From ceef35af966e29a4c8af80199647c7bd5ea5ed04 Mon Sep 17 00:00:00 2001 From: colin Date: Mon, 20 Jun 2022 23:55:43 -0700 Subject: [PATCH] add aerc accounts.conf to secret store (and home-manager) --- .sops.yaml | 2 +- modules/universal/home-manager.nix | 20 +++++++++--- secrets/universal/aerc_accounts.conf | 48 ++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 6 deletions(-) create mode 100644 secrets/universal/aerc_accounts.conf diff --git a/.sops.yaml b/.sops.yaml index 36987b0f..13f7ba83 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,7 +8,7 @@ keys: - &host_servo age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf - &host_moby age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6 creation_rules: - - path_regex: secrets/universal.yaml$ + - path_regex: secrets/universal* key_groups: - age: - *user_desko_colin diff --git a/modules/universal/home-manager.nix b/modules/universal/home-manager.nix index 23729b03..8e11fcf2 100644 --- a/modules/universal/home-manager.nix +++ b/modules/universal/home-manager.nix @@ -34,11 +34,18 @@ in sops.secrets."colinsane_email_passwd" = { owner = config.users.users.colin.name; }; + sops.secrets."aerc_accounts" = { + owner = config.users.users.colin.name; + sopsFile = ../../secrets/universal/aerc_accounts.conf; + format = "binary"; + }; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - home-manager.users.colin = { + # XXX this weird rename + closure is to get home-manager's `config.lib.file` to exist. + # see: https://github.com/nix-community/home-manager/issues/589#issuecomment-950474105 + home-manager.users.colin = let sysconfig = config; in { config, ... }: { home.stateVersion = "21.11"; home.username = "colin"; home.homeDirectory = "/home/colin"; 
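Review bot: `path_regex: secrets/universal*` is a regular expression, not a glob, so the `*` quantifies only the final `l` and the old `$` anchor is gone; the rule now matches any path merely containing `secrets/universa`, which happens to cover both `secrets/universal.yaml` and `secrets/universal/aerc_accounts.conf` but will also claim any future file with that substring. sops applies the first creation rule whose regex matches, so an over-broad pattern here can shadow rules meant for other recipient sets (whether any such rules follow is outside this hunk). State the intent directly: `- path_regex: ^secrets/universal(\.yaml|/.*)$`.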
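Review bot: The new `sops.secrets."aerc_accounts"` block sets an owner but leaves the file mode to sops-nix's default; since this file carries mail credentials, pin the permission so the intent survives a change of default, `mode = "0400";`. The `let sysconfig = config; in { config, ... }:` rebinding also deserves a sentence in its comment beyond the issue link: inside the closure `config` is home-manager's config and `sysconfig` is the NixOS one, so any `config.sops`/`config.colinsane` reference left in the module body evaluates against the wrong tree (the later hunks rename exactly those). If the home-manager version in use already passes the `nixosConfig` module argument, that would avoid the rename entirely — worth checking.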
@@ -58,6 +65,9 @@ in videos = "$HOME/Videos"; }; + xdg.configFile."aerc/accounts.conf".source = + config.lib.file.mkOutOfStoreSymlink sysconfig.sops.secrets.aerc_accounts.path; + accounts.email.accounts.colinsane = { address = "colin@uninsane.org"; userName = "colin"; @@ -70,7 +80,7 @@ in port = 465; }; realName = "Colin Sane"; - passwordCommand = "cat ${config.sops.secrets.colinsane_email_passwd.path}"; + passwordCommand = "cat ${sysconfig.sops.secrets.colinsane_email_passwd.path}"; primary = true; @@ -155,7 +165,7 @@ in ''; }; - firefox = lib.mkIf (config.colinsane.gui.enable) { + firefox = lib.mkIf (sysconfig.colinsane.gui.enable) { enable = true; profiles.default = { @@ -255,7 +265,7 @@ in youtube-dl zola ] - ++ (if config.colinsane.gui.enable then + ++ (if sysconfig.colinsane.gui.enable then with pkgs; [ # GUI only @@ -283,7 +293,7 @@ in whalebird # pleroma client. input is broken on phosh xterm # broken on phosh ] else []) - ++ (if config.colinsane.gui.enable && pkgs.system == "x86_64-linux" then + ++ (if sysconfig.colinsane.gui.enable && pkgs.system == "x86_64-linux" then with pkgs; [ # x86_64 only diff --git a/secrets/universal/aerc_accounts.conf b/secrets/universal/aerc_accounts.conf new file mode 100644 index 00000000..32fa94db --- /dev/null +++ b/secrets/universal/aerc_accounts.conf 
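Review bot: The out-of-store symlink on the added `xdg.configFile."aerc/accounts.conf".source` line is doing security work that the code does not state: had `source` been given the decrypted file directly, home-manager would copy it into the world-readable Nix store. Add a why-comment so nobody "simplifies" it later: `# symlink, never copy: accounts.conf holds mail credentials and must stay out of /nix/store`. Note also that the link target is the runtime secret path, so it only resolves after sops-nix has decrypted the secret on the same host; the enclosing `home-manager.users.colin` module starts and ends outside this hunk.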
@@ -0,0 +1,48 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:Ix+dzGaqe3TqbJl+9f3ynvKnQELJ4yhwExQIF4s0ae4=,tag:tP633Tje5mpbUoFnX5kmAw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQXFUV0NVb0I3UjF6d2lx\nQXlCZURBai9qSERxWlYyQ3k2VGNhVnhPWGxRCk01aVZPbE96NDZ3WVUyRkp1UzFm\ndWNGb1JPNFBWS2hzTEVnTzFsOFRPWFEKLS0tIHVVT2Q0bDkvcmZOYzZqQVZJclVO\nWEpHRS9jUFpuVHZrS2paWHNuRzN4ZzAKOioqqTsqyD4Wa+amWaRNgb/6ZspWDI1K\nKvrIZ8uqunnUjjjNSJJlM8dl1OfyJlrRWEi8QOkqD21FcBTQiljVgg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtT2gwSnJENUgrcUZQS21K\nL05BOW15ajJDVkhGajNzZE1pQTc5WVlwM3hVCjJMVFJDT1laOTlUNk9qM2ppMDZn\ndEdNOXBmMmw4Z1hMMFhIcjlsbFAzNFkKLS0tIFdIS0xzZm5vOGg0S0x5SzJXL1Bt\nWHcyeTVBRkdwS0FzTWU1eTJ6dGhiNkUK6YycEWUOh8M9iYF+2SSnU6cTcxtsFctD\nPcOfrTp+OBX18yXjRraWNLq2+jNj+IQtoRVFBUv2VsZAFFjz7d2oyQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZGZBN1FSQno0bmcrdmJs\nZFBFb3RRUitZVGFDQkh6S05xSUxGS3l2Z1dFCmNSL3VxZjY1MFNnMlpZbW1MQmUx\nS0FCbnNCREZlSzJiTE1WUDN2U2RQS1UKLS0tICtjeHhzY01XSE4ydFJsLzYrZlND\nOUFURnA4WHhySVBnc0I1cUNwWVlETlkKmvoUt+hvm9QknH12NTEKvilnBUaN8uhx\nYhPEbZkOr1QC8Eakn+b4G8A//COsxzm6cQW10FAiEBOrUybQGopW0g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1lt739n2tq7dmpglvntjr9j2r7426md7rat7x9w930gagtx4jyvnqwts2al", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYm5qaVhqb2t6c2ZFUVBr\nYUlSb3FsS3FyTWhOL3prblBSK08zMmRmckdFCmxmK2NabGVmMWZiQnRUNHRDdUhK\nejlwbnZvbm1ndmIvdzIxR0k4U3M5TFkKLS0tIFYyRFhJQXhkdEN5TDN2d1M3Rytq\nc2tZNjQxVGNnUnFvayttbzBPN2dYRjgK2vKIWq3BMn2v+FgZ+F13703FPGMsEGsr\nHYtrnbDnd2fnPz4PTFUwvKldBTOtEymnRd5nfxqAAz9OdZBsahzRxA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZlBQR0txRVh2YUFmdjBJ\naG50NU5FVjY2S20rM3I4ZlVrOTVrdHRTZ1NnCklUVGYxUDdza1hmbW5Gc2sxUmw4\nb0hDS3MxbENqclU2QWxic2d4RC9KZVUKLS0tIFhwaURkelNUdlFMWWJlTUN0dUJo\nWWhQaEVmTTJlNE5qS2wvcmtuK2pNSEEKuKeGKXPLLTA9RWoOSacIVEZ2l3/uW96s\nM91c2ezYFOTV6Md23jYAmAnje7dTivTCmFPnPuWdbEGXYbHLzz/O9Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUVN4WEpEcnpjdkFucXlE\nVTRjRlZHM0k2SVVXTkh1V0hLTXl0TVpZSG5rCnl0N2JuR2NsV1BUeXRPZStqRnJl\nR0wzb3l3Ymc2NytlZkw4ZmpoN09kcDAKLS0tIDRVTll5VmdFOWpPV1UwTithNElp\nWnVzU0s2YXR2Y25HcmZ4VUpleFM4TGcKFxi53+wTYdoaIMGvgcy0C6yTPDDPgZps\naWZcXfkberil26xNhRsRV6KwBje61Qd6vwU8hEa7P+hDcbBEavXwhw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYjZWaXJpdVoyZHpVbkhW\nbEErbUNQa0M4Ty9iakkwblE4TDVBY2ozVFZvCnpiNlRPRTFxbTBQR1E0cGxYdmN2\nUUhSQVFWZ3VyV2VVR2lPNWhpY28rWTQKLS0tIDhLQlFGTncrKzErNnVCTDZZb0NW\nTFZxR2RFR3pBQkY0aVl5bWw2ZDlwOGMKakhqNNF7R4pgXEsXSaO7F5LGCw3yE53d\nItWXIoyCa0c78xk+YdMUNUOlzn39y8itXXpZAH2ZAC1sUrvq0elRew==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1t957gf0z865gya0khgc9x59wy76hzps3sgejjqtwcngn2xl273msxsmpe6", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdHpmNks0Q3FLV3NiRThx\ncTVTODdYTStiUmdpM0gyaGZCdzNLRUlqalZnClNXbVI2dU9XMGNXTlh1U2trTnFi\ncEkvZllmM09WZDBBKzFTNDVuUjBpTE0KLS0tIDc5ZGJPTHJ6b2ZOaVdWUWl0Tng5\ndm1jRTRrZnltVm5sbW1uVjhTNnRyZGsKq9o7VkxWsf8k9wGi7ICC1M782MMdvQrY\nDDVlH7ITiDpJ1GGRDWAbfxB4izyb3MWoRqkhvcvcHt0WXR51FNa5NA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-06-21T06:49:05Z", + "mac": "ENC[AES256_GCM,data:hhNjqYQibzPgwo+wjzGW3jDhgewGszOrujVQirm1LrZvxA0QF3GQw/yUYjB8S0naDHXdXoAAMSHVrt+6jtf83V54eCN8YNwNIJ0K6bkuG7PfnWo5V9JhlCF/de2Sc/fJV1B7gH1nnGaLDfJtMewk31sy0i/A+Adq4UJj3ZnaR3o=,iv:CLZj9amsD0sIDrnE9n1v4D6xs5YuPaFPVrTtmULhZJc=,tag:BBOw1HWy2O3wrWZUOMHazQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file