Add mu4e mail provisioning with vault-backed iCloud secret

2026-05-30 15:39:58 +00:00 · 2026-03-17 22:12:05 +01:00
parent 1b463e1cb2
commit 576999d864
8 changed files with 57 additions and 0 deletions
--- a/ansible/inventory/group_vars/desktop.yml
+++ b/ansible/inventory/group_vars/desktop.yml
@@ -29,6 +29,10 @@ profile_packages:
  - network-manager-applet
  - chromium
  - emacs-gtk3
+  - mu4e
+  - isync
+  - msmtp
+  - libsecret
  - libtool
  - libvterm-devel
  - cmake
@@ -120,6 +124,14 @@ desktop_dotfiles:
    src: .themes.gitignore
    dest: .themes.gitignore
    mode: "0644"
+  - name: .mbsyncrc
+    src: .mbsyncrc
+    dest: .mbsyncrc
+    mode: "0600"
+  - name: .msmtprc
+    src: .msmtprc
+    dest: .msmtprc
+    mode: "0600"
  - name: Emacs config
    src: .emacs.d/
    dest: .emacs.d/
--- a/ansible/roles/profile_desktop_i3/tasks/main.yml
+++ b/ansible/roles/profile_desktop_i3/tasks/main.yml
@@ -63,6 +63,15 @@
    group: "{{ user_group }}"
    mode: "0600"

+- name: Store iCloud mail password in GNOME Keyring
+  ansible.builtin.command:
+    cmd: secret-tool store --label="iCloud Mail" icloud-mail icloud
+    stdin: "{{ vault_icloud_mail_password }}"
+    stdin_add_newline: false
+  become: false
+  no_log: true
+  when: (vault_icloud_mail_password | default('')) | length > 0
+
 - name: Ensure local source directory exists
  ansible.builtin.file:
    path: "{{ user_home }}/.local/src"
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -7,6 +7,11 @@

 - hosts: void
  become: true
+  pre_tasks:
+    - name: Load local vault variables when available
+      ansible.builtin.include_vars:
+        file: "{{ playbook_dir }}/../secrets/vault.yml"
+      when: lookup('ansible.builtin.fileglob', playbook_dir + '/../secrets/vault.yml', errors='ignore') != ''

  roles:
    - packages_void
--- a/scripts/update_protonmail_bridge_secret.sh
+++ b/scripts/update_protonmail_bridge_secret.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+set -eu
+
+printf "Proton Bridge password: "
+stty -echo
+IFS= read -r proton_bridge_password
+stty echo
+printf "\n"
+
+if [ -z "$proton_bridge_password" ]; then
+  printf "Error: empty password, nothing stored.\n" >&2
+  exit 1
+fi
+
+printf "%s" "$proton_bridge_password" \
+  | secret-tool store --label="ProtonMail Bridge" protonmail-bridge protonmail
+
+printf "ProtonMail Bridge secret updated in GNOME Keyring.\n"
--- a/secrets/.gitignore
+++ b/secrets/.gitignore
@@ -0,0 +1,2 @@
+.vault_pass
+.vault_pass*
--- a/secrets/.gitkeep
+++ b/secrets/.gitkeep
--- a/secrets/vault.yml
+++ b/secrets/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35326663666435356232666461316532653434653734613832646461666566373762613863653630
+6661663665613230343037313762643662663339383339320a366562326231663637643639633431
+62663231386339343033633662363531623931386239343532636530353735623233396238613666
+3330653433356539320a353930626335663331333433386139393538343232636161396464306632
+66336530366531656261316634663265363731666638323863313762373766303839363463633835
+66653733373961636165393462376561666531343230626338333333373663613133633937336539
+353632303535393564636232626135313630
--- a/secrets/vault.yml.example
+++ b/secrets/vault.yml.example
@@ -0,0 +1,2 @@
+---
+vault_icloud_mail_password: "REPLACE_ME"