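# Mail milters for the mail stack: DKIM signing/verification (opendkim),
# DMARC evaluation (opendmarc) and ARC sealing/verification (openarc).
# All three listen on local unix sockets that postfix connects to; the
# socket paths are exported read-only through `myServices.mail.milters.sockets`.
{ lib, pkgs, config, myconfig, ... }:
let
  sockets = config.myServices.mail.milters.sockets;
  # Domains signed by opendkim: every (subdomain, zone) pair flagged
  # `withEmail` in the DNS master zones, rendered as "sub.zone" or "zone".
  dkimDomains = builtins.concatStringsSep "," (lib.flatten (
    map (zone:
      map (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
        (zone.withEmail or [])
    ) myconfig.env.dns.masterZones
  ));
  openarcSock = lib.strings.removePrefix "local:" config.services.openarc.socket;
in
{
  options.myServices.mail.milters.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      opendkim = "/run/opendkim/opendkim.sock";
      opendmarc = "/run/opendmarc/opendmarc.sock";
      openarc = "/run/openarc/openarc.sock";
    };
    readOnly = true;
    description = ''
      milters sockets
    '';
  };

  config = lib.mkIf config.myServices.mail.enable {
    # Key material is deployed by the `secrets` module, not generated on the
    # host. The DKIM private key is readable only by the opendkim user; the
    # public TXT record and the DMARC ignore list are not sensitive.
    secrets.keys = [
      {
        dest = "opendkim/eldiron.private";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0400";
        text = myconfig.env.mail.dkim.eldiron.private;
      }
      {
        dest = "opendkim/eldiron.txt";
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
        permissions = "0444";
        text = ''
          eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
      }
      {
        dest = "opendmarc/ignore.hosts";
        user = config.services.opendmarc.user;
        group = config.services.opendmarc.group;
        permissions = "0400";
        text = myconfig.env.mail.dmarc.ignore_hosts;
      }
    ];

    # ---------------------------------------------------------------- opendkim
    # Membership in "keys" is what lets the daemon traverse the secrets tree.
    users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];

    services.opendkim = {
      enable = true;
      socket = "local:${sockets.opendkim}";
      domains = dkimDomains;
      keyPath = "${config.secrets.location}/opendkim";
      selector = "eldiron";
      # UMask 002 makes the socket group-writable; the group is set to
      # postfix's below so the MTA can connect to the milter.
      configFile = pkgs.writeText "opendkim.conf" ''
        SubDomains yes
        UMask 002
      '';
      group = config.services.postfix.group;
    };

    # The NixOS opendkim module would generate a key in preStart if none is
    # present; the key comes from `secrets.keys` above, so short-circuit it.
    systemd.services.opendkim.preStart = lib.mkBefore ''
      # Skip the prestart script as keys are handled in secrets
      exit 0
    '';

    services.filesWatcher.opendkim = {
      restart = true;
      paths = [ config.secrets.fullPaths."opendkim/eldiron.private" ];
    };

    # --------------------------------------------------------------- opendmarc
    users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];

    services.opendmarc = {
      enable = true;
      socket = "local:${sockets.opendmarc}";
      # NOTE(review): `TrustedAuthservIDs` and `IgnoreAuthenticatedClients`
      # mean Authentication-Results headers carrying one of these authserv-ids
      # are believed rather than re-evaluated. That is only safe if every
      # listed host (and every path into this MTA) strips or overwrites
      # inbound Authentication-Results headers claiming those ids, otherwise
      # a remote sender can forge a passing DKIM/SPF result — confirm on the
      # upstream hosts.
      configFile = pkgs.writeText "opendmarc.conf" ''
        AuthservID HOSTNAME
        FailureReports false
        FailureReportsBcc postmaster@localhost.immae.eu
        FailureReportsOnNone true
        FailureReportsSentBy postmaster@immae.eu
        IgnoreAuthenticatedClients true
        IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
        SoftwareHeader true
        SPFSelfValidate true
        TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
        UMask 002
      '';
      group = config.services.postfix.group;
    };

    services.filesWatcher.opendmarc = {
      restart = true;
      paths = [ config.secrets.fullPaths."opendmarc/ignore.hosts" ];
    };

    # ----------------------------------------------------------------- openarc
    services.openarc = {
      enable = true;
      # openarc seals with the same private key as opendkim (0400, owned by
      # the opendkim user), so it must run as that user. Reference the
      # option instead of hard-coding "opendkim" so the two cannot drift.
      user = config.services.opendkim.user;
      socket = "local:${sockets.openarc}";
      group = config.services.postfix.group;
      configFile = pkgs.writeText "openarc.conf" ''
        AuthservID mail.immae.eu
        Domain mail.immae.eu
        KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
        Mode sv
        Selector eldiron
        SoftwareHeader yes
        Syslog Yes
      '';
    };

    # openarc offers no UMask knob here, so the socket is opened up to the
    # postfix group after the daemon creates it. The wait is bounded (60 s)
    # so a daemon that never comes up fails the unit instead of leaving
    # ExecStartPost spinning forever.
    systemd.services.openarc.postStart =
      lib.optionalString (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
        tries=0
        while [ ! -S ${openarcSock} ]; do
          if [ "$tries" -ge 120 ]; then
            echo "openarc socket ${openarcSock} did not appear" >&2
            exit 1
          fi
          tries=$((tries + 1))
          sleep 0.5
        done
        chmod g+w ${openarcSock}
      '';

    services.filesWatcher.openarc = {
      restart = true;
      paths = [ config.secrets.fullPaths."opendkim/eldiron.private" ];
    };
  };
}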