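{ pkgs, ... }:
{
  # YubiKey / OpenPGP smartcard tooling plus GnuPG itself.
  home.packages = with pkgs; [
    yubico-piv-tool
    yubikey-manager
    yubikey-personalization
    yubioath-flutter
    yubikey-touch-detector
    # NOTE(review): installing yubico-pam only ships the module; PAM itself
    # is configured at the system level, not from home-manager.
    yubico-pam
    gnupg
    libfido2
    libnotify
    age
  ];

  programs.gpg = {
    # Let scdaemon reach the card through pcscd rather than its built-in
    # CCID driver. This presumes a running pcscd (a system-level service);
    # without it scdaemon will not see the YubiKey -- verify on the host.
    scdaemonSettings.disable-ccid = true;

    settings = {
      # https://github.com/drduh/config/blob/master/gpg.conf
      # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
      # 'gpg --version' to get capabilities

      # --- Algorithm preferences (strongest first) ---
      # Use AES256, 192, or 128 as cipher
      personal-cipher-preferences = "AES256 AES192 AES";
      # Use SHA512, 384, or 256 as digest
      personal-digest-preferences = "SHA512 SHA384 SHA256";
      # Use ZLIB, BZIP2, ZIP, or no compression
      personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
      # Default preferences advertised by newly generated keys
      default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
      # SHA512 as digest when certifying (signing) keys
      cert-digest-algo = "SHA512";
      # SHA512 as digest for passphrase-to-key derivation (symmetric ops)
      s2k-digest-algo = "SHA512";
      # AES256 as cipher for symmetric ops
      s2k-cipher-algo = "AES256";

      # --- Output hygiene (leak less metadata) ---
      # UTF-8 support for compatibility
      charset = "utf-8";
      # No comment packets in messages
      no-comments = true;
      # No "Version:" header in armored output
      no-emit-version = true;
      # Disable banner
      no-greeting = true;

      # --- Display ---
      # Long key id format (short 32-bit ids are trivially collidable)
      keyid-format = "0xlong";
      # Display UID validity
      list-options = "show-uid-validity";
      verify-options = "show-uid-validity";
      # Display all keys and their fingerprints
      with-fingerprint = true;
      # Display key origins and updates
      #with-key-origin

      # --- Trust / caching ---
      # Refuse signing subkeys that lack a back-signature from the primary key
      require-cross-certification = true;
      # Disable caching of passphrase for symmetrical ops
      no-symkey-cache = true;
      # Output ASCII instead of binary
      armor = true;
      # Obsolete since GnuPG 2.1 (the agent is always used); harmless, kept
      # for compatibility with older gpg.
      use-agent = true;
      # Hide recipient key IDs in messages (breaks Mailvelope). Caveat: gpg
      # must then try each available secret key on decryption, which with a
      # smartcard may mean extra PIN prompts.
      throw-keyids = true;
      # Default key ID to use (helpful with throw-keyids)
      #default-key 0xFF3E7D88647EBCDB
      #trusted-key 0xFF3E7D88647EBCDB
      # Group recipient keys (preferred ID last)
      #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB

      # --- Keyserver (all disabled; prefer hkps or the Tor onion if enabled) ---
      #keyserver hkps://keys.openpgp.org
      #keyserver hkps://keys.mailvelope.com
      #keyserver hkps://keyserver.ubuntu.com:443
      #keyserver hkps://pgpkeys.eu
      #keyserver hkps://pgp.circl.lu
      #keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
      # Keyserver proxy
      #keyserver-options http-proxy=http://127.0.0.1:8118
      #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
      # Enable key retrieval using WKD and DANE
      #auto-key-locate wkd,dane,local
      #auto-key-retrieve
      # Trust delegation mechanism
      #trust-model tofu+pgp
      # Show expired subkeys
      #list-options show-unusable-subkeys
      # Verbose output
      #verbose
    };
  };

  services.gpg-agent = {
    enable = true;
    # Serve SSH authentication through gpg-agent (authentication subkey on
    # the card instead of an on-disk SSH private key).
    enableSshSupport = true;
    # Short passphrase cache (seconds). These TTLs govern the agent's
    # passphrase cache; card PIN caching is presumably handled by
    # scdaemon/the card itself -- confirm for your card.
    defaultCacheTtl = 60;
    maxCacheTtl = 120;
    # Shell integration is what points pinentry at the current terminal:
    # it is expected to export GPG_TTY and run
    # `gpg-connect-agent updatestartuptty`. A `ttyname $GPG_TTY` line in
    # gpg-agent.conf does NOT do this -- Nix strings and gpg-agent.conf
    # perform no shell expansion, so the agent would receive the literal
    # text "$GPG_TTY"; that line has therefore been dropped.
    enableZshIntegration = true;
    enableScDaemon = true;
    pinentry.package = pkgs.pinentry-gnome3;
  };
}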