X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fmail%2Fmilters.nix;h=123af4ab650b554730fa2fe5b0cc6c0e8aea7a29;hp=c4bd990b2766a3e89fa3d914669663f2a520bcc5;hb=8415083eb6acc343dfa404dbbc12fa0171a48a20;hpb=8fa7ff2c63fb0722144bc90837512d9f8b8c929d
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index c4bd990..123af4a 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -12,112 +12,114 @@ milters sockets ''; }; - config.secrets.keys = [ - { - dest = "opendkim/eldiron.private"; - user = config.services.opendkim.user; - group = config.services.opendkim.group; - permissions = "0400"; - text = myconfig.env.mail.dkim.eldiron.private; - } - { - dest = "opendkim/eldiron.txt"; - user = config.services.opendkim.user; - group = config.services.opendkim.group; - permissions = "0444"; - text = '' - eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}''; - } - { - dest = "opendmarc/ignore.hosts"; - user = config.services.opendmarc.user; - group = config.services.opendmarc.group; - permissions = "0400"; - text = myconfig.env.mail.dmarc.ignore_hosts; - } - ]; - config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; - config.services.opendkim = { - enable = true; - socket = "local:${config.myServices.mail.milters.sockets.opendkim}"; - domains = builtins.concatStringsSep "," (lib.flatten (map - (zone: map - (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}") - (zone.withEmail or []) - ) - myconfig.env.dns.masterZones - )); - keyPath = "${config.secrets.location}/opendkim"; - selector = "eldiron"; - configFile = pkgs.writeText "opendkim.conf" '' - SubDomains yes - UMask 002 - ''; - group = config.services.postfix.group; - }; - config.systemd.services.opendkim.preStart = lib.mkBefore '' - # Skip the prestart script as keys are handled in secrets - exit 0 - ''; - config.services.filesWatcher.opendkim = { - restart = true; - paths = [ - config.secrets.fullPaths."opendkim/eldiron.private" + config = lib.mkIf config.myServices.mail.enable { + secrets.keys = [ + { + dest = "opendkim/eldiron.private"; + user = config.services.opendkim.user; + group = config.services.opendkim.group; + permissions = "0400"; + text = myconfig.env.mail.dkim.eldiron.private; + } + { + dest = "opendkim/eldiron.txt"; + user = config.services.opendkim.user; + group = config.services.opendkim.group; + permissions = 
"0444";
+ text = ''
+ eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+ }
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = myconfig.env.mail.dmarc.ignore_hosts;
+ }
 ];
- };
-
- config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- config.services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@localhost.immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFSelfValidate true
- TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
- UMask 002
+ users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+ services.opendkim = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
+ domains = builtins.concatStringsSep "," (lib.flatten (map
+ (zone: map
+ (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+ (zone.withEmail or [])
+ )
+ myconfig.env.dns.masterZones
+ ));
+ keyPath = "${config.secrets.location}/opendkim";
+ selector = "eldiron";
+ configFile = pkgs.writeText "opendkim.conf" ''
+ SubDomains yes
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ systemd.services.opendkim.preStart = lib.mkBefore ''
+ # Skip the prestart script as keys are handled in secrets
+ exit 0
 '';
- group = config.services.postfix.group;
- };
- config.services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
- ];
- };
+ services.filesWatcher.opendkim = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
+
+
users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ services.opendmarc = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@localhost.immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFSelfValidate true
+ TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
- config.services.openarc = {
- enable = true;
- user = "opendkim";
- socket = "local:${config.myServices.mail.milters.sockets.openarc}";
- group = config.services.postfix.group;
- configFile = pkgs.writeText "openarc.conf" ''
- AuthservID mail.immae.eu
- Domain mail.immae.eu
- KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
- Mode sv
- Selector eldiron
- SoftwareHeader yes
- Syslog Yes
+ services.openarc = {
+ enable = true;
+ user = "opendkim";
+ socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+ group = config.services.postfix.group;
+ configFile = pkgs.writeText "openarc.conf" ''
+ AuthservID mail.immae.eu
+ Domain mail.immae.eu
+ KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+ Mode sv
+ Selector eldiron
+ SoftwareHeader yes
+ Syslog Yes
+ '';
+ };
+ systemd.services.openarc.postStart = lib.optionalString
+ (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+ while [ !
-S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+ sleep 0.5
+ done
+ chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
 '';
- };
- config.systemd.services.openarc.postStart = lib.optionalString
- (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
- while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
- sleep 0.5
- done
- chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
- '';
- config.services.filesWatcher.openarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendkim/eldiron.private"
- ];
+ services.filesWatcher.openarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
 };
 }
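Review bot: The socket wait in the new-side `systemd.services.openarc.postStart` (end of the openarc block) has no upper bound, so if openarc never creates the socket the unit sits in postStart until systemd's start timeout instead of failing with a clear message, and the socket path is passed to `[ -S … ]` and `chmod` unquoted. I would bind the path to a quoted shell variable, give the loop a bounded number of attempts (the 120 × 0.5 s below is a constructed value, pick what fits), and fail the unit explicitly when it is exhausted. The `chmod g+w` also deserves a one-line comment stating why it exists, since `group` on the service is `config.services.postfix.group` and the write bit is presumably what lets Postfix connect — confirm that intent. The enclosing module function starts outside the hunk; the `config = lib.mkIf …` set itself opens and closes within it.
```nix
systemd.services.openarc.postStart = lib.optionalString
  (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
    # The service runs with group ${config.services.postfix.group}; the
    # group write bit is what lets Postfix talk to this milter socket.
    sock="${lib.strings.removePrefix "local:" config.services.openarc.socket}"
    tries=0
    while [ ! -S "$sock" ]; do
      tries=$((tries + 1))
      if [ "$tries" -ge 120 ]; then
        echo "openarc socket $sock did not appear" >&2
        exit 1
      fi
      sleep 0.5
    done
    chmod g+w "$sock"
  '';
```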