add aerc accounts.conf to secret store (and home-manager)

2022-06-20 23:55:43 -07:00 · 2022-06-20 23:55:43 -07:00 · ceef35af96
parent 27ce21cda4
commit ceef35af96
3 changed files with 64 additions and 6 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -8,7 +8,7 @@ keys:
  - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf
  - &host_moby age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6
 creation_rules:
-  - path_regex: secrets/universal.yaml$
+  - path_regex: secrets/universal*
    key_groups:
    - age:
      - *user_desko_colin
--- a/modules/universal/home-manager.nix
+++ b/modules/universal/home-manager.nix
@ -34,11 +34,18 @@ in
    sops.secrets."colinsane_email_passwd" = {
      owner = config.users.users.colin.name;
    };
+    sops.secrets."aerc_accounts" = {
+      owner = config.users.users.colin.name;
+      sopsFile = ../../secrets/universal/aerc_accounts.conf;
+      format = "binary";
+    };

    home-manager.useGlobalPkgs = true;
    home-manager.useUserPackages = true;

-    home-manager.users.colin = {
+    # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist.
+    # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105
+    home-manager.users.colin = let sysconfig = config; in { config, ... }: {
      home.stateVersion = "21.11";
      home.username = "colin";
      home.homeDirectory = "/home/colin";
@ -58,6 +65,9 @@ in
        videos = "$HOME/Videos";
      };

+      xdg.configFile."aerc/accounts.conf".source =
+        config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path;
+
      accounts.email.accounts.colinsane = {
        address = "colin@uninsane.org";
        userName = "colin";
@ -70,7 +80,7 @@ in
          port = 465;
        };
        realName = "Colin Sane";
-        passwordCommand = "cat ${config.sops.secrets.colinsane_email_passwd.path}";
+        passwordCommand = "cat ${sysconfig.sops.secrets.colinsane_email_passwd.path}";

        primary = true;

@ -155,7 +165,7 @@ in
          '';
        };

-        firefox = lib.mkIf (config.colinsane.gui.enable) {
+        firefox = lib.mkIf (sysconfig.colinsane.gui.enable) {
          enable = true;

          profiles.default = {
@ -255,7 +265,7 @@ in
        youtube-dl
        zola
      ]
-      ++ (if config.colinsane.gui.enable then
+      ++ (if sysconfig.colinsane.gui.enable then
      with pkgs;
      [
        # GUI only
@ -283,7 +293,7 @@ in
        whalebird # pleroma client. input is broken on phosh
        xterm  # broken on phosh
      ] else [])
-      ++ (if config.colinsane.gui.enable && pkgs.system == "x86_64-linux" then
+      ++ (if sysconfig.colinsane.gui.enable && pkgs.system == "x86_64-linux" then
      with pkgs;
      [
        # x86_64 only
--- a/secrets/universal/aerc_accounts.conf
+++ b/secrets/universal/aerc_accounts.conf
@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:ddTt5eiIjelY93j1GAX3fwZqT4HG2nkK5aKRAVm9bkE8ziE2Jk7beXNKps+iDUZGoB6di45srTRmKb79AlagtaLekz6vpjtPnifFzjdNHx+XmEGi9qKKutssNxbc4wFhGVLoJp04DSolYDvTRsyIy+VG+G9vhyUVDvRgXYpZD1XymqGFhY00gn5prM6PJQRDt45xEaNieaT0HpTn3+r9TaKQxFDea+jiFcXlT8qOiuGRGs2kxsCS8Dc5+fZlcczvducSY00iKMUAz9HCxR5YeBas4f3YwD/3iECJn9E+CA9yuf2sbg8onlUraxkkZryt5RKekG0CEJGLnO9RNJpy2YyY8br2CW1gUt0x3tgrGyM+j0bEse8EFr2+vxvRo7ngwFhthRN2YuBxgirXcXHfn3ez9xT8tOKkY4IccA7NapjZ3MKZEZSAtgd14Q3xmYaLjVw7a5YlQpKFFCpSJcMzgjKK92MoLnrGFrW9FHCoFQhdnj5i6rOSFkSpiMS5RuyRk0QANoqyeVS4kfIzW+yI8ZbVx7wd0GtSo3mxEPBfiIh5QNpI+2dAViL7AIOon90CBmc=,iv:Ix+dzGaqe3TqbJl+9f3ynvKnQELJ4yhwExQIF4s0ae4=,tag:tP633Tje5mpbUoFnX5kmAw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXFUV0NVb0I3UjF6d2lx\nQXlCZURBai9qSERxWlYyQ3k2VGNhVnhPWGxRCk01aVZPbE96NDZ3WVUyRkp1UzFm\ndWNGb1JPNFBWS2hzTEVnTzFsOFRPWFEKLS0tIHVVT2Q0bDkvcmZOYzZqQVZJclVO\nWEpHRS9jUFpuVHZrS2paWHNuRzN4ZzAKOioqqTsqyD4Wa+amWaRNgb/6ZspWDI1K\nKvrIZ8uqunnUjjjNSJJlM8dl1OfyJlrRWEi8QOkqD21FcBTQiljVgg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtT2gwSnJENUgrcUZQS21K\nL05BOW15ajJDVkhGajNzZE1pQTc5WVlwM3hVCjJMVFJDT1laOTlUNk9qM2ppMDZn\ndEdNOXBmMmw4Z1hMMFhIcjlsbFAzNFkKLS0tIFdIS0xzZm5vOGg0S0x5SzJXL1Bt\nWHcyeTVBRkdwS0FzTWU1eTJ6dGhiNkUK6YycEWUOh8M9iYF+2SSnU6cTcxtsFctD\nPcOfrTp+OBX18yXjRraWNLq2+jNj+IQtoRVFBUv2VsZAFFjz7d2oyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZGZBN1FSQno0bmcrdmJs\nZFBFb3RRUitZVGFDQkh6S05xSUxGS3l2Z1dFCmNSL3VxZjY1MFNnMlpZbW1MQmUx\nS0FCbnNCREZlSzJiTE1WUDN2U2RQS1UKLS0tICtjeHhzY01XSE4ydFJsLzYrZlND\nOUFURnA4WHhySVBnc0I1cUNwWVlETlkKmvoUt+hvm9QknH12NTEKvilnBUaN8uhx\nYhPEbZkOr1QC8Eakn+b4G8A//COsxzm6cQW10FAiEBOrUybQGopW0g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYm5qaVhqb2t6c2ZFUVBr\nYUlSb3FsS3FyTWhOL3prblBSK08zMmRmckdFCmxmK2NabGVmMWZiQnRUNHRDdUhK\nejlwbnZvbm1ndmIvdzIxR0k4U3M5TFkKLS0tIFYyRFhJQXhkdEN5TDN2d1M3Rytq\nc2tZNjQxVGNnUnFvayttbzBPN2dYRjgK2vKIWq3BMn2v+FgZ+F13703FPGMsEGsr\nHYtrnbDnd2fnPz4PTFUwvKldBTOtEymnRd5nfxqAAz9OdZBsahzRxA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZlBQR0txRVh2YUFmdjBJ\naG50NU5FVjY2S20rM3I4ZlVrOTVrdHRTZ1NnCklUVGYxUDdza1hmbW5Gc2sxUmw4\nb0hDS3MxbENqclU2QWxic2d4RC9KZVUKLS0tIFhwaURkelNUdlFMWWJlTUN0dUJo\nWWhQaEVmTTJlNE5qS2wvcmtuK2pNSEEKuKeGKXPLLTA9RWoOSacIVEZ2l3/uW96s\nM91c2ezYFOTV6Md23jYAmAnje7dTivTCmFPnPuWdbEGXYbHLzz/O9Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUVN4WEpEcnpjdkFucXlE\nVTRjRlZHM0k2SVVXTkh1V0hLTXl0TVpZSG5rCnl0N2JuR2NsV1BUeXRPZStqRnJl\nR0wzb3l3Ymc2NytlZkw4ZmpoN09kcDAKLS0tIDRVTll5VmdFOWpPV1UwTithNElp\nWnVzU0s2YXR2Y25HcmZ4VUpleFM4TGcKFxi53+wTYdoaIMGvgcy0C6yTPDDPgZps\naWZcXfkberil26xNhRsRV6KwBje61Qd6vwU8hEa7P+hDcbBEavXwhw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYjZWaXJpdVoyZHpVbkhW\nbEErbUNQa0M4Ty9iakkwblE4TDVBY2ozVFZvCnpiNlRPRTFxbTBQR1E0cGxYdmN2\nUUhSQVFWZ3VyV2VVR2lPNWhpY28rWTQKLS0tIDhLQlFGTncrKzErNnVCTDZZb0NW\nTFZxR2RFR3pBQkY0aVl5bWw2ZDlwOGMKakhqNNF7R4pgXEsXSaO7F5LGCw3yE53d\nItWXIoyCa0c78xk+YdMUNUOlzn39y8itXXpZAH2ZAC1sUrvq0elRew==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdHpmNks0Q3FLV3NiRThx\ncTVTODdYTStiUmdpM0gyaGZCdzNLRUlqalZnClNXbVI2dU9XMGNXTlh1U2trTnFi\ncEkvZllmM09WZDBBKzFTNDVuUjBpTE0KLS0tIDc5ZGJPTHJ6b2ZOaVdWUWl0Tng5\ndm1jRTRrZnltVm5sbW1uVjhTNnRyZGsKq9o7VkxWsf8k9wGi7ICC1M782MMdvQrY\nDDVlH7ITiDpJ1GGRDWAbfxB4izyb3MWoRqkhvcvcHt0WXR51FNa5NA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-06-21T06:49:05Z",
+		"mac": "ENC[AES256_GCM,data:hhNjqYQibzPgwo+wjzGW3jDhgewGszOrujVQirm1LrZvxA0QF3GQw/yUYjB8S0naDHXdXoAAMSHVrt+6jtf83V54eCN8YNwNIJ0K6bkuG7PfnWo5V9JhlCF/de2Sc/fJV1B7gH1nnGaLDfJtMewk31sy0i/A+Adq4UJj3ZnaR3o=,iv:CLZj9amsD0sIDrnE9n1v4D6xs5YuPaFPVrTtmULhZJc=,tag:BBOw1HWy2O3wrWZUOMHazQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}