feat: add pass-secret-service and password-store modules

2025-06-07 18:08:27 +03:00 · 2025-06-07 18:08:27 +03:00 · fc2638152d
commit fc2638152d
parent 26d72ea190
3 changed files with 104 additions and 0 deletions
--- a/modules/home/roles/default.nix
+++ b/modules/home/roles/default.nix
@ -36,6 +36,9 @@ in
  config =
    let
      baseRole = {
+        ataraxia.security.pass-secret-service.enable = mkDefault true;
+        ataraxia.security.password-store.enable = mkDefault true;
+
        programs.nix-index.enable = mkDefault true;
        programs.nix-index-database.comma.enable = mkDefault true;

--- a/modules/home/security/pass-secret-service.nix
+++ b/modules/home/security/pass-secret-service.nix
@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.ataraxia.security.pass-secret-service;
+in
+{
+  options.ataraxia.security.pass-secret-service = {
+    enable = mkEnableOption "Whether to enable pass-secret-service";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = [ pkgs.pass-secret-service ];
+    dbus.packages = [ pkgs.pass-secret-service ];
+    xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
+
+    services.pass-secret-service.enable = true;
+    systemd.user.services.pass-secret-service = {
+      Service.Environment = [
+        "GPG_TTY=/dev/tty1"
+        "DISPLAY=:0"
+      ];
+      Unit = rec {
+        Wants = [ "gpg-agent.service" ];
+        After = Wants;
+        PartOf = [ "graphical-session-pre.target" ];
+      };
+    };
+  };
+}
--- a/modules/home/security/password-store.nix
+++ b/modules/home/security/password-store.nix
@ -0,0 +1,67 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+  inherit (lib.types) nullOr path str;
+  cfg = config.ataraxia.security.password-store;
+in
+{
+  options.ataraxia.security.password-store = {
+    enable = mkEnableOption "Whether to enable password store";
+    autoSync = mkEnableOption "Whether to enable automatic sync of password store";
+    store = mkOption {
+      type = path;
+      default = "${config.xdg.dataHome}/password-store";
+    };
+    gnupgHome = mkOption {
+      type = path;
+      default =
+        if config.programs.gpg.enable then config.programs.gpg.homedir else "${config.xdg.dataHome}/gnupg";
+    };
+    repo = mkOption {
+      default = null;
+      description = "Git repository to sync with";
+      type = nullOr str;
+    };
+    sshKey = mkOption {
+      default = null;
+      description = "Ssh key to use for private repository";
+      type = nullOr str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !(cfg.autoSync && cfg.repo == null);
+        message = "If autoSync enabled, you must set repo to sync";
+      }
+      {
+        assertion = !(cfg.autoSync && cfg.sskKey == null);
+        message = "If autoSync enabled, you must set sshKey for connection to repo";
+      }
+    ];
+
+    # TODO: autosync with git
+
+    programs.password-store = {
+      enable = true;
+      package =
+        if config.ataraxia.wayland.enable then
+          pkgs.pass.withExtensions (exts: [ exts.pass-otp ])
+        else
+          pkgs.pass-wayland.withExtensions (exts: [ exts.pass-otp ]);
+      settings.PASSWORD_STORE_DIR = cfg.store;
+    };
+
+    persist.state.directories = [ cfg.store ];
+  };
+}