gpg-agent: no-allow-external-cache option (#6387)

This is a pretty common configuration option, and one that many people will find useful to discover, specially if they're not using a window manager. I thought I would add it. It is also useful to have for pass-secret-service in the future, since you'd likely want to avoid DE keyrings. Signed-off-by: Christina Sørensen <ces@fem.gg>
2025-03-06 16:57:03 +00:00 · 2025-02-04 22:31:42 +01:00 · 2025-02-04 22:31:42 +01:00 · 1e47f7101f
commit 1e47f7101f
parent 78576b817f
1 changed files with 16 additions and 0 deletions
--- a/modules/services/gpg-agent.nix
+++ b/modules/services/gpg-agent.nix
@ -218,6 +218,21 @@ in {
        '';
      };

+      noAllowExternalCache = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Tell Pinentry not to enable features which use an external cache for
+          passphrases.
+
+          Some desktop environments prefer to unlock all credentials with one
+          master password and may have installed a Pinentry which employs an
+          additional external cache to implement such a policy. By using this
+          option the Pinentry is advised not to make use of such a cache and
+          instead always ask the user for the requested passphrase.
+        '';
+      };
+
      extraConfig = mkOption {
        type = types.lines;
        default = "";
@ -269,6 +284,7 @@ in {
        (optional (cfg.enableSshSupport) "enable-ssh-support"
          ++ optional cfg.grabKeyboardAndMouse "grab"
          ++ optional (!cfg.enableScDaemon) "disable-scdaemon"
+          ++ optional (cfg.noAllowExternalCache) "no-allow-external-cache"
          ++ optional (cfg.defaultCacheTtl != null)
          "default-cache-ttl ${toString cfg.defaultCacheTtl}"
          ++ optional (cfg.defaultCacheTtlSsh != null)