From b72274ab06b4c160fc8d3afe8e2d67863c893a58 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 3 Apr 2022 15:12:16 -0700
Subject: home-manager: add `isTrusted`

Install and configure some programs only on trusted machines. On trusted machines, my mails, GPG and a few other things are configured. A machine where this is not needed on a regular basis to get things done don't need that much information. Also rename `desktop/trust` to `trusted`, in case we want these packages on a host that is not a desktop, and `trusted` is a better description.
---
users/fcuny/trusted/default.nix | 10 +++++
users/fcuny/trusted/email.nix | 70 ++++++++++++++++++++++++++++++++
users/fcuny/trusted/git-pass-mapping.ini | 9 ++++
users/fcuny/trusted/git.nix | 8 ++++
users/fcuny/trusted/pass.nix | 35 ++++++++++++++++
users/fcuny/trusted/pgp.nix | 17 ++++++++
6 files changed, 149 insertions(+)
create mode 100644 users/fcuny/trusted/default.nix
create mode 100644 users/fcuny/trusted/email.nix
create mode 100644 users/fcuny/trusted/git-pass-mapping.ini
create mode 100644 users/fcuny/trusted/git.nix
create mode 100644 users/fcuny/trusted/pass.nix
create mode 100644 users/fcuny/trusted/pgp.nix
(limited to 'users/fcuny/trusted')
diff --git a/users/fcuny/trusted/default.nix b/users/fcuny/trusted/default.nix
new file mode 100644
index 0000000..575d3e6
--- /dev/null
+++ b/users/fcuny/trusted/default.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ./email.nix
+ ./git.nix
+ ./pass.nix
+ ./pgp.nix
+ ];
+}
diff --git a/users/fcuny/trusted/email.nix b/users/fcuny/trusted/email.nix
new file mode 100644
index 0000000..3bb6bd2
--- /dev/null
+++ b/users/fcuny/trusted/email.nix
@@ -0,0 +1,70 @@
+{ pkgs, config, lib, ... }:
+
+{
+ accounts.email = {
+ maildirBasePath = "${config.home.homeDirectory}/.mail";
+ accounts = {
+ Fastmail = rec {
+ primary = true;
+ address = "franck@fcuny.net";
+ userName = address;
+ realName = "Franck Cuny";
+ aliases = [ "franck.cuny@gmail.com" ];
+ passwordCommand = "pass email/imap.fastmail.com";
+ imap.host = "imap.fastmail.com";
+ mbsync = {
+ enable = true;
+ create = "maildir";
+ expunge = "both";
+ extraConfig.channel.CopyArrivalDate = "yes";
+ };
+ notmuch.enable = true;
+ };
+ };
+ };
+
+ programs.mbsync.enable = true;
+
+ programs.afew = {
+ enable = true;
+ extraConfig = ''
+ [SpamFilter]
+ [KillThreadsFilter]
+ [ArchiveSentMailsFilter]
+ [InboxFilter]
+ '';
+ };
+
+ programs.notmuch = {
+ enable = true;
+ maildir.synchronizeFlags = true;
+ new.tags = [ "unread" "inbox" ];
+ new.ignore = [ "Trash" ];
+ search.excludeTags = [ "spam" "deleted" ];
+ hooks = {
+ postNew = "${config.home.profileDirectory}/bin/afew -v --tag --new";
+ };
+ };
+
+ systemd.user.services.mbsync = {
+ Unit = { Description = "mbsync synchronization"; };
+ Service = {
+ Type = "oneshot";
+ Environment = [
+ "PASSWORD_STORE_DIR=${config.programs.password-store.settings.PASSWORD_STORE_DIR}"
+ "NOTMUCH_CONFIG=${config.xdg.configHome}/notmuch/notmuchrc"
+ ];
+ ExecStart = "${pkgs.isync}/bin/mbsync -a";
+ ExecStartPost = "${pkgs.notmuch}/bin/notmuch new --quiet";
+ };
+ };
+
+ systemd.user.timers.mbsync = {
+ Unit = { Description = "mbsync synchronization"; };
+ Timer = {
+ OnBootSec = "30";
+ OnUnitActiveSec = "5m";
+ };
+ Install = { WantedBy = [ "timers.target" ]; };
+ };
+}
diff --git a/users/fcuny/trusted/git-pass-mapping.ini b/users/fcuny/trusted/git-pass-mapping.ini
new file mode 100644
index 0000000..5c5177b
--- /dev/null
+++ b/users/fcuny/trusted/git-pass-mapping.ini
@@ -0,0 +1,9 @@
+[DEFAULT]
+line_username=1
+skip_username=10
+
+[github.com/*]
+target=git/github.com
+
+[git.fcuny.net*]
+target=git/git.fcuny.net
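Review bot: `hooks.postNew` points at `${config.home.profileDirectory}/bin/afew`, while the mbsync unit further down in the same hunk uses store paths (`${pkgs.isync}/bin/mbsync`, `${pkgs.notmuch}/bin/notmuch`); the hook is what `ExecStartPost` ends up running through `notmuch new`, so it is the one part of the unit that depends on the profile being linked rather than on a pinned store path. `postNew = "${pkgs.afew}/bin/afew -v --tag --new";` makes it consistent with `ExecStart`. Separately, `expunge = "both"` on the Fastmail channel, driven by `mbsync -a` from a 5-minute timer, expunges deletions on both sides unattended; a comment on that line such as `# "both": messages deleted locally are expunged on the server as well` records that this is intentional.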
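Review bot: The `[git.fcuny.net*]` section is a bare host prefix, whereas `[github.com/*]` is anchored on the `/` between host and path; any URL whose host merely begins with `git.fcuny.net` would match the first pattern and be handed the `git/git.fcuny.net` entry. `[git.fcuny.net/*]` keeps both sections in the same shape and ties the credential to that exact host. This assumes pass-git-helper globs against `host/path`, which is what `useHttpPath = true` in pass.nix sets git up to pass it; verify against the helper's documented matching rules.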
diff --git a/users/fcuny/trusted/git.nix b/users/fcuny/trusted/git.nix
new file mode 100644
index 0000000..52607a3
--- /dev/null
+++ b/users/fcuny/trusted/git.nix
@@ -0,0 +1,8 @@
+{
+ programs.git = {
+ signing = {
+ signByDefault = true;
+ key = "23348B57F01D4234B5CFBA0923208AC01EB6EEA1";
+ };
+ };
+}
diff --git a/users/fcuny/trusted/pass.nix b/users/fcuny/trusted/pass.nix
new file mode 100644
index 0000000..a552318
--- /dev/null
+++ b/users/fcuny/trusted/pass.nix
@@ -0,0 +1,35 @@
+{ pkgs, config, ... }:
+
+{
+ programs.password-store = {
+ enable = true;
+ settings = {
+ PASSWORD_STORE_DIR = "${config.xdg.dataHome}/password-store";
+ PASSWORD_STORE_GENERATED_LENGTH = "30";
+ PASSWORD_STORE_CHARACTER_SET = "a-zA-Z0-9~!@#$%^&*()-_=+[]{};:,.<>?";
+ PASSWORD_STORE_KEY = config.programs.gpg.settings.default-key;
+ };
+ };
+
+ programs.git = {
+ signing = {
+ key = config.programs.gpg.settings.default-key;
+ signByDefault = true;
+ };
+ extraConfig = {
+ credential = {
+ helper = "${pkgs.gitAndTools.pass-git-helper}/bin/pass-git-helper";
+ useHttpPath = true;
+ };
+ };
+ };
+
+ xdg.configFile."pass-git-helper/git-pass-mapping.ini" = {
+ source = ./git-pass-mapping.ini;
+ };
+
+ services.password-store-sync.enable = true;
+
+ # Ensure the password store things are in the systemd session
+ systemd.user.sessionVariables = config.programs.password-store.settings;
+}
diff --git a/users/fcuny/trusted/pgp.nix b/users/fcuny/trusted/pgp.nix
new file mode 100644
index 0000000..79ed7dd
--- /dev/null
+++ b/users/fcuny/trusted/pgp.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.gpg-agent = {
+ enable = true;
+ enableSshSupport = true;
+ pinentryFlavor = "gnome3";
+ };
+
+ programs.gpg = {
+ enable = true;
+ settings = {
+ default-key = "23348B57F01D4234B5CFBA0923208AC01EB6EEA1";
+ };
+ };
+}
+
-- 
cgit 1.4.1
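Review bot: `programs.git.signing.key` is defined here as the literal fingerprint and again in pass.nix as `config.programs.gpg.settings.default-key`, which pgp.nix sets to the same literal; `signByDefault = true` is defined in both files as well. The module system merges these definitions only while the strings stay equal, so a later key rotation that updates pgp.nix but not this file fails at evaluation with a conflicting-definition error rather than quietly signing with either key — the duplication, not the current values, is the fragile part. Since pass.nix already carries the whole `signing` block, this file can be reduced to `key = config.programs.gpg.settings.default-key;` or dropped from the `imports` list in default.nix; either way the fingerprint should live in exactly one place.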
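Review bot: `PASSWORD_STORE_CHARACTER_SET` is consumed by `pass generate` as a tr(1) set, where a hyphen between two characters denotes a range, so the `)-_` inside `~!@#$%^&*()-_=+[]{};:,.<>?` expands to every byte from `)` (0x29) through `_` (0x5F) — backslash included — instead of the literal `-` and `_`, and the generated alphabet is wider than the line reads. Putting the hyphen last, `PASSWORD_STORE_CHARACTER_SET = "a-zA-Z0-9~!@#$%^&*()_=+[]{};:,.<>?-";`, yields exactly the set as written. A one-line comment above it, `# tr(1) character class: keep '-' last so it is not read as a range`, stops the next edit from reintroducing the range.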
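Review bot: `pinentryFlavor = "gnome3"` pins a GUI pinentry, but the commit message says this module was renamed from `desktop/trust` precisely so it can be used on a host that is not a desktop; on such a host every private-key use — including SSH authentication, which `enableSshSupport = true` routes through this agent — would stall waiting for a pinentry that cannot be displayed. `pinentryFlavor = lib.mkDefault "gnome3";` (`lib` is already in the argument set) lets a headless host override it with `curses` or `tty` without editing this file; alternatively keep the literal and note in default.nix that the module still assumes a desktop session. `default-key` here is also the same literal fingerprint that git.nix repeats; this file is the natural single owner of that value.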