From 77afc9ae2a65ef757d5c4edde245c0507b8ac307 Mon Sep 17 00:00:00 2001 From: Julien Malka Date: Mon, 25 Nov 2024 21:12:29 +0100 Subject: [PATCH] feat(home-manager/mails): use secrets for passwords --- home-manager-modules/mails/default.nix | 25 +++++++++++++++++---- modules/hmgr/default.nix | 5 ++++- secrets/dgnum-mail-pw.age | 9 ++++++++ secrets/ens-mail-pw.age | 9 ++++++++ secrets/secrets.nix | 30 +++++++++++++++++++++++++ secrets/telecom-mail-pw.age | 9 ++++++++ secrets/work-mail-pw.age | Bin 0 -> 448 bytes 7 files changed, 82 insertions(+), 5 deletions(-) create mode 100644 secrets/dgnum-mail-pw.age create mode 100644 secrets/ens-mail-pw.age create mode 100644 secrets/telecom-mail-pw.age create mode 100644 secrets/work-mail-pw.age diff --git a/home-manager-modules/mails/default.nix b/home-manager-modules/mails/default.nix index 154678b..6485f71 100644 --- a/home-manager-modules/mails/default.nix +++ b/home-manager-modules/mails/default.nix @@ -14,6 +14,23 @@ with lib; }; config = mkIf cfg.enable { + + age.secrets.work-mail-pw = { + file = ../../secrets/work-mail-pw.age; + }; + + age.secrets.dgnum-mail-pw = { + file = ../../secrets/dgnum-mail-pw.age; + }; + + age.secrets.telecom-mail-pw = { + file = ../../secrets/telecom-mail-pw.age; + }; + + age.secrets.ens-mail-pw = { + file = ../../secrets/ens-mail-pw.age; + }; + programs.mbsync.enable = true; programs.mbsync.package = pkgs.stable.isync; programs.msmtp.enable = true; @@ -32,7 +49,7 @@ with lib; msmtp.enable = true; primary = true; realName = "Julien Malka"; - passwordCommand = "${pkgs.coreutils}/bin/cat /home/julien/.config/ens-mail-pw"; + passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.ens-mail-pw.path}"; smtp = { host = "clipper.ens.fr"; }; 
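Review bot: Nothing in the hunk that adds the four `age.secrets.*` declarations sets `age.identityPaths`, so decryption depends on the agenix home-manager module's default identity (as far as I know, the user's `~/.ssh/id_ed25519` or `id_rsa`), and that key has to be a recipient in secrets/secrets.nix. On a host where `cfg.enable` is true but the user key is not a recipient, or the key is passphrase-protected, the decrypted file will probably be absent, and mbsync/msmtp would then fail at authentication time rather than at build time. I would either set `age.identityPaths` explicitly or add a comment above the first declaration, e.g. `# decrypted with the user's SSH key by the agenix home-manager module; recipients are listed in secrets/secrets.nix`. The `config = mkIf cfg.enable { … }` block continues outside the hunk.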
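Review bot: The secret path is interpolated into `passwordCommand` without any note on how it is expanded, here for the ENS account and in the three following hunks for the work, telecom and dgnum accounts. With the agenix home-manager module the default secret path is, as far as I can tell, built from a runtime-directory reference such as `$XDG_RUNTIME_DIR` rather than a fixed path, so the command only works where the consumer runs it through a shell; please confirm that holds for both mbsync and msmtp, and record it with a comment such as `# path contains a shell variable; relies on PassCmd/passwordeval being run via sh`. The previous plaintext files under `/home/julien/.config/` are no longer referenced, but this change does not remove them. Deleting them, and rotating the passwords if those files were ever backed up or synced, would complete the migration.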
@@ -52,7 +69,7 @@ with lib; msmtp.enable = true; primary = false; realName = "Julien Malka"; - passwordCommand = "${pkgs.coreutils}/bin/cat /home/julien/.config/work-mail-pw"; + passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.work-mail-pw.path}"; smtp = { host = "mail.luj.fr"; }; @@ -73,7 +90,7 @@ with lib; msmtp.enable = true; primary = false; realName = "Julien Malka"; - passwordCommand = "${pkgs.coreutils}/bin/cat /home/julien/.config/telecom-mail-pw"; + passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.telecom-mail-pw.path}"; smtp = { host = "z.imt.fr"; }; @@ -94,7 +111,7 @@ with lib; msmtp.enable = true; primary = false; realName = "Julien Malka"; - passwordCommand = "${pkgs.coreutils}/bin/cat /home/julien/.config/dgnum-mail-pw"; + passwordCommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.dgnum-mail-pw.path}"; smtp = { host = "kurisu.lahfa.xyz"; }; diff --git a/modules/hmgr/default.nix b/modules/hmgr/default.nix index 29d3513..6aab2e2 100644 --- a/modules/hmgr/default.nix +++ b/modules/hmgr/default.nix @@ -23,7 +23,10 @@ with lib; (map (x: ../../home-manager-modules + "/${x}/default.nix") ( attrNames (readDir ../../home-manager-modules) )) - ++ [ "${inputs.impermanence}/home-manager.nix" ]; + ++ [ + "${inputs.impermanence}/home-manager.nix" + "${inputs.agenix}/modules/age-home.nix" + ]; home.username = "${name}"; home.homeDirectory = "/home/${name}"; home.stateVersion = "21.05"; diff --git a/secrets/dgnum-mail-pw.age b/secrets/dgnum-mail-pw.age new file mode 100644 index 0000000..b9ab04d --- /dev/null +++ b/secrets/dgnum-mail-pw.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 u3yXZQ UvMqsBcvKPrejXnWVR9SuIxpKo+kddBlSB47fCwHZi8 +v23yuPXzEI+N27VkiAfxQ8+bwe8UtgzSslPaQbR5H0w +-> ssh-ed25519 AqX2tg 8BfQ2RcIaGCgNCP/kQvjis85PqeDo8pu5ckaO1/nOh0 +FSE/HK0SdJW2yRGJo5Hi0IrUIeHQP4IB4a+fJSo6aHg +-> ssh-ed25519 eySVIw PGHzluHCyNHZNYnCXtDENJl10d3xaMolcCoIw0kHKUE +RXu7r793AWjdR/b2a1Jk0jezXeUDUzqdtVfbkxMxPoY +--- 4cpHlfDM8VY2YPdVastOV1EjNpdtkkjNQgHsZ2IdEsA +ePJ>fl Y璥iԈLάG>(wG8F.1M\.EI}ns2º#S$IjM.g \ No newline at end of file diff --git a/secrets/ens-mail-pw.age b/secrets/ens-mail-pw.age new file mode 100644 index 0000000..e25b2de --- /dev/null +++ b/secrets/ens-mail-pw.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 u3yXZQ BiOohWgb2Ab40q0/1xgk40ztCIlkHEYc0XGx/zpCvTw +kVMM7EFDU5XISQ5H6YHJ68E2uKVrNQwfX3UmiO4lb8k +-> ssh-ed25519 AqX2tg 9K1CDD/oK4x1ZKGi3Fs0CKfEdb499bGlidPyJcHGD2A +27EmDJDQ4167g58M+3E+haI8p3g9CmZJr7Q3Zx24MhE +-> ssh-ed25519 eySVIw V/WYg1kH682lhw2Lsp/C8Krm8k1yOtZ3K1yKa5B06Aw +KA/sETwxkyRyspYh+cLRV+ZzHv6JXEQfQMBpVkVATwk +--- mlbwhZrkxEU1cMbcRW5G988a3o7+qLyddmmll72pAk8 +,Bm6_Sco {J7"/Bg \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 485c070..3f93d46 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -9,6 +9,8 @@ let lambda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKluGTi+vGRLU2emYBhTJuEy7Qw0xq1e0Ey7wvU9xYHz"; nuage = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEtPoZXJKPfSPGYb/H9eWL0tNSpAKM6V/AgeE1Uf2Is6"; gallifrey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEr9QRD7QTNsAFmuJoX1mFzQ5A2ik1/ogMrvW54JMXeQ"; + gallifrey_home = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAa0wll9ildhgPiV0DhgJXXtw3TQr5VkNxxxPspHSbX julien@gallifrey"; + fisher_home = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADCpuBL/kSZShtXD6p/Nq9ok4w1DnlSoxToYgdOvUqo julien@telecom"; akhaten = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII5W1rr+VW2TLLytoTExWg4T14lrdLFkSM4YLfbEIb2g"; servers = [ gustave 
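Review bot: In the first secrets/secrets.nix hunk the new binding `fisher_home` is spelled differently from the host binding `fischer` that the recipient lists in the following hunk use right next to it, which makes it easy to reference the wrong name later. `fischer_home` would match, with the four lists updated accordingly. These two entries are user login keys (they carry `julien@…` comments), placed among what look like host keys, so a one-line comment above them such as `# user SSH keys: recipients for secrets decrypted by home-manager agenix` would make the distinction explicit. The `let` block starts and ends outside the hunk.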
@@ -106,4 +108,32 @@ in tower lambda ]; + "dgnum-mail-pw.age".publicKeys = [ + gallifrey + tower + fischer + gallifrey_home + fisher_home + ]; + "work-mail-pw.age".publicKeys = [ + gallifrey + tower + fischer + gallifrey_home + fisher_home + ]; + "telecom-mail-pw.age".publicKeys = [ + gallifrey + tower + fischer + gallifrey_home + fisher_home + ]; + "ens-mail-pw.age".publicKeys = [ + gallifrey + tower + fischer + gallifrey_home + fisher_home + ]; } diff --git a/secrets/telecom-mail-pw.age b/secrets/telecom-mail-pw.age new file mode 100644 index 0000000..94dc3c5 --- /dev/null +++ b/secrets/telecom-mail-pw.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 u3yXZQ uq2eZt6aMNsakRc9H5cuz7ntj9Xf+g5S4gbEiq4asm0 +Njp8jWpIP0f/sN3B7bi+MGIohUsAQhMl4GqezHjrcmU +-> ssh-ed25519 AqX2tg i3y6cWFFEVBWPMP0mxiED+NOsKF449SOcL5hW3jIFCE +UXhtS+OFgO5+Ykm4zf7YEtaZk9qOiRZ0Yur0y/bdJfI +-> ssh-ed25519 eySVIw 1K2hCEbc6IbId+bqkKEiz57onn779ymmNDfYF2BHaho +RpVzqOTE0qKbydlUZkzSPNKkOqxI6Aco6XUBgyb5bm0 +--- cdZo4V8S/feGuDWPq2CoC9TTQnLpLyDc/R32qtVYTqY +_UyZ6$7(g;g?$l%z~)>M،D \ No newline at end of file diff --git a/secrets/work-mail-pw.age b/secrets/work-mail-pw.age new file mode 100644 index 0000000000000000000000000000000000000000..041aee6cc54cb3ec773b77a6d2dd9862ecd387db GIT binary patch literal 448 zcmZ9_yKb9M007Xcl{&CS86#1toh*WRI;cvdT!VP~x`2aWvu}7hK;VLbNFB09YS%86 zGW3hObn?9eyHp zPKu?KX@om(4=+9LW{!kHlf!aqG;d@6YUVRqKocIY_yBYotk33&AS%* zDyoOIG)q{aW;fe%w^Lqjm-U)$6Vjv=rJAe&4vonmO~s|P029WsswC!%rDsPpl64V; zcd|_kOxc4B?kiK>!ah;~78zIe1>cr;zNTWm({Ah0SLX8SK`|$Jd42Uk38~^|S literal 0 HcmV?d00001
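Review bot: Each of the four new `publicKeys` lists names five recipients, but the three text-format `.age` files added in this patch each carry only three `-> ssh-ed25519` stanzas, so the committed ciphertexts do not appear to match these lists. The page does not show which keys those stanzas belong to, and if `gallifrey_home` and `fisher_home` are not among them the home-manager module cannot decrypt with the user key. The files should be re-encrypted with `agenix --rekey` and recommitted. The host keys `gallifrey`, `tower` and `fischer` are recipients even though the secrets are consumed from home-manager, so dropping them would narrow who can decrypt, provided no system-level service needs these passwords. Since the four lists are identical, a shared `mailRecipients = [ … ];` in the `let` block would keep them from drifting apart.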