1 { pkgs, lib, config, options, ... }:
4 home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
5 install -d -m700 ${lib.escapeShellArg config.home.homeDirectory}/.gnupg
7 home.file.".gnupg/dirmngr.conf".text = ''
9 hkp-cacert ${gnupg/keyserver.pem}
10 keyserver hkps://keys.mayfirst.org
15 services.gpg-agent = {
16 enableSshSupport = true;
17 pinentryFlavor = if config.host.desktop then "gtk2" else "curses";
19 programs.gpg.settings = {
20 #auto-key-locate = "keyserver";
21 auto-key-locate = false;
22 cert-digest-algo = "SHA512";
24 default-keyring = false;
25 default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed";
27 fixed-list-mode = true;
28 keyid-format = "0xlong";
29 keyserver-options = "no-honor-keyserver-url";
30 personal-cipher-preferences = "AES256 AES CAST5";
31 personal-digest-preferences = "SHA512";
33 s2k-cipher-algo = "AES256";
35 s2k-digest-algo = "SHA512";
37 tofu-default-policy = "unknown";
38 trust-model = "tofu+pgp";
39 #with-fingerprint = [ true true ];
43 } // lib.optionalAttrs (options ? "nixpkgs") {
44 nixpkgs.overlays = [ (self: super: {
45 # Avoid rebuilding graphical dependencies
46 # when using Nixpkgs PRs rebuilding them.
47 # See https://github.com/NixOS/nixpkgs/issues/96306#issuecomment-722140002
48 pinentry = super.pinentry.override {
49 enabledFlavors = [ "curses" "tty" ] ++ lib.optional config.host.desktop "gtk2";