remove gpg/yubikey external deps

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
This commit is contained in:
Harald Hoyer 2024-03-20 13:11:47 +01:00
parent 04f08d679e
commit 42b3d0a1c3
3 changed files with 70 additions and 63 deletions

View file

@ -2018,8 +2018,7 @@
"nixsgx-flake": "nixsgx-flake",
"snowfall-lib": "snowfall-lib_2",
"sops-nix": "sops-nix",
"unstable": "unstable",
"yubikey-guide": "yubikey-guide"
"unstable": "unstable"
}
},
"rust-overlay": {
@ -2626,22 +2625,6 @@
"type": "github"
}
},
"yubikey-guide": {
"flake": false,
"locked": {
"lastModified": 1710725874,
"narHash": "sha256-0COxYhs7VJGaO7mv23OEd7FjKRuTr+0zS9Ys9/exesI=",
"owner": "drduh",
"repo": "YubiKey-Guide",
"rev": "a7aa09bc80ccbcf13091e74fdf8e40701adee7f8",
"type": "github"
},
"original": {
"owner": "drduh",
"repo": "YubiKey-Guide",
"type": "github"
}
},
"zig": {
"inputs": {
"flake-compat": "flake-compat_2",

View file

@ -33,19 +33,6 @@
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
# GPG default configuration
gpg-base-conf = {
url = "github:drduh/config";
flake = false;
};
# Yubikey Guide
yubikey-guide = {
url = "github:drduh/YubiKey-Guide";
flake = false;
};
nixsgx-flake = {
url = "github:matter-labs/nixsgx";
# inputs.nixpkgs.follows = "nixpkgs";

View file

@ -5,8 +5,6 @@ let
inherit (lib.metacfg) mkOpt;
cfg = config.metacfg.security.gpg;
gpg = config.metacfg.security.gpg;
user = config.metacfg.user;
gpgConf = "${inputs.gpg-base-conf}/gpg.conf";
gpgAgentConf = ''
@ -15,32 +13,6 @@ let
max-cache-ttl 120
'';
guide = "${inputs.yubikey-guide}/README.md";
theme = pkgs.fetchFromGitHub {
owner = "jez";
repo = "pandoc-markdown-css-theme";
rev = "019a4829242937761949274916022e9861ed0627";
sha256 = "1h48yqffpaz437f3c9hfryf23r95rr319lrb3y79kxpxbc9hihxb";
};
guideHTML = pkgs.runCommand "yubikey-guide" { } ''
${pkgs.pandoc}/bin/pandoc \
--standalone \
--metadata title="Yubikey Guide" \
--from markdown \
--to html5+smart \
--toc \
--template ${theme}/template.html5 \
--css ${theme}/docs/css/theme.css \
--css ${theme}/docs/css/skylighting-solarized-theme.css \
-o $out \
${guide}
'';
reload-yubikey = pkgs.writeShellScriptBin "reload-yubikey" ''
${pkgs.gnupg}/bin/gpg-connect-agent "scd serialno" "learn --force" /bye
'';
in
{
options.metacfg.security.gpg = {
@ -75,10 +47,75 @@ in
metacfg.home.file = {
".gnupg/.keep".text = "";
".gnupg/yubikey-guide.md".source = guide;
".gnupg/yubikey-guide.html".source = guideHTML;
".gnupg/gpg.conf".source = gpgConf;
".gnupg/gpg.conf".text = ''
# https://github.com/drduh/config/blob/master/gpg.conf
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
# 'gpg --version' to get capabilities
# Use AES256, 192, or 128 as cipher
personal-cipher-preferences AES256 AES192 AES
# Use SHA512, 384, or 256 as digest
personal-digest-preferences SHA512 SHA384 SHA256
# Use ZLIB, BZIP2, ZIP, or no compression
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
# Default preferences for new keys
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
# SHA512 as digest to sign keys
cert-digest-algo SHA512
# SHA512 as digest for symmetric ops
s2k-digest-algo SHA512
# AES256 as cipher for symmetric ops
s2k-cipher-algo AES256
# UTF-8 support for compatibility
charset utf-8
# No comments in messages
no-comments
# No version in output
no-emit-version
# Disable banner
no-greeting
# Long key id format
keyid-format 0xlong
# Display UID validity
list-options show-uid-validity
verify-options show-uid-validity
# Display all keys and their fingerprints
with-fingerprint
# Display key origins and updates
#with-key-origin
# Cross-certify subkeys are present and valid
require-cross-certification
# Disable caching of passphrase for symmetrical ops
no-symkey-cache
# Enable smartcard
use-agent
# Disable recipient key ID in messages (breaks Mailvelope)
throw-keyids
# Default key ID to use (helpful with throw-keyids)
#default-key 0xFF3E7D88647EBCDB
#trusted-key 0xFF3E7D88647EBCDB
# Group recipient keys (preferred ID last)
#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
# Keyserver URL
#keyserver hkps://keys.openpgp.org
#keyserver hkps://keys.mailvelope.com
#keyserver hkps://keyserver.ubuntu.com:443
#keyserver hkps://pgpkeys.eu
#keyserver hkps://pgp.circl.lu
#keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
# Keyserver proxy
#keyserver-options http-proxy=http://127.0.0.1:8118
#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
# Enable key retrieval using WKD and DANE
#auto-key-locate wkd,dane,local
#auto-key-retrieve
# Trust delegation mechanism
#trust-model tofu+pgp
# Show expired subkeys
#list-options show-unusable-subkeys
# Verbose output
#verbose
'';
".gnupg/gpg-agent.conf".text = gpgAgentConf;
};
};