authorRobert Helgesson <robert@rycee.net>2017-06-29 23:33:28 +0200
committerRobert Helgesson <robert@rycee.net>2017-06-29 23:33:28 +0200
commit196db18f5bab22c431b57d6763c4b262f504ccbe (patch)
treee3de236db6c6e71c72fad57eebaadd4804fc5751 /modules/services/gpg-agent.nix
parentacf813cadc33b339cd1d575aba44fdc283717dd7 (diff)
gpg-agent: use systemd socket activation
Diffstat (limited to 'modules/services/gpg-agent.nix')
-rw-r--r--modules/services/gpg-agent.nix108
1 files changed, 78 insertions, 30 deletions
diff --git a/modules/services/gpg-agent.nix b/modules/services/gpg-agent.nix
index 872b69b20d6..1d015397c5c 100644
--- a/modules/services/gpg-agent.nix
+++ b/modules/services/gpg-agent.nix
@@ -29,41 +29,89 @@ in
};
};
- config = mkIf cfg.enable {
- home.file.".gnupg/gpg-agent.conf".text = concatStringsSep "\n" (
- optional cfg.enableSshSupport
- "enable-ssh-support"
- ++
- optional (cfg.defaultCacheTtl != null)
- "default-cache-ttl ${toString cfg.defaultCacheTtl}"
- );
-
- home.sessionVariables =
- optionalAttrs cfg.enableSshSupport {
- SSH_AUTH_SOCK = "\${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh";
- };
+ config = mkIf cfg.enable (mkMerge [
+ {
+ home.file.".gnupg/gpg-agent.conf".text = concatStringsSep "\n" (
+ optional cfg.enableSshSupport
+ "enable-ssh-support"
+ ++
+ optional (cfg.defaultCacheTtl != null)
+ "default-cache-ttl ${toString cfg.defaultCacheTtl}"
+ );
+
+ home.sessionVariables =
+ optionalAttrs cfg.enableSshSupport {
+ SSH_AUTH_SOCK = "\${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh";
+ };
+
+ programs.bash.initExtra = ''
+ GPG_TTY="$(tty)"
+ export GPG_TTY
+ gpg-connect-agent updatestartuptty /bye > /dev/null
+ '';
+ }
- programs.bash.initExtra = ''
- GPG_TTY="$(tty)"
- export GPG_TTY
- gpg-connect-agent updatestartuptty /bye > /dev/null
- '';
+ # The systemd units below are direct translations of the
+ # descriptions in the
+ #
+ # ${pkgs.gnupg}/share/doc/gnupg/examples/systemd-user
+ #
+ # directory.
+ {
+ systemd.user.services.gpg-agent = {
+ Unit = {
+ Description = "GnuPG cryptographic agent and passphrase cache";
+ Documentation = "man:gpg-agent(1)";
+ Requires = "gpg-agent.socket";
+ After = "gpg-agent.socket";
+ # This is a socket-activated service:
+ RefuseManualStart = true;
+ };
- systemd.user.services.gpg-agent = {
- Unit = {
- Description = "GnuPG private key agent";
- IgnoreOnIsolate = true;
+ Service = {
+ ExecStart = "${pkgs.gnupg}/bin/gpg-agent --supervised";
+ ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
+ };
};
- Service = {
- Type = "forking";
- ExecStart = "${pkgs.gnupg}/bin/gpg-agent --daemon";
- Restart = "on-abort";
+ systemd.user.sockets.gpg-agent = {
+ Unit = {
+ Description = "GnuPG cryptographic agent and passphrase cache";
+ Documentation = "man:gpg-agent(1)";
+ };
+
+ Socket = {
+ ListenStream = "%t/gnupg/S.gpg-agent";
+ FileDescriptorName = "std";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
+
+ Install = {
+ WantedBy = [ "sockets.target" ];
+ };
};
+ }
- Install = {
- WantedBy = [ "default.target" ];
+ (mkIf cfg.enableSshSupport {
+ systemd.user.sockets.gpg-agent-ssh = {
+ Unit = {
+ Description = "GnuPG cryptographic agent (ssh-agent emulation)";
+ Documentation = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)";
+ };
+
+ Socket = {
+ ListenStream = "%t/gnupg/S.gpg-agent.ssh";
+ FileDescriptorName = "ssh";
+ Service = "gpg-agent.service";
+ SocketMode = "0600";
+ DirectoryMode = "0700";
+ };
+
+ Install = {
+ WantedBy = [ "sockets.target" ];
+ };
};
- };
- };
+ })
+ ]);
}
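Review bot: The service unit at L69-L86 requires and orders after `gpg-agent.socket` only, so with `enableSshSupport` a connection on `gpg-agent.socket` can activate `gpg-agent --supervised` before `gpg-agent-ssh.socket` is listening; an agent started that way presumably does not receive the ssh descriptor until the service is restarted, and `RefuseManualStart = true` makes a manual recovery less obvious — worth confirming against gpg-agent's supervised fd handling. Either pull the ssh socket into the service's dependencies inside the `mkIf cfg.enableSshSupport` branch, or document the assumption there, e.g. `# Both sockets are pulled in by sockets.target, so the ssh listener is normally up before the service is activated.` `SocketMode = "0600"` and `DirectoryMode = "0700"` on both socket units are the right hardening for a socket that exposes private-key operations and should stay paired with the `%t/gnupg` path. Minor style point: `Requires`/`After` are written as strings while `WantedBy` is a list; using one form throughout the new units would read more consistently.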