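# Option declarations for one GnuPG keyring instance.
#
# Curried: the package set comes first, then the usual module arguments.
# `name` is the attribute name of this instance and only feeds the default
# of `home`; `lib` supplies mkOption and the option types.
pkgs:
{ lib, name, ... }:
let
  inherit (lib) mkOption;
  inherit (lib.types) attrsOf listOf package path str;
in
{
  options = {
    # Required; the account is looked up, never created, by this module.
    user = mkOption {
      description = ''
        User to run as and keyring owner. This option is required.
        Note that this user is not created automatically.
      '';
      type = str;
    };

    home = mkOption {
      description = ''
        GnuPG home directory where keyrings and gpg-agent socket
        will be located.
      '';
      type = path;
      # One directory per instance, keyed on the module attribute name.
      default = "/gnupg/${name}";
    };

    package = mkOption {
      description = "GnuPG2 package";
      type = package;
      default = pkgs.gnupg21;
    };

    publicKeys = mkOption {
      description = "Public GPG keys";
      type = listOf path;
      default = [];
    };

    # NOTE(review): a Nix path literal (e.g. ./key.asc) given here is copied
    # into the world-readable Nix store at evaluation time. Secret material
    # should be referenced as an absolute string path to a file provisioned
    # at runtime, as the `passphrase` example below does.
    secretKeys = mkOption {
      description = "Secret GPG keys";
      type = listOf path;
      default = [];
    };

    # Same store-copy caveat as `secretKeys`: values are expected to be
    # string paths to runtime-provisioned files, not path literals.
    passphrase = mkOption {
      description = ''
        Secret files with pass-phrase to unlock secret keys. Keys are
        identified by cacheid, which is either a 40 character keygrip of
        hexadecimal characters identifying the key or an arbitrary string
        identifying a passphrase. Refer to the `gpg-preset-passphrase`
        documentation, because it is what stays behind this mechanism.
        Generally in unattended environments you need to use keygrip.
      '';
      type = attrsOf path;
      default = {};
      example = {
        "ABCD...321" = "/run/keys/foo";
        "myapp:mykey" = "/run/keys/bar";
      };
    };
  };
}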