service-type (service-type (name 'home-parcimonie) (extensions (list (service-extension home-shepherd-service-type home-parcimonie-shepherd-service))) (default-value (home-parcimonie-configuration)) (description "Incrementally refresh GnuPG keyrings over Tor.")))