2 inputs.secrets.url = "path:../../secrets";
3 inputs.environment.url = "path:../environment";
4 inputs.files-watcher.url = "path:../../files-watcher";
5 inputs.opendmarc.url = "path:../../opendmarc";
6 inputs.openarc.url = "path:../../openarc";
7 outputs = { self, secrets, environment, opendmarc, openarc, files-watcher }: {
8 nixosModule = self.nixosModules.milters;
9 nixosModules.milters = { lib, pkgs, config, nodes, ... }:
13 environment.nixosModule
14 files-watcher.nixosModule
18 options.myServices.mail.milters.enable = lib.mkEnableOption "enable Mail milters";
19 options.myServices.mail.milters.sockets = lib.mkOption {
20 type = lib.types.attrsOf lib.types.path;
22 opendkim = "/run/opendkim/opendkim.sock";
23 opendmarc = config.services.opendmarc.socket;
24 openarc = config.services.openarc.socket;
31 config = lib.mkIf config.myServices.mail.milters.enable {
35 user = config.services.opendkim.user;
36 group = config.services.opendkim.group;
39 "opendkim/eldiron.private" = {
40 user = config.services.opendkim.user;
41 group = config.services.opendkim.group;
43 text = config.myEnv.mail.dkim.eldiron.private;
45 "opendkim/eldiron2.private" = {
46 user = config.services.opendkim.user;
47 group = config.services.opendkim.group;
49 text = config.myEnv.mail.dkim.eldiron2.private;
52 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
55 socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
58 getDomains = p: lib.mapAttrsToList (n: v: v.fqdn) p.emailPolicies;
59 bydomain = builtins.mapAttrs (n: getDomains) nodes.eldiron.config.myServices.dns.zones;
60 domains' = lib.flatten (builtins.attrValues bydomain);
62 builtins.concatStringsSep "," domains';
63 keyPath = config.secrets.fullPaths."opendkim";
64 selector = "eldiron2";
65 configFile = pkgs.writeText "opendkim.conf" ''
70 group = config.services.postfix.group;
72 systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
73 systemd.services.opendkim.preStart = lib.mkBefore ''
74 # Skip the prestart script as keys are handled in secrets
77 services.filesWatcher.opendkim = {
80 config.secrets.fullPaths."opendkim/eldiron.private"
81 config.secrets.fullPaths."opendkim/eldiron2.private"
85 systemd.services.milter_verify_from = {
86 description = "Verify from milter";
87 after = [ "network.target" ];
88 wantedBy = [ "multi-user.target" ];
95 pymilter = with pkgs.python38Packages; buildPythonPackage rec {
99 inherit pname version;
100 sha256 = "1bpcvq7d72q0zi7c8h5knhasywwz9gxc23n9fxmw874n5k8hsn7k";
103 buildInputs = [ pkgs.libmilter ];
105 python = pkgs.python38.withPackages (p: [ pymilter ]);
106 in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
107 RuntimeDirectory = "milter_verify_from";