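# home-manager module: per-user GnuPG configuration (my.home.gpg).
#
# Enables `programs.gpg` with a homedir under $XDG_CONFIG_HOME, pins
# cipher/digest/compression preferences, installs yubikey-manager, and
# carries a (currently disabled) gpg-agent configuration.
{ pkgs, config, lib, ... }:
let
  cfg = config.my.home.gpg;
in
{
  options.my.home.gpg = with lib; {
    enable = mkEnableOption "gpg configuration";

    pinentry = mkOption {
      type = types.str;
      default = "tty";
      example = "gnome3";
      description = ''
        Which pinentry interface to use. Only takes effect when
        services.gpg-agent is enabled.
      '';
    };

    defaultKey = mkOption {
      # Optional. The original declared `types.str` with `default = null`,
      # which fails the module type check whenever the option is left unset
      # and would also hand a null to programs.gpg.settings.
      type = types.nullOr types.str;
      default = null;
      description = ''
        Default GPG key (gpg.conf `default-key`). When null no
        `default-key` line is emitted and GnuPG picks its own default.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    home.packages = with pkgs; [ yubikey-manager ];

    programs.gpg = {
      enable = true;
      # Keep the keyring out of ~/.gnupg so it follows XDG_CONFIG_HOME.
      homedir = "${config.xdg.configHome}/gnupg";
      settings = {
        # Algorithm preferences, strongest first.
        personal-cipher-preferences = "AES256 AES192 AES";
        personal-digest-preferences = "SHA512 SHA384 SHA256";
        personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
        # Long key IDs plus fingerprints: short (32-bit) key IDs are
        # trivially collidable and must not be used to identify a key.
        keyid-format = "long";
        with-fingerprint = true;
      } // lib.optionalAttrs (cfg.defaultKey != null) {
        # Only emit default-key when the user actually set one.
        default-key = cfg.defaultKey;
      };
    };

    services.gpg-agent = {
      # NOTE(review): the agent is deliberately left disabled, so home-manager
      # writes no gpg-agent.conf and the pinentry/extraConfig values below are
      # inert until `enable = true`.
      enable = false;
      enableSshSupport = false; # ensure we're not defaulting to GPG for SSH
      pinentryFlavor = cfg.pinentry;
      # allow-loopback-pinentry lets a client pass the passphrase in-band
      # (`--pinentry-mode loopback`) instead of through the pinentry dialog.
      # It is needed for scripted/unattended use, but moves passphrase
      # handling into the calling process, so enable it knowingly.
      extraConfig = ''
        allow-loopback-pinentry
      '';
    };
  };
}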