X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fmilters.nix;h=4b93a7aea78847d9a575dd2ad912fef061b2fa0c;hb=4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0;hp=02c35c8a97e9f1e9f753c57113f00a46e04a54b6;hpb=850adcf4b17afb6f5429b030f3c814d502d2b53e;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index 02c35c8..4b93a7a 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -1,11 +1,15 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, name, ... }:
 {
+ imports =
+ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/openarc).nixosModules
+ ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/opendmarc).nixosModules;
+
 options.myServices.mail.milters.sockets = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
 default = {
 opendkim = "/run/opendkim/opendkim.sock";
- opendmarc = "/run/opendmarc/opendmarc.sock";
- openarc = "/run/openarc/openarc.sock";
+ opendmarc = config.services.opendmarc.socket;
+ openarc = config.services.openarc.socket;
 };
 readOnly = true;
 description = ''
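Review bot: The new defaults `opendmarc = config.services.opendmarc.socket;` and `openarc = config.services.openarc.socket;` feed an option typed `lib.types.attrsOf lib.types.path`, yet the code this commit removes from the same file set those service options as `"local:${...}"` and tested them with `hasPrefix "local:"`. If the imported openarc/opendmarc modules keep that `local:` format, the default either fails the `path` type check or hands a prefixed value to whatever consumes `milters.sockets`; either strip it here, `opendmarc = lib.strings.removePrefix "local:" config.services.opendmarc.socket;`, or state in the option `description` that the imported modules are expected to expose a bare socket path. The `imports` line also deserves a short comment such as `# opendmarc and openarc are now configured by the private flakes imported here`, since nothing in this file shows where their service definitions went. The `name` module argument added on the first line is not used in any hunk shown. The `description` string and the rest of the option continue outside the hunk.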
@@ -13,37 +17,27 @@
 '';
 };
 config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
- secrets.keys = [
- {
- dest = "opendkim/eldiron.private";
+ secrets.keys = {
+ "opendkim" = {
+ isDir = true;
+ user = config.services.opendkim.user;
+ group = config.services.opendkim.group;
+ permissions = "0550";
+ };
+ "opendkim/eldiron.private" = {
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
 permissions = "0400";
 text = config.myEnv.mail.dkim.eldiron.private;
- }
- {
- dest = "opendkim/eldiron.txt";
+ };
+ "opendkim/eldiron.txt" = {
 user = config.services.opendkim.user;
 group = config.services.opendkim.group;
 permissions = "0444";
 text = ''
 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
- }
- {
- dest = "opendmarc/ignore.hosts";
- user = config.services.opendmarc.user;
- group = config.services.opendmarc.group;
- permissions = "0400";
- text = let
- mxes = lib.attrsets.filterAttrs
- (n: v: v.mx.enable)
- config.myEnv.servers;
- in
- builtins.concatStringsSep "\n" ([
- config.myEnv.mail.dmarc.ignore_hosts
- ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
- }
- ];
+ };
+ };
 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
 services.opendkim = {
 enable = true;
@@ -55,7 +49,7 @@
 ) config.myEnv.dns.masterZones
 ));
- keyPath = "${config.secrets.location}/opendkim";
+ keyPath = config.secrets.fullPaths."opendkim";
 selector = "eldiron";
 configFile = pkgs.writeText "opendkim.conf" ''
 SubDomains yes
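Review bot: The new `"opendkim"` directory secret is `permissions = "0550"` owned by the opendkim user and group, and `opendkim/eldiron.private` under it stays `0400`, so after this hunk only `config.services.opendkim.user` can read that key. The openarc configuration this commit deletes from the same file ran as `user = "opendkim"` and used exactly that file as its `KeyFile`, so if the imported openarc module runs as a different user the ARC signer silently loses its key; please confirm, and record the dependency on the directory entry with `# key directory: readable only by the opendkim user/group; openarc must run as this user to reach eldiron.private`. The `opendmarc/ignore.hosts` secret and its file watcher disappear here with no visible replacement, presumably moved into the imported opendmarc flake. The enclosing `config = lib.mkIf ...` attribute set continues past the end of the hunk.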
@@ -76,63 +70,6 @@
 ];
 };
- users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
- services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFIgnoreResults true
- SPFSelfValidate true
- UMask 002
- '';
- group = config.services.postfix.group;
- };
- services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
- ];
- };
-
- services.openarc = {
- enable = true;
- user = "opendkim";
- socket = "local:${config.myServices.mail.milters.sockets.openarc}";
- group = config.services.postfix.group;
- configFile = pkgs.writeText "openarc.conf" ''
- AuthservID mail.immae.eu
- Domain mail.immae.eu
- KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
- Mode sv
- Selector eldiron
- SoftwareHeader yes
- Syslog Yes
- '';
- };
- systemd.services.openarc.serviceConfig.Slice = "mail.slice";
- systemd.services.openarc.postStart = lib.optionalString
- (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
- while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
- sleep 0.5
- done
- chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
- '';
- services.filesWatcher.openarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendkim/eldiron.private"
- ];
- };
-
 systemd.services.milter_verify_from = {
 description = "Verify from milter";
 after = [ "network.target" ];