From 9b0959797b83fa7159143827c713170befd0eb9b Mon Sep 17 00:00:00 2001 From: Ray Andrew Date: Tue, 4 Mar 2025 16:14:32 -0600 Subject: [PATCH] add email sync-ing using mbsync --- .sops.yaml | 7 + flake.lock | 21 +++ flake.nix | 2 + home/email/default.nix | 186 +++++++++++++++++++ home/email/mailcap.nix | 48 +++++ home/email/neomutt/colors.nix | 72 ++++++++ home/email/neomutt/default.nix | 66 +++++++ home/email/neomutt/keybind.nix | 316 +++++++++++++++++++++++++++++++++ home/email/secrets.yaml | 22 +++ hosts/default.nix | 2 + hosts/pickwick/default.nix | 1 + nixos/default.nix | 2 + nixos/gnupg.nix | 15 ++ nixos/sops.nix | 39 ++++ 14 files changed, 799 insertions(+) create mode 100644 .sops.yaml create mode 100644 home/email/mailcap.nix create mode 100644 home/email/neomutt/colors.nix create mode 100644 home/email/neomutt/default.nix create mode 100644 home/email/neomutt/keybind.nix create mode 100644 home/email/secrets.yaml create mode 100644 nixos/gnupg.nix create mode 100644 nixos/sops.nix diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..5d49d29 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &pickwick age13cfe8fhp4m978qlcur46vkkxepsl93ggwe53kmhue9xtpgr5zu5q4y6ln2 +creation_rules: + - path_regex: home/email/secrets.yaml$ + key_groups: + - age: + - *pickwick diff --git a/flake.lock b/flake.lock index 8fd9ae8..a18305d 100644 --- a/flake.lock +++ b/flake.lock 
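Review bot: The single `creation_rules` entry encrypts `home/email/secrets.yaml` to one age recipient (`*pickwick`), so if `~/.config/sops/age/keys.txt` on that host is lost or the disk is wiped, both mail passwords are unrecoverable; add a second recipient to the key group (an offline backup age key, or the host SSH key converted with `ssh-to-age`) and re-encrypt with `sops updatekeys`. There is also no rule for `hosts/secrets.yaml`, which `nixos/sops.nix` in this same patch sets as `defaultSopsFile`, so `sops` will have no recipient for that file unless one is passed on the command line; a rule such as `- path_regex: hosts/secrets.yaml$` with the same key group would cover it. Consider anchoring the regexes with `^` so a same-named file elsewhere in the tree is not matched by accident.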
@@ -249,10 +249,31 @@ "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix", "treefmt-nix": "treefmt-nix", "zen-browser": "zen-browser" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741043164, + "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index d391ec8..d869b80 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,8 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { diff --git a/home/email/default.nix b/home/email/default.nix index 9acf65e..75b24d3 100644 --- a/home/email/default.nix +++ b/home/email/default.nix @@ -10,6 +10,7 @@ { imports = [ ./davmail.nix + ./neomutt ]; options.custom.email = with lib; { 
@@ -23,9 +24,194 @@ url = "https://outlook.office365.com/EWS/Exchange.asmx"; config = { davmail.mode = "O365Manual"; + # davmail.mode = "O365Modern"; davmail.keepDelay = 30; # log4j.logger.davmail = "DEBUG"; }; }; + + programs = { + neomutt = { + macros = [ + { + map = [ + "index" + "pager" + ]; + key = ""; + action = "source ~/.config/neomutt/uchicago!"; + } + { + map = [ + "index" + "pager" + ]; + key = ""; + action = "source ~/.config/neomutt/personal!"; + } + ]; + }; + mbsync.enable = true; + msmtp = { + enable = true; + }; + }; + + services = { + mbsync = { + enable = false; + frequency = "*:0/1"; + }; + }; + + accounts.email = let + cat = lib.getExe' pkgs.coreutils "cat"; + in rec { + maildirBasePath = "${home-dir}/mail"; + accounts = lib.mkMerge ([ + { + "personal" = { + userName = "raydreww@gmail.com"; + address = "raydreww@gmail.com"; + realName = "Ray Andrew"; + primary = !config.custom.email.davmail; + signature = { + text = '' + -- Ray Andrew + ''; + showSignature = "append"; + }; + passwordCommand = "${cat} ${config.sops.secrets."personal".path}"; + gpg = { + key = "1913ECC8FD7076BC8330E11607AA5254804C009F"; + signByDefault = true; + }; + smtp = { + host = "smtp.gmail.com"; + }; + imap = { + host = "imap.gmail.com"; + }; + mbsync = { + enable = true; + create = "both"; + expunge = "both"; + patterns = [ + "*" + "!\"[Airmail]/Done\"" + "!\"[Airmail]/Snooze\"" + "!\"[Airmail]/To Do\"" + "!\"[Airmail]/Send Later\"" + "!\"[Gmail]/All Mail\"" + "!\"[Gmail]/Important\"" + "!\"[Gmail]/Starred\"" + "!\"[Gmail]/Bin\"" + ]; + }; + msmtp = { + enable = true; + }; + neomutt = rec { + enable = true; + mailboxName = "p"; + extraConfig = '' + set use_from = yes + set pgp_verify_sig = yes + set pgp_sign_as = 0x07AA5254804C009F + set pgp_timeout = 3600 + named-mailboxes "${mailboxName}/inbox" =Inbox + named-mailboxes "${mailboxName}/drafts" =Drafts + named-mailboxes "${mailboxName}/sent" =Sent + named-mailboxes "${mailboxName}/important" =Important + named-mailboxes 
"${mailboxName}/trash" =Trash + named-mailboxes "${mailboxName}/archive" =Archive + ''; + }; + }; + } + (lib.mkIf config.custom.email.davmail { + "uchicago" = { + userName = "rayandrew@uchicago.edu"; + address = "rayandrew@uchicago.edu"; + realName = "Ray Andrew"; + primary = true; + signature = { + text = '' + -- Ray Andrew + ''; + showSignature = "append"; + }; + passwordCommand = "${cat} ${config.sops.secrets."uchicago".path}"; + gpg = { + key = "0BADFAD0FB93296C84956F9CEEF04CFFE9DFE5FC"; + signByDefault = false; + }; + smtp = { + host = "127.0.0.1"; + port = 1025; + tls = { + enable = false; + certificatesFile = null; + }; + }; + imap = { + host = "127.0.0.1"; + port = 1143; + tls.enable = false; + }; + mbsync = { + enable = true; + create = "both"; + expunge = "both"; + patterns = [ + "*" + "!\"[Airmail]/Done\"" + "!\"[Airmail]/Snooze\"" + "!\"[Airmail]/To Do\"" + "!\"[Airmail]/Send Later\"" + ]; + extraConfig.account = { + TLSType = "None"; + AuthMechs = "LOGIN"; + Timeout = 0; + }; + }; + msmtp = { + enable = true; + extraConfig = { + auth = "plain"; + }; + }; + neomutt = rec { + enable = true; + mailboxName = "u"; + extraConfig = '' + set use_from = yes + set pgp_sign_as = 0xEEF04CFFE9DFE5FC + set pgp_verify_sig = yes + set pgp_timeout = 3600 + named-mailboxes "${mailboxName}/inbox" =Inbox + named-mailboxes "${mailboxName}/drafts" =Drafts + named-mailboxes "${mailboxName}/sent" =Sent + named-mailboxes "${mailboxName}/important" =Important + named-mailboxes "${mailboxName}/trash" =Trash + named-mailboxes "${mailboxName}/archive" =Archive + named-mailboxes "${mailboxName}/teaching" =Teaching + ''; + }; + }; + }) + ]); + }; + + sops = { + age.keyFile = "${home-dir}/.config/sops/age/keys.txt"; + age.generateKey = true; + defaultSopsFile = ./secrets.yaml; + secrets = { + "personal" = { }; + "uchicago" = { }; + }; + }; }; } diff --git a/home/email/mailcap.nix b/home/email/mailcap.nix new file mode 100644 index 0000000..4af9daa --- /dev/null 
+++ b/home/email/mailcap.nix @@ -0,0 +1,48 @@ +{ + pkgs, + lib, + config, + ... +}: + +let + w3m = lib.getExe pkgs.w3m; + zathura = lib.getExe config.programs.zathura.package; + # term = lib.getExe config.programs.kitty.package; + term = lib.getExe config.programs.wezterm.package; +in +{ + options.custom.email = with lib; { + mailcap = mkEnableOption "Enable mailcap"; + }; + + config = lib.mkIf config.custom.email.mailcap { + home.packages = with pkgs; [ + mailcap + ]; + + home.file.".mailcap" = { + text = '' + # HTML + text/html; ${w3m} -sixel -o tmp_dir=~/.cache/w3m -o auto_image=TRUE -o display_image=1 -T text/html %s; nametemplate=%s.html + # text/html; ${w3m} -o inline_img_protocol=4 -o tmp_dir=~/.cache/w3m -o auto_image=TRUE -o display_image=1 -T text/html %s; nametemplate=%s.html + + # This second one is chosen by auto_view due to the copiousoutput tag + text/html; ${w3m} -I %{charset} -T text/html -cols 140 -o tmp_dir=~/.cache/w3m -o display_link_number=1 -dump; copiousoutput + text/plain; nvim %s + + #PDFs + application/x-pdf; ${zathura} '%s'; test=test -n "$DISPLAY" + application/pdf; ${zathura} '%s'; test=test -n "$DISPLAY" + + message/rfc822; nvim %s + + #Images + # image/png; /usr/bin/feh %s + # image/jpeg; /usr/bin/feh %s + # image/*; (clear && ${term} +kitten icat %s); needsterminal + image/*; (clear && ${term} imgcat %s); needsterminal + ''; + }; + }; +} diff --git a/home/email/neomutt/colors.nix b/home/email/neomutt/colors.nix new file mode 100644 index 0000000..6bb1a80 --- /dev/null +++ b/home/email/neomutt/colors.nix 
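Review bot: The first `text/html` entry runs w3m with `-o auto_image=TRUE -o display_image=1`, so viewing an HTML mail makes w3m fetch every remote `<img>` the sender embedded, which discloses the reader's IP address and read time to tracking pixels; render with images off by default (`-o auto_image=FALSE -o display_image=0`) and opt in manually when a message is trusted, or at least document the trade-off with `# NOTE: loads remote images — leaks IP/read receipt to the sender`. `-I %{charset}` on the `copiousoutput` entry interpolates a MIME parameter taken from the untrusted message into a shell command; this is only safe because NeoMutt's `$mailcap_sanitize` (default `yes`) strips shell metacharacters, so add `# %{charset} comes from the message; relies on $mailcap_sanitize staying set` so nobody turns that option off later. The `%s` placeholder is quoted for zathura (`'%s'`) but bare for w3m and nvim; NeoMutt quotes the expanded filename itself, so pick one form consistently (presumably the bare one) rather than leaving the reader to wonder whether the quoting matters.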
@@ -0,0 +1,72 @@ +{ pkgs, ... }: + +'' + # Header colors: + color header blue default ".*" + color header brightmagenta default "^(From)" + color header brightcyan default "^(Subject)" + color header brightwhite default "^(CC|BCC)" + + mono bold bold + mono underline underline + mono indicator reverse + mono error bold + color normal default default + color indicator brightyellow default # currently selected message. default makes bar clear, disabled arrow to save space. + color sidebar_highlight red default + color sidebar_divider brightblack black + color sidebar_flagged red black + color sidebar_new green black + color normal brightyellow default + color error red default + color tilde black default + color message cyan default + color markers red white + color attachment white default + color search brightmagenta default + color status brightyellow black + color hdrdefault brightgreen default + color quoted green default + color quoted1 blue default + color quoted2 cyan default + color quoted3 yellow default + color quoted4 red default + color quoted5 brightred default + color signature brightgreen default + color bold black default + color underline black default + color normal default default + + color body brightred default "[\-\.+_a-zA-Z0-9]+@[\-\.a-zA-Z0-9]+" # Email addresses + color body brightblue default "(https?|ftp)://[\-\.,/%~_:?&=\#a-zA-Z0-9]+" # URL + color body green default "\`[^\`]*\`" # Green text between ` and ` + color body brightblue default "^# \.*" # Headings as bold blue + color body brightcyan default "^## \.*" # Subheadings as bold cyan + color body brightgreen default "^### \.*" # Subsubheadings as bold green + color body yellow default "^(\t| )*(-|\\*) \.*" # List items as yellow + color body brightcyan default "[;:][-o][)/(|]" # emoticons + color body brightcyan default "[;:][)(|]" # emoticons + color body brightcyan default "[ ][*][^*]*[*][ ]?" # more emoticon? + color body brightcyan default "[ ]?[*][^*]*[*][ ]" # more emoticon? 
+ color body red default "(BAD signature)" + color body cyan default "(Good signature)" + color body brightblack default "^gpg: Good signature .*" + color body brightyellow default "^gpg: " + color body brightyellow red "^gpg: BAD signature from.*" + mono body bold "^gpg: Good signature" + # mohttps://neomutt.org/code/config_vars.htmlno body bold "^gpg: BAD signature from.*" + color body red default "([a-z][a-z0-9+-]*://(((([a-z0-9_.!~*'();:&=+$,-]|%[0-9a-f][0-9a-f])*@)?((([a-z0-9]([a-z0-9-]*[a-z0-9])?)\\.)*([a-z]([a-z0-9-]*[a-z0-9])?)\\.?|[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)(:[0-9]+)?)|([a-z0-9_.!~*'()$,;:@&=+-]|%[0-9a-f][0-9a-f])+)(/([a-z0-9_.!~*'():@&=+$,-]|%[0-9a-f][0-9a-f])*(;([a-z0-9_.!~*'():@&=+$,-]|%[0-9a-f][0-9a-f])*)*(/([a-z0-9_.!~*'():@&=+$,-]|%[0-9a-f][0-9a-f])*(;([a-z0-9_.!~*'():@&=+$,-]|%[0-9a-f][0-9a-f])*)*)*)?(\\?([a-z0-9_.!~*'();/?:@&=+$,-]|%[0-9a-f][0-9a-f])*)?(#([a-z0-9_.!~*'();/?:@&=+$,-]|%[0-9a-f][0-9a-f])*)?|(www|ftp)\\.(([a-z0-9]([a-z0-9-]*[a-z0-9])?)\\.)*([a-z]([a-z0-9-]*[a-z0-9])?)\\.?(:[0-9]+)?(/([-a-z0-9_.!~*'():@&=+$,]|%[0-9a-f][0-9a-f])*(;([-a-z0-9_.!~*'():@&=+$,]|%[0-9a-f][0-9a-f])*)*(/([-a-z0-9_.!~*'():@&=+$,]|%[0-9a-f][0-9a-f])*(;([-a-z0-9_.!~*'():@&=+$,]|%[0-9a-f][0-9a-f])*)*)*)?(\\?([-a-z0-9_.!~*'();/?:@&=+$,]|%[0-9a-f][0-9a-f])*)?(#([-a-z0-9_.!~*'();/?:@&=+$,]|%[0-9a-f][0-9a-f])*)?)[^].,:;!)? \t\r\n<>\"]" + + # Default index colors: + color index yellow default '.*' + color index_author red default '.*' + color index_number blue default + color index_subject cyan default '.*' + + # For new mail: + color index brightyellow black "~N" + color index_author brightred black "~N" + color index_subject brightcyan black "~N" + + color progress black cyan +'' diff --git a/home/email/neomutt/default.nix b/home/email/neomutt/default.nix new file mode 100644 index 0000000..8776f17 --- /dev/null +++ b/home/email/neomutt/default.nix 
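Review bot: The `color body` rules for `(Good signature)`, `(BAD signature)` and `^gpg: Good signature .*` match ordinary message text as well as gpg's verification output, so a sender can type `gpg: Good signature from "Ray Andrew"` into a plain-text body and have it painted exactly like a real verified signature; colours must not be read as an authenticity indicator. Add `# cosmetic only: these patterns also match attacker-controlled body text; trust the [-- ... --] attach headers and the index crypt flags instead` above that group, and consider colouring `attach_headers`, which NeoMutt applies only to its own markers. The line `# mohttps://neomutt.org/code/config_vars.htmlno body bold "^gpg: BAD signature from.*"` is a URL pasted into the middle of a commented `mono` directive; split it into `# https://neomutt.org/code/config_vars.html` and `# mono body bold "^gpg: BAD signature from.*"`. `color normal` is assigned three times (the last one wins) and the `{ pkgs, ... }:` argument is never used by the string, so both can be trimmed.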
@@ -0,0 +1,66 @@ +{ + pkgs, + config, + lib, + ... +}: + +let + keybinds = import ./keybind.nix rec { + inherit config lib pkgs; + }; + colors = import ./colors.nix rec { + inherit config lib pkgs; + }; +in +{ + + options.custom.email = with lib; { + neomutt = mkEnableOption "Enable NeoMutt"; + }; + + config = lib.mkIf (config.custom.email.enable && config.custom.email.neomutt) { + programs.neomutt = { + enable = true; + vimKeys = false; + sort = "threads"; + unmailboxes = true; + binds = keybinds.binds ++ [ ]; + macros = keybinds.macros ++ [ ]; + extraConfig = '' + set abort_key = "" + + set editor = "nvim" + + set edit_headers = yes + set sidebar_visible + set sidebar_format = "%D%?F? [%F]?%* %?N?%N/?%S" + set mail_check_stats + # set new_mail_command="notify-send 'New Email' '%n new messages, %u unread.' &" + + # status bar, date format, finding stuff etc. + set status_chars = " *%A" + # set status_format = "[ Folder: %f ] [%r%m messages%?n? (%n new)?%?d? (%d to delete)?%?t? (%t tagged)? ]%>─%?p?( %p postponed )?" + set status_format = "[ Folder: %D ] [%r%m messages%?n? (%n new)?%?d? (%d to delete)?%?t? (%t tagged)? ]%>─%?p?( %p postponed )?" + set date_format = "%d.%m.%Y %H:%M" + set uncollapse_jump + set sort_re + set reply_regexp = "^(([Rr][Ee]?(\[[0-9]+\])?: *)?(\[[^]]+\] *)?)*" + set quote_regexp = "^( {0,4}[>|:#%]| {0,4}[a-z0-9]+[>|]+)+" + set send_charset = "utf-8:iso-8859-1:us-ascii" + set charset = "utf-8" + set arrow_cursor = "no" # Change `color indicator` depending + + # Pager View Options + set pager_index_lines = 10 # Shows 10 lines of index when pager is active + set pager_context = 3 + set pager_stop + set menu_scroll + set tilde + unset markers + + ${colors} + ''; + }; + }; +} diff --git a/home/email/neomutt/keybind.nix b/home/email/neomutt/keybind.nix new file mode 100644 index 0000000..6f1e4a7 --- /dev/null +++ b/home/email/neomutt/keybind.nix 
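Review bot: `import ./keybind.nix rec { inherit config lib pkgs; }` and the matching `colors.nix` call use `rec` on attribute sets with no self-references, and both imported files declare only `{ pkgs, ... }`, so `rec { inherit config lib pkgs; }` can simply be `{ inherit pkgs; }`; likewise `binds = keybinds.binds ++ [ ];` and `macros = keybinds.macros ++ [ ];` append empty lists and read as leftovers. `set abort_key = ""` replaces the default Ctrl-G abort key with an empty value; if the intent is to disable aborting prompts, say so in a comment, otherwise it looks accidental. `reply_regexp` and `quote_regexp` appear to be the legacy spellings of NeoMutt's `reply_regex`/`quote_regex`; if the installed NeoMutt accepts them only as deprecated synonyms, switching avoids startup warnings — verify against the packaged version.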
@@ -0,0 +1,316 @@ +{ pkgs, ... }: + +{ + binds = [ + { + map = [ "attach" ]; + key = ""; + action = "view-mailcap"; + } + { + map = [ "attach" ]; + key = "l"; + action = "view-mailcap"; + } + # { + # map = [ "attach" ]; + # key = "O"; + # action = "unset wait_keyrm -f /tmp/mutt-attach/tmp/mutt-attach^A"; + # } + { + map = [ "editor" ]; + key = ""; + action = "noop"; + } + { + map = [ "pager" ]; + key = "c"; + action = "imap-fetch-mail"; + } + { + map = [ "index" ]; + key = "G"; + action = "last-entry"; + } + { + map = [ "index" ]; + key = "g"; + action = "noop"; + } + { + map = [ "index" ]; + key = "gg"; + action = "first-entry"; + } + { + map = [ + "pager" + "attach" + ]; + key = "h"; + action = "exit"; + } + { + map = [ "pager" ]; + key = "j"; + action = "next-line"; + } + { + map = [ "pager" ]; + key = "k"; + action = "previous-line"; + } + { + map = [ "pager" ]; + key = "l"; + action = "view-attachments"; + } + { + map = [ "index" ]; + key = "D"; + action = "delete-message"; + } + { + map = [ "index" ]; + key = "U"; + action = "undelete-message"; + } + { + map = [ "index" ]; + key = "L"; + action = "limit"; + } + { + map = [ "index" ]; + key = "h"; + action = "noop"; + } + { + map = [ + "browser" + "pager" + "index" + ]; + key = "n"; + action = "search-next"; + } + { + map = [ + "browser" + "pager" + "index" + ]; + key = "N"; + action = "search-opposite"; + } + { + map = [ "index" ]; + key = "l"; + action = "display-message"; + } + { + map = [ "browser" ]; + key = "h"; + action = "goto-parent"; + } + { + map = [ "browser" ]; + key = "l"; + action = "select-entry"; + } + { + map = [ + "pager" + "browser" + ]; + key = "gg"; + action = "top-page"; + } + { + map = [ + "pager" + "browser" + ]; + key = "G"; + action = "bottom-page"; + } + { + map = [ + "index" + "pager" + "browser" + ]; + key = "d"; + action = "half-down"; + } + { + map = [ + "index" + "pager" + "browser" + ]; + key = "u"; + action = "half-up"; + } + { + map = [ "index" ]; + key = "R"; + action = 
"group-reply"; + } + { + map = [ "index" ]; + key = "\\031"; + action = "previous-undeleted"; + } + { + map = [ "index" ]; + key = "\\005"; + action = "next-undeleted"; + } + { + map = [ "pager" ]; + key = "\\031"; + action = "previous-line"; + } + { + map = [ "pager" ]; + key = "\\005"; + action = "next-line"; + } + { + map = [ "editor" ]; + key = ""; + action = "complete-query"; + } + { + map = [ + "index" + "pager" + ]; + key = "\\Ck"; + action = "sidebar-prev"; + } + { + map = [ + "index" + "pager" + ]; + key = "\\Cj"; + action = "sidebar-next"; + } + { + map = [ + "index" + "pager" + ]; + key = "\\Co"; + action = "sidebar-open"; + } + { + map = [ + "index" + "pager" + ]; + key = "\\Cp"; + action = "sidebar-prev-new"; + } + { + map = [ + "index" + "pager" + ]; + key = "\\Cn"; + action = "sidebar-next-new"; + } + { + map = [ + "index" + "pager" + ]; + key = "B"; + action = "sidebar-toggle-visible"; + } + { + map = [ + "index" + "pager" + ]; + key = "@"; + action = "compose-to-sender"; + } + { + map = [ + "index" + "pager" + ]; + key = "D"; + action = "purge-message"; + } + { + map = [ "index" ]; + key = ""; + action = "sync-mailbox"; + } + { + map = [ "index" ]; + key = ""; + action = "collapse-thread"; + } + { + map = [ "editor" ]; + key = ""; + action = "complete-query"; + } + { + map = [ "editor" ]; + key = "^T"; + action = "complete"; + } + # { + # map = [ + # "index" + # "pager" + # ]; + # key = ""; + # action = "source ~/.config/neomutt/accounts/uchicago!"; + # } + # { + # map = [ + # "index" + # "pager" + # ]; + # key = ""; + # action = "source ~/.config/neomutt/accounts/personal!"; + # } + # { + # map = [ "attach" ]; + # key = "V"; + # action = "iconv -c --to-code=UTF8 > ~/.cache/mutt-mail.htmlxdg-open ~/.cache/mutt-mail.html"; + # } + ]; + macros = [ + { + map = [ + "index" + "pager" + ]; + key = "a"; + action = ":set confirmappend=no delete=yes\\n=Archive\\n:set confirmappend=yes delete=ask-yes\\n"; + } + { + map = [ + "index" + "pager" + ]; + key = 
"n"; + action = "N.\\n"; + } + { + map = [ + "attach" + ]; + key = "O"; + action = "unset wait_keyrm -f /tmp/mutt-attach/tmp/mutt-attach^A"; + } + ]; +} diff --git a/home/email/secrets.yaml b/home/email/secrets.yaml new file mode 100644 index 0000000..f715503 --- /dev/null +++ b/home/email/secrets.yaml @@ -0,0 +1,22 @@ +personal: ENC[AES256_GCM,data:aaZAYmnoQfGIH6bBneKtTA==,iv:xiy1eCyBhFulfRXGz0WDFLaqPj3kXsMD4Xkk7D4s5XA=,tag:Nk0KsgICo505VEMwVUt3TA==,type:str] +uchicago: ENC[AES256_GCM,data:3ZkuIfvzOkKfQD0iyTk=,iv:aCfFrxDM5Ly/qLdLAQkK2tOxb89dFkCc9RhN5GVSGRw=,tag:7D54pkVX2F6IhM38JOUFQg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13cfe8fhp4m978qlcur46vkkxepsl93ggwe53kmhue9xtpgr5zu5q4y6ln2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTkZDUjFSaXFNMlJDc2xY + VHE4WWo4K0xCWElFMUxwbmRSNE1BUS9LOHpzCjEwRjRjS1pDeGkzMnBnRjc2ZUpp + SEpFaFQrUXZCbko4bkFRU3R0L2NtVTQKLS0tIGUwREh6TDJvMld5RnFmNVhXK3Fj + MWt0T2FzeE1Zd3Yrck04T05DRkVRUzQKtqX30UPHvyKhxNSpbqUNFY+elXugzG9r + /18Itxj/YqjlzY3HN+3AvwvCxUUP/OdOhyUl0YHiGx6ec5nevYiNkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-04T21:54:28Z" + mac: ENC[AES256_GCM,data:r+2SOcW7xLHee9kL8369yB6l/Z2XdnzGkeFygSrDgcZVfBfp/fT1xeMvu5tuu8aqsUeJ7lkFD2VKiBue95XSojdlM+5YyTerqdzLyMCRbkRivC3O2xXe90B4hVqm+twE9uu74mIznAQ2e0EO9E0MMlMNBo3EwsEcYA8gyVuB5mc=,iv:plNu3BircQ+kpPaXqlNvYlLAL5V5RX/yiETs+nY1pfw=,tag:7gVuOpzx5YsHtwodIRr4TQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/hosts/default.nix b/hosts/default.nix index a9eadc1..7a8b63c 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -43,6 +43,7 @@ let users.${user} = { imports = [ inputs.nix-index-database.hmModules.nix-index + inputs.sops-nix.homeManagerModules.sops ../home ] ++ lib.optional(builtins.pathExists ./${host}/home.nix) ./${host}/home.nix; }; 
@@ -55,6 +56,7 @@ let user ]) inputs.home-manager.nixosModules.home-manager + inputs.sops-nix.nixosModules.sops ]; }; in diff --git a/hosts/pickwick/default.nix b/hosts/pickwick/default.nix index 518951d..418549b 100644 --- a/hosts/pickwick/default.nix +++ b/hosts/pickwick/default.nix @@ -27,6 +27,7 @@ _1password.enable = true; audio.enable = true; bluetooth.enable = true; + sops.enable = true; }; services.fwupd.enable = true; diff --git a/nixos/default.nix b/nixos/default.nix index 151e87c..a9ee12b 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -13,6 +13,8 @@ ./bluetooth.nix ./displaymanager.nix ./keyd.nix + ./gnupg.nix + ./sops.nix ]; nix = let diff --git a/nixos/gnupg.nix b/nixos/gnupg.nix new file mode 100644 index 0000000..28b9900 --- /dev/null +++ b/nixos/gnupg.nix @@ -0,0 +1,15 @@ +{ + pkgs, + config, + lib, + ... +}: + +{ + programs.gnupg = { + agent = { + enable = true; + enableSSHSupport = true; + }; + }; +} diff --git a/nixos/sops.nix b/nixos/sops.nix new file mode 100644 index 0000000..960f1b9 --- /dev/null +++ b/nixos/sops.nix @@ -0,0 +1,39 @@ +{ + config, + lib, + pkgs, + user, + ... +}: +let + home-dir = config.hm.home.homeDirectory; +in +{ + options.custom = with lib; { + sops.enable = mkEnableOption "sops" // { + default = true; + }; + }; + + config = lib.mkIf config.custom.sops.enable { + environment.systemPackages = with pkgs; [ + sops + ]; + + sops = { + defaultSopsFile = ../hosts/secrets.yaml; + defaultSopsFormat = "yaml"; + + # use full path to persist as the secrets activation script runs at the start + # of stage 2 boot before impermanence + gnupg.sshKeyPaths = [ ]; + + age = { + sshKeyPaths = [ "${home-dir}/.ssh/id_ed25519" ]; + keyFile = "${home-dir}/.config/sops/age/keys.txt"; + # This will generate a new key if the key specified above does not exist + generateKey = false; + }; + }; + }; +}
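Review bot: `enableSSHSupport = true` makes gpg-agent the SSH agent for the session, which on NixOS is mutually exclusive with `programs.ssh.startAgent` (the module asserts on the combination); that option is not visible in this patch, so confirm it is off on `pickwick`. The `pkgs`, `config` and `lib` arguments are unused and can be dropped to `{ ... }:`, and a short header comment (`# gpg-agent also serves SSH keys; disables the stock ssh-agent`) would explain why this module exists next to `sops.nix`.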
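Review bot: The system-level sops key material lives in the user's home — `age.sshKeyPaths = [ "${home-dir}/.ssh/id_ed25519" ]` and `age.keyFile = "${home-dir}/.config/sops/age/keys.txt"` — so root's secret decryption during early stage-2 activation depends on a user-owned private key being present and readable before the home directory is even guaranteed to be mounted, which is exactly the ordering the comment about "before impermanence" warns about. Use host-owned paths instead: `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` and `age.keyFile = "/var/lib/sops-nix/key.txt";`, and add the `ssh-to-age`-derived host recipient to `.sops.yaml`; the user-level key can stay with the home-manager `sops` block. `defaultSopsFile = ../hosts/secrets.yaml` is not created by this patch and has no creation rule, so the first `sops.secrets.*` declared here will fail at build time until that file exists — say so in a comment or drop the default until it does. The `user` argument is unused, and `config.hm.home.homeDirectory` is not a standard NixOS option, so presumably an alias defined elsewhere in the repo — worth a comment pointing to where.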