Add opendmarc openarc and opendkim configuration and packages
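--- a/modules/private/mail.nix
+++ b/modules/private/mail.nix
index 611c8b41c792483e9b6e98d5978222eb62a59b07..eb869ba3eb28e9100d562761880f3c277cd00650 100644
       remotes = "${myconfig.env.mail.relay} smtp";
     };
   };
+
+  config.secrets.keys = [
+    {
+      dest = "opendkim/eldiron.private";
+      user = config.services.opendkim.user;
+      group = config.services.opendkim.group;
+      permissions = "0400";
+      text = myconfig.env.mail.dkim.eldiron.private;
+    }
+    {
+      dest = "opendkim/eldiron.txt";
+      user = config.services.opendkim.user;
+      group = config.services.opendkim.group;
+      permissions = "0444";
+      text = ''
+        eldiron._domainkey     IN      TXT     ${myconfig.env.mail.dkim.eldiron.public}'';
+    }
+    {
+      dest = "opendmarc/ignore.hosts";
+      user = config.services.opendmarc.user;
+      group = config.services.opendmarc.group;
+      permissions = "0400";
+      text = myconfig.env.mail.dmarc.ignore_hosts;
+    }
+  ];
+  config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+  config.services.opendkim = {
+    enable = true;
+    domains = builtins.concatStringsSep "," (lib.flatten (map
+      (zone: map
+        (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+        (zone.withEmail or [])
+      )
+      myconfig.env.dns.masterZones
+    ));
+    keyPath = "${config.secrets.location}/opendkim";
+    selector = "eldiron";
+    configFile = pkgs.writeText "opendkim.conf" ''
+      SubDomains     yes
+      UMask          002
+      '';
+  };
+  config.systemd.services.opendkim.preStart = lib.mkBefore ''
+    # Skip the prestart script as keys are handled in secrets
+    exit 0
+    '';
+  config.services.filesWatcher.opendkim = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendkim/eldiron.private"
+    ];
+  };
+
+  config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+  config.services.opendmarc = {
+    enable = true;
+    configFile = pkgs.writeText "opendmarc.conf" ''
+      AuthservID                  HOSTNAME
+      FailureReports              false
+      FailureReportsBcc           postmaster@localhost.immae.eu
+      FailureReportsOnNone        true
+      FailureReportsSentBy        postmaster@immae.eu
+      IgnoreAuthenticatedClients  true
+      IgnoreHosts                 ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+      SoftwareHeader              true
+      SPFSelfValidate             true
+      TrustedAuthservIDs          HOSTNAME, immae.eu, nef2.ens.fr
+      UMask                       002
+      '';
+  };
+  config.services.filesWatcher.opendmarc = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendmarc/ignore.hosts"
+    ];
+  };
+
+  config.services.openarc = {
+    enable = true;
+    user = "opendkim";
+    group = "opendkim";
+    configFile = pkgs.writeText "openarc.conf" ''
+      AuthservID              mail.immae.eu
+      Domain                  mail.immae.eu
+      KeyFile                 ${config.secrets.fullPaths."opendkim/eldiron.private"}
+      Mode                    sv
+      Selector                eldiron
+      SoftwareHeader          yes
+      Syslog                  Yes
+      '';
+  };
+  config.systemd.services.openarc.postStart = lib.optionalString
+        (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+    while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+      sleep 0.5
+    done
+    chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+    '';
+  config.services.filesWatcher.openarc = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendkim/eldiron.private"
+    ];
+  };
 }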
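Review bot: The openarc `postStart` wait loop (`while [ ! -S … ]; do sleep 0.5; done`) has no upper bound, so if openarc never creates its socket (a non-`local:` socket string that still has the prefix, a crash at startup, a path mismatch) the unit sits in the postStart phase until systemd's start timeout instead of failing with a clear error; bounding the wait and failing explicitly makes the misconfiguration visible in the journal, and a rewrite is below. Separately, openarc is run as the `opendkim` user/group and points `KeyFile` at the same `eldiron.private` that opendkim signs with, so the two daemons share one signing key and one identity; that is a deliberate trade-off worth recording next to the `user = "opendkim";` line, e.g. `# openarc runs as opendkim so it can read the shared DKIM/ARC key in eldiron.private`. Note also that `chmod g+w` on the socket is what lets other members of the opendkim group write to it; the group membership of the MTA is configured outside this hunk, so that dependency is not visible here.
```nix
  config.systemd.services.openarc.postStart = lib.optionalString
        (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
    sock=${lib.strings.removePrefix "local:" config.services.openarc.socket}
    # Wait at most ~30s for openarc to create its socket, then fail loudly.
    n=0
    while [ ! -S "$sock" ] && [ "$n" -lt 60 ]; do
      sleep 0.5
      n=$((n + 1))
    done
    [ -S "$sock" ] || { echo "openarc socket $sock did not appear" >&2; exit 1; }
    chmod g+w "$sock"
    '';
```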