Commit 4cb20af

HPCesia <me@hpcesia.com>
2025-10-01 17:01:38
refactor: migrate gpg config
1 parent 9ed7ad7
Changed files (4)
home/base/tui/gpg/default.nix
@@ -1,71 +0,0 @@
-{config, ...}: {
-  programs.gpg = {
-    enable = true;
-    homedir = "${config.home.homeDirectory}/.gnupg";
-
-    mutableTrust = false;
-    mutableKeys = false;
-    publicKeys = [
-      {
-        source = ./public.asc;
-        trust = 5;
-      }
-    ];
-
-    # This configuration is based on the tutorial below, it allows for a robust setup
-    # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
-    # ~/.gnupg/gpg.conf
-    settings = {
-      # Get rid of the copyright notice
-      no-greeting = true;
-
-      # --- Avoid information leaked --- #
-      # Disable inclusion of the version string in ASCII armored output
-      no-emit-version = true;
-      # Do not write comment packets
-      no-comments = false;
-      # Export the smallest key possible
-      # This removes all signatures except the most recent self-signature on each user ID
-      export-options = "export-minimal";
-
-      # Display long key IDs
-      keyid-format = "0xlong";
-      # List all keys (or the specified ones) along with their fingerprints
-      with-fingerprint = true;
-
-      # Display the calculated validity of user IDs during key listings
-      list-options = "show-uid-validity";
-      verify-options = "show-uid-validity show-keyserver-urls";
-
-      # Select the strongest cipher
-      personal-cipher-preferences = "AES256";
-      # Select the strongest digest
-      personal-digest-preferences = "SHA512";
-      # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
-      default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
-
-      # Use the strongest cipher algorithm
-      cipher-algo = "AES256";
-      # Use the strongest digest algorithm
-      digest-algo = "SHA512";
-      # Message digest algorithm used when signing a key
-      cert-digest-algo = "SHA512";
-      # Use RFC-1950 ZLIB compression
-      compress-algo = "ZLIB";
-
-      # Disable weak algorithm
-      disable-cipher-algo = "3DES";
-      # Treat the specified digest algorithm as weak
-      weak-digest = "SHA1";
-
-      # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
-      s2k-cipher-algo = "AES256";
-      # The digest algorithm used to mangle the passphrases for symmetric encryption
-      s2k-digest-algo = "SHA512";
-      # Selects how passphrases for symmetric encryption are mangled
-      s2k-mode = "3";
-      # Specify how many times the passphrases mangling for symmetric encryption is repeated
-      s2k-count = "65011712";
-    };
-  };
-}
modules/desktop/gpg/default.nix
@@ -0,0 +1,82 @@
+{
+  flake.modules.nixos.desktop = {pkgs, ...}: {
+    programs.gnupg.agent = {
+      enable = true;
+      pinentryPackage = pkgs.pinentry-qt;
+      enableSSHSupport = false;
+      settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
+    };
+  };
+
+  flake.modules.homeManager.desktop = {config, ...}: {
+    programs.gpg = {
+      enable = true;
+      homedir = "${config.home.homeDirectory}/.gnupg";
+
+      mutableTrust = false;
+      mutableKeys = false;
+      publicKeys = [
+        {
+          source = ./public.asc;
+          trust = 5;
+        }
+      ];
+
+      # This configuration is based on the tutorial below, it allows for a robust setup
+      # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
+      # ~/.gnupg/gpg.conf
+      settings = {
+        # Get rid of the copyright notice
+        no-greeting = true;
+
+        # --- Avoid information leaked --- #
+        # Disable inclusion of the version string in ASCII armored output
+        no-emit-version = true;
+        # Do not write comment packets
+        no-comments = false;
+        # Export the smallest key possible
+        # This removes all signatures except the most recent self-signature on each user ID
+        export-options = "export-minimal";
+
+        # Display long key IDs
+        keyid-format = "0xlong";
+        # List all keys (or the specified ones) along with their fingerprints
+        with-fingerprint = true;
+
+        # Display the calculated validity of user IDs during key listings
+        list-options = "show-uid-validity";
+        verify-options = "show-uid-validity show-keyserver-urls";
+
+        # Select the strongest cipher
+        personal-cipher-preferences = "AES256";
+        # Select the strongest digest
+        personal-digest-preferences = "SHA512";
+        # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
+        default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
+
+        # Use the strongest cipher algorithm
+        cipher-algo = "AES256";
+        # Use the strongest digest algorithm
+        digest-algo = "SHA512";
+        # Message digest algorithm used when signing a key
+        cert-digest-algo = "SHA512";
+        # Use RFC-1950 ZLIB compression
+        compress-algo = "ZLIB";
+
+        # Disable weak algorithm
+        disable-cipher-algo = "3DES";
+        # Treat the specified digest algorithm as weak
+        weak-digest = "SHA1";
+
+        # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
+        s2k-cipher-algo = "AES256";
+        # The digest algorithm used to mangle the passphrases for symmetric encryption
+        s2k-digest-algo = "SHA512";
+        # Selects how passphrases for symmetric encryption are mangled
+        s2k-mode = "3";
+        # Specify how many times the passphrases mangling for symmetric encryption is repeated
+        s2k-count = "65011712";
+      };
+    };
+  };
+}
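Review bot: `no-comments = false;` in the homeManager `settings` block contradicts the comment directly above it ("Do not write comment packets"); as far as I recall, home-manager renders a boolean `false` in `programs.gpg.settings` by omitting the key entirely, so this line is a no-op and the comment-packet suppression the tutorial describes is not actually in effect. The intended value is `no-comments = true;`, which was carried over unchanged from the deleted file, so the migration is a good moment to fix it. The `default-preference-list` also still advertises RIPEMD160, TWOFISH and BLOWFISH, which sits oddly with the "select the strongest" intent of the neighbouring settings; consider trimming it to the algorithms the rest of the block actually prefers. Minor: the comment on `s2k-cipher-algo` repeats "for symmetric encryption" twice.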
home/base/tui/gpg/public.asc → modules/desktop/gpg/public.asc
File renamed without changes
os-modules/nixos/desktop/security.nix
@@ -1,12 +1,4 @@
 {pkgs, ...}: {
-  # gpg agent with pinentry
-  programs.gnupg.agent = {
-    enable = true;
-    pinentryPackage = pkgs.pinentry-qt;
-    enableSSHSupport = false;
-    settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
-  };
-
   services.udev.packages = [pkgs.yubikey-personalization];
   # Locking the screen when a Yubikey is unplugged
   # https://nixos.wiki/wiki/Yubikey#Locking_the_screen_when_a_Yubikey_is_unplugged