libkookie: implement mail module handling via external configuration

infra/libkookie/.gitignore

@@ -0,0 +1,2 @@
+result
+ext/*

infra/libkookie/configuration/workstation/mail/default.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+  home.packages = with pkgs;
+    [
+      msmtp neomutt notmuch thunderbird
+    ];
+}

infra/libkookie/modules/harness/users.nix

@@ -29,6 +29,11 @@ in
   config = {
     users.mutableUsers = false;
     users.users = builtins.listToAttrs (map ({ name, cfg, ... }:
-      nameValuePair "${name}" cfg) config.libkookie.activeUsers); 
+      nameValuePair "${name}"
+        (cfg // { group = "${name}"; })) config.libkookie.activeUsers);
+
+    users.groups = builtins.listToAttrs (map ({ name, ... }:
+      nameValuePair "${name}" {}) config.libkookie.activeUsers);
+
   };
 }

infra/libkookie/modules/workstation/default.nix

@@ -4,5 +4,6 @@
     # Exposes both a nixos, and home-manager module
     ./ui/i3
     ./audio
+    ./mail
   ];
 }

infra/libkookie/modules/workstation/mail/core/default.nix

@@ -0,0 +1,35 @@
+{ pkgs, config, ... } @ args:
+
+let cfg = config.libkookie.workstation.mail;
+in
+{
+  # Might want to run mbsync manually
+  environment.systemPackages = with pkgs; [ isync ];
+
+  # Setup user to fetch mail
+  users.users.mail-user = {
+    createHome = true;
+    inherit (cfg.access) group;
+    home = "/var/lib/mail";
+  };
+
+  systemd.services.isync = (import ./isync.nix) args;
+  
+  systemd.timers.isync = {
+    timerConfig.Unit = "isync.service";
+    timerConfig.OnCalendar = "*:0/5";
+    timerConfig.Persistent = "true";
+    after = [ "network-online.target" ];
+    wantedBy = [ "timers.target" ];
+  };
+
+  # FIXME: this doesn't work and has never worked
+  # This sudoers rule allows anyone in the wheel group to run this
+  # particular command without a password. Make sure that 'startISync'
+  # is present in a path (environment.systemPackages above)!
+  # security.sudo.extraRules = [
+  #   { commands = [ { command = "${startISync}/bin/start-isync";
+  #                    options = [ "NOPASSWD" ]; } ];
+  #     groups = [ "wheel" ];  }
+  # ];
+}

infra/libkookie/modules/workstation/mail/core/isync.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+let cfg = config.libkookie.workstation.mail;
+in
+with pkgs;
+{
+  serviceConfig.Type = "oneshot";
+
+  script = let
+    cfgPath = (cfg.configPath + "/mbsyncrc.nix");
+    mbsyncBody = (import cfgPath cfg.mailArchive);
+    mbsyncrc = (writeText "mbsyncrc" mbsyncBody);
+  in
+    ''
+      ${sudo}/bin/sudo -u mail-user ${isync}/bin/mbsync -a -V -c ${mbsyncrc}
+    '';
+  
+  # This script loops through the mail archive and changes file
+  # permissions and ownership to allow the main user to access them.
+  # It then also runs `notmuch new` to update applications.
+  #
+  # Yes this script could use a single `find` invocation, but
+  # personally I've found that to be unclear, and this script running
+  # in the background means that speed is not of much concearn.
+  postStart = ''
+    ${findutils}/bin/find ${cfg.mailArchive} ! -name .mbsyncstate* | xargs chgrp ${cfg.access.group}
+    ${findutils}/bin/find ${cfg.mailArchive} -type f | xargs chmod 660
+    ${findutils}/bin/find ${cfg.mailArchive} -type d | xargs chmod 770
+
+    ${sudo}/bin/sudo -u ${cfg.access.user} ${notmuch}/bin/notmuch new
+  '';
+}

infra/libkookie/modules/workstation/mail/default.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, home-manager, ... } @ args:
+
+let cfg = config.libkookie.workstation.mail;
+in
+with lib;
+{
+  options.libkookie.workstation.mail = {
+    enable = mkEnableOption "libkookie mail system handling";
+
+    configPath = mkOption {
+      type = types.path;
+      description = ''
+        Set of configuration to configure sieve rules, and mail settings
+
+        These are not contained in this repository to avoid having to 
+        make them public.
+      '';
+    };
+
+    authPath = mkOption {
+      type = types.str;
+      default = "/var/lib/mail/";
+      description = ''
+        Path to the authentication secret.  This is not an actual path, 
+        to avoid it being copied to the nix store for any user to read.
+      '';
+    };
+
+    mailArchive = mkOption {
+      type = types.str;
+      description = "Path to the mail archive to sync into";
+    };
+
+    access = mkOption {
+      type = types.attrs;
+      description = "User and group to give the mail user for permissions";
+    };
+  };
+
+  config = mkIf cfg.enable (import ./core args);
+}

infra/libkookie/roots/tempest.nix

@@ -41,6 +41,7 @@ in
     (loadModule <configuration/workstation/audio> "default")
     (loadModule <configuration/workstation/kitty> "default")
     (loadModule <configuration/workstation/office> "default")
+    (loadModule <configuration/workstation/mail> "default")
     (loadModule <configuration/workstation/firefox> "default")
 
     # Development tools
@@ -63,6 +64,14 @@ in
   # Enable fish shell handling on the system
   libkookie.base.fish.enable = true;
 
+  # Configure mail handling
+  libkookie.workstation.mail = {
+    enable = true;
+    configPath = ../ext/mail;
+    mailArchive = "/home/Office/mail";
+    access = { user = "spacekookie"; group = "spacekookie"; };
+  };
+  
   # Enable desired users
   libkookie.activeUsers = [ (klib.load <configuration/users/spacekookie>) ];