+++ /dev/null
-{ lib, pkgs, config, name, ... }:
-{
- imports =
- builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/openarc).nixosModules
- ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/private/opendmarc).nixosModules;
-
- options.myServices.mail.milters.sockets = lib.mkOption {
- type = lib.types.attrsOf lib.types.path;
- default = {
- opendkim = "/run/opendkim/opendkim.sock";
- opendmarc = config.services.opendmarc.socket;
- openarc = config.services.openarc.socket;
- };
- readOnly = true;
- description = ''
- milters sockets
- '';
- };
- config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) {
- secrets.keys = {
- "opendkim" = {
- isDir = true;
- user = config.services.opendkim.user;
- group = config.services.opendkim.group;
- permissions = "0550";
- };
- "opendkim/eldiron.private" = {
- user = config.services.opendkim.user;
- group = config.services.opendkim.group;
- permissions = "0400";
- text = config.myEnv.mail.dkim.eldiron.private;
- };
- "opendkim/eldiron.txt" = {
- user = config.services.opendkim.user;
- group = config.services.opendkim.group;
- permissions = "0444";
- text = ''
- eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
- };
- };
- users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
- services.opendkim = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
- domains = builtins.concatStringsSep "," (lib.flatten (map
- (zone: map
- (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
- (zone.withEmail or [])
- )
- config.myEnv.dns.masterZones
- ));
- keyPath = config.secrets.fullPaths."opendkim";
- selector = "eldiron";
- configFile = pkgs.writeText "opendkim.conf" ''
- SubDomains yes
- UMask 002
- AlwaysAddARHeader yes
- '';
- group = config.services.postfix.group;
- };
- systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
- systemd.services.opendkim.preStart = lib.mkBefore ''
- # Skip the prestart script as keys are handled in secrets
- exit 0
- '';
- services.filesWatcher.opendkim = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendkim/eldiron.private"
- ];
- };
-
- systemd.services.milter_verify_from = {
- description = "Verify from milter";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- Slice = "mail.slice";
- User = "postfix";
- Group = "postfix";
- ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
- in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
- RuntimeDirectory = "milter_verify_from";
- };
- };
- };
-}