feat: add pass-secret-service and password-store modules

2025-06-07 18:08:27 +03:00 · 2025-06-07 18:08:27 +03:00 · fc2638152d
commit fc2638152d
parent 26d72ea190
3 changed files with 104 additions and 0 deletions
--- a/modules/home/roles/default.nix
+++ b/modules/home/roles/default.nix
@ -36,6 +36,9 @@ in
  config =
    let
      baseRole = {
        ataraxia.security.pass-secret-service.enable = mkDefault true;
        ataraxia.security.password-store.enable = mkDefault true;
        programs.nix-index.enable = mkDefault true;
        programs.nix-index-database.comma.enable = mkDefault true;
--- a/modules/home/security/pass-secret-service.nix
+++ b/modules/home/security/pass-secret-service.nix
@ -0,0 +1,34 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf;
  cfg = config.ataraxia.security.pass-secret-service;
 in
 {
  options.ataraxia.security.pass-secret-service = {
    enable = mkEnableOption "Whether to enable pass-secret-service";
  };
  config = mkIf cfg.enable {
    home.packages = [ pkgs.pass-secret-service ];
    dbus.packages = [ pkgs.pass-secret-service ];
    xdg.portal.extraPortals = [ pkgs.pass-secret-service ];
    services.pass-secret-service.enable = true;
    systemd.user.services.pass-secret-service = {
      Service.Environment = [
        "GPG_TTY=/dev/tty1"
        "DISPLAY=:0"
      ];
      Unit = rec {
        Wants = [ "gpg-agent.service" ];
        After = Wants;
        PartOf = [ "graphical-session-pre.target" ];
      };
    };
  };
 }
--- a/modules/home/security/password-store.nix
+++ b/modules/home/security/password-store.nix
@ -0,0 +1,67 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    ;
  inherit (lib.types) nullOr path str;
  cfg = config.ataraxia.security.password-store;
 in
 {
  options.ataraxia.security.password-store = {
    enable = mkEnableOption "Whether to enable password store";
    autoSync = mkEnableOption "Whether to enable automatic sync of password store";
    store = mkOption {
      type = path;
      default = "${config.xdg.dataHome}/password-store";
    };
    gnupgHome = mkOption {
      type = path;
      default =
        if config.programs.gpg.enable then config.programs.gpg.homedir else "${config.xdg.dataHome}/gnupg";
    };
    repo = mkOption {
      default = null;
      description = "Git repository to sync with";
      type = nullOr str;
    };
    sshKey = mkOption {
      default = null;
      description = "Ssh key to use for private repository";
      type = nullOr str;
    };
  };
  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = !(cfg.autoSync && cfg.repo == null);
        message = "If autoSync enabled, you must set repo to sync";
      }
      {
        assertion = !(cfg.autoSync && cfg.sskKey == null);
        message = "If autoSync enabled, you must set sshKey for connection to repo";
      }
    ];
    # TODO: autosync with git
    programs.password-store = {
      enable = true;
      package =
        if config.ataraxia.wayland.enable then
          pkgs.pass.withExtensions (exts: [ exts.pass-otp ])
        else
          pkgs.pass-wayland.withExtensions (exts: [ exts.pass-otp ]);
      settings.PASSWORD_STORE_DIR = cfg.store;
    };
    persist.state.directories = [ cfg.store ];
  };
 }