From 3f861ebe8e156d9ba7a24ee1a256a28be4cca56f Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 5 Mar 2022 13:16:27 -0800
Subject: git: sign with GPG only when one desktop

Move the configuration for git that requires the signing to pass, and use the `pass-git-helper` to manage the secrets.
---
 users/fcuny/cli/git.nix | 14 ++++----------
 users/fcuny/desktop/trust/git-pass-mapping.ini | 9 +++++++++
 users/fcuny/desktop/trust/pass.nix | 17 +++++++++++++++++
 3 files changed, 30 insertions(+), 10 deletions(-)
 create mode 100644 users/fcuny/desktop/trust/git-pass-mapping.ini

diff --git a/users/fcuny/cli/git.nix b/users/fcuny/cli/git.nix
index 30ee841..8afb7ec 100644
--- a/users/fcuny/cli/git.nix
+++ b/users/fcuny/cli/git.nix
@@ -1,6 +1,7 @@
-{ config, ... }:
+{ lib, config, ... }:

-{
+let inherit (lib) mkIf;
+in {
 programs.git = {
 enable = true;
 aliases = {
@@ -17,16 +18,9 @@
 };
 userName = "Franck Cuny";
 userEmail = "franck@fcuny.net";
- signing = {
- key = config.programs.gpg.settings.default-key;
- signByDefault = true;
- };
 extraConfig = {
 "credential \"https://github.com\"" = { username = "fcuny"; };
- "credential \"https://git.fcuny.net\"" = {
- username = "fcuny";
- helper = "!echo -n 'password='; pass git/git.fcuny.net";
- };
+ "credential \"https://git.fcuny.net\"" = { username = "fcuny"; };
 };
 ignores = [
 "*.elc"
diff --git a/users/fcuny/desktop/trust/git-pass-mapping.ini b/users/fcuny/desktop/trust/git-pass-mapping.ini
new file mode 100644
index 0000000..5c5177b
--- /dev/null
+++ b/users/fcuny/desktop/trust/git-pass-mapping.ini
@@ -0,0 +1,9 @@
+[DEFAULT]
+line_username=1
+skip_username=10
+
+[github.com/*]
+target=git/github.com
+
+[git.fcuny.net*]
+target=git/git.fcuny.net
diff --git a/users/fcuny/desktop/trust/pass.nix b/users/fcuny/desktop/trust/pass.nix
index 6ed346c..a552318 100644
--- a/users/fcuny/desktop/trust/pass.nix
+++ b/users/fcuny/desktop/trust/pass.nix
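Review bot: In users/fcuny/cli/git.nix the new `let inherit (lib) mkIf; in` binding is not used by any line this commit adds, and the old header had no `lib` argument, so nothing outside the hunks can have referenced it before. Dropping the binding would leave the header as `{ config, ... }:`; if a later change is meant to gate settings on the host type, `mkIf` can be introduced with that change. The second hunk of the same file removes the only visible use of `config` (`config.programs.gpg.settings.default-key`), so that argument may now be unused as well; the rest of the file is outside the diff, so check before removing it.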
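Review bot: The section `[git.fcuny.net*]` in git-pass-mapping.ini has no `/` before the wildcard, so it would also match any host whose name merely begins with `git.fcuny.net`, and the helper would answer such a host with the `git/git.fcuny.net` entry. As far as I know pass-git-helper treats section names as shell-style globs over the host (host plus path when `useHttpPath` is on), so `[git.fcuny.net/*]`, the same shape as the `[github.com/*]` section above it, pins the host. A comment above `line_username=1` and `skip_username=10` stating the entry layout they assume (which line of the pass entry holds the username and which 10-character prefix is skipped) would make a silently truncated username easier to diagnose.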
@@ -11,6 +11,23 @@
 };
 };

+ programs.git = {
+ signing = {
+ key = config.programs.gpg.settings.default-key;
+ signByDefault = true;
+ };
+ extraConfig = {
+ credential = {
+ helper = "${pkgs.gitAndTools.pass-git-helper}/bin/pass-git-helper";
+ useHttpPath = true;
+ };
+ };
+ };
+
+ xdg.configFile."pass-git-helper/git-pass-mapping.ini" = {
+ source = ./git-pass-mapping.ini;
+ };
+
 services.password-store-sync.enable = true;

 # Ensure the password store things are in the systemd session
--
cgit 1.4.1
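Review bot: `credential.helper` is set without a URL scope, so git will call pass-git-helper for any remote that asks for credentials, and which password-store entry is released then depends only on the globs in git-pass-mapping.ini. Setting the helper on the URL-scoped sections that cli/git.nix already defines, e.g. `"credential \"https://git.fcuny.net\"".helper = "${pkgs.gitAndTools.pass-git-helper}/bin/pass-git-helper";` and the same for `https://github.com`, lets git itself pin scheme and host before the helper runs. `pkgs` and `config` are used here but the module's argument list is outside the hunk, so confirm both are bound. A one-line comment above `signing` saying it lives in this module because signing depends on the desktop's GPG and pass setup would record why it moved out of cli/git.nix.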