feat: add repo-like user secrets, rudimentary config of thunderbird

users/myuser/default.nix

@@ -17,11 +17,16 @@ in {
     shell = pkgs.zsh;
   };
 
-  # Needed for gtk
-  programs.dconf.enable = true;
+  repo.secretFiles.user-myuser = ./secrets/user.nix.age;
 
   age.secrets.my-gpg-pubkey-yubikey = {
-    rekeyFile = ./yubikey.gpg.age;
+    rekeyFile = ./secrets/yubikey.gpg.age;
+    group = myuser;
+    mode = "640";
+  };
+
+  age.secrets.mailpw-206fd3b8 = {
+    rekeyFile = ./secrets/mailpw-206fd3b8.age;
     group = myuser;
     mode = "640";
   };
@@ -38,6 +43,9 @@ in {
       ./ssh.nix
     ];
 
+    # Remove dependence on username (which also comes from these secrets) to
+    # avoid triggering infinite recursion.
+    userSecretsName = "user-myuser";
     home = {
       inherit (config.users.users.${myuser}) uid;
       username = config.users.users.${myuser}.name;

users/myuser/graphical/default.nix

@@ -11,6 +11,7 @@
       ./kitty.nix
       ./signal.nix
       ./theme.nix
+      ./thunderbird.nix
       # XXX: disabled for the time being because gaming under nvidia+wayland has too many bugs
       # XXX: retest this in the future. Problems were flickering under gles, black screens and refresh issues under vulkan, black wine windows.
       # ./sway.nix
@@ -36,6 +37,13 @@
       zathura
     ];
 
+    # TODO accounts.concats accounts.calendar
+    # TODO test different pinentrys (pinentry gtk?)
+    # TODO agenix rekey edit secret should create temp files with same extension
+    # TODO mod+f1-4 for left monitor?
+    # TODO autostart signal, firefox (both windows), etc.
+    # TODO agenix rekey caches in /tmp which is removed each reboot and could be improved
+    # TODO entering devshell takes some time after reboot
     # TODO emoji in firefox are wrong
     # TODO screenshot selection/all and copy clipboard
     # TODO screenshot selection/all and save

users/myuser/graphical/i3.nix

@@ -173,4 +173,8 @@ in {
 
     exec i3
   '';
+
+  home.packages = with pkgs; [
+    xclip
+  ];
 }

users/myuser/graphical/thunderbird.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  nixosConfig,
+  pkgs,
+  ...
+}: let
+  rageWrapper = pkgs.writeShellScript "rage-decrypt-yubikey" ''
+    export PATH="${pkgs.age-plugin-yubikey}:$PATH"
+    exec ${pkgs.rage}/bin/rage
+  '';
+in {
+  accounts.email.accounts =
+    lib.flip lib.mapAttrs' config.userSecrets.accounts.email
+    (n: v:
+      lib.nameValuePair v.address ({
+          # TODO genericize
+          passwordCommand =
+            [rageWrapper.out "-d"]
+            ++ lib.concatMap (x: ["-i" x]) nixosConfig.age.rekey.masterIdentities
+            ++ [nixosConfig.age.secrets.mailpw-206fd3b8.path];
+
+          thunderbird = {
+            enable = true;
+            profiles = ["personal"];
+          };
+        }
+        // v));
+
+  # TODO dont send html setting
+
+  programs.thunderbird = {
+    enable = true;
+
+    profiles.personal = {
+      isDefault = true;
+      withExternalGnupg = true;
+    };
+  };
+
+  home.persistence."/state".directories = [
+    ".cache/thunderbird"
+  ];
+
+  home.persistence."/persist".directories = [
+    ".thunderbird"
+  ];
+
+  xdg.mimeApps.defaultApplications = {
+    "x-scheme-handler/mailto" = ["thunderbird.desktop"];
+    "message/rfc822" = ["thunderbird.desktop"];
+  };
+}

users/myuser/secrets/mailpw-206fd3b8.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 KwBYl4MrgBJr2FlpJXxOwKCkxTA9ycg0brV6tlypE0M
+Jnr3c/LA2R7aI72DQ5nAprBmMaz6+4SaPzGFSKrfwdg
+-> piv-p256 xqSe8Q AqOoLFvaYXyRGmb08rPlWiHYktjdcQ5uY9LjqEjLpTpU
+vO9wS/mj5N0Hs1ZmQFwN1yl1m5epVJMK92xEOTEff+w
+-> \-grease _8 I%;:'v _2^6n?L
+aOvGg6n0/vXAvbnmJTJhNANyAX2v3kln2cbjjm14ImP4Ka7vNwnn5WpRr1BlRNLE
+GyOvwuiXCn1bElQuISlH08wpRgXIcNw
+--- N9bNR94aimZf89v6R0lOFEH1aEN4+W2l6v2eSGtt8ks
+¨ì×›ÇOÈ}Þ¯Ê
+æYUx"KJÒV¶?åÂÁ
+;eÆ€ß=�÷ÐKÏ‹=÷«ÅcÖó°ç AïÀS ]qtfMvH