From 964859d8f3fce94c1195a33b0b87bd89a4321e58 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 18:49:21 +0900 Subject: [PATCH 1/9] Enable gnome-keyring again --- home-manager/desktop.nix | 8 -------- nixos/desktop/default.nix | 2 +- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/home-manager/desktop.nix b/home-manager/desktop.nix index 4cf574fb..73b8ffc8 100644 --- a/home-manager/desktop.nix +++ b/home-manager/desktop.nix @@ -26,12 +26,4 @@ }; }; }; - - # Extracted from encryption.nix to avoid dbus error in GitHub hosted runner - # - # https://github.com/nix-community/home-manager/blob/release-24.11/modules/services/pass-secret-service.nix - # Make it possible to use libsecret which is required in vscode GitHub authentication(--password-store="gnome-libsecret"), without gnome-keyring(GH-814). - # - # Alternative candidates: https://github.com/grimsteel/pass-secret-service - services.pass-secret-service.enable = true; } diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index ce5b11c0..af55023f 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -102,7 +102,7 @@ # https://github.com/NixOS/nixpkgs/issues/101616 # # Using mkforce for https://discourse.nixos.org/t/gpg-smartcard-for-ssh/33689/3 - services.gnome.gnome-keyring.enable = lib.mkForce false; + # services.gnome.gnome-keyring.enable = lib.mkForce false; # Enable touchpad support (enabled default in most desktopManager). services.libinput = { From 0241e232e2d051206744f53cf23fd00c1214975f Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 19:50:29 +0900 Subject: [PATCH 2/9] Attempt to skip setting SSH_AUTH_SOCK by gnome-keyring --- config/rclone.md | 2 +- nixos/desktop/default.nix | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/config/rclone.md b/config/rclone.md index 7d770621..34e9c30d 100644 --- a/config/rclone.md +++ b/config/rclone.md 
@@ -1,7 +1,7 @@ # Rclone Rclone enables an OSS vault on several Cloud Storages.\ -And it makes it possible to use [Google Drive on Linux](https://abevoelker.github.io/how-long-since-google-said-a-google-drive-linux-client-is-coming/). +And it makes it possible to use [Google Drive on Linux](https://abevoelker.github.io/how-long-since-google-said-a-google-drive-linux-client-is-coming/) without gnome-online-accounts. ## Setup diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index af55023f..ca98a464 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -95,14 +95,15 @@ gnome-online-accounts # See GH-1015 ]; - # Recommended to be uninstalled by gnupg. I prefer this way, even though disabling gpg-agent ssh integrations. + # I need gnome-keyring to use gnome-online-accounts even though recommended to be uninstalled by gnupg. pass-secret families didn't work on goa. See GH-1034 and GH-1036 # https://wiki.gnupg.org/GnomeKeyring # - # And enabling this makes $SSH_AUTH_SOCK overriding even through enabled gpg-agent in home-manager - # https://github.com/NixOS/nixpkgs/issues/101616 - # - # Using mkforce for https://discourse.nixos.org/t/gpg-smartcard-for-ssh/33689/3 - # services.gnome.gnome-keyring.enable = lib.mkForce false; + # Require mkforce if you want to disable. See https://discourse.nixos.org/t/gpg-smartcard-for-ssh/33689/3 + services.gnome.gnome-keyring.enable = true; + # On the otherhand, I should avoid deprecated gnome-keyring for ssh integrations even if it looks working. + # gnome-keyring enables pam.sshAgentAuth, and it sets the $SSH_AUTH_SOCK, and following modules skips to override this variable. So I should stop the first flag here. + # This workaround might be updated with https://github.com/NixOS/nixpkgs/issues/140824 + security.pam.sshAgentAuth.enable = false; # Enable touchpad support (enabled default in most desktopManager). services.libinput = { From 6f69d131ef6c4fa4d530546d80db98029ad31673 Mon Sep 17 00:00:00 2001 
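Review bot: The new comment in the nixos/desktop/default.nix hunk attributes `$SSH_AUTH_SOCK` to `security.pam.sshAgentAuth`, but as far as I know that option configures agent-based PAM authentication (pam_ssh_agent_auth, for example for sudo) and does not decide which agent exports the socket. If so, `security.pam.sshAgentAuth.enable = false;` probably leaves gnome-keyring's own agent in place. With `services.gnome.gnome-keyring.enable = true;` the SSH agent role may then move silently from gpg-agent to gnome-keyring, which the comment itself calls deprecated for this use. I would reword the comment to `# gnome-keyring's own ssh-agent component exports $SSH_AUTH_SOCK before gpg-agent can; disabling it needs a package-level change`, and confirm after login that `$SSH_AUTH_SOCK` matches `gpgconf --list-dirs agent-ssh-socket`.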
From: Kenichi Kamiya Date: Fri, 10 Jan 2025 19:55:13 +0900 Subject: [PATCH 3/9] Also require mkForce here --- nixos/desktop/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index ca98a464..613c63f7 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -103,7 +103,7 @@ # On the otherhand, I should avoid deprecated gnome-keyring for ssh integrations even if it looks working. # gnome-keyring enables pam.sshAgentAuth, and it sets the $SSH_AUTH_SOCK, and following modules skips to override this variable. So I should stop the first flag here. # This workaround might be updated with https://github.com/NixOS/nixpkgs/issues/140824 - security.pam.sshAgentAuth.enable = false; + security.pam.sshAgentAuth.enable = lib.mkForce false; # Require mkforce if you want to disable. # Enable touchpad support (enabled default in most desktopManager). services.libinput = { From 508168df145e6e2c9de2c1b0362886decaaa0a66 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 20:06:37 +0900 Subject: [PATCH 4/9] Drop enable-ssh-agent flag when building gnome-keyring package --- overlays/default.nix | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/overlays/default.nix b/overlays/default.nix index ba86a546..0f46c1cc 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
@@ -16,10 +16,26 @@ }; }) - # Pacthed packages + # Keep minimum patches as possible. Because of they can not use official binary cache. See GH-754 + + # Patched and override existing name because of it is not cofigurable + (final: prev: { + # https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/by-name/gn/gnome-keyring/package.nix + # To disable SSH_AUTH_SOCK by gnome-keyring + # + # And it should be override the package it self, the module is not configurable for the package. https://github.com/NixOS/nixpkgs/blob/nixos-24.11/nixos/modules/services/desktops/gnome/gnome-keyring.nix + gnome-keyring = prev.gnome-keyring.overrideAttrs ( + finalAttrs: previousAttrs: { + # https://github.com/NixOS/nixpkgs/issues/140824#issuecomment-2573660493 + configureFlags = final.lib.lists.remove "--enable-ssh-agent" previousAttrs.configureFlags; + } + ); + }) + # Pacthed packages (final: prev: { patched = { + # TODO: Replace to stable since nixos-25.05, stable 24.11 does not include https://github.com/NixOS/nixpkgs/pull/361378 lima = prev.unstable.lima.overrideAttrs ( finalAttrs: previousAttrs: From d88379001dee504274ef62edc691c8807f1fff5a Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 20:28:26 +0900 Subject: [PATCH 5/9] Skip ubuntuforums.org in link checker --- .lycheeignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.lycheeignore b/.lycheeignore index 2fc1b675..80233c93 100644 --- a/.lycheeignore +++ b/.lycheeignore @@ -6,3 +6,6 @@ user:password # reddit often rejects request from GitHub Actions www.reddit.com/ + +# The server is unstable +ubuntuforums.org From da54e947ecd4f2a79862ac2c2ed2c8a7193e6816 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 20:28:44 +0900 Subject: [PATCH 6/9] Add more reason in patch --- overlays/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/default.nix b/overlays/default.nix index 0f46c1cc..f0f23348 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
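Review bot: `final.lib.lists.remove "--enable-ssh-agent" previousAttrs.configureFlags` in the overlays/default.nix hunk becomes a silent no-op if upstream ever renames or drops that flag. In that case gnome-keyring's ssh-agent would come back and take over `$SSH_AUTH_SOCK` with no evaluation or build error. Putting `assert builtins.elem "--enable-ssh-agent" (previousAttrs.configureFlags or [ ]);` in front of the value makes the override fail loudly when the flag is no longer there. Because the overlay replaces the top-level `gnome-keyring` attribute, every consumer of the package gets the locally built variant, and the comment could state that this is intended. The overlay list starts and ends outside the hunk.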
@@ -21,7 +21,7 @@ # Patched and override existing name because of it is not cofigurable (final: prev: { # https://github.com/NixOS/nixpkgs/blob/nixos-24.11/pkgs/by-name/gn/gnome-keyring/package.nix - # To disable SSH_AUTH_SOCK by gnome-keyring + # To disable SSH_AUTH_SOCK by gnome-keyring. This is required because of I should avoid GH-714 but realize GH-1015 # # And it should be override the package it self, the module is not configurable for the package. https://github.com/NixOS/nixpkgs/blob/nixos-24.11/nixos/modules/services/desktops/gnome/gnome-keyring.nix gnome-keyring = prev.gnome-keyring.overrideAttrs ( From 3059d487d0015dbbc1a6deb5aae0bcd6a6fd8a03 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 20:31:17 +0900 Subject: [PATCH 7/9] Revert the security.pam.sshAgentAuth --- nixos/desktop/default.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 613c63f7..94c26443 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix 
@@ -101,9 +101,8 @@ # Require mkforce if you want to disable. See https://discourse.nixos.org/t/gpg-smartcard-for-ssh/33689/3 services.gnome.gnome-keyring.enable = true; # On the otherhand, I should avoid deprecated gnome-keyring for ssh integrations even if it looks working. - # gnome-keyring enables pam.sshAgentAuth, and it sets the $SSH_AUTH_SOCK, and following modules skips to override this variable. So I should stop the first flag here. - # This workaround might be updated with https://github.com/NixOS/nixpkgs/issues/140824 - security.pam.sshAgentAuth.enable = lib.mkForce false; # Require mkforce if you want to disable. + # gnome-keyring enables pam.sshAgentAuth, and it sets the $SSH_AUTH_SOCK, and following modules skips to override this variable. But just disabling security.pam.sshAgentAuth does not resolve it. It should be done in package build phase. + # The workaround might be updated with https://github.com/NixOS/nixpkgs/issues/140824 # Enable touchpad support (enabled default in most desktopManager). services.libinput = { From 1ffc083f40ed27d4a9b38b5a3706cd7d4df8ea07 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 20:36:19 +0900 Subject: [PATCH 8/9] Remove unexpected blank line --- overlays/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/overlays/default.nix b/overlays/default.nix index f0f23348..d3b9c599 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -35,7 +35,6 @@ # Pacthed packages (final: prev: { patched = { - # TODO: Replace to stable since nixos-25.05, stable 24.11 does not include https://github.com/NixOS/nixpkgs/pull/361378 lima = prev.unstable.lima.overrideAttrs ( finalAttrs: previousAttrs: From 7e6c5c1674cd47bab894566d8c3cf977a4c4f243 Mon Sep 17 00:00:00 2001 From: Kenichi Kamiya Date: Fri, 10 Jan 2025 20:41:07 +0900 Subject: [PATCH 9/9] Should now exclude --- nixos/desktop/default.nix | 1 - 1 file changed, 1 deletion(-) 
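Review bot: After this revert, the comment block in nixos/desktop/default.nix says the fix "should be done in package build phase" but does not say where. Nothing next to `services.gnome.gnome-keyring.enable = true;` shows that the SSH agent is actually disabled. I would add `# The ssh-agent component is dropped by the gnome-keyring override in overlays/default.nix (removes --enable-ssh-agent)` so that a reader does not bring back the stock package by removing the overlay. The sentence "gnome-keyring enables pam.sshAgentAuth" is also worth rechecking against the module source, since the same hunk states that disabling that option did not change the behaviour.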
diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index 94c26443..c12c7d8e 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -92,7 +92,6 @@ evince # document viewer gnome-calendar gnome-music # does not support flac by defaults - gnome-online-accounts # See GH-1015 ]; # I need gnome-keyring to use gnome-online-accounts even though recommended to be uninstalled by gnupg. pass-secret families didn't work on goa. See GH-1034 and GH-1036