author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-06-04 09:53:11 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-06-04 23:57:44 +0200 |
commit | 411af8e3f754278c5b54dfef7e1bd144a6007c39 (patch) | |
tree | b5076223d0a6fec0561e2f7da772ee6dd873e944 | |
parent | 9247b444929061f32be9b003621e1da555ebc770 (diff) | |
download | Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.tar.gz Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.tar.zst Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.zip |
Add opendmarc openarc and opendkim configuration and packages
-rw-r--r-- | modules/default.nix | 3 | ||||
-rw-r--r-- | modules/myids.nix | 4 | ||||
-rw-r--r-- | modules/openarc.nix | 90 | ||||
-rw-r--r-- | modules/opendmarc.nix | 90 | ||||
-rw-r--r-- | modules/private/mail.nix | 104 | ||||
-rw-r--r-- | pkgs/default.nix | 2 | ||||
-rw-r--r-- | pkgs/openarc/default.nix | 18 | ||||
-rw-r--r-- | pkgs/openarc/openarc.json | 15 | ||||
-rw-r--r-- | pkgs/opendmarc/default.nix | 26 | ||||
-rw-r--r-- | pkgs/opendmarc/libspf2.nix | 35 |
10 files changed, 387 insertions, 0 deletions
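diff --git a/modules/default.nix b/modules/default.nix
index dd34870..5346956 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -10,6 +10,9 @@
 mediagoblin = ./webapps/mediagoblin.nix;
 peertube = ./webapps/peertube.nix;
 
+opendmarc = ./opendmarc.nix;
+openarc = ./openarc.nix;
+
 php-application = ./websites/php-application.nix;
 websites = ./websites;
 } // (if builtins.pathExists ./private then import ./private else {})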
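diff --git a/modules/myids.nix b/modules/myids.nix
index 4fb2626..7ec9c0e 100644
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -3,6 +3,8 @@
 # Check that there is no clash with nixos/modules/misc/ids.nix
 config = {
 ids.uids = {
+opendarc = 391;
+opendmarc = 392;
 peertube = 394;
 redis = 395;
 nullmailer = 396;
@@ -11,6 +13,8 @@
 mastodon = 399;
 };
 ids.gids = {
+opendarc = 392;
+opendmarc = 392;
 peertube = 394;
 redis = 395;
 nullmailer = 396;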
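Review bot: The new entries at myids.nix lines 6 and 16 are spelled `opendarc`, while modules/openarc.nix in this same commit reads `config.ids.uids.openarc` and `config.ids.gids.openarc`, so enabling that module with `user = "openarc"` would fail evaluation on an undefined attribute. Line 16 also assigns gid 392 to that entry, the same value line 17 gives to opendmarc, whereas the uids use 391 and 392; two daemons sharing a gid means any group-based separation between them (the secrets in modules/private/mail.nix are group-owned) is ineffective. I would change both entries to `openarc = 391;`. The file's own comment asks for a check against nixos/modules/misc/ids.nix; I cannot confirm from here that 391 and 392 are free there.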
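diff --git a/modules/openarc.nix b/modules/openarc.nix
new file mode 100644
index 0000000..9dc49de
--- /dev/null
+++ b/modules/openarc.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.openarc;
+
+defaultSock = "local:/run/openarc/openarc.sock";
+
+args = [ "-f"
+"-p" cfg.socket
+] ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+
+in {
+
+###### interface
+
+options = {
+
+services.openarc = {
+
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to enable the OpenARC sender authentication system.";
+};
+
+socket = mkOption {
+type = types.str;
+default = defaultSock;
+description = "Socket which is used for communication with OpenARC.";
+};
+
+user = mkOption {
+type = types.str;
+default = "opendmarc";
+description = "User for the daemon.";
+};
+
+group = mkOption {
+type = types.str;
+default = "opendmarc";
+description = "Group for the daemon.";
+};
+
+configFile = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = "Additional OpenARC configuration.";
+};
+
+};
+
+};
+
+
+###### implementation
+
+config = mkIf cfg.enable {
+
+users.users = optionalAttrs (cfg.user == "openarc") (singleton
+{ name = "openarc";
+group = cfg.group;
+uid = config.ids.uids.openarc;
+});
+
+users.groups = optionalAttrs (cfg.group == "openarc") (singleton
+{ name = "openarc";
+gid = config.ids.gids.openarc;
+});
+
+environment.systemPackages = [ pkgs.openarc ];
+
+systemd.services.openarc = {
+description = "OpenARC daemon";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+ExecStart = "${pkgs.openarc}/bin/openarc ${escapeShellArgs args}";
+User = cfg.user;
+Group = cfg.group;
+RuntimeDirectory = optional (cfg.socket == defaultSock) "openarc";
+PermissionsStartOnly = true;
+};
+};
+
+};
+}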
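Review bot: The `user` and `group` options at lines 37 and 43 default to `"opendmarc"`, which reads as a leftover from the OpenDMARC module: with those defaults the `users.users`/`users.groups` entries guarded by `cfg.user == "openarc"` and `cfg.group == "openarc"` (lines 62 and 68) are never created, so the unit would run as an account that only exists when the OpenDMARC module is also enabled, and the two milters would then share one identity and one set of file permissions. Changing both lines to `default = "openarc";` restores the per-daemon separation the rest of the module is written for. Note that lines 65 and 70 read `config.ids.uids.openarc` / `config.ids.gids.openarc`, which modules/myids.nix in this commit defines under the misspelt name `opendarc`, so that file needs a matching fix. The private mail.nix sets user and group to `opendkim` explicitly, which is presumably why neither problem surfaced.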
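diff --git a/modules/opendmarc.nix b/modules/opendmarc.nix
new file mode 100644
index 0000000..e18ec82
--- /dev/null
+++ b/modules/opendmarc.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.services.opendmarc;
+
+defaultSock = "local:/run/opendmarc/opendmarc.sock";
+
+args = [ "-f" "-l"
+"-p" cfg.socket
+] ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+
+in {
+
+###### interface
+
+options = {
+
+services.opendmarc = {
+
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to enable the OpenDMARC sender authentication system.";
+};
+
+socket = mkOption {
+type = types.str;
+default = defaultSock;
+description = "Socket which is used for communication with OpenDMARC.";
+};
+
+user = mkOption {
+type = types.str;
+default = "opendmarc";
+description = "User for the daemon.";
+};
+
+group = mkOption {
+type = types.str;
+default = "opendmarc";
+description = "Group for the daemon.";
+};
+
+configFile = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = "Additional OpenDMARC configuration.";
+};
+
+};
+
+};
+
+
+###### implementation
+
+config = mkIf cfg.enable {
+
+users.users = optionalAttrs (cfg.user == "opendmarc") (singleton
+{ name = "opendmarc";
+group = cfg.group;
+uid = config.ids.uids.opendmarc;
+});
+
+users.groups = optionalAttrs (cfg.group == "opendmarc") (singleton
+{ name = "opendmarc";
+gid = config.ids.gids.opendmarc;
+});
+
+environment.systemPackages = [ pkgs.opendmarc ];
+
+systemd.services.opendmarc = {
+description = "OpenDMARC daemon";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+ExecStart = "${pkgs.opendmarc}/bin/opendmarc ${escapeShellArgs args}";
+User = cfg.user;
+Group = cfg.group;
+RuntimeDirectory = optional (cfg.socket == defaultSock) "opendmarc";
+PermissionsStartOnly = true;
+};
+};
+
+};
+}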
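Review bot: The `configFile` description on line 50, "Additional OpenDMARC configuration.", understates the option: line 13 hands the path to the daemon as `-c`, i.e. as its configuration file, while the socket is still supplied separately on the command line by `-p` on line 12. I would write `description = "OpenDMARC configuration file, passed to the daemon with -c. The socket is always given on the command line via the socket option.";` so that a reader knows a `Socket` line in that file is not the right place to change the listener. The same wording fix applies to line 50 of modules/openarc.nix.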
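diff --git a/modules/private/mail.nix b/modules/private/mail.nix
index 611c8b4..eb869ba 100644
--- a/modules/private/mail.nix
+++ b/modules/private/mail.nix
@@ -10,4 +10,108 @@
 remotes = "${myconfig.env.mail.relay} smtp";
 };
 };
+
+config.secrets.keys = [
+{
+dest = "opendkim/eldiron.private";
+user = config.services.opendkim.user;
+group = config.services.opendkim.group;
+permissions = "0400";
+text = myconfig.env.mail.dkim.eldiron.private;
+}
+{
+dest = "opendkim/eldiron.txt";
+user = config.services.opendkim.user;
+group = config.services.opendkim.group;
+permissions = "0444";
+text = ''
+eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+}
+{
+dest = "opendmarc/ignore.hosts";
+user = config.services.opendmarc.user;
+group = config.services.opendmarc.group;
+permissions = "0400";
+text = myconfig.env.mail.dmarc.ignore_hosts;
+}
+];
+config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+config.services.opendkim = {
+enable = true;
+domains = builtins.concatStringsSep "," (lib.flatten (map
+(zone: map
+(e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+(zone.withEmail or [])
+)
+myconfig.env.dns.masterZones
+));
+keyPath = "${config.secrets.location}/opendkim";
+selector = "eldiron";
+configFile = pkgs.writeText "opendkim.conf" ''
+SubDomains yes
+UMask 002
+'';
+};
+config.systemd.services.opendkim.preStart = lib.mkBefore ''
+# Skip the prestart script as keys are handled in secrets
+exit 0
+'';
+config.services.filesWatcher.opendkim = {
+restart = true;
+paths = [
+config.secrets.fullPaths."opendkim/eldiron.private"
+];
+};
+
+config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+config.services.opendmarc = {
+enable = true;
+configFile = pkgs.writeText "opendmarc.conf" ''
+AuthservID HOSTNAME
+FailureReports false
+FailureReportsBcc postmaster@localhost.immae.eu
+FailureReportsOnNone true
+FailureReportsSentBy postmaster@immae.eu
+IgnoreAuthenticatedClients true
+IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+SoftwareHeader true
+SPFSelfValidate true
+TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
+UMask 002
+'';
+};
+config.services.filesWatcher.opendmarc = {
+restart = true;
+paths = [
+config.secrets.fullPaths."opendmarc/ignore.hosts"
+];
+};
+
+config.services.openarc = {
+enable = true;
+user = "opendkim";
+group = "opendkim";
+configFile = pkgs.writeText "openarc.conf" ''
+AuthservID mail.immae.eu
+Domain mail.immae.eu
+KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+Mode sv
+Selector eldiron
+SoftwareHeader yes
+Syslog Yes
+'';
+};
+config.systemd.services.openarc.postStart = lib.optionalString
+(lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+sleep 0.5
+done
+chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+'';
+config.services.filesWatcher.openarc = {
+restart = true;
+paths = [
+config.secrets.fullPaths."opendkim/eldiron.private"
+];
+};
 }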
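Review bot: The `postStart` hook on lines 104-110 waits for the OpenARC socket with no upper bound, so if the daemon exits without creating it the hook spins until systemd's start timeout kills the unit, with no message saying why; a bounded loop that fails explicitly is easier to diagnose, and the socket path should be quoted in the `[ -S` test and the `chmod` call. The `chmod g+w` itself grants every member of the `opendkim` group (the group openarc runs as per line 93) write access to the milter socket, which is presumably how the MTA reaches it; that intent deserves a comment since the same key file and group are shared by OpenDKIM. If OpenARC honours a `UMask` directive the way the opendkim.conf and opendmarc.conf above do (`UMask 002` on lines 52 and 80), setting it in openarc.conf would make the post-start chmod unnecessary — worth confirming against the OpenARC configuration manual.
```nix
config.systemd.services.openarc.postStart = lib.optionalString
  (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
    sock="${lib.strings.removePrefix "local:" config.services.openarc.socket}"
    # Bounded wait (30 s) for the daemon to create its milter socket.
    for _ in $(seq 1 60); do
      [ -S "$sock" ] && break
      sleep 0.5
    done
    [ -S "$sock" ] || { echo "openarc socket $sock did not appear" >&2; exit 1; }
    # Members of the daemon's group (the MTA) must be able to connect.
    chmod g+w "$sock"
  '';
```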
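diff --git a/pkgs/default.nix b/pkgs/default.nix
index c91f672..74f9d18 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -18,6 +18,8 @@ rec {
 notmuch-python2 = callPackage ../pkgs/notmuch/notmuch-python { pythonPackages = python2Packages; };
 notmuch-python3 = callPackage ../pkgs/notmuch/notmuch-python { pythonPackages = python3Packages; };
 notmuch-vim = callPackage ../pkgs/notmuch/notmuch-vim {};
+openarc = callPackage ../pkgs/openarc { inherit mylibs; };
+opendmarc = callPackage ../pkgs/opendmarc { libspf2 = callPackage ../pkgs/opendmarc/libspf2.nix {}; };
 pg_activity = callPackage ../pkgs/pg_activity { inherit mylibs; };
 pgloader = callPackage ../pkgs/pgloader {};
 telegram-cli = callPackage ../pkgs/telegram-cli { inherit mylibs; };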
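diff --git a/pkgs/openarc/default.nix b/pkgs/openarc/default.nix
new file mode 100644
index 0000000..e5c9a81
--- /dev/null
+++ b/pkgs/openarc/default.nix
@@ -0,0 +1,18 @@
+{ stdenv, autoconf, automake, file, libtool, libbsd, mylibs, openssl, pkg-config, libmilter }:
+
+stdenv.mkDerivation (mylibs.fetchedGithub ./openarc.json // rec {
+buildInputs = [ automake autoconf libbsd libtool openssl pkg-config libmilter ];
+
+configureFlags = [
+"--with-milter=${libmilter}"
+];
+preConfigure = ''
+autoreconf --force --install
+sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
+'';
+meta = with stdenv.lib; {
+description = "Open source ARC implementation";
+homepage = https://github.com/trusteddomainproject/OpenARC;
+platforms = platforms.unix;
+};
+})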
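Review bot: `autoconf`, `automake`, `libtool` and `pkg-config` on line 4 are build-time tools and belong in `nativeBuildInputs` rather than `buildInputs`; `file` is only reached through the sed interpolation on line 11, which does make it a build dependency, but a short comment there (`# configure hardcodes /usr/bin/file`) would explain the rewrite. The `meta` block on lines 13-17 has no `license` field. The source is pinned by openarc.json to a bare master commit (`355ee2a-master`) rather than a release tag, so there is no version number to match against upstream advisories; a comment stating why a snapshot is used, and that the pin should be bumped deliberately, would help whoever maintains this.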
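diff --git a/pkgs/openarc/openarc.json b/pkgs/openarc/openarc.json
new file mode 100644
index 0000000..1081b09
--- /dev/null
+++ b/pkgs/openarc/openarc.json
@@ -0,0 +1,15 @@
+{
+"tag": "355ee2a-master",
+"meta": {
+"name": "openarc",
+"url": "https://github.com/trusteddomainproject/OpenARC",
+"branch": "master"
+},
+"github": {
+"owner": "trusteddomainproject",
+"repo": "OpenARC",
+"rev": "355ee2a1ca85acccce494478991983b54f794f4e",
+"sha256": "0101k6hwwf3pb3jrc88x86d4l698gjmynn9v2rpvxwxv200r2i65",
+"fetchSubmodules": true
+}
+}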
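diff --git a/pkgs/opendmarc/default.nix b/pkgs/opendmarc/default.nix
new file mode 100644
index 0000000..1c50248
--- /dev/null
+++ b/pkgs/opendmarc/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, fetchurl, pkgconfig, libbsd, openssl, libmilter , perl, makeWrapper, libspf2 }:
+
+stdenv.mkDerivation rec {
+name = "opendmarc-${version}";
+version = "1.3.2";
+
+src = fetchurl {
+url = "mirror://sourceforge/opendmarc/files/${name}.tar.gz";
+sha256 = "1yrggj8yq0915y2i34gfz2xpl1w2lgb1vggp67rwspgzm40lng11";
+};
+
+configureFlags= [
+"--with-spf"
+"--with-spf2-include=${libspf2}/include/spf2"
+"--with-spf2-lib=${libspf2}/lib/"
+"--with-milter=${libmilter}"
+];
+
+buildInputs = [ libspf2 libbsd openssl libmilter perl ];
+
+meta = with stdenv.lib; {
+description = "Free open source software implementation of the DMARC specification";
+homepage = http://www.trusteddomain.org/opendmarc/;
+platforms = platforms.unix;
+};
+}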
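Review bot: `pkgconfig` and `makeWrapper` are taken as arguments on line 1 but never used anywhere in the derivation, so either drop them from the argument list or, if pkg-config is actually needed by configure, add it to `nativeBuildInputs`; `perl` on line 19 looks like a build-time tool too and would then belong in the same list, but I cannot confirm from here whether the installed scripts need it at runtime. Minor style: `configureFlags= [` on line 12 and `libmilter , perl` on line 1 have stray spacing. As with the other packages in this commit, `meta` lacks a `license` field.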
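diff --git a/pkgs/opendmarc/libspf2.nix b/pkgs/opendmarc/libspf2.nix
new file mode 100644
index 0000000..ca02d59
--- /dev/null
+++ b/pkgs/opendmarc/libspf2.nix
@@ -0,0 +1,35 @@
+{ stdenv, file, fetchurl, fetchpatch, libnsl }:
+
+stdenv.mkDerivation rec {
+name = "libspf2-${version}";
+version = "1.2.10";
+
+patches = [
+(fetchpatch {
+name = "fix-variadic-macros.patch";
+url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/fix-variadic-macros.patch?h=packages/libspf2";
+sha256 = "00dqpcgjr9jy2qprgqv2qiyvq8y3wlz4yns9xzabf2064jzqh2ic";
+})
+];
+preConfigure = ''
+sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
+'';
+configureFlags = [
+"--enable-static"
+];
+postInstall = ''
+rm $out/bin/*_static
+'';
+src = fetchurl {
+url = "https://www.libspf2.org/spf/${name}.tar.gz";
+sha256 = "1j91p0qiipzf89qxq4m1wqhdf01hpn1h5xj4djbs51z23bl3s7nr";
+};
+
+buildInputs = [ libnsl ];
+
+meta = with stdenv.lib; {
+description = "Sender Policy Framework record checking library";
+homepage = https://www.libspf2.org/;
+platforms = platforms.unix;
+};
+}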
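Review bot: Lines 17-22 ask for `--enable-static` and then delete `$out/bin/*_static` without saying why; reading pkgs/opendmarc/default.nix in this commit, the static library is presumably what `--with-spf2-lib=${libspf2}/lib/` is meant to pick up while the statically linked helper binaries are unwanted, and a one-line comment above `configureFlags` would spare the next reader that cross-reference (`# static lib is consumed by opendmarc; the *_static helper binaries are dropped below`). Note also that `rm $out/bin/*_static` aborts the build if the glob ever matches nothing, so `rm -f` would be the safer spelling if that set of binaries changes upstream. The patch on lines 8-12 is fetched from a distribution's packaging tree but is pinned by sha256, which is fine; the `meta` block lacks a `license` field like the other packages in this commit.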