From 111c4d065dd320f47f4e0e078c6f62c84cf3f378 Mon Sep 17 00:00:00 2001 From: Dmitriy Kholkin Date: Sat, 20 Nov 2021 01:35:09 +0300 Subject: [PATCH] update secrets module --- modules/secrets.nix | 71 +++++++++++++++++++++++++------------ profiles/overlay.nix | 4 +-- profiles/workspace/misc.nix | 16 +++++++++ 3 files changed, 66 insertions(+), 25 deletions(-) diff --git a/modules/secrets.nix b/modules/secrets.nix index fa33053..b58638e 100644 --- a/modules/secrets.nix +++ b/modules/secrets.nix @@ -45,6 +45,20 @@ let }; }; + activate-secrets = pkgs.writeShellScriptBin "activate-secrets" '' + set -euo pipefail + export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" + if [ -d "${password-store}/.git" ]; then + cd "${password-store}"; ${pkgs.git}/bin/git pull + else + ${pkgs.git}/bin/git clone ${ + lib.escapeShellArg config.secretsConfig.repo + } "${password-store}" + fi + cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null + sudo systemctl restart ${allServices} + ''; + decrypt = name: cfg: with cfg; { "${name}-secrets" = rec { @@ -95,23 +109,6 @@ let (builtins.attrNames config.secrets-envsubst) ++ map (name: "${name}-secrets.service") (builtins.attrNames config.secrets)); - - activate-secrets = pkgs.writeShellScriptBin "activate-secrets" '' - set -euo pipefail - # Make sure card is available and unlocked - # echo fetch | gpg --card-edit --no-tty --command-fd=0 - # ${pkgs.gnupg}/bin/gpg --card-status - if [ -d "${password-store}/.git" ]; then - cd "${password-store}"; ${pkgs.git}/bin/git pull - else - ${pkgs.git}/bin/git clone ${lib.escapeShellArg config.secretsConfig.repo} "${password-store}" - fi - ln -sf ${ - pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master" - } "${password-store}/.git/hooks/post-commit" - cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null - sudo systemctl restart ${allServices} - ''; in { options.secrets = lib.mkOption { type = attrsOf (submodule secret); 
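Review bot: `gpgconf` is resolved from PATH on the new `export SSH_AUTH_SOCK=...` line while every other tool in activate-secrets is pinned to a store path (`${pkgs.git}/bin/git`, `${pkgs.gnupg}/bin/gpg`); once this script is started from the systemd user unit introduced later in this file, PATH is not guaranteed to contain gnupg, so the line should read `export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)"`. The script also has no ordering relationship with gpg-agent, so the SSH `git pull`/`git clone` can run before the agent socket exists; the later user unit would benefit from a `Wants`/`After` on `gpg-agent.service`, as misc.nix already does for pass-secret-service. The `let` binding list this hunk sits in starts and ends outside the hunk.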
@@ -121,15 +118,13 @@ in { options.secretsConfig = { repo = lib.mkOption { type = str; - default = "ssh://git@github.com/AlukardBF/pass"; + default = "ssh://gitea@gitea.ataraxiadev.com:AtaraxiaDev/pass.git"; }; }; config.systemd.services = mkMerge (concatLists (mapAttrsToList mkServices config.secrets)); - config.environment.systemPackages = [ activate-secrets ]; - config.security.sudo.extraRules = [{ users = [ "alukard" ]; commands = [{ @@ -139,8 +134,38 @@ in { }]; config.home-manager.users.alukard = { - xsession.windowManager.i3 = { - config.startup = [{ command = "activate-secrets"; }]; + systemd.user.services.activate-secrets = { + Service = { + ExecStart = "${activate-secrets}/bin/activate-secrets"; + Type = "oneshot"; + }; + Unit = { + PartOf = [ "graphical-session-pre.target" ]; + }; + Install.WantedBy = [ "graphical-session-pre.target" ]; + }; + systemd.user.services.pass-store-sync = { + Service = { + Environment = [ + "PASSWORD_STORE_DIR=${password-store}" + "PATH=${lib.makeBinPath [ pkgs.pass pkgs.inotify-tools pkgs.gnupg ]}" + ]; + ExecStart = toString (pkgs.writeShellScript "pass-store-sync" '' + export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" + while inotifywait "$PASSWORD_STORE_DIR" -r -e move -e close_write -e create -e delete --exclude .git; do + sleep 0.1 + pass git add --all + pass git commit -m "$(date +%F)_$(date+%T)" + pass git pull --rebase + pass git push + done + ''); + }; + Unit = rec { + After = [ "activate-secrets.service" ]; + Wants = After; + }; + Install.WantedBy = [ "graphical-session-pre.target" ]; }; programs.password-store = { enable = true; @@ -148,4 +173,4 @@ in { settings.PASSWORD_STORE_DIR = password-store; }; }; -} +} \ No newline at end of file diff --git a/profiles/overlay.nix b/profiles/overlay.nix index 462847f..45914a7 100644 --- a/profiles/overlay.nix +++ b/profiles/overlay.nix 
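Review bot: `$(date+%T)` on the `pass git commit -m` line of pass-store-sync is missing the space before `+%T`, so the shell looks for a command literally named `date+%T`, every commit message degrades to `<date>_` and an error is logged on each sync; it should be `pass git commit -m "$(date +%F_%T)"`. Separately, the unit's `Environment = [ "PATH=${lib.makeBinPath [ pkgs.pass pkgs.inotify-tools pkgs.gnupg ]}" ]` replaces the process PATH entirely, so `sleep` and `date` (coreutils) are not resolvable at all from that script — add `pkgs.coreutils` to the `lib.makeBinPath` list. The loop also runs `pass git push` unconditionally after `pass git pull --rebase`; chaining them as `pass git pull --rebase && pass git push` keeps a stopped rebase from being followed by a push attempt and makes the failure visible in the journal. The `config.home-manager.users.alukard` attribute set this hunk edits begins before the hunk.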
@@ -1,6 +1,6 @@ { pkgs, config, lib, inputs, ... }: let - system = "x86_64-linux"; + inherit (pkgs) system; stable = import inputs.nixpkgs-stable ({ config = config.nixpkgs.config; localSystem = { inherit system; }; @@ -12,7 +12,6 @@ let in with lib; { nixpkgs.overlays = [ - inputs.android-nixpkgs.overlay inputs.nixpkgs-wayland.overlay (self: super: rec { @@ -33,6 +32,7 @@ with lib; { youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; }; vivaldi = master.vivaldi; wine = super.wineWowPackages.staging; + pass-secret-service = super.pass-secret-service.overrideAttrs (_: { installCheckPhase = null; }); qbittorrent = super.qbittorrent.overrideAttrs (old: rec { version = "enchanced-edition"; src = inputs.qbittorrent-ee; diff --git a/profiles/workspace/misc.nix b/profiles/workspace/misc.nix index 19f735b..a7764f8 100644 --- a/profiles/workspace/misc.nix +++ b/profiles/workspace/misc.nix @@ -11,6 +11,22 @@ news.display = "silent"; systemd.user.startServices = true; home.stateVersion = "21.11"; + + #TODO: Move to another file + services.pass-secret-service.enable = true; + systemd.user.services.pass-secret-service = { + Service = { + ExecStart = lib.mkForce + "${pkgs.pass-secret-service}/bin/pass_secret_service --path ${config.environment.variables.PASSWORD_STORE_DIR}"; + Type = "dbus"; + BusName = "org.freedesktop.secrets"; + }; + Unit = rec { + Wants = [ "gpg-agent.service" "activate-secrets.service" ]; + After = Wants; + PartOf = [ "graphical-session-pre.target" ]; + }; + }; }; system.stateVersion = "21.11";
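Review bot: `installCheckPhase = null` on the new `pass-secret-service` override disables the package's post-install tests without recording which check fails or why, which makes the override easy to forget; a comment such as `# install check fails in our build (TODO: reason); re-enable once fixed` would keep it from becoming permanent, and `doInstallCheck = false;` is the conventional stdenv switch for the same effect. Since this daemon is what exposes the password store on the session bus, the reason that check fails is worth knowing before relying on it. The `(self: super: rec {` overlay this attribute lives in starts and ends outside the hunk.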
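Review bot: the forced `ExecStart` in misc.nix interpolates `--path ${config.environment.variables.PASSWORD_STORE_DIR}` unquoted into a systemd command line, and it reads a NixOS-level `environment.variables` entry while secrets.nix configures the store location through home-manager's `programs.password-store.settings.PASSWORD_STORE_DIR`; if the NixOS variable is not set elsewhere, evaluation fails on a missing attribute rather than at runtime. Quoting the value, `--path ${lib.escapeShellArg config.environment.variables.PASSWORD_STORE_DIR}`, removes the word-splitting hazard, and deriving both settings from one value would remove the duplication. The enclosing home-manager attribute set starts before this hunk.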