Switch to using rbw
This commit is contained in:
parent
95c4e434bc
commit
37ea7c2e39
|
@ -62,11 +62,6 @@
|
|||
set -g allow-rename on
|
||||
'';
|
||||
};
|
||||
password-store = {
|
||||
package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-update exts.pass-otp]);
|
||||
enable = true;
|
||||
settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store";
|
||||
};
|
||||
git = {
|
||||
aliases = {
|
||||
sync = "!git pull -r && git push";
|
||||
|
@ -173,7 +168,7 @@
|
|||
)
|
||||
(
|
||||
pkgs.writeShellScriptBin "print-ssh-pw"
|
||||
"pass show eu/m-0/${config.m-0.hostName}.m-0.eu/ssh-key"
|
||||
"rbw ${config.m-0.hostName}.m-0.eu ssh-key"
|
||||
)
|
||||
(
|
||||
pkgs.writeShellScriptBin "dingdingding" (builtins.readFile ./signal.sh)
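Review bot: The new `print-ssh-pw` body, `rbw ${config.m-0.hostName}.m-0.eu ssh-key`, appears to be missing the `get` subcommand that every other rbw call site in this commit uses (`rbw get hackage.haskell.org`, `rbw get ${passwordName}`), so rbw would try to parse the host name as a subcommand. If the key passphrase is the entry's password the intended line is probably `rbw get ${config.m-0.hostName}.m-0.eu ssh-key`; if it is stored in a custom field, `rbw get --field` would be the way to address it — worth confirming against the vault entry. The script also resolves `rbw` from PATH rather than from `config.programs.rbw.package` as the unlocker hunk does, so invoking it from a context without the user profile on PATH would fail. The surrounding `packages` list starts and ends outside the hunk.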
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
{pkgs, ...}: {
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
home = {
|
||||
packages = builtins.attrValues {
|
||||
zoom = pkgs.zoom-us.overrideAttrs (old: {
|
||||
|
@ -84,6 +88,11 @@
|
|||
|
||||
file.".zprofile".text = ". $HOME/.nix-profile/etc/profile.d/hm-session-vars.sh";
|
||||
};
|
||||
programs.password-store = {
|
||||
package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-otp]);
|
||||
enable = true;
|
||||
settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store";
|
||||
};
|
||||
gtk = {
|
||||
enable = true;
|
||||
iconTheme = {
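Review bot: The `programs.password-store` block added here keeps `pass` enabled (with `exts.pass-otp`) in a commit whose point is to move secrets to rbw, and nothing says what still depends on the password store. A one-line comment above the block, along the lines of `# pass is kept for <remaining consumer — TODO name it>; everything else now uses rbw`, would tell the next reader whether this is a leftover or intentional. This looks like the block dropped from the shared file in the first hunk, minus `exts.pass-update`, which supports the "intentional" reading but is only my inference.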
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
{pkgs, ...}: {
|
||||
programs.browserpass = {
|
||||
browsers = ["firefox"];
|
||||
enable = true;
|
||||
};
|
||||
home.packages = [pkgs.firefox];
|
||||
home.sessionVariables = {
|
||||
# So that electron can open firefox links. See
|
||||
|
|
|
@ -22,19 +22,6 @@ in { backends =
|
|||
}
|
||||
}
|
||||
}
|
||||
, { name = "tasks.maralorn.de"
|
||||
, backend =
|
||||
types.StandaloneAccount.RemoteAccount
|
||||
{ backend = Some
|
||||
{ url = "https://tasks.maralorn.de"
|
||||
, user = "maralorn"
|
||||
, password =
|
||||
types.PasswordConfig.PasswordCommand
|
||||
{ command = "pass de/maralorn/tasks.maralorn.de/maralorn"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
, { name = "Dynamic Backend"
|
||||
, backend =
|
||||
types.StandaloneAccount.RemoteAccount
|
||||
|
|
|
@ -63,14 +63,6 @@
|
|||
"exec:${serien}"
|
||||
];
|
||||
};
|
||||
news = {
|
||||
config = ''
|
||||
urls-source "ocnews"
|
||||
ocnews-url "https://cloud.maralorn.de"
|
||||
ocnews-login "maralorn"
|
||||
ocnews-password "${(pkgs.privateValue {adminpass = "";} "nextcloud-admin").adminpass}"
|
||||
'';
|
||||
};
|
||||
software-updates = {
|
||||
feeds =
|
||||
[
|
||||
|
|
|
@ -54,7 +54,7 @@ in {
|
|||
lib.mapAttrs' mkWatchService (lib.filterAttrs hasImapHost config.accounts.email.accounts)
|
||||
// {
|
||||
mbsync.Service = {
|
||||
Environment = "PATH=${lib.makeBinPath [pkgs.pass pkgs.gnupg pkgs.coreutils]}";
|
||||
Environment = "PATH=${lib.makeBinPath [pkgs.rbw pkgs.gnupg pkgs.coreutils]}";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "30s";
|
||||
};
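Review bot: The mbsync service PATH now uses `pkgs.rbw` while the unlocker, vdirsyncer and mail2rss hunks use `config.programs.rbw.package`, so this unit may run a different rbw binary than the one the user's rbw configuration and agent are built for; `Environment = "PATH=${lib.makeBinPath [config.programs.rbw.package pkgs.gnupg pkgs.coreutils]}";` keeps them in step. Since rbw fetches secrets through its agent, a run of this unit while the agent is locked will presumably fail at fetch time and, with `Restart = "on-failure"` and `RestartSec = "30s"`, keep retrying every 30 s; a short comment noting that expectation next to the `Restart` line would help whoever sees the loop in the journal. The enclosing attribute set starts outside the hunk.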
|
||||
|
@ -127,7 +127,7 @@ in {
|
|||
${move-message-macro "l" "Move/readlater" "readlater list"}
|
||||
macro attach 'V' "<pipe-entry>iconv -c --to-code=UTF8 > ~/.cache/mutt/mail.html<enter><shell-escape>firefox ~/.cache/mutt/mail.html<enter>"
|
||||
|
||||
macro index,pager <F6> "<shell-escape>${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(pass eu/m-0/hera/mail.hera.m-0.eu/maralorn)'\n"
|
||||
macro index,pager <F6> "<shell-escape>${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(cat /run/agenix/mail-password)'\n"
|
||||
macro index,pager A "<pipe-message>${pkgs.khard}/bin/khard add-email<return>" "add sender to to khard"
|
||||
|
||||
set query_format="%4c %t %-70.70a %-70.70n %?e?(%e)?"
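Review bot: The `<F6>` macro is the one site in this commit that switches to a file (`/run/agenix/mail-password`) instead of rbw, and the path is hard-coded while everything else in the macro is derived from `config`; a comment such as `# sieve password comes from the agenix secret on the host, not from rbw` would record why, and if the secret's path is reachable from this module's `config` it would be better taken from there. With a plain file there is also no need for the process substitution: `3</run/agenix/mail-password` (in place of `3<<(cat /run/agenix/mail-password)`) avoids spawning `cat` inside the macro — the rest of the macro is unchanged. The macro list continues outside the hunk.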
|
||||
|
|
|
@ -33,7 +33,7 @@ in {
|
|||
mail2rss = {
|
||||
Unit.Description = "Mail to rss exporter";
|
||||
Service = {
|
||||
Environment = "PATH=${lib.makeBinPath [pkgs.coreutils pkgs.pass]}";
|
||||
Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.packages]}";
|
||||
ExecStart = "${mail2rss}/bin/mail2rss";
|
||||
Type = "oneshot";
|
||||
};
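Review bot: `config.programs.rbw.packages` on the mail2rss `Environment` line looks like a typo for `config.programs.rbw.package`, which is the spelling used by the unlocker and vdirsyncer hunks of this same commit; as written the module evaluation would fail on the missing attribute. The intended line is presumably `Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.package]}";`. The enclosing `mail2rss` service definition continues outside the hunk.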
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
## Adapted from https://gist.github.com/heywoodlh/4c1e27f477a896bc3b0f6d55e2748d26
|
||||
|
||||
## Assumes that the user is using otp plugin
|
||||
## Install fzf and make sure pass is configured beforehand
|
||||
|
||||
## If you want to grab the otp code, use like so: `pass-fzf.sh otp`, otherwise script will assume you want password
|
||||
|
||||
cd ~/.password-store || exit
|
||||
|
||||
if [[ $1 == 'otp' ]]
|
||||
then
|
||||
type="otp"
|
||||
else
|
||||
type="password"
|
||||
fi
|
||||
|
||||
selection="$(find -L . -name '*.gpg' | sed -e 's/.\///' -e 's/.gpg//' | fzf)"
|
||||
|
||||
if [ ${type} == "otp" ]
|
||||
then
|
||||
pass otp "${selection}" -c
|
||||
|
||||
else
|
||||
pass "${selection}" -c
|
||||
fi
|
||||
|
|
@ -30,7 +30,7 @@
|
|||
url: http://hackage.haskell.org/
|
||||
|
||||
username: maralorn
|
||||
password-command: pass org/haskell/hackage.haskell.org/maralorn
|
||||
password-command: rbw get hackage.haskell.org
|
||||
'';
|
||||
};
|
||||
}
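Review bot: The new `password-command: rbw get hackage.haskell.org` relies on `rbw` being found on PATH when cabal runs, whereas the other call sites in this commit reference the configured package directly. If `config` and `lib` are available to this module, `password-command: ${lib.getExe config.programs.rbw.package} get hackage.haskell.org` would remove that dependency on the caller's environment; the module header is outside the hunk so I cannot confirm that. This is a small robustness point, not a defect in what the line does.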
|
||||
|
|
|
@ -1,9 +1,13 @@
|
|||
{pkgs, ...}: let
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
makeUnlocker = {
|
||||
name,
|
||||
hostName,
|
||||
pubKey,
|
||||
passPath,
|
||||
passwordName,
|
||||
}: let
|
||||
knownHosts = pkgs.writeText "KnownBootHosts" "${hostName} ${pubKey}";
|
||||
in
|
||||
|
@ -16,14 +20,14 @@
|
|||
done;
|
||||
echo
|
||||
echo "Ping successful; Entering disk encryption password"
|
||||
${pkgs.pass}/bin/pass ${passPath} | ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed"
|
||||
${config.programs.rbw.package}/bin/rbw get ${passwordName} | (ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed")
|
||||
'';
|
||||
unlocker = [
|
||||
{
|
||||
name = "hera";
|
||||
hostName = "hera-v4";
|
||||
pubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCHkqWlFLtmIlTSKahr2PcL++K75YgfsSU6jwVYW5df3JCkowu/M16SIBxABxYSQrKej5uIz/OFCjqSxHJQ8D5wSYBvn2gYr/BbBcz4rfIJmZ55Od2jckaqlj/M8TtkuPPhsQG7S730vXxK5hbMT8iW5WWv8sIKY/WtaRbZOFMX/53WCLEHtnMu5zFJFWf92+mjIHSLyW8ggl1m525RUiaAfCge2vnuzIFq4kUqJxaWzxIvEWIncKWN10K/HMvdI+yOtbSen41uKedwSFhUFs3xHy1mJddYOrlcJQPt5zuuffZ/nTDVXMZoh5QNwg8ZlkkueVChaS1Y5STjb7cem1Mt";
|
||||
passPath = "eu/m-0/hera.m-0.eu/disk";
|
||||
passwordName = "hera.m-0.eu disk";
|
||||
}
|
||||
];
|
||||
in {config = {home.packages = map makeUnlocker unlocker;};}
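Review bot: On the new unlock line, a failure of `rbw get ${passwordName}` (locked or unavailable agent, missing entry) is not distinguished from a failed unlock: the pipeline still runs `ssh … cryptsetup-askpass` with empty input and the subshell always ends in one of the `echo` calls, so the script reports "Unlocking of ${name} failed" and exits 0 either way. Fetching the password first makes the failure visible: `password=$(${config.programs.rbw.package}/bin/rbw get ${passwordName}) || { echo "Fetching the password for ${name} failed"; exit 1; }` followed by `printf '%s\n' "$password" | (ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed")`. Pinning the host key through `UserKnownHostsFile=${knownHosts}` is kept, which is the important part of this script. The script body and `makeUnlocker` start outside the hunk.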
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
if (type == "caldav")
|
||||
then {
|
||||
inherit username;
|
||||
"password.fetch" = ["command" "${pkgs.pass}/bin/pass" passwordPath];
|
||||
"password.fetch" = ["command" (lib.getExe config.programs.rbw.package) passwordPath];
|
||||
read_only = readOnly;
|
||||
}
|
||||
else {}
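Review bot: The `password.fetch` command now passes `passwordPath` to rbw, where it is a vault entry name rather than a password-store path; renaming it to `passwordName`, as the unlocker hunk does for the same kind of argument, would keep the two modules consistent and stop the name from suggesting a filesystem path. `lib.getExe` additionally depends on the rbw package exposing `meta.mainProgram`; I believe it does, but the unlocker hunk's explicit `${config.programs.rbw.package}/bin/rbw` form would not depend on it. The enclosing function starts outside the hunk.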
|
||||
|
|
|
@ -41,7 +41,8 @@ alias nixpkgs-review-pr-remote='nixpkgs-review pr --build-args "--builders @$(bu
|
|||
alias nixpkgs-review-rev-remote='nixpkgs-review rev --build-args "--builders @$(builders-configurator --force)"'
|
||||
alias accounting='f() { if [[ "$1" == "" ]]; then year="buchhaltung" else year="$1" fi; hledger -f ~/git/buchhaltung/$year.journal ui -- --watch --theme=terminal -X€ -t -E}; f'
|
||||
alias o=xdg-open
|
||||
alias s='sudo systemctl'
|
||||
alias sudo='sudo -A'
|
||||
alias s='sudo -A systemctl'
|
||||
alias g='lazygit'
|
||||
alias u='systemctl --user'
|
||||
alias m=man
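Review bot: `alias sudo='sudo -A'` (and `alias s='sudo -A systemctl'`) make every interactive sudo depend on an askpass helper, and nothing in this hunk sets `SUDO_ASKPASS` or an `askpass` path in sudoers; with no helper configured, sudo -A refuses to prompt at all. The same dependency is introduced by the `/run/wrappers/bin/sudo -A $@` change in the `on_target` hunk. If the helper is configured elsewhere in the repository, a comment such as `# -A: prompt via SUDO_ASKPASS (set in <module — TODO name it>), needed since wheel sudo now requires a password on non-server hosts` would connect the two changes for the next reader.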
|
||||
|
|
|
@ -15,6 +15,7 @@ in {
|
|||
../../roles/fonts.nix
|
||||
../../roles/metal.nix
|
||||
../../roles/standalone
|
||||
../../roles/server
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
|
|
|
@ -28,6 +28,7 @@ in {
|
|||
../../roles/miniflux.nix
|
||||
../../roles/monitoring
|
||||
../../roles/nixpkgs-bot.nix
|
||||
../../roles/server
|
||||
../../roles/server/init_ssh.nix
|
||||
../../roles/standalone
|
||||
../../roles/unbound.nix
|
||||
|
|
|
@ -19,8 +19,6 @@ in {
|
|||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
security.sudo.wheelNeedsPassword = false; # If my user account is pwned all is lost anyway.
|
||||
|
||||
networking = {
|
||||
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
|
||||
firewall = {
|
||||
|
|
3
nixos/roles/server/default.nix
Normal file
3
nixos/roles/server/default.nix
Normal file
|
@ -0,0 +1,3 @@
|
|||
{
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
}
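Review bot: The rationale comment that accompanied `security.sudo.wheelNeedsPassword = false;` at its old location (`# If my user account is pwned all is lost anyway.`) was dropped in the move to the server role, so the new file states a passwordless-wheel policy with no justification. If the reason is now server-specific (no interactive askpass on headless hosts), say that instead, e.g. `# Servers: no askpass helper available, and an unlocked wheel account already has full control of the host`; otherwise carry the old comment over. Keeping this only on the server role while desktops require a password is a sensible narrowing, but it deserves a sentence.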
|
|
@ -86,7 +86,7 @@ final: _: let
|
|||
output=$(nom build --builders @$(builders-configurator) $HOME/git/config#nixosConfigurations.$host.config.system.build.toplevel --no-link --print-out-paths)
|
||||
if [[ -z "$remote_host" ]]; then
|
||||
on_target() {
|
||||
/run/wrappers/bin/sudo $@
|
||||
/run/wrappers/bin/sudo -A $@
|
||||
}
|
||||
else
|
||||
on_target() {
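Review bot: The touched line `/run/wrappers/bin/sudo -A $@` still expands `$@` unquoted, so any argument containing whitespace or glob characters is re-split before it reaches sudo; `/run/wrappers/bin/sudo -A "$@"` preserves the arguments as passed. The `-A` flag also requires an askpass helper to be configured, which this hunk does not show (see the note on the zsh alias hunk). The `on_target` definitions and the enclosing script start and end outside the hunk.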
|
||||
|
|