nixos-config/modules/pass-store.nix

{ pkgs, config, lib, ... }:
let
  cfg = config.services.password-store;
  inherit (lib) mkEnableOption mkOption types escapeShellArg mkIf makeBinPath;
in {
  options.services.password-store = {
    enable = mkEnableOption "password-store";
    store = mkOption {
      type = types.path;
      default = "${config.home-manager.users.${config.mainuser}.xdg.dataHome}/password-store";
    };
    gnupgHome = mkOption {
      type = types.path;
      default = "${config.home-manager.users.${config.mainuser}.xdg.dataHome}/gnupg";
    };
    repo = mkOption {
      type = types.str;
    };
    sshKey = mkOption {
      type = types.str;
    };
  };

  config = mkIf (cfg.enable) {
    home-manager.users.${config.mainuser} = {
      systemd.user.services.activate-secrets = {
        Service = {
          Environment = [
            "GIT_SSH_COMMAND='ssh -i ${cfg.sshKey} -o IdentitiesOnly=yes'"
            "PATH=${makeBinPath [ pkgs.git pkgs.openssh ]}"
          ];
          ExecStart = pkgs.writeShellScript "activate-secrets" ''
            set -euo pipefail
            if [ -d "${cfg.store}/.git" ]; then
              git -C "${cfg.store}" pull
            else
              echo "Pulling ${escapeShellArg cfg.repo}"
              git clone ${escapeShellArg cfg.repo} "${cfg.store}"
            fi
          '';
          Type = "oneshot";
        };
        Unit.PartOf = [ "graphical-session-pre.target" ];
        Install.WantedBy = [ "graphical-session-pre.target" ];
      };
      systemd.user.services.pass-store-sync = {
        Service = {
          Environment = [
            "PASSWORD_STORE_DIR=${cfg.store}"
            "GIT_SSH_COMMAND='ssh -i ${cfg.sshKey} -o IdentitiesOnly=yes'"
            "PATH=${with pkgs; makeBinPath [ pass-wayland inotify-tools ]}"
          ];
          ExecStart = pkgs.writeShellScript "pass-store-sync" ''
            set -euo pipefail
            while inotifywait "$PASSWORD_STORE_DIR" -r -e move -e close_write -e create -e delete --exclude .git; do
              sleep 0.1
              pass git add --all
              pass git commit -m "$(date +%F)_$(date +%T)"
              pass git pull --rebase
              pass git push
            done
          '';
        };
        Unit = rec {
          After = [ "activate-secrets.service" ];
          Wants = After;
        };
        Install.WantedBy = [ "graphical-session-pre.target" ];
      };
      programs.password-store = {
        enable = true;
        package = pkgs.pass-wayland;
        settings.PASSWORD_STORE_DIR = cfg.store;
      };
    };
  };
}