authorIsmaël Bouya <ismael.bouya@normalesup.org>2021-01-02 02:32:12 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2021-01-02 02:32:12 +0100
commita1a2455f53bde1235b221a842d3c888c51fcecac (patch)
tree33b2471d4397a876a6211a339dce8fc6801ddf3f /modules
parent749623765bef80615fc21e73aff89521d262e277 (diff)
downloadNix-a1a2455f53bde1235b221a842d3c888c51fcecac.tar.gz
Nix-a1a2455f53bde1235b221a842d3c888c51fcecac.tar.zst
Nix-a1a2455f53bde1235b221a842d3c888c51fcecac.zip
Add opendmarc flake
Diffstat (limited to 'modules')
-rw-r--r--modules/default.nix2
-rw-r--r--modules/opendmarc.nix92
-rw-r--r--modules/private/mail/milters.nix44
3 files changed, 3 insertions, 135 deletions
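--- a/modules/default.nix
+++ b/modules/default.nix
@@ -14,7 +14,7 @@ in
 peertube = ./webapps/peertube.nix;
 fiche = ./webapps/fiche.nix;
 
-opendmarc = ./opendmarc.nix;
+opendmarc = (flakeCompat ../flakes/opendmarc).nixosModule;
 openarc = (flakeCompat ../flakes/openarc).nixosModule;
 
 duplyBackup = ./duply_backup;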
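Review bot: The opendmarc flake is now wired in two places with two different attribute names — here as `(flakeCompat ../flakes/opendmarc).nixosModule` and in modules/private/mail/milters.nix as `builtins.attrValues (...).nixosModules` — so the flake must expose both the singular and the plural attribute, and a configuration that reaches the module through both paths imports it twice. This mirrors the existing openarc line directly below, so it presumably evaluates, but the flake itself is outside this diff (the diffstat is limited to 'modules') and cannot be checked here. A short comment such as `# also imported directly by private/mail/milters.nix` on this line would make the double wiring visible to the next reader.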
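--- a/modules/opendmarc.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-cfg = config.services.opendmarc;
-
-defaultSock = "local:/run/opendmarc/opendmarc.sock";
-
-args = [ "-f" "-l"
-"-p" cfg.socket
-] ++ optionals (cfg.configFile != null) [ "-c" cfg.configFile ];
-
-in {
-
-###### interface
-
-options = {
-
-services.opendmarc = {
-
-enable = mkOption {
-type = types.bool;
-default = false;
-description = "Whether to enable the OpenDMARC sender authentication system.";
-};
-
-socket = mkOption {
-type = types.str;
-default = defaultSock;
-description = "Socket which is used for communication with OpenDMARC.";
-};
-
-user = mkOption {
-type = types.str;
-default = "opendmarc";
-description = "User for the daemon.";
-};
-
-group = mkOption {
-type = types.str;
-default = "opendmarc";
-description = "Group for the daemon.";
-};
-
-configFile = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = "Additional OpenDMARC configuration.";
-};
-
-};
-
-};
-
-
-###### implementation
-
-config = mkIf cfg.enable {
-
-users.users = optionalAttrs (cfg.user == "opendmarc") {
-opendmarc = {
-group = cfg.group;
-uid = config.ids.uids.opendmarc;
-};
-};
-
-users.groups = optionalAttrs (cfg.group == "opendmarc") {
-opendmarc = {
-gid = config.ids.gids.opendmarc;
-};
-};
-
-environment.systemPackages = [ pkgs.opendmarc ];
-
-systemd.services.opendmarc = {
-description = "OpenDMARC daemon";
-after = [ "network.target" ];
-wantedBy = [ "multi-user.target" ];
-
-serviceConfig = {
-ExecStart = "${pkgs.opendmarc}/bin/opendmarc ${escapeShellArgs args}";
-User = cfg.user;
-Group = cfg.group;
-RuntimeDirectory = optional (cfg.socket == defaultSock) "opendmarc";
-PermissionsStartOnly = true;
-};
-};
-
-};
-}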
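--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -1,7 +1,8 @@
 { lib, pkgs, config, name, ... }:
 {
 imports =
-builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules;
+builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/openarc).nixosModules
+++ builtins.attrValues (import ../../../lib/flake-compat.nix ../../../flakes/opendmarc).nixosModules;
 
 options.myServices.mail.milters.sockets = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
@@ -32,20 +33,6 @@
 text = ''
 eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
 }
-{
-dest = "opendmarc/ignore.hosts";
-user = config.services.opendmarc.user;
-group = config.services.opendmarc.group;
-permissions = "0400";
-text = let
-mxes = lib.attrsets.filterAttrs
-(n: v: v.mx.enable)
-config.myEnv.servers;
-in
-builtins.concatStringsSep "\n" ([
-config.myEnv.mail.dmarc.ignore_hosts
-] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes);
-}
 ];
 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
 services.opendkim = {
@@ -79,33 +66,6 @@
 ];
 };
 
-users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
-systemd.services.opendmarc.serviceConfig.Slice = "mail.slice";
-services.opendmarc = {
-enable = true;
-socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
-configFile = pkgs.writeText "opendmarc.conf" ''
-AuthservID HOSTNAME
-FailureReports false
-FailureReportsBcc postmaster@immae.eu
-FailureReportsOnNone true
-FailureReportsSentBy postmaster@immae.eu
-IgnoreAuthenticatedClients true
-IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
-SoftwareHeader true
-SPFIgnoreResults true
-SPFSelfValidate true
-UMask 002
-'';
-group = config.services.postfix.group;
-};
-services.filesWatcher.opendmarc = {
-restart = true;
-paths = [
-config.secrets.fullPaths."opendmarc/ignore.hosts"
-];
-};
-
 systemd.services.milter_verify_from = {
 description = "Verify from milter";
 after = [ "network.target" ];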
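Review bot: The whole opendmarc stanza removed in the third hunk — the `IgnoreHosts` list generated from the site's own MX hosts and kept as a 0400 secret, `group = config.services.postfix.group` for socket access, the `mail.slice` placement, the `keys` extraGroup and the filesWatcher restart on the ignore list — has no replacement anywhere on the new side of this file; only the `nixosModules` import in the first hunk is added. Presumably all of it moved into flakes/opendmarc, but that directory is outside this diff (diffstat limited to 'modules'), so it is worth confirming that the flake module still declares the ignore-hosts file and the postfix group before deploying, since losing the ignore list would make the daemon evaluate DMARC on mail relayed from the site's own MXes. A one-line comment next to the new import, e.g. `# opendmarc service config and ignore.hosts secret now live in flakes/opendmarc`, would record where the removed settings went. The enclosing attribute set starts at the top of the file and continues beyond the last hunk.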