sops-gpg-adapter: port to nix-shell

2024-07-24 07:40:29 +00:00
parent 225c8de7a2
commit 6f1173e45a
5 changed files with 43 additions and 30 deletions


@@ -263,7 +263,7 @@ in
# TODO: find a way to not expose ~/.ssh to firefox # TODO: find a way to not expose ~/.ssh to firefox
# - unlock sops at login (or before firefox launch)? # - unlock sops at login (or before firefox launch)?
# - see if ssh has a more formal type of subkey system? # - see if ssh has a more formal type of subkey system?
".ssh/id_ed25519" # ".ssh/id_ed25519"
# ".config/sops" # ".config/sops"
"knowledge/secrets/accounts" "knowledge/secrets/accounts"
]; ];
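Review bot: The three TODO lines directly above the now commented-out `".ssh/id_ed25519"` entry are stale after this change: the second bullet ("unlock sops at login") is the approach taken elsewhere in this commit, and the entry they were worried about is gone. Replace them with a note describing the current arrangement, e.g. `# sops is unlocked at login by the secrets-unlock .profile hook, so firefox never needs ~/.ssh`. The enclosing list starts before the hunk, so whether any other entry still grants access to ~/.ssh cannot be checked here.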


@@ -175,6 +175,16 @@ in
]; ];
}; };
"sane-scripts.secrets-unlock".fs.".config/sops".dir = {}; "sane-scripts.secrets-unlock".fs.".config/sops".dir = {};
# automatically unlock the secrets at login.
# the alternative is to do it on-demand, which means giving lots of stuff access to my ssh key.
"sane-scripts.secrets-unlock".fs.".profile".symlink.text = ''
maybeUnlockSecrets() {
if test -f ~/.ssh/id_ed25519; then
sane-secrets-unlock
fi
}
sessionCommands+=('maybeUnlockSecrets')
'';
# sane-secrets-dump is a thin wrapper around sops + some utilities. # sane-secrets-dump is a thin wrapper around sops + some utilities.
# really i should sandbox just the utilities # really i should sandbox just the utilities
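Review bot: `maybeUnlockSecrets` returns the exit status of `sane-secrets-unlock`, which runs under `set -e`, so a failed unlock (unreadable key, ssh-to-age error) makes the function fail, and depending on how `sessionCommands` entries are executed that may abort the rest of the login profile. Isolating the call, `sane-secrets-unlock || echo "secrets unlock failed" >&2`, keeps login usable while still leaving a trace of the problem. The `sessionCommands` array is presumably provided by the surrounding profile machinery; a one-line comment naming where it is consumed would help the next reader. The attribute set continues past the end of the hunk.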


@@ -1,7 +1,13 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p coreutils-full -p openssh -p ssh-to-age #!nix-shell -i bash -p bash -p coreutils-full -p openssh -p ssh-to-age
# unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key) # unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
set -ex set -e
if test -f ~/.config/sops/age/keys.txt; then
exit
fi
set -x
mkdir -p ~/.config/sops/age mkdir -p ~/.config/sops/age
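Review bot: The early exit keys on `test -f`, which also succeeds for an empty `keys.txt`; if a previous run left the file empty, the script will from then on treat the store as unlocked while sops has no usable key. `test -s` (exists and is non-empty) is the safer condition: `if test -s ~/.config/sops/age/keys.txt; then`. The check also means a key rotated in ~/.ssh is never re-derived until the file is removed by hand, which deserves a comment next to the condition, e.g. `# idempotent: delete keys.txt to force re-derivation after an ssh key change`. The script body continues past the hunk.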


@@ -1,29 +1,25 @@
{ lib {
, browserpass bash,
, bash browserpass,
, fetchFromGitea fetchFromGitea,
, gnused gnused,
, sane-scripts lib,
, sops sane-scripts,
, stdenv sops,
, substituteAll static-nix-shell,
stdenv,
substituteAll,
}: }:
let let
sane-browserpass-gpg = stdenv.mkDerivation { sops-gpg-adapter = static-nix-shell.mkBash {
pname = "sane-browserpass-gpg"; pname = "sops-gpg-adapter";
version = "0.1.0"; srcRoot = ./.;
src = ./.; pkgs = [ "gnused" "sane-scripts.secrets-unlock" "sops" ];
postInstall = ''
inherit bash gnused sops; ln -s sops-gpg-adapter $out/bin/gpg
sane_secrets_unlock = sane-scripts.secrets-unlock; # XXX: must be snake_case ln -s sops-gpg-adapter $out/bin/gpg2
installPhase = ''
mkdir -p $out/bin
substituteAll ${./sops-gpg-adapter} $out/bin/gpg
chmod +x $out/bin/gpg
ln -s $out/bin/gpg $out/bin/gpg2
''; '';
}; };
in in
browserpass.overrideAttrs (upstream: { browserpass.overrideAttrs (upstream: {
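Review bot: `stdenv` and `substituteAll` are still taken as arguments although nothing in the rewritten derivation uses them (the `stdenv.mkDerivation` call and the `substituteAll` install step are gone), and `bash` is likewise no longer referenced in the visible code; unless the unseen part of the `overrideAttrs` body needs them, drop them from the argument set. The old `version = "0.1.0"` attribute is gone and the version now exists only as a literal in the script's `--version` reply, so consider keeping a `version` attribute on `sops-gpg-adapter` so the derivation metadata and the reported string stay in step. The `pkgs` list presumably has to mirror the `-p` flags of the script's nix-shell shebang; a short comment saying so, e.g. `# keep in sync with the #!nix-shell line in ./sops-gpg-adapter`, would prevent the two from drifting.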
@@ -39,7 +35,7 @@ in
make install make install
wrapProgram $out/bin/browserpass \ wrapProgram $out/bin/browserpass \
--prefix PATH : ${lib.makeBinPath [ sane-browserpass-gpg ]} --prefix PATH : ${lib.makeBinPath [ sops-gpg-adapter ]}
# This path is used by our firefox wrapper for finding native messaging hosts # This path is used by our firefox wrapper for finding native messaging hosts
mkdir -p $out/lib/mozilla/native-messaging-hosts mkdir -p $out/lib/mozilla/native-messaging-hosts
@@ -47,6 +43,6 @@ in
''; '';
passthru = (upstream.passthru or {}) // { passthru = (upstream.passthru or {}) // {
inherit sane-browserpass-gpg; inherit sops-gpg-adapter;
}; };
}) })

pkgs/patched/browserpass/sops-gpg-adapter Normal file → Executable file

@@ -1,14 +1,15 @@
#! @bash@/bin/sh #!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p gnused -p sane-scripts.secrets-unlock -p sops
# browserpass "validates" the gpg binary by invoking it with --version # browserpass "validates" the gpg binary by invoking it with --version
if [ "$1" = "--version" ] if [ "$1" = "--version" ]
then then
echo "sane-browserpass-gpg @version@"; echo "sops-gpg-adapter 0.1";
exit 0 exit 0
fi fi
# ensure the secret store is unlocked # ensure the secret store is unlocked
@sane_secrets_unlock@/bin/sane-secrets-unlock sane-secrets-unlock
# using exec here forwards our stdin # using exec here forwards our stdin
# browserpass parses the response in # browserpass parses the response in
@@ -16,4 +17,4 @@ fi
# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key) # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
# browserpass understands the `totp` field to hold either secret tokens, or full URLs. # browserpass understands the `totp` field to hold either secret tokens, or full URLs.
# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB. # i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/ exec sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | sed s/\^totp-b32:/totp:/
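Review bot: The pipeline's exit status on the last line is sed's, so when `sops` fails to decrypt (store still locked, wrong key, malformed input) the adapter exits 0 and hands browserpass empty output, which per the comments above is likely parsed as a valid entry with no fields. Adding `set -o pipefail` after the shebang lines makes such a failure visible, and `sane-secrets-unlock || exit 1` on the unlock line would stop before sops is invoked at all. The `exec` prefix only replaces the subshell running the first stage of the pipeline and is not what forwards stdin — stdin reaches `sops` either way — so the comment above it could be reworded to `# sops reads the browserpass query from our stdin`.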