mail: Use oauth and mfauth to access work mail directly instead of forwarding

This commit is contained in:
Charlotte Van Petegem 2023-11-10 12:11:22 +01:00
parent 83e00a1a81
commit 5045e2b167
No known key found for this signature in database
GPG key ID: 019E764B7184435A
7 changed files with 86 additions and 51 deletions


@ -13,7 +13,7 @@ let
${pkgs.libnotify}/bin/notify-send -t 5000 'New ${name} mail arrived' "$unseen_count unseen mails"
fi
'';
makeAccount = { name, address, host ? "", imapHost ? host, smtpHost ? host, useStartTls ? false, secretToolId, extraConfig ? { } }: (lib.recursiveUpdate
makeAccount = { name, address, host ? "", imapHost ? host, smtpHost ? host, useStartTls ? false, secretToolId, extraConfig ? { }, oauth ? false }: (lib.recursiveUpdate
{
inherit address;
gpg = {
@ -30,6 +30,7 @@ let
boxes = [ "INBOX" ];
onNotify = "${pkgs.isync}/bin/mbsync ${name}:INBOX";
onNotifyPost = "${config.chvp.base.emacs.package}/bin/emacsclient --eval \"(mu4e-update-index)\" && ${notifyScript name}";
extraConfig = lib.mkIf oauth { xoauth2 = true; };
};
mbsync = {
enable = true;
@ -37,11 +38,14 @@ let
expunge = "both";
flatten = ".";
remove = "both";
extraConfig.account.AuthMechs = "LOGIN";
extraConfig.account.AuthMechs = if (oauth) then "XOAUTH2" else "LOGIN";
};
msmtp = {
enable = true;
extraConfig = lib.mkIf oauth { auth = "xoauth2"; };
};
msmtp.enable = true;
mu.enable = true;
passwordCommand = "${passwordScript} ${secretToolId}";
passwordCommand = if oauth then "${pkgs.mfauth}/bin/mfauth access ${name}" else "${passwordScript} ${secretToolId}";
realName = "Charlotte Van Petegem";
signature = {
showSignature = "none";
@ -82,6 +86,11 @@ in
};
config = lib.mkIf config.chvp.graphical.mail.enable {
nixpkgs.overlays = [
(self: super: rec {
isync = super.isync.override { withCyrusSaslXoauth2 = true; };
})
];
chvp = {
base = {
emacs.extraConfig =
@ -205,6 +214,16 @@ in
};
};
home-manager.users.charlotte = { ... }: {
home.packages = [ pkgs.mfauth ];
xdg.configFile."mfauth/config.toml".text = ''
# Public thunderbird secrets
[accounts.work]
client_id = "08162f7c-0fd2-4200-a84a-f25a4db0b584"
client_secret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"
authorize_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
scope = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access"
'';
accounts.email = {
maildirBasePath = "/home/charlotte/mail";
accounts = {
@ -221,13 +240,12 @@ in
work = makeAccount {
name = "work";
address = "charlotte.vanpetegem@ugent.be";
host = "mail.vanpetegem.me";
host = "outlook.office365.com";
smtpHost = "smtp.office365.com";
secretToolId = "work-mail";
useStartTls = true;
extraConfig = {
folders = { drafts = "Drafts"; inbox = "INBOX"; sent = "INBOX"; trash = "Trash"; };
userName = "ugent@cvpetegem.be";
};
oauth = true;
extraConfig.folders = { drafts = "Drafts"; inbox = "INBOX"; sent = "INBOX"; trash = "Trash"; };
};
posteo = makeAccount {
name = "posteo";
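Review bot: The `scope = "…"` line in the mfauth `config.toml` requests `https://outlook.office365.com/POP.AccessAsUser.All`, but nothing in this change uses POP — the account only does IMAP via mbsync (`AuthMechs = "XOAUTH2"`) and SMTP via msmtp (`auth = "xoauth2"`) — so the token should be minted with the minimum: `scope = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access"`. Separately, `xdg.configFile` materialises this TOML in the world-readable Nix store, so the `# Public thunderbird secrets` comment should state why that is acceptable, e.g. `# Thunderbird's published OAuth client_id/client_secret (public client, not sensitive); the real credential is the refresh token mfauth stores, not this file.` Where `mfauth access work` caches that refresh/access token and with what permissions is not visible in this hunk — presumably somewhere under the user's XDG dirs; confirm it is user-only and not in the store. The `makeAccount` function and the `home-manager.users.charlotte` block both start or end outside these hunks, and the `lib.mkIf` values are being fed through `lib.recursiveUpdate`, which would merge a caller's `extraConfig.msmtp.extraConfig`/`extraConfig.imapnotify.extraConfig` into the mkIf wrapper rather than its content — worth a comment or a guard if such callers exist.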


@ -59,10 +59,6 @@ in
hashedPasswordFile = config.age.secrets."passwords/services/mail/hallo@robbe.be".path;
aliases = [ "@robbe.be" "@robbevp.be" ];
};
"ugent@cvpetegem.be" = {
hashedPasswordFile = config.age.secrets."passwords/services/mail/ugent@cvpetegem.be".path;
aliases = [ "charlotte.vanpetegem@ugent.be" ];
};
"webmaster@vanpetegem.me".hashedPasswordFile = config.age.secrets."passwords/services/mail/webmaster@vanpetegem.me".path;
};
indexDir = "${config.chvp.cachePrefix}/var/lib/dovecot/indices";
@ -83,16 +79,6 @@ in
certificateFile = certFile;
keyFile = keyFile;
dkimKeyDirectory = "${config.chvp.dataPrefix}/var/dkim";
policydSPFExtraConfig = ''
whitelist = 40.92.0.0/15,40.107.0.0/16,52.100.0.0/14,104.47.0.0/17,2a01:111:f400::/48,2a01:111:f403::/49,2a01:111:f403:8000::/50,2a01:111:f403:c000::/51,2a01:111:f403:f000::/52
'';
};
services.postfix = {
config.sender_dependent_default_transport_maps = [ "hash:/etc/postfix/sender_map" ];
mapFiles.sender_map = pkgs.writeText "postfix-sender-map" ''
charlotte.vanpetegem@ugent.be smtp:[127.0.0.1]:9797
'';
};
services.rspamd.extraConfig = ''
@ -103,20 +89,7 @@ in
}
'';
systemd.services.tunnel = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."files/services/tunnel/key".path} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o ControlPath=none -NT -p $SSH_PORT -L 0.0.0.0:9797:$CONN_HOST:$CONN_PORT $USER@$SSH_HOST";
serviceConfig = {
RestartSec = "5s";
Restart = "on-failure";
EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
};
};
age.secrets = {
"files/services/tunnel/key".file = ../../../secrets/files/services/tunnel/key.age;
"files/services/tunnel/env".file = ../../../secrets/files/services/tunnel/env.age;
"passwords/services/mail/charlotte@vanpetegem.me".file = ../../../secrets/passwords/services/mail/charlotte_at_vanpetegem.me.age;
"passwords/services/mail/hallo@robbe.be".file = ../../../secrets/passwords/services/mail/hallo_at_robbe.be.age;
"passwords/services/mail/huis@vanpetegem.me".file = ../../../secrets/passwords/services/mail/huis_at_vanpetegem.me.age;
@ -125,7 +98,6 @@ in
"passwords/services/mail/postbot@vanpetegem.me".file = ../../../secrets/passwords/services/mail/postbot_at_vanpetegem.me.age;
"passwords/services/mail/robbe@robbevanpetegem.be".file = ../../../secrets/passwords/services/mail/robbe_at_robbevanpetegem.be.age;
"passwords/services/mail/robbe@vanpetegem.me".file = ../../../secrets/passwords/services/mail/robbe_at_vanpetegem.me.age;
"passwords/services/mail/ugent@cvpetegem.be".file = ../../../secrets/passwords/services/mail/ugent_at_cvpetegem.be.age;
"passwords/services/mail/webmaster@vanpetegem.me".file = ../../../secrets/passwords/services/mail/webmaster_at_vanpetegem.me.age;
};
};