init

user/modules/security/gpg/default.nix

@@ -0,0 +1,50 @@
+{ pkgs, lib, config, osConfig, ... }:
+
+with lib;
+let
+  cfg = config.modules.user.security.gpg;
+  wm = config.modules.user.gui.wm;
+  gui = {
+    enable = builtins.any (mod: mod.enable or false) (builtins.attrValues wm);
+  };
+
+in
+{ options.modules.user.security.gpg = { enable = mkEnableOption "Enable GPG module"; };
+  config = mkIf cfg.enable {
+    programs.gpg = {
+      enable = true;
+      # Use pcscd instead of direct CCID access (avoids conflicts with age-plugin-yubikey)
+      scdaemonSettings = mkIf osConfig.services.pcscd.enable {
+        disable-ccid = true;
+      };
+      publicKeys = [
+        {
+          text = "${config.user.keys.pgp.yubikey}";
+          trust = 5;
+        }
+      ] ++ optionals (osConfig.networking.hostName == "workstation") [
+        {
+          text = "${config.user.keys.pgp.work}";
+          trust = 5;
+        }
+        {
+          text = "${config.user.keys.pgp.ccur}";
+          trust = 5;
+        }
+      ];
+    };
+
+    services.gpg-agent = {
+      enable = true;
+      enableSshSupport = true;
+      enableBashIntegration = true;
+      enableScDaemon = true;
+
+      pinentry.package =
+      if gui.enable then
+        pkgs.pinentry-gnome3
+      else
+        pkgs.pinentry-tty;
+    };
+  };
+}