browserpass: add support for totp, and auto-unlock the secrets store on first run
note that one needs to manually enable the TOTP setting in the browserpass settings for this to work -- TOTP parsing is disabled by default
parent
8b473ff88f
commit
bad4fe0e76
|
@ -1,7 +1,9 @@
|
|||
{ pkgs
|
||||
, bash
|
||||
, fetchFromGitea
|
||||
, gnused
|
||||
, lib
|
||||
, sane-scripts
|
||||
, sops
|
||||
, stdenv
|
||||
, substituteAll
|
||||
|
@ -13,7 +15,8 @@ let
|
|||
version = "0.1.0";
|
||||
src = ./.;
|
||||
|
||||
inherit bash sops;
|
||||
inherit bash gnused sops;
|
||||
sane_scripts = sane-scripts;
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
substituteAll ${./sops-gpg-adapter} $out/bin/gpg
|
||||
|
|
|
@ -7,8 +7,13 @@ then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
# ensure the secret store is unlocked
|
||||
@sane_scripts@/bin/sane-secrets-unlock
|
||||
|
||||
# using exec here forwards our stdin
|
||||
# browserpass parses the response in
|
||||
# <browserpass-extension/src/background.js#parseFields>
|
||||
# it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
|
||||
exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
|
||||
# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
|
||||
# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
|
||||
exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/
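Review bot: Piping sops into sed on the new `exec` line makes the script's exit status that of sed, so a failed decryption (store still locked, missing key) would reach browserpass as success with empty output unless `set -o pipefail` is set above the hunk, which is not visible here. The call to `@sane_scripts@/bin/sane-secrets-unlock` is also unchecked; `@sane_scripts@/bin/sane-secrets-unlock || exit 1` would stop before sops runs against a store that failed to unlock. In a pipeline, `exec` only replaces the subshell of the first stage, so the comment `# using exec here forwards our stdin` no longer describes the new line and should be reworded or dropped together with the `exec`. Quoting the sed program as `'s/^totp-b32:/totp:/'` would avoid relying on the shell to strip the backslash before `^`. The script begins and ends outside this hunk.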
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
|
||||
gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
|
||||
|
||||
browserpass = prev.callPackage ./browserpass { pkgs = prev; };
|
||||
browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
|
||||
|
||||
#### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
|
||||
kaiteki = prev.callPackage ./kaiteki { };
|
||||
|
|