Switch to using rbw
This commit is contained in:
parent
95c4e434bc
commit
37ea7c2e39
|
@ -62,11 +62,6 @@
|
||||||
set -g allow-rename on
|
set -g allow-rename on
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
password-store = {
|
|
||||||
package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-update exts.pass-otp]);
|
|
||||||
enable = true;
|
|
||||||
settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store";
|
|
||||||
};
|
|
||||||
git = {
|
git = {
|
||||||
aliases = {
|
aliases = {
|
||||||
sync = "!git pull -r && git push";
|
sync = "!git pull -r && git push";
|
||||||
|
@ -173,7 +168,7 @@
|
||||||
)
|
)
|
||||||
(
|
(
|
||||||
pkgs.writeShellScriptBin "print-ssh-pw"
|
pkgs.writeShellScriptBin "print-ssh-pw"
|
||||||
"pass show eu/m-0/${config.m-0.hostName}.m-0.eu/ssh-key"
|
"rbw ${config.m-0.hostName}.m-0.eu ssh-key"
|
||||||
)
|
)
|
||||||
(
|
(
|
||||||
pkgs.writeShellScriptBin "dingdingding" (builtins.readFile ./signal.sh)
|
pkgs.writeShellScriptBin "dingdingding" (builtins.readFile ./signal.sh)
|
||||||
|
|
|
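Review bot: The new `print-ssh-pw` body calls rbw without a subcommand (`rbw ${config.m-0.hostName}.m-0.eu ssh-key`), while every other rbw call in this commit uses `rbw get <name> <user>`; unless rbw accepts a bare entry name as an implicit lookup, the wrapper will exit with a usage error instead of printing the key passphrase. The naming here (`<host>.m-0.eu` with `ssh-key` as the second argument) matches the `hera.m-0.eu disk` convention used in the unlocker, so the fix is most likely `"rbw get ${config.m-0.hostName}.m-0.eu ssh-key"`. Since this script writes a secret to stdout, a one-line comment saying it is meant for an askpass-style consumer would also help. The enclosing package list starts before this hunk.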
@ -1,4 +1,8 @@
|
||||||
{pkgs, ...}: {
|
{
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
home = {
|
home = {
|
||||||
packages = builtins.attrValues {
|
packages = builtins.attrValues {
|
||||||
zoom = pkgs.zoom-us.overrideAttrs (old: {
|
zoom = pkgs.zoom-us.overrideAttrs (old: {
|
||||||
|
@ -84,6 +88,11 @@
|
||||||
|
|
||||||
file.".zprofile".text = ". $HOME/.nix-profile/etc/profile.d/hm-session-vars.sh";
|
file.".zprofile".text = ". $HOME/.nix-profile/etc/profile.d/hm-session-vars.sh";
|
||||||
};
|
};
|
||||||
|
programs.password-store = {
|
||||||
|
package = pkgs.pass-wayland.withExtensions (exts: [exts.pass-otp]);
|
||||||
|
enable = true;
|
||||||
|
settings.PASSWORD_STORE_DIR = "${config.home.homeDirectory}/git/password-store";
|
||||||
|
};
|
||||||
gtk = {
|
gtk = {
|
||||||
enable = true;
|
enable = true;
|
||||||
iconTheme = {
|
iconTheme = {
|
||||||
|
|
|
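Review bot: `programs.password-store` is re-enabled here with only the `pass-otp` extension after every other `pass` consumer in this commit moved to rbw, and nothing records why the gpg-backed store is kept. A comment above the block such as `# kept only for OTP entries still stored in pass; all other secrets live in rbw` would stop the next reader from treating this as a leftover or removing it while OTP entries depend on it. If rbw's `code` subcommand already covers those TOTP entries the store could go entirely; I cannot tell from the hunk whether that migration happened.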
@ -1,8 +1,4 @@
|
||||||
{pkgs, ...}: {
|
{pkgs, ...}: {
|
||||||
programs.browserpass = {
|
|
||||||
browsers = ["firefox"];
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
home.packages = [pkgs.firefox];
|
home.packages = [pkgs.firefox];
|
||||||
home.sessionVariables = {
|
home.sessionVariables = {
|
||||||
# So that electron can open firefox links. See
|
# So that electron can open firefox links. See
|
||||||
|
|
|
@ -22,19 +22,6 @@ in { backends =
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
, { name = "tasks.maralorn.de"
|
|
||||||
, backend =
|
|
||||||
types.StandaloneAccount.RemoteAccount
|
|
||||||
{ backend = Some
|
|
||||||
{ url = "https://tasks.maralorn.de"
|
|
||||||
, user = "maralorn"
|
|
||||||
, password =
|
|
||||||
types.PasswordConfig.PasswordCommand
|
|
||||||
{ command = "pass de/maralorn/tasks.maralorn.de/maralorn"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
, { name = "Dynamic Backend"
|
, { name = "Dynamic Backend"
|
||||||
, backend =
|
, backend =
|
||||||
types.StandaloneAccount.RemoteAccount
|
types.StandaloneAccount.RemoteAccount
|
||||||
|
|
|
@ -63,14 +63,6 @@
|
||||||
"exec:${serien}"
|
"exec:${serien}"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
news = {
|
|
||||||
config = ''
|
|
||||||
urls-source "ocnews"
|
|
||||||
ocnews-url "https://cloud.maralorn.de"
|
|
||||||
ocnews-login "maralorn"
|
|
||||||
ocnews-password "${(pkgs.privateValue {adminpass = "";} "nextcloud-admin").adminpass}"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
software-updates = {
|
software-updates = {
|
||||||
feeds =
|
feeds =
|
||||||
[
|
[
|
||||||
|
|
|
@ -54,7 +54,7 @@ in {
|
||||||
lib.mapAttrs' mkWatchService (lib.filterAttrs hasImapHost config.accounts.email.accounts)
|
lib.mapAttrs' mkWatchService (lib.filterAttrs hasImapHost config.accounts.email.accounts)
|
||||||
// {
|
// {
|
||||||
mbsync.Service = {
|
mbsync.Service = {
|
||||||
Environment = "PATH=${lib.makeBinPath [pkgs.pass pkgs.gnupg pkgs.coreutils]}";
|
Environment = "PATH=${lib.makeBinPath [pkgs.rbw pkgs.gnupg pkgs.coreutils]}";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = "30s";
|
RestartSec = "30s";
|
||||||
};
|
};
|
||||||
|
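Review bot: The mbsync service PATH now carries `pkgs.rbw`, whereas the other service and scripts in this commit resolve the binary via `config.programs.rbw.package`; if `programs.rbw.package` is ever overridden the service would run a different rbw than the agent the user configured, so `Environment = "PATH=${lib.makeBinPath [config.programs.rbw.package pkgs.gnupg pkgs.coreutils]}";` keeps them consistent. Unlike `pass`, rbw needs an unlocked vault held by rbw-agent; when the vault is locked inside a non-interactive systemd user service the lookup fails and, with `Restart = "on-failure"` and `RestartSec = "30s"`, the unit will retry every 30 seconds until someone runs `rbw unlock`. If `pkgs.gnupg` was only on PATH for `pass` it can probably be dropped too, but that depends on the mbsync config outside this hunk.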
@ -127,7 +127,7 @@ in {
|
||||||
${move-message-macro "l" "Move/readlater" "readlater list"}
|
${move-message-macro "l" "Move/readlater" "readlater list"}
|
||||||
macro attach 'V' "<pipe-entry>iconv -c --to-code=UTF8 > ~/.cache/mutt/mail.html<enter><shell-escape>firefox ~/.cache/mutt/mail.html<enter>"
|
macro attach 'V' "<pipe-entry>iconv -c --to-code=UTF8 > ~/.cache/mutt/mail.html<enter><shell-escape>firefox ~/.cache/mutt/mail.html<enter>"
|
||||||
|
|
||||||
macro index,pager <F6> "<shell-escape>${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(pass eu/m-0/hera/mail.hera.m-0.eu/maralorn)'\n"
|
macro index,pager <F6> "<shell-escape>${pkgs.zsh}/bin/zsh -c '${pkgs.sieve-connect}/bin/sieve-connect -s ${config.accounts.email.accounts.hera.imap.host or ""} -u ${config.accounts.email.accounts.hera.userName or ""} --passwordfd 3 --edit --remotesieve filter 3<<(cat /run/agenix/mail-password)'\n"
|
||||||
macro index,pager A "<pipe-message>${pkgs.khard}/bin/khard add-email<return>" "add sender to to khard"
|
macro index,pager A "<pipe-message>${pkgs.khard}/bin/khard add-email<return>" "add sender to to khard"
|
||||||
|
|
||||||
set query_format="%4c %t %-70.70a %-70.70n %?e?(%e)?"
|
set query_format="%4c %t %-70.70a %-70.70n %?e?(%e)?"
|
||||||
|
|
|
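Review bot: The sieve-connect macro now reads the IMAP password from `/run/agenix/mail-password` instead of from `pass`; that only works if the agenix secret is declared with this user as `owner` and a mode no wider than `0400`, which is not part of this commit, and if the file is unreadable the `cat` fails silently inside the `zsh -c` string and sieve-connect receives an empty fd. For a regular file the `cat` plus process substitution is unnecessary: a plain redirect, `--edit --remotesieve filter 3</run/agenix/mail-password`, does the same without the extra process. A short comment next to the macro naming the agenix secret it depends on would document the new coupling.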
@ -33,7 +33,7 @@ in {
|
||||||
mail2rss = {
|
mail2rss = {
|
||||||
Unit.Description = "Mail to rss exporter";
|
Unit.Description = "Mail to rss exporter";
|
||||||
Service = {
|
Service = {
|
||||||
Environment = "PATH=${lib.makeBinPath [pkgs.coreutils pkgs.pass]}";
|
Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.packages]}";
|
||||||
ExecStart = "${mail2rss}/bin/mail2rss";
|
ExecStart = "${mail2rss}/bin/mail2rss";
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
};
|
};
|
||||||
|
|
|
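Review bot: `config.programs.rbw.packages` on the new Environment line is almost certainly a typo for `config.programs.rbw.package`, the singular form used by the unlocker and vdirsyncer hunks in this same commit; as written the attribute lookup fails at evaluation time, so the whole configuration stops building rather than just this unit. The corrected line is `Environment = "PATH=${lib.makeBinPath [pkgs.coreutils config.programs.rbw.package]}";`. Because this is a `Type = "oneshot"` unit, a locked rbw vault will make mail2rss fail until the vault is unlocked interactively; if that is the accepted trade-off a comment on the unit saying so would help.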
@ -1,28 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
## Adapted from https://gist.github.com/heywoodlh/4c1e27f477a896bc3b0f6d55e2748d26
|
|
||||||
|
|
||||||
## Assumes that the user is using otp plugin
|
|
||||||
## Install fzf and make sure pass is configured beforehand
|
|
||||||
|
|
||||||
## If you want to grab the otp code, use like so: `pass-fzf.sh otp`, otherwise script will assume you want password
|
|
||||||
|
|
||||||
cd ~/.password-store || exit
|
|
||||||
|
|
||||||
if [[ $1 == 'otp' ]]
|
|
||||||
then
|
|
||||||
type="otp"
|
|
||||||
else
|
|
||||||
type="password"
|
|
||||||
fi
|
|
||||||
|
|
||||||
selection="$(find -L . -name '*.gpg' | sed -e 's/.\///' -e 's/.gpg//' | fzf)"
|
|
||||||
|
|
||||||
if [ ${type} == "otp" ]
|
|
||||||
then
|
|
||||||
pass otp "${selection}" -c
|
|
||||||
|
|
||||||
else
|
|
||||||
pass "${selection}" -c
|
|
||||||
fi
|
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
url: http://hackage.haskell.org/
|
url: http://hackage.haskell.org/
|
||||||
|
|
||||||
username: maralorn
|
username: maralorn
|
||||||
password-command: pass org/haskell/hackage.haskell.org/maralorn
|
password-command: rbw get hackage.haskell.org
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,9 +1,13 @@
|
||||||
{pkgs, ...}: let
|
{
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
makeUnlocker = {
|
makeUnlocker = {
|
||||||
name,
|
name,
|
||||||
hostName,
|
hostName,
|
||||||
pubKey,
|
pubKey,
|
||||||
passPath,
|
passwordName,
|
||||||
}: let
|
}: let
|
||||||
knownHosts = pkgs.writeText "KnownBootHosts" "${hostName} ${pubKey}";
|
knownHosts = pkgs.writeText "KnownBootHosts" "${hostName} ${pubKey}";
|
||||||
in
|
in
|
||||||
|
@ -16,14 +20,14 @@
|
||||||
done;
|
done;
|
||||||
echo
|
echo
|
||||||
echo "Ping successful; Entering disk encryption password"
|
echo "Ping successful; Entering disk encryption password"
|
||||||
${pkgs.pass}/bin/pass ${passPath} | ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed"
|
${config.programs.rbw.package}/bin/rbw get ${passwordName} | (ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed")
|
||||||
'';
|
'';
|
||||||
unlocker = [
|
unlocker = [
|
||||||
{
|
{
|
||||||
name = "hera";
|
name = "hera";
|
||||||
hostName = "hera-v4";
|
hostName = "hera-v4";
|
||||||
pubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCHkqWlFLtmIlTSKahr2PcL++K75YgfsSU6jwVYW5df3JCkowu/M16SIBxABxYSQrKej5uIz/OFCjqSxHJQ8D5wSYBvn2gYr/BbBcz4rfIJmZ55Od2jckaqlj/M8TtkuPPhsQG7S730vXxK5hbMT8iW5WWv8sIKY/WtaRbZOFMX/53WCLEHtnMu5zFJFWf92+mjIHSLyW8ggl1m525RUiaAfCge2vnuzIFq4kUqJxaWzxIvEWIncKWN10K/HMvdI+yOtbSen41uKedwSFhUFs3xHy1mJddYOrlcJQPt5zuuffZ/nTDVXMZoh5QNwg8ZlkkueVChaS1Y5STjb7cem1Mt";
|
pubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCHkqWlFLtmIlTSKahr2PcL++K75YgfsSU6jwVYW5df3JCkowu/M16SIBxABxYSQrKej5uIz/OFCjqSxHJQ8D5wSYBvn2gYr/BbBcz4rfIJmZ55Od2jckaqlj/M8TtkuPPhsQG7S730vXxK5hbMT8iW5WWv8sIKY/WtaRbZOFMX/53WCLEHtnMu5zFJFWf92+mjIHSLyW8ggl1m525RUiaAfCge2vnuzIFq4kUqJxaWzxIvEWIncKWN10K/HMvdI+yOtbSen41uKedwSFhUFs3xHy1mJddYOrlcJQPt5zuuffZ/nTDVXMZoh5QNwg8ZlkkueVChaS1Y5STjb7cem1Mt";
|
||||||
passPath = "eu/m-0/hera.m-0.eu/disk";
|
passwordName = "hera.m-0.eu disk";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
in {config = {home.packages = map makeUnlocker unlocker;};}
|
in {config = {home.packages = map makeUnlocker unlocker;};}
|
||||||
|
|
|
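Review bot: In the new unlock line only the `ssh … cryptsetup-askpass` group is guarded by `&&`/`||`; a failed `rbw get` (locked vault, wrong entry name, agent not running) still pipes empty input into `cryptsetup-askpass`, which is presumably consumed as a wrong passphrase attempt on the remote, and the script prints only the generic "failed" message. Fetching the secret first and bailing out makes the failure explicit: `pw=$(${config.programs.rbw.package}/bin/rbw get ${passwordName}) || { echo "Fetching disk password for ${name} failed"; exit 1; }` followed by `printf '%s\n' "$pw" | ssh -4 root@${hostName} -o UserKnownHostsFile=${knownHosts} cryptsetup-askpass && echo "Unlocking of ${name} successful" || echo "Unlocking of ${name} failed"`. Note also that `passwordName = "hera.m-0.eu disk"` is interpolated unquoted so the shell splits it into rbw's NAME and USER arguments; that is deliberate but fragile, and a comment like `# passwordName is "<entry> <user>"; intentionally unquoted so it becomes two rbw arguments` would record it. The script body starts before this hunk.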
@ -48,7 +48,7 @@
|
||||||
if (type == "caldav")
|
if (type == "caldav")
|
||||||
then {
|
then {
|
||||||
inherit username;
|
inherit username;
|
||||||
"password.fetch" = ["command" "${pkgs.pass}/bin/pass" passwordPath];
|
"password.fetch" = ["command" (lib.getExe config.programs.rbw.package) passwordPath];
|
||||||
read_only = readOnly;
|
read_only = readOnly;
|
||||||
}
|
}
|
||||||
else {}
|
else {}
|
||||||
|
|
|
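Review bot: The rewritten `password.fetch` list runs `rbw <passwordPath>`: each list element is a separate argv entry and no `get` subcommand appears, whereas the unlocker and cabal hunks in this commit use `rbw get …`, so unless `passwordPath` was redefined outside this hunk to carry the subcommand, rbw will reject the invocation and vdirsyncer gets no password. The minimal fix is `"password.fetch" = ["command" (lib.getExe config.programs.rbw.package) "get" passwordPath];`, and if entries follow the `<name> <user>` convention used elsewhere, name and user should be two list elements rather than one space-separated string. `lib` must be in the module's argument set for `lib.getExe`; the function header is outside this hunk so I cannot confirm it. The enclosing `if` expression starts before the hunk.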
@ -41,7 +41,8 @@ alias nixpkgs-review-pr-remote='nixpkgs-review pr --build-args "--builders @$(bu
|
||||||
alias nixpkgs-review-rev-remote='nixpkgs-review rev --build-args "--builders @$(builders-configurator --force)"'
|
alias nixpkgs-review-rev-remote='nixpkgs-review rev --build-args "--builders @$(builders-configurator --force)"'
|
||||||
alias accounting='f() { if [[ "$1" == "" ]]; then year="buchhaltung" else year="$1" fi; hledger -f ~/git/buchhaltung/$year.journal ui -- --watch --theme=terminal -X€ -t -E}; f'
|
alias accounting='f() { if [[ "$1" == "" ]]; then year="buchhaltung" else year="$1" fi; hledger -f ~/git/buchhaltung/$year.journal ui -- --watch --theme=terminal -X€ -t -E}; f'
|
||||||
alias o=xdg-open
|
alias o=xdg-open
|
||||||
alias s='sudo systemctl'
|
alias sudo='sudo -A'
|
||||||
|
alias s='sudo -A systemctl'
|
||||||
alias g='lazygit'
|
alias g='lazygit'
|
||||||
alias u='systemctl --user'
|
alias u='systemctl --user'
|
||||||
alias m=man
|
alias m=man
|
||||||
|
|
|
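Review bot: `alias sudo='sudo -A'` changes every interactive sudo in this shell: with `-A` sudo never falls back to asking on the terminal, so on any host where `SUDO_ASKPASS` is unset (a plain SSH session, or before session variables are sourced) it aborts with "no askpass program specified", and nothing in this commit exports `SUDO_ASKPASS`. Guarding the flag keeps the terminal fallback: `alias sudo='sudo ${SUDO_ASKPASS:+-A}'` and `alias s='sudo ${SUDO_ASKPASS:+-A} systemctl'`, which are expanded at invocation time because the alias text is single-quoted. On hosts that now import `roles/server` wheel sudo is passwordless anyway, so the alias only matters on the interactive machines.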
@ -15,6 +15,7 @@ in {
|
||||||
../../roles/fonts.nix
|
../../roles/fonts.nix
|
||||||
../../roles/metal.nix
|
../../roles/metal.nix
|
||||||
../../roles/standalone
|
../../roles/standalone
|
||||||
|
../../roles/server
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -28,6 +28,7 @@ in {
|
||||||
../../roles/miniflux.nix
|
../../roles/miniflux.nix
|
||||||
../../roles/monitoring
|
../../roles/monitoring
|
||||||
../../roles/nixpkgs-bot.nix
|
../../roles/nixpkgs-bot.nix
|
||||||
|
../../roles/server
|
||||||
../../roles/server/init_ssh.nix
|
../../roles/server/init_ssh.nix
|
||||||
../../roles/standalone
|
../../roles/standalone
|
||||||
../../roles/unbound.nix
|
../../roles/unbound.nix
|
||||||
|
|
|
@ -19,8 +19,6 @@ in {
|
||||||
|
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = false; # If my user account is pwned all is lost anyway.
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
|
resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
|
||||||
firewall = {
|
firewall = {
|
||||||
|
|
3
nixos/roles/server/default.nix
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
{
|
||||||
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
}
|
|
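Review bot: `security.sudo.wheelNeedsPassword = false` arrives in this new role without the rationale that accompanied it at its previous location; please keep a comment above it, for example `# wheel gets passwordless sudo on servers: they are driven non-interactively (deploy script, sudo -A) and a compromised wheel account already owns the host.`, adjusted to whatever the actual reasoning is. Only hosts whose import lists include `../../roles/server` pick this up, which in this commit is the two hosts with changed imports; a host importing just `roles/server/init_ssh.nix` does not, which looks intended but is worth stating here.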
@ -86,7 +86,7 @@ final: _: let
|
||||||
output=$(nom build --builders @$(builders-configurator) $HOME/git/config#nixosConfigurations.$host.config.system.build.toplevel --no-link --print-out-paths)
|
output=$(nom build --builders @$(builders-configurator) $HOME/git/config#nixosConfigurations.$host.config.system.build.toplevel --no-link --print-out-paths)
|
||||||
if [[ -z "$remote_host" ]]; then
|
if [[ -z "$remote_host" ]]; then
|
||||||
on_target() {
|
on_target() {
|
||||||
/run/wrappers/bin/sudo $@
|
/run/wrappers/bin/sudo -A $@
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
on_target() {
|
on_target() {
|
||||||
|
|
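Review bot: `on_target` forwards its arguments as an unquoted `$@` on the new `sudo -A` line, so any argument containing whitespace or glob characters is re-split before it reaches sudo; it should read `/run/wrappers/bin/sudo -A "$@"`. `-A` also makes sudo fail outright instead of prompting on the terminal when `SUDO_ASKPASS` is not exported into the environment that runs this script, and the hunk does not establish that it is. The function belongs to a script that starts before this hunk.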