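# Home Manager module fragment configuring GnuPG for a user:
# gpg-agent behaviour, gpg.conf options and the dirmngr.conf used for
# keyserver access.
{ pkgs, lib, config, nixosConfig, ... }:
{
  /*
    Disabled activation step: would create the GnuPG home directory with
    mode 0700 after Home Manager's write boundary.

    home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
      install -d -m700 ${lib.escapeShellArg config.programs.gpg.homedir}
    '';
  */

  services.gpg-agent = {
    # Let gpg-agent also answer ssh-agent requests, so SSH authentication
    # keys are guarded by the same agent and pinentry as OpenPGP keys.
    enableSshSupport = true;
    # Provide the restricted "extra" socket, the one meant to be forwarded
    # to remote hosts instead of the full-privilege agent socket.
    enableExtraSocket = true;
    # Graphical pinentry when the host NixOS configuration enables an
    # X server, terminal pinentry otherwise; mkDefault keeps it overridable.
    pinentryFlavor = lib.mkDefault (if nixosConfig.services.xserver.enable then "gtk2" else "curses");
  };

  programs.gpg.settings = {
    # NOTE(review): boolean `false` values are expected to leave the option
    # out of the generated gpg.conf (overriding any default set elsewhere) —
    # confirm against the Home Manager version in use.

    # No automatic key discovery: keys are not fetched as a side effect of
    # naming a recipient.
    #auto-key-locate = "keyserver";
    auto-key-locate = false;
    # Digest used when certifying (signing) other keys.
    cert-digest-algo = "SHA512";
    charset = "utf-8";
    default-keyring = false;
    # Preferences advertised on keys created or updated with this config.
    # NOTE(review): CAST5 is a 64-bit-block cipher kept as a legacy
    # fallback; consider dropping it if no correspondent needs it.
    default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed";
    emit-version = false;
    fixed-list-mode = true;
    # Long key IDs: short 32-bit IDs are trivially collidable.
    keyid-format = "0xlong";
    # Ignore the preferred-keyserver URL embedded in a key, so a key cannot
    # redirect refresh requests to a server of its owner's choosing.
    keyserver-options = "no-honor-keyserver-url";
    # NOTE(review): same CAST5 caveat as in default-preference-list.
    personal-cipher-preferences = "AES256 AES CAST5";
    personal-digest-preferences = "SHA512";
    quiet = true;
    # String-to-key parameters for passphrase-based (symmetric) encryption.
    s2k-cipher-algo = "AES256";
    # Was "65536", which pins the iteration count far below what GnuPG 2
    # would otherwise obtain from gpg-agent's calibration and makes offline
    # passphrase guessing cheaper. Use the maximum GnuPG accepts; the count
    # is stored in each message, so existing data stays decryptable.
    s2k-count = "65011712";
    s2k-digest-algo = "SHA512";
    # Mode 3 = iterated and salted; s2k-count only applies in this mode.
    s2k-mode = "3";
    # Combine trust-on-first-use with the classic web of trust; bindings
    # seen for the first time get the "unknown" policy rather than being
    # trusted automatically.
    tofu-default-policy = "unknown";
    trust-model = "tofu+pgp";
    #with-fingerprint = [ true true ];
    use-agent = true;
    utf8-strings = true;
  };

  # dirmngr.conf: keyserver access goes over hkps to a single server, with
  # the TLS trust root restricted to the PEM file shipped next to this
  # module (gnupg/keyserver.pem, copied into the Nix store).
  # NOTE(review): allow-ocsp permits OCSP lookups, which contact the
  # responder named in a certificate — confirm this is wanted, in
  # particular if use-tor is ever enabled.
  home.file."${config.programs.gpg.homedir}/dirmngr.conf".text = ''
    allow-ocsp
    hkp-cacert ${gnupg/keyserver.pem}
    keyserver hkps://keys.mayfirst.org
    #use-tor
    #log-file dirmngr.log
    #standard-resolver
  '';
}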