mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-07-12 15:42:39 +02:00
feat: add develop environment for ruby
This commit is contained in:
@@ -0,0 +1,47 @@
|
||||
# Password Manager
|
||||
|
||||
- https://www.passwordstore.org/
|
||||
- [awesome-password-store](https://github.com/tijn/awesome-password-store)
|
||||
- <https://github.com/gopasspw/gopass>: reimplement in go, with more features.
|
||||
- Clients
|
||||
- Android: <https://github.com/android-password-store/Android-Password-Store>
|
||||
- Brosers(Chrome/Firefox): <https://github.com/browserpass/browserpass-extension>
|
||||
|
||||
## How to change the gpg key of the pass password store?
|
||||
|
||||
To ensure security, we should change the GPG key every two or three years. Here is how to do this.
|
||||
|
||||
1. Create a new GPG key pair and backup it to a safe place.
|
||||
2. Ensure you can access both the old and new GPG keys.
|
||||
3. Update `./default.nix` to use the new GPG sub keys.
|
||||
4. Check which Key `pass` currently uses:
|
||||
|
||||
```bash
|
||||
cd ~/.local/share/password-store/
|
||||
# check which key is used by pass
|
||||
cat .gpg-id
|
||||
# check which key is really used to encrypt the password
|
||||
gpg --list-packets path/to/any/password.gpg
|
||||
```
|
||||
4. Change the key used by `pass`:
|
||||
```bash
|
||||
# change the key used by pass, see `man pass` for more details
|
||||
# you will be asked to enter the password of both the new and old keys
|
||||
# then pass will re-encrypt all the passwords with the new key
|
||||
pass init <new-key-id>
|
||||
```
|
||||
5. Check if the key is changed:
|
||||
```bash
|
||||
# check which key is used by pass
|
||||
cat .gpg-id
|
||||
# check which key is really used to encrypt the password
|
||||
gpg --list-packets path/to/any/password.gpg
|
||||
```
|
||||
6. Delete the old GPG key pair:
|
||||
```bash
|
||||
# delete the old key pair
|
||||
gpg --delete-secret-keys <old-key-id>
|
||||
gpg --delete-keys <old-key-id>
|
||||
```
|
||||
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
passwordStoreDir = "${config.xdg.dataHome}/password-store";
|
||||
in {
|
||||
programs.password-store = {
|
||||
enable = true;
|
||||
package = pkgs.pass.withExtensions (exts: [
|
||||
# support for one-time-password (OTP) tokens
|
||||
# NOTE: Saving the password and OTP together runs counter to the purpose of secondary verification!
|
||||
# exts.pass-otp
|
||||
|
||||
exts.pass-import # a generic importer tool from other password managers
|
||||
exts.pass-update # an easy flow for updating passwords
|
||||
]);
|
||||
# See the “Environment variables” section of pass(1) and the extension man pages for more information about the available keys.
|
||||
settings = {
|
||||
PASSWORD_STORE_DIR = passwordStoreDir;
|
||||
# Overrides the default gpg key identification set by init.
|
||||
# Hexadecimal key signature is recommended.
|
||||
# Multiple keys may be specified separated by spaces.
|
||||
PASSWORD_STORE_KEY = lib.strings.concatStringsSep " " [
|
||||
"EF824EB73CFD6CC7" # E - Ryan Yin (For pass & ssh only) <ryan4yin@linux.com>
|
||||
];
|
||||
# all .gpg-id files and non-system extension files must be signed using a detached signature using the GPG key specified by
|
||||
# the full 40 character upper-case fingerprint in this variable.
|
||||
# If multiple fingerprints are specified, each separated by a whitespace character, then signatures must match at least one.
|
||||
# The init command will keep signatures of .gpg-id files up to date.
|
||||
PASSWORD_STORE_SIGNING_KEY = lib.strings.concatStringsSep " " [
|
||||
"C2A313F98166C942" # S - Ryan Yin (For pass & ssh only) <ryan4yin@linux.com>
|
||||
];
|
||||
PASSWORD_STORE_CLIP_TIME = "60";
|
||||
PASSWORD_STORE_GENERATED_LENGTH = "15";
|
||||
PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
|
||||
};
|
||||
};
|
||||
|
||||
# password-store extensions for browsers
|
||||
# you need to install the browser extension for this to work
|
||||
# https://github.com/browserpass/browserpass-extension
|
||||
programs.browserpass = {
|
||||
enable = true;
|
||||
browsers = [
|
||||
"chrome"
|
||||
"chromium"
|
||||
"firefox"
|
||||
];
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user