Diffstat (limited to 'flakes/private/milters/flake.nix')
-rw-r--r-- | flakes/private/milters/flake.nix | 106 |
1 files changed, 106 insertions, 0 deletions
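--- /dev/null
+++ b/flakes/private/milters/flake.nix
@@ -0,0 +1,106 @@
+{
+inputs.secrets.url = "path:../../secrets";
+inputs.environment.url = "path:../environment";
+inputs.files-watcher.url = "path:../../files-watcher";
+inputs.opendmarc.url = "path:../../opendmarc";
+inputs.openarc.url = "path:../../openarc";
+outputs = { self, secrets, environment, opendmarc, openarc, files-watcher }: {
+nixosModule = self.nixosModules.milters;
+nixosModules.milters = { lib, pkgs, config, nodes, ... }:
+{
+imports = [
+secrets.nixosModule
+environment.nixosModule
+files-watcher.nixosModule
+opendmarc.nixosModule
+openarc.nixosModule
+];
+options.myServices.mail.milters.enable = lib.mkEnableOption "enable Mail milters";
+options.myServices.mail.milters.sockets = lib.mkOption {
+type = lib.types.attrsOf lib.types.path;
+default = {
+opendkim = "/run/opendkim/opendkim.sock";
+opendmarc = config.services.opendmarc.socket;
+openarc = config.services.openarc.socket;
+};
+readOnly = true;
+description = ''
+milters sockets
+'';
+};
+config = lib.mkIf config.myServices.mail.milters.enable {
+secrets.keys = {
+"opendkim" = {
+isDir = true;
+user = config.services.opendkim.user;
+group = config.services.opendkim.group;
+permissions = "0550";
+};
+"opendkim/eldiron.private" = {
+user = config.services.opendkim.user;
+group = config.services.opendkim.group;
+permissions = "0400";
+text = config.myEnv.mail.dkim.eldiron.private;
+};
+};
+users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+services.opendkim = {
+enable = true;
+socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
+domains =
+let
+getDomains = p: lib.mapAttrsToList (n: v: v.fqdn) p.emailPolicies;
+bydomain = builtins.mapAttrs (n: getDomains) nodes.eldiron.config.myServices.dns.zones;
+domains' = lib.flatten (builtins.attrValues bydomain);
+in
+builtins.concatStringsSep "," domains';
+keyPath = config.secrets.fullPaths."opendkim";
+selector = "eldiron";
+configFile = pkgs.writeText "opendkim.conf" ''
+SubDomains yes
+UMask 002
+AlwaysAddARHeader yes
+'';
+group = config.services.postfix.group;
+};
+systemd.services.opendkim.serviceConfig.Slice = "mail.slice";
+systemd.services.opendkim.preStart = lib.mkBefore ''
+# Skip the prestart script as keys are handled in secrets
+exit 0
+'';
+services.filesWatcher.opendkim = {
+restart = true;
+paths = [
+config.secrets.fullPaths."opendkim/eldiron.private"
+];
+};
+
+systemd.services.milter_verify_from = {
+description = "Verify from milter";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Slice = "mail.slice";
+User = "postfix";
+Group = "postfix";
+ExecStart = let
+pymilter = with pkgs.python38Packages; buildPythonPackage rec {
+pname = "pymilter";
+version = "1.0.4";
+src = fetchPypi {
+inherit pname version;
+sha256 = "1bpcvq7d72q0zi7c8h5knhasywwz9gxc23n9fxmw874n5k8hsn7k";
+};
+doCheck = false;
+buildInputs = [ pkgs.libmilter ];
+};
+python = pkgs.python38.withPackages (p: [ pymilter ]);
+in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
+RuntimeDirectory = "milter_verify_from";
+};
+};
+};
+};
+};
+}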
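Review bot: The `milter_verify_from` unit (file lines 78-102) runs a Python milter that parses untrusted SMTP envelope data as the `postfix` user with no sandboxing in its `serviceConfig`, and the mode of the socket it creates under `RuntimeDirectory` is left to `verify_from.py`, which is outside this hunk. Adding `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `RuntimeDirectoryMode = "0750";` next to `RuntimeDirectory` would limit what a bug in that script can reach; the directory mode assumes only the postfix user needs the socket, which looks true here since `User`/`Group` are both `postfix`, but confirm against how postfix is configured to connect. Separately, `lib.mkEnableOption "enable Mail milters"` on file line 18 renders as "Whether to enable enable Mail milters." because `mkEnableOption` prepends "Whether to enable "; `lib.mkEnableOption "Mail milters"` gives the intended text.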