diff --git a/flake.nix b/flake.nix
index 7f35572..bce801e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,10 +19,14 @@
 outputs = inputs: let
 overlays = [
 # Add our own local packages
- (final: prev: rec {
+ (final: prev: {
 # Make my local packages available as pkgs.mypkgs.
 mypkgs = prev.callPackage ./pkgs {};
 })
+ # more up to date ssh-tpm-agent. Can probably ditch this post-24.05
+ (final: prev: {
+ ssh-tpm-agent = (import inputs.nixpkgs-unstable { system = prev.system; }).ssh-tpm-agent;
+ })
 ];
 in (rec {
 profiles = import ./home/profiles.nix;
diff --git a/home/profiles.nix b/home/profiles.nix
index fa2a5ec..7a00274 100644
--- a/home/profiles.nix
+++ b/home/profiles.nix
@@ -10,6 +10,7 @@
 dev-gui = {...}: {
 imports = [./vscode.nix];
 };
+ tpmssh = ./tpmssh.nix;
 # Sensitive stuff
 sensitive = {...}: {
 imports = [
diff --git a/home/tpmssh.nix b/home/tpmssh.nix
new file mode 100644
index 0000000..be01990
--- /dev/null
+++ b/home/tpmssh.nix
@@ -0,0 +1,35 @@
+# Enable tpm-ssh-agent in a systemd user service
+{pkgs, config, lib, ...}: {
+ home.packages = [ pkgs.ssh-tpm-agent ];
+ home.sessionVariables = {
+ SSH_AUTH_SOCK = let
+ maybeProxy = lib.strings.optionalString config.services.gpg-agent.enableSshSupport "-A $(${config.programs.gpg.package}/bin/gpgconf --list-dirs agent-ssh-socket)";
+ cmd = "${pkgs.ssh-tpm-agent} --print-socket${maybeProxy}";
+ in "$(${cmd})";
+ TESTIFICLES = "hello";
+ };
+ systemd.user.sockets.ssh-tpm-agent = {
+ Unit.WantedBy = [ "sockets.target" ];
+ Socket = {
+ ListenStream = "%t/ssh-tpm-agent.sock";
+ SocketMode = "0600";
+ Service = "ssh-tpm-agent.service";
+ };
+ };
+
+ systemd.user.services.ssh-tpm-agent = {
+ Unit = {
+ Requires = [ "ssh-tpm-agent.socket" ];
+ ConditionEnvironment = "!SSH_AGENT_PID";
+ };
+ Service = {
+ Environment = ''
+ SSH_AUTH_SOCK="%t/ssh-tpm-agent.sock"
+ '';
+ ExecStart = "${pkgs.ssh-tpm-agent}";
+ PassEnvironment = "SSH_AGENT_PID";
+ SuccessExitStatus = 2;
+ Type = "simple";
+ };
+ };
+}
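Review bot: `import inputs.nixpkgs-unstable { system = prev.system; }` in the new overlay evaluates a second nixpkgs with its default `config`, so settings applied to the primary nixpkgs (for instance `allowUnfree`) do not reach this `ssh-tpm-agent`; `import inputs.nixpkgs-unstable { inherit (prev) system config; }` keeps both instances on the same settings, or `inputs.nixpkgs-unstable.legacyPackages.${prev.system}.ssh-tpm-agent` avoids the extra import when the default config is acceptable. Whether `nixpkgs-unstable` is declared under `inputs` is outside this hunk and should be confirmed. Dropping `rec` from the first overlay is a no-op, since `mypkgs` is its only attribute.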
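Review bot: `tpmssh = ./tpmssh.nix;` is the only profile written as a bare path, while the neighbouring entries (`dev-gui`, `sensitive`) are module functions that wrap `imports`. Both forms evaluate as modules, so this is a style point only; for consistency with the rest of the file consider `tpmssh = {...}: { imports = [./tpmssh.nix]; };`.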
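Review bot: `Unit.WantedBy = [ "sockets.target" ]` on the socket unit emits `WantedBy=` under `[Unit]`, where systemd does not recognise it, so the socket is never enabled on login; it belongs under `Install.WantedBy`. `ExecStart = "${pkgs.ssh-tpm-agent}"` and the `cmd` string both interpolate the package's store path, which is a directory rather than the agent binary, so the service cannot start and `--print-socket` cannot run; use `${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent` in both places. In `cmd`, `--print-socket${maybeProxy}` also concatenates into `--print-socket-A …` because `maybeProxy` has no leading space, and if `--print-socket` only prints the path and exits, the `-A` proxy flag has no effect there and would need to live on the service's `ExecStart` instead (where systemd does no `$(…)` expansion, so the gpg socket path would have to be resolved another way). `TESTIFICLES = "hello"` looks like leftover debugging and is exported into every login session. The rewrite below keeps `SocketMode = "0600"` and the `%t` runtime-directory socket path as they are.
```nix
{pkgs, config, lib, ...}: let
  agent = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent";
in {
  home.packages = [ pkgs.ssh-tpm-agent ];
  home.sessionVariables = {
    SSH_AUTH_SOCK = let
      maybeProxy = lib.strings.optionalString config.services.gpg-agent.enableSshSupport " -A $(${config.programs.gpg.package}/bin/gpgconf --list-dirs agent-ssh-socket)";
    in "$(${agent} --print-socket${maybeProxy})";
  };
  systemd.user.sockets.ssh-tpm-agent = {
    Install.WantedBy = [ "sockets.target" ];
    # … unchanged: Socket section (ListenStream, SocketMode, Service) …
  };
  systemd.user.services.ssh-tpm-agent = {
    # … unchanged: Unit section (Requires, ConditionEnvironment) …
    Service = {
      # … unchanged: Environment …
      ExecStart = agent;
      # … unchanged: PassEnvironment, SuccessExitStatus, Type …
    };
  };
}
```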