[perso/Immae/Config/Nix.git] / modules / private / mail / milters.nix

{ lib, pkgs, config, name, ... }:
{
  imports =
       builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/openarc).nixosModules
    ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/opendmarc).nixosModules;

  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = config.services.opendmarc.socket;
      openarc = config.services.openarc.socket;
    };
    readOnly = true;
    description = ''
      milters sockets
      '';
  };
  config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
    secrets.keys = [
      {
        dest = "opendkim";
        isDir = true;
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0550";
      }
      {
        dest = "opendkim/eldiron.private";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0400";
        text = config.myEnv.mail.dkim.eldiron.private;
      }
      {
        dest = "opendkim/eldiron.txt";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0444";
        text = ''
          eldiron._domainkey	IN	TXT	${config.myEnv.mail.dkim.eldiron.public}'';
      }
    ];
    users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
    services.opendkim = {
      enable = true;
      socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
      domains = builtins.concatStringsSep "," (lib.flatten (map
        (zone: map
          (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
          (zone.withEmail or [])
        )
        config.myEnv.dns.masterZones
      ));
      keyPath = config.secrets.fullPaths."opendkim";
      selector = "eldiron";
      configFile = pkgs.writeText "opendkim.conf" ''
        SubDomains        yes
        UMask             002
        AlwaysAddARHeader yes
        '';
      group = config.services.postfix.group;
    };
    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
      '';
    services.filesWatcher.opendkim = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendkim/eldiron.private"
      ];
    };

    systemd.services.milter_verify_from = {
      description  = "Verify from milter";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Slice = "mail.slice";
        User = "postfix";
        Group = "postfix";
        ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
          in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
        RuntimeDirectory = "milter_verify_from";
      };
    };
  };
}
Commit	Line	Data
74a10960	1	{ lib, pkgs, config, name, ... }:
af421a8f	2	{
74a10960	3	imports =
ef43c362 IB	4	builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/openarc).nixosModules
ef43c362 IB	5	++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/opendmarc).nixosModules;
74a10960	6
a929614f IB	7	options.myServices.mail.milters.sockets = lib.mkOption {
	8	type = lib.types.attrsOf lib.types.path;
	9	default = {
	10	opendkim = "/run/opendkim/opendkim.sock";
910c2e9e IB	11	opendmarc = config.services.opendmarc.socket;
910c2e9e IB	12	openarc = config.services.openarc.socket;
af421a8f	13	};
a929614f IB	14	readOnly = true;
	15	description = ''
	16	milters sockets
	17	'';
af421a8f	18	};
619e4f46	19	config = lib.mkIf (config.myServices.mail.enable \|\| config.myServices.mailBackup.enable) {
8415083e	20	secrets.keys = [
da30ae4f IB	21	{
	22	dest = "opendkim";
	23	isDir = true;
	24	user = config.services.opendkim.user;
	25	group = config.services.opendkim.group;
	26	permissions = "0550";
	27	}
8415083e IB	28	{
	29	dest = "opendkim/eldiron.private";
	30	user = config.services.opendkim.user;
	31	group = config.services.opendkim.group;
	32	permissions = "0400";
ab8f306d	33	text = config.myEnv.mail.dkim.eldiron.private;
8415083e IB	34	}
	35	{
	36	dest = "opendkim/eldiron.txt";
	37	user = config.services.opendkim.user;
	38	group = config.services.opendkim.group;
	39	permissions = "0444";
	40	text = ''
ab8f306d	41	eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
8415083e	42	}
411af8e3	43	];
8415083e IB	44	users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
	45	services.opendkim = {
	46	enable = true;
	47	socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
	48	domains = builtins.concatStringsSep "," (lib.flatten (map
	49	(zone: map
	50	(e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
	51	(zone.withEmail or [])
	52	)
ab8f306d	53	config.myEnv.dns.masterZones
8415083e	54	));
da30ae4f	55	keyPath = config.secrets.fullPaths."opendkim";
8415083e IB	56	selector = "eldiron";
8415083e IB	57	configFile = pkgs.writeText "opendkim.conf" ''
619e4f46 IB	58	SubDomains yes
	59	UMask 002
	60	AlwaysAddARHeader yes
8415083e IB	61	'';
	62	group = config.services.postfix.group;
	63	};
850adcf4	64	systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
8415083e IB	65	systemd.services.opendkim.preStart = lib.mkBefore ''
	66	# Skip the prestart script as keys are handled in secrets
	67	exit 0
411af8e3	68	'';
8415083e IB	69	services.filesWatcher.opendkim = {
	70	restart = true;
	71	paths = [
	72	config.secrets.fullPaths."opendkim/eldiron.private"
	73	];
	74	};
	75
45730653 IB	76	systemd.services.milter_verify_from = {
	77	description = "Verify from milter";
	78	after = [ "network.target" ];
	79	wantedBy = [ "multi-user.target" ];
	80
	81	serviceConfig = {
850adcf4	82	Slice = "mail.slice";
45730653 IB	83	User = "postfix";
	84	Group = "postfix";
	85	ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
	86	in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
	87	RuntimeDirectory = "milter_verify_from";
	88	};
	89	};
411af8e3	90	};
af421a8f	91	}