nixos/1password-gui: init at 8.6.0

Browser Integration requires setgid and setuid programs, which needs to be done in the system configuration. This is cleaner than the ad-hoc ways we have to set things up for platforms without a global configuration file.
2022-03-16 14:09:37 -04:00 · 2022-03-16 14:09:37 -04:00 · 7f1f6eeffb
commit 7f1f6eeffb
parent f4aabde858
3 changed files with 71 additions and 0 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -118,6 +118,7 @@
  ./misc/version.nix
  ./misc/wordlist.nix
  ./misc/nixops-autoluks.nix
+  ./programs/_1password-gui.nix
  ./programs/adb.nix
  ./programs/appgate-sdp.nix
  ./programs/atop.nix
--- a/nixos/modules/programs/_1password-gui.nix
+++ b/nixos/modules/programs/_1password-gui.nix
@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.programs._1password-gui;
+
+in {
+  options = {
+    programs._1password-gui = {
+      enable = mkEnableOption "The 1Password Desktop application with browser integration";
+
+      groupId = mkOption {
+        type = types.int;
+        example = literalExpression "5000";
+        description = ''
+          The GroupID to assign to the onepassword group, which is needed for browser integration. The group ID must be 1000 or greater.
+          '';
+      };
+
+      polkitPolicyOwners = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = literalExpression "[\"user1\" \"user2\" \"user3\"]";
+        description = ''
+          A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms. By default, no users will have such access.
+          '';
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs._1password-gui;
+        defaultText = literalExpression "pkgs._1password-gui";
+        example = literalExpression "pkgs._1password-gui";
+        description = ''
+          The 1Password derivation to use. This can be used to upgrade from the stable release that we keep in nixpkgs to the betas.
+          '';
+      };
+    };
+  };
+
+  config = let
+    package = cfg.package.override {
+      polkitPolicyOwners = cfg.polkitPolicyOwners;
+    };
+  in mkIf cfg.enable {
+    environment.systemPackages = [ package ];
+    users.groups.onepassword.gid = cfg.groupId;
+
+    security.wrappers = {
+      "1Password-BrowserSupport" =
+        { source = "${cfg.package}/share/1password/1Password-BrowserSupport";
+          owner = "root";
+          group = "onepassword";
+          setuid = false;
+          setgid = true;
+        };
+
+      "1Password-KeyringHelper" =
+        { source = "${cfg.package}/share/1password/1Password-KeyringHelper";
+          owner = "root";
+          group = "onepassword";
+          setuid = true;
+          setgid = true;
+        };
+    };
+
+  };
+}
--- a/pkgs/applications/misc/1password-gui/default.nix
+++ b/pkgs/applications/misc/1password-gui/default.nix
@ -101,6 +101,7 @@ in stdenv.mkDerivation rec {
        mkdir -p $out/share/polkit-1/actions
        substitute com.1password.1Password.policy.tpl $out/share/polkit-1/actions/com.1password.1Password.policy --replace "\''${POLICY_OWNERS}" "${policyOwners}"
        '') + ''
+
      # Icons
      cp -a resources/icons $out/share