Jafner.net/dotfiles/home-manager/desktop/configuration/keys.nix

{ pkgs, vars, ... }: {
  home.packages = with pkgs; [
    ssh-to-age
    pinentry-all
    ( writeShellApplication {
      name = "keyman";
      runtimeInputs = [];
      text = ''
      #!/bin/bash

      # Fuck GPG. Miserable UX.

      id="joey@jafner.net"
      device="desktop"
      homedir="/home/${vars.user.username}/.gpg"
      backupdir="/home/${vars.user.username}/.keys"
      mkdir -p "$homedir" "$backupdir"

      getPrimaryKeyFingerprint() {
        return "$(gpg --list-keys | grep fingerprint | tr -s ' ' | cut -d'=' -f2 | xargs)"
      }

      bootstrap() {
        gpg --quick-generate-key 'Joey Hafner <joey@jafner.net>' ed25519 cert 0
        gpg --quick-add-key "$(getPrimaryKeyFingerprint)" ed25519 sign 0
        gpg --quick-add-key "$(getPrimaryKeyFingerprint)" cv25519 encrypt 0
      }

      lockPrimary() {
        gpg -a --export-secret-key "$(getPrimaryKeyFingerprint)" > "$backupdir/$id.primary.gpg"
        gpg -a --export "$(getPrimaryKeyFingerprint)" > "$backupdir/$id.primary.gpg.pub"
        gpg -a --export-secret-subkeys "$(getPrimaryKeyFingerprint)" > "/tmp/subkeys.gpg"
        gpg --delete-secret-subkeys "$(getPrimaryKeyFingerprint)"
        gpg --import "/tmp/subkeys.gpg" && rm "/tmp/subkeys.gpg"
      }

      unlockPrimary() {
        gpg --import "$backupdir/$id.primary.gpg"
        if gpg --list-secret-keys | grep -q sec#; then
          echo "Unlocked primary key $backupdir/$id.primary.gpg"
        else
          echo "Failed to unlock primary key $backupdir/$id.primary.gpg"
        fi
      }

      initNewDevice() {
        stty icrnl
        unlockPrimary
        gpg --quick-add-key "$(getPrimaryKeyFingerprint)" ed25519 sign 0
        if [[ $(gpg --list-keys | grep "$(date +%Y-%m-%d)" | grep "[S]") -gt 1 ]]; then
          echo "More than one loaded signing key is listed for today's date. Please select one:"
          while read -r key; do
            key_list+=( "$key" )
          done< <(gpg --list-keys | grep "$(date +%Y-%m-%d)" | grep "[S]")
          select key in "''$''\{key_list[@]}"; do
            SUBKEY_FINGERPRINT=$(echo "$key" | cut -d'/' -f2 | cut -d' ' -f1)
            export SUBKEY_FINGERPRINT
            echo "Subkey fingerprint: $SUBKEY_FINGERPRINT"
            break
          done
        else
          SUBKEY_FINGERPRINT=$(gpg --list-keys | grep "$(date +%Y-%m-%d)" | grep "[S]" | cut -d'/' -f2 | cut -d' ' -f1 | head -1)
          export SUBKEY_FINGERPRINT
        fi
        gpg --list-keys | grep "$(date +%Y-%m-%d)" | grep "[S]"
        gpg -a --export-secret-key "$SUBKEY_FINGERPRINT" > "$backupdir/$id.$device.gpg"
        gpg -a --export "$SUBKEY_FINGERPRINT" > "$backupdir/$id.$device.gpg.pub"

        lockPrimary
      }

      "$@" || declare -F

      '';
    } )
  ];

  programs.gpg = {
    enable = true;
    homedir = "/home/${vars.user.username}/.gpg";
    mutableKeys = true;
    mutableTrust = true;
    publicKeys = [  ];
  };
  services.gpg-agent = {
    enable = true;
    enableZshIntegration = true;
    enableScDaemon = false;
    pinentryPackage = pkgs.pinentry-qt;
  };

  home.file = {
    "profiles" = {
        target = ".ssh/profiles";
        text = ''
            admin@192.168.1.31
            admin@192.168.1.32
            admin@192.168.1.33
            admin@192.168.1.10
            admin@192.168.1.11
            admin@192.168.1.12
            vyos@192.168.1.1
            admin@192.168.1.23
            admin@143.110.151.123
        '';
    };
    "config" = {
        target = ".ssh/config";
        text = ''
        Host *
            ForwardAgent yes
            IdentityFile ~/.ssh/${vars.desktop.sshKey}
        '';
    };
    "authorized_keys" = {
        target = ".ssh/authorized_keys";
        text = ''
        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9guFiLtbnUn93C3fBggGFyPqR3/5pPKrVTtuGL/dcP joey@pixel
        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzxkV2KZDEUKddI2sbgpQkYFazRSmt/XfzVhcHHDGso joey@joey-laptop
        '';
    };
  };

  # Configure Sops key
  home.sessionVariables = {
    SOPS_AGE_KEY_FILE = "/home/${vars.user.username}/Git/Jafner.net/.sops/${vars.user.username}.author.key";
  };
}
Update: - Add configs for git, ssh and keys. Defines authorized_keys, profiles, ssh config, signing for git commits. - Add kcalc. 2024-12-09 12:41:17 -08:00			`{ pkgs, vars, ... }: {`
			`home.packages = with pkgs; [`
			`ssh-to-age`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`pinentry-all`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`( writeShellApplication {`
			`name = "keyman";`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`runtimeInputs = [];`
			`text = ''`
			`#!/bin/bash`

			`# Fuck GPG. Miserable UX.`
Refactor key var names 2024-12-31 10:46:17 -08:00
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`id="joey@jafner.net"`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`device="desktop"`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`homedir="/home/${vars.user.username}/.gpg"`
			`backupdir="/home/${vars.user.username}/.keys"`
			`mkdir -p "$homedir" "$backupdir"`

			`getPrimaryKeyFingerprint() {`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`return "$(gpg --list-keys \| grep fingerprint \| tr -s ' ' \| cut -d'=' -f2 \| xargs)"`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`}`

			`bootstrap() {`
			`gpg --quick-generate-key 'Joey Hafner <joey@jafner.net>' ed25519 cert 0`
			`gpg --quick-add-key "$(getPrimaryKeyFingerprint)" ed25519 sign 0`
			`gpg --quick-add-key "$(getPrimaryKeyFingerprint)" cv25519 encrypt 0`
			`}`

			`lockPrimary() {`
			`gpg -a --export-secret-key "$(getPrimaryKeyFingerprint)" > "$backupdir/$id.primary.gpg"`
			`gpg -a --export "$(getPrimaryKeyFingerprint)" > "$backupdir/$id.primary.gpg.pub"`
			`gpg -a --export-secret-subkeys "$(getPrimaryKeyFingerprint)" > "/tmp/subkeys.gpg"`
Refactor key var names 2024-12-31 10:46:17 -08:00			`gpg --delete-secret-subkeys "$(getPrimaryKeyFingerprint)"`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`gpg --import "/tmp/subkeys.gpg" && rm "/tmp/subkeys.gpg"`
			`}`

			`unlockPrimary() {`
			`gpg --import "$backupdir/$id.primary.gpg"`
Refactor key var names 2024-12-31 10:46:17 -08:00			`if gpg --list-secret-keys \| grep -q sec#; then`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`echo "Unlocked primary key $backupdir/$id.primary.gpg"`
			`else`
			`echo "Failed to unlock primary key $backupdir/$id.primary.gpg"`
			`fi`
			`}`

			`initNewDevice() {`
			`stty icrnl`
			`unlockPrimary`
			`gpg --quick-add-key "$(getPrimaryKeyFingerprint)" ed25519 sign 0`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`if [[ $(gpg --list-keys \| grep "$(date +%Y-%m-%d)" \| grep "[S]") -gt 1 ]]; then`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`echo "More than one loaded signing key is listed for today's date. Please select one:"`
Refactor key var names 2024-12-31 10:46:17 -08:00			`while read -r key; do`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`key_list+=( "$key" )`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`done< <(gpg --list-keys \| grep "$(date +%Y-%m-%d)" \| grep "[S]")`
Refactor key var names 2024-12-31 10:46:17 -08:00			`select key in "''$''\{key_list[@]}"; do`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`SUBKEY_FINGERPRINT=$(echo "$key" \| cut -d'/' -f2 \| cut -d' ' -f1)`
			`export SUBKEY_FINGERPRINT`
			`echo "Subkey fingerprint: $SUBKEY_FINGERPRINT"`
			`break`
			`done`
			`else`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`SUBKEY_FINGERPRINT=$(gpg --list-keys \| grep "$(date +%Y-%m-%d)" \| grep "[S]" \| cut -d'/' -f2 \| cut -d' ' -f1 \| head -1)`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`export SUBKEY_FINGERPRINT`
			`fi`
Fix script, add signing key to git & flake configs 2024-12-13 14:32:52 -08:00			`gpg --list-keys \| grep "$(date +%Y-%m-%d)" \| grep "[S]"`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`gpg -a --export-secret-key "$SUBKEY_FINGERPRINT" > "$backupdir/$id.$device.gpg"`
			`gpg -a --export "$SUBKEY_FINGERPRINT" > "$backupdir/$id.$device.gpg.pub"`

			`lockPrimary`
			`}`

			`"$@" \|\| declare -F`

			`'';`
			`} )`
Update: - Add configs for git, ssh and keys. Defines authorized_keys, profiles, ssh config, signing for git commits. - Add kcalc. 2024-12-09 12:41:17 -08:00			`];`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00
			`programs.gpg = {`
			`enable = true;`
			`homedir = "/home/${vars.user.username}/.gpg";`
			`mutableKeys = true;`
			`mutableTrust = true;`
Refactor key var names 2024-12-31 10:46:17 -08:00			`publicKeys = [ ];`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`};`
			`services.gpg-agent = {`
			`enable = true;`
			`enableZshIntegration = true;`
			`enableScDaemon = false;`
			`pinentryPackage = pkgs.pinentry-qt;`
			`};`

Refactor key var names 2024-12-31 10:46:17 -08:00			`home.file = {`
			`"profiles" = {`
			`target = ".ssh/profiles";`
			`text = ''`
			`admin@192.168.1.31`
			`admin@192.168.1.32`
			`admin@192.168.1.33`
			`admin@192.168.1.10`
			`admin@192.168.1.11`
			`admin@192.168.1.12`
			`vyos@192.168.1.1`
			`admin@192.168.1.23`
			`admin@143.110.151.123`
			`'';`
			`};`
			`"config" = {`
			`target = ".ssh/config";`
			`text = ''`
			`Host *`
			`ForwardAgent yes`
			`IdentityFile ~/.ssh/${vars.desktop.sshKey}`
			`'';`
			`};`
			`"authorized_keys" = {`
			`target = ".ssh/authorized_keys";`
			`text = ''`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9guFiLtbnUn93C3fBggGFyPqR3/5pPKrVTtuGL/dcP joey@pixel`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzxkV2KZDEUKddI2sbgpQkYFazRSmt/XfzVhcHHDGso joey@joey-laptop`
			`'';`
			`};`
Update: - Add configs for git, ssh and keys. Defines authorized_keys, profiles, ssh config, signing for git commits. - Add kcalc. 2024-12-09 12:41:17 -08:00			`};`
Refactor key var names 2024-12-31 10:46:17 -08:00
			`# Configure Sops key`
			`home.sessionVariables = {`
			`SOPS_AGE_KEY_FILE = "/home/${vars.user.username}/Git/Jafner.net/.sops/${vars.user.username}.author.key";`
Update: - Add configs for git, ssh and keys. Defines authorized_keys, profiles, ssh config, signing for git commits. - Add kcalc. 2024-12-09 12:41:17 -08:00			`};`
Init script to manage gpg keys. Pray never to manage GPG keys again. 2024-12-13 14:18:11 -08:00			`}`