Commit d9cedad203eb

Vincent Demeester <vincent@sbr.pm>
2026-01-13 13:14:29
feat(imapfilter): switch from passage to agenix for password management
Fix authentication issues on athena by using agenix secrets instead of passage for the iCloud password. This resolves the "login request failed" errors caused by password not being passed correctly via process substitution. Changes: - Add icloud-vdemeester password secret to secrets.nix - Update imapfilter.nix to use /run/agenix/icloud-vdemeester-password - Configure age secret in athena/extra.nix with proper permissions The secret file needs to be created separately: mkdir -p secrets/mails agenix -e secrets/mails/icloud-vdemeester.age Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent 96a402b
Changed files (3)
home/common/services/imapfilter.nix
@@ -13,11 +13,11 @@
 
     Service = {
       Type = "oneshot";
-      # Use passage to get the password
+      # Use agenix secret for password
       # Verbose mode enabled for testing new filters
-      ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.imapfilter}/bin/imapfilter -v -c ${./imapfilter-config.lua} -p <(${pkgs.passage}/bin/passage show mails/icloud/vdemeester)'";
+      ExecStart = "${pkgs.imapfilter}/bin/imapfilter -v -c ${./imapfilter-config.lua} -p /run/agenix/icloud-vdemeester-password";
       # Standard mode (use after testing is complete)
-      # ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.imapfilter}/bin/imapfilter -c ${./imapfilter-config.lua} -p <(${pkgs.passage}/bin/passage show mails/icloud/vdemeester)'";
+      # ExecStart = "${pkgs.imapfilter}/bin/imapfilter -c ${./imapfilter-config.lua} -p /run/agenix/icloud-vdemeester-password";
     };
   };
 
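Review bot: The new `ExecStart` hard-codes `/run/agenix/icloud-vdemeester-password`, but the secret that creates that file is declared only in systems/athena/extra.nix. Since this unit lives under home/common, any other host that enables it would start imapfilter with a password file that does not exist. Taking the path from the declaration keeps the two in step, for example `-p ${osConfig.age.secrets."icloud-vdemeester-password".path}` if this module is evaluated with `osConfig` available (not visible in the hunk), and a `ConditionPathExists=` on the same path would let the unit skip cleanly elsewhere. `-v` is still enabled on the live command, so it is worth confirming what imapfilter writes to the journal during login before leaving it on. The enclosing unit definition starts above the hunk.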
systems/athena/extra.nix
@@ -15,6 +15,14 @@
   # TODO make it an option ? (otherwise I'll add it for all)
   users.users.vincent.linger = true;
 
+  # Age secrets for imapfilter
+  age.secrets."icloud-vdemeester-password" = {
+    file = ../../secrets/mails/icloud-vdemeester.age;
+    mode = "400";
+    owner = "vincent";
+    group = "users";
+  };
+
   services = {
     wireguard = {
       enable = true;
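Review bot: With `owner = "vincent"` and `mode = "400"`, the decrypted iCloud password sits in the clear under /run/agenix for as long as the system is up and is readable by every process running as vincent. The passage call this replaces decrypted it only when the service ran. That is a reasonable trade-off for an unattended oneshot, but it should be recorded next to the declaration, e.g. `# Plaintext at /run/agenix/icloud-vdemeester-password, readable by vincent only; keep this an app-specific password so it can be revoked on its own`. `group = "users"` grants nothing at mode 400 and could be dropped so the block does not suggest group access.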
secrets.nix
@@ -37,6 +37,9 @@ let
   systems = servers ++ desktops;
 in
 {
+  # Mail passwords
+  "secrets/mails/icloud-vdemeester.age".publicKeys = users ++ [ athena ];
+
   # Red Hat
   "secrets/redhat/krb5.conf.age".publicKeys = users ++ [
     aomi
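Review bot: The rule for `secrets/mails/icloud-vdemeester.age` names a file that is not among the three changed files, and the description confirms it is created separately. Until it is added, `file = ../../secrets/mails/icloud-vdemeester.age;` in systems/athena/extra.nix refers to a path that does not exist, so athena would presumably fail to evaluate at this commit. The `.age` file is ciphertext for the listed recipients only, so committing it in the same change is safe and keeps the tree buildable. A comment such as `# Recipients: user keys + athena host key only; run agenix -r after changing this list` would record why no other system is included. `users` and `athena` are defined above the hunk, so which keys they contain cannot be checked here.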