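{
  # NixOS side: run gpg-agent with a GNOME pinentry. SSH-agent emulation is
  # deliberately left off; a separate ssh-agent is expected to handle that.
  flake.modules.nixos.desktop = {pkgs, ...}: {
    programs.gnupg.agent = {
      enable = true;
      pinentryPackage = pkgs.pinentry-gnome3;
      enableSSHSupport = false;
      settings = {
        # Seconds a cached passphrase stays valid after its last use.
        default-cache-ttl = 4 * 60 * 60; # 4 hours
        # gpg-agent never keeps an entry longer than max-cache-ttl, whose
        # built-in default is 2 hours; without raising it as well, the 4-hour
        # default-cache-ttl above is silently capped at 2 hours.
        max-cache-ttl = 4 * 60 * 60; # 4 hours
      };
    };
  };

  # home-manager side: the user's gpg.conf, keyring and trust database.
  flake.modules.homeManager.desktop = {config, ...}: {
    programs.gpg = {
      enable = true;
      homedir = "${config.home.homeDirectory}/.gnupg";

      # Keyring and trustdb are generated from the declaration below and are
      # not editable at runtime. The only declared key is our own public key,
      # marked ultimately trusted (5).
      mutableTrust = false;
      mutableKeys = false;
      publicKeys = [
        {
          source = ./public.asc;
          trust = 5;
        }
      ];

      # This configuration is based on the tutorial below, it allows for a robust setup
      # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
      # Rendered to ~/.gnupg/gpg.conf; a boolean `true` emits the bare option
      # name, `false` omits the option entirely.
      settings = {
        # Get rid of the copyright notice
        no-greeting = true;

        # --- Avoid information leaked --- #
        # Disable inclusion of the version string in ASCII armored output
        no-emit-version = true;
        # Do not write "Comment:" headers into armored output. This must be
        # `true` to take effect; `false` would simply drop the option and leave
        # GnuPG's default behaviour in place.
        no-comments = true;
        # Export the smallest key possible
        # This removes all signatures except the most recent self-signature on each user ID
        export-options = "export-minimal";

        # Display long key IDs
        keyid-format = "0xlong";
        # List all keys (or the specified ones) along with their fingerprints
        with-fingerprint = true;

        # Display the calculated validity of user IDs during key listings
        list-options = "show-uid-validity";
        verify-options = "show-uid-validity show-keyserver-urls";

        # Select the strongest cipher
        personal-cipher-preferences = "AES256";
        # Select the strongest digest
        personal-digest-preferences = "SHA512";
        # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
        default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";

        # NOTE: cipher-algo / digest-algo force an algorithm regardless of what
        # the recipient's key advertises; the GnuPG manual recommends the
        # personal-*-preferences above as the standards-conforming way to get
        # the same result. Kept to mirror the tutorial's setup.
        # Use the strongest cipher algorithm
        cipher-algo = "AES256";
        # Use the strongest digest algorithm
        digest-algo = "SHA512";
        # Message digest algorithm used when signing a key
        cert-digest-algo = "SHA512";
        # Use RFC-1950 ZLIB compression
        compress-algo = "ZLIB";

        # Disable weak algorithm
        disable-cipher-algo = "3DES";
        # Treat the specified digest algorithm as weak
        weak-digest = "SHA1";

        # The cipher algorithm for symmetric encryption with a passphrase
        s2k-cipher-algo = "AES256";
        # The digest algorithm used to mangle the passphrases for symmetric encryption
        s2k-digest-algo = "SHA512";
        # Selects how passphrases for symmetric encryption are mangled (3 = iterated and salted)
        s2k-mode = "3";
        # Specify how many times the passphrase mangling for symmetric encryption is repeated
        s2k-count = "65011712";
      };
    };
  };
}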