{
  # Every input is a path-pinned sibling flake inside this repository, so the
  # milter configuration is versioned together with the secrets, environment
  # and the OpenDMARC/OpenARC modules it composes.
  inputs = {
    secrets.url = "path:../../secrets";
    environment.url = "path:../environment";
    files-watcher.url = "path:../../files-watcher";
    opendmarc.url = "path:../../opendmarc";
    openarc.url = "path:../../openarc";
  };

  outputs = { self, secrets, environment, opendmarc, openarc, files-watcher }: {
    nixosModule = self.nixosModules.milters;

    # NixOS module wiring the mail milters: OpenDKIM (signing keys supplied by
    # the secrets module) and the locally written verify_from milter. OpenDMARC
    # and OpenARC are configured by their own flakes, imported below.
    nixosModules.milters = { lib, pkgs, config, nodes, ... }:
      let
        cfg = config.myServices.mail.milters;
        dkim = config.services.opendkim;

        # secrets.keys entry for one DKIM private key: owned by the opendkim
        # user/group, readable by the owner only, content taken from myEnv.
        dkimKey = name: {
          user = dkim.user;
          group = dkim.group;
          permissions = "0400";
          text = config.myEnv.mail.dkim.${name}.private;
        };
        dkimKeyNames = [ "eldiron" "eldiron2" ];
        dkimSecretPath = name: "opendkim/${name}.private";

        # Runtime directory and socket of the verify_from milter; the socket
        # path handed to the script is derived from the directory name so the
        # two cannot drift apart.
        verifyFromRuntimeDir = "milter_verify_from";
        verifyFromSocket = "/run/${verifyFromRuntimeDir}/verify_from.sock";
      in {
        imports = map (flake: flake.nixosModule) [
          secrets
          environment
          files-watcher
          opendmarc
          openarc
        ];

        options.myServices.mail.milters = {
          enable = lib.mkEnableOption "enable Mail milters";
          # Read-only map of milter name -> unix socket path, for consumers
          # (e.g. the MTA configuration) to reference.
          sockets = lib.mkOption {
            type = lib.types.attrsOf lib.types.path;
            readOnly = true;
            description = ''
              milters sockets
            '';
            default = {
              opendkim = "/run/opendkim/opendkim.sock";
              opendmarc = config.services.opendmarc.socket;
              openarc = config.services.openarc.socket;
            };
          };
        };

        config = lib.mkIf cfg.enable {
          # Key directory is 0550 (list/enter only); each private key inside
          # is a separate 0400 secret.
          secrets.keys = {
            "opendkim" = {
              isDir = true;
              user = dkim.user;
              group = dkim.group;
              permissions = "0550";
            };
          } // lib.listToAttrs (map
            (name: lib.nameValuePair (dkimSecretPath name) (dkimKey name))
            dkimKeyNames);

          # NOTE(review): "keys" group membership presumably grants the opendkim
          # user access to the secrets tree — confirm against the secrets module.
          users.users."${dkim.user}".extraGroups = [ "keys" ];

          services.opendkim = {
            enable = true;
            socket = "local:${cfg.sockets.opendkim}";
            # Sign for every fqdn declared in the email policies of all DNS
            # zones known on the eldiron node, joined as a comma-separated list.
            domains =
              let
                zoneDomains = zone: lib.mapAttrsToList (_: policy: policy.fqdn) zone.emailPolicies;
                allDomains = lib.concatMap zoneDomains
                  (builtins.attrValues nodes.eldiron.config.myServices.dns.zones);
              in
                lib.concatStringsSep "," allDomains;
            keyPath = config.secrets.fullPaths."opendkim";
            selector = "eldiron2";
            # Configuration file passed to opendkim through the module's
            # configFile option. UMask 002 keeps the group write bit on files
            # the daemon creates; together with `group` below this is
            # presumably what lets the postfix group connect to the socket —
            # confirm before tightening.
            configFile = pkgs.writeText "opendkim.conf" ''
              SubDomains yes
              UMask 002
              AlwaysAddARHeader yes
            '';
            group = config.services.postfix.group;
          };
          systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
          # Key material is provisioned by the secrets module, so the upstream
          # preStart (which would generate keys) is short-circuited.
          systemd.services.opendkim.preStart = lib.mkBefore ''
            # Skip the prestart script as keys are handled in secrets
            exit 0
          '';
          # Restart opendkim whenever one of its private keys is rotated.
          services.filesWatcher.opendkim = {
            restart = true;
            paths = map (name: config.secrets.fullPaths.${dkimSecretPath name}) dkimKeyNames;
          };

          systemd.services.milter_verify_from = {
            description = "Verify from milter";
            after = [ "network.target" ];
            wantedBy = [ "multi-user.target" ];

            serviceConfig = {
              Slice = "mail.slice";
              # Runs unprivileged as the MTA user so the unix socket in the
              # runtime directory is reachable by postfix.
              User = "postfix";
              Group = "postfix";
              RuntimeDirectory = verifyFromRuntimeDir;
              ExecStart =
                let
                  # pymilter from PyPI, pinned by version and source hash and
                  # built against the system libmilter; its test suite is not
                  # run (doCheck = false).
                  # NOTE(review): python38 is end-of-life upstream — check that
                  # the interpreter pin is still intended.
                  pymilter = pkgs.python38Packages.buildPythonPackage rec {
                    pname = "pymilter";
                    version = "1.0.4";
                    src = pkgs.python38Packages.fetchPypi {
                      inherit pname version;
                      sha256 = "1bpcvq7d72q0zi7c8h5knhasywwz9gxc23n9fxmw874n5k8hsn7k";
                    };
                    doCheck = false;
                    buildInputs = [ pkgs.libmilter ];
                  };
                  interpreter = pkgs.python38.withPackages (_: [ pymilter ]);
                in
                  "${interpreter}/bin/python ${./verify_from.py} -s ${verifyFromSocket}";
            };
          };
        };
      };
  };
}