Diffstat (limited to 'modules/apps/gnupg/instance.nix')
-rw-r--r--modules/apps/gnupg/instance.nix68
1 files changed, 68 insertions, 0 deletions
diff --git a/modules/apps/gnupg/instance.nix b/modules/apps/gnupg/instance.nix
new file mode 100644
index 0000000..e421a1e
--- /dev/null
+++ b/modules/apps/gnupg/instance.nix
@@ -0,0 +1,68 @@
+pkgs:
+{ lib, name, ... }:
+
+let
+
+ inherit (lib)
+ mkOption ;
+
+ inherit (lib.types)
+ attrsOf listOf package path str ;
+
+in {
+ options = {
+
+ user = mkOption {
+ description = ''
+ User to run as ang keyring owner. This option is required.
+ Note that this user is not created automaically.
+ '';
+ type = str;
+ };
+
+ home = mkOption {
+ description = ''
+ GnuPG home directory where keyrings and gpg-agent socket
+ will be located.
+ '';
+ type = path;
+ default = "/gnupg/${name}";
+ };
+
+ package = mkOption {
+ description = "GnuPG2 package";
+ type = package;
+ default = pkgs.gnupg21;
+ };
+
+ publicKeys = mkOption {
+ description = "Public GPG keys";
+ type = listOf path;
+ default = [];
+ };
+
+ secretKeys = mkOption {
+ description = "Secret GPG keys";
+ type = listOf path;
+ default = [];
+ };
+
+ passphrase = mkOption {
+ description = ''
+ Secret files with pass-phrase to unlock secret keys. Keys are
+ identified by cacheid, which is either a 40 character keygrip of
+ hexadecimal characters identifying the key or an arbitrary string
+ identifying a passphrase. Refer to the `gpg-preset-passphrase`
+ documentation, because it is what stays behind this mechanism.
+ Generally in unattended environments you need to use keygrip.
+ '';
+ type = attrsOf path;
+ default = {};
+ example = {
+ "ABCD...321" = "/run/keys/foo";
+ "myapp:mykey" = "/run/keys/bar";
+ };
+ };
+ };
+}
+
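Review bot: `secretKeys` (type `listOf path`) and `passphrase` (type `attrsOf path`) accept Nix path literals, and a literal such as `./key.asc` is copied into the world-readable Nix store as soon as the value is interpolated into a derivation or string, which would expose the secret key or pass-phrase file to every local user; the descriptions should state that values must be strings naming out-of-store files, as the `/run/keys/...` example already does. Suggested sentence for both descriptions: `Give a string path to a file outside the Nix store (e.g. "/run/keys/foo"); a Nix path literal would be copied into the world-readable /nix/store.` Whether the module that consumes these options rejects store paths cannot be seen from this file, so documenting the constraint here is the minimum. The `user` description also has two typos, `ang` → `and` and `automaically` → `automatically`.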