# NixOS module wiring the inbound/outbound mail milters (OpenDKIM, OpenDMARC,
# OpenARC via the imported flake, and a local "verify from" milter) for the
# mail / mailBackup roles.  Signing keys and the DMARC ignore list are
# provisioned through the project's `secrets` mechanism instead of being
# generated by the services themselves.
# `name` is accepted in the argument set but not used in this file.
{ lib, pkgs, config, name, ... }:
{
  # OpenARC is pulled in through flake-compat; every nixosModule it exports is
  # imported.  Its socket path is declared below, but the service itself is
  # not configured in this file (presumably in the imported module).
  imports =
    builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules;

  # Single source of truth for the milter socket paths.  readOnly so that
  # consumers (e.g. whatever builds the MTA's milter list) cannot drift from
  # the paths the services below actually bind.
  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = "/run/opendmarc/opendmarc.sock";
      openarc = "/run/openarc/openarc.sock";
    };
    readOnly = true;
    description = ''
      milters sockets
    '';
  };

  # Everything below is only applied on the primary or backup mail role.
  config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
    secrets.keys = [
      # DKIM private signing key: owner-read only (0400), owned by the
      # opendkim service user/group.
      {
        dest = "opendkim/eldiron.private";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0400";
        text = config.myEnv.mail.dkim.eldiron.private;
      }
      # DNS TXT record carrying the public half of the key; world-readable
      # (0444) since it is published in DNS anyway.
      {
        dest = "opendkim/eldiron.txt";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0444";
        text = ''
          eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
      }
      # Hosts OpenDMARC must not evaluate: the static ignore_hosts list plus
      # the FQDN of every server in myEnv.servers that has mx.enable set
      # (one entry per line).  Readable by the opendmarc user only.
      # NOTE(review): `v.mx.enable` is accessed without a fallback, so a
      # server entry without an `mx` attribute fails evaluation — confirm
      # the schema guarantees it.
      {
        dest = "opendmarc/ignore.hosts";
        user = config.services.opendmarc.user;
        group = config.services.opendmarc.group;
        permissions = "0400";
        text = let
          mxes = lib.attrsets.filterAttrs
            (n: v: v.mx.enable)
            config.myEnv.servers;
        in
          builtins.concatStringsSep "\n" ([
            config.myEnv.mail.dmarc.ignore_hosts
          ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
      }
    ];
    # The service user needs to be in the "keys" group to read the secrets
    # above (presumably the secrets location is group-owned by `keys`).
    users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
    services.opendkim = {
      enable = true;
      socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
      # Sign for every `withEmail` entry of every master zone, rendered as
      # "<domain>.<zone>" or just "<zone>" when the entry's domain is "".
      domains = builtins.concatStringsSep "," (lib.flatten (map
        (zone: map
          (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
          (zone.withEmail or [])
        )
        config.myEnv.dns.masterZones
      ));
      # Keys are read from the secrets location; nothing is generated here.
      keyPath = "${config.secrets.location}/opendkim";
      selector = "eldiron";
      # UMask 002 leaves the socket group-accessible; combined with the
      # postfix group below this is what lets the MTA connect to it.
      # AlwaysAddARHeader adds an Authentication-Results header even when
      # no signature was present.
      configFile = pkgs.writeText "opendkim.conf" ''
        SubDomains yes
        UMask 002
        AlwaysAddARHeader yes
      '';
      group = config.services.postfix.group;
    };
    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
    # mkBefore places `exit 0` ahead of the module's own preStart script, so
    # that script never runs: key material is supplied by `secrets` above.
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
    '';
    # Restart opendkim whenever the deployed private key changes.
    services.filesWatcher.opendkim = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendkim/eldiron.private"
      ];
    };

    # Same group membership as for opendkim: needed to read the ignore list.
    users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
    systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
    services.opendmarc = {
      enable = true;
      socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
      # Notable settings:
      #  - IgnoreHosts points at the secret generated above (own MXes are
      #    skipped so relayed mail is not re-evaluated);
      #  - IgnoreAuthenticatedClients skips submissions from authenticated
      #    SMTP clients;
      #  - SPFSelfValidate / SPFIgnoreResults make OpenDMARC run its own SPF
      #    check instead of trusting an upstream Authentication-Results;
      #  - UMask 002 keeps the socket group-accessible for the postfix group.
      configFile = pkgs.writeText "opendmarc.conf" ''
        AuthservID HOSTNAME
        FailureReports false
        FailureReportsBcc postmaster@immae.eu
        FailureReportsOnNone true
        FailureReportsSentBy postmaster@immae.eu
        IgnoreAuthenticatedClients true
        IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
        SoftwareHeader true
        SPFIgnoreResults true
        SPFSelfValidate true
        UMask 002
      '';
      group = config.services.postfix.group;
    };
    # Restart opendmarc whenever the ignore list is regenerated.
    services.filesWatcher.opendmarc = {
      restart = true;
      paths = [
        config.secrets.fullPaths."opendmarc/ignore.hosts"
      ];
    };

    # Custom milter (verify_from.py, run with pymilter) listening on a unix
    # socket under its RuntimeDirectory.  Unlike the others, its socket path
    # is not exposed through myServices.mail.milters.sockets.
    # NOTE(review): the unit runs as the postfix user without any systemd
    # sandboxing directives; worth checking whether the milter needs more
    # than the socket directory.
    systemd.services.milter_verify_from = {
      description = "Verify from milter";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Slice = "mail.slice";
        User = "postfix";
        Group = "postfix";
        ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
          in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
        RuntimeDirectory = "milter_verify_from";
      };
    };
  };
}