https://github.com/nix-community/home-manager/pull/7117#issuecomment-3018582819
noted that #7117 broke compatibility with forwarding ssh-agents using
`ssh -A`/`ForwardAgent`. In order to continue supporting the fix for
the issue raised in #5997 and address the compatibility problem
mentioned by @euank, this commit introduces the solution described in
https://github.com/nix-community/home-manager/pull/7117#issuecomment-3025001779.
The code now checks the following:
1. is this shell part of an SSH connection and is `SSH_AUTH_SOCK` set?
if so, assume the socket variable was set by sshd to point at a
forwarded socket; bail out to skip setting `SSH_AUTH_SOCK".
1. is the current process a child of `gpg-agent --daemon`? if so, then
bail out to skip setting `SSH_AUTH_SOCK`.
1. if we got this far, then set `SSH_AUTH_SOCK`.
I've tested this fix locally and can confirm that both #5997 as well as
the regression are fixed.
Signed-off-by: squat <lserven@gmail.com>
This commit addresses https://github.com/nix-community/home-manager/issues/5997
At the root, the gpg-agent SSH integration is not working on Darwin
because shells are started with `SSH_AUTH_SOCK` already set to something
like `/private/tmp/com.apple.launchd.ozLmoURHDC/Listeners`, which
prevents the hook from setting the variable to the gpg-agent's socket.
This commit fixes the issue using a different mechanism to detect if the
current shell has already had the `SSH_AUTH_SOCK` variable set to the
gpg-agent's socket, namely by checking for `gnupg_SSH_AUTH_SOCK_by` as
documented in
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Examples.html#Agent-Examples.
This is essentially a simplified version of
https://github.com/nix-community/home-manager/pull/5901 that does not
attempt to migrate gpg-agent over to launchd.
Signed-off-by: squat <lserven@gmail.com>
Reduce maintenance burden and increase efficiency by automatically
importing modules following a specific convention.
Co-authored-by: awwpotato <awwpotato@voidq.com>
Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
Alternative option for allowing a user to automatically configure what
binary to use from a `pinentry` package. Previously, we always used
`meta.mainProgram` but, there are packages that provide multiple
binaries and this would allow flexibility for a user to override the
default program used.
Standardize all 'programs.<PROGRAM>.enable<SHELL>Integration' options
with the following new functions:
- lib.hm.shell.mkBashIntegrationOption
- lib.hm.shell.mkFishIntegrationOption
- lib.hm.shell.mkIonIntegrationOption
- lib.hm.shell.mkNushellIntegrationOption
- lib.hm.shell.mkZshIntegrationOption
These functions should default to their corresponding global option:
- home.shell.enableBashIntegration
- home.shell.enableFishIntegration
- home.shell.enableIonIntegration
- home.shell.enableNushellIntegration
- home.shell.enableZshIntegration
All these global options default to the
'home.shell.enableShellIntegration' value.
This hierarchy standardizes the shell integration and increases end-user
flexibility.
BREAKING CHANGE: The following inconsistent default values change from
'false' to 'true':
- programs.zellij.enableBashIntegration
- programs.zellij.enableFishIntegration
- programs.zellij.enableZshIntegration
Link: https://github.com/nix-community/home-manager/pull/6358
Co-authored-by: Robert Helgesson <robert@rycee.net>
This is a pretty common configuration option, and one that many people
will find useful to discover, specially if they're not using a window
manager.
I thought I would add it. It is also useful to have for
pass-secret-service in the future, since you'd likely want to avoid DE
keyrings.
Signed-off-by: Christina Sørensen <ces@fem.gg>
`splitString "" "some string"` would throw exception `error: invalid
regular expression` on Darwin (or accurately, on Nix built against
libc++). Refer to https://github.com/NixOS/nix/issues/7208 for
details.
Before Nix handles that issue correctly, we should refrain from using
`splitString ""`, and luckliy `lib.stringAsChars` can do the same thing.
These (and the `*MD` functions apart from `literalMD`) are now no-ops
in nixpkgs and serve no purpose other than to add additional noise and
potentially mislead people into thinking unmarked DocBook documentation
will still be accepted.
Note that if backporting changes including documentation to 23.05,
the `mdDoc` calls will need to be re-added.
To reproduce this commit, run:
$ NIX_PATH=nixpkgs=flake:nixpkgs/e7e69199f0372364a6106a1e735f68604f4c5a25 \
nix shell nixpkgs#coreutils \
-c find . -name '*.nix' \
-exec nix run -- github:emilazy/nix-doc-munge/98dadf1f77351c2ba5dcb709a2a171d655f15099 \
--strip {} +
$ ./format
This process was automated by [my fork of `nix-doc-munge`]. All
conversions were automatically checked to produce the same DocBook
result when converted back, modulo minor typographical/formatting
differences on the acceptable-to-desirable spectrum.
To reproduce this commit, run:
$ NIX_PATH=nixpkgs=flake:nixpkgs/e7e69199f0372364a6106a1e735f68604f4c5a25 \
nix shell nixpkgs#coreutils \
-c find . -name '*.nix' \
-exec nix run -- github:emilazy/nix-doc-munge/98dadf1f77351c2ba5dcb709a2a171d655f15099 \
{} +
$ ./format
[my fork of `nix-doc-munge`]: https://github.com/emilazy/nix-doc-munge/tree/home-manager
The GNU Privacy Guard 2.3 man page for `gpg-agent` describes the
`--grab` and `--no-grab` options as follows:
> Tell the pinentry to grab the keyboard and mouse. This option should
> be used on X-Servers to avoid X-sniffing attacks. Any use of the
> option --grab overrides an used option --no-grab. The default is
> --no-grab.
Therefore Home Manager should explicitly output `grab` when
`cfg.grabKeyboardAndMouse` is true. Previously Home Manager emitted
`no-grab` when `cfg.grabKeyboardAndMouse` was false.
PR #3192
In esoteric setups, automatically setting GPG_TTY to current tty is not
desired on every shell startup. This change adds configuration options
to allow user to disable that if desired.
Make `gpgconf` only perform an import from derivation when the GPG
`homedir` is set to a non-default value, which probably isn't the case
for most users.
* gpg-agent: local agent acting as ssh-agent should yield
This happens commonly if someone using home manager with gpg-agent
acting as ssh-agent on both machines.
@rycee brought up how gpg-itself has some support for agents on both
ends, but in that case one is forwarding the gpg-agent socket rather
than forwardning the gpg-agent-as-ssh-agent socket. There is no need to
forward both.
So I think this is a good default:
- Forward just gpg-agent socket and this doesn't matter.
- Forward just the ssh-agent socket and this does the right thing.
- Forward both sockets and now the ssh one takes priority instead, but
forwarding both was always a silly thing to do.
Fix#667
* Update modules/services/gpg-agent.nix
Co-authored-by: Nicolas Berbiche <nic.berbiche@gmail.com>
Co-authored-by: Nicolas Berbiche <nic.berbiche@gmail.com>
This option enables a GPG Agent restricted socket (aka "extra-socket"), which
can be used to forward GPG Agent over SSH.
Additionally `verbose` option enables verbose output of an `gpg-agent.service`
unit for easier debugging.
See: https://wiki.gnupg.org/AgentForwarding
