Crypto Change

luks for xps ssh via ssh sops via age gpg backbone, but not removed gpg-agent removed
2025-10-04 22:53:18 +02:00
parent 21fee7056a
commit 6809a6494f
8 changed files with 144 additions and 137 deletions
--- a/home-modules/gpg.nix
+++ b/home-modules/gpg.nix
@@ -2,52 +2,35 @@
 {
  # there also is a system module
  home.packages = with pkgs; [
-    gnupg
    gpg-tui
    pinentry-all
  ];

-  services.gpg-agent = let 
-    min2sec = min: (min * 60); 
-  in {
+  programs.gpg = {
    enable = true;
-    verbose = true;
-    sshKeys = [
-      "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
-    ];
-    enableSshSupport = true;
-    enableFishIntegration = true;
-    defaultCacheTtlSsh = min2sec 60;
-    defaultCacheTtl = min2sec 30;
-    pinentry = {
-      package = pkgs.pinentry;
-      program = "pinentry";
+    package = pkgs.gnupg;
+    homedir = if hyper.host == "NxXPS" then "${hyper.home}/vault/gnupg" else "${hyper.home}/.gnupg";
+    settings = {
+      armor = true;
+      cert-digest-algo = "SHA512";
+      charset = "utf-8";
+      default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
+      keyid-format = "0xlong";
+      list-options = "show-uid-validity";
+      no-comments = true;
+      no-emit-version = true;
+      no-greeting = true;
+      no-symkey-cache = true;
+      personal-cipher-preferences = "AES256 AES192 AES";
+      personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+      personal-digest-preferences = "SHA512 SHA384 SHA256";
+      pinentry-mode = "loopback";
+      require-cross-certification = true;
+      s2k-cipher-algo = "AES256";
+      s2k-digest-algo = "SHA512";
+      use-agent = true;
+      verify-options = "show-uid-validity";
+      with-fingerprint = true;
    };
-    extraConfig = ''
-      allow-loopback-pinentry
-    '';
  };
-
-  home.file.".gnupg/gpg.conf".text = ''
-    personal-cipher-preferences AES256 AES192 AES
-    personal-digest-preferences SHA512 SHA384 SHA256
-    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
-    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
-    cert-digest-algo SHA512
-    s2k-digest-algo SHA512
-    s2k-cipher-algo AES256
-    charset utf-8
-    no-comments
-    no-emit-version
-    no-greeting
-    keyid-format 0xlong
-    list-options show-uid-validity
-    verify-options show-uid-validity
-    with-fingerprint
-    require-cross-certification
-    no-symkey-cache
-    armor
-    use-agent
-    pinentry-mode loopback
-  '';
 }