{ lib, pkgs, config, name, ... }:
let
  svc = config.myServices;
  env = config.myEnv;
  milterSockets = config.myServices.mail.milters.sockets;
  dkimUnit = config.services.opendkim;
  dmarcUnit = config.services.opendmarc;
  postfixGroup = config.services.postfix.group;

  # One DKIM-signed domain per entry of each master zone's `withEmail` list:
  # "<sub>.<zone>" when the entry names a sub-domain, the bare zone otherwise.
  dkimDomainList = lib.flatten (map
    (zone: map
      (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
      (zone.withEmail or [ ]))
    env.dns.masterZones);

  # Hosts opendmarc must not evaluate: the static list from the environment
  # followed by the FQDN of every server that has an MX enabled.
  dmarcIgnoreHostsText =
    let
      mxFqdns = lib.mapAttrsToList (n: v: v.fqdn)
        (lib.attrsets.filterAttrs (n: v: v.mx.enable) env.servers);
    in
    builtins.concatStringsSep "\n" ([ env.mail.dmarc.ignore_hosts ] ++ mxFqdns);

  # Interpreter for the "verify from" milter; pymilter is its only extra.
  verifyFromPython = pkgs.python3.withPackages (p: [ p.pymilter ]);
in
{
  # The openarc service itself is provided by the flake pulled in here; only
  # its socket path is declared below (its service options are not in this file).
  imports = builtins.attrValues
    (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules;

  # Fixed socket paths of the three milters, shared with the MTA configuration.
  # readOnly: other modules may read them but never override them.
  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = "/run/opendmarc/opendmarc.sock";
      openarc = "/run/openarc/openarc.sock";
    };
    readOnly = true;
    description = ''
      milters sockets
    '';
  };

  config = lib.mkIf (svc.mail.enable || svc.mailBackup.enable) {
    # Material deployed through the secrets mechanism. The signing key is
    # owner-readable only; the public TXT record is world-readable on purpose.
    secrets.keys = [
      {
        dest = "opendkim/eldiron.private";
        user = dkimUnit.user;
        group = dkimUnit.group;
        permissions = "0400";
        text = env.mail.dkim.eldiron.private;
      }
      {
        dest = "opendkim/eldiron.txt";
        user = dkimUnit.user;
        group = dkimUnit.group;
        permissions = "0444";
        text = ''
          eldiron._domainkey IN TXT ${env.mail.dkim.eldiron.public}'';
      }
      {
        dest = "opendmarc/ignore.hosts";
        user = dmarcUnit.user;
        group = dmarcUnit.group;
        permissions = "0400";
        text = dmarcIgnoreHostsText;
      }
    ];

    # "keys" group membership — presumably what grants read access to the
    # deployed secret files; confirm against the secrets module.
    users.users."${dkimUnit.user}".extraGroups = [ "keys" ];

    services.opendkim = {
      enable = true;
      socket = "local:${milterSockets.opendkim}";
      domains = builtins.concatStringsSep "," dkimDomainList;
      keyPath = "${config.secrets.location}/opendkim";
      selector = "eldiron";
      # UMask 002 leaves the socket group-accessible; together with the
      # postfix group below this is what lets the MTA reach the milter.
      configFile = pkgs.writeText "opendkim.conf" ''
        SubDomains yes
        UMask 002
        AlwaysAddARHeader yes
      '';
      group = postfixGroup;
    };
    systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
    # The upstream preStart would generate a key pair; the key is provisioned
    # as a secret above, so the script is cut short before it runs.
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
    '';
    # Pick up a rotated signing key without a manual restart.
    services.filesWatcher.opendkim = {
      restart = true;
      paths = [ config.secrets.fullPaths."opendkim/eldiron.private" ];
    };

    users.users."${dmarcUnit.user}".extraGroups = [ "keys" ];
    systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
    services.opendmarc = {
      enable = true;
      socket = "local:${milterSockets.opendmarc}";
      # SPFIgnoreResults + SPFSelfValidate: upstream SPF headers are not
      # trusted, opendmarc re-evaluates SPF itself. IgnoreHosts points at the
      # secret file built from dmarcIgnoreHostsText.
      configFile = pkgs.writeText "opendmarc.conf" ''
        AuthservID HOSTNAME
        FailureReports false
        FailureReportsBcc postmaster@immae.eu
        FailureReportsOnNone true
        FailureReportsSentBy postmaster@immae.eu
        IgnoreAuthenticatedClients true
        IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
        SoftwareHeader true
        SPFIgnoreResults true
        SPFSelfValidate true
        UMask 002
      '';
      group = postfixGroup;
    };
    services.filesWatcher.opendmarc = {
      restart = true;
      paths = [ config.secrets.fullPaths."opendmarc/ignore.hosts" ];
    };

    # Custom milter (verify_from.py next to this file) listening on a unix
    # socket inside its RuntimeDirectory. It runs as the postfix user with no
    # further sandboxing directives; NOTE(review): consider the usual systemd
    # hardening options once it is confirmed the script needs nothing beyond
    # its runtime directory.
    systemd.services.milter_verify_from = {
      description = "Verify from milter";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Slice = "mail.slice";
        User = "postfix";
        Group = "postfix";
        ExecStart =
          "${verifyFromPython}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
        RuntimeDirectory = "milter_verify_from";
      };
    };
  };
}