{ config, pkgs, lib, ... }: { programs.gpg = { enable = true; homedir = "${config.xdg.dataHome}/gnupg"; mutableKeys = true; mutableTrust = true; settings = { default-key = "Benedikt Peetz <benedikt.peetz@b-peetz.de>"; # TODO: add more }; publicKeys = [ { source = ./keys/key_1.asc; trust = "ultimate"; } { source = ./keys/key_2.asc; trust = "full"; } ]; }; services = { gpg-agent = { enable = true; enableZshIntegration = true; enableScDaemon = true; # smartcards and such things # Cache the key passwords defaultCacheTtl = 60 * 50; defaultCacheTtlSsh = 60 * 50; maxCacheTtl = 60 * 50; maxCacheTtlSsh = 60 * 50; pinentryPackage = pkgs.pinentry-curses; # pinentryPackage = pkgs.pinentry-tty; enableSshSupport = true; sshKeys = let removeSpace = str: builtins.replaceStrings [" "] [""] str; in [ (removeSpace "8321 ED3A 8DB9 99A5 1F3B F80F F268 2914 EA42 DE26") ]; }; }; programs.zsh.initExtraFirst = lib.mkBefore '' export GPG_TTY=$(tty) # Magic copied from the gpg-agent manual unset SSH_AGENT_PID if [ "''${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" fi # Ensure that get gpg agent is started (necessary because ssh does not start it # automatically and has it's tty updated) gpg-connect-agent /bye ''; }