Update

deploy-nodes

@@ -0,0 +1,5 @@
+bakersfield-rpi4
+piaware-rpi4
+backups-rpi4
+osaka-linode-01
+milan-linode-01

home-manager/common/software/cli/default.nix

@@ -6,6 +6,7 @@
       ./btop.nix
       ./starship.nix
       ./git.nix
+      ./gpg.nix
       ./neofetch.nix
       ./ranger.nix
       ./ssh.nix

home-manager/common/software/cli/gpg.nix

@@ -0,0 +1,75 @@
+{ ... }: {
+  programs.gpg = {
+    enable = true;
+    settings = {
+      # https://github.com/drduh/config/blob/master/gpg.conf
+      # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
+      # 'gpg --version' to get capabilities
+      # Use AES256, 192, or 128 as cipher
+      personal-cipher-preferences = "AES256 AES192 AES";
+      # Use SHA512, 384, or 256 as digest
+      personal-digest-preferences = "SHA512 SHA384 SHA256";
+      # Use ZLIB, BZIP2, ZIP, or no compression
+      personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+      # Default preferences for new keys
+      default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
+      # SHA512 as digest to sign keys
+      cert-digest-algo = "SHA512";
+      # SHA512 as digest for symmetric ops
+      s2k-digest-algo = "SHA512";
+      # AES256 as cipher for symmetric ops
+      s2k-cipher-algo = "AES256";
+      # UTF-8 support for compatibility
+      charset = "utf-8";
+      # No comments in messages
+      no-comments = true;
+      # No version in output
+      no-emit-version = true;
+      # Disable banner
+      no-greeting = true;
+      # Long key id format
+      keyid-format "0xlong";
+      # Display UID validity
+      list-options = "show-uid-validity";
+      verify-options = "show-uid-validity";
+      # Display all keys and their fingerprints
+      with-fingerprint = true;
+      # Display key origins and updates
+      #with-key-origin
+      # Cross-certify subkeys are present and valid
+      require-cross-certification = true;
+      # Disable caching of passphrase for symmetrical ops
+      no-symkey-cache = true;
+      # Output ASCII instead of binary
+      armor = true;
+      # Enable smartcard
+      use-agent = true;
+      # Disable recipient key ID in messages (breaks Mailvelope)
+      throw-keyids = true;
+      # Default key ID to use (helpful with throw-keyids)
+      #default-key 0xFF3E7D88647EBCDB
+      #trusted-key 0xFF3E7D88647EBCDB
+      # Group recipient keys (preferred ID last)
+      #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
+      # Keyserver URL
+      #keyserver hkps://keys.openpgp.org
+      #keyserver hkps://keys.mailvelope.com
+      #keyserver hkps://keyserver.ubuntu.com:443
+      #keyserver hkps://pgpkeys.eu
+      #keyserver hkps://pgp.circl.lu
+      #keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
+      # Keyserver proxy
+      #keyserver-options http-proxy=http://127.0.0.1:8118
+      #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
+      # Enable key retrieval using WKD and DANE
+      #auto-key-locate wkd,dane,local
+      #auto-key-retrieve
+      # Trust delegation mechanism
+      #trust-model tofu+pgp
+      # Show expired subkeys
+      #list-options show-unusable-subkeys
+      # Verbose output
+      #verbose
+    };
+  };
+}

home-manager/small.nix

@@ -10,6 +10,7 @@
     ./common/software/cli/starship.nix
     ./common/software/cli/tmux.nix
     ./common/software/cli/atuin.nix
+    ./common/software/cli/gpg.nix
       
     # User configs
     ./users/${username}

nixos/hosts/osaka-linode-01/firewall.nix

@@ -87,7 +87,7 @@
         mode tcp 
         option forwarded
         option forwardfor if-none 
-        server mailserver-wg 10.100.1.3
+        server mailserver-wg 10.100.0.2
 
       backend backend_tcp
         mode tcp