authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-04 09:53:11 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-06-04 23:57:44 +0200
commit411af8e3f754278c5b54dfef7e1bd144a6007c39 (patch)
treeb5076223d0a6fec0561e2f7da772ee6dd873e944
parent9247b444929061f32be9b003621e1da555ebc770 (diff)
Add opendmarc openarc and opendkim configuration and packages
-rw-r--r--modules/default.nix3
-rw-r--r--modules/myids.nix4
-rw-r--r--modules/openarc.nix90
-rw-r--r--modules/opendmarc.nix90
-rw-r--r--modules/private/mail.nix104
-rw-r--r--pkgs/default.nix2
-rw-r--r--pkgs/openarc/default.nix18
-rw-r--r--pkgs/openarc/openarc.json15
-rw-r--r--pkgs/opendmarc/default.nix26
-rw-r--r--pkgs/opendmarc/libspf2.nix35
10 files changed, 387 insertions, 0 deletions
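--- a/modules/default.nix
+++ b/modules/default.nix
@@ -10,6 +10,9 @@
  mediagoblin = ./webapps/mediagoblin.nix;
  peertube = ./webapps/peertube.nix;
 
+ opendmarc = ./opendmarc.nix;
+ openarc = ./openarc.nix;
+
  php-application = ./websites/php-application.nix;
  websites = ./websites;
 } // (if builtins.pathExists ./private then import ./private else {})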
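--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -3,6 +3,8 @@
  # Check that there is no clash with nixos/modules/misc/ids.nix
  config = {
  ids.uids = {
+ opendarc = 391;
+ opendmarc = 392;
  peertube = 394;
  redis = 395;
  nullmailer = 396;
@@ -11,6 +13,8 @@
  mastodon = 399;
  };
  ids.gids = {
+ opendarc = 392;
+ opendmarc = 392;
  peertube = 394;
  redis = 395;
  nullmailer = 396;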
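Review bot: Both new entries are keyed `opendarc`, but modules/openarc.nix reads `config.ids.uids.openarc` and `config.ids.gids.openarc`, so enabling OpenARC with user = "openarc" fails evaluation on a missing attribute. The gid entry also reuses 392, which is opendmarc's gid, contradicting the file's own "no clash" comment on the uid side. Rename and renumber so they pair with the uid: `openarc = 391;` in ids.uids and `openarc = 391;` in ids.gids, keeping `opendmarc = 392;` in both. The enclosing `config` attribute set continues outside the hunk.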
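--- /dev/null
+++ b/modules/openarc.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.openarc;
+
+ defaultSock = "local:/run/openarc/openarc.sock";
+
+ args = [ "-f"
+ "-p" cfg.socket
+ ] ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+
+in {
+
+ ###### interface
+
+ options = {
+
+ services.openarc = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to enable the OpenARC sender authentication system.";
+ };
+
+ socket = mkOption {
+ type = types.str;
+ default = defaultSock;
+ description = "Socket which is used for communication with OpenARC.";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "opendmarc";
+ description = "User for the daemon.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "opendmarc";
+ description = "Group for the daemon.";
+ };
+
+ configFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Additional OpenARC configuration.";
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ users.users = optionalAttrs (cfg.user == "openarc") (singleton
+ { name = "openarc";
+ group = cfg.group;
+ uid = config.ids.uids.openarc;
+ });
+
+ users.groups = optionalAttrs (cfg.group == "openarc") (singleton
+ { name = "openarc";
+ gid = config.ids.gids.openarc;
+ });
+
+ environment.systemPackages = [ pkgs.openarc ];
+
+ systemd.services.openarc = {
+ description = "OpenARC daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.openarc}/bin/openarc ${escapeShellArgs args}";
+ User = cfg.user;
+ Group = cfg.group;
+ RuntimeDirectory = optional (cfg.socket == defaultSock) "openarc";
+ PermissionsStartOnly = true;
+ };
+ };
+
+ };
+}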
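Review bot: The `user` and `group` options default to `"opendmarc"`, which looks copied from the OpenDMARC module: with the defaults the daemon runs under the DMARC verifier's identity, and the `users.users`/`users.groups` definitions below only fire when the value is `"openarc"`, so nothing guarantees the default account even exists. Set `default = "openarc";` on both options so the account creation path is the one actually taken by default, and each milter keeps its own identity. The unit also only drops privileges via User/Group; `PermissionsStartOnly = true` has no effect here because the module defines no ExecStartPre/Post, and a reviewer would expect at least `ProtectSystem = "strict"; PrivateTmp = true; NoNewPrivileges = true;` for a network-facing milter.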
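--- /dev/null
+++ b/modules/opendmarc.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.opendmarc;
+
+ defaultSock = "local:/run/opendmarc/opendmarc.sock";
+
+ args = [ "-f" "-l"
+ "-p" cfg.socket
+ ] ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+
+in {
+
+ ###### interface
+
+ options = {
+
+ services.opendmarc = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to enable the OpenDMARC sender authentication system.";
+ };
+
+ socket = mkOption {
+ type = types.str;
+ default = defaultSock;
+ description = "Socket which is used for communication with OpenDMARC.";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "opendmarc";
+ description = "User for the daemon.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "opendmarc";
+ description = "Group for the daemon.";
+ };
+
+ configFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Additional OpenDMARC configuration.";
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ users.users = optionalAttrs (cfg.user == "opendmarc") (singleton
+ { name = "opendmarc";
+ group = cfg.group;
+ uid = config.ids.uids.opendmarc;
+ });
+
+ users.groups = optionalAttrs (cfg.group == "opendmarc") (singleton
+ { name = "opendmarc";
+ gid = config.ids.gids.opendmarc;
+ });
+
+ environment.systemPackages = [ pkgs.opendmarc ];
+
+ systemd.services.opendmarc = {
+ description = "OpenDMARC daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.opendmarc}/bin/opendmarc ${escapeShellArgs args}";
+ User = cfg.user;
+ Group = cfg.group;
+ RuntimeDirectory = optional (cfg.socket == defaultSock) "opendmarc";
+ PermissionsStartOnly = true;
+ };
+ };
+
+ };
+}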
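Review bot: `PermissionsStartOnly = true` in serviceConfig is dead configuration here: it only changes the identity of ExecStartPre/ExecStartPost commands, and this unit defines none, so the line documents an intent the unit never acts on. Either drop it or add the sandboxing a milter that parses untrusted mail headers should have, e.g. `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; NoNewPrivileges = true;`, since User/Group is currently the only containment. Note that `RuntimeDirectory` is only set when the default socket is used, so a caller who overrides `socket` to another `local:` path is responsible for creating and permissioning its directory; a one-line comment above `RuntimeDirectory` saying so would save the next reader a debugging round.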
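--- a/modules/private/mail.nix
+++ b/modules/private/mail.nix
@@ -10,4 +10,108 @@
  remotes = "${myconfig.env.mail.relay} smtp";
  };
  };
+
+ config.secrets.keys = [
+ {
+ dest = "opendkim/eldiron.private";
+ user = config.services.opendkim.user;
+ group = config.services.opendkim.group;
+ permissions = "0400";
+ text = myconfig.env.mail.dkim.eldiron.private;
+ }
+ {
+ dest = "opendkim/eldiron.txt";
+ user = config.services.opendkim.user;
+ group = config.services.opendkim.group;
+ permissions = "0444";
+ text = ''
+ eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+ }
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = myconfig.env.mail.dmarc.ignore_hosts;
+ }
+ ];
+ config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+ config.services.opendkim = {
+ enable = true;
+ domains = builtins.concatStringsSep "," (lib.flatten (map
+ (zone: map
+ (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+ (zone.withEmail or [])
+ )
+ myconfig.env.dns.masterZones
+ ));
+ keyPath = "${config.secrets.location}/opendkim";
+ selector = "eldiron";
+ configFile = pkgs.writeText "opendkim.conf" ''
+ SubDomains yes
+ UMask 002
+ '';
+ };
+ config.systemd.services.opendkim.preStart = lib.mkBefore ''
+ # Skip the prestart script as keys are handled in secrets
+ exit 0
+ '';
+ config.services.filesWatcher.opendkim = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
+
+ config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ config.services.opendmarc = {
+ enable = true;
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@localhost.immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFSelfValidate true
+ TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
+ UMask 002
+ '';
+ };
+ config.services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+
+ config.services.openarc = {
+ enable = true;
+ user = "opendkim";
+ group = "opendkim";
+ configFile = pkgs.writeText "openarc.conf" ''
+ AuthservID mail.immae.eu
+ Domain mail.immae.eu
+ KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+ Mode sv
+ Selector eldiron
+ SoftwareHeader yes
+ Syslog Yes
+ '';
+ };
+ config.systemd.services.openarc.postStart = lib.optionalString
+ (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+ while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+ sleep 0.5
+ done
+ chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+ '';
+ config.services.filesWatcher.openarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
 }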
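Review bot: The openarc `postStart` loop has no upper bound, so if the daemon exits before creating its socket (bad config file, unreadable `KeyFile`) the unit sits in "activating" forever instead of failing, and the `chmod` then never runs either; bound it, e.g. `for _ in $(seq 1 60); do [ -S "$sock" ] && break; sleep 0.5; done` followed by `[ -S "$sock" ] || exit 1`, with `sock` set once from the socket option. Two configuration choices deserve a comment in the file because they widen trust: `TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr` makes OpenDMARC accept pre-existing Authentication-Results headers claiming those authserv-ids, which is only safe if every entry point strips such headers from untrusted submitters (the page does not show that), and OpenARC signs with the same `eldiron` private key that OpenDKIM uses, so rotating or revoking the DKIM key now also affects ARC seals. Something like `# ARC reuses the DKIM key on purpose; rotate both together` above `KeyFile` would record that decision. The enclosing module attribute set starts above the hunk.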
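--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -18,6 +18,8 @@ rec {
  notmuch-python2 = callPackage ../pkgs/notmuch/notmuch-python { pythonPackages = python2Packages; };
  notmuch-python3 = callPackage ../pkgs/notmuch/notmuch-python { pythonPackages = python3Packages; };
  notmuch-vim = callPackage ../pkgs/notmuch/notmuch-vim {};
+ openarc = callPackage ../pkgs/openarc { inherit mylibs; };
+ opendmarc = callPackage ../pkgs/opendmarc { libspf2 = callPackage ../pkgs/opendmarc/libspf2.nix {}; };
  pg_activity = callPackage ../pkgs/pg_activity { inherit mylibs; };
  pgloader = callPackage ../pkgs/pgloader {};
  telegram-cli = callPackage ../pkgs/telegram-cli { inherit mylibs; };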
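--- /dev/null
+++ b/pkgs/openarc/default.nix
@@ -0,0 +1,18 @@
+{ stdenv, autoconf, automake, file, libtool, libbsd, mylibs, openssl, pkg-config, libmilter }:
+
+stdenv.mkDerivation (mylibs.fetchedGithub ./openarc.json // rec {
+ buildInputs = [ automake autoconf libbsd libtool openssl pkg-config libmilter ];
+
+ configureFlags = [
+ "--with-milter=${libmilter}"
+ ];
+ preConfigure = ''
+ autoreconf --force --install
+ sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
+ '';
+ meta = with stdenv.lib; {
+ description = "Open source ARC implementation";
+ homepage = https://github.com/trusteddomainproject/OpenARC;
+ platforms = platforms.unix;
+ };
+})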
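Review bot: `autoconf`, `automake`, `libtool` and `pkg-config` are build-time tools but are listed in `buildInputs`, which also leaks them into the closure of a mail-facing binary; move them to `nativeBuildInputs = [ autoconf automake libtool pkg-config ];` and keep `buildInputs = [ libbsd openssl libmilter ];`. The source is an unreleased `master` commit (see openarc.json), pinned by revision and sha256 so the fetch is reproducible; a one-line comment above `mkDerivation` such as `# OpenARC has no tagged release; pinned to an upstream master commit` would tell the next maintainer why there is no version field. `file` is only referenced inside `preConfigure`, so it need not be in any inputs list.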
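--- /dev/null
+++ b/pkgs/openarc/openarc.json
@@ -0,0 +1,15 @@
+{
+ "tag": "355ee2a-master",
+ "meta": {
+ "name": "openarc",
+ "url": "https://github.com/trusteddomainproject/OpenARC",
+ "branch": "master"
+ },
+ "github": {
+ "owner": "trusteddomainproject",
+ "repo": "OpenARC",
+ "rev": "355ee2a1ca85acccce494478991983b54f794f4e",
+ "sha256": "0101k6hwwf3pb3jrc88x86d4l698gjmynn9v2rpvxwxv200r2i65",
+ "fetchSubmodules": true
+ }
+}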
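--- /dev/null
+++ b/pkgs/opendmarc/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, fetchurl, pkgconfig, libbsd, openssl, libmilter , perl, makeWrapper, libspf2 }:
+
+stdenv.mkDerivation rec {
+ name = "opendmarc-${version}";
+ version = "1.3.2";
+
+ src = fetchurl {
+ url = "mirror://sourceforge/opendmarc/files/${name}.tar.gz";
+ sha256 = "1yrggj8yq0915y2i34gfz2xpl1w2lgb1vggp67rwspgzm40lng11";
+ };
+
+ configureFlags= [
+ "--with-spf"
+ "--with-spf2-include=${libspf2}/include/spf2"
+ "--with-spf2-lib=${libspf2}/lib/"
+ "--with-milter=${libmilter}"
+ ];
+
+ buildInputs = [ libspf2 libbsd openssl libmilter perl ];
+
+ meta = with stdenv.lib; {
+ description = "Free open source software implementation of the DMARC specification";
+ homepage = http://www.trusteddomain.org/opendmarc/;
+ platforms = platforms.unix;
+ };
+}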
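Review bot: `pkgconfig` and `makeWrapper` are taken as function arguments but never used anywhere in the derivation, so either they are leftovers to delete from the argument list or a `nativeBuildInputs = [ pkgconfig ];` line was meant to accompany them. The tarball is pinned by sha256, which is what matters for integrity, but `homepage` uses plain `http://`; use `https://www.trusteddomain.org/opendmarc/` so the metadata does not point users at an unauthenticated page. A short comment above `configureFlags` noting that SPF support is compiled in via the locally built libspf2 (rather than relying on SPF results from elsewhere) would explain the `--with-spf*` trio.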
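--- /dev/null
+++ b/pkgs/opendmarc/libspf2.nix
@@ -0,0 +1,35 @@
+{ stdenv, file, fetchurl, fetchpatch, libnsl }:
+
+stdenv.mkDerivation rec {
+ name = "libspf2-${version}";
+ version = "1.2.10";
+
+ patches = [
+ (fetchpatch {
+ name = "fix-variadic-macros.patch";
+ url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/fix-variadic-macros.patch?h=packages/libspf2";
+ sha256 = "00dqpcgjr9jy2qprgqv2qiyvq8y3wlz4yns9xzabf2064jzqh2ic";
+ })
+ ];
+ preConfigure = ''
+ sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
+ '';
+ configureFlags = [
+ "--enable-static"
+ ];
+ postInstall = ''
+ rm $out/bin/*_static
+ '';
+ src = fetchurl {
+ url = "https://www.libspf2.org/spf/${name}.tar.gz";
+ sha256 = "1j91p0qiipzf89qxq4m1wqhdf01hpn1h5xj4djbs51z23bl3s7nr";
+ };
+
+ buildInputs = [ libnsl ];
+
+ meta = with stdenv.lib; {
+ description = "Sender Policy Framework record checking library";
+ homepage = https://www.libspf2.org/;
+ platforms = platforms.unix;
+ };
+}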
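Review bot: The patch is fetched from a branch-tracking URL (`?h=packages/libspf2`, no commit id), so its content can change upstream; the sha256 on `fetchpatch` means that would surface as a hash mismatch rather than a silent substitution, but the build then breaks with no local copy to fall back on — pin the URL to a specific commit (`?id=…`) or vendor the patch next to this file. The `--enable-static` flag followed by `rm $out/bin/*_static` reads as contradictory without context; a comment such as `# static archive is needed to link into opendmarc; the *_static test binaries are not` above `configureFlags` (if that is indeed the reason, which this page does not show) would make the intent explicit.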