feat: add repo-like user secrets, rudimentary config of thunderbird

2025-10-11 07:10:39 +02:00 · 2023-09-16 14:04:02 +02:00 · 2023-09-16 14:04:02 +02:00 · 926787528b
commit 926787528b
parent 0994bba279
10 changed files with 115 additions and 3 deletions
--- a/modules/optional/graphical/default.nix
+++ b/modules/optional/graphical/default.nix
@ -21,4 +21,9 @@ in {
    default = false;
    type = types.bool;
  };
+
+  config = {
+    # Needed for gtk
+    programs.dconf.enable = true;
+  };
 }
--- a/users/modules/default.nix
+++ b/users/modules/default.nix
@ -1,5 +1,6 @@
 {...}: {
  imports = [
+    ./secrets.nix
    ./uid.nix

    ./config/htop.nix
--- a/users/modules/secrets.nix
+++ b/users/modules/secrets.nix
@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  nixosConfig,
+  ...
+}: let
+  inherit (lib) mkOption types;
+in {
+  options.userSecretsName = mkOption {
+    default = "user-${config._module.args.name}";
+    type = types.str;
+    description = "The secrets attribute name that should be made available as userSecrets";
+  };
+
+  options.userSecrets = mkOption {
+    readOnly = true;
+    default = nixosConfig.repo.secrets.${config.userSecretsName};
+    type = types.unspecified;
+    description = "Conveniently exposes the secrets for this user, if any.";
+  };
+}
--- a/users/myuser/default.nix
+++ b/users/myuser/default.nix
@ -17,11 +17,16 @@ in {
    shell = pkgs.zsh;
  };

-  # Needed for gtk
-  programs.dconf.enable = true;
+  repo.secretFiles.user-myuser = ./secrets/user.nix.age;

  age.secrets.my-gpg-pubkey-yubikey = {
-    rekeyFile = ./yubikey.gpg.age;
+    rekeyFile = ./secrets/yubikey.gpg.age;
+    group = myuser;
+    mode = "640";
+  };
+
+  age.secrets.mailpw-206fd3b8 = {
+    rekeyFile = ./secrets/mailpw-206fd3b8.age;
    group = myuser;
    mode = "640";
  };
@ -38,6 +43,9 @@ in {
      ./ssh.nix
    ];

+    # Remove dependence on username (which also comes from these secrets) to
+    # avoid triggering infinite recursion.
+    userSecretsName = "user-myuser";
    home = {
      inherit (config.users.users.${myuser}) uid;
      username = config.users.users.${myuser}.name;
--- a/users/myuser/graphical/default.nix
+++ b/users/myuser/graphical/default.nix
@ -11,6 +11,7 @@
      ./kitty.nix
      ./signal.nix
      ./theme.nix
+      ./thunderbird.nix
      # XXX: disabled for the time being because gaming under nvidia+wayland has too many bugs
      # XXX: retest this in the future. Problems were flickering under gles, black screens and refresh issues under vulkan, black wine windows.
      # ./sway.nix
@ -36,6 +37,13 @@
      zathura
    ];

+    # TODO accounts.concats accounts.calendar
+    # TODO test different pinentrys (pinentry gtk?)
+    # TODO agenix rekey edit secret should create temp files with same extension
+    # TODO mod+f1-4 for left monitor?
+    # TODO autostart signal, firefox (both windows), etc.
+    # TODO agenix rekey caches in /tmp which is removed each reboot and could be improved
+    # TODO entering devshell takes some time after reboot
    # TODO emoji in firefox are wrong
    # TODO screenshot selection/all and copy clipboard
    # TODO screenshot selection/all and save
--- a/users/myuser/graphical/i3.nix
+++ b/users/myuser/graphical/i3.nix
@ -173,4 +173,8 @@ in {

    exec i3
  '';
+
+  home.packages = with pkgs; [
+    xclip
+  ];
 }
--- a/users/myuser/graphical/thunderbird.nix
+++ b/users/myuser/graphical/thunderbird.nix
@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  nixosConfig,
+  pkgs,
+  ...
+}: let
+  rageWrapper = pkgs.writeShellScript "rage-decrypt-yubikey" ''
+    export PATH="${pkgs.age-plugin-yubikey}:$PATH"
+    exec ${pkgs.rage}/bin/rage
+  '';
+in {
+  accounts.email.accounts =
+    lib.flip lib.mapAttrs' config.userSecrets.accounts.email
+    (n: v:
+      lib.nameValuePair v.address ({
+          # TODO genericize
+          passwordCommand =
+            [rageWrapper.out "-d"]
+            ++ lib.concatMap (x: ["-i" x]) nixosConfig.age.rekey.masterIdentities
+            ++ [nixosConfig.age.secrets.mailpw-206fd3b8.path];
+
+          thunderbird = {
+            enable = true;
+            profiles = ["personal"];
+          };
+        }
+        // v));
+
+  # TODO dont send html setting
+
+  programs.thunderbird = {
+    enable = true;
+
+    profiles.personal = {
+      isDefault = true;
+      withExternalGnupg = true;
+    };
+  };
+
+  home.persistence."/state".directories = [
+    ".cache/thunderbird"
+  ];
+
+  home.persistence."/persist".directories = [
+    ".thunderbird"
+  ];
+
+  xdg.mimeApps.defaultApplications = {
+    "x-scheme-handler/mailto" = ["thunderbird.desktop"];
+    "message/rfc822" = ["thunderbird.desktop"];
+  };
+}
--- a/users/myuser/secrets/mailpw-206fd3b8.age
+++ b/users/myuser/secrets/mailpw-206fd3b8.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 KwBYl4MrgBJr2FlpJXxOwKCkxTA9ycg0brV6tlypE0M
+Jnr3c/LA2R7aI72DQ5nAprBmMaz6+4SaPzGFSKrfwdg
+-> piv-p256 xqSe8Q AqOoLFvaYXyRGmb08rPlWiHYktjdcQ5uY9LjqEjLpTpU
+vO9wS/mj5N0Hs1ZmQFwN1yl1m5epVJMK92xEOTEff+w
+-> \-grease _8 I%;:'v _2^6n?L
+aOvGg6n0/vXAvbnmJTJhNANyAX2v3kln2cbjjm14ImP4Ka7vNwnn5WpRr1BlRNLE
+GyOvwuiXCn1bElQuISlH08wpRgXIcNw
+--- N9bNR94aimZf89v6R0lOFEH1aEN4+W2l6v2eSGtt8ks
+¨ì×›ÇOÈ}Þ¯Ê
+æYUx"KJÒV¶?åÂÁ
+;eÆ€ß=�÷ÐKÏ‹=÷«ÅcÖó°ç AïÀS ]qtfMvH
--- a/users/myuser/secrets/user.nix.age
+++ b/users/myuser/secrets/user.nix.age
--- a/users/myuser/secrets/yubikey.gpg.age
+++ b/users/myuser/secrets/yubikey.gpg.age