feat: work email qol changes

SwarselSystems.org

@@ -10386,7 +10386,6 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9
         gh
       ];
 
-
       services = {
         spice-vdagentd.enable = true;
         openssh = {
@@ -11980,22 +11979,76 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
       # this is needed so that mbsync can use the passwords from sops
       systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
 
-      accounts = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
+      programs.thunderbird = {
-        email = {
+        enable = true;
-          maildirBasePath = "Mail";
+        profiles.default = {
-          accounts = {
+          isDefault = true;
-            leon = {
+          withExternalGnupg = true;
-              primary = true;
+          settings = {
-              address = address1;
+            "mail.identity.default.archive_enabled" = true;
-              userName = address1;
+            "mail.identity.default.archive_keep_folder_structure" = true;
-              realName = fullName;
+            "mail.identity.default.compose_html" = false;
-              passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
+            "mail.identity.default.protectSubject" = true;
-              gpg = {
+            "mail.identity.default.reply_on_top" = 1;
-                key = "0x76FD3810215AE097";
+            "mail.identity.default.sig_on_reply" = false;
-                signByDefault = true;
+            "mail.identity.default.sig_bottom" = false;
+
+            "gfx.webrender.all" = true;
+            "gfx.webrender.enabled" = true;
+          };
+        };
+
+        settings = {
+          "mail.server.default.allow_utf8_accept" = true;
+          "mail.server.default.max_articles" = 1000;
+          "mail.server.default.check_all_folders_for_new" = true;
+          "mail.show_headers" = 1;
+          "mail.identity.default.auto_quote" = true;
+          "mail.identity.default.attachPgpKey" = true;
+          "mailnews.default_sort_order" = 2;
+          "mailnews.default_sort_type" = 18;
+          "mailnews.default_view_flags" = 0;
+          "mailnews.sort_threads_by_root" = true;
+          "mailnews.headers.showMessageId" = true;
+          "mailnews.headers.showOrganization" = true;
+          "mailnews.headers.showReferences" = true;
+          "mailnews.headers.showUserAgent" = true;
+          "mail.imap.expunge_after_delete" = true;
+          "mail.server.default.delete_model" = 2;
+          "mail.warn_on_delete_from_trash" = false;
+          "mail.warn_on_shift_delete" = false;
+          "toolkit.telemetry.enabled" = false;
+          "toolkit.telemetry.rejected" = true;
+          "toolkit.telemetry.prompted" = 2;
+          "app.update.auto" = false;
+          "privacy.donottrackheader.enabled" = true;
+        };
+      };
+
+      xdg.mimeApps.defaultApplications = {
+        "x-scheme-handler/mailto" = [ "thunderbird.desktop" ];
+        "x-scheme-handler/mid" = [ "thunderbird.desktop" ];
+        "message/rfc822" = [ "thunderbird.desktop" ];
+      };
+
+      accounts = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
+        email =
+          let
+            defaultSettings = {
+              imap = {
+                host = "imap.gmail.com";
+                port = 993;
+                tls.enable = true; # SSL/TLS
+              };
+              smtp = {
+                host = "smtp.gmail.com";
+                port = 465;
+                tls.enable = true; # SSL/TLS
+              };
+              thunderbird = {
+                enable = true;
+                profiles = [ "default" ];
               };
-              imap.host = "imap.gmail.com";
-              smtp.host = "smtp.gmail.com";
               mu.enable = true;
               msmtp = {
                 enable = true;
@@ -12016,7 +12069,10 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
                 };
               };
             };
-
+          in
+          {
+            maildirBasePath = "Mail";
+            accounts = {
               swarsel = {
                 address = address4;
                 userName = address4-user;
@@ -12039,59 +12095,39 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
                 };
               };
 
-            nautilus = {
+              leon = lib.recursiveUpdate
+                {
+                  primary = true;
+                  address = address1;
+                  userName = address1;
+                  realName = fullName;
+                  passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
+                  gpg = {
+                    key = "0x76FD3810215AE097";
+                    signByDefault = true;
+                  };
+                }
+                defaultSettings;
+
+              nautilus = lib.recursiveUpdate
+                {
                   primary = false;
                   address = address2;
                   userName = address2;
                   realName = address2-name;
                   passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}";
-              imap.host = "imap.gmail.com";
+                }
-              smtp.host = "smtp.gmail.com";
+                defaultSettings;
-              msmtp.enable = true;
-              mu.enable = true;
-              mbsync = {
-                enable = true;
-                create = "maildir";
-                expunge = "both";
-                patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
-                extraConfig = {
-                  channel = {
-                    Sync = "All";
-                  };
-                  account = {
-                    Timeout = 120;
-                    PipelineDepth = 1;
-                  };
-                };
-              };
-            };
 
-            mrswarsel = {
+              mrswarsel = lib.recursiveUpdate
+                {
                   primary = false;
                   address = address3;
                   userName = address3;
                   realName = address3-name;
                   passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}";
-              imap.host = "imap.gmail.com";
+                }
-              smtp.host = "smtp.gmail.com";
+                defaultSettings;
-              msmtp.enable = true;
-              mu.enable = true;
-              mbsync = {
-                enable = true;
-                create = "maildir";
-                expunge = "both";
-                patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
-                extraConfig = {
-                  channel = {
-                    Sync = "All";
-                  };
-                  account = {
-                    Timeout = 120;
-                    PipelineDepth = 1;
-                  };
-                };
-              };
-            };
 
             };
           };
@@ -13614,7 +13650,8 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]
   in
   {
     options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
-    config = lib.mkIf config.swarselmodules.optional.work {
+    config = lib.mkIf config.swarselmodules.optional.work
+      {
         home.packages = with pkgs; [
           stable.teams-for-linux
           shellcheck
@@ -13627,13 +13664,92 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]
           stable.prometheus.cli
           tigervnc
           openstackclient
+          pizauth
         ];
 
+        systemd.user.services.pizauth = {
+          Unit = {
+            Description = "Pizauth OAuth2 token manager";
+          };
+
+          Service = {
+            Type = "simple";
+            ExecStart = "${pkgs.pizauth}/bin/pizauth server -vvvv -d";
+            ExecReload = "${pkgs.pizauth}/bin/pizauth reload";
+            ExecStop = "${pkgs.pizauth}/bin/pizauth shutdown";
+          };
+
+          Install = {
+            WantedBy = [ "default.target" ];
+          };
+        };
+
         home.sessionVariables = {
           DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
           DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
         };
 
+        accounts.email.accounts.work =
+          let
+            inherit (nixosConfig.repo.secrets.local.work) mailAddress mailName;
+          in
+          {
+            primary = false;
+            address = mailAddress;
+            userName = mailAddress;
+            realName = mailName;
+            passwordCommand = "pizauth show work";
+            imap = {
+              host = "outlook.office365.com";
+              port = 993;
+              tls.enable = true; # SSL/TLS
+            };
+            smtp = {
+              host = "outlook.office365.com";
+              port = 587;
+              tls = {
+                enable = true; # SSL/TLS
+                useStartTls = true;
+              };
+            };
+            thunderbird = {
+              enable = true;
+              profiles = [ "default" ];
+              settings = id: {
+                "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
+                "mail.server.server_${id}.authMethod" = 10; # oauth
+                # "toolkit.telemetry.enabled" = false;
+                # "toolkit.telemetry.rejected" = true;
+                # "toolkit.telemetry.prompted" = 2;
+              };
+            };
+            msmtp = {
+              enable = false;
+              extraConfig = {
+                account = "work";
+                auth = "xoauth2";
+                host = "outlook.office365.com";
+                protocol = "smtp";
+                port = "587";
+                tls = "on";
+                tls_starttls = "on";
+                from = "${mailAddress}";
+                user = "${mailAddress}";
+                passwordeval = "pizauth show work";
+              };
+            };
+            mu.enable = false;
+            mbsync = {
+              enable = false;
+              expunge = "both";
+              extraConfig = {
+                account = {
+                  AuthMechs = "XOAUTH2";
+                };
+              };
+            };
+          };
+
         wayland.windowManager.sway.config = {
           output = {
             "Applied Creative Technology Transmitter QUATTRO201811" = {
@@ -13906,6 +14022,23 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]
             inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
           in
           {
+            configFile."pizauth.conf".text = ''
+                account "work" {
+                auth_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+                token_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+                client_id = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
+                client_secret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
+                scopes = [
+                  "https://outlook.office365.com/IMAP.AccessAsUser.All",
+                  "https://outlook.office365.com/SMTP.Send",
+                  "offline_access"
+                ];
+                // You don't have to specify login_hint, but it does make
+                // authentication a little easier.
+                login_hint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
+              }
+            '';
+
             mimeApps = {
               defaultApplications = {
                 "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];

hosts/nixos/pyramid/secrets/pii.nix.enc

@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:SEQIHMS8xUj6vsC1+1zTRG+h5BbqL0miA77UEh0UbiFOP7RgqhUlZgq+LmO7BRiIf4RHO13BZ5PXdKiZ96lgGcaquVnaEEQqv2NvkstXpwm3eLjUTJryMxfVupeir5g/FNXHETzhN425KD93EyMr4g7INJW4N4mHXmDnHJOJgS8rlKnSLG64cpgrlef8GAsGfp+i3ky2dig4jNQG8Ijdc46qtiyH9bs7k0d/YuNNmcZSaSIukNyyIMVTqlt6MV+9iUQ4Lj5h0pxgDLfjM1TNQAHRkWW4eozt7SO17U9td1DxvBF9TUdj3xbFCVo4c1OGw4hrjahvUAF8u1TEXBhhJfLqApDUBddRMxybk8Dy98jOHcb6Qwu3qUcgRt9XgkOktwgovS/B2WWAIWMTIZhyKm5ENriaTZWSp6n7hzkw1C1wXyCaP6YT0A4SSPPJt/DuTcBZ5BOFM10237NNgZA0Q7B5J5C57W88bhtzZ2aJZexyQYqQPrr5c38RwR00OAVGJeCgcq70JqeA5EpTuud20rBE0/dHHEPeVUBkrq8pjBHh4SYeMOh8g85CnlF31cxAcnrVJbO14hQQ8sQd4ZmkRNcY3EL981ruDy6Okd3K5AifmF/E9IEZwbvCSLY8EYANA+NV97ZsL4zJOWC6tnA1QHFDoqCR/POsupvGQetYpembrUY0WoB5XkfAvMicQCeLJe2H7S6pOVMDOIIZLx57vcO855LlIJiCpMw2ytqbBXRZolM2WXEBZDEL6BnrEydUnoiUCxqsUrdvQE3HTzktXKQww9jc6HLfBV1MvfScWq2fisGDlkrC2rI5VcWamm8Xbke4uTVcdbKlDpgbpC8NaWmmgNhFe50VNf7M/L5etnvuWWbY68epLZo7dsaaWVE584pdVFT+2K2GwWmGnMHKW+KKA6O9hFfdPUOsJj+eJiF9JX7OwLPAJILTjesWfHXivILBwjDyY5CBCHg91fsrPF37222O/HPPukveY/u6WBOt+co3Ch9mq9usdD7fhieo59IZ7aOJb7dxHSa99nBD8NZbwn6nJkgn3hpLfP9q/2TWcF/zSD1oGY7f1GVbEKEHj2hHv+OHMhFzgRhi5NtvGOO4l0aa1QE1eyRJgHLeqS5aL119Fh1+PSSN9/+v1q6l2JjYuQAV1BqzVdG2GS64J4PBxVqmZ3M9Qv2ZvH0Zwjs64M3MDUMNa5+HZAkPpThvrUWSCEFivIfiOi4Bt/h+HmyQb04LB5QuNFSiRpuF+fQcA+MmMQ==,iv:PL7Z5mKqbNbPfptREw9xFTiOQ1qiVkyxLPvDSoPvbbY=,tag:OPlhVLtN5IDdL/nkkj8+CQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:kkwEMOzab5JK9G+rSfYygcAI6Y+b1tXkUFPdxN8e2Rnz2Uv4bDfITu8bmKqJ1q5kmHxQjQukioZkdQkabqBR8cx/CG3dRJfPAjEwMz4v8UYGSNSf8blJvdb4YKSizeOEALCuawBIm5hmvwuskXlol6UfkK66h9UnP94wwdh0KKemWinANxbIUX+cl6kK4X1eZrWRGr5Ts2HmjcowIbA+SmA8yVAwqoP6L1DuavilLGPfWhBI4Kj7ZTI3LRlvu4DZZ+DCAea3FgrrjbTWiWZfFW0YX2fDgNQkIxpp3N203zDu23HebZcmCrVBkfvFS7awBr5iVnwfsqOJR0LH92lIlUb8YoFShlJU/Day80i9uyYDCTHc4l2NBvjIH8NlpiYaA2A+rCW3VkVX3WzCGxBfi/kIqoNE3RdLJAYrIimsYaHSmk4o6jslR3xIRyQzDcNtWa92kINdCwBuJXc0UYe/HnR8tFlmOrlixMlVINTy45PRNYJoy7cuoJPd+aNIPQ2V31TB/CjUSZhEptVJSnQnKDui1xuV7vqcyPv06xftJGZRk/LL2cl3+HDLflkZYE7NVlLaOWMBOkX99W/WokF3NGBWuVeUp9bLCwpuEmzFafpCjKhGrQSDGkw17jmYWCULN9v3q6OvyylwqVuDDQZNSxGZFsSPr7qOxeENwTDQvRwpydthPRMMHh/wf3t5pyV/jW79SBuxIWvn4JbO8TBsd9TmVgXMgpd97+Zg3CnTqZApVVRzM8NzF25fMYHJv12YvkEmyOm0otFU84COhgNkpBRTJhyJdjKWVOTJFJyQviwy6BTBF6jqHyS+YP7BEZO2UID/9ODKVrSACCatSQlNtLQRrXOiE9h3g43uAJc/TyJ+A0IceUJ3BM+6PEJiqDWUfO5ucP3pLDdb4IDOAi/YeV9HQdyCdEVRf6a0CHmPcnkb+X+fxxcmZQCvuzQjOZQZw8UUwfhdJms6jTWqaN9leb3z4u8RPxOM1T+Qsu5dL5ouady7xVSO4c1Fw+EiiL9yOh42DTa4OyBlcTJiz5iigqmkaiQOwdwn+FlOYNraOd24h8+x7dDVQBbHjnV7xF7I1rmpOfA/lUbfovLU5SrIxLPT64J25ucudJWBTCDiYADUwhv+QmfJJsdt11+NWPkS3ymFbbWPtpZvhCaawrNKb3s/ohOEi8JIAyY9dtfRGuRoTsCcsJ4xjeSLehX4TgR0cl31Jmm+0kO2uuP7veDrqyUg1Swqsq4+BKfimprh/QzwSoB9lOdEPu0bdQza9sk+D5+H2ooXsVXA2YJscBZ/Kv+YYW57LlfwEvfpJDx5XiQtAYYlUeN8SPx72i9QzYugm339gj+eB8gtbX3W8Sl+D9Vs0P+GZ4G7K03JvzEExtA=,iv:Go3U5S9ZxtPawFoVjknH8j8WDg2TJLIU6mp5DQDj9BE=,tag:0QPJYyQsuZ4hz8xZZ2V4xw==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -11,8 +11,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z2tONmQxTUhZUW12Z2Jm\nUnoxSnpYcnZDNGNzSko1ckl2RDh3NG1VS2dFCmIwUXhmSk1OUk02S0JPVDR5UWJ4\na0gwWlg0V005ZWxYa29PZ0laS2VqM0kKLS0tIHN5SU9pQ090eHljeXJGWm5hRFQ4\nZ001Nzkyb29RYkNUMDNDNlo4YnVQeTQK34bNIBgxId2+DHKQNVV3Iro3KGkE03Sp\niB1+dADT6nRvGvoyPqnLq/NYfw7eQ6XqYt55zkdCta8v6L1UNUkw8g==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-07-13T23:20:32Z",
+		"lastmodified": "2025-08-07T12:21:20Z",
-		"mac": "ENC[AES256_GCM,data:ibG9NVwVLf4UgdxnHbAToq5n12v4PPgPmnTn8PYg0LZfU2x6GaxRtNvWoFxDa9bEWMRzrlC5oV+hXsTxzJdYliafNTOxWjtOI/ME/HgEE8cU17HuJViWkR+CL+kzCelgFjCD3XajbTRzdTBtcI9icsUvnaManjlSvsgWmqNP36Y=,iv:uCy8Mv5HM611Qd4cvvEiDovnv1uuLZVSN7p7SV10zRA=,tag:fRjfyRkIIh5L97WVyNyxSQ==,type:str]",
+		"mac": "ENC[AES256_GCM,data:JxNvTsW6D7IbaczGsdgfTJcACm5VLrOw6Ep+RU9PoXn2LJZeJ9U8KIlnNdODtxMpiIpZ+ZPeJgQk+EXlUVd5n2dJQEr6vqfs4o85givDWE29Pki12Zb7jMhiW8/z9GYQ/TcskkWUfA0Brz9fKVKXLARvQdL1/9Rlw+F1VwWWBOo=,iv:V31hoIpUgq6X47D0B+MtBMsdD0oDpPkh2kvQWRJtS3w=,tag:dsW9SUIdGipX5rKyLAvCvQ==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-06-14T22:31:01Z",

modules/home/common/mail.nix

@@ -33,22 +33,76 @@ in
     # this is needed so that mbsync can use the passwords from sops
     systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
 
-    accounts = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
+    programs.thunderbird = {
-      email = {
+      enable = true;
-        maildirBasePath = "Mail";
+      profiles.default = {
-        accounts = {
+        isDefault = true;
-          leon = {
+        withExternalGnupg = true;
-            primary = true;
+        settings = {
-            address = address1;
+          "mail.identity.default.archive_enabled" = true;
-            userName = address1;
+          "mail.identity.default.archive_keep_folder_structure" = true;
-            realName = fullName;
+          "mail.identity.default.compose_html" = false;
-            passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
+          "mail.identity.default.protectSubject" = true;
-            gpg = {
+          "mail.identity.default.reply_on_top" = 1;
-              key = "0x76FD3810215AE097";
+          "mail.identity.default.sig_on_reply" = false;
-              signByDefault = true;
+          "mail.identity.default.sig_bottom" = false;
+
+          "gfx.webrender.all" = true;
+          "gfx.webrender.enabled" = true;
+        };
+      };
+
+      settings = {
+        "mail.server.default.allow_utf8_accept" = true;
+        "mail.server.default.max_articles" = 1000;
+        "mail.server.default.check_all_folders_for_new" = true;
+        "mail.show_headers" = 1;
+        "mail.identity.default.auto_quote" = true;
+        "mail.identity.default.attachPgpKey" = true;
+        "mailnews.default_sort_order" = 2;
+        "mailnews.default_sort_type" = 18;
+        "mailnews.default_view_flags" = 0;
+        "mailnews.sort_threads_by_root" = true;
+        "mailnews.headers.showMessageId" = true;
+        "mailnews.headers.showOrganization" = true;
+        "mailnews.headers.showReferences" = true;
+        "mailnews.headers.showUserAgent" = true;
+        "mail.imap.expunge_after_delete" = true;
+        "mail.server.default.delete_model" = 2;
+        "mail.warn_on_delete_from_trash" = false;
+        "mail.warn_on_shift_delete" = false;
+        "toolkit.telemetry.enabled" = false;
+        "toolkit.telemetry.rejected" = true;
+        "toolkit.telemetry.prompted" = 2;
+        "app.update.auto" = false;
+        "privacy.donottrackheader.enabled" = true;
+      };
+    };
+
+    xdg.mimeApps.defaultApplications = {
+      "x-scheme-handler/mailto" = [ "thunderbird.desktop" ];
+      "x-scheme-handler/mid" = [ "thunderbird.desktop" ];
+      "message/rfc822" = [ "thunderbird.desktop" ];
+    };
+
+    accounts = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
+      email =
+        let
+          defaultSettings = {
+            imap = {
+              host = "imap.gmail.com";
+              port = 993;
+              tls.enable = true; # SSL/TLS
+            };
+            smtp = {
+              host = "smtp.gmail.com";
+              port = 465;
+              tls.enable = true; # SSL/TLS
+            };
+            thunderbird = {
+              enable = true;
+              profiles = [ "default" ];
             };
-            imap.host = "imap.gmail.com";
-            smtp.host = "smtp.gmail.com";
             mu.enable = true;
             msmtp = {
               enable = true;
@@ -69,7 +123,10 @@ in
               };
             };
           };
-
+        in
+        {
+          maildirBasePath = "Mail";
+          accounts = {
             swarsel = {
               address = address4;
               userName = address4-user;
@@ -92,59 +149,39 @@ in
               };
             };
 
-          nautilus = {
+            leon = lib.recursiveUpdate
+              {
+                primary = true;
+                address = address1;
+                userName = address1;
+                realName = fullName;
+                passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
+                gpg = {
+                  key = "0x76FD3810215AE097";
+                  signByDefault = true;
+                };
+              }
+              defaultSettings;
+
+            nautilus = lib.recursiveUpdate
+              {
                 primary = false;
                 address = address2;
                 userName = address2;
                 realName = address2-name;
                 passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}";
-            imap.host = "imap.gmail.com";
+              }
-            smtp.host = "smtp.gmail.com";
+              defaultSettings;
-            msmtp.enable = true;
-            mu.enable = true;
-            mbsync = {
-              enable = true;
-              create = "maildir";
-              expunge = "both";
-              patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
-              extraConfig = {
-                channel = {
-                  Sync = "All";
-                };
-                account = {
-                  Timeout = 120;
-                  PipelineDepth = 1;
-                };
-              };
-            };
-          };
 
-          mrswarsel = {
+            mrswarsel = lib.recursiveUpdate
+              {
                 primary = false;
                 address = address3;
                 userName = address3;
                 realName = address3-name;
                 passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}";
-            imap.host = "imap.gmail.com";
+              }
-            smtp.host = "smtp.gmail.com";
+              defaultSettings;
-            msmtp.enable = true;
-            mu.enable = true;
-            mbsync = {
-              enable = true;
-              create = "maildir";
-              expunge = "both";
-              patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
-              extraConfig = {
-                channel = {
-                  Sync = "All";
-                };
-                account = {
-                  Timeout = 120;
-                  PipelineDepth = 1;
-                };
-              };
-            };
-          };
 
           };
         };

modules/home/optional/work.nix

@@ -4,7 +4,8 @@ let
 in
 {
   options.swarselmodules.optional.work = lib.mkEnableOption "optional work settings";
-  config = lib.mkIf config.swarselmodules.optional.work {
+  config = lib.mkIf config.swarselmodules.optional.work
+    {
       home.packages = with pkgs; [
         stable.teams-for-linux
         shellcheck
@@ -17,13 +18,92 @@ in
         stable.prometheus.cli
         tigervnc
         openstackclient
+        pizauth
       ];
 
+      systemd.user.services.pizauth = {
+        Unit = {
+          Description = "Pizauth OAuth2 token manager";
+        };
+
+        Service = {
+          Type = "simple";
+          ExecStart = "${pkgs.pizauth}/bin/pizauth server -vvvv -d";
+          ExecReload = "${pkgs.pizauth}/bin/pizauth reload";
+          ExecStop = "${pkgs.pizauth}/bin/pizauth shutdown";
+        };
+
+        Install = {
+          WantedBy = [ "default.target" ];
+        };
+      };
+
       home.sessionVariables = {
         DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
         DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
       };
 
+      accounts.email.accounts.work =
+        let
+          inherit (nixosConfig.repo.secrets.local.work) mailAddress mailName;
+        in
+        {
+          primary = false;
+          address = mailAddress;
+          userName = mailAddress;
+          realName = mailName;
+          passwordCommand = "pizauth show work";
+          imap = {
+            host = "outlook.office365.com";
+            port = 993;
+            tls.enable = true; # SSL/TLS
+          };
+          smtp = {
+            host = "outlook.office365.com";
+            port = 587;
+            tls = {
+              enable = true; # SSL/TLS
+              useStartTls = true;
+            };
+          };
+          thunderbird = {
+            enable = true;
+            profiles = [ "default" ];
+            settings = id: {
+              "mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
+              "mail.server.server_${id}.authMethod" = 10; # oauth
+              # "toolkit.telemetry.enabled" = false;
+              # "toolkit.telemetry.rejected" = true;
+              # "toolkit.telemetry.prompted" = 2;
+            };
+          };
+          msmtp = {
+            enable = false;
+            extraConfig = {
+              account = "work";
+              auth = "xoauth2";
+              host = "outlook.office365.com";
+              protocol = "smtp";
+              port = "587";
+              tls = "on";
+              tls_starttls = "on";
+              from = "${mailAddress}";
+              user = "${mailAddress}";
+              passwordeval = "pizauth show work";
+            };
+          };
+          mu.enable = false;
+          mbsync = {
+            enable = false;
+            expunge = "both";
+            extraConfig = {
+              account = {
+                AuthMechs = "XOAUTH2";
+              };
+            };
+          };
+        };
+
       wayland.windowManager.sway.config = {
         output = {
           "Applied Creative Technology Transmitter QUATTRO201811" = {
@@ -296,6 +376,23 @@ in
           inherit (nixosConfig.repo.secrets.local.work) user1 user2 user3;
         in
         {
+          configFile."pizauth.conf".text = ''
+              account "work" {
+              auth_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+              token_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+              client_id = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
+              client_secret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
+              scopes = [
+                "https://outlook.office365.com/IMAP.AccessAsUser.All",
+                "https://outlook.office365.com/SMTP.Send",
+                "offline_access"
+              ];
+              // You don't have to specify login_hint, but it does make
+              // authentication a little easier.
+              login_hint = "${nixosConfig.repo.secrets.local.work.mailAddress}";
+            }
+          '';
+
           mimeApps = {
             defaultApplications = {
               "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];

modules/nixos/optional/work.nix

@@ -213,7 +213,6 @@ in
       gh
     ];
 
-
     services = {
       spice-vdagentd.enable = true;
       openssh = {