Finally make pass-secret-service somewhat work

2021-10-23 19:48:36 +03:00 · 2021-10-23 19:48:36 +03:00 · 4d7cd32b71
commit 4d7cd32b71
parent 3b5b7e3d74
4 changed files with 50 additions and 25 deletions
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@ -45,6 +45,26 @@ let
    };
  };

+  activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
+    set -euo pipefail
+    # Make sure card is available and unlocked
+    echo fetch | gpg --card-edit --no-tty --command-fd=0
+    ${pkgs.gnupg}/bin/gpg --card-status
+    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+    if [ -d "${password-store}/.git" ]; then
+      cd "${password-store}"; ${pkgs.git}/bin/git pull
+    else
+      ${pkgs.git}/bin/git clone ${
+        lib.escapeShellArg config.secretsConfig.repo
+      } "${password-store}"
+    fi
+    ln -sf ${
+      pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
+    } "${password-store}/.git/hooks/post-commit"
+    cat ${password-store}/email/balsoft@balsoft.ru.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
+    sudo systemctl restart ${allServices}
+  '';
+
  decrypt = name: cfg:
    with cfg; {
      "${name}-secrets" = rec {
@ -111,25 +131,6 @@ in {
  config.systemd.services =
    mkMerge (concatLists (mapAttrsToList mkServices config.secrets));

-  config.environment.systemPackages = [
-    (pkgs.writeShellScriptBin "activate-secrets" ''
-      set -euo pipefail
-      # Make sure card is available and unlocked
-      echo fetch | gpg --card-edit --no-tty --command-fd=0
-      ${pkgs.gnupg}/bin/gpg --card-status
-      if [ -d "${password-store}/.git" ]; then
-        cd "${password-store}"; ${pkgs.git}/bin/git pull
-      else
-        ${pkgs.git}/bin/git clone ${lib.escapeShellArg config.secretsConfig.repo} "${password-store}"
-      fi
-      ln -sf ${
-        pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
-      } "${password-store}/.git/hooks/post-commit"
-      cat ${password-store}/email/balsoft@balsoft.ru.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
-      sudo systemctl restart ${allServices}
-    '')
-  ];
-
  config.security.sudo.extraRules = [{
    users = [ "balsoft" ];
    commands = [{
@ -138,12 +139,18 @@ in {
    }];
  }];

-  config.persist.derivative.directories =
-    [ "/var/secrets" password-store ];
+  config.persist.derivative.directories = [ "/var/secrets" password-store ];

  config.home-manager.users.balsoft = {
-    wayland.windowManager.sway = {
-      config.startup = [{ command = "activate-secrets"; }];
+    systemd.user.services.activate-secrets = {
+      Service = {
+        ExecStart = "${activate-secrets}/bin/activate-secrets";
+        Type = "oneshot";
+      };
+      Unit = {
+        PartOf = [ "graphical-session-pre.target" ];
+      };
+      Install.WantedBy = [ "graphical-session-pre.target" ];
    };
    programs.password-store = {
      enable = true;
--- a/profiles/applications/emacs/default.nix
+++ b/profiles/applications/emacs/default.nix
@ -92,8 +92,8 @@ in {
        Environment =
          "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/balsoft/bin";
      };
+      Unit.After = [ "sway-session.target" ];
      Install = {
-        After = [ "sway-session.target" ];
        WantedBy = lib.mkForce [ "sway-session.target" ];
      };
    };
--- a/profiles/workspace/gnome3/default.nix
+++ b/profiles/workspace/gnome3/default.nix
@ -8,6 +8,7 @@
    tracker-miners.enable = true;
    gnome-settings-daemon.enable = true;
    glib-networking.enable = true;
+    # pass-secret-service is used instead
    gnome-keyring.enable = true;
    gnome-online-accounts.enable = true;
    gnome-online-miners.enable = true;
@ -40,6 +41,18 @@
  home-manager.users.balsoft = {
    services.pass-secret-service.enable = true;

+    systemd.user.services.pass-secret-service = {
+      Service = {
+        Type = "dbus";
+        BusName = "org.freedesktop.secrets";
+      };
+      Unit = rec {
+        Wants = [ "gpg-agent.service" "activate-secrets.service" ];
+        After = Wants;
+        PartOf = [ "graphical-session-pre.target" ];
+      };
+    };
+
    home.activation.gnome = ''
      $DRY_RUN_CMD mkdir -p "$XDG_CONFIG_HOME/goa-1.0"
      $DRY_RUN_CMD ln -sf ${
--- a/profiles/workspace/sway/default.nix
+++ b/profiles/workspace/sway/default.nix
@ -22,7 +22,12 @@ in {

  users.users.balsoft.extraGroups = [ "sway" ];

-  environment.loginShellInit = lib.mkAfter ''[[ "$(tty)" == /dev/tty1 ]] && sway'';
+  environment.loginShellInit = lib.mkAfter ''
+    [[ "$(tty)" == /dev/tty1 ]] && {
+      pass unlock
+      sway
+    }
+  '';

  home-manager.users.balsoft.wayland.windowManager.sway = {
    enable = true;