update secrets module
This commit is contained in:
parent
b58d393394
commit
111c4d065d
@ -45,6 +45,20 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
|
||||
set -euo pipefail
|
||||
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
||||
if [ -d "${password-store}/.git" ]; then
|
||||
cd "${password-store}"; ${pkgs.git}/bin/git pull
|
||||
else
|
||||
${pkgs.git}/bin/git clone ${
|
||||
lib.escapeShellArg config.secretsConfig.repo
|
||||
} "${password-store}"
|
||||
fi
|
||||
cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
|
||||
sudo systemctl restart ${allServices}
|
||||
'';
|
||||
|
||||
decrypt = name: cfg:
|
||||
with cfg; {
|
||||
"${name}-secrets" = rec {
|
||||
@ -95,23 +109,6 @@ let
|
||||
(builtins.attrNames config.secrets-envsubst)
|
||||
++ map (name: "${name}-secrets.service")
|
||||
(builtins.attrNames config.secrets));
|
||||
|
||||
activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
|
||||
set -euo pipefail
|
||||
# Make sure card is available and unlocked
|
||||
# echo fetch | gpg --card-edit --no-tty --command-fd=0
|
||||
# ${pkgs.gnupg}/bin/gpg --card-status
|
||||
if [ -d "${password-store}/.git" ]; then
|
||||
cd "${password-store}"; ${pkgs.git}/bin/git pull
|
||||
else
|
||||
${pkgs.git}/bin/git clone ${lib.escapeShellArg config.secretsConfig.repo} "${password-store}"
|
||||
fi
|
||||
ln -sf ${
|
||||
pkgs.writeShellScript "push" "${pkgs.git}/bin/git push origin master"
|
||||
} "${password-store}/.git/hooks/post-commit"
|
||||
cat ${password-store}/spotify.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
|
||||
sudo systemctl restart ${allServices}
|
||||
'';
|
||||
in {
|
||||
options.secrets = lib.mkOption {
|
||||
type = attrsOf (submodule secret);
|
||||
@ -121,15 +118,13 @@ in {
|
||||
options.secretsConfig = {
|
||||
repo = lib.mkOption {
|
||||
type = str;
|
||||
default = "ssh://git@github.com/AlukardBF/pass";
|
||||
default = "ssh://gitea@gitea.ataraxiadev.com:AtaraxiaDev/pass.git";
|
||||
};
|
||||
};
|
||||
|
||||
config.systemd.services =
|
||||
mkMerge (concatLists (mapAttrsToList mkServices config.secrets));
|
||||
|
||||
config.environment.systemPackages = [ activate-secrets ];
|
||||
|
||||
config.security.sudo.extraRules = [{
|
||||
users = [ "alukard" ];
|
||||
commands = [{
|
||||
@ -139,8 +134,38 @@ in {
|
||||
}];
|
||||
|
||||
config.home-manager.users.alukard = {
|
||||
xsession.windowManager.i3 = {
|
||||
config.startup = [{ command = "activate-secrets"; }];
|
||||
systemd.user.services.activate-secrets = {
|
||||
Service = {
|
||||
ExecStart = "${activate-secrets}/bin/activate-secrets";
|
||||
Type = "oneshot";
|
||||
};
|
||||
Unit = {
|
||||
PartOf = [ "graphical-session-pre.target" ];
|
||||
};
|
||||
Install.WantedBy = [ "graphical-session-pre.target" ];
|
||||
};
|
||||
systemd.user.services.pass-store-sync = {
|
||||
Service = {
|
||||
Environment = [
|
||||
"PASSWORD_STORE_DIR=${password-store}"
|
||||
"PATH=${lib.makeBinPath [ pkgs.pass pkgs.inotify-tools pkgs.gnupg ]}"
|
||||
];
|
||||
ExecStart = toString (pkgs.writeShellScript "pass-store-sync" ''
|
||||
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
|
||||
while inotifywait "$PASSWORD_STORE_DIR" -r -e move -e close_write -e create -e delete --exclude .git; do
|
||||
sleep 0.1
|
||||
pass git add --all
|
||||
pass git commit -m "$(date +%F)_$(date+%T)"
|
||||
pass git pull --rebase
|
||||
pass git push
|
||||
done
|
||||
'');
|
||||
};
|
||||
Unit = rec {
|
||||
After = [ "activate-secrets.service" ];
|
||||
Wants = After;
|
||||
};
|
||||
Install.WantedBy = [ "graphical-session-pre.target" ];
|
||||
};
|
||||
programs.password-store = {
|
||||
enable = true;
|
||||
|
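Review bot: In the pass-store-sync script of the last hunk, `pass git commit -m "$(date +%F)_$(date+%T)"` has no space between `date` and `+%T`, so the second substitution tries to run a command named `date+%T` and the commit message degrades to the date plus a trailing underscore; write it as `pass git commit -m "$(date +%F_%T)"`. The same unit sets `Environment=PATH=` to only pass, inotify-tools and gnupg, which presumably leaves `date` and `sleep` unresolvable inside the script unless the user manager merges its own PATH — adding `pkgs.coreutils` to the `lib.makeBinPath` list would make that explicit; confirm. The rewritten activate-secrets script also drops the old "Make sure card is available and unlocked" comment, leaving the `cat … spotify.gpg | gpg --decrypt > /dev/null` line unexplained; a comment such as `# decrypt one entry so the card/agent is unlocked before the secrets services are restarted` would restore the intent. The enclosing `let` block and the `config.home-manager.users.alukard` attrset start and end outside these hunks.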
@ -1,6 +1,6 @@
|
||||
{ pkgs, config, lib, inputs, ... }:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
inherit (pkgs) system;
|
||||
stable = import inputs.nixpkgs-stable ({
|
||||
config = config.nixpkgs.config;
|
||||
localSystem = { inherit system; };
|
||||
@ -12,7 +12,6 @@ let
|
||||
in
|
||||
with lib; {
|
||||
nixpkgs.overlays = [
|
||||
inputs.android-nixpkgs.overlay
|
||||
inputs.nixpkgs-wayland.overlay
|
||||
(self: super:
|
||||
rec {
|
||||
@ -33,6 +32,7 @@ with lib; {
|
||||
youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
|
||||
vivaldi = master.vivaldi;
|
||||
wine = super.wineWowPackages.staging;
|
||||
pass-secret-service = super.pass-secret-service.overrideAttrs (_: { installCheckPhase = null; });
|
||||
qbittorrent = super.qbittorrent.overrideAttrs (old: rec {
|
||||
version = "enchanced-edition";
|
||||
src = inputs.qbittorrent-ee;
|
||||
|
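Review bot: `pass-secret-service = super.pass-secret-service.overrideAttrs (_: { installCheckPhase = null; });` in the third hunk silently disables the package's install-time checks with no record of why, so a later reader cannot tell whether the failure it works around still exists; add a comment above it naming the reason, e.g. `# installCheckPhase disabled: <reason the check fails here>; drop this override once it passes again`. Setting the phase to null skips the check rather than fixing it, so the override should be revisited whenever nixpkgs is bumped. The overlay's `rec {` attrset starts and ends outside this hunk.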
@ -11,6 +11,22 @@
|
||||
news.display = "silent";
|
||||
systemd.user.startServices = true;
|
||||
home.stateVersion = "21.11";
|
||||
|
||||
#TODO: Move to another file
|
||||
services.pass-secret-service.enable = true;
|
||||
systemd.user.services.pass-secret-service = {
|
||||
Service = {
|
||||
ExecStart = lib.mkForce
|
||||
"${pkgs.pass-secret-service}/bin/pass_secret_service --path ${config.environment.variables.PASSWORD_STORE_DIR}";
|
||||
Type = "dbus";
|
||||
BusName = "org.freedesktop.secrets";
|
||||
};
|
||||
Unit = rec {
|
||||
Wants = [ "gpg-agent.service" "activate-secrets.service" ];
|
||||
After = Wants;
|
||||
PartOf = [ "graphical-session-pre.target" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "21.11";
|
||||
|
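Review bot: The forced `ExecStart` interpolates `config.environment.variables.PASSWORD_STORE_DIR` into the command line unquoted, unlike the secrets module, which passes its repo URL through `lib.escapeShellArg`; a store path containing whitespace would split into extra arguments, so write `--path ${lib.escapeShellArg config.environment.variables.PASSWORD_STORE_DIR}`. The `lib.mkForce` also deserves a one-line comment saying what it replaces in the upstream unit (presumably its default ExecStart without `--path`) so the next person knows the override is intentional. Because this unit answers on D-Bus as `org.freedesktop.secrets`, the `--path` it receives presumably decides which store every session client can read; confirm it is the same directory that activate-secrets and pass-store-sync operate on. The surrounding `home-manager.users` attrset begins outside this hunk.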