Finally make pass-secret-service somewhat work

This commit is contained in:
Alexander Bantyev 2021-10-23 19:48:36 +03:00
parent 3b5b7e3d74
commit 4d7cd32b71
Signed by: balsoft
GPG Key ID: E081FF12ADCB4AD5
4 changed files with 50 additions and 25 deletions


@ -45,6 +45,26 @@ let
}; };
}; };
activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
set -euo pipefail
# Make sure card is available and unlocked
echo fetch | gpg --card-edit --no-tty --command-fd=0
${pkgs.gnupg}/bin/gpg --card-status
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
if [ -d "${password-store}/.git" ]; then
cd "${password-store}"; ${pkgs.git}/bin/git pull
else
${pkgs.git}/bin/git clone ${
lib.escapeShellArg config.secretsConfig.repo
} "${password-store}"
fi
ln -sf ${
pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
} "${password-store}/.git/hooks/post-commit"
cat ${password-store}/email/balsoft@balsoft.ru.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
sudo systemctl restart ${allServices}
'';
decrypt = name: cfg: decrypt = name: cfg:
with cfg; { with cfg; {
"${name}-secrets" = rec { "${name}-secrets" = rec {
@ -111,25 +131,6 @@ in {
config.systemd.services = config.systemd.services =
mkMerge (concatLists (mapAttrsToList mkServices config.secrets)); mkMerge (concatLists (mapAttrsToList mkServices config.secrets));
config.environment.systemPackages = [
(pkgs.writeShellScriptBin "activate-secrets" ''
set -euo pipefail
# Make sure card is available and unlocked
echo fetch | gpg --card-edit --no-tty --command-fd=0
${pkgs.gnupg}/bin/gpg --card-status
if [ -d "${password-store}/.git" ]; then
cd "${password-store}"; ${pkgs.git}/bin/git pull
else
${pkgs.git}/bin/git clone ${lib.escapeShellArg config.secretsConfig.repo} "${password-store}"
fi
ln -sf ${
pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
} "${password-store}/.git/hooks/post-commit"
cat ${password-store}/email/balsoft@balsoft.ru.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
sudo systemctl restart ${allServices}
'')
];
config.security.sudo.extraRules = [{ config.security.sudo.extraRules = [{
users = [ "balsoft" ]; users = [ "balsoft" ];
commands = [{ commands = [{
@ -138,12 +139,18 @@ in {
}]; }];
}]; }];
config.persist.derivative.directories = config.persist.derivative.directories = [ "/var/secrets" password-store ];
[ "/var/secrets" password-store ];
config.home-manager.users.balsoft = { config.home-manager.users.balsoft = {
wayland.windowManager.sway = { systemd.user.services.activate-secrets = {
config.startup = [{ command = "activate-secrets"; }]; Service = {
ExecStart = "${activate-secrets}/bin/activate-secrets";
Type = "oneshot";
};
Unit = {
PartOf = [ "graphical-session-pre.target" ];
};
Install.WantedBy = [ "graphical-session-pre.target" ];
}; };
programs.password-store = { programs.password-store = {
enable = true; enable = true;
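Review bot: In the first hunk the card-edit line and the SSH_AUTH_SOCK line call bare `gpg` and `gpgconf` while every other gnupg invocation in the same script is pinned to `${pkgs.gnupg}/bin`; this mattered less when the script was launched from the sway startup command with the user's shell PATH, but the third hunk now runs it as a systemd user unit, where PATH is whatever the user manager provides, so those two lines can fail with "command not found" under `set -e` before the git pull and the decrypt ever run. Pinning them keeps the script self-contained: `echo fetch | ${pkgs.gnupg}/bin/gpg --card-edit --no-tty --command-fd=0` and `export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)"`. The `cat … | gpg --decrypt > /dev/null` line presumably exists only to make the agent ask for the card PIN before the `sudo systemctl restart`; a one-line comment stating that intent would save the next reader from deleting it as dead output.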


@ -92,8 +92,8 @@ in {
Environment = Environment =
"PATH=/run/current-system/sw/bin:/etc/profiles/per-user/balsoft/bin"; "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/balsoft/bin";
}; };
Unit.After = [ "sway-session.target" ];
Install = { Install = {
After = [ "sway-session.target" ];
WantedBy = lib.mkForce [ "sway-session.target" ]; WantedBy = lib.mkForce [ "sway-session.target" ];
}; };
}; };


@ -8,6 +8,7 @@
tracker-miners.enable = true; tracker-miners.enable = true;
gnome-settings-daemon.enable = true; gnome-settings-daemon.enable = true;
glib-networking.enable = true; glib-networking.enable = true;
# pass-secret-service is used instead
gnome-keyring.enable = true; gnome-keyring.enable = true;
gnome-online-accounts.enable = true; gnome-online-accounts.enable = true;
gnome-online-miners.enable = true; gnome-online-miners.enable = true;
@ -40,6 +41,18 @@
home-manager.users.balsoft = { home-manager.users.balsoft = {
services.pass-secret-service.enable = true; services.pass-secret-service.enable = true;
systemd.user.services.pass-secret-service = {
Service = {
Type = "dbus";
BusName = "org.freedesktop.secrets";
};
Unit = rec {
Wants = [ "gpg-agent.service" "activate-secrets.service" ];
After = Wants;
PartOf = [ "graphical-session-pre.target" ];
};
};
home.activation.gnome = '' home.activation.gnome = ''
$DRY_RUN_CMD mkdir -p "$XDG_CONFIG_HOME/goa-1.0" $DRY_RUN_CMD mkdir -p "$XDG_CONFIG_HOME/goa-1.0"
$DRY_RUN_CMD ln -sf ${ $DRY_RUN_CMD ln -sf ${
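Review bot: The comment added in the first hunk says pass-secret-service is used instead of gnome-keyring, but `gnome-keyring.enable = true;` on the next line is left unchanged, so two daemons will compete for the well-known bus name `org.freedesktop.secrets` that the second hunk declares as `BusName`; which one ends up serving the session's secrets depends on start order and is not deterministic. If the keyring is really no longer needed, disable it here (`gnome-keyring.enable = false;`, or `lib.mkForce false` if a desktop module elsewhere turns it on — the rest of this file is outside the hunk); if it is still kept for another purpose, the comment should name that purpose rather than say "instead". The `Wants`/`After` on `activate-secrets.service` in the second hunk only orders the start; since it is not `Requires`, pass-secret-service still starts when the card unlock failed, which is worth a comment if that is the intended degraded mode.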


@ -22,7 +22,12 @@ in {
users.users.balsoft.extraGroups = [ "sway" ]; users.users.balsoft.extraGroups = [ "sway" ];
environment.loginShellInit = lib.mkAfter ''[[ "$(tty)" == /dev/tty1 ]] && sway''; environment.loginShellInit = lib.mkAfter ''
[[ "$(tty)" == /dev/tty1 ]] && {
pass unlock
sway
}
'';
home-manager.users.balsoft.wayland.windowManager.sway = { home-manager.users.balsoft.wayland.windowManager.sway = {
enable = true; enable = true;
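Review bot: `pass unlock` is run in the tty1 login shell with its exit status ignored, so `sway` starts whether or not the unlock succeeded; that is probably intended (a missing card should not lock the user out of the desktop), but it is not visible from the code, and a `pass unlock` that blocks — for example a pinentry waiting for a card that is not inserted — delays the whole session rather than being skipped. A short comment would make the contract explicit, e.g. `# best-effort: unlock the card on the console before the graphical session; never block the login on it`. I cannot tell from this page whether `unlock` is a pass extension provided elsewhere in the configuration; if it is, it has to be on the login shell's PATH at this point or the line silently does nothing.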