From 784ac3fd221a477cccc168e90baea2a22509d7c2 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Sat, 11 Mar 2023 13:24:35 -0800 Subject: secrets: use homeage to manage secrets for home-manager Instead of using agenix for all the secrets, I can use homeage for secrets that are related to my user sessions. Secrets by default will be store under `~/.secrets'. They are encrypted using `age' and to decrypt them, a key is expected to be located under `~/.age/key.txt'. The last place where I was using `pass' (and so GPG too) was for the secrets for `mbsync': this change adds a secret for fastmail to the repository and update `mbsync' configuration to use it. --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 5 +++++ home/mail/accounts/default.nix | 13 ++++++++----- home/secrets/fastmail/imap.age | 5 +++++ nix/mkHomeManagerConfiguration.nix | 8 ++++++++ 5 files changed, 47 insertions(+), 5 deletions(-) create mode 100644 home/secrets/fastmail/imap.age diff --git a/flake.lock b/flake.lock index 97d2059..3fb2155 100644 --- a/flake.lock +++ b/flake.lock @@ -168,6 +168,26 @@ "type": "github" } }, + "homeage": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1669234151, + "narHash": "sha256-TwT87E3m2TZLgwYJESlype14HxUOrRGojPM5C2akrMg=", + "owner": "jordanisaacs", + "repo": "homeage", + "rev": "02bfe4ca06962d222e522fff0240c93946b20278", + "type": "github" + }, + "original": { + "owner": "jordanisaacs", + "repo": "homeage", + "type": "github" + } + }, "naersk": { "inputs": { "nixpkgs": "nixpkgs_2" @@ -282,6 +302,7 @@ "emacs-overlay": "emacs-overlay", "futils": "futils", "home-manager": "home-manager", + "homeage": "homeage", "naersk": "naersk", "nixpkgs": "nixpkgs_3", "nur": "nur", diff --git a/flake.nix b/flake.nix index d82a782..f08ceb7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -33,6 +33,11 @@ }; }; + homeage = { + url = "github:jordanisaacs/homeage"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + rust = { url = "github:oxalica/rust-overlay"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/home/mail/accounts/default.nix b/home/mail/accounts/default.nix index 5ebba2c..de735b5 100644 --- a/home/mail/accounts/default.nix +++ b/home/mail/accounts/default.nix @@ -1,8 +1,14 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, self, ... }: let cfg = config.my.home.mail; in { config = lib.mkIf cfg.enable { + # to replace the secret go to + # https://app.fastmail.com/settings/security/devicekeys + homeage.file."fastmail-imap" = { + source = "${self}/home/secrets/fastmail/imap.age"; + }; + accounts.email = { accounts = { Fastmail = rec { @@ -11,7 +17,7 @@ in userName = address; realName = "Franck Cuny"; aliases = [ "franck.cuny@gmail.com" ]; - passwordCommand = "pass email/imap.fastmail.com"; + passwordCommand = "${pkgs.coreutils}/bin/cat '${config.homeage.mount}/fastmail-imap'"; imap.host = "imap.fastmail.com"; smtp.host = "smtp.fastmail.com"; mbsync = { @@ -66,9 +72,6 @@ in Unit = { Description = "mbsync synchronization"; }; Service = { Type = "oneshot"; - Environment = [ - "PASSWORD_STORE_DIR=${config.programs.password-store.settings.PASSWORD_STORE_DIR}" - ]; ExecStartPre = [ "${pkgs.notmuch}/bin/notmuch tag '-inbox' 'tag:inbox AND tag:archive'" "${pkgs.afew}/bin/afew -m -v --notmuch-config=${config.xdg.configHome}/notmuch/default/config" diff --git a/home/secrets/fastmail/imap.age b/home/secrets/fastmail/imap.age new file mode 100644 index 0000000..07dfdd1 --- /dev/null +++ b/home/secrets/fastmail/imap.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> X25519 f/Opj/dLP20YsybwZwwfCBRcb4wWVSMv4P9tuVQUNDA +9xBaFHWpO15X2nt1urk5f59K5x7oRHxIi5q7B8UvM+Q +--- huYSJRJfQnxoHH5APR9tm+NS/xtyw56bRImLdcwiY3Q +xk>w:lR+i[oVZL? \ No newline at end of file 
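Review bot: The plaintext that `passwordCommand` reads from `${config.homeage.mount}/fastmail-imap` is written to disk by homeage at activation, and the `homeage.file."fastmail-imap"` declaration in the first default.nix hunk leaves its permissions to the module's default; if homeage exposes a per-file `mode` option, pin it explicitly, e.g. `mode = "0400";`, so the decrypted IMAP password is never readable by other accounts on the host. The comment above that declaration says where to rotate the credential but not how to re-encrypt it for the repository; extend it with the recipient used, e.g. `# re-encrypt with: age -r <RECIPIENT_PUBKEY> -o imap.age` (placeholder). The third hunk's removal of `PASSWORD_STORE_DIR` from the mbsync service environment is consistent with dropping pass, but the `accounts.email.accounts.Fastmail` set and the systemd `Service` block both start and end outside the quoted hunks.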
diff --git a/nix/mkHomeManagerConfiguration.nix b/nix/mkHomeManagerConfiguration.nix index cdd25bd..fc98c7c 100644 --- a/nix/mkHomeManagerConfiguration.nix +++ b/nix/mkHomeManagerConfiguration.nix @@ -18,9 +18,17 @@ inputs.home-manager.lib.homeManagerConfiguration { homeDirectory = "/home/${username}"; stateVersion = stateVersion; }; + homeage = { + identityPaths = [ "~/.age/key.txt" ]; + installationType = "activation"; + mount = "/home/${username}/.secrets"; + }; + imports = [ inputs.homeage.homeManagerModules.homeage ]; } ]; + extraSpecialArgs = { inherit inputs self; }; + pkgs = import inputs.nixpkgs { inherit system; config.allowUnfree = true; -- cgit 1.4.1
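Review bot: `mount = "/home/${username}/.secrets"` places the decrypted secrets on the persistent home filesystem, so plaintext credentials survive reboots and land in any backup of `$HOME`; if that is intended, document it on the option, otherwise prefer a runtime directory under `/run/user` (tmpfs) or homeage's default, and derive the path from the same `homeDirectory` value set a few lines above rather than repeating `/home/${username}`. `identityPaths = [ "~/.age/key.txt" ]` relies on homeage expanding `~` and on the key existing before activation; a comment such as `# bootstrap: the age identity must be present at ~/.age/key.txt before the first activation, otherwise decryption fails` would make the first-run requirement explicit. `extraSpecialArgs = { inherit inputs self; }` assumes `self` is a parameter of this function, whose header is outside the hunk.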