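{ config, pkgs, lib, ... }:
# GnuPG / smartcard setup for user katja, gated by ctucxConfig.programs.gpg.enable.
# Configures gpg itself through home-manager on every platform, the gpg-agent
# service and smartcard daemons on Linux, and a hand-written gpg-agent.conf on
# Darwin (where the home-manager gpg-agent service is not used).
let
  cfg = config.ctucxConfig.programs.gpg;
  # Several settings below only apply to Linux hosts; name the test once.
  isLinux = pkgs.stdenv.isLinux;
in {
  options = {
    ctucxConfig.programs.gpg = {
      enable = lib.mkEnableOption "gpg";
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      # pcscd gives scdaemon PC/SC access to the card reader (see disable-ccid below);
      # the udev rules and the gcr dbus service are Linux-only, so they collapse to
      # [] elsewhere.
      pcscd.enable = isLinux;
      udev.packages = lib.optionals isLinux (with pkgs; [ libu2f-host yubikey-personalization ]);
      dbus.packages = lib.optionals isLinux (with pkgs; [ gcr ]);
    };

    home-manager.users.katja = {
      xdg = lib.mkIf isLinux {
        desktopEntries = {
          # Override the gscriptor launcher so it is hidden from application menus
          # (presumably it is installed by pcsctools below; confirm if that changes).
          gscriptor = {
            name = "gscriptor";
            settings = {
              NoDisplay = "true";
            };
          };
        };
      };

      home = {
        packages = lib.mkIf isLinux [ pkgs.pcsctools ];
        sessionVariables = {
          # Pin the keyring location; mkForce wins over any other module that sets it.
          GNUPGHOME = lib.mkForce "$HOME/.gnupg";
        };
        shellAliases = {
          # Re-read the currently inserted card's serial number and key stubs,
          # e.g. after swapping between cards that carry different keys.
          gpg-card-relearn = "gpg-connect-agent 'scd serialno' 'learn --force' /bye";
        };
        # On Darwin there is no home-manager gpg-agent service here, so the agent
        # configuration is written as a plain file instead.
        file = lib.mkIf pkgs.stdenv.isDarwin {
          ".gnupg/gpg-agent.conf".text = ''
            enable-ssh-support
            pinentry-program ${pkgs.pinentry_mac}/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
          '';
        };
      };

      # Kill the agent whenever sway (re)starts; it is relaunched on demand
      # (and explicitly from bash.initExtra below) with the current session environment.
      wayland.windowManager.sway.extraConfig = ''
        exec_always 'gpgconf --kill gpg-agent'
      '';

      programs = {
        gpg = {
          enable = true;
          # With mutable keys/trust the entries below only seed the keyring and
          # trustdb on activation; keys and trust levels changed by hand afterwards
          # are kept, so the declared trust is a starting point, not an enforced state.
          mutableTrust = true;
          mutableKeys = true;
          publicKeys = [
            # my own key
            {
              trust = "ultimate";
              source = "${pkgs.ctucx-website}/gpg_pubkey.asc";
            }
            {
              trust = "ultimate";
              source = "${pkgs.ctucx-website}/gpg_pubkey_leah.asc";
            }
            # f2k1de's key. The download is pinned by content hash, so if the
            # served file ever changes the build fails instead of silently
            # importing a different key with "full" trust.
            {
              trust = "full";
              source = (pkgs.fetchurl {
                url = "https://f2k1.de/gpg-key.asc";
                sha256 = "sha256-GvrsMDokWphfIAiabJTzNNzbHP7QtWkt2cn3piGBdzc";
              });
            }
          ];
          settings = {
            # HKPS keeps keyserver traffic on TLS.
            keyserver = "hkps://keyserver.ubuntu.com:443";
          };
          scdaemonSettings = {
            # Turn off scdaemon's built-in CCID driver so the card is reached
            # through pcscd instead of both fighting over the reader.
            disable-ccid = true;
          };
        };

        bash.initExtra = ''
          export GPG_TTY=$(tty)
          export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
          gpgconf --launch gpg-agent
        '';

        git.signing = {
          # NOTE(review): this is a short (32-bit) key ID, which is not
          # collision-resistant; the full 40-hex fingerprint of the intended
          # signing key should be used here instead.
          key = "4F1D8CCB";
          signByDefault = true;
        };
      };

      services = lib.mkIf isLinux {
        gpg-agent = {
          enable = true;
          enableSshSupport = true;
          # The "extra" socket is the restricted one meant to be forwarded to
          # remote hosts; it stays local unless something forwards it.
          enableExtraSocket = true;
          pinentryPackage = pkgs.pinentry-gnome3;
          # Cached passphrases expire after 10 minutes of non-use.
          defaultCacheTtl = 600;
          defaultCacheTtlSsh = 600;
          # Keygrips of the keys the agent exposes over its SSH socket.
          sshKeys = [
            "8C11B9BF8B535049F6C87A9CF0C595421E6B8798"
            "29FA1059F28D2ED1C6398F7CFA918605F53786C0"
          ];
        };
      };
    };
  };
}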