author | Savanni D'Gerinel <savanni@luminescent-dreams.com> | 2022-03-16 14:09:37 -0400 |
---|---|---|
committer | Savanni D'Gerinel <savanni@luminescent-dreams.com> | 2022-03-24 10:13:43 -0400 |
commit | 7f1f6eeffb2b18ed9b2a03f2ae91727e1e615241 (patch) | |
tree | 0ac302a63926444e26d50427843b8736af294c6e /nixos | |
parent | f4aabde8580957e93118e45f3ad467bb5d9f131f (diff) | |
nixos/1password-gui: init at 8.6.0
Browser Integration requires setgid and setuid programs, which have to be set up in the system configuration. This is cleaner than the ad-hoc ways we have to set things up for platforms without a global configuration file.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/_1password-gui.nix | 69 |
2 files changed, 70 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e80c6cf90f54..c6a4627c34f7 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -118,6 +118,7 @@
 ./misc/version.nix
 ./misc/wordlist.nix
 ./misc/nixops-autoluks.nix
+ ./programs/_1password-gui.nix
 ./programs/adb.nix
 ./programs/appgate-sdp.nix
 ./programs/atop.nix
diff --git a/nixos/modules/programs/_1password-gui.nix b/nixos/modules/programs/_1password-gui.nix
new file mode 100644
index 000000000000..f57de44bb9e2
--- /dev/null
+++ b/nixos/modules/programs/_1password-gui.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.programs._1password-gui;
+
+in {
+ options = {
+ programs._1password-gui = {
+ enable = mkEnableOption "The 1Password Desktop application with browser integration";
+
+ groupId = mkOption {
+ type = types.int;
+ example = literalExpression "5000";
+ description = ''
+ The GroupID to assign to the onepassword group, which is needed for browser integration. The group ID must be 1000 or greater.
+ '';
+ };
+
+ polkitPolicyOwners = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = literalExpression "[\"user1\" \"user2\" \"user3\"]";
+ description = ''
+ A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms. By default, no users will have such access.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs._1password-gui;
+ defaultText = literalExpression "pkgs._1password-gui";
+ example = literalExpression "pkgs._1password-gui";
+ description = ''
+ The 1Password derivation to use. This can be used to upgrade from the stable release that we keep in nixpkgs to the betas.
+ '';
+ };
+ };
+ };
+
+ config = let
+ package = cfg.package.override {
+ polkitPolicyOwners = cfg.polkitPolicyOwners;
+ };
+ in mkIf cfg.enable {
+ environment.systemPackages = [ package ];
+ users.groups.onepassword.gid = cfg.groupId;
+
+ security.wrappers = {
+ "1Password-BrowserSupport" =
+ { source = "${cfg.package}/share/1password/1Password-BrowserSupport";
+ owner = "root";
+ group = "onepassword";
+ setuid = false;
+ setgid = true;
+ };
+
+ "1Password-KeyringHelper" =
+ { source = "${cfg.package}/share/1password/1Password-KeyringHelper";
+ owner = "root";
+ group = "onepassword";
+ setuid = true;
+ setgid = true;
+ };
+ };
+
+ };
+} |
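Review bot: Both `security.wrappers` entries take their `source` from `${cfg.package}`, while `environment.systemPackages` installs the `package` binding that carries the `polkitPolicyOwners` override, so the setuid/setgid helpers can come from a different store path than the application users actually run. Pointing both wrappers at the overridden derivation, e.g. `source = "${package}/share/1password/1Password-BrowserSupport";`, keeps the privileged binaries and the installed application in one build. The `groupId` description says the gid must be 1000 or greater, but `types.int` accepts any integer; `type = types.addCheck types.int (gid: gid >= 1000);` (or an entry in `assertions`) would enforce that at evaluation time. Because `1Password-KeyringHelper` is installed setuid root, a short comment above that wrapper recording which upstream requirement it satisfies would help later audits.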