author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-06-23 21:04:55 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-06-29 15:14:43 +0200 |
commit | a929614f94d11a4f397e72e74f38b3212c24cdee (patch) | |
tree | a81b3cee45586d685c1b7c6e5c39372f203aa00d /modules/private/mail/milters.nix | |
parent | 53fa9f9e7d87835d6137a029fe80b3195e635797 (diff) | |
Configure mail (dovecot, postfix, spam checks)
Diffstat (limited to 'modules/private/mail/milters.nix')
-rw-r--r-- | modules/private/mail/milters.nix | 123 |
1 files changed, 123 insertions, 0 deletions
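--- /dev/null
+++ b/modules/private/mail/milters.nix
@@ -0,0 +1,123 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+  options.myServices.mail.milters.sockets = lib.mkOption {
+    type = lib.types.attrsOf lib.types.path;
+    default = {
+      opendkim = "/run/opendkim/opendkim.sock";
+      opendmarc = "/run/opendmarc/opendmarc.sock";
+      openarc = "/run/openarc/openarc.sock";
+    };
+    readOnly = true;
+    description = ''
+      milters sockets
+    '';
+  };
+  config.secrets.keys = [
+    {
+      dest = "opendkim/eldiron.private";
+      user = config.services.opendkim.user;
+      group = config.services.opendkim.group;
+      permissions = "0400";
+      text = myconfig.env.mail.dkim.eldiron.private;
+    }
+    {
+      dest = "opendkim/eldiron.txt";
+      user = config.services.opendkim.user;
+      group = config.services.opendkim.group;
+      permissions = "0444";
+      text = ''
+        eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+    }
+    {
+      dest = "opendmarc/ignore.hosts";
+      user = config.services.opendmarc.user;
+      group = config.services.opendmarc.group;
+      permissions = "0400";
+      text = myconfig.env.mail.dmarc.ignore_hosts;
+    }
+  ];
+  config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+  config.services.opendkim = {
+    enable = true;
+    socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
+    domains = builtins.concatStringsSep "," (lib.flatten (map
+      (zone: map
+        (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+        (zone.withEmail or [])
+      )
+      myconfig.env.dns.masterZones
+    ));
+    keyPath = "${config.secrets.location}/opendkim";
+    selector = "eldiron";
+    configFile = pkgs.writeText "opendkim.conf" ''
+      SubDomains yes
+      UMask 002
+    '';
+    group = config.services.postfix.group;
+  };
+  config.systemd.services.opendkim.preStart = lib.mkBefore ''
+    # Skip the prestart script as keys are handled in secrets
+    exit 0
+  '';
+  config.services.filesWatcher.opendkim = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendkim/eldiron.private"
+    ];
+  };
+
+  config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+  config.services.opendmarc = {
+    enable = true;
+    socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+    configFile = pkgs.writeText "opendmarc.conf" ''
+      AuthservID HOSTNAME
+      FailureReports false
+      FailureReportsBcc postmaster@localhost.immae.eu
+      FailureReportsOnNone true
+      FailureReportsSentBy postmaster@immae.eu
+      IgnoreAuthenticatedClients true
+      IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+      SoftwareHeader true
+      SPFSelfValidate true
+      TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
+      UMask 002
+    '';
+    group = config.services.postfix.group;
+  };
+  config.services.filesWatcher.opendmarc = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendmarc/ignore.hosts"
+    ];
+  };
+
+  config.services.openarc = {
+    enable = true;
+    user = "opendkim";
+    socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+    group = config.services.postfix.group;
+    configFile = pkgs.writeText "openarc.conf" ''
+      AuthservID mail.immae.eu
+      Domain mail.immae.eu
+      KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+      Mode sv
+      Selector eldiron
+      SoftwareHeader yes
+      Syslog Yes
+    '';
+  };
+  config.systemd.services.openarc.postStart = lib.optionalString
+    (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+      while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+        sleep 0.5
+      done
+      chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+    '';
+  config.services.filesWatcher.openarc = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendkim/eldiron.private"
+    ];
+  };
+}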
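Review bot: The socket wait in the openarc `postStart` (new-file lines 112–114) has no upper bound, so if openarc starts but never creates its socket the unit sits in activation until systemd's start timeout kills it, and the failure reason is buried in the timeout rather than reported by the loop. A bounded loop that gives up after a fixed number of iterations makes the failure immediate and lets the following `chmod` fail loudly; alternatively, if openarc.conf honours `UMask` the way the opendkim and opendmarc configs in this same file use `UMask 002`, setting it there would let the post-start `chmod g+w` be dropped altogether. Separately, with `FailureReports false` the `FailureReportsBcc`, `FailureReportsOnNone` and `FailureReportsSentBy` lines in opendmarc.conf have no effect; if keeping them is deliberate, a comment such as `# failure reports are off; Bcc/SentBy kept for when they are re-enabled` would save the next reader a check.
```nix
config.systemd.services.openarc.postStart = lib.optionalString
  (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
    # wait at most ~30s for the milter socket; fail fast instead of hanging activation
    for _ in $(seq 1 60); do
      [ -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ] && break
      sleep 0.5
    done
    # … unchanged: chmod g+w on the socket …
  '';
```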