From bad4fe0e761460b7df84973b0b55fb8d51f7c1d2 Mon Sep 17 00:00:00 2001
From: colin
Date: Mon, 31 Oct 2022 23:57:47 -0700
Subject: [PATCH] browserpass: add support for totp, and auto-unlock the secrets store on first run

note that one needs to manually enable the TOTP setting in the browserpass settings for this to work -- TOTP parsing is disabled by default
---
 pkgs/browserpass/default.nix      | 5 ++++-
 pkgs/browserpass/sops-gpg-adapter | 7 ++++++-
 pkgs/overlay.nix                  | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/pkgs/browserpass/default.nix b/pkgs/browserpass/default.nix
index c3c8a26c..1e0001c4 100644
--- a/pkgs/browserpass/default.nix
+++ b/pkgs/browserpass/default.nix
@@ -1,7 +1,9 @@
 { pkgs
 , bash
 , fetchFromGitea
+, gnused
 , lib
+, sane-scripts
 , sops
 , stdenv
 , substituteAll
@@ -13,7 +15,8 @@ let
   version = "0.1.0";
   src = ./.;
 
-  inherit bash sops;
+  inherit bash gnused sops;
+  sane_scripts = sane-scripts;
   installPhase = ''
     mkdir -p $out/bin
     substituteAll ${./sops-gpg-adapter} $out/bin/gpg
diff --git a/pkgs/browserpass/sops-gpg-adapter b/pkgs/browserpass/sops-gpg-adapter
index cdc112d4..3020380f 100644
--- a/pkgs/browserpass/sops-gpg-adapter
+++ b/pkgs/browserpass/sops-gpg-adapter
@@ -7,8 +7,13 @@ then
   exit 0
 fi
 
+# ensure the secret store is unlocked
+@sane_scripts@/bin/sane-secrets-unlock
+
 # using exec here forwards our stdin
 # browserpass parses the response in
 #
 # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
-exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
+# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
+# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 424846fb..4bc57075 100644
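Review bot: The `sane_scripts = sane-scripts;` line in the second default.nix hunk needs a one-line comment, because next to the hyphenated `sane-scripts` input it reads like a typo that the next maintainer will "fix" and break the `@sane_scripts@` reference in the adapter. Presumably the underscore is there because substituteAll takes its `@name@` values from the derivation's environment, where a hyphen is not a legal variable name; a comment such as `# substituteAll reads attrs as env vars, which cannot contain '-', so the script sees @sane_scripts@` records that. The enclosing attribute set opens before the hunk and its `installPhase` string closes after it.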
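Review bot: The new `exec sops … | sed` pipeline in the sops-gpg-adapter hunk returns sed's exit status rather than sops', so a failed decryption (wrong key, tampered file, or an unlock the user dismissed) now exits 0 with empty or truncated output, and browserpass cannot tell that apart from a store with no matching entry; it also changes what `exec` was doing, since the first pipeline element runs in a subshell while the script stays alive waiting on sed. Unless the script head above the hunk already sets it, add `set -o pipefail` before the pipeline, and give the unlock step a check of its own, `@sane_scripts@/bin/sane-secrets-unlock || exit 1`, since its status is currently ignored and sops will only fail later on a still-locked store. I would also quote the sed expression and drop the backslash, `@gnused@/bin/sed 's/^totp-b32:/totp:/'`: `\^` only acts as a plain anchor because the word is unquoted, and a later reader who wraps it in quotes turns `\^` into a literal caret in sed's regex and silently stops the rename. The shebang and any existing `set` options are outside the hunk, so whether `errexit` or `pipefail` is already on cannot be seen here.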
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -37,7 +37,7 @@
   gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
-  browserpass = prev.callPackage ./browserpass { pkgs = prev; };
+  browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };