# NixOS module wiring the mail milters (OpenDKIM, OpenDMARC, OpenARC and a
# local "verify from" milter) for the mail / mail-backup roles.
#
# Security-relevant points a reviewer should keep in mind:
#   * the DKIM private key is delivered through the `secrets.keys` mechanism
#     (mode 0400, owned by the opendkim user) — its value comes from
#     `config.myEnv.mail.dkim.eldiron.private`, i.e. it is available to Nix
#     evaluation; whether it ever lands in the world-readable Nix store depends
#     on the `secrets` module, which is not visible here — TODO confirm.
#   * the upstream opendkim preStart (which would generate a key itself) is
#     short-circuited below, so the service relies entirely on the secret
#     being deployed.
#   * `milter_verify_from` runs as the postfix user with no further systemd
#     sandboxing (no NoNewPrivileges / ProtectSystem / PrivateTmp visible) —
#     NOTE(review): consider hardening it, it processes untrusted mail.
{ lib, pkgs, config, name, ... }:
{
  # OpenARC and OpenDMARC come from private flakes, loaded through the
  # flake-compat shim so this non-flake module tree can import their
  # nixosModules.
  imports =
    builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/openarc).nixosModules
    ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/opendmarc).nixosModules;

  # Unix socket paths of every milter, exposed read-only so that the postfix
  # configuration (elsewhere) can reference them without duplicating paths.
  # opendmarc/openarc paths are taken from their own service options; the
  # opendkim path is fixed here and fed back into services.opendkim below.
  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = config.services.opendmarc.socket;
      openarc = config.services.openarc.socket;
    };
    readOnly = true;
    description = ''
      milters sockets
    '';
  };
  # Everything below is only active on the primary mail host or its backup.
  config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
    # Key material deployed out of band by the `secrets` module.  The
    # directory itself is 0550 (not writable by the service), the private key
    # is 0400 for the opendkim user only, and the public TXT record is 0444.
    secrets.keys = [
      {
        dest = "opendkim";
        isDir = true;
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0550";
      }
      {
        dest = "opendkim/eldiron.private";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0400";
        # Private key read straight from the environment config; see the
        # header comment about its path through Nix evaluation.
        text = config.myEnv.mail.dkim.eldiron.private;
      }
      {
        # DNS record for the selector; presumably `public` already carries the
        # full "v=DKIM1; ... p=..." payload — verify against myEnv.
        dest = "opendkim/eldiron.txt";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0444";
        text = ''
          eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
      }
    ];
    # The opendkim user needs the "keys" group to traverse the secrets
    # directory (group membership is what the `secrets` module appears to
    # gate access on — confirm in that module).
    users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
    services.opendkim = {
      enable = true;
      # Listen on the local socket published through the option above.
      socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
      # Sign for every zone entry that has `withEmail`; an empty `domain`
      # yields the bare zone name, otherwise "<domain>.<zone>".  Result is the
      # comma-separated list opendkim expects.
      domains = builtins.concatStringsSep "," (lib.flatten (map
        (zone: map
          (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
          (zone.withEmail or [])
        )
        config.myEnv.dns.masterZones
      ));
      # Keys are looked up under the deployed secrets directory.
      keyPath = config.secrets.fullPaths."opendkim";
      selector = "eldiron";
      # UMask 002 makes the socket group-writable; together with `group` set
      # to the postfix group below this is what lets postfix connect to it.
      # Anything else opendkim creates is also group-writable, so keep the
      # group membership tight.
      configFile = pkgs.writeText "opendkim.conf" ''
        SubDomains yes
        UMask 002
        AlwaysAddARHeader yes
      '';
      group = config.services.postfix.group;
    };
    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
    # mkBefore puts this ahead of the NixOS-provided preStart; `exit 0`
    # therefore skips it entirely (it would otherwise try to generate a key
    # and fix up permissions).  With this in place a missing secret means the
    # service simply fails to start instead of silently signing with a
    # freshly generated, unpublished key.
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
    '';
    # Restart opendkim whenever the deployed private key changes (key
    # rotation without a full redeploy).
    services.filesWatcher.opendkim = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendkim/eldiron.private"
      ];
    };

    # Small custom milter (verify_from.py, pymilter based) run as the postfix
    # user and listening on a Unix socket in its own RuntimeDirectory.
    # NOTE(review): this socket is not part of the `sockets` option above, so
    # postfix must reference /run/milter_verify_from/verify_from.sock by
    # literal path elsewhere; and no systemd sandboxing is applied — at least
    # NoNewPrivileges/PrivateTmp/ProtectHome look safe to add given what is
    # visible (a socket under RuntimeDirectory and no other paths).
    systemd.services.milter_verify_from = {
      description = "Verify from milter";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Slice = "mail.slice";
        User = "postfix";
        Group = "postfix";
        ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
        in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
        # /run/milter_verify_from is created (owned by postfix) for the socket.
        RuntimeDirectory = "milter_verify_from";
      };
    };
  };
}