mail: Use oauth and mfauth to access work mail directly instead of forwarding

flake.lock

@@ -383,6 +383,30 @@
         "type": "github"
       }
     },
+    "mfauth": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_2"
+      },
+      "locked": {
+        "lastModified": 1656592749,
+        "narHash": "sha256-7Rzjvegv6wb6LLWrNUvFkDmbYIhiBNH6zTcNgtOEWqk=",
+        "owner": "rien",
+        "repo": "mfauth",
+        "rev": "b88b9f431449495737f0cb43860fdc78756156ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rien",
+        "repo": "mfauth",
+        "type": "github"
+      }
+    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -565,6 +589,7 @@
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
+        "mfauth": "mfauth",
         "nix-index-database": "nix-index-database",
         "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs",
@@ -598,6 +623,31 @@
         "type": "github"
       }
     },
+    "rust-overlay_2": {
+      "inputs": {
+        "flake-utils": [
+          "mfauth",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "mfauth",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1656567145,
+        "narHash": "sha256-2xlv+g7kIb3f+1QdHlqpHPFfFw4myXUCC+cWk+6C4aE=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "3e95d6696b51f88b3ebfc7a21aefaeeb70a245bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -55,6 +55,13 @@
       url = "github:nix-community/lanzaboote/v0.3.0";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    mfauth = {
+      url = "github:rien/mfauth";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-utils.follows = "flake-utils";
+      };
+    };
     nixos-mailserver = {
       url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
       inputs = {
@@ -86,7 +93,7 @@
     };
   };
 
-  outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, lanzaboote, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
+  outputs = inputs@{ self, nixpkgs, accentor, accentor-api, accentor-web, agenix, devshell, emacs-overlay, flake-utils, home-manager, lanzaboote, mfauth, nix-index-database, nixos-mailserver, nur, tetris, www-chvp-be }:
     let
       patches = builtins.map (patch: ./patches + "/${patch}") (builtins.filter (x: x != ".keep") (builtins.attrNames (builtins.readDir ./patches)));
       # Avoid IFD if there are no patches
@@ -107,6 +114,7 @@
         devshell.overlays.default
         emacs-overlay.overlay
         (self: super: {
+          mfauth = mfauth.packages.${self.system}.mfauth;
           tetris = tetris.packages.${self.system}.default;
         })
         nur.overlay

modules/graphical/mail/default.nix

@@ -13,7 +13,7 @@ let
       ${pkgs.libnotify}/bin/notify-send -t 5000 'New ${name} mail arrived' "$unseen_count unseen mails"
     fi
   '';
-  makeAccount = { name, address, host ? "", imapHost ? host, smtpHost ? host, useStartTls ? false, secretToolId, extraConfig ? { } }: (lib.recursiveUpdate
+  makeAccount = { name, address, host ? "", imapHost ? host, smtpHost ? host, useStartTls ? false, secretToolId, extraConfig ? { }, oauth ? false }: (lib.recursiveUpdate
     {
       inherit address;
       gpg = {
@@ -30,6 +30,7 @@ let
         boxes = [ "INBOX" ];
         onNotify = "${pkgs.isync}/bin/mbsync ${name}:INBOX";
         onNotifyPost = "${config.chvp.base.emacs.package}/bin/emacsclient --eval \"(mu4e-update-index)\" && ${notifyScript name}";
+        extraConfig = lib.mkIf oauth { xoauth2 = true; };
       };
       mbsync = {
         enable = true;
@@ -37,11 +38,14 @@ let
         expunge = "both";
         flatten = ".";
         remove = "both";
-        extraConfig.account.AuthMechs = "LOGIN";
+        extraConfig.account.AuthMechs = if (oauth) then "XOAUTH2" else "LOGIN";
+      };
+      msmtp = {
+        enable = true;
+        extraConfig = lib.mkIf oauth { auth = "xoauth2"; };
       };
-      msmtp.enable = true;
       mu.enable = true;
-      passwordCommand = "${passwordScript} ${secretToolId}";
+      passwordCommand = if oauth then "${pkgs.mfauth}/bin/mfauth access ${name}" else "${passwordScript} ${secretToolId}";
       realName = "Charlotte Van Petegem";
       signature = {
         showSignature = "none";
@@ -82,6 +86,11 @@ in
   };
 
   config = lib.mkIf config.chvp.graphical.mail.enable {
+    nixpkgs.overlays = [
+      (self: super: rec {
+        isync = super.isync.override { withCyrusSaslXoauth2 = true; };
+      })
+    ];
     chvp = {
       base = {
         emacs.extraConfig =
@@ -205,6 +214,16 @@ in
       };
     };
     home-manager.users.charlotte = { ... }: {
+      home.packages = [ pkgs.mfauth ];
+      xdg.configFile."mfauth/config.toml".text = ''
+        # Public thunderbird secrets
+        [accounts.work]
+        client_id = "08162f7c-0fd2-4200-a84a-f25a4db0b584"
+        client_secret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82"
+        authorize_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+        token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+        scope = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access"
+      '';
       accounts.email = {
         maildirBasePath = "/home/charlotte/mail";
         accounts = {
@@ -221,13 +240,12 @@ in
           work = makeAccount {
             name = "work";
             address = "charlotte.vanpetegem@ugent.be";
-            host = "mail.vanpetegem.me";
+            host = "outlook.office365.com";
+            smtpHost = "smtp.office365.com";
             secretToolId = "work-mail";
             useStartTls = true;
-            extraConfig = {
+            oauth = true;
-              folders = { drafts = "Drafts"; inbox = "INBOX"; sent = "INBOX"; trash = "Trash"; };
+            extraConfig.folders = { drafts = "Drafts"; inbox = "INBOX"; sent = "INBOX"; trash = "Trash"; };
-              userName = "ugent@cvpetegem.be";
-            };
           };
           posteo = makeAccount {
             name = "posteo";

modules/services/mail/default.nix

@@ -59,10 +59,6 @@ in
           hashedPasswordFile = config.age.secrets."passwords/services/mail/hallo@robbe.be".path;
           aliases = [ "@robbe.be" "@robbevp.be" ];
         };
-        "ugent@cvpetegem.be" = {
-          hashedPasswordFile = config.age.secrets."passwords/services/mail/ugent@cvpetegem.be".path;
-          aliases = [ "charlotte.vanpetegem@ugent.be" ];
-        };
         "webmaster@vanpetegem.me".hashedPasswordFile = config.age.secrets."passwords/services/mail/webmaster@vanpetegem.me".path;
       };
       indexDir = "${config.chvp.cachePrefix}/var/lib/dovecot/indices";
@@ -83,16 +79,6 @@ in
       certificateFile = certFile;
       keyFile = keyFile;
       dkimKeyDirectory = "${config.chvp.dataPrefix}/var/dkim";
-      policydSPFExtraConfig = ''
-        whitelist = 40.92.0.0/15,40.107.0.0/16,52.100.0.0/14,104.47.0.0/17,2a01:111:f400::/48,2a01:111:f403::/49,2a01:111:f403:8000::/50,2a01:111:f403:c000::/51,2a01:111:f403:f000::/52
-      '';
-    };
-
-    services.postfix = {
-      config.sender_dependent_default_transport_maps = [ "hash:/etc/postfix/sender_map" ];
-      mapFiles.sender_map = pkgs.writeText "postfix-sender-map" ''
-        charlotte.vanpetegem@ugent.be smtp:[127.0.0.1]:9797
-      '';
     };
 
     services.rspamd.extraConfig = ''
@@ -103,20 +89,7 @@ in
       }
     '';
 
-    systemd.services.tunnel = {
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      script = "${pkgs.openssh}/bin/ssh -i ${config.age.secrets."files/services/tunnel/key".path} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o ControlPath=none -NT -p $SSH_PORT -L 0.0.0.0:9797:$CONN_HOST:$CONN_PORT $USER@$SSH_HOST";
-      serviceConfig = {
-        RestartSec = "5s";
-        Restart = "on-failure";
-        EnvironmentFile = config.age.secrets."files/services/tunnel/env".path;
-      };
-    };
-
     age.secrets = {
-      "files/services/tunnel/key".file = ../../../secrets/files/services/tunnel/key.age;
-      "files/services/tunnel/env".file = ../../../secrets/files/services/tunnel/env.age;
       "passwords/services/mail/charlotte@vanpetegem.me".file = ../../../secrets/passwords/services/mail/charlotte_at_vanpetegem.me.age;
       "passwords/services/mail/hallo@robbe.be".file = ../../../secrets/passwords/services/mail/hallo_at_robbe.be.age;
       "passwords/services/mail/huis@vanpetegem.me".file = ../../../secrets/passwords/services/mail/huis_at_vanpetegem.me.age;
@@ -125,7 +98,6 @@ in
       "passwords/services/mail/postbot@vanpetegem.me".file = ../../../secrets/passwords/services/mail/postbot_at_vanpetegem.me.age;
       "passwords/services/mail/robbe@robbevanpetegem.be".file = ../../../secrets/passwords/services/mail/robbe_at_robbevanpetegem.be.age;
       "passwords/services/mail/robbe@vanpetegem.me".file = ../../../secrets/passwords/services/mail/robbe_at_vanpetegem.me.age;
-      "passwords/services/mail/ugent@cvpetegem.be".file = ../../../secrets/passwords/services/mail/ugent_at_cvpetegem.be.age;
       "passwords/services/mail/webmaster@vanpetegem.me".file = ../../../secrets/passwords/services/mail/webmaster_at_vanpetegem.me.age;
     };
   };

secrets/files/services/tunnel/env.age

@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 yad4VQ 4EZbasW5A0791VTZy5+OBXLVJ+/G5kTRvlnMeg4lSDg
-Aj4iFFHEjEW0SyMrgQTt9hcAed42N/jL60FjARqlHFo
--> ssh-ed25519 s9rb8g cRHZludrYSvCJy15kHhxUH516CfOtwQ3VEk4FYJdW2U
-NbzPbwg5rkgzVAFeHJqfpFdExIMexIZpdLBZFz1miHE
--> ssh-ed25519 hKAFvQ rNrDoQWNd76bpvoWFh31ClZQ5VIRAfe2BDEpS/bN0Ug
-6uKJeY1fL3pryI9ynX9dVEXrsLQg+hrBvkz0FY2fOUI
--> k-grease M=!N`9 6bU
-CtgiHxZfRbY81i9AiltE2ZY0M2xFtIZ7Q7ClL49HU67SimSdJxSLC382I0xk08O9
-3JRWjOQqvRtcSosB
---- vUl2LYnVGXcLs4jdkc9IDYX7HM78TCPTJ5BCvD6fJ1Q
-PVæ매³I
ªºM„ ö<C2A0>ÄRyÙPPå±6E^.K¦’k<>²ÀÚ2%åÇoD€Ÿ:Õ
Ù…ÃA
£‰û>Ib><æ¥Ö<
ÆAæ	ð
-z[!Þ%PØ)«Ð¥ïR-çz$­Üƒ<7´qú:ú<>ï݉f¼