X-Git-Url: https://git.sev.monster/~sev/dotfiles.git/blobdiff_plain/1f8bf10667234911d96ec1f6c88b43d5b49f90f5..c51966c07c364efb607d48bdb84a78d0509c4cfe:/base/.zprofile diff --git a/base/.zprofile b/base/.zprofile index a129213..1abd5b5 100644 --- a/base/.zprofile +++ b/base/.zprofile @@ -1,5 +1,331 @@ -case "`uname`" in *BSD*) - mkdir -m 700 "/tmp/home-$LOGNAME" - unlink "$HOME/tmp" - ln -sFh "/tmp/home-$LOGNAME" "$HOME/tmp";; -esac +# NOTE: +# our .zprofile is expensive, so we keep track of what has been run already, +# and only set up what is necessary. additionally, we want to ensure that our +# environment is set up as early as possible, so we also source .zprofile in +# .zshenv for new non-login shells. +# +# these issues are handled by using these methods: +# * the parent shell that starts the user's session after logging in to some +# graphical environments may not be a login shell—due to misconfiguration +# or otherwise—which means .zprofile is not ran and the environment is not +# properly configured for any child processes. +# * some desktop environments/graphical terminal emulators will start new +# terminal windows with login shells, which runs .zprofile every time and +# leads to noticably slow startup times. +# * switching users without wiping the environment will result in paths and +# variables intended for the old user being used for the new user. while +# this may be considered an edge-case that should not be supported, there +# are legitimate reasons to want to do this, and in any case the shell +# should not choke or cause unexpected problems should it happen anyway. + +### lang +export CHARSET=UTF-8 +export LANG=en_US.UTF-8 +export LC_CTYPE=$LANG +### path +# NOTE: we utilize the fact that unique arrays keep the first occurrence and +# remove any further occurences to capture elements from the old PATH +# that we did not anticipate and shift them to the front, since they are +# probably important to the system +if [[ ! -v _sev_setup_path || -o login ]] { + typeset -U path fpath + # add as many generic paths as possible to keep the order we want + # NOTE: /usr/{local,pkg,games} are unix/bsdisms + syspath=("$path[@]") + path=({~,~/.local,,/usr,/opt,/usr/local,/usr/pkg}/sbin + {~,~/.local,,/usr,/opt,/usr/local,/usr/pkg}/bin + /usr/X11R{7,6}/bin /usr/games) + ((len=$#path)) + path=("$path[@]" "$syspath[@]") + # remove nonexistent and duplicate paths + for (( i = 1; i <= $#path; i++ )) { + if [[ ! -e $path[$i] ]] { + path[$i]=() + ((i <= len)) && ((len--)) + ((i--)) + continue + } + } + # shift valid system paths to the front if there are any left + ((len > 0 && len < $#path)) && path=("${(@)path[len + 1, -1]}" "${(@)path[1, len]}") + unset syspath len i j + # include our zsh dir in fpath. unlike above, we always prefer our paths + fpath=(${ZDOTDIR:-~/.zsh}/functions/{*,Completions/*}(N) "$fpath[@]") + # FPATH is not exported by default + export FPATH + typeset +U path fpath + export _sev_setup_path= +} + +### temp +# NOTE: it's intentional to separate POSIX tmp for each session (spec says +# programs should not expect data there to be long-lived) and to keep the +# same runtime dir and not create a new one if a new login shell is +# spawned, since the XDG spec calls for the same dir to be utilized for +# each "session". +if [[ ! -v _sev_setup_tmp ]] { + t=${TMPDIR:-${TEMP:-${TMP:-/tmp}}}/.home-$LOGNAME + h=~/tmp + [[ ! -e $t ]] && mkdir -pm700 $t 2>/dev/null + if [[ ! -d $t ]] { + [[ -o interactive ]] && + print -P "%F{red}!!! Can't create temp dir $t%f" + # fallback bare directories + [[ -h $h ]] && unlink $h 2>/dev/null + [[ ! -e $h ]] && mkdir -m700 $h 2>/dev/null + } + # [re-]create link to our tmp + [[ -h $h || ! -e $h ]] && ln -sfn $t $h 2>/dev/null + # finally create our subdir for this session + export _sev_tmp=$h/.session.$$ + # ensure dir doesn't exist. if there is already something there it is + # likely a stale directory or something is very broken—assume the former. + # the user could also want dirs recreated by unsetting the var. + if [[ -h $_sev_tmp ]] { + unlink $_sev_tmp 2>/dev/null + } elif [[ -e $_sev_tmp ]] { + rm -rf $_sev_tmp 2>/dev/null + } + mkdir -m700 $_sev_tmp 2>/dev/null + export TMPDIR=$_sev_tmp TEMP=$_sev_tmp TMP=$_sev_tmp + unset t h + export _sev_setup_tmp= +} + +### xdg +if [[ ! -v _sev_setup_xdg ]] { + # merge with any existing dirs and remove duplicates using unique arrays + # NOTE: include and then remove CONFIG_HOME and DATA_HOME to ensure they + # are not present in the array if it was added before we got to it + typeset -UT XDG_CONFIG_DIRS xdg_config_dirs + export XDG_CONFIG_HOME=~/etc + mkdir -p $XDG_CONFIG_HOME + xdg_config_dirs=($XDG_CONFIG_HOME ~/.config + {/opt,/usr/local,/usr/pkg,}/etc/xdg + "${XDG_CONFIG_DIRS:+${xdg_config_dirs[@]}}") + export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS#$XDG_CONFIG_HOME} + + typeset -UT XDG_DATA_DIRS xdg_data_dirs + export XDG_DATA_HOME=~/share + mkdir -p $XDG_DATA_HOME + xdg_data_dirs=($XDG_DATA_HOME ~/.local/share + /{opt,usr/local,usr/pkg,usr}/share + "${XDG_DATA_DIRS:+${xdg_data_dirs[@]}}") + export XDG_DATA_DIRS=${XDG_DATA_DIRS#$XDG_DATA_HOME} + + export XDG_STATE_HOME=~/var/lib + mkdir -p $XDG_STATE_HOME + + # use our custom tmp for cache and runtime + export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache + export XDG_RUNTIME_DIR=$_sev_tmp/.xdg.runtime + # create xdg tmp dirs + for x in $XDG_CACHE_HOME $XDG_RUNTIME_DIR; do + # same as in temp creation, ensure it doesn't exist + if [[ -h $x ]]; then + unlink $x 2>/dev/null + elif [[ -e $x ]]; then + rm -rf $x 2>/dev/null + fi + # XXX: cache does not have to be 700 according to spec + mkdir -m700 $x 2>/dev/null + done + + # source user dirs after other vars + [[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] && + emulate sh -c "source $XDG_CONFIG_HOME/user-dirs.dirs" + export _sev_setup_xdg= +} + +### gpg + ssh + forwarding +# NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is +# enabled, GPG must be forwarded manually over Unix socket. to support +# this, we forward the restricted gpg-agent extra socket to the remote +# host with a RemoteForward rule in ~/.ssh/config that uses the +# _GNUPG_SOCK_* env vars. to avoid conflicts with other ssh sessions +# where the same user is connecting to the same host from different +# machines, gpg in each environment should utilize its own forwarded +# socket, rather than replace the sockets in GNUPGHOME which will be +# overridden on the next connection. previously, you could provide a path +# to the agent socket in GPG_AGENT_INFO, but that was deprecated in GPG +# v2.1. instead, we must clone GNUPGHOME with links and replace the agent +# sockets there with the forwarded one. +# NOTE: since Unix sockets are not supported under Windows, this will not work +# under msys, cygwin, mingw, etc., but may work under wsl2. +# HACK: without SendEnv, which is disabled by default in most sshd configs, +# there is no foolproof way to prevent race conditions via filename +# collisions or to pass the desired forward path to the remote host +# environment. we just have to guess the path we choose is good on the +# desination, and assume the newest matching socket is the correct one +# after connecting. in theory, we could occlude the ssh binary on PATH +# with an alias or script that would allow us to communicate with the +# remote host before opening a shell, so that we can have the host +# communicate back to the client where it wants a socket created or ask +# the host if the path the client wants to use is writable. however, this +# would open up too many edge cases where it wouldn't work or be clunky +# (e.g. asking for password twice) to make it worth it. +if [[ ! -v _sev_setup_agents ]] { + export GNUPGHOME=~/etc/gnupg + + function _socketpath { + # dirs are percent-encoded: https://stackoverflow.com/a/64312099 + echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}} + } + + ## gpg forwarding + if [[ ! -v _sev_gpg_forwarded && -v commands[gpg] ]] { + export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward + export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM + export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT + export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward + # clean up forward dirs if its session is dead or we ask for it + if [[ -d $_sev_gpg_forward_dir ]] { + find $_sev_gpg_forward_dir -type d -mindepth 1 -maxdepth 1 | + while read -r x; do + # NOTE: the only way we can get here is if we have not been + # forwarded before or if the user asks for it. if our own + # pid already has a dir, it is most likely stale, or + # something is very broken—assume the former. + p=$(basename $x) + if [[ -v _sev_gpg_forward_clean || $$ == $p ]] || + ! kill -0 $p 2>/dev/null; then + find $x -mindepth 1 -maxdepth 1 | while read -r y; do + unlink $y + done + rmdir $x + fi + done + unset x p y + } + + # find our forwarded socket + s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1])) + if [[ -n $s && -v SSH_CLIENT ]] { + # create new forward dir + export _sev_gpg_forwarded= + mkdir -pm700 $_sev_gpg_forward_dir + h=$_sev_gpg_forward_dir/$$ + mkdir -pm700 $h + # XXX: is it safe to link scdaemon socket? can its name be changed? + for x in S.scdaemon gpg.conf gpg-agent.conf sshcontrol \ + pubring.kbx trustdb.gpg private-keys-v1.d crls.d; do + ln -s ${GNUPGHOME:-~/.gnupg}/$x $h + done + export GNUPGHOME=$h + unset h + for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do + x=$(_socketpath ${x/#agent-*socket:}) + if [[ ! -v orig ]] { + # move forwarded socket to first valid agent socket path + # XXX: if tmp is on different filesystem this may not work + mv $s $x + orig=$x + } else { + # make links to forwarded socket for any others + ln -s $orig $x + } + done + unset x orig + } + unset s + + # what we will forward if we start a new ssh connection + # NOTE: do this after setting up GNUPGHOME to pick up new socket path; + # if already connected over SSH, extra should be the remote one + export _GNUPG_SOCK_SRC=$(_socketpath \ + $(gpgconf --list-dirs agent-extra-socket)) + } else { + # required for RemoteForward to not error out if the vars are unset + [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent + [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent + } + + ## gpg agent + if [[ -v commands[gpg-connect-agent] ]] { + [[ -o interactive ]] && print -nP '%F{blue}>>>%f GPG agent: %F{green}' + gpg-connect-agent /bye >/dev/null 2>&1 + if [[ $? -ne 0 ]] { + [[ -o interactive ]] && + print -P '%F{red}Error communicating with GPG agent%f' + } elif [[ ! -v _sev_gpg_forward && ! -v GPG_TTY && + ( -o interactive || -v DISPLAY ) ]] { + # if we aren't forwarded, set up tty if it isn't and we're + # in an interactive session + export GPG_TTY=$(tty) + export PINENTRY_USER_DATA=USE_TTY=$((!${+DISPLAY})) + gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null 2>&1 + [[ -o interactive ]] && + print -P "Updated TTY%f" + } else { + [[ -o interactive ]] && + print -P 'Ready%f' + } + } + + ## ssh agent + # NOTE: preferred order of agents to check: okcagent, gnupg, openssh + # first block takes care of okcagent and openssh, second gnupg + [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}' + if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] || + ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] { + okc=${commands[okc-ssh-agent]:+okc-} + agentfile=~/tmp/${okc}ssh-agent-exports + typeset sock= + typeset -i pid= + if [[ -f $agentfile ]] { + IFS=$'\0' read -r sock pid <$agentfile + } + if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then + [[ -o interactive ]] && print -P "Reusing agent PID $pid%f" + export SSH_AUTH_SOCK=$sock + export SSH_AGENT_PID=$pid + else + e=${okc}ssh-agent + # TODO: ensure ssh-agent path looks legit to avoid unsafe eval? + # XXX: doesn't appear to be any other way to handle redirection. + # because eval needs to write to current scope environment + # subshells can't be used to capture output and print. + if [[ -o interactive ]] { + eval `$e` + print -nP '%f' + } else { + eval `$e` >/dev/null 2>&1 + } + echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$agentfile + fi + unset okc agentfile sock pid + } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] { + # since gpg agent was started above, we just have to export and notify + if [[ -o interactive ]] { + if [[ -v _sev_gpg_forwarded ]] { + echo 'Remote GPG agent' + } else { + gpg-connect-agent /subst /serverpid \ + '/echo GPG agent PID ${get serverpid}' /bye + } + print -nP '%f' + } + export SSH_AUTH_SOCK=$(_socketpath \ + $(gpgconf --list-dirs agent-ssh-socket)) + } elif [[ -v SSH_AUTH_SOCK ]] { + [[ -o interactive ]] && print -P 'Preconfigured agent%f' + } else { + [[ -o interactive ]] && print -P '%F{red}No agent available%f' + } + + ## cleanup + unfunction _socketpath + + export _sev_setup_agents= +} + +## perl local lib +# TODO: debounce this +[[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 ]] && + eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5 + -Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null) + +### load site-specific +if [[ -f ~/.zprofile.local ]] { source ~/.zprofile.local } + +# vim: et sts=4 sw=4 ts=8 tw=79