sane-secrets-unlock: remove from ~/.profile and make it an s6 service

more reliable, in practice
2024-07-26 22:18:32 +00:00
parent ace03bb0e9
commit 19fd45211f
4 changed files with 24 additions and 21 deletions


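--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -160,6 +160,7 @@ in
 "rsync"
 "sane-scripts.bittorrent"
 "sane-scripts.cli"
+"sane-secrets-unlock"
 "sc-im"
 # "snapper"
 "sops" # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)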


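--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -133,6 +133,7 @@
 ./sane-private-unlock-remote.nix
 ./sane-screenshot.nix
 ./sane-scripts.nix
+./sane-secrets-unlock.nix
 ./sane-sysload.nix
 ./sane-theme.nix
 ./sanebox.nix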


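--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -34,7 +34,6 @@ in
 "sane-scripts.reclaim-boot-space"
 "sane-scripts.reclaim-disk-space"
 "sane-scripts.secrets-dump"
-"sane-scripts.secrets-unlock"
 "sane-scripts.secrets-update-keys"
 "sane-scripts.shutdown"
 "sane-scripts.sudo-redirect"
@@ -166,26 +165,6 @@ in
 extraPaths = [ "/nix/var/nix" ];
 };
-"sane-scripts.secrets-unlock".sandbox = {
-method = "bwrap";
-extraHomePaths = [
-".ssh/id_ed25519"
-".ssh/id_ed25519.pub"
-".config/sops"
-];
-};
-"sane-scripts.secrets-unlock".fs.".config/sops".dir = {};
-# automatically unlock the secrets at login.
-# the alternative is to do it on-demand, which means giving lots of stuff access to my ssh key.
-"sane-scripts.secrets-unlock".fs.".profile".symlink.text = ''
-maybeUnlockSecrets() {
-if test -f ~/.ssh/id_ed25519; then
-sane-secrets-unlock
-fi
-}
-sessionCommands+=('maybeUnlockSecrets')
-'';
 "sane-scripts.secrets-dump".sandbox.method = "bwrap";
 "sane-scripts.secrets-dump".sandbox.extraHomePaths = [
 ".config/sops"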


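--- /dev/null
+++ b/PATH-NOT-SHOWN/sane-secrets-unlock.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+sane.programs."sane-secrets-unlock" = {
+packageUnwrapped = pkgs.sane-scripts.secrets-unlock;
+sandbox.method = "bwrap";
+sandbox.extraHomePaths = [
+".ssh/id_ed25519"
+".ssh/id_ed25519.pub"
+".config/sops"
+];
+fs.".config/sops".dir = {};
+# automatically unlock the secrets at login.
+services.sane-secrets-unlock = {
+description = "sane-secrets-unlock: make secrets in ~/knowledge readable";
+startCommand = "sane-secrets-unlock";
+cleanupCommand = "rm -f ~/.config/sops/age/keys.txt";
+depends = [ "gocryptfs-private" ];
+partOf = [ "private-storage" ];
+};
+};
+}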
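Review bot: The `startCommand` in `services.sane-secrets-unlock` runs `sane-secrets-unlock` unconditionally, whereas the `.profile` hook it replaces only ran it when `~/.ssh/id_ed25519` exists; on a host where that key is absent the service will presumably fail on every start (how the s6 supervisor reacts to that is not visible here). If the start command is run through a shell, as `cleanupCommand` with its `~` and `rm -f` suggests, the old guard can be kept: `startCommand = "test -f ~/.ssh/id_ed25519 && sane-secrets-unlock";`. The comment `# automatically unlock the secrets at login.` is also no longer accurate: the unit is `partOf = [ "private-storage" ]` and depends on `gocryptfs-private`, so it follows the private-storage mount rather than login, and the old second line explaining why unlocking is not done on demand was dropped. Suggest `# automatically unlock the secrets whenever private storage is mounted, rather than on demand (which would mean giving lots of stuff access to my ssh key).`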