From 42b3d0a1c390901b1e0bb0bd0e72694d0b821090 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 20 Mar 2024 13:11:47 +0100
Subject: [PATCH] remove gpg/yubikey external deps

Signed-off-by: Harald Hoyer
---
 flake.lock | 19 +----
 flake.nix | 13 ---
 modules/darwin/security/gpg/default.nix | 101 ++++++++++++++++--------
 3 files changed, 70 insertions(+), 63 deletions(-)

diff --git a/flake.lock b/flake.lock
index bdf1c3e..3bcd271 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2018,8 +2018,7 @@
 "nixsgx-flake": "nixsgx-flake",
 "snowfall-lib": "snowfall-lib_2",
 "sops-nix": "sops-nix",
- "unstable": "unstable",
- "yubikey-guide": "yubikey-guide"
+ "unstable": "unstable"
 }
 },
 "rust-overlay": {
@@ -2626,22 +2625,6 @@
 "type": "github"
 }
 },
- "yubikey-guide": {
- "flake": false,
- "locked": {
- "lastModified": 1710725874,
- "narHash": "sha256-0COxYhs7VJGaO7mv23OEd7FjKRuTr+0zS9Ys9/exesI=",
- "owner": "drduh",
- "repo": "YubiKey-Guide",
- "rev": "a7aa09bc80ccbcf13091e74fdf8e40701adee7f8",
- "type": "github"
- },
- "original": {
- "owner": "drduh",
- "repo": "YubiKey-Guide",
- "type": "github"
- }
- },
 "zig": {
 "inputs": {
 "flake-compat": "flake-compat_2",
diff --git a/flake.nix b/flake.nix
index c02c9a6..4b181f7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,19 +33,6 @@
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
- # GPG default configuration
- gpg-base-conf = {
- url = "github:drduh/config";
- flake = false;
- };
-
- # Yubikey Guide
- yubikey-guide = {
- url = "github:drduh/YubiKey-Guide";
- flake = false;
- };
-
-
 nixsgx-flake = {
 url = "github:matter-labs/nixsgx";
 # inputs.nixpkgs.follows = "nixpkgs";
diff --git a/modules/darwin/security/gpg/default.nix b/modules/darwin/security/gpg/default.nix
index 0b3248d..97984ba 100644
--- a/modules/darwin/security/gpg/default.nix
+++ b/modules/darwin/security/gpg/default.nix
@@ -5,8 +5,6 @@ let inherit (lib.metacfg) mkOpt; cfg = config.metacfg.security.gpg; - gpg = config.metacfg.security.gpg; - user = config.metacfg.user; gpgConf = "${inputs.gpg-base-conf}/gpg.conf"; gpgAgentConf = '' @@ -15,32 +13,6 @@ let max-cache-ttl 120 ''; - guide = "${inputs.yubikey-guide}/README.md"; - - theme = pkgs.fetchFromGitHub { - owner = "jez"; - repo = "pandoc-markdown-css-theme"; - rev = "019a4829242937761949274916022e9861ed0627"; - sha256 = "1h48yqffpaz437f3c9hfryf23r95rr319lrb3y79kxpxbc9hihxb"; - }; - - guideHTML = pkgs.runCommand "yubikey-guide" { } '' - ${pkgs.pandoc}/bin/pandoc \ - --standalone \ - --metadata title="Yubikey Guide" \ - --from markdown \ - --to html5+smart \ - --toc \ - --template ${theme}/template.html5 \ - --css ${theme}/docs/css/theme.css \ - --css ${theme}/docs/css/skylighting-solarized-theme.css \ - -o $out \ - ${guide} - ''; - - reload-yubikey = pkgs.writeShellScriptBin "reload-yubikey" '' - ${pkgs.gnupg}/bin/gpg-connect-agent "scd serialno" "learn --force" /bye - ''; in { options.metacfg.security.gpg = { 
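Review bot: The context line `gpgConf = "${inputs.gpg-base-conf}/gpg.conf";` in the first hunk of modules/darwin/security/gpg/default.nix still refers to the `gpg-base-conf` flake input that this patch's flake.nix hunk deletes, and its only consumer, the `".gnupg/gpg.conf".source = gpgConf;` assignment, is removed in the hunk at -75. Because Nix evaluates let-bindings lazily the stale binding does not fail evaluation today, but the next reuse of `gpgConf` will fail on the missing attribute of `inputs`, and the module now carries a dead reference to a dependency the commit message says is gone. Delete the line `gpgConf = "${inputs.gpg-base-conf}/gpg.conf";` alongside the other removals in this hunk. The flake.lock hunks drop only the yubikey-guide node; if a gpg-base-conf node exists in the lock it is presumably left stale as well, so re-running the lock after the input removal is worth confirming.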
@@ -75,10 +47,75 @@ in
 metacfg.home.file = {
 ".gnupg/.keep".text = "";
- ".gnupg/yubikey-guide.md".source = guide;
- ".gnupg/yubikey-guide.html".source = guideHTML;
-
- ".gnupg/gpg.conf".source = gpgConf;
+ ".gnupg/gpg.conf".text = ''
+ # https://github.com/drduh/config/blob/master/gpg.conf
+ # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
+ # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
+ # 'gpg --version' to get capabilities
+ # Use AES256, 192, or 128 as cipher
+ personal-cipher-preferences AES256 AES192 AES
+ # Use SHA512, 384, or 256 as digest
+ personal-digest-preferences SHA512 SHA384 SHA256
+ # Use ZLIB, BZIP2, ZIP, or no compression
+ personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
+ # Default preferences for new keys
+ default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
+ # SHA512 as digest to sign keys
+ cert-digest-algo SHA512
+ # SHA512 as digest for symmetric ops
+ s2k-digest-algo SHA512
+ # AES256 as cipher for symmetric ops
+ s2k-cipher-algo AES256
+ # UTF-8 support for compatibility
+ charset utf-8
+ # No comments in messages
+ no-comments
+ # No version in output
+ no-emit-version
+ # Disable banner
+ no-greeting
+ # Long key id format
+ keyid-format 0xlong
+ # Display UID validity
+ list-options show-uid-validity
+ verify-options show-uid-validity
+ # Display all keys and their fingerprints
+ with-fingerprint
+ # Display key origins and updates
+ #with-key-origin
+ # Cross-certify subkeys are present and valid
+ require-cross-certification
+ # Disable caching of passphrase for symmetrical ops
+ no-symkey-cache
+ # Enable smartcard
+ use-agent
+ # Disable recipient key ID in messages (breaks Mailvelope)
+ throw-keyids
+ # Default key ID to use (helpful with throw-keyids)
+ #default-key 0xFF3E7D88647EBCDB
+ #trusted-key 0xFF3E7D88647EBCDB
+ # Group recipient keys (preferred ID last)
+ #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
+ # Keyserver URL
+ #keyserver hkps://keys.openpgp.org
+ #keyserver hkps://keys.mailvelope.com
+ #keyserver hkps://keyserver.ubuntu.com:443
+ #keyserver hkps://pgpkeys.eu
+ #keyserver hkps://pgp.circl.lu
+ #keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
+ # Keyserver proxy
+ #keyserver-options http-proxy=http://127.0.0.1:8118
+ #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
+ # Enable key retrieval using WKD and DANE
+ #auto-key-locate wkd,dane,local
+ #auto-key-retrieve
+ # Trust delegation mechanism
+ #trust-model tofu+pgp
+ # Show expired subkeys
+ #list-options show-unusable-subkeys
+ # Verbose output
+ #verbose
+ '';
 ".gnupg/gpg-agent.conf".text = gpgAgentConf;
 };
 };