diff --git a/Containerfile b/Containerfile index 500db9eeb46..d47e011624d 100644 --- a/Containerfile +++ b/Containerfile @@ -173,7 +173,7 @@ RUN /tmp/bat.sh RUN /tmp/delta.sh ### add 1password -COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh +#COPY --from=ghcr.io/briorg/bling:latest /modules/bling/installers/1password.sh /tmp/1password.sh RUN chmod +x /tmp/1password.sh && \ ONEPASSWORD_RELEASE_CHANNEL=beta \ GID_ONEPASSWORD=1500 \ diff --git a/scripts/1password.sh b/scripts/1password.sh index 81864cc5423..943b2f569a2 100755 --- a/scripts/1password.sh +++ b/scripts/1password.sh @@ -1,6 +1,17 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash -set -e +set -ouex pipefail + +#### Variables + +# Can be "beta" or "stable" +RELEASE_CHANNEL="${ONEPASSWORD_RELEASE_CHANNEL:-stable}" + +# Must be over 1000 +GID_ONEPASSWORD="${GID_ONEPASSWORD:-1500}" + +# Must be over 1000 +GID_ONEPASSWORDCLI="${GID_ONEPASSWORDCLI:-1600}" echo "Installing 1Password" @@ -12,14 +23,26 @@ echo "Installing 1Password" # symbolic link /opt/1Password => /usr/lib/1Password upon # boot. -ONEPASSWORD_RPM='https://downloads.1password.com/linux/rpm/beta/x86_64/1password-latest.rpm' - # Prepare staging directory mkdir -p /var/opt # -p just in case it exists # for some reason... -# Now let's install the package. -rpm-ostree install "${ONEPASSWORD_RPM}" +# Setup repo +cat << EOF > /etc/yum.repos.d/1password.repo +[1password] +name=1Password ${RELEASE_CHANNEL^} Channel +baseurl=https://downloads.1password.com/linux/rpm/${RELEASE_CHANNEL}/\$basearch +enabled=1 +gpgcheck=1 +repo_gpgcheck=1 +gpgkey=https://downloads.1password.com/linux/keys/1password.asc +EOF + +# Import signing key +rpm --import https://downloads.1password.com/linux/keys/1password.asc + +# Now let's install the packages. +rpm-ostree install 1password 1password-cli # Clean up the yum repo (updates are baked into new images) rm /etc/yum.repos.d/1password.repo -f 
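Review bot: In the Containerfile hunk, the `RUN chmod +x /tmp/1password.sh && \` step that follows the commented-out COPY still expects the script at /tmp/1password.sh, and nothing visible in the hunk puts it there any more. Presumably scripts/1password.sh is copied in by an earlier instruction outside this hunk; if so, delete the dead line rather than commenting it out and replace it with a short pointer such as `# 1password.sh is provided by scripts/ in this repository`. That also makes it clear the build no longer executes an installer pulled from an unpinned `:latest` image tag.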
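Review bot: In the first hunk of scripts/1password.sh, the new variable block documents constraints ("beta" or "stable", "Must be over 1000") that nothing enforces. `RELEASE_CHANNEL` is interpolated into the repo `baseurl` in the next hunk, and the two GIDs become the owning groups of setgid binaries further down. A typo in the build environment should therefore stop the build instead of yielding an unexpected repo path or a group ID that overlaps a system or regular user group. A validation block directly after the assignments would cover this; the rest of the script lies outside this hunk.

```shell
# Can be "beta" or "stable"
RELEASE_CHANNEL="${ONEPASSWORD_RELEASE_CHANNEL:-stable}"
case "${RELEASE_CHANNEL}" in
  beta | stable) ;;
  *)
    echo "ONEPASSWORD_RELEASE_CHANNEL must be 'beta' or 'stable'" >&2
    exit 1
    ;;
esac

# … unchanged: GID_ONEPASSWORD and GID_ONEPASSWORDCLI defaults …

# Reject anything that is not a plain integer above the regular-user GID range start
for gid in "${GID_ONEPASSWORD}" "${GID_ONEPASSWORDCLI}"; do
  if ! [[ "${gid}" =~ ^[1-9][0-9]*$ ]] || ((gid <= 1000)); then
    echo "1Password group IDs must be integers over 1000, got '${gid}'" >&2
    exit 1
  fi
done
```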
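Review bot: In the repo-setup hunk of scripts/1password.sh, the signing key is fetched from the same host as the packages, both through `gpgkey=` and through `rpm --import`, and is trusted without being compared to a known fingerprint. `gpgcheck=1` and `repo_gpgcheck=1` then only prove that the packages match whatever key that host served during this build. Consider downloading the key once, checking its fingerprint against a value recorded in this repository, and importing the local copy. The sketch below assumes curl and gpg are available in the build image, which the hunk does not show, and it uses a placeholder for the fingerprint.

```shell
# Import signing key only after it matches the fingerprint recorded in this repo.
# <PINNED_KEY_FINGERPRINT> is a placeholder; fill in the value published by the vendor.
KEY_FILE="$(mktemp)"
curl -fsSL -o "${KEY_FILE}" https://downloads.1password.com/linux/keys/1password.asc
gpg --show-keys --with-colons "${KEY_FILE}" \
  | grep '^fpr:.*:<PINNED_KEY_FINGERPRINT>:$' >/dev/null
rpm --import "${KEY_FILE}"
rm -f -- "${KEY_FILE}"

# … unchanged: rpm-ostree install and repo cleanup …
```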
@@ -55,8 +78,6 @@ chmod 4755 /usr/lib/1Password/chrome-sandbox # conflict with any real groups on the deployed system. # Normal user group GIDs on Fedora are sequential starting # at 1000, so let's skip ahead and set to something higher. -GID_ONEPASSWORD="1500" -GID_ONEPASSWORDCLI="1600" HELPER_PATH="/usr/lib/1Password/1Password-KeyringHelper" BROWSER_SUPPORT_PATH="/usr/lib/1Password/1Password-BrowserSupport" @@ -72,38 +93,26 @@ chmod g+s "${HELPER_PATH}" chgrp "${GID_ONEPASSWORD}" "${BROWSER_SUPPORT_PATH}" chmod g+s "${BROWSER_SUPPORT_PATH}" -# Dynamically create the required group via sysusers.d +# onepassword-cli also needs its own group and setgid, like the other helpers. +chgrp "${GID_ONEPASSWORDCLI}" /usr/bin/op +chmod g+s /usr/bin/op + +# Dynamically create the required groups via sysusers.d # and set the GID based on the files we just chgrp'd cat >/usr/lib/sysusers.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf </usr/lib/tmpfiles.d/onepassword.conf </usr/lib/sysusers.d/onepassword-cli.conf <