diff --git a/secrets/rekeyed/kroma/a1521242c47417b049e18b81f06498e6-my-gpg-yubikey-keygrip.tar.age b/secrets/rekeyed/kroma/a1521242c47417b049e18b81f06498e6-my-gpg-yubikey-keygrip.tar.age
new file mode 100644
index 0000000..f0cf24a
Binary files /dev/null and b/secrets/rekeyed/kroma/a1521242c47417b049e18b81f06498e6-my-gpg-yubikey-keygrip.tar.age differ
diff --git a/secrets/rekeyed/nom/d6734261cd825f4bc6c76eb0d5756086-my-gpg-yubikey-keygrip.tar.age b/secrets/rekeyed/nom/d6734261cd825f4bc6c76eb0d5756086-my-gpg-yubikey-keygrip.tar.age
new file mode 100644
index 0000000..7aecab0
Binary files /dev/null and b/secrets/rekeyed/nom/d6734261cd825f4bc6c76eb0d5756086-my-gpg-yubikey-keygrip.tar.age differ
diff --git a/users/myuser/default.nix b/users/myuser/default.nix
index 94b57d9..87cf265 100644
--- a/users/myuser/default.nix
+++ b/users/myuser/default.nix
@@ -28,6 +28,12 @@ in
 mode = "640";
 };
 
+ age.secrets."my-gpg-yubikey-keygrip.tar" = {
+ rekeyFile = ./secrets/gpg-keygrip.tar.age;
+ group = myuser;
+ mode = "640";
+ };
+
 home-manager.users.${myuser} = {
 imports = [
 ../config
diff --git a/users/myuser/gpg.nix b/users/myuser/gpg.nix
index 4a24ac4..9fdd578 100644
--- a/users/myuser/gpg.nix
+++ b/users/myuser/gpg.nix
@@ -1,8 +1,16 @@
 {
+ lib,
 nixosConfig,
 pkgs,
 ...
 }: {
+ # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status`
+ # before being able to use the yubikey.
+ home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] ''
+ run mkdir -p "$HOME/.gnupg/private-keys-v1.d"
+ run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/"
+ '';
+
 programs.gpg = {
 enable = true;
 scdaemonSettings.disable-ccid = true;
diff --git a/users/myuser/secrets/gpg-keygrip.tar.age b/users/myuser/secrets/gpg-keygrip.tar.age
new file mode 100644
index 0000000..ced5d1a
Binary files /dev/null and b/users/myuser/secrets/gpg-keygrip.tar.age differ
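Review bot: The new `age.secrets."my-gpg-yubikey-keygrip.tar"` entry in users/myuser/default.nix grants read access through the group (`group = myuser; mode = "640";`) and sets no `owner`, so the decrypted tarball presumably keeps agenix's default owner and is readable by every member of that group. The only consumer visible in this commit is the user's own home-manager activation in gpg.nix, so `owner = myuser; mode = "400";` would be a tighter fit. The entry mirrors the `mode = "640";` of the preceding secret in the context lines, so if the group route is deliberate a one-line comment saying why would help. The enclosing attribute set starts and ends outside the hunk.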
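Review bot: In the `installKeygrips` activation script in users/myuser/gpg.nix, `run mkdir -p "$HOME/.gnupg/private-keys-v1.d"` creates `~/.gnupg` and the key directory with umask-derived permissions when they do not exist yet, while GnuPG expects its home directory to be accessible only to the owner and warns otherwise. Naming both directories with an explicit mode avoids that: `run mkdir -p -m 700 "$HOME/.gnupg" "$HOME/.gnupg/private-keys-v1.d"`. The extracted files take their modes from the archive (masked by the umask), which cannot be checked from this diff, so it is worth confirming the tarball stores them as 600. The `v` in `xvf` also prints the keygrip file names into the activation output on every switch, so `xf` would be quieter. The module's attribute set continues past the end of the hunk.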