bluetooth: accept that LinkKeys are device/host-specific and stop trying to share them across machines

2023-01-07 11:31:35 +00:00 · 2023-01-07 11:31:35 +00:00 · ea5552daa7
parent fb7d94209c
commit ea5552daa7
3 changed files with 16 additions and 10 deletions
--- a/hosts/common/bluetooth.nix
+++ b/hosts/common/bluetooth.nix
@ -1,8 +1,8 @@
 { lib, pkgs, ... }:

 {
-  # optionally: persist handshakes. can be useful when debugging, but might disrupt other keys
-  # sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];
+  # persist external pairings by default
+  sane.persist.sys.plaintext = [ "/var/lib/bluetooth" ];

  sane.fs."/var/lib/bluetooth".generated.acl.mode = "0700";
  sane.fs."/var/lib/bluetooth/.secrets.stamp" = {
--- a/scripts/install-bluetooth
+++ b/scripts/install-bluetooth
@ -7,6 +7,7 @@
 # bluetooth connection structure is /var/lib/bluetooth/<HOST_MAC>/<DEVICE_MAX>/{attributes,info}
 # bluetoothd/main.conf options can be found here:
 # - <https://pythonhosted.org/BT-Manager/config.html>
+# can be set via nixos' `hardware.bluetooth.settings`

 srcdir="$1"
 destdir="$2"
@ -23,9 +24,14 @@ for f in $(ls "$srcdir")
 do
  mac=$(sed -rn 's/# MAC=(.*)/\1/p' "$srcdir/$f")
  condir="$destdir/$mac"
-  test -d "$condir" || mkdir "$condir" || test -d "$condir"
-  # bluetoothd just converts my symlinks into plain files anyway, so may as well cp directly
-  cp "$srcdir/$f" "$condir/info"
-  # ln -sf --no-dereference "$srcdir/$f" "$condir/info"
-  touch "$condir/attributes"
+  if ! test -f "$condir/info"
+  then
+    # don't *overwrite* pairings. instead, only copy the device data if the host doesn't yet know about it.
+    # unfortunately, it seems that for most BT devices i can't share link keys across hosts.
+    # perhaps i could using `bdaddr` to force a shared host MAC across all hosts, but that doesn't work for all manufacturers.
+    # instead, my bluetooth "secrets" are mostly just a list of MACs i want a host to trust.
+    mkdir "$condir"
+    cp "$srcdir/$f" "$condir/info"
+    touch "$condir/attributes"
+  fi
 done
--- a/secrets/universal/bt/portable-speaker.bin
+++ b/secrets/universal/bt/portable-speaker.bin
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:GIq5+OrFh6wG8pFt0inBaJDlBLet9NndAl1CHQ1OpWXDc0yk7Pu2qUdqEZbJoWWpUW4yYQUYSvx5ub/LS+u4NWkK7qWkDa7VgoGhyOPF7T54HLUtKXbUVh7Sy4a7EVtPz2xhpeKpyfShq3IDUIGS0Usl+my36qdnOlZgWHpPlhhKgX1nXTLP+KMD3WShfDpJxt0ZP+bCJUvVKDA/ABHQt6n+rO1nlR235RmBmc7bE/3lCzMzh63lRYfJWCchzZGdJoxEup8GB6Sm7Svc56VEikz9XnOEZWIWB7aijdBe7ZmroOdEVS0sDYhed722rwAQ/nE1L/2Lc8/baqC1ip6n/MzpOKCCGRp69ED1DktDvwS7t9w94WOS3hx/fG7Rzx7hGuylieQ7ykVfcWYhpnYb97K3EsG2b4IlgkfS0Pahdu3RHC3CJtlhYNGKwbGuuYrc/FXtJmcABlxHe+Dd5XCn8KyJc2A9Htl4aySaJkH4MiQz3PbfTi4qCsmmYtCcJBxCBwBbEEu1yLzIDCr24uG42S6jypH5hWBjUuOTH+MGYDou/HeTf7EgvEzqqZKs4ZeDMwRvDGWbdA8EQiBhAYmUpQY8I2vS17r2FfvrNQANeEQebaes8bjsFjKQOiBXm5Fp,iv:BPxUV5791usFMAir3ewjLlZok5HD2D6AEYKZ/TSFIsM=,tag:oVVAcBSOOgaslHof7ZZxeQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:WbIbrAEaBV1ye3Vzxt5DybxNzsQgqsGmRRG8GWibq3DTv8zeJ0hBAWKJHA6BZvK3gxoAOCr+jEsKq/hIcaZkth0G+otQI8UWd8aUC0O+MQMT7bXXu7g+uI/VwofZTu/+AwceBfnyPdfWcmORobbzWABaNxT0OC4tZ+369u37QRmp9Nny9sQALaXW5cUS2kK2ajouWhXaXUt0hVhDTYULDWm7tNaqEFG1sTpg75AGlXfDcvRUNP+FHs1ISfNPgHf2QrPDD48xOCT/weNAy1xIMqS8Ecns5XGRt2sitTz0O5Lz2B5b436GdlsxcGfFv+RATpLGY7DtEirmfPyNybRbxdIrV3oceJO8op2TRmaDR9D0zhF2vtPb470z8lCrU7uyooc+b9mUx2tX3b3FLQy9ukSS2QG6TleVGxznrqO2XYFvse1OZMVDFdXjhn0CaiCHc0f51SNEunS5gLMFpcBvI20FHntT9uj7nwV4yCOGVlWAziyUtK7w/mbcACvOWhwjrN3D4LXQ9QPGSuWBqni9Dsk7de+uArqYP//zqSotJbv1qS1TpB7QYrlJf9VaJ/eLxwAAM7AxEt2So5sNbreh+zZi5cAhaudyEb1fNSf7suACqnHk1BhXoQtRh93ngetMmneQlsXMZGM=,iv:6kYaqB/TMZdvns3Gv0nO0yp+LQBGSS2xn979FfXffvc=,tag:QzfQi4YXhGWLjPIWng1HAg==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@ -39,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYnMxbDNUR2xyV3B5VzFQ\nM1IxQzV5OXM5L1VYdFRYWUt0cWl4ZUdsQVNJCmRjUjdPMmhoaEFmUUxrVmJCRlFl\nNzZqY3p0YUF3T2lYdysvakx4WVg0bFUKLS0tIFFlazJzb3hmVXNyUU5leUFKL3p0\nNlN0TGxVbGtoUHFtK3hBS2RiYUViVFEKii4w04zeDD6HWURzmAhJdxNdNmQgsPw/\nawI6HSVbbmEGXyL23Pe0oultY8k/ZVE4oHRKBkHh00XoCZM/Ye6neA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-01-07T09:24:09Z",
-		"mac": "ENC[AES256_GCM,data:TSIhuvZdO8C+2ETT2m4pw5NJwpXfB9kK7kyIZOR70Ivy//gtcY8CTsZ+/xl8IUF/iK/wmPWdd9PcJDZGYjWtRKFZNTgliJJZfz9gwtYCYRks3tcvF6I8FtOem98VRHBQzq9exAWoTsMKAZqfHzUqofgd1dpDlk4JMkb40lzNndY=,iv:v+76adlqVwHnKgcs5+PK7d0BBC4FflkOEvquTn3me4A=,tag:wUFfqIX52CgLH/aK4NjbWQ==,type:str]",
+		"lastmodified": "2023-01-07T11:04:42Z",
+		"mac": "ENC[AES256_GCM,data:QiNqZSB5WIVroTQKWxt73NLGvv13waePyMcQ3OJaecaOZQiXGhuq9Ojwnk+I2DSs7X8Nv10VilHk97kYNgTjsNdWmXHqtSY0LKbbMoJpzPoF42MCPSv8g5tLOnIR095Ihu8Ntw+FdOsl0rqa9ipqJFFswOpGI/xamcsLtpRnQnQ=,iv:i4YCULu9YJR5zLomeAYpzvFG7SB9x+4wWPhaiFGlTQQ=,tag:xLbmIhg7hPZnHvQVhbgDpQ==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"