refactor

modules/nixos/security/acme/default.nix

@@ -0,0 +1,31 @@
+{ lib, pkgs, config, virtual, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption optional;
+  inherit (lib.plusultra) mkOpt;
+
+  cfg = config.plusultra.security.acme;
+in
+{
+  options.plusultra.security.acme = with lib.types; {
+    enable = mkEnableOption "default ACME configuration";
+    email = mkOpt str config.plusultra.user.email "The email to use.";
+    staging = mkOpt bool virtual "Whether to use the staging server or not.";
+  };
+
+  config = mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+
+      defaults = {
+        inherit (cfg) email;
+
+        group = mkIf config.services.nginx.enable "nginx";
+        server = mkIf cfg.staging "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+        # Reload nginx when certs change.
+        reloadServices = optional config.services.nginx.enable "nginx.service";
+      };
+    };
+  };
+}

modules/nixos/security/doas/default.nix

@@ -0,0 +1,29 @@
+{ options, config, pkgs, lib, ... }:
+
+with lib;
+with lib.plusultra;
+let cfg = config.plusultra.security.doas;
+in
+{
+  options.plusultra.security.doas = {
+    enable = mkBoolOpt false "Whether or not to replace sudo with doas.";
+  };
+
+  config = mkIf cfg.enable {
+    # Disable sudo
+    security.sudo.enable = false;
+
+    # Enable and configure `doas`.
+    security.doas = {
+      enable = true;
+      extraRules = [{
+        users = [ config.plusultra.user.name ];
+        noPass = true;
+        keepEnv = true;
+      }];
+    };
+
+    # Add an alias to the shell for backward-compat and convenience.
+    environment.shellAliases = { sudo = "doas"; };
+  };
+}

modules/nixos/security/gpg/default.nix

@@ -0,0 +1,118 @@
+{ options
+, config
+, pkgs
+, lib
+, inputs
+, ...
+}:
+with lib;
+with lib.plusultra; let
+  cfg = config.plusultra.security.gpg;
+
+  gpgConf = "${inputs.gpg-base-conf}/gpg.conf";
+
+  gpgAgentConf = ''
+    enable-ssh-support
+    default-cache-ttl 60
+    max-cache-ttl 120
+    pinentry-program ${pkgs.pinentry-gnome}/bin/pinentry-gnome3
+  '';
+
+  guide = "${inputs.yubikey-guide}/README.md";
+
+  theme = pkgs.fetchFromGitHub {
+    owner = "jez";
+    repo = "pandoc-markdown-css-theme";
+    rev = "019a4829242937761949274916022e9861ed0627";
+    sha256 = "1h48yqffpaz437f3c9hfryf23r95rr319lrb3y79kxpxbc9hihxb";
+  };
+
+  guideHTML = pkgs.runCommand "yubikey-guide" { } ''
+    ${pkgs.pandoc}/bin/pandoc \
+      --standalone \
+      --metadata title="Yubikey Guide" \
+      --from markdown \
+      --to html5+smart \
+      --toc \
+      --template ${theme}/template.html5 \
+      --css ${theme}/docs/css/theme.css \
+      --css ${theme}/docs/css/skylighting-solarized-theme.css \
+      -o $out \
+      ${guide}
+  '';
+
+  guideDesktopItem = pkgs.makeDesktopItem {
+    name = "yubikey-guide";
+    desktopName = "Yubikey Guide";
+    genericName = "View Yubikey Guide in a web browser";
+    exec = "${pkgs.xdg-utils}/bin/xdg-open ${guideHTML}";
+    icon = ./yubico-icon.svg;
+    categories = [ "System" ];
+  };
+
+  reload-yubikey = pkgs.writeShellScriptBin "reload-yubikey" ''
+    ${pkgs.gnupg}/bin/gpg-connect-agent "scd serialno" "learn --force" /bye
+  '';
+in
+{
+  options.plusultra.security.gpg = with types; {
+    enable = mkBoolOpt false "Whether or not to enable GPG.";
+    agentTimeout = mkOpt int 5 "The amount of time to wait before continuing with shell init.";
+  };
+
+  config = mkIf cfg.enable {
+    services.pcscd.enable = true;
+    services.udev.packages = with pkgs; [ yubikey-personalization ];
+
+    # NOTE: This should already have been added by programs.gpg, but
+    # keeping it here for now just in case.
+    environment.shellInit = ''
+      export GPG_TTY="$(tty)"
+      export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
+
+      ${pkgs.coreutils}/bin/timeout ${builtins.toString cfg.agentTimeout} ${pkgs.gnupg}/bin/gpgconf --launch gpg-agent
+      gpg_agent_timeout_status=$?
+
+      if [ "$gpg_agent_timeout_status" = 124 ]; then
+        # Command timed out...
+        echo "GPG Agent timed out..."
+        echo 'Run "gpgconf --launch gpg-agent" to try and launch it again.'
+      fi
+    '';
+
+    environment.systemPackages = with pkgs; [
+      cryptsetup
+      paperkey
+      gnupg
+      pinentry-curses
+      pinentry-qt
+      pinentry-gnome
+      paperkey
+      guideDesktopItem
+      reload-yubikey
+    ];
+
+    programs = {
+      ssh.startAgent = false;
+
+      gnupg.agent = {
+        enable = true;
+        enableSSHSupport = true;
+        enableExtraSocket = true;
+        pinentryFlavor = "gnome3";
+      };
+    };
+
+    plusultra = {
+      home.file = {
+        ".gnupg/.keep".text = "";
+
+        ".gnupg/yubikey-guide.md".source = guide;
+        ".gnupg/yubikey-guide.html".source = guideHTML;
+
+        ".gnupg/gpg.conf".source = gpgConf;
+        ".gnupg/gpg-agent.conf".text = gpgAgentConf;
+      };
+    };
+  };
+}

modules/nixos/security/gpg/yubico-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64"><path d="M32.225 31.1l5.52-15.663h7.985l-13.46 33.126h-8.435l3.862-9.075-9.43-24.027h8.15z" fill="#98c93c"/><circle cx="32" cy="32" r="29.091" fill-opacity="0" stroke="#98c93c" stroke-width="5.818"/></svg>

modules/nixos/security/keyring/default.nix

@@ -0,0 +1,19 @@
+{ options, config, lib, pkgs, ... }:
+
+with lib;
+with lib.plusultra;
+let
+  cfg = config.plusultra.security.keyring;
+in
+{
+  options.plusultra.security.keyring = with types; {
+    enable = mkBoolOpt false "Whether to enable gnome keyring.";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      gnome.gnome-keyring
+      gnome.libgnome-keyring
+    ];
+  };
+}