Is there a way to configure email accounts without putting personal info in cleartext? (home-manager)

As far as I can tell, there’s no way around hardcoding email addresses, full names, email server addresses,… inside accounts.email.accounts."account name".

I feel like this is a bad idea. Ideally, I’d want to treat personal info like any other secret, by storing it in encrypted form with the help of sops-nix.

I’m using Thunderbird, so where the contents of this config end up is in $HOME/.thunderbird/profilename/user.js. The closest I can tell could work is letting home-manager generate that file once, then copying it in its entirety into a secrets file, then linking the decrypted file (/run/user/1000/secrets/mail or whatever) to user.js.

Trouble is, at that point Thunderbird itself largely stops being configurable via home-manager itself, since programs.thunderbird.profiles.profilename.settings wants to write to that file as well.

So I guess my problem has two possible solution paths, with the first more preferable than the second:

  • is there a way to use accounts.email.accounts without putting cleartext info?
  • or is there a way to append to a nix/hm-generated config file?

Cheers, and thanks in advance to anyone who answers :slight_smile:


No to both, you’ll have to write your own module if you want this.

Depends on your threat model.

If you are generating a file through Nix – it ends up in clear text in the store, which is world-readable. Secret management technologies that store the file encrypted in the store do not expect the file to change after it’s been decrypted, i.e. the files are edited, then encrypted, then decrypted. At this point the secrets are readable but cannot be written to.

If you don’t want to publish some details about your account name in a public repository and are using flakes – you can have a private flake define the secrets in a module and then import that module in your public flake.
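The private-flake layout described in the reply above, as an added example that is not part of the original thread: one flake in a private repository exports a home-manager module carrying the account details, and the public flake pulls it in as an input and adds the module to its `modules` list. All addresses, names, hosts and repository URLs below are constructed placeholders; the output name `homeManagerModules` is a convention, not an option home-manager enforces. As the reply notes, this only keeps the values out of the public repository: on the machine that evaluates the configuration they still land in clear text in the world-readable Nix store.

```nix
# --- file: private-mail/flake.nix  (private repository, constructed example) ---
{
  description = "Private module holding personal e-mail account details";

  outputs = { self, ... }: {
    # Exported home-manager module; everything personal lives here.
    homeManagerModules.mail = { ... }: {
      accounts.email.accounts."personal" = {
        primary = true;
        address = "me@example.org";      # placeholder
        realName = "Jane Doe";           # placeholder
        userName = "me@example.org";     # placeholder
        imap.host = "imap.example.org";  # placeholder
        smtp.host = "smtp.example.org";  # placeholder
        # Let home-manager write this account into the Thunderbird profile(s).
        thunderbird.enable = true;
      };
    };
  };
}

# --- file: public-config/flake.nix  (public repository, constructed example) ---
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # The private repository; only people with SSH access can fetch it,
    # and the public flake.lock records just the revision, not the contents.
    private-mail.url = "git+ssh://git@example.org/me/private-mail.git";
  };

  outputs = { nixpkgs, home-manager, private-mail, ... }: {
    homeConfigurations."me" = home-manager.lib.homeManagerConfiguration {
      pkgs = nixpkgs.legacyPackages.x86_64-linux;
      modules = [
        # Import the personal details from the private flake ...
        private-mail.homeManagerModules.mail
        # ... and keep everything non-personal in the public flake.
        {
          home.username = "me";
          home.homeDirectory = "/home/me";
          home.stateVersion = "24.05";
          programs.thunderbird = {
            enable = true;
            profiles.default.isDefault = true;
          };
        }
      ];
    };
  };
}
```

Activate with `home-manager switch --flake .#me` from the public repository; because `private-mail` is an ordinary flake input, anyone without access to the private repository gets a fetch error at evaluation time rather than a build with missing accounts.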

Alright, thank you, guess that’s what I will do. I have no problem putting that info into a private repo, just don’t want personal information in a public one.
