authorAlan Pearce2024-06-05 14:22:28 +0200
committerAlan Pearce2024-06-05 14:22:28 +0200
commit41aa7cc366d2242c0dbf1e035f22e7118e2ca942 (patch)
treed3ff8dbcd7a4bd51f1cd6c89e6c3b13d5310c119
parentcd49be6796ebf629bb7de3590b30f08824ce70b8 (diff)
overhaul gnupg/trezor setup
-rw-r--r--system/prefect.nix2
-rw-r--r--system/settings/hardware/trezor.nix6
-rw-r--r--system/settings/programs/gnupg.nix12
-rw-r--r--user/gnupg/dirmngr.conf3
-rw-r--r--user/gnupg/gpa.conf2
-rw-r--r--user/gnupg/gpg-agent.conf3
-rw-r--r--user/gnupg/gpg.conf83
-rw-r--r--user/gnupg/trezor/dirmngr.conf1
-rw-r--r--user/prefect.nix1
-rw-r--r--user/settings/base.nix1
-rw-r--r--user/settings/gnupg.nix16
-rw-r--r--user/settings/trezor.nix10
-rw-r--r--user/settings/user-interface.nix1
13 files changed, 15 insertions, 126 deletions
diff --git a/system/prefect.nix b/system/prefect.nix
index 1ee93fc1..8d90948d 100644
--- a/system/prefect.nix
+++ b/system/prefect.nix
@@ -15,11 +15,11 @@
     ./settings/hardware/nvidia-gpu.nix
     ./settings/hardware/keyboard.nix
     ./settings/hardware/keyboard-lofree.nix
+    ./settings/hardware/trezor.nix
     ./settings/services/syncthing.nix
     ./settings/services/virtualisation.nix
     ./settings/user-interface.nix
     ./settings/programs/base.nix
-    ./settings/programs/gnupg.nix
     ./settings/programs/kde.nix
     ./settings/programs/shell.nix
     ./settings/programs/docker.nix
diff --git a/system/settings/hardware/trezor.nix b/system/settings/hardware/trezor.nix
index 1004833a..3883d76f 100644
--- a/system/settings/hardware/trezor.nix
+++ b/system/settings/hardware/trezor.nix
@@ -5,13 +5,7 @@
 }: {
   services.trezord.enable = true;
   environment.systemPackages = with pkgs; [
-    gnupg
-    pinentry
     (python3.withPackages (ps: with ps; [ trezor_agent wheel ]))
     trezor-suite
   ];
-  programs.gnupg.agent = {
-    enable = lib.mkForce false;
-    enableSSHSupport = lib.mkForce false;
-  };
 }
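Review bot: Dropping the `programs.gnupg.agent = { enable = lib.mkForce false; ... }` block removes the only guard that kept the NixOS-level gpg-agent off on this host, while the user side of the commit now starts its own agent through home-manager's `services.gpg-agent`. If any other system module on this machine enables `programs.gnupg.agent` (not visible from this hunk), both agents would be configured for the same user and socket paths, which is exactly the kind of conflict the forced `false` was presumably preventing. Worth either confirming nothing else enables it, or keeping a one-line `programs.gnupg.agent.enable = lib.mkForce false;` here with a comment that the agent is managed per-user.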
diff --git a/system/settings/programs/gnupg.nix b/system/settings/programs/gnupg.nix
deleted file mode 100644
index f17263c9..00000000
--- a/system/settings/programs/gnupg.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config
-, pkgs
-, lib
-, ...
-}: {
-  environment.systemPackages = with pkgs; [
-    gnupg
-    pinentry
-    (python3.withPackages (ps: with ps; [ trezor_agent wheel ]))
-  ];
-  environment.variables.GNUPGHOME = "$HOME/.gnupg/trezor/";
-}
diff --git a/user/gnupg/dirmngr.conf b/user/gnupg/dirmngr.conf
deleted file mode 100644
index f69421d7..00000000
--- a/user/gnupg/dirmngr.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-keyserver hkps://keys.openpgp.org
-# keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
-# use-tor
diff --git a/user/gnupg/gpa.conf b/user/gnupg/gpa.conf
deleted file mode 100644
index 2e33e80b..00000000
--- a/user/gnupg/gpa.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-default-key 5FA779613E2AB0EEFC6DD3056A56F2A314E23293
-detailed-view
diff --git a/user/gnupg/gpg-agent.conf b/user/gnupg/gpg-agent.conf
deleted file mode 100644
index 52eb1dca..00000000
--- a/user/gnupg/gpg-agent.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-enable-ssh-support
-default-cache-ttl 600
-max-cache-ttl 7200
diff --git a/user/gnupg/gpg.conf b/user/gnupg/gpg.conf
deleted file mode 100644
index 61df93cf..00000000
--- a/user/gnupg/gpg.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# This is an implementation of the Riseup OpenPGP Best Practices
-# https://help.riseup.net/en/security/message-security/openpgp/best-practices
-#
-
-#-----------------------------
-# default key
-#-----------------------------
-
-# The default key to sign with. If this option is not used, the default key is
-# the first key found in the secret keyring
-
-# default-key 
-
-#-----------------------------
-# behavior
-#-----------------------------
-
-# Disable inclusion of the version string in ASCII armored output
-no-emit-version
-
-# Disable comment string in clear text signatures and ASCII armored messages
-no-comments
-
-# Display long key IDs
-keyid-format 0xlong
-
-# List all keys (or the specified ones) along with their fingerprints
-with-fingerprint
-
-# Display the calculated validity of user IDs during key listings
-list-options show-uid-validity
-verify-options show-uid-validity
-
-# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
-# the agent before it asks for a passphrase.
-use-agent
-
-#-----------------------------
-# keyserver
-#-----------------------------
-
-# This is the server that --recv-keys, --send-keys, and --search-keys will
-# communicate with to receive keys from, send keys to, and search for keys on
-keyserver hkps://keys.openpgp.org
-
-# Provide a certificate store to override the system default
-# Get this from https://sks-keyservers.net/sks-keyservers.netCA.pem
-# keyserver-options ca-cert-file=.gnupg/sks-keyservers.netCA.pem
-
-# Set the proxy to use for HTTP and HKP keyservers - default to the standard
-# local Tor socks proxy
-# It is encouraged to use Tor for improved anonymity. Preferrably use either a
-# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
-# IsolateDestAddr
-# keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
-
-# When using --refresh-keys, if the key in question has a preferred keyserver
-# URL, then disable use of that preferred keyserver to refresh the key from
-keyserver-options no-honor-keyserver-url
-# When searching for a key with --search-keys, include keys that are marked on
-# the keyserver as revoked
-keyserver-options include-revoked
-
-
-#-----------------------------
-# algorithm and ciphers
-#-----------------------------
-
-# list of personal digest preferences. When multiple digests are supported by
-# all recipients, choose the strongest one
-personal-cipher-preferences AES256 AES192 AES CAST5
-
-# list of personal digest preferences. When multiple ciphers are supported by
-# all recipients, choose the strongest one
-personal-digest-preferences SHA512 SHA384 SHA256 SHA224
-
-# message digest algorithm used when signing a key
-cert-digest-algo SHA512
-
-# This preference list is used for new keys and becomes the default for
-# "setpref" in the edit menu
-default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
\ No newline at end of file
diff --git a/user/gnupg/trezor/dirmngr.conf b/user/gnupg/trezor/dirmngr.conf
deleted file mode 100644
index 17612d46..00000000
--- a/user/gnupg/trezor/dirmngr.conf
+++ /dev/null
@@ -1 +0,0 @@
-keyserver hkps://keys.openpgp.org
\ No newline at end of file
diff --git a/user/prefect.nix b/user/prefect.nix
index 2dcaa37f..ed8b77cf 100644
--- a/user/prefect.nix
+++ b/user/prefect.nix
@@ -19,7 +19,6 @@
     ./settings/passwords.nix
     ./settings/ssh.nix
     ./settings/tabnine.nix
-    ./settings/trezor.nix
     ./settings/user-interface.nix
     ./settings/xresources.nix
     <private>
diff --git a/user/settings/base.nix b/user/settings/base.nix
index 63780883..30d21aa9 100644
--- a/user/settings/base.nix
+++ b/user/settings/base.nix
@@ -27,7 +27,6 @@ args@{ config
       EMAIL = "alan@alanpearce.eu";
       MANPAGER = "bat -l man -p";
       ABDUCO_SOCKET_DIR = "${state}/abduco";
-      GNUPGHOME = "${data}/gnupg";
       SOLARGRAPH_CACHE = "${cache}/solargraph";
       ELECTRUMDIR = "${data}/electrum";
       DOCKER_CONFIG = "${conf}/docker";
diff --git a/user/settings/gnupg.nix b/user/settings/gnupg.nix
index 913b5d27..d719b618 100644
--- a/user/settings/gnupg.nix
+++ b/user/settings/gnupg.nix
@@ -2,8 +2,18 @@
 , pkgs
 , ...
 }: {
-  home.file.".gnupg" = {
-    recursive = true;
-    source = ../gnupg;
+  programs.gpg = {
+    enable = true;
+    homedir = "${config.xdg.dataHome}/gnupg";
+    settings = {
+      keyserver = "hkps://keys.openpgp.org";
+    };
+  };
+  services.gpg-agent = {
+    enable = true;
+    pinentryPackage = with pkgs;
+      if stdenv.isDarwin
+      then pinentry_mac
+      else pinentry-qt;
   };
 }
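Review bot: The new `programs.gpg.settings` keeps only `keyserver`, so the hardening that the deleted `user/gnupg/gpg.conf` carried — `keyserver-options no-honor-keyserver-url`, `keyserver-options include-revoked`, `cert-digest-algo SHA512`, the personal cipher/digest preference lists, `no-emit-version`/`no-comments`/`keyid-format 0xlong` — is no longer stated anywhere. Home-manager's gpg module ships defaults that, as far as I recall, cover the preference lists and the output-hygiene options, but I don't believe the keyserver-options are among them; `no-honor-keyserver-url` matters because without it `--refresh-keys` will contact whatever keyserver URL a key's owner embedded rather than keys.openpgp.org. Suggest adding `keyserver-options = "no-honor-keyserver-url include-revoked";` under `settings`, and a short comment noting which old gpg.conf options are intentionally left to home-manager's defaults. The old gpg-agent.conf also had `enable-ssh-support`; if that was still wanted, `services.gpg-agent.enableSshSupport = true;` is the equivalent here, though the removed system-side `enableSSHSupport = lib.mkForce false` suggests it may have been deliberately off on this host.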
diff --git a/user/settings/trezor.nix b/user/settings/trezor.nix
deleted file mode 100644
index 6996d9b0..00000000
--- a/user/settings/trezor.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config
-, pkgs
-, ...
-}: {
-  home.file.".ssh/agent.config" = {
-    text = ''
-      ecdsa-curve-name = ed25519
-    '';
-  };
-}
diff --git a/user/settings/user-interface.nix b/user/settings/user-interface.nix
index dd02e9b0..df6e3263 100644
--- a/user/settings/user-interface.nix
+++ b/user/settings/user-interface.nix
@@ -51,6 +51,7 @@ in
       mu
       beeper
       kdePackages.neochat
+      kdePackages.kleopatra
     ]);
   services.lorri.enableNotifications = true;
 }