`yubikey-agent` is updated to a newer commit. It hasn't received an
official release in a while which is why the update is to an "unstable"
version.
Closes https://github.com/NixOS/nixpkgs/issues/145392
Co-authored-by: teutat3s <10206665+teutat3s@users.noreply.github.com>
Co-authored-by: hensoko <hensoko@gssws.de>
I was getting problems with the unit failing to start due to NAMESPACE
or CAPABILITIES permissions.
Upstream now provides a systemd unit file in the repo, we should use that
one, and that one works for me.
Mea culpa: in #92936, I did originally test on macOS but I forgot to
retest after adding the piv-go patch. Unfortunately, the piv-go patch
was broken on macOS. This pulls in the latest version of
go-piv/piv-go#75 which works on macOS now.
This adds yubikey-agent as a package and a nixos module.
On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH;
on Linux we rely on the user to set their preferred pinentry in PATH.
In particular, we use a systemd override to prefix PATH to select a
chosen pinentry program if specified.
On Linux, we need libnotify to provide the notify-send utility for
desktop notifications (such as "Waiting for Yubikey touch...").
This might work on other flavors of unix, but I haven't tested.
We reuse the programs.gnupg.agent.pinentryFlavor option for
yubikey-agent, but in doing so I hit a problem: pinentryFlavour's
default value is specified in a mkDefault, but only conditionally. We
ought to be able to pick up the pinentryFlavour whether or not gpg-agent
is running. As a result, this commit moves the default value to the
definition of programs.gnupg.agent.enable.
