services.xserver.startGnuPGAgent: remove obsolete NixOS option

GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.

To configure the gpg-agent for your X session, add the following code to
~/.xsession or some other appropriate place that's sourced at start-up:

    gpg-connect-agent /bye
    GPG_TTY=$(tty)
    export GPG_TTY

If you want to use gpg-agent for SSH, too, also add the settings

    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"

and make sure that

    enable-ssh-support

is included in your ~/.gnupg/gpg-agent.conf.

The gpg-agent(1) man page has more details about this subject, i.e. in the
"EXAMPLES" section.
This commit is contained in:
Peter Simons 2016-03-18 10:31:40 +01:00
parent 9c10ac957d
commit 5391882ebd
4 changed files with 2 additions and 31 deletions

View file

@ -37,7 +37,6 @@ with lib;
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
services.xserver.startGnuPGAgent = true;
# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.

View file

@ -111,6 +111,7 @@ with lib;
(mkRemovedOptionModule [ "services" "openvpn" "enable" ])
(mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
(mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
(mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
];
}

View file

@ -49,17 +49,6 @@ let
fi
''}
${optionalString cfg.startGnuPGAgent ''
if test -z "$SSH_AUTH_SOCK"; then
# Restart this script as a child of the GnuPG agent.
exec "${pkgs.gnupg}/bin/gpg-agent" \
--enable-ssh-support --daemon \
--pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2" \
--write-env-file "$HOME/.gpg-agent-info" \
"$0" "$sessionType"
fi
''}
# Handle being called by kdm.
if test "''${1:0:1}" = /; then eval exec "$1"; fi

View file

@ -219,17 +219,6 @@ in
'';
};
startGnuPGAgent = mkOption {
type = types.bool;
default = false;
description = ''
Whether to start the GnuPG agent when you log in. The GnuPG agent
remembers private keys for you so that you don't have to type in
passphrases every time you make an SSH connection or sign/encrypt
data. Use <command>ssh-add</command> to add a key to the agent.
'';
};
startDbusSession = mkOption {
type = types.bool;
default = true;
@ -444,14 +433,7 @@ in
in optional (driver != null) ({ inherit name; driverName = name; } // driver));
assertions =
[ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
message =
''
The OpenSSH agent and GnuPG agent cannot be started both. Please
choose between programs.ssh.startAgent and services.xserver.startGnuPGAgent.
'';
}
{ assertion = config.security.polkit.enable;
[ { assertion = config.security.polkit.enable;
message = "X11 requires Polkit to be enabled (security.polkit.enable = true).";
}
];