sane-secrets-unlock: remove from ~/.profile and make it an s6 service
more reliable, in practice
@@ -160,6 +160,7 @@ in
|
|||||||
"rsync"
|
"rsync"
|
||||||
"sane-scripts.bittorrent"
|
"sane-scripts.bittorrent"
|
||||||
"sane-scripts.cli"
|
"sane-scripts.cli"
|
||||||
|
"sane-secrets-unlock"
|
||||||
"sc-im"
|
"sc-im"
|
||||||
# "snapper"
|
# "snapper"
|
||||||
"sops" # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
|
"sops" # for manually viewing secrets; outside `sane-secrets` (TODO: improve sane-secrets!)
|
||||||
|
@@ -133,6 +133,7 @@
|
|||||||
./sane-private-unlock-remote.nix
|
./sane-private-unlock-remote.nix
|
||||||
./sane-screenshot.nix
|
./sane-screenshot.nix
|
||||||
./sane-scripts.nix
|
./sane-scripts.nix
|
||||||
|
./sane-secrets-unlock.nix
|
||||||
./sane-sysload.nix
|
./sane-sysload.nix
|
||||||
./sane-theme.nix
|
./sane-theme.nix
|
||||||
./sanebox.nix
|
./sanebox.nix
|
||||||
|
@@ -34,7 +34,6 @@ in
|
|||||||
"sane-scripts.reclaim-boot-space"
|
"sane-scripts.reclaim-boot-space"
|
||||||
"sane-scripts.reclaim-disk-space"
|
"sane-scripts.reclaim-disk-space"
|
||||||
"sane-scripts.secrets-dump"
|
"sane-scripts.secrets-dump"
|
||||||
"sane-scripts.secrets-unlock"
|
|
||||||
"sane-scripts.secrets-update-keys"
|
"sane-scripts.secrets-update-keys"
|
||||||
"sane-scripts.shutdown"
|
"sane-scripts.shutdown"
|
||||||
"sane-scripts.sudo-redirect"
|
"sane-scripts.sudo-redirect"
|
||||||
@@ -166,26 +165,6 @@ in
|
|||||||
extraPaths = [ "/nix/var/nix" ];
|
extraPaths = [ "/nix/var/nix" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
"sane-scripts.secrets-unlock".sandbox = {
|
|
||||||
method = "bwrap";
|
|
||||||
extraHomePaths = [
|
|
||||||
".ssh/id_ed25519"
|
|
||||||
".ssh/id_ed25519.pub"
|
|
||||||
".config/sops"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
"sane-scripts.secrets-unlock".fs.".config/sops".dir = {};
|
|
||||||
# automatically unlock the secrets at login.
|
|
||||||
# the alternative is to do it on-demand, which means giving lots of stuff access to my ssh key.
|
|
||||||
"sane-scripts.secrets-unlock".fs.".profile".symlink.text = ''
|
|
||||||
maybeUnlockSecrets() {
|
|
||||||
if test -f ~/.ssh/id_ed25519; then
|
|
||||||
sane-secrets-unlock
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
sessionCommands+=('maybeUnlockSecrets')
|
|
||||||
'';
|
|
||||||
|
|
||||||
"sane-scripts.secrets-dump".sandbox.method = "bwrap";
|
"sane-scripts.secrets-dump".sandbox.method = "bwrap";
|
||||||
"sane-scripts.secrets-dump".sandbox.extraHomePaths = [
|
"sane-scripts.secrets-dump".sandbox.extraHomePaths = [
|
||||||
".config/sops"
|
".config/sops"
|
||||||
|
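--- a/hosts/common/programs/sane-secrets-unlock.nix
+++ b/hosts/common/programs/sane-secrets-unlock.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+sane.programs."sane-secrets-unlock" = {
+packageUnwrapped = pkgs.sane-scripts.secrets-unlock;
+sandbox.method = "bwrap";
+sandbox.extraHomePaths = [
+".ssh/id_ed25519"
+".ssh/id_ed25519.pub"
+".config/sops"
+];
+fs.".config/sops".dir = {};
+
+# automatically unlock the secrets at login.
+services.sane-secrets-unlock = {
+description = "sane-secrets-unlock: make secrets in ~/knowledge readable";
+startCommand = "sane-secrets-unlock";
+cleanupCommand = "rm -f ~/.config/sops/age/keys.txt";
+depends = [ "gocryptfs-private" ];
+partOf = [ "private-storage" ];
+};
+};
+}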