Commit 4cb20af
Changed files (4)
home/base/tui/gpg/default.nix
@@ -1,71 +0,0 @@
-{config, ...}: {
- programs.gpg = {
- enable = true;
- homedir = "${config.home.homeDirectory}/.gnupg";
-
- mutableTrust = false;
- mutableKeys = false;
- publicKeys = [
- {
- source = ./public.asc;
- trust = 5;
- }
- ];
-
- # This configuration is based on the tutorial below, it allows for a robust setup
- # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
- # ~/.gnupg/gpg.conf
- settings = {
- # Get rid of the copyright notice
- no-greeting = true;
-
- # --- Avoid information leaked --- #
- # Disable inclusion of the version string in ASCII armored output
- no-emit-version = true;
- # Do not write comment packets
- no-comments = false;
- # Export the smallest key possible
- # This removes all signatures except the most recent self-signature on each user ID
- export-options = "export-minimal";
-
- # Display long key IDs
- keyid-format = "0xlong";
- # List all keys (or the specified ones) along with their fingerprints
- with-fingerprint = true;
-
- # Display the calculated validity of user IDs during key listings
- list-options = "show-uid-validity";
- verify-options = "show-uid-validity show-keyserver-urls";
-
- # Select the strongest cipher
- personal-cipher-preferences = "AES256";
- # Select the strongest digest
- personal-digest-preferences = "SHA512";
- # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
- default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
-
- # Use the strongest cipher algorithm
- cipher-algo = "AES256";
- # Use the strongest digest algorithm
- digest-algo = "SHA512";
- # Message digest algorithm used when signing a key
- cert-digest-algo = "SHA512";
- # Use RFC-1950 ZLIB compression
- compress-algo = "ZLIB";
-
- # Disable weak algorithm
- disable-cipher-algo = "3DES";
- # Treat the specified digest algorithm as weak
- weak-digest = "SHA1";
-
- # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
- s2k-cipher-algo = "AES256";
- # The digest algorithm used to mangle the passphrases for symmetric encryption
- s2k-digest-algo = "SHA512";
- # Selects how passphrases for symmetric encryption are mangled
- s2k-mode = "3";
- # Specify how many times the passphrases mangling for symmetric encryption is repeated
- s2k-count = "65011712";
- };
- };
-}
modules/desktop/gpg/default.nix
@@ -0,0 +1,82 @@
+{
+ flake.modules.nixos.desktop = {pkgs, ...}: {
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-qt;
+ enableSSHSupport = false;
+ settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
+ };
+ };
+
+ flake.modules.homeManager.desktop = {config, ...}: {
+ programs.gpg = {
+ enable = true;
+ homedir = "${config.home.homeDirectory}/.gnupg";
+
+ mutableTrust = false;
+ mutableKeys = false;
+ publicKeys = [
+ {
+ source = ./public.asc;
+ trust = 5;
+ }
+ ];
+
+ # This configuration is based on the tutorial below, it allows for a robust setup
+ # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
+ # ~/.gnupg/gpg.conf
+ settings = {
+ # Get rid of the copyright notice
+ no-greeting = true;
+
+ # --- Avoid information leaked --- #
+ # Disable inclusion of the version string in ASCII armored output
+ no-emit-version = true;
+ # Do not write comment packets
+ no-comments = false;
+ # Export the smallest key possible
+ # This removes all signatures except the most recent self-signature on each user ID
+ export-options = "export-minimal";
+
+ # Display long key IDs
+ keyid-format = "0xlong";
+ # List all keys (or the specified ones) along with their fingerprints
+ with-fingerprint = true;
+
+ # Display the calculated validity of user IDs during key listings
+ list-options = "show-uid-validity";
+ verify-options = "show-uid-validity show-keyserver-urls";
+
+ # Select the strongest cipher
+ personal-cipher-preferences = "AES256";
+ # Select the strongest digest
+ personal-digest-preferences = "SHA512";
+ # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
+ default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
+
+ # Use the strongest cipher algorithm
+ cipher-algo = "AES256";
+ # Use the strongest digest algorithm
+ digest-algo = "SHA512";
+ # Message digest algorithm used when signing a key
+ cert-digest-algo = "SHA512";
+ # Use RFC-1950 ZLIB compression
+ compress-algo = "ZLIB";
+
+ # Disable weak algorithm
+ disable-cipher-algo = "3DES";
+ # Treat the specified digest algorithm as weak
+ weak-digest = "SHA1";
+
+ # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
+ s2k-cipher-algo = "AES256";
+ # The digest algorithm used to mangle the passphrases for symmetric encryption
+ s2k-digest-algo = "SHA512";
+ # Selects how passphrases for symmetric encryption are mangled
+ s2k-mode = "3";
+ # Specify how many times the passphrases mangling for symmetric encryption is repeated
+ s2k-count = "65011712";
+ };
+ };
+ };
+}
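Review bot: `settings.default-cache-ttl = 4 * 60 * 60` in the agent block at the top of the new file does not give a 4-hour cache on its own, because gpg-agent also enforces `max-cache-ttl`, whose default is 2 hours, and entries are dropped at that limit regardless of recent use; if four hours is the intent, add `settings.max-cache-ttl = 4 * 60 * 60;` next to it, otherwise the comment should say the effective limit is 2 hours. In the home-manager half, `no-comments = false;` is annotated "Do not write comment packets", but as far as I can tell home-manager emits a boolean setting only when it is `true`, so this line writes nothing to gpg.conf and the option is not in effect — either set it to `true` or reword the comment (GnuPG 2 emits no comment packets by default, so the practical impact looks cosmetic). The copied `default-preference-list` still advertises RIPEMD160, TWOFISH and BLOWFISH, which is at odds with the "strongest cipher/digest" comments and with `weak-digest = "SHA1"` a few lines below; consider trimming it to the algorithms the surrounding `personal-*-preferences` actually select, e.g. `default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";`. The file also hard-codes `cipher-algo`/`digest-algo`, which the gpg manual warns overrides recipient preferences and can violate OpenPGP interoperability; a one-line comment acknowledging that trade-off would help the next reader.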
home/base/tui/gpg/public.asc → modules/desktop/gpg/public.asc
File renamed without changes
os-modules/nixos/desktop/security.nix
@@ -1,12 +1,4 @@
{pkgs, ...}: {
- # gpg agent with pinentry
- programs.gnupg.agent = {
- enable = true;
- pinentryPackage = pkgs.pinentry-qt;
- enableSSHSupport = false;
- settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
- };
-
services.udev.packages = [pkgs.yubikey-personalization];
# Locking the screen when a Yubikey is unplugged
# https://nixos.wiki/wiki/Yubikey#Locking_the_screen_when_a_Yubikey_is_unplugged