{
  description = "Private configuration for opendmarc";

  # Sibling flakes of this repository, all pinned by relative path.
  inputs = {
    opendmarc.url = "path:../../opendmarc";
    environment.url = "path:../environment";
    secrets.url = "path:../../secrets";
    files-watcher.url = "path:../../files-watcher";
  };

  outputs = { self, environment, opendmarc, files-watcher, secrets }: {
    # Alias so a consumer may use either `nixosModule` or `nixosModules.opendmarc`.
    nixosModule = self.nixosModules.opendmarc;

    nixosModules.opendmarc = { config, lib, pkgs, ... }:
      let
        # Secret holding the hosts OpenDMARC must not evaluate. It is declared
        # under `secrets.keys` below and resolved through `config.secrets.fullPaths`.
        ignoreHostsKey = "opendmarc/ignore.hosts";
        ignoreHostsPath = config.secrets.fullPaths.${ignoreHostsKey};

        # Every server of the shared environment that has an MX enabled.
        mxServers = lib.filterAttrs (_: server: server.mx.enable) config.myEnv.servers;
        mxFqdns = lib.mapAttrsToList (_: server: server.fqdn) mxServers;

        # NOTE(review): `ignore_hosts` is joined as a single element, so it is
        # assumed to already be a newline-separated string (a list would make
        # concatStringsSep fail) — confirm against the myEnv definition.
        ignoreHostsText =
          lib.concatStringsSep "\n" ([ config.myEnv.mail.dmarc.ignore_hosts ] ++ mxFqdns);

        opendmarcUser = config.services.opendmarc.user;
        opendmarcGroup = config.services.opendmarc.group;
      in
      {
        imports = [
          environment.nixosModule
          files-watcher.nixosModule
          opendmarc.nixosModule
          secrets.nixosModule
        ];

        config = {
          # Membership in "keys" presumably lets the daemon read the deployed
          # secrets — confirm against the secrets module.
          users.users.${opendmarcUser}.extraGroups = [ "keys" ];
          systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";

          services.opendmarc = {
            enable = true;
            socket = "/run/opendmarc/opendmarc.sock";
            # The daemon runs under postfix's group and `UMask 002` below makes
            # the milter socket group-writable, presumably so postfix can connect
            # to it; only members of that group should be able to reach the socket.
            group = config.services.postfix.group;
            # Security-relevant points of the generated opendmarc.conf:
            #  - IgnoreHosts: every host listed in that file bypasses DMARC
            #    evaluation entirely, so the list (ignore_hosts plus all MX FQDNs)
            #    is a trust decision — review additions carefully.
            #  - SPFIgnoreResults / SPFSelfValidate: upstream Received-SPF results
            #    are ignored and SPF is evaluated locally, so a client cannot smuggle
            #    in a favourable SPF result. NOTE(review): this relies on an
            #    OpenDMARC build with SPF support — confirm.
            #  - FailureReports is off, so FailureReportsBcc / FailureReportsOnNone /
            #    FailureReportsSentBy are currently inert (kept for re-enabling?).
            #  - SoftwareHeader presumably adds a header naming the filter to
            #    processed mail — a minor information disclosure.
            #  - RejectFailures is not set. NOTE(review): with OpenDMARC's default,
            #    failing mail is only annotated, not rejected — confirm intended.
            configFile = pkgs.writeText "opendmarc.conf" ''
              AuthservID HOSTNAME
              FailureReports false
              FailureReportsBcc postmaster@immae.eu
              FailureReportsOnNone true
              FailureReportsSentBy postmaster@immae.eu
              IgnoreAuthenticatedClients true
              IgnoreHosts ${ignoreHostsPath}
              SoftwareHeader true
              SPFIgnoreResults true
              SPFSelfValidate true
              UMask 002
            '';
          };

          # Restart the filter whenever the ignore list is redeployed, since
          # OpenDMARC reads the file at startup.
          services.filesWatcher.opendmarc = {
            restart = true;
            paths = [ ignoreHostsPath ];
          };

          # The ignore list is a secret readable only by the opendmarc user (0400).
          secrets.keys.${ignoreHostsKey} = {
            user = opendmarcUser;
            group = opendmarcGroup;
            permissions = "0400";
            text = ignoreHostsText;
          };
        };
      };
  };
}