From 0512baf6dd03ea0e9ac5e74d81b530d75c40e5df Mon Sep 17 00:00:00 2001
From: sefidel
Date: Wed, 15 Feb 2023 23:24:03 +0900
Subject: feat(home/messaging): use sops for mail secret

---
 home/.sops.yaml | 9 +++++++++
 home/alpha/zach.nix | 3 +++
 home/default.nix | 3 +++
 home/kompakt/sefidel.nix | 3 +++
 home/profiles/base/default.nix | 4 ----
 home/profiles/messaging/default.nix | 6 ++++--
 home/secrets/secrets.yaml | 23 +++++++++++++++++++++++
 nixos/alpha/configuration.nix | 12 ------------
 8 files changed, 45 insertions(+), 18 deletions(-)
 create mode 100644 home/.sops.yaml
 create mode 100644 home/secrets/secrets.yaml

diff --git a/home/.sops.yaml b/home/.sops.yaml
new file mode 100644
index 0000000..7bfe113
--- /dev/null
+++ b/home/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+ - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f
+ - &host_kompakt e6a9ee28ea91e2dbf24d817d0c5936391be59DC0
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *sefidel
diff --git a/home/alpha/zach.nix b/home/alpha/zach.nix
index 126ac6b..336217c 100644
--- a/home/alpha/zach.nix
+++ b/home/alpha/zach.nix
@@ -5,5 +5,8 @@
 activeProfiles = [ "base" "browsing" "development" "messaging" "multimedia" "research" ];
 programs.htop.settings.detailed_cpu_time = true;
+
+ sops.defaultSopsFile = ../secrets/secrets.yaml;
+ sops.gnupg.home = "/home/zach/.gnupg";
 };
 }
diff --git a/home/default.nix b/home/default.nix
index c264ac2..f13678e 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -16,6 +16,9 @@
 ./profiles/messaging
 ./profiles/multimedia
 ./profiles/research
+
+
+ inputs.sops-nix.homeManagerModules.sops
 ];
 version = "22.05";
diff --git a/home/kompakt/sefidel.nix b/home/kompakt/sefidel.nix
index 126ac6b..333e62f 100644
--- a/home/kompakt/sefidel.nix
+++ b/home/kompakt/sefidel.nix
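Review bot: The `host_alpha` and `host_kompakt` anchors under `keys:` are never referenced by any creation rule, so as written only `*sefidel` can decrypt anything matched by `secrets/[^/]+\.yaml$`; unused anchors read as if host-level decryption were configured when it is not. Either drop the two anchors or add them to the `pgp:` key group if hosts are meant to decrypt without the user's keyring, and in either case a short comment on the rule would help, e.g. `# user key only: secrets are decrypted at home-manager activation via gpg`. The `host_kompakt` value also ends in upper-case `DC0` while the rest is lower-case, which is worth confirming against the actual fingerprint before it is ever relied on.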
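Review bot: `sops.gnupg.home = "/home/zach/.gnupg";` hard-codes the home directory, and home/kompakt/sefidel.nix does the same with `/home/sefidel/.gnupg`; if `config` is among this module's arguments, `sops.gnupg.home = "${config.home.homeDirectory}/.gnupg";` works unchanged in both files and survives a non-standard home. Decrypting with a PGP key at activation time also means the private key must be available when `home-manager switch` runs; with the PAM gnupg unlock removed from nixos/alpha/configuration.nix in this same commit, activation presumably prompts through pinentry, which deserves a comment next to the option, e.g. `# secrets.yaml is decrypted with this keyring at activation; expect a pinentry prompt`. The attribute set these lines live in starts before the hunk.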
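Review bot: Two consecutive blank lines are added before `inputs.sops-nix.homeManagerModules.sops`; a single blank line, or a one-line comment such as `# external home-manager modules`, separates the flake input from the local `./profiles/*` imports more readably than empty space. The line also assumes `inputs` is a module argument, which is not visible in this hunk; the `imports` list is closed by the `];` context line but the enclosing set continues outside the hunk.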
@@ -5,5 +5,8 @@
 activeProfiles = [ "base" "browsing" "development" "messaging" "multimedia" "research" ];
 programs.htop.settings.detailed_cpu_time = true;
+
+ sops.defaultSopsFile = ../secrets/secrets.yaml;
+ sops.gnupg.home = "/home/sefidel/.gnupg";
 };
 }
diff --git a/home/profiles/base/default.nix b/home/profiles/base/default.nix
index 98f767f..530c8e6 100644
--- a/home/profiles/base/default.nix
+++ b/home/profiles/base/default.nix
@@ -292,9 +292,5 @@ in
 longitude = "127.2";
 };
 };
-
- home.file.".pam-gnupg".text = ''
- 77FE99210D6D1175076B284229CE8818A7112C9B
- '';
 };
 }
diff --git a/home/profiles/messaging/default.nix b/home/profiles/messaging/default.nix
index 14b31a1..d0978a0 100644
--- a/home/profiles/messaging/default.nix
+++ b/home/profiles/messaging/default.nix
@@ -12,7 +12,6 @@ let
 key = lib.elemAt x' 1;
 action = lib.last x';
 });
- mailPass = x: if pkgs.stdenv.isLinux then "${pkgs.pass}/bin/pass show emails/${x}" else "";
 mbsyncCmd = if pkgs.stdenv.isLinux then "${config.programs.mbsync.package}/bin/mbsync" else "";
 in
 {
@@ -25,6 +24,9 @@ in
 config = lib.mkIf cfg.enable (lib.mkMerge [
 (lib.mkIf pkgs.stdenv.isLinux {
+
+ sops.secrets.sef-imap-password = { };
+
 accounts.email = {
 maildirBasePath = "${config.home.homeDirectory}/mail";
@@ -74,7 +76,7 @@ in
 primary = true;
 realName = "***REMOVED***";
 userName = poorObfuscation "sefidel.com" "contact";
- passwordCommand = mailPass "sef";
+ passwordCommand = "cat ${config.sops.secrets.sef-imap-password.path}";
 };
 accounts.zach = {
diff --git a/home/secrets/secrets.yaml b/home/secrets/secrets.yaml
new file mode 100644
index 0000000..4a492de
--- /dev/null
+++ b/home/secrets/secrets.yaml
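Review bot: `sops.secrets.sef-imap-password = { };` is declared in a profile shared by more than one home, but the file it comes from (home/secrets/secrets.yaml, per home/.sops.yaml in this commit) is encrypted to the `387E…` PGP key only; home/alpha/zach.nix lists "messaging" in `activeProfiles` and points `sops.gnupg.home` at `/home/zach/.gnupg`, so — assuming `activeProfiles` is what sets `cfg.enable` — that home's activation will fail at decryption unless its keyring holds that private key. If the zach home is meant to use a different mailbox, the declaration belongs next to the account that consumes it (`accounts.sef`, per the later hunk) or the second keyring needs to be a recipient. A one-line comment stating the expectation would prevent a surprise, e.g. `# decrypted with the user's gpg key; secrets.yaml is currently encrypted to the sefidel key only`. The `lib.mkIf pkgs.stdenv.isLinux` set this sits in continues past the hunk.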
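Review bot: `passwordCommand = "cat ${config.sops.secrets.sef-imap-password.path}";` depends on `cat` being on PATH whenever the mail tool runs, while the rest of this file pins binaries to store paths (`${config.programs.mbsync.package}/bin/mbsync` in the first hunk, and the removed `${pkgs.pass}/bin/pass`); `passwordCommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets.sef-imap-password.path}";` keeps that convention and still works from a systemd user unit with a minimal PATH. The removed `mailPass` also returned `""` off Linux, whereas the new value is unconditional; that is fine only if this account block is still inside the `(lib.mkIf pkgs.stdenv.isLinux {` set opened in the previous hunk, whose closing is outside this hunk.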
@@ -0,0 +1,23 @@
+sef-imap-password: ENC[AES256_GCM,data:HsdWSqGe3JrpeUzYNGzYKlpimu12QjTD1ENCV4ke,iv:Rl+wtmBKj4uyN1WWljncZf0g9QAbRhqdOY0gR4MPb5w=,tag:YCPZQHKa6sK5YQPj9oearg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-02-15T14:11:59Z"
+ mac: ENC[AES256_GCM,data:haJT0zXhCUXrHajLWvdpNRyD9mvudMvmxwDittd1MDxk6ShkPLgp4gWJOvaKMhlzfA38BImTLsD18TSu4LsyywGSIEJWtl+yvWx8oPnSM3ag6qVosR+lFZscExIfVHLl3TlpDqwQjYhEI+zJ/4CUHYMx47CiVJ8Pv3gNS1gPCik=,iv:QmfmrDTPy9ccm5phCN3MEyMUM89NfYtFLz1rCnTzEbU=,tag:SksJursT3QY/plT/mWF78Q==,type:str]
+ pgp:
+ - created_at: "2023-02-15T14:09:50Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dr9flwPWa1q8SAQdA74x1F2fT6BMnBcQn3vlRxNrbjpWVm4/iSxvQvcBFvBsw
+ J080DN3DqgU7EQyE5Tp+NgsNnntusf37gdObzzday9W9kRU5tTTdKdjPwKyCOzbP
+ 0l4BM90zEP36xz5v+w3H4kGNbRmI7KRNJn5objmt7s+vRiS9JKJEmeyZ7ZyfCBnC
+ S7HkR8w1XyBCS5D/MPoCb1cQObrS2seJqF3jYxGMkK/8kE3E5BFIsIGP55dlNO6g
+ =+RWr
+ -----END PGP MESSAGE-----
+ fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nixos/alpha/configuration.nix b/nixos/alpha/configuration.nix
index 3abc636..42675bd 100644
--- a/nixos/alpha/configuration.nix
+++ b/nixos/alpha/configuration.nix
@@ -8,18 +8,6 @@
 doas.enable = true;
 doas.wheelNeedsPassword = false;
 sudo.wheelNeedsPassword = false;
-
- pam.services = {
- login.gnupg.enable = true;
- login.gnupg.storeOnly = true;
-
- greetd.gnupg.enable = true;
- greetd.gnupg.storeOnly = true;
-
- swaylock.gnupg.enable = true;
- i3lock.gnupg.enable = true;
- i3lock-color.gnupg.enable = true;
- };
 };
 boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-- 
cgit 1.4.1