Harden desktop mail bootstrap workflow

2026-05-30 23:49:56 +00:00 · 2026-03-26 16:36:28 +01:00
parent ab530b9b9b
commit 6c54a7ace0
4 changed files with 91 additions and 27 deletions
--- a/ansible/inventory/group_vars/desktop.yml
+++ b/ansible/inventory/group_vars/desktop.yml
@@ -1,5 +1,6 @@
 ---
 desktop_manage_icloud_keyring: false
+desktop_protonmail_bridge_cert_path: ~/.var/app/ch.protonmail.protonmail-bridge/config/protonmail/bridge-v3/cert.pem

 profile_packages:
  - i3
--- a/ansible/templates/desktop/.mbsyncrc.j2
+++ b/ansible/templates/desktop/.mbsyncrc.j2
@@ -5,8 +5,8 @@ IMAPStore iCloud-remote
    User {{ vault_icloud_email }}
    PassCmd "secret-tool lookup icloud-mail icloud"
    AuthMechs *
-    SSLType IMAPS
-    SSLVersions TLSv1.2 TLSv1.3
+    TLSType IMAPS
+    TLSVersions +1.2 +1.3
    PipelineDepth 1

 MaildirStore iCloud-local
@@ -29,9 +29,9 @@ IMAPStore protonmail-remote
    User {{ vault_protonmail_email }}
    PassCmd "secret-tool lookup protonmail-bridge protonmail"
    AuthMechs *
-    SSLType STARTTLS
+    TLSType STARTTLS
    PipelineDepth 1
-    CertificateFile  ~/.config/protonmail/bridge-v3/cert.pem
+    CertificateFile  {{ desktop_protonmail_bridge_cert_path }}

 MaildirStore protonmail-local
    Path ~/Maildir/ProtonMailAccount/
--- a/ansible/templates/desktop/.msmtprc.j2
+++ b/ansible/templates/desktop/.msmtprc.j2
@@ -40,7 +40,7 @@ from           {{ vault_protonmail_email }}

 # Security
 tls on
-tls_trust_file ~/.config/protonmail/bridge-v3/cert.pem
+tls_trust_file {{ desktop_protonmail_bridge_cert_path }}

 # Authentication
 auth           on