diff options
author | sefidel <contact@sefidel.net> | 2023-03-09 20:48:14 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2023-03-09 20:48:14 +0900 |
commit | 5cd528f7e109bb1bca84efc2a1ec44f067516aeb (patch) | |
tree | 6bfa15f8c9072a797ba964136ea55d5a788833fb | |
parent | fed1f04b1ee97aa44855bce2f15c42563d5775cc (diff) | |
download | nixrc-5cd528f7e109bb1bca84efc2a1ec44f067516aeb.tar.gz nixrc-5cd528f7e109bb1bca84efc2a1ec44f067516aeb.zip |
feat(home/communication): use sops for email secret
-rw-r--r-- | home/profiles/communication/default.nix | 14 | ||||
-rw-r--r-- | home/secrets/secrets.yaml | 30 |
2 files changed, 37 insertions, 7 deletions
diff --git a/home/profiles/communication/default.nix b/home/profiles/communication/default.nix index 03f1f3c..1e65cc3 100644 --- a/home/profiles/communication/default.nix +++ b/home/profiles/communication/default.nix @@ -13,6 +13,8 @@ let action = lib.last x'; }); mbsyncCmd = if pkgs.stdenv.isLinux then "${config.programs.mbsync.package}/bin/mbsync" else ""; + # https://github.com/Mic92/sops-nix/issues/284 + fixSopsPrefix = x: y: builtins.replaceStrings ["%r"] ["/run/user/${toString x}"] y; in { imports = [ ../../modules/programs/nixpkgs ]; @@ -23,8 +25,10 @@ in }; config = lib.mkIf cfg.enable (lib.mkMerge [ + # TODO: is this needed? (lib.mkIf pkgs.stdenv.isLinux { - # TODO: is this needed? + sops.secrets.sef-email-password = { }; + accounts.email = { maildirBasePath = "${config.home.homeDirectory}/mail"; @@ -71,7 +75,7 @@ in primary = true; realName = "***REMOVED***"; userName = poorObfuscation "sefidel.com" "contact"; - passwordCommand = "${pkgs.passage}/bin/passage show email/sef"; + passwordCommand = "${pkgs.coreutils}/bin/cat ${fixSopsPrefix 1000 config.sops.secrets.sef-email-password.path}"; }; }; @@ -265,13 +269,9 @@ in Service = { Type = "oneshot"; ExecStart = "${mbsyncCmd} -Va"; + After = [ "sops-nix.service" ]; RemainAfterExit = true; TimeoutStartSec = "5min"; - Environment = "PATH=${lib.makeBinPath [ - # passage dependencies - pkgs.util-linux - pkgs.coreutils - ]}"; }; Install.WantedBy = [ "default.target" ]; }; diff --git a/home/secrets/secrets.yaml b/home/secrets/secrets.yaml new file mode 100644 index 0000000..5149b59 --- /dev/null +++ b/home/secrets/secrets.yaml @@ -0,0 +1,30 @@ +sef-email-password: ENC[AES256_GCM,data:K1D+d8nly3POMLM1qHQPr0emF4qScEb1UjAyhaUd,iv:odkiOVPxckfsfcY5ZRuQ++L35kZ8cemnuRKWTUpjNWs=,tag:QwOs2oOxGTyy2kdIWyzSRA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzN3lSWWs3c3Y1RmsxTk9u + NEpURnBUV204MUpmZEFwQnIySStLMUV2TmxRClZOUFRoc1g0LytSTTN3eUJkRlV2 + U0lkcFZEaWR3OHZqNDZFNWlFU0RVUVUKLS0tIHhONW9UMldKSVBIYk9UcGQxRnpZ + UDJVc1U0bllGMlA2eGJWL0ZWVWJVOFkKA0zG+7HcAeEUfINt9WpdHkxl+wl9bwOa + WGBGRJBJOIJv5GJs/rJCSgmZ1vLQBvqUpFiHs7XvKWGJPQh+Zn8SrQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k585l9d34j77htwmzk79ms0wcfyltz5d3v87pnjkvrzru85vke4q2q0qjd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzRFh0VVJKNHFyMmhvejJ2 + M3RBS3ZwZE5BdDBSbFBjOWpoRUl1TUUvNERJCmljSTdxUlVDQS95dUU5ZmV5Rm1n + MUpVcHI0MWFMVVQxMUFsNEkvRHltRG8KLS0tIFZtVmhLb0E4ZUg2R2V5dWhISFB1 + SDl5RTUvUXVSdmc0aEc0aFd2akdkY0UKJFEvPFe2xalBb5Y2fxSbCeB6vHf15OXw + LzSmm+8T7kvCUvJG+TEu1qOaR16RSWHSv/A9F4IfmE0V8YTRdgbgrQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-03-09T07:55:37Z" + mac: ENC[AES256_GCM,data:SzuAZEwRy/sziLdHJ+IpjUJRTY6FTv8l5lKWM/Ylhww58/VzoDvPGbcr6npV3uKPy/B+bUFkzrhtF+DnlD44o8aVGfwXOrVNT5+2mxzG3+u22ZYBDOQE/LB84EkV4/0XVJ8pZGBCTQlqI+rmoNdT1tzsdH4oh4bMZp+6+vLGGzU=,iv:WOpM7Rn0s9w+t0kLdSSmWU2EOOqdnylnmNxyYqyfMmk=,tag:3IQ2k0vIVnONSXvUQ0XALA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 |