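# NixOS module: YubiKey/smartcard plumbing at the system level, plus a
# hardened GnuPG + gpg-agent configuration for the user `jan` via home-manager.
{ pkgs, ... }:
{
  # udev rules so the YubiKey can be accessed by an unprivileged user.
  services.udev.packages = with pkgs; [ yubikey-personalization ];
  # PC/SC daemon for smartcard access (scdaemon reaches the card through it).
  services.pcscd.enable = true;
  # gcr provides the D-Bus services that pinentry-gnome3 relies on.
  services.dbus.packages = [ pkgs.gcr ];

  home-manager.users.jan = { pkgs, lib, ... }: {
    home.activation = {
      # Fetch the user's public key from a keyserver on every activation.
      #
      # Security notes:
      #  * The keyserver URL is given explicitly as hkps:// so the response is
      #    fetched over TLS; a scheme-less host name is not guaranteed to use
      #    TLS, and a plain-hkp transport lets an on-path attacker substitute
      #    or inject key material.
      #  * Receiving a key does NOT make it trusted. Trust in OpenPGP comes
      #    from verifying the full fingerprint out of band and setting
      #    ownertrust -- not from the keyserver. A 64-bit long key ID is also
      #    a weaker selector than the full 40-hex fingerprint; TODO(review):
      #    replace the long ID below with the verified full fingerprint.
      #  * The fetch is deliberately non-fatal (activation must still succeed
      #    offline), but a failure is now reported on stderr instead of being
      #    silently swallowed by `|| true`.
      #  * gpg/gpgconf are taken from pkgs.gnupg rather than $PATH so the
      #    activation does not depend on what happens to be on PATH.
      getGPGkey = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
        if $DRY_RUN_CMD ${pkgs.gnupg}/bin/gpg --keyserver hkps://keys.openpgp.org --recv-keys 0x366572be7d6c78a2; then
          $DRY_RUN_CMD ${pkgs.gnupg}/bin/gpgconf --reload gpg-agent
        else
          echo "getGPGkey: could not fetch key from keys.openpgp.org; continuing without it" >&2
        fi
      '';
    };

    services.gpg-agent = {
      enable = true;
      # GNOME pinentry; needs the gcr D-Bus service enabled at the system level.
      pinentryPackage = pkgs.pinentry-gnome3;
    };

    programs.gpg = {
      enable = true;
      settings = {
        # https://github.com/drduh/config/blob/master/gpg.conf
        # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
        # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html

        # Use AES256, 192, or 128 as cipher
        personal-cipher-preferences = "AES256 AES192 AES";
        # Use SHA512, 384, or 256 as digest
        personal-digest-preferences = "SHA512 SHA384 SHA256";
        # Use ZLIB, BZIP2, ZIP, or no compression
        personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
        # Default preferences for new keys
        default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
        # SHA512 as digest to sign keys
        cert-digest-algo = "SHA512";
        # SHA512 as digest for symmetric ops
        s2k-digest-algo = "SHA512";
        # AES256 as cipher for symmetric ops
        s2k-cipher-algo = "AES256";
        # UTF-8 support for compatibility
        charset = "utf-8";
        # Stable listing format (timestamps as seconds since the epoch)
        fixed-list-mode = true;
        # No comments in signature
        no-comments = true;
        # No version in signature (less metadata leakage)
        no-emit-version = true;
        # Long hexadecimal key format (never rely on 32-bit short IDs)
        keyid-format = "0xlong";
        # Display UID validity when listing and verifying
        list-options = "show-uid-validity";
        verify-options = "show-uid-validity";
        # Display all keys and their fingerprints
        with-fingerprint = true;
        # Require signing subkeys to carry a back-signature from the primary
        # key, so an attacker cannot attach someone else's subkey to a key.
        require-cross-certification = true;
        # Disable caching of the passphrase for symmetric ops
        no-symkey-cache = true;
        # Obsolete in GnuPG 2.x (the agent is always used); kept for
        # compatibility with older configs, it is a no-op there.
        use-agent = true;
        # Disable recipient key ID in messages
        # Disabled because it breaks OpenKeyChain
        # throw-keyids

        # Keyserver over TLS. Plain hkp:// is unauthenticated and lets an
        # on-path attacker tamper with keyserver responses; fingerprints
        # still have to be verified out of band regardless of transport.
        keyserver = "hkps://keyserver.ubuntu.com";

        # NOTE(review): this makes gpg accept signatures and keys whose
        # timestamps are inconsistent (e.g. a signature dated before its key
        # was created). That is a deliberate weakening of verification; keep
        # it only if there is a concrete clock-skew problem that needs it.
        ignore-time-conflict = true;
        # Skip the UID format checks at key-generation time. Affects only
        # keys created locally, not verification of other people's keys.
        allow-freeform-uid = true;
      };
    };
  };
}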