Add opendmarc openarc and opendkim configuration and packages
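{ lib, pkgs, config, myconfig, ... }:
# Mail authentication stack for this host: nullmailer relays outgoing mail,
# OpenDKIM signs it, OpenDMARC evaluates inbound DMARC policy and OpenARC
# seals forwarded mail.  Private key material is never placed in a Nix
# derivation; it is deployed through `config.secrets` with explicit owner
# and mode, and the services are restarted when those files change.
{
  # Pin nullmailer's uid/gid to the values from the ids module so ownership
  # of its spool does not drift between rebuilds.
  config.users.users.nullmailer.uid = config.ids.uids.nullmailer;
  config.users.groups.nullmailer.gid = config.ids.gids.nullmailer;

  config.services.nullmailer = {
    enable = true;
    config = {
      me = myconfig.env.mail.host;
      # "<relay> smtp": every message is handed to the relay over SMTP.
      # NOTE(review): no transport options (e.g. a --starttls/--ssl or
      # --auth-login suffix) are given, so as written this is plain SMTP;
      # confirm the relay link is otherwise protected.
      remotes = "${myconfig.env.mail.relay} smtp";
    };
  };

  # Files deployed out of band by the secrets module with the given owner
  # and mode.  NOTE(review): `text` carries the raw secret; this relies on
  # the secrets module writing it to `config.secrets.location` directly and
  # not via the world-readable store — confirm.
  config.secrets.keys = [
    {
      # DKIM (and ARC, see below) signing key: owner-read only.
      dest = "opendkim/eldiron.private";
      user = config.services.opendkim.user;
      group = config.services.opendkim.group;
      permissions = "0400";
      text = myconfig.env.mail.dkim.eldiron.private;
    }
    {
      # Public half, formatted as the DNS TXT record to publish.  Public
      # data, hence world-readable.
      dest = "opendkim/eldiron.txt";
      user = config.services.opendkim.user;
      group = config.services.opendkim.group;
      permissions = "0444";
      text = ''
        eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
    }
    {
      # Hosts exempted from DMARC evaluation.  Kept private: it describes
      # which peers are trusted to bypass policy.
      dest = "opendmarc/ignore.hosts";
      user = config.services.opendmarc.user;
      group = config.services.opendmarc.group;
      permissions = "0400";
      text = myconfig.env.mail.dmarc.ignore_hosts;
    }
  ];

  # Group "keys" is what grants access to the secrets directory itself;
  # the per-file 0400 mode then restricts each key to its owner.
  config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
  config.services.opendkim = {
    enable = true;
    # Comma-separated list of every "<sub>.<zone>" (or the bare zone when
    # `domain` is "") declared under `withEmail` in the master DNS zones.
    domains = builtins.concatStringsSep "," (lib.flatten (map
      (zone: map
        (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
        (zone.withEmail or [])
      )
      myconfig.env.dns.masterZones
    ));
    # keyPath/selector point the module at <keyPath>/<selector>.private,
    # i.e. the "opendkim/eldiron.private" secret deployed above.
    keyPath = "${config.secrets.location}/opendkim";
    selector = "eldiron";
    # SubDomains: also sign mail from subdomains of the listed domains.
    # UMask 002: the milter socket is created group-writable so the MTA
    # (a member of the opendkim group) can connect.
    configFile = pkgs.writeText "opendkim.conf" ''
      SubDomains yes
      UMask 002
    '';
  };
  # The module's own preStart would generate a key when none is present.
  # The key is provisioned as a secret, so bail out before that runs;
  # mkBefore puts our `exit 0` ahead of the module's script.
  config.systemd.services.opendkim.preStart = lib.mkBefore ''
    # Skip the prestart script as keys are handled in secrets
    exit 0
  '';
  # Restart opendkim whenever the signing key is rotated.
  config.services.filesWatcher.opendkim = {
    restart = true;
    paths = [
      config.secrets.fullPaths."opendkim/eldiron.private"
    ];
  };

  config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
  # AuthservID HOSTNAME: the literal token HOSTNAME makes opendmarc use the
  # machine's hostname as its authserv-id.
  # FailureReports is off, so the FailureReports* settings below are inert
  # until reporting is enabled.
  # IgnoreAuthenticatedClients: SASL-authenticated sessions (our own
  # submissions) are not subjected to DMARC checks.
  # SoftwareHeader: adds a header naming the filter software/version; minor
  # version disclosure, kept as-is.
  # TrustedAuthservIDs: Authentication-Results headers bearing one of these
  # authserv-ids are believed instead of re-evaluated.  NOTE(review): unless
  # the MTA strips such headers from untrusted inbound mail, a sender can
  # forge an A-R header with one of these ids and have DMARC accept it —
  # confirm inbound A-R headers with these ids are removed upstream.
  config.services.opendmarc = {
    enable = true;
    configFile = pkgs.writeText "opendmarc.conf" ''
      AuthservID HOSTNAME
      FailureReports false
      FailureReportsBcc postmaster@localhost.immae.eu
      FailureReportsOnNone true
      FailureReportsSentBy postmaster@immae.eu
      IgnoreAuthenticatedClients true
      IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
      SoftwareHeader true
      SPFSelfValidate true
      TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
      UMask 002
    '';
  };
  # Reload the exemption list when it is redeployed.
  config.services.filesWatcher.opendmarc = {
    restart = true;
    paths = [
      config.secrets.fullPaths."opendmarc/ignore.hosts"
    ];
  };

  # OpenARC runs as the opendkim user so it can read the same 0400 key;
  # the DKIM key/selector is reused for ARC seals.  Mode sv = sign and
  # verify.
  config.services.openarc = {
    enable = true;
    user = "opendkim";
    group = "opendkim";
    configFile = pkgs.writeText "openarc.conf" ''
      AuthservID mail.immae.eu
      Domain mail.immae.eu
      KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
      Mode sv
      Selector eldiron
      SoftwareHeader yes
      Syslog Yes
    '';
  };
  # When openarc listens on a unix socket, wait for it to appear and make it
  # group-writable so the MTA (in group opendkim) can connect — openarc has
  # no UMask setting here, so the socket comes up without group write.
  # The wait is bounded (120 * 0.5s = 60s): a filter that never creates its
  # socket fails the unit explicitly instead of spinning until systemd's
  # start timeout kills it.
  config.systemd.services.openarc.postStart = lib.optionalString
    (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
      sock=${lib.strings.removePrefix "local:" config.services.openarc.socket}
      tries=0
      while [ ! -S "$sock" ]; do
        tries=$((tries + 1))
        if [ "$tries" -ge 120 ]; then
          echo "openarc socket $sock did not appear" >&2
          exit 1
        fi
        sleep 0.5
      done
      chmod g+w "$sock"
    '';
  # Restart openarc when the shared signing key is rotated.
  config.services.filesWatcher.openarc = {
    restart = true;
    paths = [
      config.secrets.fullPaths."opendkim/eldiron.private"
    ];
  };
}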