From 926787528b2c597a4cd7c761824a49798e127102 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sat, 16 Sep 2023 14:04:02 +0200
Subject: [PATCH] feat: add repo-like user secrets, rudimentary config of thunderbird
---
 modules/optional/graphical/default.nix | 5 ++
 users/modules/default.nix | 1 +
 users/modules/secrets.nix | 21 ++++++++
 users/myuser/default.nix | 14 ++++--
 users/myuser/graphical/default.nix | 8 ++++
 users/myuser/graphical/i3.nix | 4 ++
 users/myuser/graphical/thunderbird.nix | 53 +++++++++++++++++++++
 users/myuser/secrets/mailpw-206fd3b8.age | 12 +++++
 users/myuser/secrets/user.nix.age | Bin 0 -> 855 bytes
 users/myuser/{ => secrets}/yubikey.gpg.age | Bin
 10 files changed, 115 insertions(+), 3 deletions(-)
 create mode 100644 users/modules/secrets.nix
 create mode 100644 users/myuser/graphical/thunderbird.nix
 create mode 100644 users/myuser/secrets/mailpw-206fd3b8.age
 create mode 100644 users/myuser/secrets/user.nix.age
 rename users/myuser/{ => secrets}/yubikey.gpg.age (100%)

diff --git a/modules/optional/graphical/default.nix b/modules/optional/graphical/default.nix
index a55e95a..8fe5d42 100644
--- a/modules/optional/graphical/default.nix
+++ b/modules/optional/graphical/default.nix
@@ -21,4 +21,9 @@ in {
 default = false;
 type = types.bool;
 };
+
+ config = {
+ # Needed for gtk
+ programs.dconf.enable = true;
+ };
 }
diff --git a/users/modules/default.nix b/users/modules/default.nix
index 8630191..37ea52a 100644
--- a/users/modules/default.nix
+++ b/users/modules/default.nix
@@ -1,5 +1,6 @@
 {...}: {
 imports = [
+ ./secrets.nix
 ./uid.nix
 
 ./config/htop.nix
diff --git a/users/modules/secrets.nix b/users/modules/secrets.nix
new file mode 100644
index 0000000..a7e9ab0
--- /dev/null
+++ b/users/modules/secrets.nix
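Review bot: `programs.dconf.enable = true;` in the new `config` block is unconditional, while the option declared directly above it (`default = false; type = types.bool;`) suggests this module is meant to be switched on per host; if that option is the intended gate, the block should read `config = lib.mkIf config.<option>.enable { programs.dconf.enable = true; };` (the option's name is above the hunk, so I cannot fill it in). If the gating is instead done by only importing this file on graphical hosts, a one-line comment saying so next to `# Needed for gtk` would stop the next reader from asking the same question. The enclosing `in {` attrset starts outside the hunk.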
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ nixosConfig,
+ ...
+}: let
+ inherit (lib) mkOption types;
+in {
+ options.userSecretsName = mkOption {
+ default = "user-${config._module.args.name}";
+ type = types.str;
+ description = "The secrets attribute name that should be made available as userSecrets";
+ };
+
+ options.userSecrets = mkOption {
+ readOnly = true;
+ default = nixosConfig.repo.secrets.${config.userSecretsName};
+ type = types.unspecified;
+ description = "Conveniently exposes the secrets for this user, if any.";
+ };
+}
diff --git a/users/myuser/default.nix b/users/myuser/default.nix
index 5a9b17a..97e9c75 100644
--- a/users/myuser/default.nix
+++ b/users/myuser/default.nix
@@ -17,11 +17,16 @@ in {
 shell = pkgs.zsh;
 };
 
- # Needed for gtk
- programs.dconf.enable = true;
+ repo.secretFiles.user-myuser = ./secrets/user.nix.age;
 
 age.secrets.my-gpg-pubkey-yubikey = {
- rekeyFile = ./yubikey.gpg.age;
+ rekeyFile = ./secrets/yubikey.gpg.age;
+ group = myuser;
+ mode = "640";
+ };
+
+ age.secrets.mailpw-206fd3b8 = {
+ rekeyFile = ./secrets/mailpw-206fd3b8.age;
 group = myuser;
 mode = "640";
 };
@@ -38,6 +43,9 @@ in {
 ./ssh.nix
 ];
 
+ # Remove dependence on username (which also comes from these secrets) to
+ # avoid triggering infinite recursion.
+ userSecretsName = "user-myuser";
 home = {
 inherit (config.users.users.${myuser}) uid;
 username = config.users.users.${myuser}.name;
diff --git a/users/myuser/graphical/default.nix b/users/myuser/graphical/default.nix
index d6087f7..a0e59f3 100644
--- a/users/myuser/graphical/default.nix
+++ b/users/myuser/graphical/default.nix
@@ -11,6 +11,7 @@
 ./kitty.nix
 ./signal.nix
 ./theme.nix
+ ./thunderbird.nix
 # XXX: disabled for the time being because gaming under nvidia+wayland has too many bugs
 # XXX: retest this in the future. Problems were flickering under gles, black screens and refresh issues under vulkan, black wine windows.
 # ./sway.nix
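Review bot: The `userSecrets` default dereferences `nixosConfig.repo.secrets.${config.userSecretsName}` unconditionally, so a user without an entry in `repo.secrets` aborts evaluation with a missing-attribute error instead of getting "nothing", which contradicts the description's "if any". Either guard it, `default = nixosConfig.repo.secrets.${config.userSecretsName} or {};`, or reword the description to state that the attribute must exist. The `userSecretsName` default built from `config._module.args.name` is also the value that users/myuser/default.nix has to override to escape an infinite recursion; a comment on that option such as `# Only safe when the username itself is not read from these secrets; override it otherwise.` would record that constraint where the next user module will hit it.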
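Review bot: `age.secrets.mailpw-206fd3b8` copies `group = myuser; mode = "640";` from the GPG public-key entry above it, but this secret is a mail credential, not a public key, and `640` with no `owner` makes the decrypted file readable by every member of the `myuser` group. Least privilege for a credential that only this user's processes need is `owner = myuser; mode = "400";` (drop the `group` line), even if the payload is still age-encrypted underneath as the `rage -d` in thunderbird.nix suggests. Whether the `myuser` group has other members is not visible here, so this is precautionary.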
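Review bot: `userSecretsName = "user-myuser";` has to agree byte-for-byte with the attribute name in `repo.secretFiles.user-myuser = ./secrets/user.nix.age;` set earlier in this file, and nothing ties the two literals together. If `myuser` is a plain let-bound string (it is used as `group = myuser;` above), `userSecretsName = "user-${myuser}";` and `repo.secretFiles."user-${myuser}" = ...;` derive both from one name without reintroducing the recursion the comment warns about; if `myuser` itself comes from the secrets, keep the literals but extend the comment with `# Must match repo.secretFiles.user-myuser above.` The enclosing home-manager attrset starts outside the hunk.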
@@ -36,6 +37,13 @@
 zathura
 ];
 
+ # TODO accounts.concats accounts.calendar
+ # TODO test different pinentrys (pinentry gtk?)
+ # TODO agenix rekey edit secret should create temp files with same extension
+ # TODO mod+f1-4 for left monitor?
+ # TODO autostart signal, firefox (both windows), etc.
+ # TODO agenix rekey caches in /tmp which is removed each reboot and could be improved
+ # TODO entering devshell takes some time after reboot
 # TODO emoji in firefox are wrong
 # TODO screenshot selection/all and copy clipboard
 # TODO screenshot selection/all and save
diff --git a/users/myuser/graphical/i3.nix b/users/myuser/graphical/i3.nix
index fb06e9a..f293502 100644
--- a/users/myuser/graphical/i3.nix
+++ b/users/myuser/graphical/i3.nix
@@ -173,4 +173,8 @@ in {
 exec i3
 '';
+
+ home.packages = with pkgs; [
+ xclip
+ ];
 
 }
diff --git a/users/myuser/graphical/thunderbird.nix b/users/myuser/graphical/thunderbird.nix
new file mode 100644
index 0000000..14e48df
--- /dev/null
+++ b/users/myuser/graphical/thunderbird.nix
@@ -0,0 +1,53 @@ +{ + config, + lib, + nixosConfig, + pkgs, + ... +}: let + rageWrapper = pkgs.writeShellScript "rage-decrypt-yubikey" '' + export PATH="${pkgs.age-plugin-yubikey}:$PATH" + exec ${pkgs.rage}/bin/rage + ''; +in { + accounts.email.accounts = + lib.flip lib.mapAttrs' config.userSecrets.accounts.email + (n: v: + lib.nameValuePair v.address ({ + # TODO genericize + passwordCommand = + [rageWrapper.out "-d"] + ++ lib.concatMap (x: ["-i" x]) nixosConfig.age.rekey.masterIdentities + ++ [nixosConfig.age.secrets.mailpw-206fd3b8.path]; + + thunderbird = { + enable = true; + profiles = ["personal"]; + }; + } + // v)); + + # TODO dont send html setting + + programs.thunderbird = { + enable = true; + + profiles.personal = { + isDefault = true; + withExternalGnupg = true; + }; + }; + + home.persistence."/state".directories = [ + ".cache/thunderbird" + ]; + + home.persistence."/persist".directories = [ + ".thunderbird" + ]; + + xdg.mimeApps.defaultApplications = { + "x-scheme-handler/mailto" = ["thunderbird.desktop"]; + "message/rfc822" = ["thunderbird.desktop"]; + }; +} diff --git a/users/myuser/secrets/mailpw-206fd3b8.age b/users/myuser/secrets/mailpw-206fd3b8.age new file mode 100644 index 0000000..78cc4c1 --- /dev/null +++ b/users/myuser/secrets/mailpw-206fd3b8.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> X25519 KwBYl4MrgBJr2FlpJXxOwKCkxTA9ycg0brV6tlypE0M +Jnr3c/LA2R7aI72DQ5nAprBmMaz6+4SaPzGFSKrfwdg +-> piv-p256 xqSe8Q AqOoLFvaYXyRGmb08rPlWiHYktjdcQ5uY9LjqEjLpTpU +vO9wS/mj5N0Hs1ZmQFwN1yl1m5epVJMK92xEOTEff+w +-> \-grease _8 I%;:'v _2^6n?L +aOvGg6n0/vXAvbnmJTJhNANyAX2v3kln2cbjjm14ImP4Ka7vNwnn5WpRr1BlRNLE +GyOvwuiXCn1bElQuISlH08wpRgXIcNw +--- N9bNR94aimZf89v6R0lOFEH1aEN4+W2l6v2eSGtt8ks +כO}ޯ +YUx"KJV? +;eƀ=K=cAS]qtfMvH \ No newline at end of file 
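Review bot: `export PATH="${pkgs.age-plugin-yubikey}:$PATH"` in `rageWrapper` puts the package's store root on PATH rather than its `bin` directory, so rage will not find the `age-plugin-yubikey` binary it needs for the `piv-p256` identity and every decryption through this wrapper fails; it should be `export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"` (or `${lib.makeBinPath [pkgs.age-plugin-yubikey]}`). `rageWrapper.out` is a derivation attrset rather than a string, and if `passwordCommand` is typed as a list of `types.str` that fails the module type check; `"${rageWrapper}"` is the safe form. More fundamentally, please confirm that something consumes `passwordCommand` for a Thunderbird-only account: to my knowledge the home-manager thunderbird module only writes account settings into `user.js` and leaves authentication to Thunderbird's own password store, in which case the password typed into Thunderbird ends up in `key4.db`/`logins.json` under the `.thunderbird` directory this hunk persists to `/persist`, and the YubiKey-gated decryption is never exercised. Since the command passes every entry of `nixosConfig.age.rekey.masterIdentities`, a comment stating that the token must be present at launch would document the intended trade-off.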
diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age new file mode 100644 index 0000000000000000000000000000000000000000..773d9ec1bb14b69a4c06cbf23d86b0e25ba2688a GIT binary patch literal 855 zcmV-d1E~CAXJsvAZewzJaCB*JZZ2f)=HAX^kNoR9aQ#oZgL1J}5RYzAgLw5=tNlH#uFhzDWPkL5W zXG3>+VlPQcS8sAjQb;sfZfb8rXLkxMJ|J*ub}eu+H8vo4aZ_bDQ6NEWMOtVwZcsH% zXD?Sxa#K`Sc4#YQRb*38G(#|LPGMtZb80ntab;pqL{M`toYOjQakJ|HJ-HZ5mzWnpt=ASobxM>`;PS37e^ zAVN-fQ9OQJ3U@O@Zfb5~Fmh!uW;r%#Yeqy+PEANiQ)pySc2G2HRCGgHR&a7fPc>Fb zNJ1-FMP*JxM{F=+Y)Ua?M0Yl4aSBIcdPrnwGfYu+Losr7Mno|$HEBmxT4;KBNaG~S}<*HZdET+aYlD$K}|(dcSA^4 zMpjW_MPgM)P(=z?l>fAhQ&iyg%=ZYvqVHq2*2K9}6LeOllJKYnA~&r<^i*`sVb6!I zh#pz5>LG~eXqBz<7DE#zYTqyeDd)i}a=~`8hyD-iJzlI;#pN_!IPbnXWgZ39SG1WM zzfxnrihF;GoId7jaWFA>_R1E% zajJks?Gi_gvHP5~3drZNPiT&v7^MalX-IH*g@hzc^0$P{?I>;u@%+XoFDiMU_Q1R0 zOU+U!@{K$%qMWSe(5Y_f@?|3MabW5Bk+szZX$sRG8Xz>8!YH+d?YsSZ+)9t5PU;r{ h;`3q)_Kw^r*Tlw_v