| author | 2026-06-19 17:57:23 +0100 | |
|---|---|---|
| committer | 2026-06-19 17:57:23 +0100 | |
| commit | cf5a2f46f0167c8495d28de5b1364c8bc460b6d0 (patch) | |
| tree | 9c46279f71aab9757abef8af927a75b198690bf3 /run_onchange_after_deploy-pteid-pkcs11.sh.tmpl | |
| parent | 259a3b989513f47f6cc5d36eaaf9e5fbef9b4d9a (diff) | |
Move VM dotfile deployment out of Home Manager and into chezmoi with a machineRole guard.
Add VM recipes for applying chezmoi state and restarting the Nix GnuPG agent.
Make host-only hooks no-op on the VM and render container storage per role.
Diffstat (limited to 'run_onchange_after_deploy-pteid-pkcs11.sh.tmpl')
| -rw-r--r-- | run_onchange_after_deploy-pteid-pkcs11.sh.tmpl | 73 |
1 files changed, 37 insertions, 36 deletions
diff --git a/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
index 4f57757..504fc4d 100644
--- a/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
+++ b/run_onchange_after_deploy-pteid-pkcs11.sh.tmpl
@@ -8,6 +8,7 @@
 #
 # pteid entry hash: {{ output "sh" "-c" (printf "grep '^pt\\.gov\\.autenticacao' %q/meta/flatpak.txt 2>/dev/null || true" .chezmoi.sourceDir) | sha256sum }}
 set -eu
+command -v flatpak >/dev/null 2>&1 || exit 0
 PTEID_APP=pt.gov.autenticacao
 MODULE_NAME=pteid-mw
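Review bot: The new `command -v flatpak` guard exits silently, whereas the sibling modutil/certutil check a few lines further down (visible in the next hunk) reports to stderr before its `exit 0`; giving this guard the same shape makes a skipped run diagnosable from `chezmoi apply` output: `command -v flatpak >/dev/null 2>&1 || { echo "pteid-pkcs11: flatpak not found; skipping NSS registration." >&2; exit 0; }`. Since this is a run_onchange_ script keyed on the flatpak.txt entry hash in the comment above it, a host that gains flatpak after one silent early exit will presumably not re-run the registration until that hash changes, which is worth stating in a comment above the guard, e.g. `# No flatpak on this role: nothing to register. Installing flatpak later will not re-trigger this script until the pteid entry hash changes (or the chezmoi script state is cleared).` Under `set -eu` the `||` list is safe here, so no further change to the exit handling is needed.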
@@ -26,36 +27,36 @@
 SO_IN_SANDBOX="/run/host$SO"
 SO_DIR_IN_SANDBOX="/run/host$SO_DIR"
 if ! command -v modutil >/dev/null 2>&1 || ! command -v certutil >/dev/null 2>&1; then
- echo "pteid-pkcs11: modutil/certutil not found (install nss); skipping NSS registration." >&2
- exit 0
+ echo "pteid-pkcs11: modutil/certutil not found (install nss); skipping NSS registration." >&2
+ exit 0
 fi
 apply_override() {
- flatpak info --user "$1" >/dev/null 2>&1 || return 1
- flatpak override --user \
- --filesystem="$PTEID_LOC/files:ro" \
- --socket=pcsc \
- --env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
- "$1"
+ flatpak info --user "$1" >/dev/null 2>&1 || return 1
+ flatpak override --user \
+ --filesystem="$PTEID_LOC/files:ro" \
+ --socket=pcsc \
+ --env="LD_LIBRARY_PATH=$SO_DIR_IN_SANDBOX" \
+ "$1"
 }
 register_in_profile() {
- prof="$1"
- proc_name="$2"
- [ -d "$prof" ] || return 0
- if [ ! -f "$prof/cert9.db" ]; then
- certutil -N -d "sql:$prof" --empty-password >/dev/null 2>&1 || return 0
- fi
- [ -f "$prof/cert9.db" ] || return 0
- if modutil -list -dbdir "sql:$prof" 2>/dev/null | grep -q "^[[:space:]]*Name:[[:space:]]*$MODULE_NAME$"; then
- return 0
- fi
- if pgrep -u "$(id -u)" -x "$proc_name" >/dev/null 2>&1; then
- echo "pteid-pkcs11: $proc_name is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
- return 0
- fi
- modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
- echo "pteid-pkcs11: registered $MODULE_NAME in ${prof#"$HOME/"}"
+ prof="$1"
+ proc_name="$2"
+ [ -d "$prof" ] || return 0
+ if [ ! 
-f "$prof/cert9.db" ]; then
+ certutil -N -d "sql:$prof" --empty-password >/dev/null 2>&1 || return 0
+ fi
+ [ -f "$prof/cert9.db" ] || return 0
+ if modutil -list -dbdir "sql:$prof" 2>/dev/null | grep -q "^[[:space:]]*Name:[[:space:]]*$MODULE_NAME$"; then
+ return 0
+ fi
+ if pgrep -u "$(id -u)" -x "$proc_name" >/dev/null 2>&1; then
+ echo "pteid-pkcs11: $proc_name is running; close it and re-run 'chezmoi apply' to register the PKCS#11 module." >&2
+ return 0
+ fi
+ modutil -add "$MODULE_NAME" -libfile "$SO_IN_SANDBOX" -dbdir "sql:$prof" -force >/dev/null
+ echo "pteid-pkcs11: registered $MODULE_NAME in ${prof#"$HOME/"}"
 }
 # Mozilla-family flatpaks: per-profile NSS DBs under ~/.var/app/<id>/<profile_subdir>/<profile>/
@@ -65,13 +66,13 @@
 io.gitlab.librewolf-community .librewolf librewolf
 org.mozilla.thunderbird .thunderbird thunderbird"
 echo "$MOZILLA_APPS" | while IFS=' ' read -r app profile_subdir proc_name; do
- [ -n "$app" ] || continue
- apply_override "$app" || continue
- profiles_dir="$HOME/.var/app/$app/$profile_subdir"
- [ -d "$profiles_dir" ] || continue
- for prof in "$profiles_dir"/*/; do
- register_in_profile "$prof" "$proc_name"
- done
+ [ -n "$app" ] || continue
+ apply_override "$app" || continue
+ profiles_dir="$HOME/.var/app/$app/$profile_subdir"
+ [ -d "$profiles_dir" ] || continue
+ for prof in "$profiles_dir"/*/; do
+ register_in_profile "$prof" "$proc_name"
+ done
 done
 # Shared-NSS flatpaks (Poppler/LibreOffice): single ~/.pki/nssdb inside the sandbox.
@@ -81,9 +82,9 @@
 org.kde.okular okular
 org.libreoffice.LibreOffice soffice.bin"
 echo "$SHARED_NSS_APPS" | while IFS=' ' read -r app proc_name; do
- [ -n "$app" ] || continue
- apply_override "$app" || continue
- prof="$HOME/.var/app/$app/.pki/nssdb"
- mkdir -p "$prof"
- register_in_profile "$prof/" "$proc_name"
+ [ -n "$app" ] || continue
+ apply_override "$app" || continue
+ prof="$HOME/.var/app/$app/.pki/nssdb"
+ mkdir -p "$prof"
+ register_in_profile "$prof/" "$proc_name"
 done |
