authorFranck Cuny <franck@fcuny.net>2023-02-12 08:17:17 -0800
committerFranck Cuny <franck@fcuny.net>2023-02-20 13:48:41 -0800
commit9732caf01cf8202da137145401cb7a74c8123ead (patch)
treeef1489c55d6131e0997a9d9c19b05e2ee3417c3f
parentref(modules/users): move ssh keys to a separate file (diff)
downloadworld-9732caf01cf8202da137145401cb7a74c8123ead.tar.gz
ref(home/git): sign commits and tags properly
The configuration can be simplified by using the `signing' directive.
For some reason it was also set in the configuration for `pass' which,
while it was correct, was in the wrong location.
Diffstat (limited to '')
-rw-r--r--home/git/default.nix23
-rw-r--r--home/pass/default.nix4
2 files changed, 16 insertions, 11 deletions
diff --git a/home/git/default.nix b/home/git/default.nix
index f5fd924..557485b 100644
--- a/home/git/default.nix
+++ b/home/git/default.nix
@@ -1,9 +1,8 @@
 { lib, config, pkgs, ... }:
 
 let
-  inherit (builtins) readFile fromTOML;
   cfg = config.my.home.git;
-  sshPub = fromTOML (readFile ./../../../configs/ssh-pubkeys.toml);
+  sshPub = builtins.fromTOML (builtins.readFile ../../configs/ssh-pubkeys.toml);
 in
 {
   options.my.home.git = with lib; {
@@ -11,19 +10,31 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    home.file.".ssh/allowed_signers".text = lib.concatMapStrings (x: "franck@fcuny.net ${x}\n") (with sshPub; [ aptos work git ykey-laptop ]);
+
     programs.git = {
       enable = true;
       aliases = {
         s = "status --short --branch";
         amend = "commit --amend --no-edit";
-        review = "push origin HEAD:refs/for/main";
+      };
+      signing = {
+        key = "key::${sshPub.ykey-laptop}";
+        signByDefault = true;
       };
       extraConfig = {
         core.whitespace = "trailing-space,space-before-tab";
         color.ui = "true";
+
+        gpg = {
+          format = "ssh";
+          ssh.allowedSignersFile = "~/.ssh/allowed_signers";
+        };
         # abort if the remote branch does not match the local one
         push.default = "simple";
+
         init.defaultBranch = "main";
+
         pull.rebase = true;
         rebase = {
           # Automatically create a temporary stash entry before the
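Review bot: The `allowed_signers` line added at the top of this hunk accepts all four keys (`aptos`, `work`, `git`, `ykey-laptop`) as valid signers for `franck@fcuny.net` with no namespace restriction, while only `ykey-laptop` is configured as the signing key a few lines below. If these public keys also serve for SSH authentication, they should be scoped to git signature verification with the allowed-signers `namespaces` option, e.g. `home.file.".ssh/allowed_signers".text = lib.concatMapStrings (x: "franck@fcuny.net namespaces=\"git\" ${x}\n") (with sshPub; [ aptos work git ykey-laptop ]);`, and it is worth confirming that every listed key is meant to verify as that principal rather than only the one that signs. The `~` in `ssh.allowedSignersFile = "~/.ssh/allowed_signers"` is fine since git treats that setting as a pathname and expands it. Separately, the `review` alias dropped on the `-` line is unrelated to the signing change described in the commit message; if that was deliberate, a short mention in the message would help.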
@@ -32,13 +43,11 @@ in
           # Print a warning if some commits are removed
           missingCommitsCheck = "warn";
         };
+
         branch.autosetuprebase = "remote";
         branch.sort = "authordate";
+
         commit.template = "${config.xdg.dataHome}/git/commit.template";
-        commit.gpgsign = true;
-        gpg.format = "ssh";
-        user.signingkey = "~/.ssh/fcuny_id_ed25519.pub";
-        gpg.ssh.allowedSignersFile = "${config.xdg.dataHome}/git/allowed_signers";
       };
       userName = "Franck Cuny";
       userEmail = "franck@fcuny.net";
diff --git a/home/pass/default.nix b/home/pass/default.nix
index d79d486..c3e06f6 100644
--- a/home/pass/default.nix
+++ b/home/pass/default.nix
@@ -17,10 +17,6 @@ in
     };
 
     programs.git = {
-      signing = {
-        key = config.programs.gpg.settings.default-key;
-        signByDefault = true;
-      };
       extraConfig = {
         credential = {
           helper = "${pkgs.gitAndTools.pass-git-helper}/bin/pass-git-helper";