Switch to using rbw

2023-03-15 20:41:13 +01:00 · 2023-03-15 20:41:13 +01:00 · 37ea7c2e39
parent 95c4e434bc
commit 37ea7c2e39
17 changed files with 32 additions and 73 deletions
--- a/home-manager/roles/default.nix
+++ b/home-manager/roles/default.nix
@ -62,11 +62,6 @@
        set -g allow-rename on
      '';
    };
-    password-store = {
-      package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-update exts.pass-otp]);
-      enable = true;
-      settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store";
-    };
    git = {
      aliases = {
        sync = "!git pull -r && git push";
@ -173,7 +168,7 @@
        )
        (
          pkgs.writeShellScriptBin "print-ssh-pw"
-          "pass show eu/m-0/${config.m-0.hostName}.m-0.eu/ssh-key"
+          "rbw ${config.m-0.hostName}.m-0.eu ssh-key"
        )
        (
          pkgs.writeShellScriptBin "dingdingding" (builtins.readFile ./signal.sh)
--- a/home-manager/roles/desktop.nix
+++ b/home-manager/roles/desktop.nix
@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  home = {
    packages = builtins.attrValues {
      zoom = pkgs.zoom-us.overrideAttrs (old: {
@ -84,6 +88,11 @@

    file.".zprofile".text = ". $HOME/.nix-profile/etc/profile.d/hm-session-vars.sh";
  };
+  programs.password-store = {
+    package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-otp]);
+    enable = true;
+    settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store";
+  };
  gtk = {
    enable = true;
    iconTheme = {
--- a/home-manager/roles/firefox.nix
+++ b/home-manager/roles/firefox.nix
@ -1,8 +1,4 @@
 {pkgs, ...}: {
-  programs.browserpass = {
-    browsers = ["firefox"];
-    enable = true;
-  };
  home.packages = [pkgs.firefox];
  home.sessionVariables = {
    # So that electron can open firefox links. See
--- a/home-manager/roles/kassandra/config.dhall
+++ b/home-manager/roles/kassandra/config.dhall
@ -22,19 +22,6 @@ in  { backends =
                }
              }
        }
-      , { name = "tasks.maralorn.de"
-        , backend =
-            types.StandaloneAccount.RemoteAccount
-              { backend = Some
-                { url = "https://tasks.maralorn.de"
-                , user = "maralorn"
-                , password =
-                    types.PasswordConfig.PasswordCommand
-                      { command = "pass de/maralorn/tasks.maralorn.de/maralorn"
-                      }
-                }
-              }
-        }
      , { name = "Dynamic Backend"
        , backend =
            types.StandaloneAccount.RemoteAccount
--- a/home-manager/roles/leisure.nix
+++ b/home-manager/roles/leisure.nix
@ -63,14 +63,6 @@
        "exec:${serien}"
      ];
    };
-    news = {
-      config = ''
-        urls-source "ocnews"
-        ocnews-url "https://cloud.maralorn.de"
-        ocnews-login "maralorn"
-        ocnews-password "${(pkgs.privateValue {adminpass = "";} "nextcloud-admin").adminpass}"
-      '';
-    };
    software-updates = {
      feeds =
        [
--- a/home-manager/roles/mail.nix
+++ b/home-manager/roles/mail.nix
@ -54,7 +54,7 @@ in {
    lib.mapAttrs' mkWatchService (lib.filterAttrs hasImapHost config.accounts.email.accounts)
    // {
      mbsync.Service = {
-        Environment = "PATH=${lib.makeBinPath [pkgs.pass pkgs.gnupg pkgs.coreutils]}";
+        Environment = "PATH=${lib.makeBinPath [pkgs.rbw pkgs.gnupg pkgs.coreutils]}";
        Restart = "on-failure";
        RestartSec = "30s";
      };
@ -127,7 +127,7 @@ in {
        ${move-message-macro "l" "Move/readlater" "readlater list"}
        macro attach 'V' "<pipe-entry>iconv -c --to-code=UTF8 > ~/.cache/mutt/mail.html<enter><shell-escape>firefox ~/.cache/mutt/mail.html<enter>"

-        macro index,pager <F6> "<shell-escape>${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(pass eu/m-0/hera/mail.hera.m-0.eu/maralorn)'\n"
+        macro index,pager <F6> "<shell-escape>${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(cat /run/agenix/mail-password)'\n"
        macro index,pager A "<pipe-message>${pkgs.khard}/bin/khard add-email<return>" "add sender to to khard"

        set query_format="%4c %t %-70.70a %-70.70n %?e?(%e)?"
--- a/home-manager/roles/mail2rss.nix
+++ b/home-manager/roles/mail2rss.nix
@ -33,7 +33,7 @@ in {
      mail2rss = {
        Unit.Description = "Mail to rss exporter";
        Service = {
-          Environment = "PATH=${lib.makeBinPath [pkgs.coreutils pkgs.pass]}";
+          Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.packages]}";
          ExecStart = "${mail2rss}/bin/mail2rss";
          Type = "oneshot";
        };
--- a/home-manager/roles/pass-fzf.sh
+++ b/home-manager/roles/pass-fzf.sh
@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-
-## Adapted from https://gist.github.com/heywoodlh/4c1e27f477a896bc3b0f6d55e2748d26
-
-## Assumes that the user is using otp plugin
-## Install fzf and make sure pass is configured beforehand
-
-## If you want to grab the otp code, use like so: `pass-fzf.sh otp`, otherwise script will assume you want password
-
-cd ~/.password-store || exit
-
-if [[ $1 == 'otp' ]]
-then
-	type="otp"
-else
-	type="password"
-fi
-
-selection="$(find -L . -name '*.gpg' | sed -e 's/.\///' -e 's/.gpg//' | fzf)"
-
-if [ ${type} == "otp" ]
-then
-	pass otp "${selection}" -c
-
-else
-	pass "${selection}" -c
-fi
-
--- a/home-manager/roles/tinkering.nix
+++ b/home-manager/roles/tinkering.nix
@ -30,7 +30,7 @@
        url: http://hackage.haskell.org/

      username: maralorn
-      password-command: pass org/haskell/hackage.haskell.org/maralorn
+      password-command: rbw get hackage.haskell.org
    '';
  };
 }
--- a/home-manager/roles/unlock.nix
+++ b/home-manager/roles/unlock.nix
@ -1,9 +1,13 @@
-{pkgs, ...}: let
+{
+  pkgs,
+  config,
+  ...
+}: let
  makeUnlocker = {
    name,
    hostName,
    pubKey,
-    passPath,
+    passwordName,
  }: let
    knownHosts = pkgs.writeText "KnownBootHosts" "${hostName} ${pubKey}";
  in
@ -16,14 +20,14 @@
      done;
      echo
      echo "Ping successful; Entering disk encryption password"
-      ${pkgs.pass}/bin/pass ${passPath} | ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed"
+      ${config.programs.rbw.package}/bin/rbw get ${passwordName} | (ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed")
    '';
  unlocker = [
    {
      name = "hera";
      hostName = "hera-v4";
      pubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCHkqWlFLtmIlTSKahr2PcL++K75YgfsSU6jwVYW5df3JCkowu/M16SIBxABxYSQrKej5uIz/OFCjqSxHJQ8D5wSYBvn2gYr/BbBcz4rfIJmZ55Od2jckaqlj/M8TtkuPPhsQG7S730vXxK5hbMT8iW5WWv8sIKY/WtaRbZOFMX/53WCLEHtnMu5zFJFWf92+mjIHSLyW8ggl1m525RUiaAfCge2vnuzIFq4kUqJxaWzxIvEWIncKWN10K/HMvdI+yOtbSen41uKedwSFhUFs3xHy1mJddYOrlcJQPt5zuuffZ/nTDVXMZoh5QNwg8ZlkkueVChaS1Y5STjb7cem1Mt";
-      passPath = "eu/m-0/hera.m-0.eu/disk";
+      passwordName = "hera.m-0.eu disk";
    }
  ];
 in {config = {home.packages = map makeUnlocker unlocker;};}
--- a/home-manager/roles/vdirsyncer.nix
+++ b/home-manager/roles/vdirsyncer.nix
@ -48,7 +48,7 @@
        if (type == "caldav")
        then {
          inherit username;
-          "password.fetch" = ["command" "${pkgs.pass}/bin/pass" passwordPath];
+          "password.fetch" = ["command" (lib.getExe config.programs.rbw.package) passwordPath];
          read_only = readOnly;
        }
        else {}
--- a/home-manager/roles/zsh/zshrc
+++ b/home-manager/roles/zsh/zshrc
@ -41,7 +41,8 @@ alias nixpkgs-review-pr-remote='nixpkgs-review pr --build-args "--builders @$(bu
 alias nixpkgs-review-rev-remote='nixpkgs-review rev --build-args "--builders @$(builders-configurator --force)"'
 alias accounting='f() { if [[ "$1" == "" ]]; then year="buchhaltung" else year="$1" fi; hledger -f ~/git/buchhaltung/$year.journal ui -- --watch --theme=terminal -X€ -t -E}; f'
 alias o=xdg-open
-alias s='sudo systemctl'
+alias sudo='sudo -A'
+alias s='sudo -A systemctl'
 alias g='lazygit'
 alias u='systemctl --user'
 alias m=man
--- a/nixos/machines/fluffy/configuration.nix
+++ b/nixos/machines/fluffy/configuration.nix
@ -15,6 +15,7 @@ in {
    ../../roles/fonts.nix
    ../../roles/metal.nix
    ../../roles/standalone
+    ../../roles/server
    ./hardware-configuration.nix
  ];

--- a/nixos/machines/hera/configuration.nix
+++ b/nixos/machines/hera/configuration.nix
@ -28,6 +28,7 @@ in {
    ../../roles/miniflux.nix
    ../../roles/monitoring
    ../../roles/nixpkgs-bot.nix
+    ../../roles/server
    ../../roles/server/init_ssh.nix
    ../../roles/standalone
    ../../roles/unbound.nix
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -19,8 +19,6 @@ in {

  time.timeZone = "Europe/Berlin";

-  security.sudo.wheelNeedsPassword = false; # If my user account is pwned all is lost anyway.
-
  networking = {
    resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
    firewall = {
--- a/nixos/roles/server/default.nix
+++ b/nixos/roles/server/default.nix
@ -0,0 +1,3 @@
+{
+  security.sudo.wheelNeedsPassword = false;
+}
--- a/overlays/update-system.nix
+++ b/overlays/update-system.nix
@ -86,7 +86,7 @@ final: _: let
      output=$(nom build --builders @$(builders-configurator) $HOME/git/config#nixosConfigurations.$host.config.system.build.toplevel --no-link --print-out-paths)
      if [[ -z "$remote_host" ]]; then
        on_target() {
-          /run/wrappers/bin/sudo $@
+          /run/wrappers/bin/sudo -A $@
        }
      else
        on_target() {