# Provide the Secret Service API (D-Bus) through KeePassXC instead of GNOME
# Keyring. KeePassXC is preferred because it can confirm and notify whenever
# an entry is read through that API, and because such entries take part in
# its other features. A few other components are then pointed at the API.
{ config, pkgs, lib, is, ... }:
let
  cfg = config.my.secret-service;

  # `secret-tool` ships inside libsecret. The assertion flags a future nixpkgs
  # that splits it into its own attribute, at which point this binding should
  # be switched over.
  secretTool = assert ! pkgs ? secret-tool; pkgs.libsecret.out;

  # Preconditions this module relies on but cannot express as options.
  requirements = [
    {
      assertion = is.MATE;
      message = "Only designed for use with MATE Desktop.";
    }
    {
      assertion = ! is.KDE;
      message = "Don't know how to disable KDE's provider of the Secret Service.";
    }
    {
      assertion = is.GUI;
      message = "Don't know how to only install `keepassxc-cli` without GUI dependencies.";
    }
  ];
in
{
  options.my.secret-service.enable =
    lib.mkEnableOption "my custom way of providing and using the Secret Service API";

  config = lib.mkIf cfg.enable {
    assertions = requirements;

    # GNOME Keyring is not needed and would conflict on D-Bus with KeePassXC
    # being the provider, so force it off even if another module enables it.
    services.gnome.gnome-keyring.enable = lib.mkForce false;

    environment.systemPackages = [
      # KeePassXC for every user; it is the provider of the API.
      (if is.GUI then
        pkgs.keepassxc
      else
        pkgs.keepassxc-cli # Invalid: Too bad there's not this w/o needing GUI desktop.
      )
      # CLI for scripted access to and management of entries. Consumers of the
      # API do not need it.
      secretTool
    ];

    # Seahorse: a GUI for seeing what the provider exposes (plus SSH and GPG
    # keys) and for light management of entries. Optional convenience only.
    programs.seahorse.enable = is.GUI;

    programs.git = {
      package = pkgs.git.override { withLibsecret = true; };
      config.credential = {
        # Git credentials are stored via the Secret Service, i.e. with
        # KeePassXC, so its access confirmation covers them too. This is only
        # the system default; users may override it in their own config.
        helper = "libsecret";
        # Match stored credentials on host AND path, so two repos on the same
        # host are not served each other's credentials. Users could override.
        useHttpPath = true;
      };
    };

    # Keep XDG Desktop Portal away from `gnome-keyring` as well. Only takes
    # effect when `xdg.portal.enable` is true; unsure how well this works out,
    # but KeePassXC is certainly the intended backend here.
    xdg.portal.config.common = {
      default = [ "*" ]; # This means: Use the first portal implementation found.
      "org.freedesktop.impl.portal.Secret" = [ "keepassxc" ]; # TODO: What would impl this?
    };
  };
}