{ lib, helpers, config, pkgs, ... }:

# Home-manager module for GnuPG: a managed keyring under XDG_DATA_HOME,
# a gpg-agent with SSH support, and the private key material supplied
# through agenix secrets.
let
  cfg = config.modules.gpg;

  # GnuPG home is kept under the XDG data dir instead of ~/.gnupg.
  gnupgHome = "${config.xdg.dataHome}/gnupg";

  # Keygrips of the private keys that agenix provides. Each one becomes a
  # secret named "<grip>.key" whose decrypted content is symlinked into
  # gnupgHome/private-keys-v1.d, the directory gpg-agent reads keys from.
  privateKeyGrips = [
    # ed25519 2025-09-06 [C]
    "147CBD801C5E0D0C27DD006653D3D96FF952F652"
    # ed25519 2025-09-06 [SA]
    "DDA4674BEB2FBE8A1EFB6F542FA66EDC2BFD54F5"
    # cv25519 2025-09-06 [E]
    "F6BECEF8FA360886C588883F90AD03CBE7B6450A"
  ];

  # Builds one `age.secrets` entry (as a name/value pair for listToAttrs)
  # for a keygrip. The encrypted file is ./encrypt/<grip>.key.age.
  mkKeySecret = grip: {
    name = "${grip}.key";
    value = {
      symlink = true;
      path = "${gnupgHome}/private-keys-v1.d/${grip}.key";
      file = ./encrypt + "/${grip}.key.age";
    };
  };
in
{
  options.modules.gpg.enable = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = "GnuPG";
  };

  config = lib.mkIf cfg.enable {
    programs.gpg = {
      enable = true;
      homedir = gnupgHome;
      # Allow `gpg` itself to add keys / edit trust in addition to what is
      # declared here; activation does not wipe unmanaged entries.
      mutableKeys = true;
      mutableTrust = true;
      publicKeys = [
        # gpg -a --export
        { source = ./assets/pubring.asc; trust = "ultimate"; }
      ];
      # NOTE(review): scdaemon is not started by the agent below
      # (enableScDaemon = false), so this setting only takes effect if that
      # is flipped -- confirm it is intentional to keep it around.
      scdaemonSettings.disable-ccid = true;
    };

    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
      enableScDaemon = false;
      # Verbose agent logging is on; keep in mind when checking journald output.
      verbose = true;
      # Passphrase cache (seconds): entries expire after 10 s of inactivity
      # and are never kept longer than 60 s, for both gpg and SSH use.
      defaultCacheTtl = 10;
      maxCacheTtl = 60;
      defaultCacheTtlSsh = 10;
      maxCacheTtlSsh = 60;
      # Platform-specific pinentry: Touch ID on Darwin, the generic bundle on Linux.
      pinentry = lib.mkMerge [
        (helpers.mkIfDarwin {
          package = pkgs.pinentry-touchid;
          program = "pinentry-touchid";
        })
        (helpers.mkIfLinux {
          package = pkgs.pinentry-all;
          program = "pinentry";
        })
      ];
    };

    systemd.user.services.gpg-agent.Service.Slice = "session.slice";

    # Default git signing key; a host/user module may override it.
    modules.git.signingKey = lib.mkDefault "4EAF3D43CDBB01C9";

    age.secrets = lib.listToAttrs (map mkKeySecret privateKeyGrips);
  };
}