Add opendmarc openarc and opendkim configuration and packages

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-06-04 09:53:11 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-06-04 23:57:44 +0200
commit: 411af8e3f754278c5b54dfef7e1bd144a6007c39 (patch)
tree: b5076223d0a6fec0561e2f7da772ee6dd873e944 /modules/private
parent: 9247b444929061f32be9b003621e1da555ebc770 (diff)
download: Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.tar.gz
Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.tar.zst
Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.zip
1 files changed, 104 insertions, 0 deletions
diff --git a/modules/private/mail.nix b/modules/private/mail.nix
index 611c8b4..eb869ba 100644
--- a/modules/private/mail.nix
+++ b/modules/private/mail.nix
@@ -10,4 +10,108 @@
      remotes = "${myconfig.env.mail.relay} smtp";
    };
  };
+  config.secrets.keys = [
+    {
+      dest = "opendkim/eldiron.private";
+      user = config.services.opendkim.user;
+      group = config.services.opendkim.group;
+      permissions = "0400";
+      text = myconfig.env.mail.dkim.eldiron.private;
+    }
+    {
+      dest = "opendkim/eldiron.txt";
+      user = config.services.opendkim.user;
+      group = config.services.opendkim.group;
+      permissions = "0444";
+      text = ''
+        eldiron._domainkey      IN      TXT     ${myconfig.env.mail.dkim.eldiron.public}'';
+    }
+    {
+      dest = "opendmarc/ignore.hosts";
+      user = config.services.opendmarc.user;
+      group = config.services.opendmarc.group;
+      permissions = "0400";
+      text = myconfig.env.mail.dmarc.ignore_hosts;
+    }
+  ];
+  config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+  config.services.opendkim = {
+    enable = true;
+    domains = builtins.concatStringsSep "," (lib.flatten (map
+      (zone: map
+        (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+        (zone.withEmail or [])
+      )
+      myconfig.env.dns.masterZones
+    ));
+    keyPath = "${config.secrets.location}/opendkim";
+    selector = "eldiron";
+    configFile = pkgs.writeText "opendkim.conf" ''
+      SubDomains     yes
+      UMask          002
+      '';
+  };
+  config.systemd.services.opendkim.preStart = lib.mkBefore ''
+    # Skip the prestart script as keys are handled in secrets
+    exit 0
+    '';
+  config.services.filesWatcher.opendkim = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendkim/eldiron.private"
+    ];
+  };
+  config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+  config.services.opendmarc = {
+    enable = true;
+    configFile = pkgs.writeText "opendmarc.conf" ''
+      AuthservID                  HOSTNAME
+      FailureReports              false
+      FailureReportsBcc           postmaster@localhost.immae.eu
+      FailureReportsOnNone        true
+      FailureReportsSentBy        postmaster@immae.eu
+      IgnoreAuthenticatedClients  true
+      IgnoreHosts                 ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+      SoftwareHeader              true
+      SPFSelfValidate             true
+      TrustedAuthservIDs          HOSTNAME, immae.eu, nef2.ens.fr
+      UMask                       002
+      '';
+  };
+  config.services.filesWatcher.opendmarc = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendmarc/ignore.hosts"
+    ];
+  };
+  config.services.openarc = {
+    enable = true;
+    user = "opendkim";
+    group = "opendkim";
+    configFile = pkgs.writeText "openarc.conf" ''
+      AuthservID              mail.immae.eu
+      Domain                  mail.immae.eu
+      KeyFile                 ${config.secrets.fullPaths."opendkim/eldiron.private"}
+      Mode                    sv
+      Selector                eldiron
+      SoftwareHeader          yes
+      Syslog                  Yes
+      '';
+  };
+  config.systemd.services.openarc.postStart = lib.optionalString
+        (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+    while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+      sleep 0.5
+    done
+    chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+    '';
+  config.services.filesWatcher.openarc = {
+    restart = true;
+    paths = [
+      config.secrets.fullPaths."opendkim/eldiron.private"
+    ];
+  };
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-06-04 09:53:11 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-06-04 23:57:44 +0200
commit	411af8e3f754278c5b54dfef7e1bd144a6007c39 (patch)
tree	b5076223d0a6fec0561e2f7da772ee6dd873e944 /modules/private
parent	9247b444929061f32be9b003621e1da555ebc770 (diff)
download	Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.tar.gz Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.tar.zst Nix-411af8e3f754278c5b54dfef7e1bd144a6007c39.zip

diff --git a/modules/private/mail.nix b/modules/private/mail.nix index 611c8b4..eb869ba 100644 --- a/modules/private/mail.nix +++ b/modules/private/mail.nix
@@ -10,4 +10,108 @@
10	remotes = "${myconfig.env.mail.relay} smtp";	10	remotes = "${myconfig.env.mail.relay} smtp";
11	};	11	};
12	};	12	};
		13
		14	config.secrets.keys = [
		15	{
		16	dest = "opendkim/eldiron.private";
		17	user = config.services.opendkim.user;
		18	group = config.services.opendkim.group;
		19	permissions = "0400";
		20	text = myconfig.env.mail.dkim.eldiron.private;
		21	}
		22	{
		23	dest = "opendkim/eldiron.txt";
		24	user = config.services.opendkim.user;
		25	group = config.services.opendkim.group;
		26	permissions = "0444";
		27	text = ''
		28	eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
		29	}
		30	{
		31	dest = "opendmarc/ignore.hosts";
		32	user = config.services.opendmarc.user;
		33	group = config.services.opendmarc.group;
		34	permissions = "0400";
		35	text = myconfig.env.mail.dmarc.ignore_hosts;
		36	}
		37	];
		38	config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
		39	config.services.opendkim = {
		40	enable = true;
		41	domains = builtins.concatStringsSep "," (lib.flatten (map
		42	(zone: map
		43	(e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
		44	(zone.withEmail or [])
		45	)
		46	myconfig.env.dns.masterZones
		47	));
		48	keyPath = "${config.secrets.location}/opendkim";
		49	selector = "eldiron";
		50	configFile = pkgs.writeText "opendkim.conf" ''
		51	SubDomains yes
		52	UMask 002
		53	'';
		54	};
		55	config.systemd.services.opendkim.preStart = lib.mkBefore ''
		56	# Skip the prestart script as keys are handled in secrets
		57	exit 0
		58	'';
		59	config.services.filesWatcher.opendkim = {
		60	restart = true;
		61	paths = [
		62	config.secrets.fullPaths."opendkim/eldiron.private"
		63	];
		64	};
		65
		66	config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
		67	config.services.opendmarc = {
		68	enable = true;
		69	configFile = pkgs.writeText "opendmarc.conf" ''
		70	AuthservID HOSTNAME
		71	FailureReports false
		72	FailureReportsBcc postmaster@localhost.immae.eu
		73	FailureReportsOnNone true
		74	FailureReportsSentBy postmaster@immae.eu
		75	IgnoreAuthenticatedClients true
		76	IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
		77	SoftwareHeader true
		78	SPFSelfValidate true
		79	TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
		80	UMask 002
		81	'';
		82	};
		83	config.services.filesWatcher.opendmarc = {
		84	restart = true;
		85	paths = [
		86	config.secrets.fullPaths."opendmarc/ignore.hosts"
		87	];
		88	};
		89
		90	config.services.openarc = {
		91	enable = true;
		92	user = "opendkim";
		93	group = "opendkim";
		94	configFile = pkgs.writeText "openarc.conf" ''
		95	AuthservID mail.immae.eu
		96	Domain mail.immae.eu
		97	KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
		98	Mode sv
		99	Selector eldiron
		100	SoftwareHeader yes
		101	Syslog Yes
		102	'';
		103	};
		104	config.systemd.services.openarc.postStart = lib.optionalString
		105	(lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
		106	while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
		107	sleep 0.5
		108	done
		109	chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
		110	'';
		111	config.services.filesWatcher.openarc = {
		112	restart = true;
		113	paths = [
		114	config.secrets.fullPaths."opendkim/eldiron.private"
		115	];
		116	};
13	}	117	}