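{ lib, pkgs, config, myconfig, ... }:
let
  # Filesystem path of the openarc milter socket, i.e. the configured socket
  # URI with its "local:" scheme removed. Only meaningful for Unix sockets; the
  # postStart hook below checks the prefix before using it.
  openarcSocketPath = lib.strings.removePrefix "local:" config.services.openarc.socket;
in
{
  # Unix socket paths of the three milters (opendkim, opendmarc, openarc).
  # Read-only so that the MTA side and the milter services share one definition.
  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = "/run/opendmarc/opendmarc.sock";
      openarc = "/run/openarc/openarc.sock";
    };
    readOnly = true;
    description = ''
      milters sockets
    '';
  };

  # Material deployed through the secrets mechanism (config.secrets), outside
  # the world-readable Nix store.
  config.secrets.keys = [
    {
      dest = "opendkim/eldiron.private";
      user = config.services.opendkim.user;
      group = config.services.opendkim.group;
      # Signing key: owner-read only.
      permissions = "0400";
      text = myconfig.env.mail.dkim.eldiron.private;
    }
    {
      dest = "opendkim/eldiron.txt";
      user = config.services.opendkim.user;
      group = config.services.opendkim.group;
      # Public DNS record; no confidentiality requirement.
      permissions = "0444";
      text = ''
        eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
    }
    {
      dest = "opendmarc/ignore.hosts";
      user = config.services.opendmarc.user;
      group = config.services.opendmarc.group;
      permissions = "0400";
      text = myconfig.env.mail.dmarc.ignore_hosts;
    }
  ];

  # Membership in "keys" is what grants read access to the deployed secrets.
  config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
  config.services.opendkim = {
    enable = true;
    socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
    # One signing domain per mail-enabled zone entry: "<e.domain>.<zone.name>",
    # or the bare zone name when the entry's domain is empty.
    domains = builtins.concatStringsSep "," (lib.flatten (map
      (zone: map
        (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
        (zone.withEmail or [])
      )
      myconfig.env.dns.masterZones
    ));
    keyPath = "${config.secrets.location}/opendkim";
    selector = "eldiron";
    # UMask 002 leaves the socket group-writable so that the MTA, which runs in
    # the same group (see `group` below), can connect to it.
    configFile = pkgs.writeText "opendkim.conf" ''
      SubDomains yes
      UMask 002
    '';
    group = config.services.postfix.group;
  };
  # The upstream module's preStart would generate a key pair if none is found
  # under keyPath; the key is provisioned by config.secrets instead, so the
  # script is short-circuited. NOTE(review): mkBefore + `exit 0` also skips any
  # other step the module puts in preStart — confirm nothing else is relied on.
  config.systemd.services.opendkim.preStart = lib.mkBefore ''
    # Skip the prestart script as keys are handled in secrets
    exit 0
  '';
  # Restart the milter whenever the deployed private key changes (key rotation).
  config.services.filesWatcher.opendkim = {
    restart = true;
    paths = [
      config.secrets.fullPaths."opendkim/eldiron.private"
    ];
  };

  config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
  config.services.opendmarc = {
    enable = true;
    socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
    # NOTE(review): `FailureReports false` appears to make the other
    # FailureReports* settings inert — confirm whether sending reports is intended.
    # NOTE(review): Authentication-Results headers carrying any of the
    # TrustedAuthservIDs are believed as-is; this is only safe if the MTA strips
    # such headers from inbound mail before this milter runs, otherwise a sender
    # could forge a passing result. Verify that stripping is configured.
    # UMask 002: same group-writable socket arrangement as opendkim.
    configFile = pkgs.writeText "opendmarc.conf" ''
      AuthservID HOSTNAME
      FailureReports false
      FailureReportsBcc postmaster@localhost.immae.eu
      FailureReportsOnNone true
      FailureReportsSentBy postmaster@immae.eu
      IgnoreAuthenticatedClients true
      IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
      SoftwareHeader true
      SPFSelfValidate true
      TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
      UMask 002
    '';
    group = config.services.postfix.group;
  };
  # Restart when the host ignore list changes.
  config.services.filesWatcher.opendmarc = {
    restart = true;
    paths = [
      config.secrets.fullPaths."opendmarc/ignore.hosts"
    ];
  };

  config.services.openarc = {
    enable = true;
    # Runs as the opendkim user so that it can read the DKIM private key below.
    user = "opendkim";
    socket = "local:${config.myServices.mail.milters.sockets.openarc}";
    group = config.services.postfix.group;
    # NOTE(review): ARC signing reuses the DKIM key and selector. The two
    # therefore cannot be rotated independently and a compromise of one affects
    # both; a dedicated ARC selector/key would decouple them.
    configFile = pkgs.writeText "openarc.conf" ''
      AuthservID mail.immae.eu
      Domain mail.immae.eu
      KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
      Mode sv
      Selector eldiron
      SoftwareHeader yes
      Syslog Yes
    '';
  };
  # openarc is not given a UMask here, so the socket is opened to the group by
  # hand once the daemon has created it (the MTA shares that group). Only
  # applies to Unix sockets. The poll has no bound of its own; systemd's start
  # timeout is what fails the unit if the socket never appears.
  config.systemd.services.openarc.postStart = lib.optionalString
    (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
      while [ ! -S ${lib.escapeShellArg openarcSocketPath} ]; do
        sleep 0.5
      done
      chmod g+w ${lib.escapeShellArg openarcSocketPath}
    '';
  # Same key as opendkim, so restart on the same rotation event.
  config.services.filesWatcher.openarc = {
    restart = true;
    paths = [
      config.secrets.fullPaths."opendkim/eldiron.private"
    ];
  };
}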