X-Git-Url: https://git.sev.monster/~sev/dotfiles.git/blobdiff_plain/c7e3e126ca2bfe463d344260b73b8c044e203ea0..49c6c14fed5169940a4a0f0e37f2e2567358feb2:/base/.zprofile diff --git a/base/.zprofile b/base/.zprofile index 1131a98..2a26dbb 100644 --- a/base/.zprofile +++ b/base/.zprofile @@ -18,10 +18,60 @@ # are legitimate reasons to want to do this, and in any case the shell # should not choke or cause unexpected problems should it happen anyway. +### cleanup +# XXX: only call after relevant vars have been set up, defined early so that +# below code can utilize it after they do so +function _sev_zcleanup { + ## gpg forwarding + if [[ -d $_sev_gpg_forward_dir && ( -z $1 || $1 == 'gpg-forward' ) ]] { + # clean up forward dirs if its session is dead or we ask for it + find $_sev_gpg_forward_dir -mindepth 1 -maxdepth 1 -type d | + while {read -r x} { + # NOTE: the only way we can get here is if we have not been + # forwarded before, if the user asks for it, or during + # logout. if our own pid already has a dir, it is most likely + # stale, the user wants it removed, or something is very + # broken—in all 3 of these cases the best choice is remove it. + p=$(basename $x) + if {[[ -v _sev_gpg_forward_clean || $$ == $p ]] || + ! kill -0 $p 2>/dev/null} { + find $x -mindepth 1 -maxdepth 1 | while {read -r y} { + # XXX: real dirs will stop unlink, consider it a feature + unlink $y + } + # don't force in case something important is still there + rmdir $x + } + } + # reset GNUPGHOME if we removed our own dir + if [[ $GNUPGHOME =~ '/.ssh_forward/\d+/*$' && ! -e $GNUPGHOME ]] + GNUPGHOME=${GNUPGHOME%$MATCH} + } + + ## tmp + # NOTE: _sev_tmp is not unset so session dirs will not be recreated + # NOTE: XDG dirs that use our tmp are not unset here, they are in zlogout + if [[ -d $_sev_tmp && ( -z $1 || $1 == 'tmp' ) ]] { + # clean up tmp dirs if its session is dead or we ask for it + find $_sev_tmp -mindepth 1 -maxdepth 1 -name '.session.*' -type d | + while {read -r x} { + # NOTE: same rationale as above + p=${$(basename $x)#.session.} + if {[[ -v _sev_tmp_clean || $$ == $p ]] || + ! kill -0 $p 2>/dev/null} { + rm -rf $x + } + } + } + + unset x p y +} + ### lang -export CHARSET=UTF-8 -export LANG=en_US.UTF-8 -export LC_CTYPE=$LANG +export CHARSET=${CHARSET:-UTF-8} +export LANG=${LANG:-en_US.UTF-8} +export LC_CTYPE=${LC_TYPE:-$LANG} + ### path # NOTE: we utilize the fact that unique arrays keep the first occurrence and # remove any further occurences to capture elements from the old PATH @@ -31,9 +81,12 @@ if [[ ! -v _sev_setup_path || -o login ]] { typeset -U path fpath # add as many generic paths as possible to keep the order we want # NOTE: /usr/{local,pkg,games} are unix/bsdisms + # XXX: PREFIX not validated, non-posix but Termux uses it syspath=("$path[@]") - path=({~/,/,/usr/}sbin /opt/{s,}bin /usr/local/{s,}bin /usr/pkg/{s,}bin - /usr/X11R{7,6}/bin /usr/games {~/,/,/usr/}bin) + path=(~/{s,}bin + {~/.local,{$PREFIX,}{,/opt,/usr{,/local,pkg}}}/sbin + {~/.local,{$PREFIX,}{,/opt,/usr{,/local,pkg}}}/bin + /usr/{X11R{7,6}/bin,games}) ((len=$#path)) path=("$path[@]" "$syspath[@]") # remove nonexistent and duplicate paths @@ -47,7 +100,7 @@ if [[ ! -v _sev_setup_path || -o login ]] { } # shift valid system paths to the front if there are any left ((len > 0 && len < $#path)) && path=("${(@)path[len + 1, -1]}" "${(@)path[1, len]}") - unset syspath len i j + unset syspath len i # include our zsh dir in fpath. unlike above, we always prefer our paths fpath=(${ZDOTDIR:-~/.zsh}/functions/{*,Completions/*}(N) "$fpath[@]") # FPATH is not exported by default @@ -56,39 +109,35 @@ if [[ ! -v _sev_setup_path || -o login ]] { export _sev_setup_path= } -### temp -# NOTE: it's intentional to separate POSIX tmp for each session (spec says -# programs should not expect data there to be long-lived) and to keep the -# same runtime dir and not create a new one if a new login shell is -# spawned, since the XDG spec calls for the same dir to be utilized for -# each "session". -if [[ ! -v _sev_setup_tmp ]] { +### tmp +# NOTE: specs say that POSIX tmp and XDG runtime directories should exist +# until the last session is logged out (POSIX can exist for longer). +# since we can't reliably keep track of sessions in a cross-platform +# manner, the current implementation should use a separate directory per +# toplevel session (i.e. SHLVL=1). this should placate most applications, +# though it is not expressly spec compliant. +if [[ ! -v _sev_tmp ]] { + _sev_tmp=~/tmp + # create personal tmp dir t=${TMPDIR:-${TEMP:-${TMP:-/tmp}}}/.home-$LOGNAME - h=~/tmp - [[ ! -e $t ]] && mkdir -pm700 $t 2>/dev/null + [[ ! -e $t ]] && mkdir -m700 $t 2>/dev/null if [[ ! -d $t ]] { [[ -o interactive ]] && - print -P "%F{red}!!! Can't create temp dir $t%f" + print -P "%F{red}!!! Can't create tmpdir $t%f" # fallback bare directories - [[ -h $h ]] && unlink $h 2>/dev/null - [[ ! -e $h ]] && mkdir -m700 $h 2>/dev/null + [[ -h $_sev_tmp ]] && unlink $_sev_tmp 2>/dev/null + [[ ! -e $_sev_tmp ]] && mkdir -m700 $_sev_tmp 2>/dev/null } - # [re-]create link to our tmp - [[ -h $h || ! -e $h ]] && ln -sfn $t $h 2>/dev/null + # link home tmp for convenience if there isn't anything meaningful there + [[ -h $_sev_tmp || ! -e $_sev_tmp ]] && ln -sfn $t $_sev_tmp 2>/dev/null + export _sev_tmp=$(realpath $_sev_tmp) + # ensure dir is clean + _sev_zcleanup tmp # finally create our subdir for this session - export _sev_tmp=$h/.session.$$ - # ensure dir doesn't exist. if there is already something there it is - # likely a stale directory or something is very broken—assume the former. - # the user could also want dirs recreated by unsetting the var. - if [[ -h $_sev_tmp ]] { - unlink $_sev_tmp 2>/dev/null - } elif [[ -e $_sev_tmp ]] { - rm -rf $_sev_tmp 2>/dev/null - } - mkdir -m700 $_sev_tmp 2>/dev/null - export TMPDIR=$_sev_tmp TEMP=$_sev_tmp TMP=$_sev_tmp + h=$_sev_tmp/.session.$$ + mkdir -m700 $h 2>/dev/null + export TMPDIR=$h TEMP=$h TMP=$h unset t h - export _sev_setup_tmp= } ### xdg @@ -97,37 +146,60 @@ if [[ ! -v _sev_setup_xdg ]] { # NOTE: include and then remove CONFIG_HOME and DATA_HOME to ensure they # are not present in the array if it was added before we got to it typeset -UT XDG_CONFIG_DIRS xdg_config_dirs - typeset -UT XDG_DATA_DIRS xdg_data_dirs - export XDG_CONFIG_HOME=$HOME/etc - xdg_config_dirs=($XDG_CONFIG_HOME $HOME/.config + export XDG_CONFIG_HOME=~/etc + mkdir $XDG_CONFIG_HOME 2>/dev/null + xdg_config_dirs=($XDG_CONFIG_HOME ~/.config {/opt,/usr/local,/usr/pkg,}/etc/xdg "${XDG_CONFIG_DIRS:+${xdg_config_dirs[@]}}") export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS#$XDG_CONFIG_HOME} - export XDG_DATA_HOME=$HOME/share - xdg_data_dirs=($XDG_DATA_HOME $HOME/.local/share + + typeset -UT XDG_DATA_DIRS xdg_data_dirs + export XDG_DATA_HOME=~/share + mkdir $XDG_DATA_HOME 2>/dev/null + xdg_data_dirs=($XDG_DATA_HOME ~/.local/share /{opt,usr/local,usr/pkg,usr}/share "${XDG_DATA_DIRS:+${xdg_data_dirs[@]}}") export XDG_DATA_DIRS=${XDG_DATA_DIRS#$XDG_DATA_HOME} - # use our custom tmp for cache and runtime - export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache - export XDG_RUNTIME_DIR=$_sev_tmp/.xdg.runtime - # create xdg tmp dirs - for x in $XDG_CACHE_HOME $XDG_RUNTIME_DIR; do - # same as in temp creation, ensure it doesn't exist - if [[ -h $x ]]; then - unlink $x 2>/dev/null - elif [[ -e $x ]]; then - rm -rf $x 2>/dev/null + + mkdir ~/var 2>/dev/null + export XDG_STATE_HOME=~/var/lib + mkdir $XDG_STATE_HOME 2>/dev/null + + if [[ -v _sev_tmp ]] { + export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache + mkdir $XDG_CACHE_HOME 2>/dev/null + + export XDG_RUNTIME_DIR=$TMPDIR/.xdg.runtime + # same as in tmpdir creation, ensure it doesn't exist + if [[ -h $XDG_RUNTIME_DIR ]]; then + unlink $XDG_RUNTIME_DIR 2>/dev/null + elif [[ -e $XDG_RUNTIME_DIR ]]; then + rm -rf $XDG_RUNTIME_DIR 2>/dev/null fi - mkdir -m700 $x 2>/dev/null - done + mkdir -m700 $XDG_RUNTIME_DIR 2>/dev/null + } + # source user dirs after other vars [[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] && emulate sh -c "source $XDG_CONFIG_HOME/user-dirs.dirs" export _sev_setup_xdg= } -### gpg + ssh + forwarding +### dbus +if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] { + eval $(dbus-launch) + export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID +} + +### gpg home +if [[ ! -v GNUPGHOME ]] { + export GNUPGHOME=~/etc/gnupg + if [[ -d ~/.gnupg ]] { + mv ~/.gnupg ~/etc/gnupg + } +} + +### gpg agent + forwarding # NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is # enabled, GPG must be forwarded manually over Unix socket. to support # this, we forward the restricted gpg-agent extra socket to the remote @@ -154,146 +226,148 @@ if [[ ! -v _sev_setup_xdg ]] { # the host if the path the client wants to use is writable. however, this # would open up too many edge cases where it wouldn't work or be clunky # (e.g. asking for password twice) to make it worth it. -if [[ ! -v _sev_setup_agents ]] { - function _socketpath { - # dirs are percent-encoded: https://stackoverflow.com/a/64312099 - echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}} - } - - ## gpg forwarding - if [[ ! -v _sev_gpg_forwarded && -v commands[gpg] ]] { - export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward - export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM - export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT - export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward - # clean up forward dirs if its session is dead or we ask for it - if [[ -d $_sev_gpg_forward_dir ]] { - find $_sev_gpg_forward_dir -type d -mindepth 1 -maxdepth 1 | - while read -r x; do - # NOTE: the only way we can get here is if we have not been - # forwarded before or if the user asks for it. if our own - # pid already has a dir, it is most likely stale, or - # something is very broken—assume the former. - p=$(basename $x) - if [[ -v _sev_gpg_forward_clean || $$ == $p ]] || - ! kill -0 $p 2>/dev/null; then - find $x -mindepth 1 -maxdepth 1 | while read -r y; do - unlink $y - done - rmdir $x - fi - done - unset x p y - } +function _gpg_socketpath { + # dirs are percent-encoded: https://stackoverflow.com/a/64312099 + echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}} +} +if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] { + export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward + export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM + export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT + export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward + _sev_zcleanup gpg-forward - # find our forwarded socket - s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1])) - if [[ -n $s && -v SSH_CLIENT ]] { - # create new forward dir - export _sev_gpg_forwarded= - mkdir -pm700 $_sev_gpg_forward_dir - h=$_sev_gpg_forward_dir/$$ - mkdir -pm700 $h - # XXX: is it safe to link scdaemon socket? can its name be changed? - for x in S.scdaemon gpg.conf gpg-agent.conf sshcontrol \ - pubring.kbx trustdb.gpg private-keys-v1.d crls.d; do - ln -s ${GNUPGHOME:-~/.gnupg}/$x $h - done - export GNUPGHOME=$h - unset h - for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do - x=$(_socketpath ${x/#agent-*socket:}) - if [[ ! -v orig ]] { - # move forwarded socket to first valid agent socket path - # XXX: if tmp is on different filesystem this may not work - mv $s $x - orig=$x - } else { - # make links to forwarded socket for any others - ln -s $orig $x - } - done - unset x orig + # find our forwarded socket + s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1])) + if [[ -n $s && -v SSH_CLIENT ]] { + # create new forward dir + export _sev_setup_gpg_forward= + h=$_sev_gpg_forward_dir/$$ + mkdir -pm700 $h + # XXX: is it safe to link scdaemon socket? can its name be changed? + for x (S.scdaemon gpg.conf gpg-agent.conf sshcontrol random_seed + pubring.kbx{,~} trustdb.gpg private-keys-v1.d crls.d) { + ln -s ${GNUPGHOME:-~/.gnupg}/$x $h } - unset s - - # what we will forward if we start a new ssh connection - # NOTE: do this after setting up GNUPGHOME to pick up new socket path; - # if already connected over SSH, extra should be the remote one - export _GNUPG_SOCK_SRC=$(_socketpath \ - $(gpgconf --list-dirs agent-extra-socket)) - } else { - # required for RemoteForward to not error out if the vars are unset - [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent - [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent + export GNUPGHOME=$h + unset h + for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do + x=$(_gpg_socketpath ${x/#agent-*socket:}) + if [[ ! -v orig ]] { + # move forwarded socket to first valid agent socket path + # XXX: if tmp is on different filesystem this may not work + mv $s $x + orig=$x + } else { + # make links to forwarded socket for any others + ln -s $orig $x + } + done + unset x orig } + unset s + + # what we will forward if we start a new ssh connection + # NOTE: do this after setting up GNUPGHOME to pick up new socket path; + # if already connected over SSH, extra should be the remote one + export _GNUPG_SOCK_SRC=$(_gpg_socketpath \ + $(gpgconf --list-dirs agent-extra-socket)) +} elif [[ ! -v _sev_setup_gpg_forward ]] { + # required for RemoteForward to not error out if the vars are unset + [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent + [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent +} - ## gpg agent - if [[ -v commands[gpg-connect-agent] ]] { - [[ -o interactive ]] && print -nP '%F{blue}>>>%f GPG agent: %F{green}' - gpg-connect-agent /bye >/dev/null 2>&1 - if [[ $? -ne 0 ]] { - [[ -o interactive ]] && - print -P '%F{red}Error communicating with GPG agent%f' - } elif [[ ! -v _sev_gpg_forward && ! -v GPG_TTY && - ( -o interactive || -v DISPLAY ) ]] { - # if we aren't forwarded, set up tty if it isn't and we're - # in an interactive session - export GPG_TTY=$(tty) - export PINENTRY_USER_DATA=USE_TTY=$((!${+DISPLAY})) - gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null 2>&1 - [[ -o interactive ]] && - print -P "Updated TTY%f" +### gpg agent +if [[ -v commands[gpg-connect-agent] && ( ! -v _sev_setup_gpgagent || + ( -v _sev_first_display && -z $_sev_first_display ) ) ]] { + # avoid printing if we have already set up tty before + [[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true || p=false + if {$p} { + print -nP '%F{blue}>>>%f GPG: ' + if [[ -v _sev_setup_gpg_forward ]] { + print -nP '%F{yellow}Forwarded agent ' } else { - [[ -o interactive ]] && - print -P 'Ready%f' + print -nP '%F{green}Agent ' + } + } + gpg-connect-agent /bye >/dev/null 2>&1 + if [[ $? -ne 0 ]] { + $p && print -P '%F{red}communication error' + } else { + if [[ ! -v _sev_setup_gpg_forward ]] { + if [[ ${+GPG_TTY} -eq 0 && -o interactive ]] + export GPG_TTY=$(tty) + if [[ ( -v DISPLAY || -v WAYLAND_DISPLAY ) && + ${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]] + export PINENTRY_USER_DATA=USE_TTY=$(( + ${+DISPLAY} + ${+WAYLAND_DISPLAY} == 0)) + # XXX: don't know if gpg-agent supports comments after directives + # XXX: path could have # + sed -Ei 's#^([[:space:]]*pinentry-program[[:space:]]).*$#\1'${commands[pinentry]:-/dev/null}'#' \ + ${GNUPGHOME:-~/.gnupg}/gpg-agent.conf + # XXX: could check for changes before doing this to save perf + gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1 + if {$p} { + gpg-connect-agent /subst /serverpid \ + "/echo pid \${get serverpid} on $GPG_TTY" /bye 2>/dev/null + print -nP '%f' + } + } elif {$p} { + print -P '%f' } + export _sev_setup_gpgagent= } + unset p +} - ## ssh agent +### ssh agent +if [[ ! -v _sev_setup_ssh ]] { # NOTE: preferred order of agents to check: okcagent, gnupg, openssh # first block takes care of okcagent and openssh, second gnupg + # XXX: doesn't actually check if ssh is enabled in gpg [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}' if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] || ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] { okc=${commands[okc-ssh-agent]:+okc-} - agentfile=~/tmp/${okc}ssh-agent-exports + e=$_sev_tmp/${okc}ssh-agent-exports typeset sock= typeset -i pid= - if [[ -f $agentfile ]] { - IFS=$'\0' read -r sock pid <$agentfile + if [[ -f $e ]] { + IFS=$'\0' read -r sock pid <$e } if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then [[ -o interactive ]] && print -P "Reusing agent PID $pid%f" export SSH_AUTH_SOCK=$sock export SSH_AGENT_PID=$pid else - e=${okc}ssh-agent # TODO: ensure ssh-agent path looks legit to avoid unsafe eval? # XXX: doesn't appear to be any other way to handle redirection. # because eval needs to write to current scope environment # subshells can't be used to capture output and print. + c='TMPDIR=$_sev_tmp ${okc}ssh-agent' if [[ -o interactive ]] { - eval `$e` + eval $(eval $=c) print -nP '%f' } else { - eval `$e` >/dev/null 2>&1 + eval $(eval $=c) >/dev/null 2>&1 } - echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$agentfile + echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e + unset c fi - unset okc agentfile sock pid + unset okc e sock pid } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] { - # since gpg agent was started above, we just have to export and notify + # since gpg should have been started above, just export and notify if [[ -o interactive ]] { - if [[ -v _sev_gpg_forwarded ]] { - echo 'Remote GPG agent' + if [[ -v _sev_setup_gpg_forward ]] { + echo 'Forwarded GPG agent' } else { gpg-connect-agent /subst /serverpid \ - '/echo GPG agent PID ${get serverpid}' /bye + '/echo GPG agent pid ${get serverpid}' /bye } print -nP '%f' } - export SSH_AUTH_SOCK=$(_socketpath \ + export SSH_AUTH_SOCK=$(_gpg_socketpath \ $(gpgconf --list-dirs agent-ssh-socket)) } elif [[ -v SSH_AUTH_SOCK ]] { [[ -o interactive ]] && print -P 'Preconfigured agent%f' @@ -301,18 +375,17 @@ if [[ ! -v _sev_setup_agents ]] { [[ -o interactive ]] && print -P '%F{red}No agent available%f' } - ## cleanup - unfunction _socketpath - - export _sev_setup_agents= + export _sev_setup_ssh= } +unfunction _gpg_socketpath -## perl local lib -# TODO: debounce this -[[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 ]] && - eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5 +### perl local lib +[[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 && + ! -v PERL_LOCAL_LIB_ROOT ]] && + eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5 \ -Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null) + ### load site-specific if [[ -f ~/.zprofile.local ]] { source ~/.zprofile.local }