 1{
 2  flake.modules.nixos.desktop = {pkgs, ...}: {
 3    programs.gnupg.agent = {
 4      enable = true;
 5      pinentryPackage = pkgs.pinentry-gnome3;
 6      enableSSHSupport = false;
 7      settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
 8    };
 9  };
10
11  flake.modules.homeManager.desktop = {config, ...}: {
12    programs.gpg = {
13      enable = true;
14      homedir = "${config.home.homeDirectory}/.gnupg";
15
16      mutableTrust = false;
17      mutableKeys = false;
18      publicKeys = [
19        {
20          source = ./public.asc;
21          trust = 5;
22        }
23      ];
24
25      # This configuration is based on the tutorial below, it allows for a robust setup
26      # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
27      # ~/.gnupg/gpg.conf
28      settings = {
29        # Get rid of the copyright notice
30        no-greeting = true;
31
32        # --- Avoid information leaked --- #
33        # Disable inclusion of the version string in ASCII armored output
34        no-emit-version = true;
35        # Do not write comment packets
36        no-comments = false;
37        # Export the smallest key possible
38        # This removes all signatures except the most recent self-signature on each user ID
39        export-options = "export-minimal";
40
41        # Display long key IDs
42        keyid-format = "0xlong";
43        # List all keys (or the specified ones) along with their fingerprints
44        with-fingerprint = true;
45
46        # Display the calculated validity of user IDs during key listings
47        list-options = "show-uid-validity";
48        verify-options = "show-uid-validity show-keyserver-urls";
49
50        # Select the strongest cipher
51        personal-cipher-preferences = "AES256";
52        # Select the strongest digest
53        personal-digest-preferences = "SHA512";
54        # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
55        default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
56
57        # Use the strongest cipher algorithm
58        cipher-algo = "AES256";
59        # Use the strongest digest algorithm
60        digest-algo = "SHA512";
61        # Message digest algorithm used when signing a key
62        cert-digest-algo = "SHA512";
63        # Use RFC-1950 ZLIB compression
64        compress-algo = "ZLIB";
65
66        # Disable weak algorithm
67        disable-cipher-algo = "3DES";
68        # Treat the specified digest algorithm as weak
69        weak-digest = "SHA1";
70
71        # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
72        s2k-cipher-algo = "AES256";
73        # The digest algorithm used to mangle the passphrases for symmetric encryption
74        s2k-digest-algo = "SHA512";
75        # Selects how passphrases for symmetric encryption are mangled
76        s2k-mode = "3";
77        # Specify how many times the passphrases mangling for symmetric encryption is repeated
78        s2k-count = "65011712";
79      };
80    };
81  };
82}