]> git.sev.monster Git - dotfiles.git/blame_incremental - base/.zprofile
flatten setopt in zshrc
[dotfiles.git] / base / .zprofile
... / ...
CommitLineData
1# NOTE:
2# our .zprofile is expensive, so we keep track of what has been run already,
3# and only set up what is necessary. additionally, we want to ensure that our
4# environment is set up as early as possible, so we also source .zprofile in
5# .zshenv for new non-login shells.
6#
7# these issues are handled by using these methods:
8# * the parent shell that starts the user's session after logging in to some
9# graphical environments may not be a login shell—due to misconfiguration
10# or otherwise—which means .zprofile is not ran and the environment is not
11# properly configured for any child processes.
12# * some desktop environments/graphical terminal emulators will start new
13# terminal windows with login shells, which runs .zprofile every time and
14# leads to noticably slow startup times.
15# * switching users without wiping the environment will result in paths and
16# variables intended for the old user being used for the new user. while
17# this may be considered an edge-case that should not be supported, there
18# are legitimate reasons to want to do this, and in any case the shell
19# should not choke or cause unexpected problems should it happen anyway.
20
21### cleanup
22# XXX: only call after relevant vars have been set up, defined early so that
23# below code can utilize it after they do so
24function _sev_zcleanup {
25 ## gpg forwarding
26 if [[ -d $_sev_gpg_forward_dir && ( -z $1 || $1 == 'gpg-forward' ) ]] {
27 # clean up forward dirs if its session is dead or we ask for it
28 find $_sev_gpg_forward_dir -mindepth 1 -maxdepth 1 -type d |
29 while {read -r x} {
30 # NOTE: the only way we can get here is if we have not been
31 # forwarded before, if the user asks for it, or during
32 # logout. if our own pid already has a dir, it is most likely
33 # stale, the user wants it removed, or something is very
34 # broken—in all 3 of these cases the best choice is remove it.
35 p=$(basename $x)
36 if {[[ -v _sev_gpg_forward_clean || $$ == $p ]] ||
37 ! kill -0 $p 2>/dev/null} {
38 find $x -mindepth 1 -maxdepth 1 | while {read -r y} {
39 # XXX: real dirs will stop unlink, consider it a feature
40 unlink $y
41 }
42 # don't force in case something important is still there
43 rmdir $x
44 }
45 }
46 # reset GNUPGHOME if we removed our own dir
47 if [[ $GNUPGHOME =~ '/.ssh_forward/\d+/*$' && ! -e $GNUPGHOME ]]
48 GNUPGHOME=${GNUPGHOME%$MATCH}
49 }
50
51 ## tmp
52 # NOTE: _sev_tmp is not unset so session dirs will not be recreated
53 # NOTE: XDG dirs that use our tmp are not unset here, they are in zlogout
54 if [[ -d $_sev_tmp && ( -z $1 || $1 == 'tmp' ) ]] {
55 # clean up tmp dirs if its session is dead or we ask for it
56 find $_sev_tmp -mindepth 1 -maxdepth 1 -name '.session.*' -type d |
57 while {read -r x} {
58 # NOTE: same rationale as above
59 p=${$(basename $x)#.session.}
60 if {[[ -v _sev_tmp_clean || $$ == $p ]] ||
61 ! kill -0 $p 2>/dev/null} {
62 rm -rf $x
63 }
64 }
65 }
66
67 unset x p y
68}
69
70### lang
71export CHARSET=${CHARSET:-UTF-8}
72export LANG=${LANG:-en_US.UTF-8}
73export LC_CTYPE=${LC_TYPE:-$LANG}
74
75### path
76# NOTE: we utilize the fact that unique arrays keep the first occurrence and
77# remove any further occurences to capture elements from the old PATH
78# that we did not anticipate and shift them to the front, since they are
79# probably important to the system
80if [[ ! -v _sev_setup_path || -o login ]] {
81 typeset -U path fpath
82 # add as many generic paths as possible to keep the order we want
83 # NOTE: /usr/{local,pkg,games} are unix/bsdisms
84 # XXX: PREFIX not validated, non-posix but Termux uses it
85 syspath=("$path[@]")
86 path=({~,~/.local,{$PREFIX,}{,/opt,/usr{,/local,pkg}}}/sbin
87 {~,~/.local,{$PREFIX,}{,/opt,/usr{,/local,pkg}}}/bin
88 /usr/{X11R{7,6}/bin,games})
89 ((len=$#path))
90 path=("$path[@]" "$syspath[@]")
91 # remove nonexistent and duplicate paths
92 for (( i = 1; i <= $#path; i++ )) {
93 if [[ ! -e $path[$i] ]] {
94 path[$i]=()
95 ((i <= len)) && ((len--))
96 ((i--))
97 continue
98 }
99 }
100 # shift valid system paths to the front if there are any left
101 ((len > 0 && len < $#path)) && path=("${(@)path[len + 1, -1]}" "${(@)path[1, len]}")
102 unset syspath len i j
103 # include our zsh dir in fpath. unlike above, we always prefer our paths
104 fpath=(${ZDOTDIR:-~/.zsh}/functions/{*,Completions/*}(N) "$fpath[@]")
105 # FPATH is not exported by default
106 export FPATH
107 typeset +U path fpath
108 export _sev_setup_path=
109}
110
111### tmp
112# NOTE: specs say that POSIX tmp and XDG runtime directories should exist
113# until the last session is logged out (POSIX can exist for longer).
114# since we can't reliably keep track of sessions in a cross-platform
115# manner, the current implementation should use a separate directory per
116# toplevel session (i.e. SHLVL=1). this should placate most applications,
117# though it is not expressly spec compliant.
118if [[ ! -v _sev_tmp ]] {
119 _sev_tmp=~/tmp
120 # create personal tmp dir
121 t=${TMPDIR:-${TEMP:-${TMP:-/tmp}}}/.home-$LOGNAME
122 [[ ! -e $t ]] && mkdir -m700 $t 2>/dev/null
123 if [[ ! -d $t ]] {
124 [[ -o interactive ]] &&
125 print -P "%F{red}!!! Can't create tmpdir $t%f"
126 # fallback bare directories
127 [[ -h $_sev_tmp ]] && unlink $_sev_tmp 2>/dev/null
128 [[ ! -e $_sev_tmp ]] && mkdir -m700 $_sev_tmp 2>/dev/null
129 }
130 # link home tmp for convenience if there isn't anything meaningful there
131 [[ -h $_sev_tmp || ! -e $_sev_tmp ]] && ln -sfn $t $_sev_tmp 2>/dev/null
132 export _sev_tmp=$(realpath $_sev_tmp)
133 # ensure dir is clean
134 _sev_zcleanup tmp
135 # finally create our subdir for this session
136 h=$_sev_tmp/.session.$$
137 mkdir -m700 $h 2>/dev/null
138 export TMPDIR=$h TEMP=$h TMP=$h
139 unset t h
140}
141
142### xdg
143if [[ ! -v _sev_setup_xdg ]] {
144 # merge with any existing dirs and remove duplicates using unique arrays
145 # NOTE: include and then remove CONFIG_HOME and DATA_HOME to ensure they
146 # are not present in the array if it was added before we got to it
147 typeset -UT XDG_CONFIG_DIRS xdg_config_dirs
148 export XDG_CONFIG_HOME=~/etc
149 mkdir $XDG_CONFIG_HOME 2>/dev/null
150 xdg_config_dirs=($XDG_CONFIG_HOME ~/.config
151 {/opt,/usr/local,/usr/pkg,}/etc/xdg
152 "${XDG_CONFIG_DIRS:+${xdg_config_dirs[@]}}")
153 export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS#$XDG_CONFIG_HOME}
154
155 typeset -UT XDG_DATA_DIRS xdg_data_dirs
156 export XDG_DATA_HOME=~/share
157 mkdir $XDG_DATA_HOME 2>/dev/null
158 xdg_data_dirs=($XDG_DATA_HOME ~/.local/share
159 /{opt,usr/local,usr/pkg,usr}/share
160 "${XDG_DATA_DIRS:+${xdg_data_dirs[@]}}")
161 export XDG_DATA_DIRS=${XDG_DATA_DIRS#$XDG_DATA_HOME}
162
163 mkdir ~/var 2>/dev/null
164 export XDG_STATE_HOME=~/var/lib
165 mkdir $XDG_STATE_HOME 2>/dev/null
166
167 if [[ -v _sev_tmp ]] {
168 export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache
169 mkdir $XDG_CACHE_HOME 2>/dev/null
170
171 export XDG_RUNTIME_DIR=$TMPDIR/.xdg.runtime
172 # same as in tmpdir creation, ensure it doesn't exist
173 if [[ -h $XDG_RUNTIME_DIR ]]; then
174 unlink $XDG_RUNTIME_DIR 2>/dev/null
175 elif [[ -e $XDG_RUNTIME_DIR ]]; then
176 rm -rf $XDG_RUNTIME_DIR 2>/dev/null
177 fi
178 mkdir -m700 $XDG_RUNTIME_DIR 2>/dev/null
179 }
180
181 # source user dirs after other vars
182 [[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] &&
183 emulate sh -c "source $XDG_CONFIG_HOME/user-dirs.dirs"
184 export _sev_setup_xdg=
185}
186
187### dbus
188if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] {
189 eval $(dbus-launch)
190 export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID
191}
192
193### gpg home
194if [[ ! -v GNUPGHOME ]] {
195 export GNUPGHOME=~/etc/gnupg
196 if [[ -d ~/.gnupg ]] {
197 mv ~/.gnupg ~/etc/gnupg
198 }
199}
200
201### gpg agent + forwarding
202# NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is
203# enabled, GPG must be forwarded manually over Unix socket. to support
204# this, we forward the restricted gpg-agent extra socket to the remote
205# host with a RemoteForward rule in ~/.ssh/config that uses the
206# _GNUPG_SOCK_* env vars. to avoid conflicts with other ssh sessions
207# where the same user is connecting to the same host from different
208# machines, gpg in each environment should utilize its own forwarded
209# socket, rather than replace the sockets in GNUPGHOME which will be
210# overridden on the next connection. previously, you could provide a path
211# to the agent socket in GPG_AGENT_INFO, but that was deprecated in GPG
212# v2.1. instead, we must clone GNUPGHOME with links and replace the agent
213# sockets there with the forwarded one.
214# NOTE: since Unix sockets are not supported under Windows, this will not work
215# under msys, cygwin, mingw, etc., but may work under wsl2.
216# HACK: without SendEnv, which is disabled by default in most sshd configs,
217# there is no foolproof way to prevent race conditions via filename
218# collisions or to pass the desired forward path to the remote host
219# environment. we just have to guess the path we choose is good on the
220# desination, and assume the newest matching socket is the correct one
221# after connecting. in theory, we could occlude the ssh binary on PATH
222# with an alias or script that would allow us to communicate with the
223# remote host before opening a shell, so that we can have the host
224# communicate back to the client where it wants a socket created or ask
225# the host if the path the client wants to use is writable. however, this
226# would open up too many edge cases where it wouldn't work or be clunky
227# (e.g. asking for password twice) to make it worth it.
228function _gpg_socketpath {
229 # dirs are percent-encoded: https://stackoverflow.com/a/64312099
230 echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
231}
232if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] {
233 export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
234 export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
235 export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
236 export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward
237 _sev_zcleanup gpg-forward
238
239 # find our forwarded socket
240 s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
241 if [[ -n $s && -v SSH_CLIENT ]] {
242 # create new forward dir
243 export _sev_setup_gpg_forward=
244 h=$_sev_gpg_forward_dir/$$
245 mkdir -pm700 $h
246 # XXX: is it safe to link scdaemon socket? can its name be changed?
247 for x (S.scdaemon gpg.conf gpg-agent.conf sshcontrol random_seed
248 pubring.kbx{,~} trustdb.gpg private-keys-v1.d crls.d) {
249 ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
250 }
251 export GNUPGHOME=$h
252 unset h
253 for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do
254 x=$(_gpg_socketpath ${x/#agent-*socket:})
255 if [[ ! -v orig ]] {
256 # move forwarded socket to first valid agent socket path
257 # XXX: if tmp is on different filesystem this may not work
258 mv $s $x
259 orig=$x
260 } else {
261 # make links to forwarded socket for any others
262 ln -s $orig $x
263 }
264 done
265 unset x orig
266 }
267 unset s
268
269 # what we will forward if we start a new ssh connection
270 # NOTE: do this after setting up GNUPGHOME to pick up new socket path;
271 # if already connected over SSH, extra should be the remote one
272 export _GNUPG_SOCK_SRC=$(_gpg_socketpath \
273 $(gpgconf --list-dirs agent-extra-socket))
274} elif [[ ! -v _sev_setup_gpg_forward ]] {
275 # required for RemoteForward to not error out if the vars are unset
276 [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
277 [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
278}
279
280### gpg agent
281if [[ -v commands[gpg-connect-agent] && ( ! -v _sev_setup_gpgagent ||
282 ( -v _sev_first_display && -z $_sev_first_display ) ) ]] {
283 # avoid printing if we have already set up tty before
284 [[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true || p=false
285 if {$p} {
286 print -nP '%F{blue}>>>%f GPG: '
287 if [[ -v _sev_setup_gpg_forward ]] {
288 print -nP '%F{yellow}Forwarded agent '
289 } else {
290 print -nP '%F{green}Agent '
291 }
292 }
293 gpg-connect-agent /bye >/dev/null 2>&1
294 if [[ $? -ne 0 ]] {
295 $p && print -P '%F{red}communication error'
296 } else {
297 if [[ ! -v _sev_setup_gpg_forward ]] {
298 if [[ ${+GPG_TTY} -eq 0 && -o interactive ]]
299 export GPG_TTY=$(tty)
300 if [[ ( -v DISPLAY || -v WAYLAND_DISPLAY ) &&
301 ${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]]
302 export PINENTRY_USER_DATA=USE_TTY=$((
303 ${+DISPLAY} + ${+WAYLAND_DISPLAY} == 0))
304 # XXX: don't know if gpg-agent supports comments after directives
305 # XXX: path could have #
306 sed -Ei 's#^([[:space:]]*pinentry-program[[:space:]]).*$#\1'${commands[pinentry]:-/dev/null}'#' \
307 ${GNUPGHOME:-~/.gnupg}/gpg-agent.conf
308 # XXX: could check for changes before doing this to save perf
309 gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1
310 if {$p} {
311 gpg-connect-agent /subst /serverpid \
312 "/echo pid \${get serverpid} on $GPG_TTY" /bye 2>/dev/null
313 print -nP '%f'
314 }
315 } elif {$p} {
316 print -P '%f'
317 }
318 export _sev_setup_gpgagent=
319 }
320 unset p
321}
322
323### ssh agent
324if [[ ! -v _sev_setup_ssh ]] {
325 # NOTE: preferred order of agents to check: okcagent, gnupg, openssh
326 # first block takes care of okcagent and openssh, second gnupg
327 # XXX: doesn't actually check if ssh is enabled in gpg
328 [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
329 if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] ||
330 ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
331 okc=${commands[okc-ssh-agent]:+okc-}
332 t=${_sev_tmp:-${TMPDIR:-${TEMP:-${TMP:-/tmp}}}}
333 e=$t/${okc}ssh-agent-exports
334 typeset sock=
335 typeset -i pid=
336 if [[ -f $e ]] {
337 IFS=$'\0' read -r sock pid <$e
338 }
339 if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then
340 [[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
341 export SSH_AUTH_SOCK=$sock
342 export SSH_AGENT_PID=$pid
343 else
344 e='TMPDIR=$t ${okc}ssh-agent'
345 # TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
346 # XXX: doesn't appear to be any other way to handle redirection.
347 # because eval needs to write to current scope environment
348 # subshells can't be used to capture output and print.
349 if [[ -o interactive ]] {
350 eval $(eval $=e)
351 print -nP '%f'
352 } else {
353 eval $(eval $=e) >/dev/null 2>&1
354 }
355 echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e
356 fi
357 unset okc t e sock pid
358 } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
359 # since gpg should have been started above, just export and notify
360 if [[ -o interactive ]] {
361 if [[ -v _sev_setup_gpg_forward ]] {
362 echo 'Forwarded GPG agent'
363 } else {
364 gpg-connect-agent /subst /serverpid \
365 '/echo GPG agent pid ${get serverpid}' /bye
366 }
367 print -nP '%f'
368 }
369 export SSH_AUTH_SOCK=$(_gpg_socketpath \
370 $(gpgconf --list-dirs agent-ssh-socket))
371 } elif [[ -v SSH_AUTH_SOCK ]] {
372 [[ -o interactive ]] && print -P 'Preconfigured agent%f'
373 } else {
374 [[ -o interactive ]] && print -P '%F{red}No agent available%f'
375 }
376
377 export _sev_setup_ssh=
378}
379unfunction _gpg_socketpath
380
381### perl local lib
382[[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 &&
383 ! -v PERL_LOCAL_LIB_ROOT ]] &&
384 eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5 \
385 -Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null)
386
387
388### load site-specific
389if [[ -f ~/.zprofile.local ]] { source ~/.zprofile.local }
390
391# vim: et sts=4 sw=4 ts=8 tw=79
This page took 0.031866 seconds and 4 git commands to generate.