# Private flake around the shared opendmarc flake: it re-exports that flake's
# outputs and adds one NixOS module per host ("eldiron", "backup-2") which
# enables the opendmarc milter on that host only.
{
  description = "Private configuration for opendmarc";

  inputs = {
    opendmarc = { path = "../../opendmarc"; type = "path"; };
    files-watcher = { path = "../../files-watcher"; type = "path"; };
    my-lib = { path = "../../lib"; type = "path"; };
    nix-lib.url = "github:NixOS/nixpkgs";
  };

  outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }:
    let
      # Module factory. `hostName` is the host the module is meant for; the
      # same module is generated for every host listed below, so all of its
      # configuration is gated on `name == hostName`.
      moduleFor = hostName: { config, lib, pkgs, name, ... }:
        let
          # Secret holding the hosts exempt from DMARC evaluation. Anything
          # listed there bypasses the filter entirely, so it should only ever
          # contain the site's own relays.
          ignoreHostsSecret = "opendmarc/ignore.hosts";
          ignoreHostsPath = config.secrets.fullPaths."${ignoreHostsSecret}";

          # Static ignore list from the environment plus the FQDN of every
          # server that has `mx.enable` set.
          mxServers = lib.filterAttrs (_: server: server.mx.enable) config.myEnv.servers;
          ignoreHostsText = lib.concatStringsSep "\n"
            ([ config.myEnv.mail.dmarc.ignore_hosts ]
              ++ lib.mapAttrsToList (_: server: server.fqdn) mxServers);

          # Rendered opendmarc.conf; IgnoreHosts points at the deployed secret.
          opendmarcConf = pkgs.writeText "opendmarc.conf" ''
            AuthservID HOSTNAME
            FailureReports false
            FailureReportsBcc postmaster@immae.eu
            FailureReportsOnNone true
            FailureReportsSentBy postmaster@immae.eu
            IgnoreAuthenticatedClients true
            IgnoreHosts ${ignoreHostsPath}
            SoftwareHeader true
            SPFIgnoreResults true
            SPFSelfValidate true
            UMask 002
          '';
        in
        {
          imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") ];

          config = lib.mkIf (name == hostName) {
            # "keys" group membership for the service user — presumably what the
            # secrets module requires to read deployed files; confirm against it.
            users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
            systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";

            services.opendmarc = {
              enable = true;
              socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
              configFile = opendmarcConf;
              group = config.services.postfix.group;
            };

            # Restart the milter whenever the ignore-hosts secret is redeployed so
            # a changed list takes effect.
            services.filesWatcher.opendmarc = {
              restart = true;
              paths = [ ignoreHostsPath ];
            };

            # The secret is owned by the opendmarc user and readable by it alone.
            secrets.keys = [
              {
                dest = ignoreHostsSecret;
                user = config.services.opendmarc.user;
                group = config.services.opendmarc.group;
                permissions = "0400";
                text = ignoreHostsText;
              }
            ];
          };
        };
    in
    opendmarc.outputs // {
      nixosModules = (opendmarc.nixosModules or { })
        // nix-lib.lib.genAttrs [ "eldiron" "backup-2" ] moduleFor;
    };
}