X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fmilters.nix;h=49c5dfdc573bdfc18d7c88e0134eaddd873ad783;hb=a1a2455f53bde1235b221a842d3c888c51fcecac;hp=6b033e86102c4b684c115cf11cf31e220c0c3949;hpb=ab8f306d7c2c49b8116e1af7b355ed2384617ed9;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 6b033e8..49c5dfd 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -1,5 +1,9 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, name, ... }:
 {
+  imports =
+    builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules
+    ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/opendmarc).nixosModules;
+
   options.myServices.mail.milters.sockets = lib.mkOption {
     type = lib.types.attrsOf lib.types.path;
     default = {
@@ -12,7 +16,7 @@
       milters sockets
     '';
   };
-  config = lib.mkIf config.myServices.mail.enable {
+  config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
     secrets.keys = [
       {
         dest = "opendkim/eldiron.private";
@@ -29,13 +33,6 @@
         text = ''
           eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
       }
-      {
-        dest = "opendmarc/ignore.hosts";
-        user = config.services.opendmarc.user;
-        group = config.services.opendmarc.group;
-        permissions = "0400";
-        text = config.myEnv.mail.dmarc.ignore_hosts;
-      }
     ];
     users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
     services.opendkim = {
@@ -51,11 +48,13 @@
       keyPath = "${config.secrets.location}/opendkim";
       selector = "eldiron";
       configFile = pkgs.writeText "opendkim.conf" ''
-        SubDomains yes
-        UMask 002
+        SubDomains yes
+        UMask 002
+        AlwaysAddARHeader yes
       '';
       group = config.services.postfix.group;
     };
+    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
     systemd.services.opendkim.preStart = lib.mkBefore ''
       # Skip the prestart script as keys are handled in secrets
       exit 0
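Review bot: The new `imports` pull the openarc and opendmarc nixosModules in through flake-compat, while the rest of this patch deletes every `services.openarc` / `services.opendmarc` setting from this file, so after the change this module imports two modules it no longer configures. If those services are now set up in another module, the import belongs next to that configuration rather than here; if they are not, both flake evaluations are dead weight on every host that loads `milters.nix`. `name` is also added to the module arguments but is not referenced in any visible hunk. A one-line comment such as `# openarc/opendmarc modules are imported here because <module> configures them` would make the intent explicit for the next reader.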
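Review bot: Widening the condition to `config.myServices.mailBackup.enable` also deploys the DKIM signing key: the `secrets.keys` entry for `opendkim/eldiron.private` visible in the context lines is now materialised on backup-MX hosts too. A backup MX that only queues and relays inbound mail for the primary has no reason to sign, so this enlarges the set of hosts whose compromise leaks the private key. If the backup host really must sign outbound mail, say so in a comment on this line; otherwise gate the private-key entry on `config.myServices.mail.enable` alone, e.g. by building the list with `] ++ lib.optional config.myServices.mail.enable { … }`. The `config = lib.mkIf …` attrset this line opens continues past the end of the hunk.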
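Review bot: `AlwaysAddARHeader yes` makes opendkim write an `Authentication-Results:` header on every message, including ones carrying no signature, and anything downstream will trust that header purely by authserv-id. That is only safe if the MTA strips inbound `Authentication-Results:` headers that claim this host's authserv-id before the milter runs, which nothing in this module shows; it is worth confirming in the postfix module. A why-comment on the line would record the intent, e.g. `# emit A-R (dkim=none) even for unsigned mail so later milters can rely on the header being present`.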
@@ -67,59 +66,19 @@
     ];
   };
 
-    users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
-    services.opendmarc = {
-      enable = true;
-      socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
-      configFile = pkgs.writeText "opendmarc.conf" ''
-        AuthservID HOSTNAME
-        FailureReports false
-        FailureReportsBcc postmaster@localhost.immae.eu
-        FailureReportsOnNone true
-        FailureReportsSentBy postmaster@immae.eu
-        IgnoreAuthenticatedClients true
-        IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
-        SoftwareHeader true
-        SPFSelfValidate true
-        TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
-        UMask 002
-      '';
-      group = config.services.postfix.group;
-    };
-    services.filesWatcher.opendmarc = {
-      restart = true;
-      paths = [
-        config.secrets.fullPaths."opendmarc/ignore.hosts"
-      ];
-    };
+    systemd.services.milter_verify_from = {
+      description = "Verify from milter";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
 
-    services.openarc = {
-      enable = true;
-      user = "opendkim";
-      socket = "local:${config.myServices.mail.milters.sockets.openarc}";
-      group = config.services.postfix.group;
-      configFile = pkgs.writeText "openarc.conf" ''
-        AuthservID mail.immae.eu
-        Domain mail.immae.eu
-        KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
-        Mode sv
-        Selector eldiron
-        SoftwareHeader yes
-        Syslog Yes
-      '';
-    };
-    systemd.services.openarc.postStart = lib.optionalString
-      (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
-      while [ ! 
-S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
-        sleep 0.5
-      done
-      chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
-    '';
-    services.filesWatcher.openarc = {
-      restart = true;
-      paths = [
-        config.secrets.fullPaths."opendkim/eldiron.private"
-      ];
+      serviceConfig = {
+        Slice = "mail.slice";
+        User = "postfix";
+        Group = "postfix";
+        ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
+          in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
+        RuntimeDirectory = "milter_verify_from";
+      };
     };
   };
 }
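Review bot: The new `milter_verify_from` unit runs as `User = "postfix"` / `Group = "postfix"`, so a Python process parsing attacker-controlled SMTP envelope and header data through pymilter has exactly the MTA's privileges and the two can tamper with each other's files, queue and sockets; the openarc and opendmarc units removed in this same hunk each ran under their own user and only shared the postfix group (openarc's post-start `chmod g+w` on the socket existed for that reason). Give the milter a dedicated system user, keep the postfix group so postfix can connect, make the socket group-writable via `UMask`, and add the basic sandboxing systemd offers; whether `verify_from.py` sets its own umask or chmods the socket cannot be seen here and should be checked. The hard-coded socket path is also not registered in `myServices.mail.milters.sockets`, so if postfix's milter list is built from that option the new milter may not be wired in — worth confirming. The `config = lib.mkIf …` attrset closed by the final `};` starts outside the hunk.
```nix
    users.users.milter_verify_from = {
      isSystemUser = true;
      group = config.services.postfix.group;
    };
    systemd.services.milter_verify_from = {
      # … unchanged: description, after, wantedBy …
      serviceConfig = {
        Slice = "mail.slice";
        # dedicated user; postfix reaches the socket through its group
        User = "milter_verify_from";
        Group = config.services.postfix.group;
        UMask = "0002";
        RuntimeDirectoryMode = "0750";
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        # … unchanged: ExecStart, RuntimeDirectory …
      };
    };
```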