prepare fs.generated.script users to not assume a shell
parent
3ce2716fbe
commit
558b35fee0
|
@ -1,10 +1,16 @@
|
|||
{ config, sane-lib, ... }:
|
||||
{ config, pkgs, sane-lib, ... }:
|
||||
|
||||
let
|
||||
init-keyring = pkgs.static-nix-shell.mkBash {
|
||||
pname = "init-keyring";
|
||||
src = ./.;
|
||||
};
|
||||
in
|
||||
{
|
||||
sane.user.persist.private = [ ".local/share/keyrings" ];
|
||||
|
||||
sane.user.fs."private/.local/share/keyrings/default" = {
|
||||
generated.script.script = builtins.readFile ./init-keyring;
|
||||
generated.script.script = "${init-keyring}/bin/init-keyring";
|
||||
# TODO: is this `wantedBy` needed? can we inherit it?
|
||||
wantedBy = [ config.sane.fs."/home/colin/private".unit ];
|
||||
wantedBeforeBy = [ ]; # don't created this as part of `multi-user.target`
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
#!/bin/sh
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash
|
||||
# initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
|
||||
# this initializes it to be plaintext/unencrypted.
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
./derived-secrets.nix
|
||||
./derived-secrets
|
||||
./gui
|
||||
./hardware
|
||||
./hostnames.nix
|
||||
|
|
|
@ -1,8 +1,14 @@
|
|||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins) toString;
|
||||
inherit (lib) mapAttrs mkOption types;
|
||||
|
||||
hash-path-with-salt = pkgs.static-nix-shell.mkBash {
|
||||
pname = "hash-path-with-salt";
|
||||
src = ./.;
|
||||
};
|
||||
|
||||
cfg = config.sane.derived-secrets;
|
||||
secret = types.submodule {
|
||||
options = {
|
||||
|
@ -31,15 +37,7 @@ in
|
|||
|
||||
config = {
|
||||
sane.fs = mapAttrs (path: c: {
|
||||
generated.script.script = ''
|
||||
echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
|
||||
| sha512sum \
|
||||
| cut -c 1-${toString (c.len * 2)} \
|
||||
| tr a-z A-Z \
|
||||
| basenc -d --base16 \
|
||||
| basenc --${c.encoding} \
|
||||
> "$1"
|
||||
'';
|
||||
generated.script.script = ''${hash-path-with-salt}/bin/hash-path-with-salt "$@"'';
|
||||
generated.script.scriptArgs = [ path ];
|
||||
generated.acl.mode = "0600";
|
||||
}) cfg;
|
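Review bot: The new script file `hosts/modules/derived-secrets/hash-path-with-salt` still carries the Nix interpolations `${toString (c.len * 2)}` and `${c.encoding}` on its `cut` and `basenc` lines, but this hunk now runs it as a plain bash program with `scriptArgs = [ path ]`, so bash treats them as parameter expansions (an invalid name is a "bad substitution" error) and the per-secret `len` and `encoding` options no longer reach the script at all. Pass them as positional arguments instead: `generated.script.scriptArgs = [ path (toString c.len) c.encoding ];` here, and in the script `| cut -c 1-$(( $2 * 2 )) \` and `| basenc --"$3" \`. The same point applies to the new hash-path-with-salt file section below. Unless that script also sets `set -o pipefail` (not visible here), a failed read of `/etc/ssh/host_keys/ssh_host_ed25519_key` does not stop the pipeline, and the "secret" written to `"$1"` would be derived from the path alone, so the guard is worth adding at the same time.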
9
hosts/modules/derived-secrets/hash-path-with-salt
Executable file
9
hosts/modules/derived-secrets/hash-path-with-salt
Executable file
|
@ -0,0 +1,9 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash
|
||||
echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
|
||||
| sha512sum \
|
||||
| cut -c 1-${toString (c.len * 2)} \
|
||||
| tr a-z A-Z \
|
||||
| basenc -d --base16 \
|
||||
| basenc --${c.encoding} \
|
||||
> "$1"
|
|
@ -15,11 +15,8 @@ in
|
|||
sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
|
||||
sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
|
||||
wantedBeforeBy = [ "bluetooth.service" ];
|
||||
generated.script.script = ''
|
||||
${install-bluetooth}/bin/install-bluetooth $@
|
||||
touch "/var/lib/bluetooth/.secrets.stamp"
|
||||
'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/bt" ];
|
||||
generated.script.script = ''${install-bluetooth}/bin/install-bluetooth "$@"'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/bt" "" "/var/lib/bluetooth/.secrets.stamp" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
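Review bot: The new `scriptArgs` list passes `""` as the second argument, which only makes sense to a reader who already knows that install-bluetooth treats an empty `destdir` as "use the default"; a comment on that line would save the next reader a trip into the script, e.g. `# "" = destdir: let install-bluetooth choose its default`. Switching from `$@` to `"$@"` is the right call, since the secret and stamp paths are now passed through unsplit.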
@ -12,6 +12,7 @@
|
|||
|
||||
srcdir="$1"
|
||||
destdir="$2"
|
||||
stamp="$3"
|
||||
|
||||
if [ "x$destdir" = "x" ]
|
||||
then
|
||||
|
@ -36,3 +37,8 @@ do
|
|||
touch "$condir/attributes"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "x$stamp" != "x" ]
|
||||
then
|
||||
touch "$stamp"
|
||||
fi
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
|
||||
src_dir="$1"
|
||||
dest_dir="$2"
|
||||
stamp="$3"
|
||||
for f in $(ls "$src_dir")
|
||||
do
|
||||
if [ -f "$src_dir/$f" ]; then
|
||||
|
@ -21,3 +22,4 @@ do
|
|||
chmod 600 "$dest_dir/$ssid.psk"
|
||||
fi
|
||||
done
|
||||
touch "$stamp"
|
||||
|
|
|
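Review bot: `touch "$stamp"` at the end of install-iwd is unconditional, whereas the matching addition to install-bluetooth guards it with `if [ "x$stamp" != "x" ]`; run without a third argument this becomes `touch ""`, which fails. The iwd module does pass a stamp today, but for parity with install-bluetooth and to keep the script usable by hand, guard it the same way or write `[ -n "$stamp" ] && touch "$stamp"`. The `for` loop this hunk closes starts outside the hunk.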
@ -12,11 +12,8 @@ in
|
|||
sane.fs."/var/lib/iwd/.secrets.psk.stamp" = {
|
||||
wantedBeforeBy = [ "iwd.service" ];
|
||||
generated.acl.mode = "0600";
|
||||
generated.script.script = ''
|
||||
${install-iwd}/bin/install-iwd $@
|
||||
touch "/var/lib/iwd/.secrets.psk.stamp"
|
||||
'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" ];
|
||||
generated.script.script = ''${install-iwd}/bin/install-iwd "$@"'';
|
||||
generated.script.scriptArgs = [ "/run/secrets/net" "/var/lib/iwd" "/var/lib/iwd/.secrets.psk.stamp" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -41,8 +41,8 @@ lib.mkIf config.sane.persist.enable
|
|||
|
||||
# let sane.fs know how to initialize the gocryptfs store,
|
||||
# and that it MUST do so
|
||||
sane.fs."${underlying}/gocryptfs.conf".generated = {
|
||||
script.script = ''
|
||||
sane.fs."${underlying}/gocryptfs.conf".generated = let
|
||||
script = pkgs.writeShellScript "init-gocryptfs-store" ''
|
||||
backing="$1"
|
||||
passfile="$2"
|
||||
# clear the backing store
|
||||
|
@ -50,16 +50,20 @@ lib.mkIf config.sane.persist.enable
|
|||
rm -rf "''${backing:?}"/*
|
||||
${pkgs.gocryptfs}/bin/gocryptfs -quiet -passfile "$passfile" -init "$backing"
|
||||
'';
|
||||
in {
|
||||
script.script = ''${script} "$@"'';
|
||||
script.scriptArgs = [ underlying key ];
|
||||
# we need the key in order to initialize the store
|
||||
depends = [ config.sane.fs."${key}".unit ];
|
||||
};
|
||||
|
||||
# let sane.fs know how to generate the key for gocryptfs
|
||||
sane.fs."${key}".generated = {
|
||||
script.script = ''
|
||||
sane.fs."${key}".generated = let
|
||||
script = pkgs.writeShellScript "gen-random-gocryptfs-key" ''
|
||||
dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"
|
||||
'';
|
||||
in {
|
||||
script.script = ''${script} "$@"'';
|
||||
script.scriptArgs = [ key ];
|
||||
# no need for anyone else to be able to read the key
|
||||
acl.mode = "0400";
|
||||
|
|
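Review bot: The key generator `dd if=/dev/random bs=128 count=1 | base64 --wrap=0 > "$1"` has no failure handling: as far as I can tell `pkgs.writeShellScript` does not enable `set -e` or `pipefail` on its own, the pipeline's exit status is base64's, and `dd` without `iflag=fullblock` may return fewer than 128 bytes on a short read, so a failed or partial read can leave a short or empty key file that the unit then treats as successfully generated. The redirection also creates the file with the default umask, so if the `acl.mode = "0400"` step runs after the script (the ordering is not visible here) the key may be readable by others for a moment. Suggest starting the script with `set -euo pipefail` and `umask 077`, and using `dd if=/dev/random bs=128 count=1 iflag=fullblock status=none | base64 --wrap=0 > "$1"`. The same `set -euo pipefail` belongs at the top of init-gocryptfs-store in the hunk above, whose `rm -rf` and `gocryptfs -init` steps otherwise continue after a failure.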