From 7f1f6eeffb2b18ed9b2a03f2ae91727e1e615241 Mon Sep 17 00:00:00 2001 From: Savanni D'Gerinel Date: Wed, 16 Mar 2022 14:09:37 -0400 Subject: [PATCH] nixos/1password-gui: init at 8.6.0 Browser Integration requires setgid and setuid programs, which needs to be done in the system configuration. This is cleaner than the ad-hoc ways we have to set things up for platforms without a global configuration file. --- nixos/modules/module-list.nix | 1 + nixos/modules/programs/_1password-gui.nix | 69 +++++++++++++++++++ .../misc/1password-gui/default.nix | 1 + 3 files changed, 71 insertions(+) create mode 100644 nixos/modules/programs/_1password-gui.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index e80c6cf90f54..c6a4627c34f7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -118,6 +118,7 @@ ./misc/version.nix ./misc/wordlist.nix ./misc/nixops-autoluks.nix + ./programs/_1password-gui.nix ./programs/adb.nix ./programs/appgate-sdp.nix ./programs/atop.nix diff --git a/nixos/modules/programs/_1password-gui.nix b/nixos/modules/programs/_1password-gui.nix new file mode 100644 index 000000000000..f57de44bb9e2 --- /dev/null +++ b/nixos/modules/programs/_1password-gui.nix @@ -0,0 +1,69 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs._1password-gui; + +in { + options = { + programs._1password-gui = { + enable = mkEnableOption "The 1Password Desktop application with browser integration"; + + groupId = mkOption { + type = types.int; + example = literalExpression "5000"; + description = '' + The GroupID to assign to the onepassword group, which is needed for browser integration. The group ID must be 1000 or greater. + ''; + }; + + polkitPolicyOwners = mkOption { + type = types.listOf types.str; + default = []; + example = literalExpression "[\"user1\" \"user2\" \"user3\"]"; + description = '' + A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms. By default, no users will have such access. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs._1password-gui; + defaultText = literalExpression "pkgs._1password-gui"; + example = literalExpression "pkgs._1password-gui"; + description = '' + The 1Password derivation to use. This can be used to upgrade from the stable release that we keep in nixpkgs to the betas. + ''; + }; + }; + }; + + config = let + package = cfg.package.override { + polkitPolicyOwners = cfg.polkitPolicyOwners; + }; + in mkIf cfg.enable { + environment.systemPackages = [ package ]; + users.groups.onepassword.gid = cfg.groupId; + + security.wrappers = { + "1Password-BrowserSupport" = + { source = "${cfg.package}/share/1password/1Password-BrowserSupport"; + owner = "root"; + group = "onepassword"; + setuid = false; + setgid = true; + }; + + "1Password-KeyringHelper" = + { source = "${cfg.package}/share/1password/1Password-KeyringHelper"; + owner = "root"; + group = "onepassword"; + setuid = true; + setgid = true; + }; + }; + + }; +} diff --git a/pkgs/applications/misc/1password-gui/default.nix b/pkgs/applications/misc/1password-gui/default.nix index 15622d799a40..311ef3037bb8 100644 --- a/pkgs/applications/misc/1password-gui/default.nix +++ b/pkgs/applications/misc/1password-gui/default.nix @@ -101,6 +101,7 @@ in stdenv.mkDerivation rec { mkdir -p $out/share/polkit-1/actions substitute com.1password.1Password.policy.tpl $out/share/polkit-1/actions/com.1password.1Password.policy --replace "\''${POLICY_OWNERS}" "${policyOwners}" '') + '' + # Icons cp -a resources/icons $out/share