dotfiles/nix-conf/home-manager/base/keepass.nix


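# Home-manager module for KeePass: installs the kpcli-py CLI (and optionally the
# KeePass GUI) and generates ~/.kp/config.ini from the options declared below.
#
# Security note: `home.file.<name>.text` is rendered into the Nix store, which is
# world-readable; ~/.kp/config.ini is only a symlink to that store path. Only
# locations and settings belong in this file, never the database password or
# key-file contents.
{ config, proj_root, pkgs, lib, ... }:
let
  cfg = config.base.keepass;

  # Drops every attribute whose value is null so unset options are simply
  # omitted from the generated INI instead of being written out.
  trimNull = lib.filterAttrsRecursive (name: value: value != null);

  # Renders a path-typed option as a plain string. `lib.types.path` accepts both
  # strings and Nix path literals; `toString` yields the absolute path without
  # importing the file into the Nix store, which string interpolation of a path
  # literal would do (and which would leak a database or key file to every
  # local user). null is passed through so trimNull can still drop it.
  pathString = p: if p == null then null else toString p;
in
{
  imports = [ ./graphics.nix ];

  options.base.keepass = {
    enable = lib.mkEnableOption "keepass";

    use_gui = lib.mkOption {
      type = lib.types.bool;
      description = "Whether to enable keepass GUI (the original one)";
      default = false;
      example = true;
    };

    # Required option. The previous `default = null` did not type-check against
    # `lib.types.path`, so an unset path already failed evaluation; leaving the
    # default out produces the clearer "option has no value defined" error.
    path = lib.mkOption {
      type = lib.types.path;
      description = "Path to kdbx file";
      example = "/media/homelab/f/PersistentHotStorage/keepass.kdbx";
    };

    # Prefer a string ("/path/to/key") over a path literal (./key) when setting
    # this, so the key file is referenced in place rather than handled as a
    # Nix path value.
    keyfile_path = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      description = ''
        Path to key file for the database
        If null, then the field is unset
      '';
      default = null;
      example = "/path/to/mykeyfile.key";
    };

    # NOTE(review): how and where kpcli protects the cached password is not
    # visible from this module. Confirm it fits the threat model, or set this
    # to false on shared or unencrypted machines.
    store_encrypted_password = lib.mkOption {
      type = lib.types.bool;
      description = "Whether to store encrypted password for 24 hrs before re-prompt";
      default = true;
      example = false;
    };

    # A short timeout limits how long a copied password stays readable by other
    # processes with clipboard access.
    copy_timeout_secs = lib.mkOption {
      type = lib.types.int;
      description = "Timeout (seconds) before the password is expired from clipboard";
      default = 12;
      example = 60;
    };
  };

  config = lib.mkIf cfg.enable {
    home.packages =
      [
        pkgs.kpcli-py # command-line client for the KeePass database
      ]
      # Fix: the original condition was written `cfg.use_gui or <graphics flag>`.
      # In Nix `or` is the attribute-selection fallback, not boolean OR, so the
      # graphics flag was never consulted. `||` expresses the intended logic.
      # The inner `or false` keeps evaluation working if ./graphics.nix does not
      # define `_enable` at all.
      # NOTE(review): this assumes `_enable`, when declared, always has a value.
      ++ lib.optionals (cfg.use_gui || (config.base.graphics._enable or false)) [
        pkgs.keepass # Personal secret management
      ];

    # TODO: an alternative is to symlink safely-stored password onto here
    home.file.".kp/config.ini".text = lib.generators.toINI { } (trimNull {
      default = {
        KEEPASSDB = pathString cfg.path;
        KEEPASSDB_KEYFILE = pathString cfg.keyfile_path;
        STORE_ENCRYPTED_PASSWORD = cfg.store_encrypted_password;
        # Must stay null: this field expects plain text, and the generated file
        # lives in the world-readable Nix store. trimNull removes the key so
        # kpcli prompts for the password instead.
        # TODO: There is no way to store via file.
        KEEPASSDB_PASSWORD = null;
        KEEPASSDB_TIMEOUT = cfg.copy_timeout_secs;
      };
    });
  };
}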