1
0
Fork 0
mirror of https://github.com/nix-community/home-manager synced 2024-11-27 13:39:46 +01:00

gnome-keyring: add option to use security wrapper provided by nixos

This commit is contained in:
aleksana 2024-01-18 19:40:09 +08:00
parent 33e12c94c8
commit 65e421bf17

View file

@ -13,6 +13,14 @@ in {
services.gnome-keyring = { services.gnome-keyring = {
enable = mkEnableOption "GNOME Keyring"; enable = mkEnableOption "GNOME Keyring";
useSecurityWrapper = mkEnableOption ''
using gnome-keyring-daemon wrapped by NixOS security wrapper
(i.e. {file}`/run/wrappers/bin/gnome-keyring-daemon`) with
`CAP_IPC_LOCK` to enhance memory security. This option will
only work on NixOS with system-wide
{option}`services.gnome.gnome-keyring.enable` option enabled
'';
components = mkOption { components = mkOption {
type = types.listOf (types.enum [ "pkcs11" "secrets" "ssh" "gpg" ]); type = types.listOf (types.enum [ "pkcs11" "secrets" "ssh" "gpg" ]);
default = [ ]; default = [ ];
@ -49,7 +57,11 @@ in {
args = concatStringsSep " " ([ "--start" "--foreground" ] args = concatStringsSep " " ([ "--start" "--foreground" ]
++ optional (cfg.components != [ ]) ++ optional (cfg.components != [ ])
("--components=" + concatStringsSep "," cfg.components)); ("--components=" + concatStringsSep "," cfg.components));
in "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon ${args}"; executable = if cfg.useSecurityWrapper then
"/run/wrappers/bin/gnome-keyring-daemon"
else
"${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
in "${executable} ${args}";
Restart = "on-abort"; Restart = "on-abort";
}; };