Encrypt the email secrets

2022-11-04 19:06:14 +01:00 · 2022-11-04 19:06:14 +01:00 · 979f1a6f0b
parent 97a32af14d
commit 979f1a6f0b
6 changed files with 79 additions and 38 deletions
--- a/home-manager/desktop.nix
+++ b/home-manager/desktop.nix
@ -7,7 +7,6 @@
    "${inputs.self}/home-manager/software/czkawka"
    "${inputs.self}/home-manager/software/dunst"
    "${inputs.self}/home-manager/software/emacs"
-    "${inputs.self}/home-manager/software/email"
    "${inputs.self}/home-manager/software/evince"
    "${inputs.self}/home-manager/software/fzf"
    "${inputs.self}/home-manager/software/git"
--- a/home-manager/software/email/default.nix
+++ b/home-manager/software/email/default.nix
@ -1,37 +0,0 @@
-{ ... }:
-{
-  accounts.email.accounts."personal" = {
-    address = "andreas@zweili.ch";
-    realName = "Andreas Zweili";
-    userName = "andreas@zweili.ch";
-    primary = true;
-    # TODO: encrypt with agenix
-    passwordCommand = "cat /home/andreas/.nixos/secrets/passwords/personal_email.key";
-    aliases = [
-      "andreas.zweili@gmail.com"
-      "andreas@2li.ch"
-    ];
-    msmtp.enable = true;
-    mu.enable = true;
-    offlineimap = {
-      enable = true;
-      extraConfig = {
-        account = { autorefresh = 15; };
-        local = { sync_deletes = true; };
-      };
-    };
-    imap = {
-      host = "mail.zweili.org";
-      port = 993;
-      tls.enable = true;
-    };
-    smtp = {
-      host = "mail.zweili.org";
-      port = 465;
-      tls.enable = true;
-    };
-  };
-  programs.mu.enable = true;
-  programs.offlineimap.enable = true;
-  programs.msmtp.enable = true;
-}
--- a/modules/email/default.nix
+++ b/modules/email/default.nix
@ -0,0 +1,46 @@
+{ custom, inputs }: { config, ... }:
+{
+  age.secrets.personalEmailKey =
+    {
+      file = "${inputs.self}/scrts/personal_email.key.age";
+      mode = "600";
+      owner = custom.username;
+      group = "users";
+    };
+
+  home-manager.users.${custom.username} = {
+    accounts.email.accounts."personal" = {
+      address = "andreas@zweili.ch";
+      realName = "Andreas Zweili";
+      userName = "andreas@zweili.ch";
+      primary = true;
+      passwordCommand = "cat ${config.age.secrets.personalEmailKey.path}";
+      aliases = [
+        "andreas.zweili@gmail.com"
+        "andreas@2li.ch"
+      ];
+      msmtp.enable = true;
+      mu.enable = true;
+      offlineimap = {
+        enable = true;
+        extraConfig = {
+          account = { autorefresh = 15; };
+          local = { sync_deletes = true; };
+        };
+      };
+      imap = {
+        host = "mail.zweili.org";
+        port = 993;
+        tls.enable = true;
+      };
+      smtp = {
+        host = "mail.zweili.org";
+        port = 465;
+        tls.enable = true;
+      };
+    };
+    programs.mu.enable = true;
+    programs.offlineimap.enable = true;
+    programs.msmtp.enable = true;
+  };
+}
--- a/scrts/personal_email.key.age
+++ b/scrts/personal_email.key.age
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-rsa 7S8lxw
+V6036PaCKhBVJ/IDknAx9NAfUbkHgi3puse24+nQrI+zU6e6ayVI/etbji3Kn/5Q
+r5nOHGMbgKQOxth/gy+ZklFeuKjD5TNLFrga7Jh3as96GH4hUD0sHlLOexXz7SLB
+o73kiKONOVzMR338xHfI8L2vsUrL4fIUmb5aAOD1RwMJkfa+ubThErTrT824tKzp
+QSpl11cUs2IgjsznocMTC/vTMoTu5MlvUeh5iQfFtfLNLV8czyUwXPkn8lQK2Ep
+3ELBy3mU5bHKeE2RKGbbzVZ1LXzXKufOy/U/V7SOH/Y9ZkRw7p67ykyAJq9J/Bgc
+lt0Xg5h300ul5ZhTId9Ec+6gTyhrJ93C1Hq1JFtyXvWjgpE3XI0vyFBZ8VzCzPV8
+vGPwJiYEGRTpGWK0nFdHCC2s4PODfZTueCSycXvgmg+v5WMbZdLRwcgoH2TnMVuL
+LESg9qyDtMSm+DRLOrmmlM/J53yzPUCVD/bCJt99Q4Nv79risckWXkMd5v6QhZ2U
+
+-> ssh-rsa Ws+JZA
+OguhPBP9phPhKveo2d06OSpqde+xTBY53KbvWCHUnomQHf8h+pYFJKWPCLs4C6kz
+6HZ8TujGo6kEpi0eFwk3AKRojVaicu8h/ks/zu/5ZO4vmTdh1AEBM3CwubnTJN5J
+c/jc0pZO34J3J1Q84n0nDiHTXhd6vAzuPPW3nC9eAIPdlsjiVCL5NsRPchC+NqzE
+wwr5aHXu9rfaqdumqi6VS9F3VfxtCyb3xnij9YBiuk57Y8agKd/SING1GIlKtOlb
+Q+tcEW0AZs/DrzS/DmNGDGG4KRUlrcqbBLztgU/SsptIEdWSy2aYMyctkltgly4e
+5v2QVwUO4vWRzxCOs3ky2mcWkjF5YAsngwO12kANGpWFgzKSHuIxq84QLLSMfVro
+zhfiRDM20ejdznQnlusuonH5q9ch0gtbNGMt5qDNtSo0rytvWCdayTvBBb+XjSDr
+StQDZkuGqW3OJiDO6jB9xaYoefxZyWoDVTF0zVCkaHZtZI+FvKrvNdg63D8JTFio
+
+-> ssh-ed25519 skmU/w f3CXnwxPd0EYnH47v5edS81yhHu95tROVPcwGQtfLiQ
+2XzA7YpThQOj6qvADOCsSq+/C3lWbh8E5BH3Na05CN0
+-> ssh-ed25519 MpFwoA 6WyGoFcW1FQNOPMjh7EKlVnVVH26z7xwYT3WbePFZ2U
+L97BTdJ0baPDWMWzH01gh760m1Ft7HzNSqjcelSfJOY
+-> ssh-ed25519 KXqA9w AgScCBkFH1idk+pIzQ5ZmyFGATxwOGODXIN0SrjapyU
+wDbYnfopVIt1IFOsHnodEHmjVnF8JWlk9ow8x0KQc3I
+-> jJg-grease ,o0,V_,Y #
+8dXYOAMc6HiaDQQldIMQJ2k
+--- CYIwI6/JyZmHlBBDbZamOzqGHE7mZh7DJhBaExYQUko
+.<2E>｢ﾞ捌ﾆﾀﾇ<EFBE80>ﾗY｡TｻﾈXﾛ竿<EFBE9B>ｭﾇﾍ濵ｫﾑ
QQ憙RQ_ｿ碵$<24><>
--- a/scrts/secrets.nix
+++ b/scrts/secrets.nix
@ -36,6 +36,7 @@ in
  "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
  "infomaniak_env.age".publicKeys = all;
  "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
+  "personal_email.key.age".publicKeys = defaultKeys;
  "plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
  "restic.key.age".publicKeys = all;
  "telegram_notify_env.age".publicKeys = all;
--- a/systems/gwyn/default.nix
+++ b/systems/gwyn/default.nix
@ -11,6 +11,7 @@
    (import "${inputs.self}/modules/desktop" { inherit custom inputs; })
    (import "${inputs.self}/modules/docker" { inherit custom; })
    (import "${inputs.self}/modules/droidcam" { inherit custom; })
+    (import "${inputs.self}/modules/email" { inherit custom inputs; })
    (import "${inputs.self}/modules/eog" { inherit custom; })
    (import "${inputs.self}/modules/espanso" { inherit custom; })
    "${inputs.self}/modules/lockscreen"