sane-secrets-unlock: remove from ~/.profile and make it an s6 service

more reliable, in practice
2024-07-26 22:18:32 +00:00
parent ace03bb0e9
commit 19fd45211f
4 changed files with 24 additions and 21 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -160,6 +160,7 @@ in
      "rsync"
      "sane-scripts.bittorrent"
      "sane-scripts.cli"
+      "sane-secrets-unlock"
      "sc-im"
      # "snapper"
      "sops"  # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -133,6 +133,7 @@
    ./sane-private-unlock-remote.nix
    ./sane-screenshot.nix
    ./sane-scripts.nix
+    ./sane-secrets-unlock.nix
    ./sane-sysload.nix
    ./sane-theme.nix
    ./sanebox.nix
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -34,7 +34,6 @@ in
      "sane-scripts.reclaim-boot-space"
      "sane-scripts.reclaim-disk-space"
      "sane-scripts.secrets-dump"
-      "sane-scripts.secrets-unlock"
      "sane-scripts.secrets-update-keys"
      "sane-scripts.shutdown"
      "sane-scripts.sudo-redirect"
@@ -166,26 +165,6 @@ in
      extraPaths = [ "/nix/var/nix" ];
    };

-    "sane-scripts.secrets-unlock".sandbox = {
-      method = "bwrap";
-      extraHomePaths = [
-        ".ssh/id_ed25519"
-        ".ssh/id_ed25519.pub"
-        ".config/sops"
-      ];
-    };
-    "sane-scripts.secrets-unlock".fs.".config/sops".dir = {};
-    # automatically unlock the secrets at login.
-    # the alternative is to do it on-demand, which means giving lots of stuff access to my ssh key.
-    "sane-scripts.secrets-unlock".fs.".profile".symlink.text = ''
-      maybeUnlockSecrets() {
-        if test -f ~/.ssh/id_ed25519; then
-          sane-secrets-unlock
-        fi
-      }
-      sessionCommands+=('maybeUnlockSecrets')
-    '';
-
    "sane-scripts.secrets-dump".sandbox.method = "bwrap";
    "sane-scripts.secrets-dump".sandbox.extraHomePaths = [
      ".config/sops"
--- a/hosts/common/programs/sane-secrets-unlock.nix
+++ b/hosts/common/programs/sane-secrets-unlock.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+  sane.programs."sane-secrets-unlock" = {
+    packageUnwrapped = pkgs.sane-scripts.secrets-unlock;
+    sandbox.method = "bwrap";
+    sandbox.extraHomePaths = [
+      ".ssh/id_ed25519"
+      ".ssh/id_ed25519.pub"
+      ".config/sops"
+    ];
+    fs.".config/sops".dir = {};
+
+    # automatically unlock the secrets at login.
+    services.sane-secrets-unlock = {
+      description = "sane-secrets-unlock: make secrets in ~/knowledge readable";
+      startCommand = "sane-secrets-unlock";
+      cleanupCommand = "rm -f ~/.config/sops/age/keys.txt";
+      depends = [ "gocryptfs-private" ];
+      partOf = [ "private-storage" ];
+    };
+  };
+}