add yubikey + gpg config

modules/home/default.nix

@@ -1,58 +1,61 @@
 { inputs, lib, config, pkgs, ... }:
   # This is your home-manager configuration file
   # Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
-let
-  primary_user = "djinn";  # TODO: make dynamic
-in
-{
-  imports = [
-    ./firefox
-    ./neovim
-  ];
-
-  home = {
-    username = "${primary_user}";
-    homeDirectory = "/home/${primary_user}";
-
-    keyboard = {
-      layout = "us";
-      variant = "dvorak";
-      options = [
-        "caps: swapescape"  # use caps lock as escape key
-        "ctrl: swap_ralt_rctl"
-      ];
-    };
+  let
+    primary_user = "djinn";  # TODO: make dynamic
+  in
+  {
+    imports = [
+      ./firefox
+      ./neovim
+    ];
+
+    home = {
+      username = "${primary_user}";
+      homeDirectory = "/home/${primary_user}";
+
+      keyboard = {
+        layout = "us";
+        variant = "dvorak";
+        options = [
+          "caps: swapescape"  # use caps lock as escape key
+          "ctrl: swap_ralt_rctl"
+        ];
+      };
 
-    sessionVariables = {
-      EDITOR = "nvim";
-      VISUAL = "nvim";
-      TERMINAL = "foot";
-      WLR_NO_HARDWARE_CURSORS = "1";
-    };
+      sessionVariables = {
+        EDITOR = "nvim";
+        VISUAL = "nvim";
+        TERMINAL = "foot";
+        WLR_NO_HARDWARE_CURSORS = "1";
+        GPG_TTY= "$(tty)";
+      };
 
     # add user packages here!
     packages = with pkgs;
-      let
-        python-linters = python-packages: with python-packages; [
-          flake8
-          flake8-bugbear
-          bandit
-          black
-        ];
-        python-with-linters = python3.withPackages python-linters;
-      in
-      [
-        brightnessctl
-        curl
-        gh
-        jq
-        obsidian # TODO: add overlay to include plugins & vault already connected
-        pfetch
-        protonvpn-cli
-        python-with-linters
-        ripgrep
-        zenith
+    let
+      python-linters = python-packages: with python-packages; [
+        flake8
+        flake8-bugbear
+        bandit
+        black
       ];
+      python-with-linters = python3.withPackages python-linters;
+    in
+    [
+      brightnessctl
+      chatgpt-cli
+      curl
+      gh
+      gnupg
+      jq
+      obsidian # TODO: add overlay to include plugins & vault already connected
+      pfetch
+      protonvpn-cli
+      python-with-linters
+      ripgrep
+      zenith
+    ];
   };
 
   fonts.fontconfig.enable = true;  # access fonts in home.packages
@@ -88,12 +91,16 @@ in
       enable = true;
       userName = "data-djinn";
       userEmail = "[email protected]";
+      signing = {
+        signByDefault = true;
+        key = "A974448D85A49F02";
+      };
       diff-so-fancy.enable = true;
       aliases = {
         a = "add";
-        c = "commit -m";
-        ca = "commit --amend";
-        can = "commit --amend --no-edit";
+        c = "commit -Sm";
+        ca = "commit -S --amend";
+        can = "commit -S --amend --no-edit";
         co = "checkout";
         d = "diff";
         f = "fetch";
@@ -116,12 +123,34 @@ in
         pull = {
           rebase = true;
         };
-        gpg.format = "ssh";
-        user.signingkey = "$/home/{primary_user}/.ssh/id_ed255519.pub";
       };
     };
 
-    gpg.enable = true;
+    gpg = {
+      enable = true;
+      settings = {  # copied from dr duh
+        personal-cipher-preferences = "AES256 AES192 AES";
+        personal-digest-preferences = "SHA512 SHA384 SHA256";
+        personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+        default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
+        cert-digest-algo = "SHA512";
+        s2k-digest-algo = "SHA512";
+        s2k-cipher-algo = "AES256";
+        charset = "utf-8";
+        fixed-list-mode = true;  # show unix timestamps
+        no-comments = true;
+        no-emit-version = true;
+        no-greeting = true;
+        keyid-format = "0xlong";  # long hexadecimal key format
+        list-options = "show-uid-validity";
+        verify-options = "show-uid-validity";
+        with-fingerprint = true;
+        require-cross-certification = true;
+        no-symkey-cache = true;
+        use-agent = true;  # enable smartcard
+        throw-keyids = true;
+      };
+    };
 
     home-manager = {
       enable = true;
@@ -138,6 +167,13 @@ in
     };
   };
 
+  services.gpg-agent = {
+    enable = true;
+    enableSshSupport = true;
+    pinentryFlavor = "curses";
+  };
+
+
   # ===== Sway (Wayland Tiling Window Manager) =====
   wayland.windowManager.sway = {
     enable = true;

modules/profiles/common/default.nix

@@ -3,18 +3,36 @@
   #======== SECURITY =========
   networking.firewall.enable = true;
 
+  programs.ssh.startAgent = false;
   services.openssh = {
     enable = true;
-    PermitRootLogin = "no"; # Forbid root login through SSH.
-    PasswordAuthentication = false; # Use keys only
+    permitRootLogin = "no"; # Forbid root login through SSH.
+    passwordAuthentication = false; # Use keys only
   };
 
+  # enable gpg agent with terminal pinentry
+  services.pcscd.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryFlavor = "curses";
+    enableSSHSupport = true;
+  };
+  environment.systemPackages = with pkgs; [
+    pinentry-curses
+  ];
+
   security.sudo = {
     enable = true;
     execWheelOnly = true; # patch for CVE-2021-3156
     # TODO: "logfile=/persist/var/log/sudo.log lecture=\"never\""
   };
 
+  # pluggable auth module for universal 2FA
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+
   security.audit = {
     enable = true;
     rules = [ "-a exit,always -F arch=b64 -S execve" ];
@@ -26,6 +44,9 @@
   #======== NETWORK =========
   services.tlp.enable = true;
 
+  #======== GUI =========
+  hardware.opengl.enable = true;
+
   #======== DEFAULTS =========
   i18n.defaultLocale = "en_US.utf8";
   console.keyMap = "dvorak";