nix-config/home/gpg/macos.nix

{ config, pkgs, ... }:

let
  pinentry =
    "${pkgs.pinentry_mac}/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac";

in {
  home.packages = [ pkgs.gnupg pkgs.pinentry_mac ];

  home.file.".gnupg/gpg-agent.conf".text = ''
    enable-ssh-support
    default-cache-ttl 60
    max-cache-ttl 120
    display :0
    pinentry-program ${pinentry}
    log-file ${config.home.homeDirectory}/.local/var/log/gpg-agent.log
  '';

  home.file.".gnupg/gpg.conf".text = ''
    personal-cipher-preferences AES256 AES192 AES
    personal-digest-preferences SHA512 SHA384 SHA256
    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
    cert-digest-algo SHA512
    s2k-digest-algo SHA512
    s2k-cipher-algo AES256
    charset utf-8
    fixed-list-mode
    no-comments
    no-emit-version
    keyid-format 0xlong
    list-options show-uid-validity
    verify-options show-uid-validity
    with-fingerprint
    require-cross-certification
    use-agent
  '';

  home.file.".gnupg/scdaemon.conf".text = ''
    disable-ccid
    reader-port "Yubico YubiKey OTP+FIDO+CCID"
  '';
}