pkgs: add bw-pass

Until `rbw` gets support for Yubikey 2FA, I still need a decent way to
query for my passwords on the command line...

This wrapper program should be good enough for basic usage with programs
that need a password command.

pkgs/bw-pass/bw-pass

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+AUTO_LOCK=900 # 15min timeout by default
+
+usage() {
+    printf '%s\n' "Usage: bw-pass [directory name] <account name>" >&2
+}
+
+prompt_pass() {
+    rofi -dmenu -password -no-fixed-num-lines -p "$1"
+}
+
+error_out() {
+    rofi -dmenu -no-fixed-num-lines -p "$1"
+    exit 1
+}
+
+login() {
+    local PASSWORD
+    PASSWORD="$(prompt_pass "Password")" || error_out "Cannot prompt password"
+    export BW_SESSION
+    BW_SESSION="$(bw unlock "$PASSWORD" --raw)" || error_out "Cannot unlock"
+}
+
+ensure_logged_in() {
+    # Use the same keyring as bitwarden-rofi for this
+
+    local KEY_ID
+    keyctl link @u @s
+    if ! KEY_ID="$(keyctl request user bw_session 2>/dev/null)"; then
+        login
+        KEY_ID="$(keyctl add user bw_session "$BW_SESSION" @u)"
+    fi
+
+    if [ "$AUTO_LOCK" -gt 0 ]; then
+        keyctl timeout "$KEY_ID" "$AUTO_LOCK"
+    fi
+    export BW_SESSION
+    BW_SESSION="$(keyctl pipe "$KEY_ID")"
+    keyctl unlink @u @s
+}
+
+query_password() {
+    # Either use with `query_password <directory> <account name>
+    # Or `query_password <account name>` when the account has no directory
+
+    local FOLDER_ID
+    local PASSWORD
+
+    if [ $# -eq 2 ]; then
+        FOLDER_ID="$(bw list folders |
+            jq '.[] | select(.name == "'"$1"'") | .id' |
+            cut -d'"' -f2)"
+        shift
+    else
+        FOLDER_ID=null
+    fi
+    PASSWORD="$(bw list items --folderid "$FOLDER_ID" |
+        jq '.[] | select(.name == "'"$1"'") | .login.password' |
+        cut -d'"' -f2)"
+
+    if [ -z "$PASSWORD" ]; then
+        error_out "Did not find password for '$1'"
+    fi
+    printf '%s\n' "$PASSWORD"
+}
+
+if [ $# -lt 1  ] || [ $# -gt 2 ]; then
+    usage
+    exit 1
+fi
+
+ensure_logged_in
+query_password "$@"

pkgs/bw-pass/default.nix

@@ -0,0 +1,45 @@
+{ bitwarden-cli, coreutils, jq, keyutils, lib, makeWrapper, rofi, shellcheck, stdenvNoCC }:
+stdenvNoCC.mkDerivation rec {
+  pname = "bw-pass";
+  version = "0.1.0";
+
+  src = ./bw-pass;
+
+  phases = [ "buildPhase" "installPhase" "fixupPhase" ];
+
+  buildInputs = [
+    makeWrapper
+    shellcheck
+  ];
+
+  buildPhase = ''
+    shellcheck $src
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp $src $out/bin/${pname}
+    chmod a+x $out/bin/${pname}
+  '';
+
+  wrapperPath = lib.makeBinPath [
+    bitwarden-cli
+    coreutils
+    jq
+    keyutils
+    rofi
+  ];
+
+  fixupPhase = ''
+    patchShebangs $out/bin/${pname}
+    wrapProgram $out/bin/${pname} --prefix PATH : "${wrapperPath}"
+  '';
+
+  meta = with lib; {
+    description = "A simple script to query a password from bitwarden";
+    homepage = "https://gitea.belanyi.fr/ambroisie/nix-config";
+    license = with licenses; [ mit ];
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ ambroisie ];
+  };
+}

pkgs/default.nix

@@ -1,5 +1,7 @@
 { pkgs }:
 rec {
+  bw-pass = pkgs.callPackage ./bw-pass { };
+
   comma = pkgs.callPackage ./comma { };
 
   diff-flake = pkgs.callPackage ./diff-flake { };