]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - flakes/private/milters/flake.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Squash changes containing private information
[perso/Immae/Config/Nix.git] / flakes / private / milters / flake.nix
1 {
2 inputs.secrets.url = "path:../../secrets";
3 inputs.environment.url = "path:../environment";
4 inputs.files-watcher.url = "path:../../files-watcher";
5 inputs.opendmarc.url = "path:../../opendmarc";
6 inputs.openarc.url = "path:../../openarc";
7 outputs = { self, secrets, environment, opendmarc, openarc, files-watcher }: {
8 nixosModule = self.nixosModules.milters;
9 nixosModules.milters = { lib, pkgs, config, nodes, ... }:
10 {
11 imports = [
12 secrets.nixosModule
13 environment.nixosModule
14 files-watcher.nixosModule
15 opendmarc.nixosModule
16 openarc.nixosModule
17 ];
18 options.myServices.mail.milters.enable = lib.mkEnableOption "enable Mail milters";
19 options.myServices.mail.milters.sockets = lib.mkOption {
20 type = lib.types.attrsOf lib.types.path;
21 default = {
22 opendkim = "/run/opendkim/opendkim.sock";
23 opendmarc = config.services.opendmarc.socket;
24 openarc = config.services.openarc.socket;
25 };
26 readOnly = true;
27 description = ''
28 milters sockets
29 '';
30 };
31 config = lib.mkIf config.myServices.mail.milters.enable {
32 secrets.keys = {
33 "opendkim" = {
34 isDir = true;
35 user = config.services.opendkim.user;
36 group = config.services.opendkim.group;
37 permissions = "0550";
38 };
39 "opendkim/eldiron.private" = {
40 user = config.services.opendkim.user;
41 group = config.services.opendkim.group;
42 permissions = "0400";
43 text = config.myEnv.mail.dkim.eldiron.private;
44 };
45 };
46 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
47 services.opendkim = {
48 enable = true;
49 socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
50 domains =
51 let
52 getDomains = p: lib.mapAttrsToList (n: v: v.fqdn) p.emailPolicies;
53 bydomain = builtins.mapAttrs (n: getDomains) nodes.eldiron.config.myServices.dns.zones;
54 domains' = lib.flatten (builtins.attrValues bydomain);
55 in
56 builtins.concatStringsSep "," domains';
57 keyPath = config.secrets.fullPaths."opendkim";
58 selector = "eldiron";
59 configFile = pkgs.writeText "opendkim.conf" ''
60 SubDomains yes
61 UMask 002
62 AlwaysAddARHeader yes
63 '';
64 group = config.services.postfix.group;
65 };
66 systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
67 systemd.services.opendkim.preStart = lib.mkBefore ''
68 # Skip the prestart script as keys are handled in secrets
69 exit 0
70 '';
71 services.filesWatcher.opendkim = {
72 restart = true;
73 paths = [
74 config.secrets.fullPaths."opendkim/eldiron.private"
75 ];
76 };
77
78 systemd.services.milter_verify_from = {
79 description = "Verify from milter";
80 after = [ "network.target" ];
81 wantedBy = [ "multi-user.target" ];
82
83 serviceConfig = {
84 Slice = "mail.slice";
85 User = "postfix";
86 Group = "postfix";
87 ExecStart = let
88 pymilter = with pkgs.python38Packages; buildPythonPackage rec {
89 pname = "pymilter";
90 version = "1.0.4";
91 src = fetchPypi {
92 inherit pname version;
93 sha256 = "1bpcvq7d72q0zi7c8h5knhasywwz9gxc23n9fxmw874n5k8hsn7k";
94 };
95 doCheck = false;
96 buildInputs = [ pkgs.libmilter ];
97 };
98 python = pkgs.python38.withPackages (p: [ pymilter ]);
99 in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
100 RuntimeDirectory = "milter_verify_from";
101 };
102 };
103 };
104 };
105 };
106 }
My infrastructure configuration