authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-01-02 02:32:12 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-01-02 02:32:12 +0100
commita1a2455f53bde1235b221a842d3c888c51fcecac (patch)
tree33b2471d4397a876a6211a339dce8fc6801ddf3f
parent749623765bef80615fc21e73aff89521d262e277 (diff)
Add opendmarc flake
-rw-r--r--flakes/opendmarc/flake.lock112
-rw-r--r--flakes/opendmarc/flake.nix145
-rw-r--r--flakes/private/opendmarc.nix49
-rw-r--r--modules/default.nix2
-rw-r--r--modules/opendmarc.nix92
-rw-r--r--modules/private/mail/milters.nix44
-rw-r--r--pkgs/default.nix2
-rw-r--r--pkgs/opendmarc/default.nix26
-rw-r--r--pkgs/opendmarc/libspf2.nix35
9 files changed, 310 insertions, 197 deletions
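--- /dev/null
+++ b/flakes/opendmarc/flake.lock
@@ -0,0 +1,112 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1609246779,
+ "narHash": "sha256-eq6ZXE/VWo3EMC65jmIT6H/rrUc9UWOWVujkzav025k=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "08c7ad4a0844adc4a7f9f5bb3beae482e789afa4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "flake-utils_2": {
+ "locked": {
+ "lastModified": 1609246779,
+ "narHash": "sha256-eq6ZXE/VWo3EMC65jmIT6H/rrUc9UWOWVujkzav025k=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "08c7ad4a0844adc4a7f9f5bb3beae482e789afa4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "libspf2": {
+ "inputs": {
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "dir": "flakes/libspf2",
+ "lastModified": 1609548509,
+ "narHash": "sha256-d9gssVdKV0EaeDU/L5QgQpQwFuxWMbwNQ71i7z4LdDs=",
+ "ref": "master",
+ "rev": "749623765bef80615fc21e73aff89521d262e277",
+ "revCount": 796,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/libspf2",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "myuids": {
+ "locked": {
+ "dir": "flakes/myuids",
+ "lastModified": 1609548509,
+ "narHash": "sha256-d9gssVdKV0EaeDU/L5QgQpQwFuxWMbwNQ71i7z4LdDs=",
+ "ref": "master",
+ "rev": "749623765bef80615fc21e73aff89521d262e277",
+ "revCount": 796,
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ },
+ "original": {
+ "dir": "flakes/myuids",
+ "type": "git",
+ "url": "https://git.immae.eu/perso/Immae/Config/Nix.git"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1597943282,
+ "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1597943282,
+ "narHash": "sha256-G/VQBlqO7YeFOSvn29RqdvABZxmQBtiRYVA6kjqWZ6o=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "libspf2": "libspf2",
+ "myuids": "myuids",
+ "nixpkgs": "nixpkgs_2"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}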
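--- /dev/null
+++ b/flakes/opendmarc/flake.nix
@@ -0,0 +1,145 @@
+{
+ description = "Open source ARC implementation";
+
+ inputs.myuids = {
+ url = "https://git.immae.eu/perso/Immae/Config/Nix.git";
+ type = "git";
+ dir = "flakes/myuids";
+ };
+ inputs.libspf2 = {
+ url = "https://git.immae.eu/perso/Immae/Config/Nix.git";
+ type = "git";
+ dir = "flakes/libspf2";
+ };
+ inputs.flake-utils.url = "github:numtide/flake-utils";
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+
+ outputs = { self, myuids, libspf2, flake-utils, nixpkgs }: flake-utils.lib.eachSystem ["aarch64-linux" "i686-linux" "x86_64-linux"] (system:
+ let
+ libspf2' = libspf2.defaultPackage."${system}";
+ pkgs = import nixpkgs { inherit system; overlays = []; };
+ inherit (pkgs) fetchurl stdenv libbsd perl openssl libmilter file libnsl;
+ in rec {
+ packages.opendmarc = stdenv.mkDerivation rec {
+ pname = "opendmarc";
+ version = "1.3.2";
+
+ src = fetchurl {
+ url = "mirror://sourceforge/opendmarc/files/${pname}-${version}.tar.gz";
+ sha256 = "1yrggj8yq0915y2i34gfz2xpl1w2lgb1vggp67rwspgzm40lng11";
+ };
+
+ configureFlags= [
+ "--with-spf"
+ "--with-spf2-include=${libspf2'}/include/spf2"
+ "--with-spf2-lib=${libspf2'}/lib/"
+ "--with-milter=${libmilter}"
+ ];
+
+ buildInputs = [ libspf2' libbsd openssl libmilter perl libnsl ];
+
+ meta = {
+ description = "Free open source software implementation of the DMARC specification";
+ homepage = "http://www.trusteddomain.org/opendmarc/";
+ platforms = stdenv.lib.platforms.unix;
+ };
+ };
+
+ defaultPackage = packages.opendmarc;
+ legacyPackages.opendmarc = packages.opendmarc;
+ apps.opendmarc = flake-utils.lib.mkApp { drv = packages.opendmarc; };
+ defaultApp = apps.opendmarc;
+ hydraJobs = checks;
+ checks = {
+ build = defaultPackage;
+ } // pkgs.lib.optionalAttrs (builtins.elem system pkgs.lib.systems.doubles.linux) {
+ test =
+ let testing = import (nixpkgs + "/nixos/lib/testing-python.nix") { inherit system; };
+ in testing.makeTest {
+ nodes = {
+ server = { pkgs, ... }: {
+ imports = [ self.nixosModule ];
+ config.services.opendmarc.enable = true;
+ };
+ };
+ testScript = ''
+ start_all()
+ server.wait_for_unit("opendmarc.service")
+ server.succeed("[ -S /run/opendmarc/opendmarc.sock ]")
+ '';
+ };
+ };
+ }) // {
+ nixosModules = (if builtins.pathExists ../private/opendmarc.nix then import ../private/opendmarc.nix nixpkgs else {});
+ nixosModule = { config, lib, pkgs, ... }:
+ let
+ cfg = config.services.opendmarc;
+ defaultSock = "local:/run/opendmarc/opendmarc.sock";
+ args = [ "-f" "-l" "-p" cfg.socket ] ++ lib.optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
+ in {
+ options = {
+ services.opendmarc = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable the OpenDMARC sender authentication system.";
+ };
+
+ socket = lib.mkOption {
+ type = lib.types.str;
+ default = defaultSock;
+ description = "Socket which is used for communication with OpenDMARC.";
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "opendmarc";
+ description = "User for the daemon.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "opendmarc";
+ description = "Group for the daemon.";
+ };
+
+ configFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = "Additional OpenDMARC configuration.";
+ };
+
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users = lib.optionalAttrs (cfg.user == "opendmarc") {
+ opendmarc = {
+ group = cfg.group;
+ uid = myuids.lib.uids.opendmarc;
+ };
+ };
+
+ users.groups = lib.optionalAttrs (cfg.group == "opendmarc") {
+ opendmarc.gid = myuids.lib.gids.opendmarc;
+ };
+
+ environment.systemPackages = [ self.defaultPackage."${pkgs.system}" ];
+
+ systemd.services.opendmarc = {
+ description = "OpenDMARC daemon";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${self.defaultApp."${pkgs.system}".program} ${lib.escapeShellArgs args}";
+ User = cfg.user;
+ Group = cfg.group;
+ RuntimeDirectory = lib.optional (cfg.socket == defaultSock) "opendmarc";
+ PermissionsStartOnly = true;
+ };
+ };
+ };
+ };
+ };
+}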
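--- /dev/null
+++ b/flakes/private/opendmarc.nix
@@ -0,0 +1,49 @@
+pkgs:
+let
+ cfg = name': { config, lib, pkgs, name, ... }: lib.mkIf (name == name') {
+ users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
+ services.opendmarc = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFIgnoreResults true
+ SPFSelfValidate true
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+ secrets.keys = [
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = let
+ mxes = lib.attrsets.filterAttrs
+ (n: v: v.mx.enable)
+ config.myEnv.servers;
+ in
+ builtins.concatStringsSep "\n" ([
+ config.myEnv.mail.dmarc.ignore_hosts
+ ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
+ }
+ ];
+ };
+in
+ pkgs.lib.genAttrs ["eldiron" "backup-2"] cfg
+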
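Review bot: The top-level parameter on line 1 is named `pkgs:` but the only caller in flake.nix passes the `nixpkgs` flake input (`import ../private/opendmarc.nix nixpkgs`), and its sole use is `pkgs.lib.genAttrs` on line 48; renaming it to `nixpkgs:` and writing `nixpkgs.lib.genAttrs ["eldiron" "backup-2"] cfg` would stop it reading as a package set, which matters because the module arguments on line 3 rebind `pkgs` to the real one. In the generated opendmarc.conf, `FailureReports false` appears to leave `FailureReportsBcc`, `FailureReportsOnNone` and `FailureReportsSentBy` without effect, since those settings only apply once failure reporting is enabled; either drop the three lines or add a comment such as `# reporting address kept for when FailureReports is switched on` so the intent is explicit. The host list on line 48 is now the only place that decides which machines run the milter, separate from the `v.mx.enable` filter used for `mxes`, and deserves a one-line comment saying it must be updated when an MX host is added.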
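--- a/modules/default.nix
+++ b/modules/default.nix
@@ -14,7 +14,7 @@ in
  peertube = ./webapps/peertube.nix;
  fiche = ./webapps/fiche.nix;
 
- opendmarc = ./opendmarc.nix;
+ opendmarc = (flakeCompat ../flakes/opendmarc).nixosModule;
  openarc = (flakeCompat ../flakes/openarc).nixosModule;
 
  duplyBackup = ./duply_backup;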
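--- a/modules/opendmarc.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
- cfg = config.services.opendmarc;
-
- defaultSock = "local:/run/opendmarc/opendmarc.sock";
-
- args = [ "-f" "-l"
- "-p" cfg.socket
- ] ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
-
-in {
-
- ###### interface
-
- options = {
-
- services.opendmarc = {
-
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to enable the OpenDMARC sender authentication system.";
- };
-
- socket = mkOption {
- type = types.str;
- default = defaultSock;
- description = "Socket which is used for communication with OpenDMARC.";
- };
-
- user = mkOption {
- type = types.str;
- default = "opendmarc";
- description = "User for the daemon.";
- };
-
- group = mkOption {
- type = types.str;
- default = "opendmarc";
- description = "Group for the daemon.";
- };
-
- configFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = "Additional OpenDMARC configuration.";
- };
-
- };
-
- };
-
-
- ###### implementation
-
- config = mkIf cfg.enable {
-
- users.users = optionalAttrs (cfg.user == "opendmarc") {
- opendmarc = {
- group = cfg.group;
- uid = config.ids.uids.opendmarc;
- };
- };
-
- users.groups = optionalAttrs (cfg.group == "opendmarc") {
- opendmarc = {
- gid = config.ids.gids.opendmarc;
- };
- };
-
- environment.systemPackages = [ pkgs.opendmarc ];
-
- systemd.services.opendmarc = {
- description = "OpenDMARC daemon";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- ExecStart = "${pkgs.opendmarc}/bin/opendmarc ${escapeShellArgs args}";
- User = cfg.user;
- Group = cfg.group;
- RuntimeDirectory = optional (cfg.socket == defaultSock) "opendmarc";
- PermissionsStartOnly = true;
- };
- };
-
- };
-}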
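--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -1,7 +1,8 @@
 { lib, pkgs, config, name, ... }:
 {
  imports =
- builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules;
+ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules
+ ++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/opendmarc).nixosModules;
 
  options.myServices.mail.milters.sockets = lib.mkOption {
  type = lib.types.attrsOf lib.types.path;
@@ -32,20 +33,6 @@
  text = ''
  eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
  }
- {
- dest = "opendmarc/ignore.hosts";
- user = config.services.opendmarc.user;
- group = config.services.opendmarc.group;
- permissions = "0400";
- text = let
- mxes = lib.attrsets.filterAttrs
- (n: v: v.mx.enable)
- config.myEnv.servers;
- in
- builtins.concatStringsSep "\n" ([
- config.myEnv.mail.dmarc.ignore_hosts
- ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
- }
  ];
  users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
  services.opendkim = {
@@ -79,33 +66,6 @@
  ];
  };
 
- users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
- systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
- services.opendmarc = {
- enable = true;
- socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
- configFile = pkgs.writeText "opendmarc.conf" ''
- AuthservID HOSTNAME
- FailureReports false
- FailureReportsBcc postmaster@immae.eu
- FailureReportsOnNone true
- FailureReportsSentBy postmaster@immae.eu
- IgnoreAuthenticatedClients true
- IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
- SoftwareHeader true
- SPFIgnoreResults true
- SPFSelfValidate true
- UMask 002
- '';
- group = config.services.postfix.group;
- };
- services.filesWatcher.opendmarc = {
- restart = true;
- paths = [
- config.secrets.fullPaths."opendmarc/ignore.hosts"
- ];
- };
-
  systemd.services.milter_verify_from = {
  description = "Verify from milter";
  after = [ "network.target" ];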
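Review bot: The new `imports` expression in the first hunk repeats `import ../../../lib/flake-compat.nix` per flake and will grow one such line for every milter moved out of this file; a helper bound above the attrset, `flakeModules = dir: builtins.attrValues (import ../../../lib/flake-compat.nix dir).nixosModules;`, with `imports = flakeModules ../../../flakes/openarc ++ flakeModules ../../../flakes/opendmarc;`, keeps the list readable. Since the opendmarc settings and the `opendmarc/ignore.hosts` secret removed in the second and third hunks are now enabled by a hard-coded host list inside the private flake rather than by importing this module, a comment next to the `imports` line naming where that per-host condition lives, such as `# per-host enablement is decided in flakes/private/<milter>.nix`, would spare the next reader a search.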
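--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -23,7 +23,7 @@ rec {
  notmuch-python3 = callPackage ./notmuch/notmuch-python { pythonPackages = python3Packages; };
  notmuch-vim = callPackage ./notmuch/notmuch-vim {};
  openarc = (mylibs.flakeCompat ../flakes/openarc).default;
- opendmarc = callPackage ./opendmarc { libspf2 = callPackage ./opendmarc/libspf2.nix {}; };
+ opendmarc = (mylibs.flakeCompat ../flakes/opendmarc).default;
  pg_activity = callPackage ./pg_activity { inherit mylibs; };
  pgloader = callPackage ./pgloader {};
  predixy = callPackage ./predixy { inherit mylibs; };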
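--- a/pkgs/opendmarc/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ stdenv, fetchurl, pkgconfig, libbsd, openssl, libmilter , perl, makeWrapper, libspf2 }:
-
-stdenv.mkDerivation rec {
- name = "opendmarc-${version}";
- version = "1.3.2";
-
- src = fetchurl {
- url = "mirror://sourceforge/opendmarc/files/${name}.tar.gz";
- sha256 = "1yrggj8yq0915y2i34gfz2xpl1w2lgb1vggp67rwspgzm40lng11";
- };
-
- configureFlags= [
- "--with-spf"
- "--with-spf2-include=${libspf2}/include/spf2"
- "--with-spf2-lib=${libspf2}/lib/"
- "--with-milter=${libmilter}"
- ];
-
- buildInputs = [ libspf2 libbsd openssl libmilter perl ];
-
- meta = with stdenv.lib; {
- description = "Free open source software implementation of the DMARC specification";
- homepage = http://www.trusteddomain.org/opendmarc/;
- platforms = platforms.unix;
- };
-}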
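--- a/pkgs/opendmarc/libspf2.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ stdenv, file, fetchurl, fetchpatch, libnsl }:
-
-stdenv.mkDerivation rec {
- name = "libspf2-${version}";
- version = "1.2.10";
-
- patches = [
- (fetchpatch {
- name = "fix-variadic-macros.patch";
- url = "https://git.archlinux.org/svntogit/community.git/plain/trunk/fix-variadic-macros.patch?h=packages/libspf2";
- sha256 = "00dqpcgjr9jy2qprgqv2qiyvq8y3wlz4yns9xzabf2064jzqh2ic";
- })
- ];
- preConfigure = ''
- sed -i -e "s@/usr/bin/file@${file}/bin/file@" ./configure
- '';
- configureFlags = [
- "--enable-static"
- ];
- postInstall = ''
- rm $out/bin/*_static
- '';
- src = fetchurl {
- url = "https://www.libspf2.org/spf/${name}.tar.gz";
- sha256 = "1j91p0qiipzf89qxq4m1wqhdf01hpn1h5xj4djbs51z23bl3s7nr";
- };
-
- buildInputs = [ libnsl ];
-
- meta = with stdenv.lib; {
- description = "Sender Policy Framework record checking library";
- homepage = https://www.libspf2.org/;
- platforms = platforms.unix;
- };
-}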