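# home-manager module for GnuPG: keyring contents and ownertrust, gpg-agent
# (with SSH support), scdaemon for a smartcard, and git commit signing.
# Platform-specific pieces are gated on pkgs.stdenv.isLinux / isDarwin.
{ config, pkgs, lib, ... }:

let
  inherit (pkgs.stdenv) isLinux isDarwin;

  # Third-party keys are pinned by content hash (fetchurl refuses a mismatch),
  # so the hash, not the URL, is the trust anchor. Update it deliberately when
  # the owner rotates the key.
  f2k1dePubKey = pkgs.fetchurl {
    url = "https://f2k1.de/gpg-key.asc";
    sha256 = "sha256-GvrsMDokWphfIAiabJTzNNzbHP7QtWkt2cn3piGBdzc";
  };

  # Governikus German eID verification public key.
  governikusPubKey = pkgs.fetchurl {
    url = "https://www.governikus.de/wp-content/uploads/2023/06/governikusPubKey.asc";
    sha256 = "sha256-eU7g+c2CAYGLxHCRb0qsnL3CvKgK3lWcKcgrS1WFwz0=";
  };

  # Passphrase/PIN cache lifetime in seconds. Shared by the Linux service
  # options and the hand-written Darwin gpg-agent.conf so both platforms
  # expire cached secrets at the same rate (previously Darwin relied on
  # gpg-agent's built-in defaults, which differ for the ssh cache).
  cacheTtl = 600;
in
{
  # Hide the gscriptor launcher (presumably the one shipped by pcsctools) from
  # the desktop menu; the tool itself stays installed.
  xdg = lib.mkIf isLinux {
    desktopEntries.gscriptor = {
      name = "gscriptor";
      settings.NoDisplay = "true";
    };
  };

  home = {
    # pcsc-tools (pcsc_scan etc.) for inspecting the smartcard reader.
    packages = lib.mkIf isLinux [ pkgs.pcsctools ];

    sessionVariables = {
      # mkForce: pin the keyring directory even if another module sets it.
      GNUPGHOME = lib.mkForce "$HOME/.gnupg";
    };

    shellAliases = {
      # Force scdaemon/gpg-agent to re-learn the inserted card (e.g. after
      # swapping or re-inserting it).
      gpg-card-relearn = "gpg-connect-agent 'scd serialno' 'learn --force' /bye";
    };

    # The services.gpg-agent block further down is Linux-only, so on Darwin
    # the agent configuration is written by hand and mirrors those settings.
    file = lib.mkIf isDarwin {
      ".gnupg/gpg-agent.conf".text = ''
        enable-ssh-support
        default-cache-ttl ${toString cacheTtl}
        default-cache-ttl-ssh ${toString cacheTtl}
        pinentry-program ${pkgs.pinentry_mac}/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
      '';
    };
  };

  # exec_always runs on every sway (re)load: the agent is killed and will be
  # autostarted again on next use (see bash.initExtra), presumably so it picks
  # up the new session environment. Not gated on isLinux, unlike the rest.
  wayland.windowManager.sway.extraConfig = ''
    exec_always 'gpgconf --kill gpg-agent'
  '';

  programs = {
    gpg = {
      enable = true;

      # Keyring and trustdb stay writable at runtime: keys and ownertrust can
      # be changed with gpg directly, and the declarative list below is only
      # (re)applied on activation. Hand-made changes are not tracked here.
      mutableTrust = true;
      mutableKeys = true;

      publicKeys = [
        # own keys
        {
          trust = "ultimate";
          source = "${pkgs.ctucx-website}/gpg_pubkey.asc";
        }
        {
          trust = "ultimate";
          source = "${pkgs.ctucx-website}/gpg_pubkey_leah.asc";
        }
        # f2k1de's key
        # NOTE(review): "full" ownertrust also lets certifications made by this
        # key validate other keys in the web of trust. If the intent is only to
        # verify this key's own signatures, a local signature (gpg --lsign-key)
        # with lower ownertrust is the narrower setting.
        {
          trust = "full";
          source = f2k1dePubKey;
        }
        # governikus german eid verification pubkey (same caveat as above)
        {
          trust = "full";
          source = governikusPubKey;
        }
      ];

      settings = {
        # hkps on 443: TLS-protected keyserver lookups that also pass through
        # restrictive egress filters.
        keyserver = "hkps://keyserver.ubuntu.com:443";
      };

      scdaemonSettings = {
        # Skip GnuPG's built-in CCID driver and reach the card through PC/SC
        # (pcscd); pcsctools above is the matching diagnostic kit.
        disable-ccid = true;
      };
    };

    # NOTE: SSH_AUTH_SOCK is set unconditionally here, so an inbound ssh
    # session that arrives with a forwarded agent socket is pointed at the
    # local gpg-agent instead. Guard this if agent forwarding into this
    # machine is ever needed.
    bash.initExtra = ''
      export GPG_TTY=$(tty)
      export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
      gpgconf --launch gpg-agent
    '';

    git.signing = {
      # NOTE(review): this is an 8-hex-digit short key ID; short IDs are not
      # unique and can be collided. Prefer the full 40-hex fingerprint of the
      # signing (sub)key here.
      key = "4F1D8CCB";
      signByDefault = true;
    };
  };

  # Linux only: gpg-agent as a user service.
  services = lib.mkIf isLinux {
    gpg-agent = {
      enable = true;
      enableSshSupport = true;
      # Extra (restricted) agent socket, intended for forwarding the agent to
      # remote hosts over ssh; only needed if that forwarding is used.
      enableExtraSocket = true;
      pinentryPackage = pkgs.pinentry-gnome3;
      defaultCacheTtl = cacheTtl;
      defaultCacheTtlSsh = cacheTtl;
      # Keygrips (not key fingerprints) of the keys gpg-agent offers to ssh.
      sshKeys = [
        "8C11B9BF8B535049F6C87A9CF0C595421E6B8798"
        "29FA1059F28D2ED1C6398F7CFA918605F53786C0"
      ];
    };
  };
}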