first attempt at setting up yubikey and commit signing using it (secondary key)

modules/home/tools/git/default.nix

@@ -17,8 +17,7 @@ in
     userName = mkOpt types.str user.fullName "The name to configure git with.";
     userEmail = mkOpt types.str user.email "The email to configure git with.";
     signingKey =
-      mkOpt types.str "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4iH29edivUi+k94apb6pasWq8qphfhYo0d6B2GhISf"
-        "The pub key to sign commits with.";
+      mkOpt types.str "6995A5FF33791B7B" "The pub key to sign commits with.";
     signByDefault = mkOpt types.bool true "Whether to sign commits by default.";
   };
 
@@ -44,10 +43,6 @@ in
         safe = {
           directory = "${user.home}/projects/config";
         };
-        gpg = {
-          format = "ssh";
-          "ssh".program = "${pkgs._1password-gui}/bin/op-ssh-sign";
-        };
       };
     };
   };

modules/nixos/graphical-interface/desktop-manager/hyprland/default.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.wyrdgard;
+let
+  cfg = config.wyrdgard.graphical-interface.desktop-manager.hyprland;
+in
+{
+  options.wyrdgard.graphical-interface.desktop-manager.hyprland = with types; {
+    enable = mkEnableOption "Whether to enable hyprland";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ polkit xdg-desktop-portal-hyprland dconf ];
+
+    services.xserver = enabled;
+
+    programs.hyprland = {
+      enable = true;
+      xwayland.enable = true;
+    };
+  };
+}

modules/nixos/security/gpg/default.nix

@@ -19,6 +19,10 @@ let
     max-cache-ttl 120
     pinentry-program ${pkgs.pinentry-qt}/bin/pinentry-qt
   '';
+
+    reload-yubikey = pkgs.writeShellScriptBin "reload-yubikey" ''
+    ${pkgs.gnupg}/bin/gpg-connect-agent "scd serialno" "learn --force" /bye
+  '';
 in
 {
   options.wyrdgard.security.gpg = with types; {
@@ -27,11 +31,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    services.pcscd.enable = true;
+    services.udev.packages = with pkgs; [ yubikey-personalization ];
+
     environment.systemPackages = with pkgs; [
+      cryptsetup
       paperkey
       gnupg
       pinentry-curses
       pinentry-qt
+
+      yubikey-manager
+      yubikey-manager-qt
+      reload-yubikey
     ];
 
     programs = {
@@ -50,6 +62,8 @@ in
 
         ".gnupg/gpg.conf".source = gpgConf;
         ".gnupg/gpg-agent.conf".text = gpgAgentConf;
+        ".gnupg/scdeamon.conf".text = "disable-ccid";
+        # YUBIKEYCERTIFYPASSWORD
       };
     };
   };

modules/nixos/tools/git/default.nix

@@ -17,8 +17,7 @@ in
     userName = mkOpt types.str user.fullName "The name to use git with";
     userEmail = mkOpt types.str user.email "The email to use git with";
     signingKey =
-      mkOpt types.str "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4iH29edivUi+k94apb6pasWq8qphfhYo0d6B2GhISf"
-        "The key ID to sign commits with.";
+      mkOpt types.str "6995A5FF33791B7B" "The key ID to sign commits with.";
   };
 
   config = mkIf cfg.enable {
@@ -34,7 +33,7 @@ in
         lfs.enable = true;
         signing = {
           key = cfg.signingKey;
-          signByDefault = mkIf _1password.enable true;
+          signByDefault = mkIf gpg.enable true;
         };
         extraConfig = {
           init = {
@@ -49,10 +48,6 @@ in
           safe = {
             directory = "${config.users.users.${user.name}.home}/projects/config";
           };
-          gpg = {
-            format = "ssh";
-            "ssh".program = "${pkgs._1password-gui}/bin/op-ssh-sign";
-          };
         };
       };
     };

systems/x86_64-linux/yggdrasil/default.nix

@@ -36,6 +36,8 @@ with lib.wyrdgard;
         gpu.nvidia = enabled;
       };
     };
+
+    security.gpg = enabled;
   };
 
   system.stateVersion = "23.11";