authorsefidel <contact@sefidel.net>2023-02-15 23:24:03 +0900
committersefidel <contact@sefidel.net>2023-02-15 23:24:03 +0900
commit0512baf6dd03ea0e9ac5e74d81b530d75c40e5df (patch)
tree6ce0fba1d065a39be08bb7aa129ff8906942f04b
parent0d17dc7b7227e58e269140cbd488330dd62c09b2 (diff)
downloadnixrc-0512baf6dd03ea0e9ac5e74d81b530d75c40e5df.zip
feat(home/messaging): use sops for mail secret
-rw-r--r--home/.sops.yaml9
-rw-r--r--home/alpha/zach.nix3
-rw-r--r--home/default.nix3
-rw-r--r--home/kompakt/sefidel.nix3
-rw-r--r--home/profiles/base/default.nix4
-rw-r--r--home/profiles/messaging/default.nix6
-rw-r--r--home/secrets/secrets.yaml23
-rw-r--r--nixos/alpha/configuration.nix12
8 files changed, 45 insertions, 18 deletions
diff --git a/home/.sops.yaml b/home/.sops.yaml
new file mode 100644
index 0000000..7bfe113
--- /dev/null
+++ b/home/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+ - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f
+ - &host_kompakt e6a9ee28ea91e2dbf24d817d0c5936391be59DC0
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *sefidel
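Review bot: The `host_alpha` and `host_kompakt` anchors on lines 30–31 are declared but never referenced by the creation rule, so the file is encrypted to the single `*sefidel` PGP key only; this matches the lone `fp:` entry in home/secrets/secrets.yaml and leaves no second recipient if that key or its gnupg home is unavailable. Either drop the unused anchors or add them to the rule's `pgp:` list and re-encrypt with `sops updatekeys` so the intent is visible in the file. The `host_kompakt` value also mixes lower- and upper-case hex (`...1be59DC0`), which looks like a paste inconsistency worth normalizing before the anchor is ever used.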
diff --git a/home/alpha/zach.nix b/home/alpha/zach.nix
index 126ac6b..336217c 100644
--- a/home/alpha/zach.nix
+++ b/home/alpha/zach.nix
@@ -5,5 +5,8 @@
activeProfiles = [ "base" "browsing" "development" "messaging" "multimedia" "research" ];
programs.htop.settings.detailed_cpu_time = true;
+
+ sops.defaultSopsFile = ../secrets/secrets.yaml;
+ sops.gnupg.home = "/home/zach/.gnupg";
};
}
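Review bot: `sops.gnupg.home` on line 46 hard-codes `/home/zach/.gnupg`, where `sops.gnupg.home = "${config.home.homeDirectory}/.gnupg";` would follow the convention the messaging profile already uses via `config.home.homeDirectory` and avoid drift if the home path changes (assuming `config` is among this module's arguments, which is outside the hunk); the same applies to home/kompakt/sefidel.nix. Decrypting through gnupg at activation time presumes the user's agent has the key unlocked, and this commit simultaneously removes the `.pam-gnupg` file and the NixOS `pam.services.*.gnupg` presets that appear to have provided that at login, so it is worth confirming that activation on a fresh login still decrypts rather than failing silently. The enclosing attrset starts before the hunk.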
diff --git a/home/default.nix b/home/default.nix
index c264ac2..f13678e 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -16,6 +16,9 @@
./profiles/messaging
./profiles/multimedia
./profiles/research
+
+
+ inputs.sops-nix.homeManagerModules.sops
];
version = "22.05";
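Review bot: Lines 57–58 insert two consecutive blank lines before the new module entry, where a single separator inside the `imports` list is enough and matches the rest of the file. `inputs.sops-nix.homeManagerModules.sops` also depends on `inputs` being passed into this module's argument set, which is outside the hunk and worth confirming.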
diff --git a/home/kompakt/sefidel.nix b/home/kompakt/sefidel.nix
index 126ac6b..333e62f 100644
--- a/home/kompakt/sefidel.nix
+++ b/home/kompakt/sefidel.nix
@@ -5,5 +5,8 @@
activeProfiles = [ "base" "browsing" "development" "messaging" "multimedia" "research" ];
programs.htop.settings.detailed_cpu_time = true;
+
+ sops.defaultSopsFile = ../secrets/secrets.yaml;
+ sops.gnupg.home = "/home/sefidel/.gnupg";
};
}
diff --git a/home/profiles/base/default.nix b/home/profiles/base/default.nix
index 98f767f..530c8e6 100644
--- a/home/profiles/base/default.nix
+++ b/home/profiles/base/default.nix
@@ -292,9 +292,5 @@ in
longitude = "127.2";
};
};
-
- home.file.".pam-gnupg".text = ''
- 77FE99210D6D1175076B284229CE8818A7112C9B
- '';
};
}
diff --git a/home/profiles/messaging/default.nix b/home/profiles/messaging/default.nix
index 14b31a1..d0978a0 100644
--- a/home/profiles/messaging/default.nix
+++ b/home/profiles/messaging/default.nix
@@ -12,7 +12,6 @@ let
key = lib.elemAt x' 1;
action = lib.last x';
});
- mailPass = x: if pkgs.stdenv.isLinux then "${pkgs.pass}/bin/pass show emails/${x}" else "";
mbsyncCmd = if pkgs.stdenv.isLinux then "${config.programs.mbsync.package}/bin/mbsync" else "";
in
{
@@ -25,6 +24,9 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [
(lib.mkIf pkgs.stdenv.isLinux {
+
+ sops.secrets.sef-imap-password = { };
+
accounts.email = {
maildirBasePath = "${config.home.homeDirectory}/mail";
@@ -74,7 +76,7 @@ in
primary = true;
realName = "***REMOVED***";
userName = poorObfuscation "sefidel.com" "contact";
- passwordCommand = mailPass "sef";
+ passwordCommand = "cat ${config.sops.secrets.sef-imap-password.path}";
};
accounts.zach = {
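Review bot: The new `passwordCommand` on line 113 invokes a bare `cat`, so it depends on whatever PATH the mail client or mbsync is launched with, whereas the replaced `mailPass` helper and the neighbouring `mbsyncCmd` pin their binaries to store paths; use `passwordCommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets.sef-imap-password.path}";` to keep it environment-independent. The `mailPass` let-binding is removed on line 96, but `accounts.zach` (line 115) and anything beyond the hunk are not visible here, and any remaining `mailPass` reference would now fail evaluation, so confirm every account was migrated to a sops secret. The enclosing `config = lib.mkIf ...` attrset continues outside the hunk.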
diff --git a/home/secrets/secrets.yaml b/home/secrets/secrets.yaml
new file mode 100644
index 0000000..4a492de
--- /dev/null
+++ b/home/secrets/secrets.yaml
@@ -0,0 +1,23 @@
+sef-imap-password: ENC[AES256_GCM,data:HsdWSqGe3JrpeUzYNGzYKlpimu12QjTD1ENCV4ke,iv:Rl+wtmBKj4uyN1WWljncZf0g9QAbRhqdOY0gR4MPb5w=,tag:YCPZQHKa6sK5YQPj9oearg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-02-15T14:11:59Z"
+ mac: ENC[AES256_GCM,data:haJT0zXhCUXrHajLWvdpNRyD9mvudMvmxwDittd1MDxk6ShkPLgp4gWJOvaKMhlzfA38BImTLsD18TSu4LsyywGSIEJWtl+yvWx8oPnSM3ag6qVosR+lFZscExIfVHLl3TlpDqwQjYhEI+zJ/4CUHYMx47CiVJ8Pv3gNS1gPCik=,iv:QmfmrDTPy9ccm5phCN3MEyMUM89NfYtFLz1rCnTzEbU=,tag:SksJursT3QY/plT/mWF78Q==,type:str]
+ pgp:
+ - created_at: "2023-02-15T14:09:50Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dr9flwPWa1q8SAQdA74x1F2fT6BMnBcQn3vlRxNrbjpWVm4/iSxvQvcBFvBsw
+ J080DN3DqgU7EQyE5Tp+NgsNnntusf37gdObzzday9W9kRU5tTTdKdjPwKyCOzbP
+ 0l4BM90zEP36xz5v+w3H4kGNbRmI7KRNJn5objmt7s+vRiS9JKJEmeyZ7ZyfCBnC
+ S7HkR8w1XyBCS5D/MPoCb1cQObrS2seJqF3jYxGMkK/8kE3E5BFIsIGP55dlNO6g
+ =+RWr
+ -----END PGP MESSAGE-----
+ fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
index 3abc636..42675bd 100644
--- a/nixos/alpha/configuration.nix
+++ b/nixos/alpha/configuration.nix
@@ -8,18 +8,6 @@
doas.enable = true;
doas.wheelNeedsPassword = false;
sudo.wheelNeedsPassword = false;
-
- pam.services = {
- login.gnupg.enable = true;
- login.gnupg.storeOnly = true;
-
- greetd.gnupg.enable = true;
- greetd.gnupg.storeOnly = true;
-
- swaylock.gnupg.enable = true;
- i3lock.gnupg.enable = true;
- i3lock-color.gnupg.enable = true;
- };
};
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;