From 5045e2b167e2c54cf6c8ff687e753ec043c474f1 Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Fri, 10 Nov 2023 12:11:22 +0100
Subject: [PATCH] mail: Use oauth and mfauth to access work mail directly instead of forwarding
---
flake.lock | 50 ++++++++++++++++++
flake.nix | 10 +++-
modules/graphical/mail/default.nix | 36 +++++++++----
modules/services/mail/default.nix | 28 ----------
secrets/files/services/tunnel/env.age | 13 -----
secrets/files/services/tunnel/key.age | Bin 892 -> 0 bytes
.../services/mail/ugent_at_cvpetegem.be.age | Bin 633 -> 0 bytes
7 files changed, 86 insertions(+), 51 deletions(-)
delete mode 100644 secrets/files/services/tunnel/env.age
delete mode 100644 secrets/files/services/tunnel/key.age
delete mode 100644 secrets/passwords/services/mail/ugent_at_cvpetegem.be.age
diff --git a/flake.lock b/flake.lock
index 10d629a7..c9bb83da 100644
--- a/flake.lock
+++ b/flake.lock
@@ -383,6 +383,30 @@ "type": "github" } }, + "mfauth": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1656592749, + "narHash": "sha256-7Rzjvegv6wb6LLWrNUvFkDmbYIhiBNH6zTcNgtOEWqk=", + "owner": "rien", + "repo": "mfauth", + "rev": "b88b9f431449495737f0cb43860fdc78756156ed", + "type": "github" + }, + "original": { + "owner": "rien", + "repo": "mfauth", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [
@@ -565,6 +589,7 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "lanzaboote": "lanzaboote", + "mfauth": "mfauth", "nix-index-database": "nix-index-database", "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs",
@@ -598,6 +623,31 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "flake-utils": [ + "mfauth", + "flake-utils" + ], + "nixpkgs": [ + "mfauth", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656567145, + "narHash": "sha256-2xlv+g7kIb3f+1QdHlqpHPFfFw4myXUCC+cWk+6C4aE=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "3e95d6696b51f88b3ebfc7a21aefaeeb70a245bd", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 3bd38ae3..6c8e0614 100644
--- a/flake.nix
+++ b/flake.nix
@@ -55,6 +55,13 @@
 url = "github:nix-community/lanzaboote/v0.3.0";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ mfauth = {
+ url = "github:rien/mfauth";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ flake-utils.follows = "flake-utils";
+ };
+ };
 nixos-mailserver = {
 url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 inputs = {
@@ -86,7 +93,7 @@
 };
 };
- outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, lanzaboote, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
+ outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, lanzaboote, mfauth, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
 let
 patches = builtins.map (patch: ./patches + "/${patch}") (builtins.filter (x: x != ".keep") (builtins.attrNames (builtins.readDir ./patches)));
 # Avoid IFD if there are no patches
@@ -107,6 +114,7 @@
 devshell.overlays.default
 emacs-overlay.overlay
 (self: super: {
+ mfauth = mfauth.packages.${self.system}.mfauth;
 tetris = tetris.packages.${self.system}.default;
 })
 nur.overlay
diff --git a/modules/graphical/mail/default.nix b/modules/graphical/mail/default.nix
index 1006f143..e040f488 100644
--- a/modules/graphical/mail/default.nix
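Review bot: The new `mfauth` input is declared with a bare `url = "github:rien/mfauth";`, unlike the `lanzaboote` input two lines above it that pins `v0.3.0`, so any future `nix flake update` silently moves the tool that will hold the work account's OAuth refresh token to whatever the default branch is at that moment. flake.lock pins rev b88b9f43 for now, but pinning in flake.nix as well, `url = "github:rien/mfauth/<tag-or-rev>";` (placeholder), makes bumping a credential-handling dependency an explicit, reviewable step rather than a side effect of updating everything else.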
+++ b/modules/graphical/mail/default.nix
@@ -13,7 +13,7 @@ let
 ${pkgs.libnotify}/bin/notify-send -t 5000 'New ${name} mail arrived' "$unseen_count unseen mails"
 fi
 '';
- makeAccount = { name, address, host ? "", imapHost ? host, smtpHost ? host, useStartTls ? false, secretToolId, extraConfig ? { } }: (lib.recursiveUpdate
+ makeAccount = { name, address, host ? "", imapHost ? host, smtpHost ? host, useStartTls ? false, secretToolId, extraConfig ? { }, oauth ? false }: (lib.recursiveUpdate
 {
 inherit address;
 gpg = {
@@ -30,6 +30,7 @@ let
 boxes = [ "INBOX" ];
 onNotify = "${pkgs.isync}/bin/mbsync ${name}:INBOX";
 onNotifyPost = "${config.chvp.base.emacs.package}/bin/emacsclient --eval \"(mu4e-update-index)\" && ${notifyScript name}";
+ extraConfig = lib.mkIf oauth { xoauth2 = true; };
 };
 mbsync = {
 enable = true;
@@ -37,11 +38,14 @@ let
 expunge = "both";
 flatten = ".";
 remove = "both";
- extraConfig.account.AuthMechs = "LOGIN";
+ extraConfig.account.AuthMechs = if (oauth) then "XOAUTH2" else "LOGIN";
+ };
+ msmtp = {
+ enable = true;
+ extraConfig = lib.mkIf oauth { auth = "xoauth2"; };
 };
- msmtp.enable = true;
 mu.enable = true;
- passwordCommand = "${passwordScript} ${secretToolId}";
+ passwordCommand = if oauth then "${pkgs.mfauth}/bin/mfauth access ${name}" else "${passwordScript} ${secretToolId}";
 realName = "Charlotte Van Petegem";
 signature = {
 showSignature = "none";
@@ -82,6 +86,11 @@ in
 };
 config = lib.mkIf config.chvp.graphical.mail.enable {
+ nixpkgs.overlays = [
+ (self: super: rec {
+ isync = super.isync.override { withCyrusSaslXoauth2 = true; };
+ })
+ ];
 chvp = {
 base = {
 emacs.extraConfig =
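Review bot: The new `oauth ? false` parameter of makeAccount is undocumented, and `secretToolId` stays mandatory even though it is never read when `oauth = true` (the work account in a later hunk of this file still has to pass `secretToolId = "work-mail"`). Suggest `secretToolId ? null` in the signature and a short comment above `makeAccount`, e.g. `# oauth = true: authenticate IMAP and SMTP with XOAUTH2 tokens from mfauth instead of a secret-tool password; needs the xoauth2-enabled isync from the overlay below`. The makeAccount body continues past the end of this hunk.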
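Review bot: `extraConfig.account.AuthMechs = if (oauth) then "XOAUTH2" else "LOGIN";` parenthesises the condition while the `passwordCommand` line a few lines down writes `if oauth then`; use one form, `if oauth then "XOAUTH2" else "LOGIN"`, so the two oauth switches in this hunk read alike. `mfauth access work` is presumably what mbsync and msmtp will now run to obtain a token each time; how it behaves non-interactively once the refresh token has expired matters here because the imapnotify `onNotify` in the hunk above runs mbsync unattended, so that is worth confirming once.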
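Review bot: `rec` on the overlay result `(self: super: rec { isync = ...; })` is unnecessary, as nothing inside the set refers to `isync`; `(self: super: { isync = super.isync.override { withCyrusSaslXoauth2 = true; }; })` is the same thing. Also, `nixpkgs.overlays` set from inside this module's `config` applies to the whole system package set, not only to mail, so every consumer of `pkgs.isync` now gets the xoauth2 build; that seems intentional, but a one-line comment such as `# isync needs the Cyrus SASL xoauth2 plugin for AuthMechs XOAUTH2` would record why the override is here.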
@@ -205,6 +214,16 @@ in
 };
 };
 home-manager.users.charlotte = { ... }: {
+ home.packages = [ pkgs.mfauth ];
+ xdg.configFile."mfauth/config.toml".text = ''
+ # Public thunderbird secrets
+ [accounts.work]
+ client_id = "08162f7c-0fd2-4200-a84a-f25a4db0b584"
+ client_secret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"
+ authorize_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+ token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+ scope = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access"
+ '';
 accounts.email = {
 maildirBasePath = "/home/charlotte/mail";
 accounts = {
@@ -221,13 +240,12 @@ in
 work = makeAccount {
 name = "work";
 address = "charlotte.vanpetegem@ugent.be";
- host = "mail.vanpetegem.me";
+ host = "outlook.office365.com";
+ smtpHost = "smtp.office365.com";
 secretToolId = "work-mail";
 useStartTls = true;
- extraConfig = {
- folders = { drafts = "Drafts"; inbox = "INBOX"; sent = "INBOX"; trash = "Trash"; };
- userName = "ugent@cvpetegem.be";
- };
+ oauth = true;
+ extraConfig.folders = { drafts = "Drafts"; inbox = "INBOX"; sent = "INBOX"; trash = "Trash"; };
 };
 posteo = makeAccount {
 name = "posteo";
diff --git a/modules/services/mail/default.nix b/modules/services/mail/default.nix
index ace201be..c25e6fed 100644
--- a/modules/services/mail/default.nix
+++ b/modules/services/mail/default.nix
@@ -59,10 +59,6 @@ in
 hashedPasswordFile = config.age.secrets."passwords/services/mail/hallo@robbe.be".path;
 aliases = [ "@robbe.be" "@robbevp.be" ];
 };
- "ugent@cvpetegem.be" = {
- hashedPasswordFile = config.age.secrets."passwords/services/mail/ugent@cvpetegem.be".path;
- aliases = [ "charlotte.vanpetegem@ugent.be" ];
- };
 "webmaster@vanpetegem.me".hashedPasswordFile = config.age.secrets."passwords/services/mail/webmaster@vanpetegem.me".path;
 };
 indexDir = "${config.chvp.cachePrefix}/var/lib/dovecot/indices";
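Review bot: `client_secret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"` goes through `xdg.configFile`, so it is realised into the world-readable Nix store and committed to this repository; that is only acceptable because, as `# Public thunderbird secrets` hints, these are the OAuth client credentials Thunderbird ships publicly, and the comment should say so outright, e.g. `# Thunderbird's published Microsoft OAuth client id/secret: public by design, not a credential. The refresh token mfauth obtains with them is the real secret and must not land in the Nix store.` Presumably mfauth keeps that token in its own state file rather than next to this config, which is worth confirming since everything under xdg.configFile is store-backed. Separately, `scope` requests `POP.AccessAsUser.All` although only IMAP (mbsync) and SMTP (msmtp) are configured in this module; dropping it keeps the issued token least-privilege.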
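Review bot: `secretToolId = "work-mail";` is dead for this account now: with `oauth = true` makeAccount builds `passwordCommand` from `mfauth access work`, so the secret-tool entry is never read and the line (and the stored password) can go once the parameter is made optional in makeAccount's signature in the earlier hunk of this file. Worth confirming that `useStartTls = true` is right for the IMAP side as well: Microsoft documents `outlook.office365.com` IMAP on 993 with implicit TLS and `smtp.office365.com` on 587 with STARTTLS, and makeAccount appears to apply the single flag to both hosts. Since the commit also removes the forwarding path (the `ugent@cvpetegem.be` mailbox and the tunnel key/env secrets), the tunnel key's public half should be removed from the remote host and the mailbox password retired, as the encrypted blobs remain in git history.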
@@ -83,16 +79,6 @@ in
 certificateFile = certFile;
 keyFile = keyFile;
 dkimKeyDirectory = "${config.chvp.dataPrefix}/var/dkim";
- policydSPFExtraConfig = ''
- whitelist = 40.92.0.0/15,40.107.0.0/16,52.100.0.0/14,104.47.0.0/17,2a01:111:f400::/48,2a01:111:f403::/49,2a01:111:f403:8000::/50,2a01:111:f403:c000::/51,2a01:111:f403:f000::/52
- '';
- };
-
- services.postfix = {
- config.sender_dependent_default_transport_maps = [ "hash:/etc/postfix/sender_map" ];
- mapFiles.sender_map = pkgs.writeText "postfix-sender-map" ''
- charlotte.vanpetegem@ugent.be smtp:[127.0.0.1]:9797
- '';
 };
 services.rspamd.extraConfig = ''
@@ -103,20 +89,7 @@ in
 }
 '';
- systemd.services.tunnel = {
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- script = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."files/services/tunnel/key".path} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o ControlPath=none -NT -p $SSH_PORT -L 0.0.0.0:9797:$CONN_HOST:$CONN_PORT $USER@$SSH_HOST";
- serviceConfig = {
- RestartSec = "5s";
- Restart = "on-failure";
- EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
- };
- };
 age.secrets = {
- "files/services/tunnel/key".file = ../../../secrets/files/services/tunnel/key.age;
- "files/services/tunnel/env".file = ../../../secrets/files/services/tunnel/env.age;
 "passwords/services/mail/charlotte@vanpetegem.me".file = ../../../secrets/passwords/services/mail/charlotte_at_vanpetegem.me.age;
 "passwords/services/mail/hallo@robbe.be".file = ../../../secrets/passwords/services/mail/hallo_at_robbe.be.age;
 "passwords/services/mail/huis@vanpetegem.me".file = ../../../secrets/passwords/services/mail/huis_at_vanpetegem.me.age;
@@ -125,7 +98,6 @@ in
 "passwords/services/mail/postbot@vanpetegem.me".file = ../../../secrets/passwords/services/mail/postbot_at_vanpetegem.me.age;
 "passwords/services/mail/robbe@robbevanpetegem.be".file = ../../../secrets/passwords/services/mail/robbe_at_robbevanpetegem.be.age;
 "passwords/services/mail/robbe@vanpetegem.me".file = ../../../secrets/passwords/services/mail/robbe_at_vanpetegem.me.age;
- "passwords/services/mail/ugent@cvpetegem.be".file = ../../../secrets/passwords/services/mail/ugent_at_cvpetegem.be.age;
 "passwords/services/mail/webmaster@vanpetegem.me".file = ../../../secrets/passwords/services/mail/webmaster_at_vanpetegem.me.age;
 };
 };
diff --git a/secrets/files/services/tunnel/env.age b/secrets/files/services/tunnel/env.age
deleted file mode 100644
index e9b98c22..00000000
--- a/secrets/files/services/tunnel/env.age
+++ /dev/null
@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yad4VQ 4EZbasW5A0791VTZy5+OBXLVJ+/G5kTRvlnMeg4lSDg
-Aj4iFFHEjEW0SyMrgQTt9hcAed42N/jL60FjARqlHFo
--> ssh-ed25519 s9rb8g cRHZludrYSvCJy15kHhxUH516CfOtwQ3VEk4FYJdW2U
-NbzPbwg5rkgzVAFeHJqfpFdExIMexIZpdLBZFz1miHE
--> ssh-ed25519 hKAFvQ rNrDoQWNd76bpvoWFh31ClZQ5VIRAfe2BDEpS/bN0Ug
-6uKJeY1fL3pryI9ynX9dVEXrsLQg+hrBvkz0FY2fOUI
--> k-grease M=!N`9 6bU
-CtgiHxZfRbY81i9AiltE2ZY0M2xFtIZ7Q7ClL49HU67SimSdJxSLC382I0xk08O9
-3JRWjOQqvRtcSosB
---- vUl2LYnVGXcLs4jdkc9IDYX7HM78TCPTJ5BCvD6fJ1Q
-PV매I MRyPP6E^.Kk2%oD: مA>Ib><< A -z[!%P)ХR-z$܃<7q:݉f
\ No newline at end of file
diff --git a/secrets/files/services/tunnel/key.age b/secrets/files/services/tunnel/key.age deleted file mode 100644 index 72f3d0dd432d2e36e07e981c0821e8a8a1e30d59..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 892 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyOiVEe3slI_eB3+@VC_mIUB*)yvSl`{T ztkf_g)x|xkAkrhOMBCpivbex9H!vuqpeWecJ(4RT(^ucpu*yf@&B>?GS>MRTDAGGp z+c+a2(KtKZ-7+~dD!3@S!YIGoyByuN3~xubvOoprk_unWMX8C!sS4T(S_aPXRtiyWhK>r383}Q|T=}Wqeo@+< z$=SZ?<^>iOCS1C@x(eAY>52NmfnJ7AX+@^4+TkIF{yF94p&`i?LEd?8CK39nh2>Qi zp=Lp0j$B7B9aq-p{W&Y$>fBz7pqUJ!KlZPb4)NRVz4T|v?rFu>a*G_7PG_HUm(ezG z(j+d8&D(bslo;RlyJqwto%pxTB5du-bP|x$K(fCu)!W@X=s1?Ppw4vFv;ezocV-_p2G3 zb$_3ovnR2I|B}Ol?=C7QHKsUrvUrx^n81 zcEk6Fnv7Q^q&xOqa$aD0VY9^K!H(uq-R{wm`S7*s>_eB3;4K$K2Dy$JwC7&A*~J zGt4X7FgG`~B0VL^Gu1CWAkDuj+1S-F%cvkdH=nD}GqkcQBg4SoB-Oao%t<@b!o#h& zs=PQgz$4emtuoTXxHPFuKQPTZCm-Fm%ET0tut0^XH2;w7eDfd!i&8IlZ~wq-(-3bb zLsPf1ipa8Xr((B~)Dq)#Kf^#nw?HmK@ASMBUswGS(}Hw;eK#k6e{I9?q?{mAFV`ST z=W>tY^bn)$g1pe2B2SQQVY=x>sfop@3JD6q$qH6nnFe`DCIv1b;g)G3zM1C5?v7?b zA;oU`sgadF+S)}C>G~ewk*Q@t{>Is*QGV%V6^U6%{*e`CS?&hLrTO83T&95)28l&Z zVL_3pX^DlF8J_7m#`>8C720_jzImZx*_oLk5n&Y-`S}^;PF%XWx(Y5i?iKk3RgMvs z>CS$R`R+*;RVB_5iD?yOULh{oB}sWznI4AjPA(4K1uzwa00JHhsUH||9