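{
  pkgs,
  lib,
  config,
  ...
}:
{
  config = lib.mkIf config.programs.gpg.enable {
    # On screen lock, ask gpg-agent to reload. RELOADAGENT flushes the
    # agent's passphrase cache, so an unlocked agent does not outlive the
    # locked session (the cache TTLs below are only an upper bound).
    frogeye.hooks.lock = ''
      echo RELOADAGENT | ${pkgs.gnupg}/bin/gpg-connect-agent
    '';

    programs.gpg = {
      # Keep the keyring out of ~/.gnupg; it lives under the XDG state dir.
      homedir = "${config.xdg.stateHome}/gnupg";

      settings = {
        # Remove fluff
        no-greeting = true;
        # Also avoids leaking the GnuPG version / comments into armored output.
        no-emit-version = true;
        no-comments = true;

        # Output format that I prefer: long key IDs, since short (32-bit)
        # IDs are trivially collidable.
        keyid-format = "0xlong";

        # Show fingerprints
        with-fingerprint = true;

        # Make sure to show if key is invalid
        # (should be default on most platforms,
        # but just to be sure)
        list-options = "show-uid-validity";
        verify-options = "show-uid-validity";

        # Stronger algorithms (https://wiki.archlinux.org/title/GnuPG#Different_algorithm)
        # SHA-512 for data signatures and for key certifications.
        personal-digest-preferences = "SHA512";
        cert-digest-algo = "SHA512";

        # Advertised on new keys: what others should use when encrypting to
        # me. AES256 is first; the weaker tail (SHA224, CAST5) is only there
        # for compatibility with old senders.
        default-preference-list = "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed";

        # What I use when encrypting. Kept consistent with the list above:
        # previously this preferred TWOFISH/CAMELLIA256/AES-128 and never
        # AES256, contradicting the advertised preferences. 3DES is not
        # listed explicitly — OpenPGP keeps the mandatory cipher as an
        # implicit fallback regardless.
        personal-cipher-preferences = "AES256 AES192 CAMELLIA256 TWOFISH AES";
      };

      # Presumably my own key (ultimate trust is only appropriate for a key
      # you control). The fetch is pinned by hash, so a tampered or merely
      # updated keyserver response fails the build instead of being imported.
      publicKeys = [
        {
          source = builtins.fetchurl {
            url = "https://keys.openpgp.org/vks/v1/by-fingerprint/4FBA930D314A03215E2CDB0A8312C8CAC1BAC289";
            sha256 = "sha256:10y9xqcy1vyk2p8baay14p3vwdnlwynk0fvfbika65hz2z8yw2cm";
          };
          trust = "ultimate";
        }
      ];
    };

    services.gpg-agent = rec {
      enableBashIntegration = true;
      enableZshIntegration = true;

      # gnome3 is nicer, but requires gcr as a dbus package.
      # Which is in my NixOS config, and on non-NixOS too.
      # It will fall back to ncurses when running in non-graphics mode.
      pinentryPackage = pkgs.pinentry-gnome3;

      # Passphrases stay cached for 1h after last use, 3h at most, for both
      # GPG and SSH keys. The lock hook above flushes the cache earlier
      # whenever the session locks.
      defaultCacheTtl = 3600;
      defaultCacheTtlSsh = defaultCacheTtl;
      maxCacheTtl = 3 * 3600;
      maxCacheTtlSsh = maxCacheTtl;
    };
  };
}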