X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=flakes%2Fprivate%2Fopendmarc%2Fflake.nix;h=e2575e7f56d7089b5798fc6e530415637d4b95c4;hb=4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0;hp=384bf98cd352ce1783e4a1b65a2ded60160dd7f1;hpb=ada96f10e64d34f06853d9915a8db580420e69b4;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix
index 384bf98..e2575e7 100644
--- a/flakes/private/opendmarc/flake.nix
+++ b/flakes/private/opendmarc/flake.nix
@@ -3,57 +3,75 @@
 path = "../../opendmarc";
 type = "path";
 };
- inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+ inputs.secrets = {
+ path = "../../secrets";
+ type = "path";
+ };
+ inputs.files-watcher = {
+ path = "../../files-watcher";
+ type = "path";
+ };
+ inputs.my-lib = {
+ path = "../../lib";
+ type = "path";
+ };
+ inputs.nix-lib.url = "github:NixOS/nixpkgs";
 description = "Private configuration for opendmarc";
- outputs = { self, nixpkgs, opendmarc }:
+ outputs = { self, nix-lib, opendmarc, my-lib, files-watcher, secrets }:
 let
- cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
- users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
- services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFIgnoreResults true
- SPFSelfValidate true
- UMask 002
- '';
- group = config.services.postfix.group;
- };
- services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
- ];
- };
- secrets.keys = [
- {
- dest = "opendmarc/ignore.hosts";
- user = config.services.opendmarc.user;
- group = config.services.opendmarc.group;
- permissions = "0400";
- text = let
- mxes = lib.attrsets.filterAttrs
- (n: v: v.mx.enable)
- config.myEnv.servers;
- in
- builtins.concatStringsSep "\n" ([
- config.myEnv.mail.dmarc.ignore_hosts
- ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
- }
+ cfg = name': { config, lib, pkgs, name, ... }: {
+ imports = [
+ (my-lib.lib.withNarKey files-watcher "nixosModule")
+ (my-lib.lib.withNarKey opendmarc "nixosModule")
+ (my-lib.lib.withNarKey secrets "nixosModule")
 ];
+ config = lib.mkIf (name == name') {
+ users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
+ services.opendmarc = {
+ enable = true;
+ socket = "/run/opendmarc/opendmarc.sock";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFIgnoreResults true
+ SPFSelfValidate true
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+ secrets.keys = {
+ "opendmarc/ignore.hosts" = {
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = let
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ in
+ builtins.concatStringsSep "\n" ([
+ config.myEnv.mail.dmarc.ignore_hosts
+ ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
+ };
+ };
+ };
 };
 in opendmarc.outputs //
- { nixosModules = opendmarc.nixosModules or {} // nixpkgs.lib.genAttrs ["eldiron" "backup-2"] cfg; };
+ { nixosModules = opendmarc.nixosModules or {} // nix-lib.lib.genAttrs ["eldiron" "backup-2"] cfg; };
 }
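Review bot: The new `socket = "/run/opendmarc/opendmarc.sock";` drops the `local:` prefix the removed line carried and replaces the shared `config.myServices.mail.milters.sockets.opendmarc` value with a literal, so the milter path is now defined here and, presumably, again on the Postfix side outside this hunk. If the opendmarc module hands the string to the `Socket` directive unchanged, how a bare path is interpreted is left to libmilter, and a mismatch with the Postfix milter list is not caught at evaluation time. Prefer `socket = "local:/run/opendmarc/opendmarc.sock";` and, where possible, keep one option that both the milter and Postfix read. The `UMask 002` plus `group = config.services.postfix.group` pairing is what lets Postfix reach the socket, so whatever creates `/run/opendmarc` must leave it traversable by that group; that lives in the module, not in this hunk. The enclosing attribute set opens before the hunk.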