From 1e47f7101fedd857e561782d00d4cb1f6b69e7df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christina=20S=C3=B8rensen?=
Date: Tue, 4 Feb 2025 22:31:42 +0100
Subject: [PATCH] gpg-agent: no-allow-external-cache option (#6387)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a pretty common configuration option, and one that many people will find useful to discover, specially if they're not using a window manager. I thought I would add it. It is also useful to have for pass-secret-service in the future, since you'd likely want to avoid DE keyrings.

Signed-off-by: Christina Sørensen
---
modules/services/gpg-agent.nix | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/modules/services/gpg-agent.nix b/modules/services/gpg-agent.nix
index edb87a9d1..786a9f2e9 100644
--- a/modules/services/gpg-agent.nix
+++ b/modules/services/gpg-agent.nix
@@ -218,6 +218,21 @@ in {
 '';
 };
 
+ noAllowExternalCache = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Tell Pinentry not to enable features which use an external cache for
+ passphrases.
+
+ Some desktop environments prefer to unlock all credentials with one
+ master password and may have installed a Pinentry which employs an
+ additional external cache to implement such a policy. By using this
+ option the Pinentry is advised not to make use of such a cache and
+ instead always ask the user for the requested passphrase.
+ '';
+ };
+
 extraConfig = mkOption {
 type = types.lines;
 default = "";
@@ -269,6 +284,7 @@ in {
 (optional (cfg.enableSshSupport) "enable-ssh-support"
 ++ optional cfg.grabKeyboardAndMouse "grab"
 ++ optional (!cfg.enableScDaemon) "disable-scdaemon"
+ ++ optional (cfg.noAllowExternalCache) "no-allow-external-cache"
 ++ optional (cfg.defaultCacheTtl != null) "default-cache-ttl ${toString cfg.defaultCacheTtl}"
 ++ optional (cfg.defaultCacheTtlSsh != null)
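Review bot: The option added in the first hunk is named after the negative gpg-agent flag, so a user must write `noAllowExternalCache = true` to emit `no-allow-external-cache`, a double negative that the rest of this module avoids — the second hunk already maps `!cfg.enableScDaemon` to `disable-scdaemon`. A positively named option with the same effect would be `allowExternalCache = mkOption { type = types.bool; default = true; ... }` in the first hunk and `++ optional (!cfg.allowExternalCache) "no-allow-external-cache"` in the second. The description is adapted from the gpg-agent manual but never names the setting it controls; a closing sentence such as `Corresponds to the no-allow-external-cache option in gpg-agent.conf.` lets readers match it against the manual. It may also be worth stating the consequence of the default plainly — with an external cache enabled, the desktop keyring's Pinentry rather than gpg-agent holds the passphrase, as the description's own wording implies; confirm against the manual before asserting it. The list expression in the second hunk appears to continue past the end of this chunk.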