{ lib, config, pkgs, inputs, ... }: let inherit (lib) types mkEnableOption mkIf; inherit (lib.metacfg) mkOpt; cfg = config.metacfg.security.gpg; gpgConf = "${inputs.gpg-base-conf}/gpg.conf"; gpgAgentConf = '' enable-ssh-support default-cache-ttl 60 max-cache-ttl 120 ''; in { options.metacfg.security.gpg = { enable = mkEnableOption "GPG"; agentTimeout = mkOpt types.int 5 "The amount of time to wait before continuing with shell init."; }; config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ gnupg ]; environment.shellInit = '' export GPG_TTY="$(tty)" export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) ${pkgs.coreutils}/bin/timeout ${builtins.toString cfg.agentTimeout} ${pkgs.gnupg}/bin/gpgconf --launch gpg-agent gpg_agent_timeout_status=$? if [ "$gpg_agent_timeout_status" = 124 ]; then # Command timed out... echo "GPG Agent timed out..." echo 'Run "gpgconf --launch gpg-agent" to try and launch it again.' fi ''; programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; metacfg.home.file = { ".gnupg/.keep".text = ""; ".gnupg/gpg.conf".text = '' # https://github.com/drduh/config/blob/master/gpg.conf # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html # 'gpg --version' to get capabilities # Use AES256, 192, or 128 as cipher personal-cipher-preferences AES256 AES192 AES # Use SHA512, 384, or 256 as digest personal-digest-preferences SHA512 SHA384 SHA256 # Use ZLIB, BZIP2, ZIP, or no compression personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed # Default preferences for new keys default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed # SHA512 as digest to sign keys cert-digest-algo SHA512 # SHA512 as digest for symmetric ops s2k-digest-algo SHA512 # AES256 as cipher for symmetric ops s2k-cipher-algo AES256 # UTF-8 support for compatibility charset utf-8 # No comments in messages no-comments # No version in output no-emit-version # Disable banner no-greeting # Long key id format keyid-format 0xlong # Display UID validity list-options show-uid-validity verify-options show-uid-validity # Display all keys and their fingerprints with-fingerprint # Display key origins and updates #with-key-origin # Cross-certify subkeys are present and valid require-cross-certification # Disable caching of passphrase for symmetrical ops no-symkey-cache # Enable smartcard use-agent # Disable recipient key ID in messages (breaks Mailvelope) throw-keyids # Default key ID to use (helpful with throw-keyids) #default-key 0xFF3E7D88647EBCDB #trusted-key 0xFF3E7D88647EBCDB # Group recipient keys (preferred ID last) #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB # Keyserver URL #keyserver hkps://keys.openpgp.org #keyserver hkps://keys.mailvelope.com #keyserver hkps://keyserver.ubuntu.com:443 #keyserver hkps://pgpkeys.eu #keyserver hkps://pgp.circl.lu #keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion # Keyserver proxy #keyserver-options http-proxy=http://127.0.0.1:8118 #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 # Enable key retrieval using WKD and DANE #auto-key-locate wkd,dane,local #auto-key-retrieve # Trust delegation mechanism #trust-model tofu+pgp # Show expired subkeys #list-options show-unusable-subkeys # Verbose output #verbose ''; ".gnupg/gpg-agent.conf".text = gpgAgentConf; }; }; }