Commit 0a55169

HPCesia <me@hpcesia.com>
2025-06-03 16:43:18
feat(apps): add encryption utils and gpg
1 parent df9a2e4
home/base/tui/encryption.nix
@@ -0,0 +1,11 @@
+{
+  pkgs,
+  pkgs-unstable,
+  ...
+}: {
+  home.packages = with pkgs; [
+    age
+    pkgs-unstable.sops
+    rclone
+  ];
+}
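Review bot: The list takes `sops` from `pkgs-unstable` while `age` and `rclone` come from stable `pkgs`, and nothing says why; a later reader cannot tell whether the unstable pin is needed for a specific sops feature or version, or is incidental and can be dropped. A one-line comment above the list, such as `# sops pinned to unstable for <feature/version>; age and rclone from stable`, with the real reason filled in, would make that decision maintainable. The `pkgs-unstable.sops` reference itself resolves as intended inside `with pkgs;`, since `with` does not shadow the function argument.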
home/base/tui/gpg.nix
@@ -0,0 +1,62 @@
+{config, ...}: {
+  programs.gpg = {
+    enable = true;
+    homedir = "${config.home.homeDirectory}/.gnupg";
+
+    # This configuration is based on the tutorial below, it allows for a robust setup
+    # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
+    # ~/.gnupg/gpg.conf
+    settings = {
+      # Get rid of the copyright notice
+      no-greeting = true;
+
+      # --- Avoid information leaked --- #
+      # Disable inclusion of the version string in ASCII armored output
+      no-emit-version = true;
+      # Do not write comment packets
+      no-comments = false;
+      # Export the smallest key possible
+      # This removes all signatures except the most recent self-signature on each user ID
+      export-options = "export-minimal";
+
+      # Display long key IDs
+      keyid-format = "0xlong";
+      # List all keys (or the specified ones) along with their fingerprints
+      with-fingerprint = true;
+
+      # Display the calculated validity of user IDs during key listings
+      list-options = "show-uid-validity";
+      verify-options = "show-uid-validity show-keyserver-urls";
+
+      # Select the strongest cipher
+      personal-cipher-preferences = "AES256";
+      # Select the strongest digest
+      personal-digest-preferences = "SHA512";
+      # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
+      default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
+
+      # Use the strongest cipher algorithm
+      cipher-algo = "AES256";
+      # Use the strongest digest algorithm
+      digest-algo = "SHA512";
+      # Message digest algorithm used when signing a key
+      cert-digest-algo = "SHA512";
+      # Use RFC-1950 ZLIB compression
+      compress-algo = "ZLIB";
+
+      # Disable weak algorithm
+      disable-cipher-algo = "3DES";
+      # Treat the specified digest algorithm as weak
+      weak-digest = "SHA1";
+
+      # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
+      s2k-cipher-algo = "AES256";
+      # The digest algorithm used to mangle the passphrases for symmetric encryption
+      s2k-digest-algo = "SHA512";
+      # Selects how passphrases for symmetric encryption are mangled
+      s2k-mode = "3";
+      # Specify how many times the passphrases mangling for symmetric encryption is repeated
+      s2k-count = "65011712";
+    };
+  };
+}
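Review bot: `no-comments = false;` contradicts the comment above it (`# Do not write comment packets`): home-manager renders a `false` boolean setting by omitting the key, so gpg.conf ends up without `no-comments` at all; if the intent is to suppress comment packets the line should read `no-comments = true;`. Separately, `cipher-algo = "AES256";` and `digest-algo = "SHA512";` force those algorithms for every message regardless of the recipients' advertised preferences, which GnuPG's manual discourages because it can produce output a recipient cannot process; the `personal-cipher-preferences`/`personal-digest-preferences` lines a few lines earlier already express the same preference without that interoperability risk, so the two hard overrides can be dropped. `disable-cipher-algo = "3DES"` also refuses to decrypt older messages that were encrypted with 3DES, which is worth stating in its comment so the trade-off is explicit.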
modules/nixos/desktop/security.nix
@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+  # gpg agent with pinentry
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryPackage = pkgs.pinentry-qt;
+    enableSSHSupport = false;
+    settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
+  };
+}
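Review bot: `settings.default-cache-ttl = 4 * 60 * 60` will not yield a four-hour cache on its own, because gpg-agent also enforces `max-cache-ttl` (default 7200 s, i.e. 2 h), which evicts a cached passphrase regardless of use; add `settings.max-cache-ttl = 4 * 60 * 60;` alongside it, or lower default-cache-ttl to match the effective limit. Keeping a passphrase cached for four hours is a deliberate usability-over-security trade-off, so the `# 4 hours` comment should say why that window was chosen (e.g. `# 4 hours: long enough for a work session; raise max-cache-ttl to match`). `enableSSHSupport = false` and the explicit pinentry package are fine as written.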