Crypto Change

luks for xps ssh via ssh sops via age gpg backbone, but not removed gpg-agent removed
2025-10-04 22:53:18 +02:00
parent 21fee7056a
commit 6809a6494f
8 changed files with 144 additions and 137 deletions
--- a/home-modules/gpg.nix
+++ b/home-modules/gpg.nix
@@ -2,52 +2,35 @@
 {
  # there also is a system module
  home.packages = with pkgs; [
-    gnupg
    gpg-tui
    pinentry-all
  ];

-  services.gpg-agent = let 
-    min2sec = min: (min * 60); 
-  in {
+  programs.gpg = {
    enable = true;
-    verbose = true;
-    sshKeys = [
-      "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
-    ];
-    enableSshSupport = true;
-    enableFishIntegration = true;
-    defaultCacheTtlSsh = min2sec 60;
-    defaultCacheTtl = min2sec 30;
-    pinentry = {
-      package = pkgs.pinentry;
-      program = "pinentry";
+    package = pkgs.gnupg;
+    homedir = if hyper.host == "NxXPS" then "${hyper.home}/vault/gnupg" else "${hyper.home}/.gnupg";
+    settings = {
+      armor = true;
+      cert-digest-algo = "SHA512";
+      charset = "utf-8";
+      default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
+      keyid-format = "0xlong";
+      list-options = "show-uid-validity";
+      no-comments = true;
+      no-emit-version = true;
+      no-greeting = true;
+      no-symkey-cache = true;
+      personal-cipher-preferences = "AES256 AES192 AES";
+      personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+      personal-digest-preferences = "SHA512 SHA384 SHA256";
+      pinentry-mode = "loopback";
+      require-cross-certification = true;
+      s2k-cipher-algo = "AES256";
+      s2k-digest-algo = "SHA512";
+      use-agent = true;
+      verify-options = "show-uid-validity";
+      with-fingerprint = true;
    };
-    extraConfig = ''
-      allow-loopback-pinentry
-    '';
  };
-
-  home.file.".gnupg/gpg.conf".text = ''
-    personal-cipher-preferences AES256 AES192 AES
-    personal-digest-preferences SHA512 SHA384 SHA256
-    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
-    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
-    cert-digest-algo SHA512
-    s2k-digest-algo SHA512
-    s2k-cipher-algo AES256
-    charset utf-8
-    no-comments
-    no-emit-version
-    no-greeting
-    keyid-format 0xlong
-    list-options show-uid-validity
-    verify-options show-uid-validity
-    with-fingerprint
-    require-cross-certification
-    no-symkey-cache
-    armor
-    use-agent
-    pinentry-mode loopback
-  '';
 }
--- a/home-modules/sops.nix
+++ b/home-modules/sops.nix
@@ -1,22 +1,18 @@
-{ pkgs, ... }@all: with all;
-{
-  imports = [
-    inputs.sops-nix.homeManagerModules.sops
-  ];
-  
+{ pkgs, ... }@all: with all; {
+  imports = [ inputs.sops-nix.homeManagerModules.sops ];
  sops = {
-    age.keyFile = "${hyper.home}.age_nx2_key_13.txt";
+    age.keyFile = if (hyper.host == "NxXPS") then
+      "${hyper.home}/vault/age/sops-xps-home.key"
+    else if (hyper.host == "NxACE") then
+      "${hyper.home}/.age_nx2_key_13.txt"
+    else if (hyper.host == "NxNORTH") then
+      "${hyper.home}/.age_nx2_key_13.txt"
+    else "unkown host in sops.nix";
    defaultSopsFile = ../sops-secrets.yaml;
-
-    # %r is $XDG_RUNTIME_DIR
    secrets = {
      "example" = {
        path = "%r/secrets/example"; 
      };
-      # "sops-age-private-key" = { # Bootstrapping doens't work
-      #   mode = "0400";
-      #   path = "/home/${user}/.config/sops/age/keys.txt";
-      # };
    };
  };
 }
--- a/home-modules/ssh.nix
+++ b/home-modules/ssh.nix
@@ -2,16 +2,18 @@
 {
  home = {
    packages = with pkgs; [ sshfs ];
-    file.".ssh/config".text = ''
+    file."vault/ssh/config".text = /* ssh */ ''
      HOST nxace
          HostName ssh.${hyper.domain}
          User ${hyper.user}
          Port 50022
+          IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host}

      HOST nxacel
          HostName 10.0.1.1
          User ${hyper.user}
          Port 50022
+          IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host}

      HOST nxrpil
          HostName 10.0.1.31
@@ -22,6 +24,27 @@
          HostName ssh.${hyper.domain}
          User git
          Port 50022
+          IdentityFile ~/vault/ssh/nxgit-nx2-${hyper.host}
    '';
  };
+  # services.gpg-agent = let 
+  #   min2sec = min: (min * 60); 
+  # in {
+  #   enable = true;
+  #   verbose = true;
+  #   sshKeys = [
+  #     "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
+  #   ];
+  #   enableSshSupport = true;
+  #   enableFishIntegration = true;
+  #   defaultCacheTtlSsh = min2sec 60;
+  #   defaultCacheTtl = min2sec 30;
+  #   pinentry = {
+  #     package = pkgs.pinentry;
+  #     program = "pinentry";
+  #   };
+  #   extraConfig = ''
+  #     allow-loopback-pinentry
+  #   '';
+  # };
 }