eeva/home-manager
1
0
Fork 0
mirror of https://github.com/nix-community/home-manager synced 2024-11-23 19:49:45 +01:00
Code Issues Releases Wiki Activity

gnome-keyring: add option to use security wrapper provided by nixos

Browse source
This commit is contained in:
aleksana 2024-01-18 19:40:09 +08:00
parent 33e12c94c8
commit 65e421bf17
1 changed files with 13 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
modules/services/gnome-keyring.nix
View file

@ -13,6 +13,14 @@ in {
services.gnome-keyring = {
enable = mkEnableOption "GNOME Keyring";
useSecurityWrapper = mkEnableOption ''
using gnome-keyring-daemon wrapped by NixOS security wrapper
(i.e. {file}`/run/wrappers/bin/gnome-keyring-daemon`) with
`CAP_IPC_LOCK` to enhance memory security. This option will
only work on NixOS with system-wide
{option}`services.gnome.gnome-keyring.enable` option enabled
'';
components = mkOption {
type = types.listOf (types.enum [ "pkcs11" "secrets" "ssh" "gpg" ]);
default = [ ];
@ -49,7 +57,11 @@ in {
args = concatStringsSep " " ([ "--start" "--foreground" ]
++ optional (cfg.components != [ ])
("--components=" + concatStringsSep "," cfg.components));
in "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon ${args}";
executable = if cfg.useSecurityWrapper then
"/run/wrappers/bin/gnome-keyring-daemon"
else
"${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
in "${executable} ${args}";
Restart = "on-abort";
};