{ pkgs, lib, config, nixosConfig, ... }:
# GnuPG for this home: gpg-agent (also serving SSH), a gpg.conf with explicit
# algorithm/trust settings, and a dirmngr.conf that pins the keyserver's CA.
let
  gpgHome = config.programs.gpg.homedir;
  # A GUI pinentry is only useful when the host NixOS config runs an X server.
  hasXServer = nixosConfig.services.xserver.enable;
in
{
  /*
  Disabled for now: create the GnuPG home with mode 0700 during activation.
  home.activation.gnupg = lib.hm.dag.entryAfter ["writeBoundary"] ''
    install -d -m700 ${lib.escapeShellArg config.programs.gpg.homedir}
  '';
  */

  services.gpg-agent = {
    enable = true;
    # The agent also answers SSH requests and exposes its "extra" socket
    # (intended for forwarding a restricted agent to remote hosts).
    enableSshSupport = true;
    enableExtraSocket = true;
    # mkDefault so another module can override the flavor without mkForce.
    pinentryFlavor = lib.mkDefault (if hasXServer then "gtk2" else "curses");
  };

  programs.gpg = {
    enable = true;
    settings = {
      # --- key lookup / keyserver behaviour ---------------------------------
      #auto-key-locate = "keyserver";
      # NOTE(review): as far as I can tell from home-manager's generator, a
      # `false` value is rendered as no line at all (not as `no-auto-key-locate`),
      # so this entry is a no-op; check the generated gpg.conf if the intent was
      # to disable lookups. The same applies to default-keyring and emit-version.
      auto-key-locate = false;
      keyserver-options = "no-honor-keyserver-url";
      default-keyring = false;

      # --- algorithm preferences: SHA-2 digests and AES first ---------------
      cert-digest-algo = "SHA512";
      default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 TWOFISH BZIP2 ZLIB ZIP Uncompressed";
      personal-cipher-preferences = "AES256 AES CAST5";
      personal-digest-preferences = "SHA512";

      # --- string-to-key (passphrase) settings for symmetric encryption ----
      s2k-cipher-algo = "AES256";
      s2k-digest-algo = "SHA512";
      s2k-mode = "3";
      # NOTE(review): 65536 is at the low end of the permitted range
      # (1024 to 65011712) and is historically gpg's old fixed default; modern
      # gpg calibrates the count to the host when it is left unset. A higher
      # count only raises the cost of offline passphrase guessing, and data
      # already encrypted still decrypts because the count is stored with it.
      s2k-count = "65536";

      # --- trust: TOFU combined with the web of trust -----------------------
      # New key/identity bindings start out with the `unknown` policy.
      trust-model = "tofu+pgp";
      tofu-default-policy = "unknown";

      # --- output and listing format ----------------------------------------
      charset = "utf-8";
      utf8-strings = true;
      emit-version = false;
      fixed-list-mode = true;
      keyid-format = "0xlong";
      quiet = true;
      #with-fingerprint = [ true true ];
      use-agent = true;
    };
  };

  # dirmngr handles keyserver, CRL and OCSP traffic. `${gnupg/keyserver.pem}`
  # is a Nix path, so the CA file is copied into the store and the config
  # refers to that store path; the HKPS server certificate is then verified
  # against this CA.
  home.file."${gpgHome}/dirmngr.conf".text = ''
    allow-ocsp
    hkp-cacert ${gnupg/keyserver.pem}
    keyserver hkps://keys.mayfirst.org
    #use-tor
    #log-file dirmngr.log
    #standard-resolver
  '';
}