From f166761af71b5bf8f4513345841bb5ccfa55a03f Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Wed, 10 Jan 2024 13:21:05 +0800
Subject: [PATCH] fix: programs.gpg-agent do not support darwin, running gnupg agent at system level
---
 home/base/desktop/gpg/default.nix | 27 +++++++++++----------------
 modules/darwin/security.nix | 7 +++++++
 modules/nixos/desktop/security.nix | 7 +++++++
 3 files changed, 25 insertions(+), 16 deletions(-)
 create mode 100644 modules/darwin/security.nix
diff --git a/home/base/desktop/gpg/default.nix b/home/base/desktop/gpg/default.nix
index 930ad1a0..f399b81c 100644
--- a/home/base/desktop/gpg/default.nix
+++ b/home/base/desktop/gpg/default.nix
@@ -1,35 +1,30 @@ -{pkgs, config, mysecrets, ...}: { +{ + config, + mysecrets, + ... +}: { programs.gpg = { enable = true; homedir = "${config.home.homeDirectory}/.gnupg"; # $GNUPGHOME/trustdb.gpg stores all the trust level you specified in `programs.gpg.publicKeys` option. - # + # # If set `mutableTrust` to false, the path $GNUPGHOME/trustdb.gpg will be overwritten on each activation. # Thus we can only update trsutedb.gpg via home-manager. mutableTrust = true; # $GNUPGHOME/pubring.kbx stores all the public keys you specified in `programs.gpg.publicKeys` option. - # + # # If set `mutableKeys` to false, the path $GNUPGHOME/pubring.kbx will become an immutable link to the Nix store, denying modifications. # Thus we can only update pubring.kbx via home-manager mutableKeys = true; publicKeys = [ # https://www.gnupg.org/gph/en/manual/x334.html - { source = "${mysecrets}/public/ryan4yin-gpg-keys.pub"; trust = 5; } # ultimate trust, my own keys. + { + source = "${mysecrets}/public/ryan4yin-gpg-keys.pub"; + trust = 5; + } # ultimate trust, my own keys. ]; settings = { - }; }; - - home.packages = with pkgs; [ - pinentry-curses - ]; - services.gpg-agent = { - enable = true; - pinentryFlavor = "curses"; - enableSshSupport = false; - grabKeyboardAndMouse = true; - enableScDaemon = false; # enable Smartcard daemon for the GnuPG system - }; } diff --git a/modules/darwin/security.nix b/modules/darwin/security.nix new file mode 100644 index 00000000..2e3e7555 --- /dev/null +++ b/modules/darwin/security.nix @@ -0,0 +1,7 @@ +{ + # https://github.com/LnL7/nix-darwin/blob/master/modules/programs/gnupg.nix + programs.gnupg.agent = { + enable = true; + enableSSHSupport = false; + }; +} diff --git a/modules/nixos/desktop/security.nix b/modules/nixos/desktop/security.nix index 9083db4f..743d5ef4 100644 --- a/modules/nixos/desktop/security.nix +++ b/modules/nixos/desktop/security.nix 
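Review bot: Dropping the home-manager `services.gpg-agent` block also drops `enableScDaemon = false`, and neither of the system-level `programs.gnupg.agent` blocks added in this commit disables scdaemon, so if home-manager was emitting `disable-scdaemon` for that option the smartcard daemon will now be started on demand again — a small but real change in the agent's attack surface that the commit message does not mention. If that is unintended, it needs to be carried over in the system-level agent config (e.g. a `disable-scdaemon` line in gpg-agent.conf, if the system module offers a settings hook). Likewise `pinentry-curses` is removed from `home.packages` here while only the NixOS module re-supplies a pinentry via `pinentryFlavor`; the darwin side should be checked. The `settings = { };` attrset is now empty and could be deleted, and the context comment still misspells `trustdb.gpg` as `trsutedb.gpg`.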
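Review bot: The new darwin module enables the agent but, unlike the NixOS counterpart in this same commit, configures no pinentry — there is no `pinentryFlavor` here and `pinentry-curses` was just removed from `home.packages` — so unless nix-darwin's `programs.gnupg.agent` installs a default `pinentry-program`, passphrase prompts on macOS will fail once the agent starts. This is worth confirming against the linked nix-darwin module; if it exposes no pinentry option, a pinentry package must be installed and referenced from gpg-agent.conf via `pinentry-program`. A one-line comment recording the answer would save the next reader the lookup, e.g. `# pinentry on darwin is provided by <module/package> — see link above`.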
@@ -11,4 +11,11 @@
   # security with gnome-kering
   services.gnome.gnome-keyring.enable = true;
   security.pam.services.greetd.enableGnomeKeyring = true;
+
+  # gpg agent with pinentry
+  programs.gnupg.agent = {
+    eanble = true;
+    pinentryFlavor = "curses";
+    enableSSHSupport = false;
+  };
 }
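Review bot: `eanble = true;` in the new `programs.gnupg.agent` block is a typo for `enable = true;`; the NixOS module system rejects definitions of undeclared options, so this configuration should fail to evaluate with "The option `programs.gnupg.agent.eanble' does not exist", and even if it were accepted the agent would never be enabled, leaving the system with no gpg-agent at all now that the home-manager one is gone. Change the line to `enable = true;`. Note also that this block has no counterpart to the removed home-manager `enableScDaemon = false`, so scdaemon behaviour may differ from before unless it is set elsewhere.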