nixos/users/malte/gpg.nix


# Per-user GnuPG setup: defines the `secret` and `reveal` helper scripts and
# enables gpg together with gpg-agent (smartcard daemon and SSH support).
{pkgs, ...}: let
# Local settings file; this module only reads `conf.gpg.grip` from it.
conf = import ./conf.nix;
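# `secret FILE`: encrypts FILE (ASCII-armored) to three recipients and writes
# the result to ~/FILE.<unix-epoch>.enc, then prints FILE on success.
# The plaintext input is left in place; remove it separately if it must not
# stay on disk.
# Because the output path is built as ~/"$1...", FILE is expected to be a
# plain relative name; an absolute path or a missing subdirectory under ~
# makes gpg fail to create the output.
# NOTE(review): the recipients are given as short hex key IDs. Full
# fingerprints are the safer selector, since short IDs can collide and gpg
# would then encrypt to a key the author did not intend.
secret = pkgs.writeShellApplication {
  name = "secret";
  runtimeInputs = [
    pkgs.gnupg
  ];
  text = ''
    if [ "$#" -lt 1 ]; then
      echo "usage: secret FILE" >&2
      exit 1
    fi
    output=~/"$1.$(date +%s).enc"
    # "--" ends option parsing so a file name that starts with "-" is read
    # as a file, not as a gpg option.
    gpg --encrypt --armor --output "$output" -r 0x0000 -r 0x0001 -r 0x0002 -- "$1" && echo "$1"
  '';
};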
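# `reveal FILE.<unix-epoch>.enc`: decrypts a file produced by `secret` and
# writes the plaintext next to it under the original name (the 15-character
# ".<10-digit epoch>.enc" suffix removed), then prints "input -> output".
# The name is checked against that suffix first: blindly cutting 15
# characters from an unrelated or too-short name would send the decrypted
# plaintext to an unexpected (or empty) output path.
# The decrypted file is written to disk in the input's directory; treat that
# location as holding sensitive material afterwards.
reveal = pkgs.writeShellApplication {
  name = "reveal";
  runtimeInputs = [
    pkgs.gnupg
  ];
  text = ''
    if [ "$#" -lt 1 ]; then
      echo "usage: reveal FILE.<epoch>.enc" >&2
      exit 1
    fi
    case "$1" in
      ?*.[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].enc) ;;
      *)
        echo "reveal: expected a name ending in .<10-digit epoch>.enc, got: $1" >&2
        exit 1
        ;;
    esac
    # Shortest-suffix removal; the digits contain no dot, so this strips
    # exactly the ".<epoch>.enc" part validated above.
    output="''${1%.*.enc}"
    # "--" ends option parsing so a file name that starts with "-" is read
    # as a file, not as a gpg option.
    gpg --decrypt --output "$output" -- "$1" && echo "$1 -> $output"
  '';
};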
in {
  # YubiKey tooling plus the two helper scripts defined in the let-block.
  home.packages = [
    pkgs.yubikey-personalization
    secret
    reveal
  ];

  programs.gpg = {
    enable = true;
  };

  # gpg-agent with the smartcard daemon enabled, also acting as the SSH agent.
  # Only the keygrip read from conf.gpg.grip is listed for SSH use.
  services.gpg-agent.enable = true;
  services.gpg-agent.enableScDaemon = true;
  services.gpg-agent.enableSshSupport = true;
  services.gpg-agent.sshKeys = [conf.gpg.grip];
  # NOTE(review): newer Home Manager releases replace `pinentryFlavor` with a
  # package-valued option; confirm against the pinned release before upgrading.
  services.gpg-agent.pinentryFlavor = "gnome3";
}