From 979f1a6f0b6d180a1c6b70f2dd22650020068344 Mon Sep 17 00:00:00 2001
From: Andreas Zweili
Date: Fri, 4 Nov 2022 19:06:14 +0100
Subject: [PATCH] Encrypt the email secrets
---
 home-manager/desktop.nix | 1 -
 home-manager/software/email/default.nix | 37 --------------------
 modules/email/default.nix | 46 +++++++++++++++++++++++++
 scrts/personal_email.key.age | 31 +++++++++++++++++
 scrts/secrets.nix | 1 +
 systems/gwyn/default.nix | 1 +
 6 files changed, 79 insertions(+), 38 deletions(-)
 delete mode 100644 home-manager/software/email/default.nix
 create mode 100644 modules/email/default.nix
 create mode 100644 scrts/personal_email.key.age
diff --git a/home-manager/desktop.nix b/home-manager/desktop.nix
index b0b68f9..0829823 100644
--- a/home-manager/desktop.nix
+++ b/home-manager/desktop.nix
@@ -7,7 +7,6 @@
 "${inputs.self}/home-manager/software/czkawka"
 "${inputs.self}/home-manager/software/dunst"
 "${inputs.self}/home-manager/software/emacs"
- "${inputs.self}/home-manager/software/email"
 "${inputs.self}/home-manager/software/evince"
 "${inputs.self}/home-manager/software/fzf"
 "${inputs.self}/home-manager/software/git"
diff --git a/home-manager/software/email/default.nix b/home-manager/software/email/default.nix
deleted file mode 100644
index 8f4ae38..0000000
--- a/home-manager/software/email/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ ... }:
-{
- accounts.email.accounts."personal" = {
- address = "andreas@zweili.ch";
- realName = "Andreas Zweili";
- userName = "andreas@zweili.ch";
- primary = true;
- # TODO: encrypt with agenix
- passwordCommand = "cat /home/andreas/.nixos/secrets/passwords/personal_email.key";
- aliases = [
- "andreas.zweili@gmail.com"
- "andreas@2li.ch"
- ];
- msmtp.enable = true;
- mu.enable = true;
- offlineimap = {
- enable = true;
- extraConfig = {
- account = { autorefresh = 15; };
- local = { sync_deletes = true; };
- };
- };
- imap = {
- host = "mail.zweili.org";
- port = 993;
- tls.enable = true;
- };
- smtp = {
- host = "mail.zweili.org";
- port = 465;
- tls.enable = true;
- };
- };
- programs.mu.enable = true;
- programs.offlineimap.enable = true;
- programs.msmtp.enable = true;
-}
diff --git a/modules/email/default.nix b/modules/email/default.nix
new file mode 100644
index 0000000..40b2398
--- /dev/null
+++ b/modules/email/default.nix
@@ -0,0 +1,46 @@
+{ custom, inputs }: { config, ... }:
+{
+ age.secrets.personalEmailKey =
+ {
+ file = "${inputs.self}/scrts/personal_email.key.age";
+ mode = "600";
+ owner = custom.username;
+ group = "users";
+ };
+
+ home-manager.users.${custom.username} = {
+ accounts.email.accounts."personal" = {
+ address = "andreas@zweili.ch";
+ realName = "Andreas Zweili";
+ userName = "andreas@zweili.ch";
+ primary = true;
+ passwordCommand = "cat ${config.age.secrets.personalEmailKey.path}";
+ aliases = [
+ "andreas.zweili@gmail.com"
+ "andreas@2li.ch"
+ ];
+ msmtp.enable = true;
+ mu.enable = true;
+ offlineimap = {
+ enable = true;
+ extraConfig = {
+ account = { autorefresh = 15; };
+ local = { sync_deletes = true; };
+ };
+ };
+ imap = {
+ host = "mail.zweili.org";
+ port = 993;
+ tls.enable = true;
+ };
+ smtp = {
+ host = "mail.zweili.org";
+ port = 465;
+ tls.enable = true;
+ };
+ };
+ programs.mu.enable = true;
+ programs.offlineimap.enable = true;
+ programs.msmtp.enable = true;
+ };
+}
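Review bot: The password is only encrypted going forward; the plaintext file the removed `passwordCommand` read from (`/home/andreas/.nixos/secrets/passwords/personal_email.key`) is not touched here, and if it was ever tracked in this repository the value remains recoverable from history, so it should be rotated rather than just re-encrypted. In the new `age.secrets.personalEmailKey` block, `group = "users"` has no effect once `mode = "600"` restricts access to the owner; either drop it or state the intent on the mode line, e.g. `# owner-only: read by the user's offlineimap/msmtp through passwordCommand`. The decrypted file is readable by every process running as `custom.username`, which is the same exposure the old file had, just without plaintext in the checkout.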
diff --git a/scrts/personal_email.key.age b/scrts/personal_email.key.age new file mode 100644 index 0000000..a67f88e --- /dev/null +++ b/scrts/personal_email.key.age @@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-rsa 7S8lxw +V6036PaCKhBVJ/IDknAx9NAfUbkHgi3puse24+nQrI+zU6e6ayVI/etbji3Kn/5Q +r5nOHGMbgKQOxth/gy+ZklFeuKjD5TNLFrga7Jh3as96GH4hUD0sHlLOexXz7SLB +o73kiKONOVzMR338xHfI8L2vsUrL4fIUmb5aAOD1RwMJkfa+ubThErTrT824tKzp ++QSpl11cUs2IgjsznocMTC/vTMoTu5MlvUeh5iQfFtfLNLV8czyUwXPkn8lQK2Ep +3ELBy3mU5bHKeE2RKGbbzVZ1LXzXKufOy/U/V7SOH/Y9ZkRw7p67ykyAJq9J/Bgc +lt0Xg5h300ul5ZhTId9Ec+6gTyhrJ93C1Hq1JFtyXvWjgpE3XI0vyFBZ8VzCzPV8 +vGPwJiYEGRTpGWK0nFdHCC2s4PODfZTueCSycXvgmg+v5WMbZdLRwcgoH2TnMVuL +LESg9qyDtMSm+DRLOrmmlM/J53yzPUCVD/bCJt99Q4Nv79risckWXkMd5v6QhZ2U + +-> ssh-rsa Ws+JZA +OguhPBP9phPhKveo2d06OSpqde+xTBY53KbvWCHUnomQHf8h+pYFJKWPCLs4C6kz +6HZ8TujGo6kEpi0eFwk3AKRojVaicu8h/ks/zu/5ZO4vmTdh1AEBM3CwubnTJN5J +c/jc0pZO34J3J1Q84n0nDiHTXhd6vAzuPPW3nC9eAIPdlsjiVCL5NsRPchC+NqzE +wwr5aHXu9rfaqdumqi6VS9F3VfxtCyb3xnij9YBiuk57Y8agKd/SING1GIlKtOlb +Q+tcEW0AZs/DrzS/DmNGDGG4KRUlrcqbBLztgU/SsptIEdWSy2aYMyctkltgly4e +5v2QVwUO4vWRzxCOs3ky2mcWkjF5YAsngwO12kANGpWFgzKSHuIxq84QLLSMfVro +zhfiRDM20ejdznQnlusuonH5q9ch0gtbNGMt5qDNtSo0rytvWCdayTvBBb+XjSDr +StQDZkuGqW3OJiDO6jB9xaYoefxZyWoDVTF0zVCkaHZtZI+FvKrvNdg63D8JTFio + +-> ssh-ed25519 skmU/w f3CXnwxPd0EYnH47v5edS81yhHu95tROVPcwGQtfLiQ +2XzA7YpThQOj6qvADOCsSq+/C3lWbh8E5BH3Na05CN0 +-> ssh-ed25519 MpFwoA 6WyGoFcW1FQNOPMjh7EKlVnVVH26z7xwYT3WbePFZ2U +L97BTdJ0baPDWMWzH01gh760m1Ft7HzNSqjcelSfJOY +-> ssh-ed25519 KXqA9w AgScCBkFH1idk+pIzQ5ZmyFGATxwOGODXIN0SrjapyU +wDbYnfopVIt1IFOsHnodEHmjVnF8JWlk9ow8x0KQc3I +-> jJg-grease ,o0,V_,Y # +8dXYOAMc6HiaDQQldIMQJ2k +--- CYIwI6/JyZmHlBBDbZamOzqGHE7mZh7DJhBaExYQUko +.„î¢ÞŽJÆÀLJ¶×Y¡T»ÈXÛŠÆ ­ÇÍíî«Ñ QQœØRQ_¿áñ$õ¤á \ No newline at end of file diff --git a/scrts/secrets.nix b/scrts/secrets.nix index df891cf..70044b4 100644 --- a/scrts/secrets.nix +++ b/scrts/secrets.nix 
@@ -36,6 +36,7 @@ in
 "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
 "infomaniak_env.age".publicKeys = all;
 "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
+ "personal_email.key.age".publicKeys = defaultKeys;
 "plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
 "restic.key.age".publicKeys = all;
 "telegram_notify_env.age".publicKeys = all;
diff --git a/systems/gwyn/default.nix b/systems/gwyn/default.nix
index ca27726..caca1de 100644
--- a/systems/gwyn/default.nix
+++ b/systems/gwyn/default.nix
@@ -11,6 +11,7 @@
 (import "${inputs.self}/modules/desktop" { inherit custom inputs; })
 (import "${inputs.self}/modules/docker" { inherit custom; })
 (import "${inputs.self}/modules/droidcam" { inherit custom; })
+ (import "${inputs.self}/modules/email" { inherit custom inputs; })
 (import "${inputs.self}/modules/eog" { inherit custom; })
 (import "${inputs.self}/modules/espanso" { inherit custom; })
 "${inputs.self}/modules/lockscreen"
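Review bot: The new `"personal_email.key.age"` entry encrypts to `defaultKeys` alone, whereas the neighbouring host-bound secrets (`pihole_env.age`, `plex_claim.age`) add the consuming host explicitly with `defaultKeys ++ [ host ]`; this relies on gwyn's host key already being part of `defaultKeys`, which the hunk does not show. If it is not, `age.secrets.personalEmailKey` in `modules/email` cannot be decrypted during activation on gwyn. If `defaultKeys` does cover it, a short comment on the line, `# decrypted on gwyn, whose host key is in defaultKeys`, would make that visible next to the host-scoped entries.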