From 014216de6b0d2adb593e9d556c9449336dbae501 Mon Sep 17 00:00:00 2001
From: 0xWheatyz
Date: Tue, 31 Mar 2026 21:25:35 -0400
Subject: [PATCH] feat(yubikey): add GPG agent, pcscd, and YubiKey support
Enable gpg-agent with SSH support and pinentry-gnome3, add yubikey-manager and pcscd service, configure GPG with hardened preferences and scdaemon, disable gnome-keyring SSH agent, and prepare git signing configuration.
---
 configuration.nix | 12 ++++++++----
 home.nix | 25 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/configuration.nix b/configuration.nix
index f15252a..b842f08 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -104,15 +104,17 @@
 code-cursor
 adwaita-icon-theme
 pkgs-unstable.claude-code # Use unstable for latest version
+ yubikey-manager
 ];
 # Some programs need SUID wrappers, can be configured further or are
 # started in user sessions.
 # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = pkgs.pinentry-gnome3;
+ };
 # List services that you want to enable:
@@ -216,6 +218,8 @@
 enable = true;
 };
+ services.pcscd.enable = true;
+
 security.pam.services = {
 login.u2fAuth = true;
 sudo.u2fAuth = true;
diff --git a/home.nix b/home.nix
index 153a673..683e060 100644
--- a/home.nix
+++ b/home.nix
@@ -22,6 +22,8 @@
 minicom
 kicad
 ghostty
+ gnupg
+ pinentry-gnome3
 gnomeExtensions.blur-my-shell
 gnomeExtensions.just-perfection
 gnomeExtensions.arc-menu
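Review bot: `enableSSHSupport = true;` in the new `programs.gnupg.agent` block makes gpg-agent the system-wide SSH agent, but nothing in configuration.nix disables the gnome-keyring SSH agent that the commit message says is being turned off; that only happens through a dconf key in home.nix, so a session that starts before home-manager's dconf settings are applied, or a user not managed by home.nix, may still end up with the keyring's socket in `SSH_AUTH_SOCK` (inferred from the two files, not verified on a running system). A one-line comment on the block would make the dependency visible: `# gpg-agent is the SSH agent; gnome-keyring's SSH agent is disabled via dconf in home.nix`. Separately, if I read the NixOS module correctly, enabling the agent with `pinentryPackage` already puts gnupg and the pinentry package in the environment, so the `gnupg` and `pinentry-gnome3` entries added to the user package list in home.nix look redundant and could be dropped to keep a single source of truth.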
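Review bot: `services.pcscd.enable = true;` is added without a comment explaining why it is required, while home.nix sets `disable-ccid = true;` for scdaemon, which makes pcscd the only path by which scdaemon can reach the YubiKey; the two settings only work together and a future cleanup of either one would silently break smartcard access. Suggest `# Required: scdaemon runs with disable-ccid (home.nix), so all smartcard access goes through pcscd` above the line. The enclosing attribute set continues outside the hunk.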
@@ -114,11 +116,34 @@
 exec = "ghostty";
 exec-arg = "";
 };
+ "org/gnome/crypto/cache" = {
+ enable-ssh-agent = false;
+ };
+ };
+
+ # GPG configuration
+ programs.gpg = {
+ enable = true;
+ settings = {
+ keyserver = "hkps://keys.openpgp.org";
+ keyid-format = "0xlong";
+ with-fingerprint = true;
+ personal-cipher-preferences = "AES256 AES192 AES";
+ personal-digest-preferences = "SHA512 SHA384 SHA256";
+ personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+ };
+ scdaemonSettings = {
+ disable-ccid = true;
+ };
 };
 # Manage your git configuration declaratively
 programs.git = {
 enable = true;
+ signing = {
+ key = null; # Will be set after GPG key generation
+ signByDefault = true;
+ };
 settings = {
 user = {
 name = "0xWheatyz";
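Review bot: `signByDefault = true;` combined with `key = null;` in the new `programs.git.signing` block means git will try to sign every commit and tag while leaving key selection to gpg's implicit match on the committer e-mail; until a key exists every commit fails at the signing step, and once keys exist the choice of key is not pinned, so any key carrying that user ID (including an unintended or attacker-imported one) could be selected. Prefer pinning the full fingerprint as soon as it is generated, `key = "<FULL-FINGERPRINT-PLACEHOLDER>";`, or set `signByDefault = false;` until then and say so in the comment. The `"org/gnome/crypto/cache"` key only affects the GNOME component that reads that path; whether it covers the keyring SSH agent on this GNOME version is not verifiable from the hunk, so a short comment naming the intent (`# stop gnome-keyring from exporting its own SSH agent socket; gpg-agent provides SSH`) would help the next reader. The `programs.git` attribute set continues outside the hunk.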