# NixOS module wiring the three mail milters (opendkim, opendmarc, openarc)
# used by the mail stack. Everything below `config` is only applied when
# `myServices.mail.enable` is set. Key material and the DMARC ignore list
# are not generated here: they are provisioned through the `secrets.keys`
# mechanism and the services only point at the resulting paths.
{ lib, pkgs, config, ... }:
{
  # Unix socket path of each milter, exposed so other modules (the MTA,
  # presumably) can reference them. `readOnly` means the defaults cannot be
  # overridden elsewhere; change them here if the socket layout changes.
  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = "/run/opendmarc/opendmarc.sock";
      openarc = "/run/openarc/openarc.sock";
    };
    readOnly = true;
    description = ''
      milters sockets
    '';
  };
  config = lib.mkIf config.myServices.mail.enable {
    # Secret files, owned by the service user that needs them. The private
    # DKIM key is mode 0400 (owner-read only); the public TXT record is
    # world-readable (0444) since it is published in DNS anyway. The DMARC
    # ignore list is 0400 for the opendmarc user.
    secrets.keys = [
      {
        dest = "opendkim/eldiron.private";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0400";
        text = config.myEnv.mail.dkim.eldiron.private;
      }
      {
        dest = "opendkim/eldiron.txt";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0444";
        text = ''
          eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
      }
      {
        dest = "opendmarc/ignore.hosts";
        user = config.services.opendmarc.user;
        group = config.services.opendmarc.group;
        permissions = "0400";
        text = config.myEnv.mail.dmarc.ignore_hosts;
      }
    ];
    # "keys" is presumably the group owning the secrets location, needed to
    # traverse it and reach the files declared above -- confirm against the
    # secrets module.
    users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
    services.opendkim = {
      enable = true;
      socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
      # Signing domains: every zone in masterZones that has a `withEmail`
      # list, one entry per `domain` in that list. An empty `domain` yields
      # the bare zone name, otherwise "<domain>.<zone>".
      domains = builtins.concatStringsSep "," (lib.flatten (map
        (zone: map
          (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
          (zone.withEmail or [])
        )
        config.myEnv.dns.masterZones
      ));
      # The key lives in the secrets directory, not in opendkim's own state.
      keyPath = "${config.secrets.location}/opendkim";
      selector = "eldiron";
      # UMask 002 makes the socket group-writable so the MTA, which shares
      # the postfix group set just below, can connect to it.
      configFile = pkgs.writeText "opendkim.conf" ''
        SubDomains yes
        UMask 002
      '';
      group = config.services.postfix.group;
    };
    # The upstream preStart would generate a key pair; it is short-circuited
    # because the key is delivered via `secrets.keys`.
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
    '';
    # Restart opendkim when the private key is rotated.
    services.filesWatcher.opendkim = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendkim/eldiron.private"
      ];
    };

    users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
    services.opendmarc = {
      enable = true;
      socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
      # IgnoreHosts points at the secret-managed list; hosts on it skip DMARC
      # evaluation, so keep that file tightly scoped (it is 0400 above).
      # UMask 002 has the same purpose as for opendkim: a group-writable
      # socket for the postfix group.
      configFile = pkgs.writeText "opendmarc.conf" ''
        AuthservID HOSTNAME
        FailureReports false
        FailureReportsBcc postmaster@localhost.immae.eu
        FailureReportsOnNone true
        FailureReportsSentBy postmaster@immae.eu
        IgnoreAuthenticatedClients true
        IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
        SoftwareHeader true
        SPFSelfValidate true
        TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
        UMask 002
      '';
      group = config.services.postfix.group;
    };
    # Restart opendmarc when the ignore list changes.
    services.filesWatcher.opendmarc = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendmarc/ignore.hosts"
      ];
    };

    # openarc runs as the opendkim user so it can read the same 0400 private
    # key (`KeyFile` below). Note that this deliberately reuses the DKIM
    # signing key and selector for ARC sealing: a compromise of either
    # daemon exposes the one key, and rotating it affects both services.
    services.openarc = {
      enable = true;
      user = "opendkim";
      socket = "local:${config.myServices.mail.milters.sockets.openarc}";
      group = config.services.postfix.group;
      configFile = pkgs.writeText "openarc.conf" ''
        AuthservID mail.immae.eu
        Domain mail.immae.eu
        KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
        Mode sv
        Selector eldiron
        SoftwareHeader yes
        Syslog Yes
      '';
    };
    # openarc has no UMask setting here, so the socket is made group-writable
    # after the fact: wait for the daemon to create it, then chmod g+w. Only
    # applies to "local:" (unix) sockets. The wait loop has no upper bound;
    # if the socket never appears this blocks until systemd's start timeout
    # kills the unit -- TODO(review): consider bounding the loop.
    systemd.services.openarc.postStart = lib.optionalString
      (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
      while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
        sleep 0.5
      done
      chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
    '';
    # Restart openarc when the shared private key is rotated.
    services.filesWatcher.openarc = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendkim/eldiron.private"
      ];
    };
  };
}