# Flake providing the `milters` NixOS module: wires OpenDKIM (signing),
# OpenDMARC and OpenARC (imported from sibling flakes) plus a small custom
# "verify from" milter, and exposes their socket paths to the rest of the
# mail stack. All inputs are local `path:` references, i.e. this flake is
# meant to be consumed from within the same repository tree.
{
  inputs.secrets.url = "path:../../secrets";
  inputs.environment.url = "path:../environment";
  inputs.files-watcher.url = "path:../../files-watcher";
  inputs.opendmarc.url = "path:../../opendmarc";
  inputs.openarc.url = "path:../../openarc";
  outputs = { self, secrets, environment, opendmarc, openarc, files-watcher }: {
    # Default module alias so `inputs.milters.nixosModule` works.
    nixosModule = self.nixosModules.milters;
    # `nodes` is not a standard NixOS module argument; it is presumably
    # injected by the deployment tool (used below to read another host's
    # DNS zones) — confirm against the deployment setup.
    nixosModules.milters = { lib, pkgs, config, nodes, ... }:
    {
      imports = [
        secrets.nixosModule
        environment.nixosModule
        files-watcher.nixosModule
        opendmarc.nixosModule
        openarc.nixosModule
      ];
      options.myServices.mail.milters.enable = lib.mkEnableOption "enable Mail milters";
      # Read-only map of milter name -> UNIX socket path. The opendkim path
      # is fixed here and fed back into `services.opendkim.socket` below;
      # the other two mirror the options of the imported modules. Consumers
      # (presumably the postfix configuration elsewhere) read this attrset
      # rather than hard-coding paths.
      options.myServices.mail.milters.sockets = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          opendkim = "/run/opendkim/opendkim.sock";
          opendmarc = config.services.opendmarc.socket;
          openarc = config.services.openarc.socket;
        };
        readOnly = true;
        description = ''
          milters sockets
        '';
      };
      config = lib.mkIf config.myServices.mail.milters.enable {
        # DKIM private keys are deployed by the secrets module, owned by the
        # opendkim user/group: directory 0550 (traverse only), key files
        # 0400 (owner read only). The key material itself comes from
        # `config.myEnv.mail.dkim.<selector>.private`.
        secrets.keys = {
          "opendkim" = {
            isDir = true;
            user = config.services.opendkim.user;
            group = config.services.opendkim.group;
            permissions = "0550";
          };
          "opendkim/eldiron.private" = {
            user = config.services.opendkim.user;
            group = config.services.opendkim.group;
            permissions = "0400";
            text = config.myEnv.mail.dkim.eldiron.private;
          };
          # NOTE(review): only `eldiron2` is the active selector (see
          # `services.opendkim.selector`), yet the old `eldiron` key is still
          # deployed and watched above. Presumably a rotation overlap; once
          # the old selector's DNS record is retired, drop the old key from
          # the host so a retired signing key is not kept around on disk.
          "opendkim/eldiron2.private" = {
            user = config.services.opendkim.user;
            group = config.services.opendkim.group;
            permissions = "0400";
            text = config.myEnv.mail.dkim.eldiron2.private;
          };
        };
        # Presumably required for the opendkim user to reach the secrets
        # directory deployed under a `keys`-group-owned path — confirm with
        # the secrets module.
        users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
        services.opendkim = {
          enable = true;
          socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
          # Signing domains: every `fqdn` of every `emailPolicies` entry of
          # every DNS zone declared on the `eldiron` node, joined with ",".
          # This is a cross-node dependency: this host signs for whatever
          # domains the eldiron node's DNS configuration lists.
          domains =
            let
              getDomains = p: lib.mapAttrsToList (n: v: v.fqdn) p.emailPolicies;
              bydomain = builtins.mapAttrs (n: getDomains) nodes.eldiron.config.myServices.dns.zones;
              domains' = lib.flatten (builtins.attrValues bydomain);
            in
              builtins.concatStringsSep "," domains';
          # Points at the secrets directory, not a single file; the file
          # used is `<keyPath>/<selector>.private`.
          keyPath = config.secrets.fullPaths."opendkim";
          selector = "eldiron2";
          # UMask 002 leaves the socket group-writable (connectable) while
          # denying "other" write; together with `group = postfix.group`
          # below this lets postfix connect and nobody else — that is the
          # apparent intent. AlwaysAddARHeader makes OpenDKIM add an
          # Authentication-Results header on every message it handles.
          configFile = pkgs.writeText "opendkim.conf" ''
            SubDomains yes
            UMask 002
            AlwaysAddARHeader yes
          '';
          group = config.services.postfix.group;
        };
        systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
        # `mkBefore` places `exit 0` ahead of the NixOS module's own preStart
        # body, so that body (which would otherwise manage key files under
        # keyPath) never runs; key files are owned by the secrets module.
        systemd.services.opendkim.preStart = lib.mkBefore ''
          # Skip the prestart script as keys are handled in secrets
          exit 0
        '';
        # Restart opendkim whenever either deployed key file changes, so a
        # rotated key is picked up without a manual restart.
        services.filesWatcher.opendkim = {
          restart = true;
          paths = [
            config.secrets.fullPaths."opendkim/eldiron.private"
            config.secrets.fullPaths."opendkim/eldiron2.private"
          ];
        };

        # Custom milter implemented in ./verify_from.py (not shown here),
        # listening on a UNIX socket inside its RuntimeDirectory.
        systemd.services.milter_verify_from = {
          description = "Verify from milter";
          after = [ "network.target" ];
          wantedBy = [ "multi-user.target" ];

          serviceConfig = {
            Slice = "mail.slice";
            # Runs directly as the postfix user rather than a dedicated one,
            # so it can reach the socket with postfix's credentials.
            # NOTE(review): no systemd sandboxing (e.g. ProtectSystem,
            # ProtectHome, NoNewPrivileges, PrivateTmp) is set on this unit;
            # it parses untrusted mail content as the postfix user, so
            # hardening directives would be worth adding.
            User = "postfix";
            Group = "postfix";
            ExecStart = let
              # pymilter is pinned to an exact PyPI release by sha256; the
              # package's test suite is skipped (doCheck = false). It is
              # built against libmilter, which the milter protocol requires.
              # NOTE(review): python38 is an old interpreter line — confirm
              # it is still maintained in the pinned nixpkgs.
              pymilter = with pkgs.python38Packages; buildPythonPackage rec {
                pname = "pymilter";
                version = "1.0.4";
                src = fetchPypi {
                  inherit pname version;
                  sha256 = "1bpcvq7d72q0zi7c8h5knhasywwz9gxc23n9fxmw874n5k8hsn7k";
                };
                doCheck = false;
                buildInputs = [ pkgs.libmilter ];
              };
              python = pkgs.python38.withPackages (p: [ pymilter ]);
            in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
            # systemd creates /run/milter_verify_from owned by User/Group
            # above; the socket path in ExecStart lives inside it.
            RuntimeDirectory = "milter_verify_from";
          };
        };
      };
    };
  };
}