sops-gpg-adapter: port to nix-shell

2024-07-24 07:40:29 +00:00
parent 225c8de7a2
commit 6f1173e45a
5 changed files with 43 additions and 30 deletions


@@ -263,7 +263,7 @@ in
# TODO: find a way to not expose ~/.ssh to firefox
# - unlock sops at login (or before firefox launch)?
# - see if ssh has a more formal type of subkey system?
".ssh/id_ed25519"
# ".ssh/id_ed25519"
# ".config/sops"
"knowledge/secrets/accounts"
];
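Review bot: The TODO block directly above the changed entry still lists "unlock sops at login (or before firefox launch)?" as an open question, while the same commit's `.profile` snippet for sane-scripts.secrets-unlock implements login-time unlocking; the comment should be updated so only the genuinely open item remains, e.g. `# - sops is unlocked at login via ~/.profile (sane-secrets-unlock); see if ssh has a more formal type of subkey system?`. Keeping `".ssh/id_ed25519"` as a commented-out entry next to the already commented `".config/sops"` reads as if it is meant to be re-enabled; if removing the key from this exposure list is permanent, deleting the line keeps the list authoritative. The enclosing attribute list starts outside the hunk.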


@@ -175,6 +175,16 @@ in
];
};
"sane-scripts.secrets-unlock".fs.".config/sops".dir = {};
# automatically unlock the secrets at login.
# the alternative is to do it on-demand, which means giving lots of stuff access to my ssh key.
"sane-scripts.secrets-unlock".fs.".profile".symlink.text = ''
maybeUnlockSecrets() {
if test -f ~/.ssh/id_ed25519; then
sane-secrets-unlock
fi
}
sessionCommands+=('maybeUnlockSecrets')
'';
# sane-secrets-dump is a thin wrapper around sops + some utilities.
# really i should sandbox just the utilities
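Review bot: `maybeUnlockSecrets` gates only on `~/.ssh/id_ed25519` existing, so `sane-secrets-unlock` runs on every login shell that sources `.profile` and its exit status is propagated to whatever consumes `sessionCommands`; if the unlock fails (unreadable or passphrase-protected key, missing age tool) the consequence for the session depends on that consumer, which is outside this hunk. If a failed unlock should never block login, make the call best-effort and visible, e.g. `sane-secrets-unlock || echo "sane-secrets-unlock: failed, secrets stay locked" >&2`. Idempotence across repeated logins appears to rely on the unlock script's own early exit when `~/.config/sops/age/keys.txt` exists (changed in this commit), which is worth stating in the comment above the function.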


@@ -1,7 +1,13 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p coreutils-full -p openssh -p ssh-to-age
# unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
set -ex
set -e
if test -f ~/.config/sops/age/keys.txt; then
exit
fi
set -x
mkdir -p ~/.config/sops/age
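Review bot: `set -x` is turned on immediately after the early-exit check, so every subsequent command of the unlock script is traced to stderr of the login session; the traced part includes the step that derives the age key from the SSH private key (ssh-to-age is in the shebang), and if that step passes key material or its path on a command line it ends up in the session log. Prefer keeping only `set -e`, or move `set -x` below the commands that touch the key so only non-sensitive steps are traced. The remainder of the script is outside the hunk, so I cannot confirm exactly what the traced commands are. Separately, the `#!/usr/bin/env nix-shell` shebang means the tool set is resolved by nix-shell at login time; the `static-nix-shell.mkBash` wrapper used for the browserpass adapter in this same commit would avoid that cost if this script is also packaged.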


@@ -1,29 +1,25 @@
{ lib
, browserpass
, bash
, fetchFromGitea
, gnused
, sane-scripts
, sops
, stdenv
, substituteAll
{
bash,
browserpass,
fetchFromGitea,
gnused,
lib,
sane-scripts,
sops,
static-nix-shell,
stdenv,
substituteAll,
}:
let
sane-browserpass-gpg = stdenv.mkDerivation {
pname = "sane-browserpass-gpg";
version = "0.1.0";
src = ./.;
inherit bash gnused sops;
sane_secrets_unlock = sane-scripts.secrets-unlock; # XXX: must be snake_case
installPhase = ''
mkdir -p $out/bin
substituteAll ${./sops-gpg-adapter} $out/bin/gpg
chmod +x $out/bin/gpg
ln -s $out/bin/gpg $out/bin/gpg2
sops-gpg-adapter = static-nix-shell.mkBash {
pname = "sops-gpg-adapter";
srcRoot = ./.;
pkgs = [ "gnused" "sane-scripts.secrets-unlock" "sops" ];
postInstall = ''
ln -s sops-gpg-adapter $out/bin/gpg
ln -s sops-gpg-adapter $out/bin/gpg2
'';
};
in
browserpass.overrideAttrs (upstream: {
@@ -39,7 +35,7 @@ in
make install
wrapProgram $out/bin/browserpass \
--prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]}
--prefix PATH : ${lib.makeBinPath [ sops-gpg-adapter ]}
# This path is used by our firefox wrapper for finding native messaging hosts
mkdir -p $out/lib/mozilla/native-messaging-hosts
@@ -47,6 +43,6 @@ in
'';
passthru = (upstream.passthru or {}) // {
inherit sane-browserpass-gpg;
inherit sops-gpg-adapter;
};
})
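Review bot: `bash`, `gnused` and `sops` remain in the function's argument set although the rewritten derivation now names its dependencies only as strings in `pkgs = [ "gnused" "sane-scripts.secrets-unlock" "sops" ]` and the old `inherit bash gnused sops;` line is gone; unless they are referenced somewhere outside the shown hunks, they are now unused inputs and should be dropped from the argument list. The `version = "0.1.0"` attribute has also disappeared while the adapter script hard-codes `sops-gpg-adapter 0.1` for browserpass's `--version` probe, so the two will drift; if `static-nix-shell.mkBash` accepts a `version` attribute, carrying it there and substituting it into the script would keep one source of truth. Note too that the script's shebang passes `-p bash` but `pkgs` does not list it; whether mkBash supplies bash implicitly is not visible here.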

pkgs/patched/browserpass/sops-gpg-adapter Normal file → Executable file

@@ -1,14 +1,15 @@
#! @bash@/bin/sh
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p gnused -p sane-scripts.secrets-unlock -p sops
# browserpass "validates" the gpg binary by invoking it with --version
if [ "$1" = "--version" ]
then
echo "sane-browserpass-gpg @version@";
echo "sops-gpg-adapter 0.1";
exit 0
fi
# ensure the secret store is unlocked
@sane_secrets_unlock@/bin/sane-secrets-unlock
sane-secrets-unlock
# using exec here forwards our stdin
# browserpass parses the response in
@@ -16,4 +17,4 @@ fi
# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/
exec sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | sed s/\^totp-b32:/totp:/
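Review bot: In `exec sops ... | sed ...` the status returned to browserpass is sed's, not sops's, so a failed decryption (missing age key, no matching recipient) yields empty output with exit 0 and browserpass cannot distinguish it from an empty entry; add `set -o pipefail` near the top of the script, or drop `exec` and check sops's status explicitly. The `exec` only replaces the first pipeline stage's subshell and does not affect stdin, which the pipeline already forwards, so the comment "using exec here forwards our stdin" is misleading and should read `# exec replaces this shell with the pipeline; stdin (browserpass's request) is inherited either way`. The hard-coded `sops-gpg-adapter 0.1` in the `--version` branch no longer comes from the package definition, which dropped its `version` attribute in this commit.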