{ config, lib, pkgs, pkgs-unstable, ... }:
{
  # YubiKey / OpenPGP smartcard support for this host, plus the home-manager
  # gpg and gpg-agent setup for the talexander user.
  #
  # Fetch public keys:
  #   gpg --locate-keys tom@fizz.buzz
  #   gpg -vvv --auto-key-locate local,wkd --locate-keys tom@fizz.buzz
  imports = [ ];

  # System-wide smartcard plumbing: scdaemon reaches the reader through pcscd.
  hardware.gpgSmartcards.enable = true;
  services.pcscd.enable = true;

  services.udev.packages = [
    pkgs.yubikey-personalization
    pkgs.libfido2
    (pkgs.writeTextFile {
      name = "my-rules";
      destination = "/etc/udev/rules.d/50-yubikey.rules";
      # Only the 1050:0406 model is matched; other YubiKey product ids need
      # their own line. Both rules hand the raw device node to the `wheel`
      # group, and the hidraw rule additionally tags it `uaccess` (ACL for the
      # active seat's logged-in user via systemd-logind), so every wheel
      # member can talk to the token directly, independent of pcscd's policy.
      text = ''
        ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0406", MODE="660", GROUP="wheel"
        KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", TAG+="uaccess", GROUP="wheel", MODE="0660"
      '';
    })
  ];

  # Earlier experiments, kept for reference:
  # services.gnome.gnome-keyring.enable = true;
  # services.dbus.packages = [ pkgs.gcr ];
  # services.pcscd.plugins = lib.mkForce [ ];
  # programs.gpg.scdaemonSettings = {
  #   disable-ccid = true;
  # };

  # Per-user gnupg configuration (.gnupg/gpg.conf, scdaemon.conf, gpg-agent.conf).
  home-manager.users.talexander = { pkgs, ... }: {
    # home.file.".gnupg/scdaemon.conf" = {
    #   source = ./files/scdaemon.conf;
    # };

    programs.gpg.enable = true;
    # Open question: does this install a user-specific gnupg in addition to the
    # system-wide package from configuration.nix?
    # programs.gpg.homedir = "${config.home.homeDirectory}/.gnupg";

    # trust = 5 is "ultimate": the key is treated as our own, so anything it
    # certifies validates without further web-of-trust checks. Appropriate for
    # the owner's key only; third-party keys should get a lower level.
    programs.gpg.publicKeys = [
      { source = ./files/gpg.asc; trust = 5; }
    ];

    programs.gpg.settings = {
      # gpg 2.x always talks to the agent; this option is kept for compatibility.
      # Open question: how does it relate to configuration.nix and to the
      # home-manager gpg-agent settings below?
      use-agent = true;
    };

    # Disable gnupg's built-in CCID reader driver so the card is reached
    # through the system reader stack (pcsclite) instead.
    programs.gpg.scdaemonSettings.disable-ccid = true;

    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
      enableZshIntegration = true;
      # Open question: relation to the scdaemon setting above and/or in configuration.nix.
      enableScDaemon = true;
      pinentryPackage = pkgs.pinentry-qt;
      # Passphrase cache lifetimes in seconds (deliberately short).
      # NOTE(review): SSH keys are cached under separate defaultCacheTtlSsh /
      # maxCacheTtlSsh options; set those too if the same limits are intended
      # for the SSH agent side.
      defaultCacheTtl = 60;
      maxCacheTtl = 120;
      # NOTE(review): `ttyname` is documented as a gpg option rather than a
      # gpg-agent.conf option, and `$GPG_TTY` is not expanded inside config
      # files; confirm gpg-agent actually starts with this line present.
      extraConfig = ''
        ttyname $GPG_TTY
      '';
    };
  };

  # environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
  #   hideMounts = true;
  #   users.talexander = {
  #     directories = [
  #       {
  #         directory = ".gnupg";
  #         user = "talexander";
  #         group = "talexander";
  #         mode = "0700";
  #       } # Local keyring
  #     ];
  #   };
  # };

  # nixpkgs.overlays = [
  #   (final: prev: {
  #     pcsclite = prev.pcsclite.overrideAttrs (old: {
  #       postPatch = ''
  #         substituteInPlace src/libredirect.c src/spy/libpcscspy.c \
  #           --replace-fail "libpcsclite_real.so.1" "$lib/lib/libpcsclite_real.so.1"
  #       '';
  #     });
  #   })
  # ];

  # If ever re-enabled: these rules answer YES for every subject, i.e. any
  # local process may reach pcscd and the card; scope them (e.g. with
  # subject.isInGroup(...)) rather than granting unconditionally.
  # security.polkit.extraConfig = ''
  #   polkit.addRule(function(action, subject) {
  #     if (action.id == "org.debian.pcsc-lite.access_card") {
  #       return polkit.Result.YES;
  #     }
  #   });
  #   polkit.addRule(function(action, subject) {
  #     if (action.id == "org.debian.pcsc-lite.access_pcsc") {
  #       return polkit.Result.YES;
  #     }
  #   });
  # '';

  # Card management tooling available system-wide.
  environment.systemPackages = [
    pkgs.pcsctools
    pkgs.yubikey-personalization
    pkgs.yubikey-manager
  ];

  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = pkgs-unstable.gnupg;
  #     scdaemon = pkgs-unstable.scdaemon;
  #     libgcrypt = pkgs-unstable.libgcrypt;
  #   })
  # ];

  # nixpkgs.overlays = [
  #   (final: prev: {
  #     gnupg = prev.gnupg.overrideAttrs (old: rec {
  #       version = "2.4.7";
  #       src = prev.fetchurl {
  #         url = "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-${version}.tar.bz2";
  #         hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y=";
  #       };
  #     });
  #   })
  # ];
}