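#!/usr/bin/env bash
# Bootstrap a GnuPG identity for gopass: generate an ed25519 certification
# key, add a cv25519 encryption subkey, write gpg.conf / gpg-agent.conf and
# run `gopass init` against the new key.
#
# Environment (all optional):
#   GPG_NAME   real name for the user ID   (default: "Surname Lastname")
#   GPG_EMAIL  e-mail for the user ID      (default: "${USER}@kit.edu")
#
# The script refuses to continue when the keyring already holds more than one
# secret key, because it cannot tell which fingerprint belongs to gopass.
set -euo pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# TODO: edit identity string (or export GPG_NAME / GPG_EMAIL before running)
gpg_name="${GPG_NAME:-Surname Lastname}"
gpg_email="${GPG_EMAIL:-${USER}@kit.edu}"

# Create the home directory ourselves, before gpg does, so the 0700 mode is
# guaranteed regardless of the current umask.
mkdir -p -m 0700 ~/.gnupg/

# create gnupg key for gopass
# The primary key is certification-only and never expires; rotation is a
# manual step, so keep an offline backup of ~/.gnupg after this script runs.
gpg --quick-generate-key "${gpg_name} <${gpg_email}> (gopass)" ed25519 cert never

# get fingerprint (only works when there is exactly one key in the keychain).
# --with-colons output has one "sec:" record per secret primary key, followed
# by an "fpr:" record whose 10th field is the fingerprint. Match on the record
# type (field 1) rather than a bare "fpr" substring so that a user ID which
# happens to contain that text cannot be picked up by mistake.
secret_keys="$(gpg -K --with-colons | awk -F: '$1 == "sec" { n++ } END { print n + 0 }')"
[[ "$secret_keys" -eq 1 ]] || die "expected exactly one secret key in the keyring, found ${secret_keys}"
FPR="$(gpg -K --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')"
[[ -n "$FPR" ]] || die "could not determine the fingerprint of the new key"
printf '%s\n' "$FPR"

# add encryption subkey (auth and sign shown for completeness)
gpg --quick-add-key "${FPR}" cv25519 encr never
#gpg --quick-add-key "${FPR}" ed25519 sign never
#gpg --quick-add-key "${FPR}" ed25519 auth never

# run gpg-agent and dirmngr in session (socket activation: the daemons are
# started on first use, not by this command)
systemctl --user enable gpg-agent.socket
systemctl --user enable dirmngr.socket

# Tell gpg-agent which terminal to use for pinentry. Guarded so that running
# the script again does not append the same lines to ~/.bashrc a second time.
if ! grep -qF 'gpg-connect-agent updatestartuptty /bye' ~/.bashrc 2>/dev/null; then
  cat <<'EOF' >> ~/.bashrc

export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
fi

# create sensible gnupg config (unquoted EOF on purpose: ${FPR} is expanded)
cat <<EOF > ~/.gnupg/gpg.conf
# TOFU + Web of Trust
trust-model tofu+pgp
# crypto preferences
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
# SHA512 as digest to sign keys
cert-digest-algo SHA512
# SHA512 as digest for symmetric ops
s2k-digest-algo SHA512
# AES256 as cipher for symmetric ops
s2k-cipher-algo AES256
# UTF-8 support for compatibility
charset utf-8
# No comments in messages
no-comments
# No version in output
no-emit-version
# Disable banner
no-greeting
# Long key id format
keyid-format 0xlong
# Display UID validity
list-options show-uid-validity
verify-options show-uid-validity
# Display all keys and their fingerprints
with-fingerprint
# Output ASCII instead of binary
armor
# Default key ID to use
default-key ${FPR}
trusted-key ${FPR}
EOF

# set up credential caching
# 34560000 s is 400 days: after the first pinentry the passphrase stays in the
# agent's memory for that long, i.e. effectively until logout. Lower both
# values on a shared or unattended-unlocked machine.
cat <<EOF > ~/.gnupg/gpg-agent.conf
default-cache-ttl 34560000
max-cache-ttl 34560000
EOF
# The agent was already started by --quick-generate-key and will not re-read
# its config on its own; reload it so the TTL above takes effect now.
gpgconf --reload gpg-agent

# initialize gopass
gopass init "$FPR"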