diff options
Diffstat (limited to 'flakes/private/opendmarc/flake.nix')
| -rw-r--r-- | flakes/private/opendmarc/flake.nix | 125 |
1 files changed, 55 insertions, 70 deletions
diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix index e2575e7..7e9e8eb 100644 --- a/flakes/private/opendmarc/flake.nix +++ b/flakes/private/opendmarc/flake.nix | |||
| @@ -1,77 +1,62 @@ | |||
| 1 | { | 1 | { |
| 2 | inputs.opendmarc = { | 2 | inputs.opendmarc.url = "path:../../opendmarc"; |
| 3 | path = "../../opendmarc"; | 3 | inputs.environment.url = "path:../environment"; |
| 4 | type = "path"; | 4 | inputs.secrets.url = "path:../../secrets"; |
| 5 | }; | 5 | inputs.files-watcher.url = "path:../../files-watcher"; |
| 6 | inputs.secrets = { | ||
| 7 | path = "../../secrets"; | ||
| 8 | type = "path"; | ||
| 9 | }; | ||
| 10 | inputs.files-watcher = { | ||
| 11 | path = "../../files-watcher"; | ||
| 12 | type = "path"; | ||
| 13 | }; | ||
| 14 | inputs.my-lib = { | ||
| 15 | path = "../../lib"; | ||
| 16 | type = "path"; | ||
| 17 | }; | ||
| 18 | inputs.nix-lib.url = "github:NixOS/nixpkgs"; | ||
| 19 | 6 | ||
| 20 | description = "Private configuration for opendmarc"; | 7 | description = "Private configuration for opendmarc"; |
| 21 | outputs = { self, nix-lib, opendmarc, my-lib, files-watcher, secrets }: | 8 | outputs = { self, environment, opendmarc, files-watcher, secrets }: { |
| 22 | let | 9 | nixosModule = self.nixosModules.opendmarc; |
| 23 | cfg = name': { config, lib, pkgs, name, ... }: { | 10 | nixosModules.opendmarc = { config, lib, pkgs, ... }: { |
| 24 | imports = [ | 11 | imports = [ |
| 25 | (my-lib.lib.withNarKey files-watcher "nixosModule") | 12 | environment.nixosModule |
| 26 | (my-lib.lib.withNarKey opendmarc "nixosModule") | 13 | files-watcher.nixosModule |
| 27 | (my-lib.lib.withNarKey secrets "nixosModule") | 14 | opendmarc.nixosModule |
| 28 | ]; | 15 | secrets.nixosModule |
| 29 | config = lib.mkIf (name == name') { | 16 | ]; |
| 30 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; | 17 | config = { |
| 31 | systemd.services.opendmarc.serviceConfig.Slice = "mail.slice"; | 18 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; |
| 32 | services.opendmarc = { | 19 | systemd.services.opendmarc.serviceConfig.Slice = "mail.slice"; |
| 33 | enable = true; | 20 | services.opendmarc = { |
| 34 | socket = "/run/opendmarc/opendmarc.sock"; | 21 | enable = true; |
| 35 | configFile = pkgs.writeText "opendmarc.conf" '' | 22 | socket = "/run/opendmarc/opendmarc.sock"; |
| 36 | AuthservID HOSTNAME | 23 | configFile = pkgs.writeText "opendmarc.conf" '' |
| 37 | FailureReports false | 24 | AuthservID HOSTNAME |
| 38 | FailureReportsBcc postmaster@immae.eu | 25 | FailureReports false |
| 39 | FailureReportsOnNone true | 26 | FailureReportsBcc postmaster@immae.eu |
| 40 | FailureReportsSentBy postmaster@immae.eu | 27 | FailureReportsOnNone true |
| 41 | IgnoreAuthenticatedClients true | 28 | FailureReportsSentBy postmaster@immae.eu |
| 42 | IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"} | 29 | IgnoreAuthenticatedClients true |
| 43 | SoftwareHeader true | 30 | IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"} |
| 44 | SPFIgnoreResults true | 31 | SoftwareHeader true |
| 45 | SPFSelfValidate true | 32 | SPFIgnoreResults true |
| 46 | UMask 002 | 33 | SPFSelfValidate true |
| 47 | ''; | 34 | UMask 002 |
| 48 | group = config.services.postfix.group; | 35 | ''; |
| 49 | }; | 36 | group = config.services.postfix.group; |
| 50 | services.filesWatcher.opendmarc = { | 37 | }; |
| 51 | restart = true; | 38 | services.filesWatcher.opendmarc = { |
| 52 | paths = [ | 39 | restart = true; |
| 53 | config.secrets.fullPaths."opendmarc/ignore.hosts" | 40 | paths = [ |
| 54 | ]; | 41 | config.secrets.fullPaths."opendmarc/ignore.hosts" |
| 55 | }; | 42 | ]; |
| 56 | secrets.keys = { | 43 | }; |
| 57 | "opendmarc/ignore.hosts" = { | 44 | secrets.keys = { |
| 58 | user = config.services.opendmarc.user; | 45 | "opendmarc/ignore.hosts" = { |
| 59 | group = config.services.opendmarc.group; | 46 | user = config.services.opendmarc.user; |
| 60 | permissions = "0400"; | 47 | group = config.services.opendmarc.group; |
| 61 | text = let | 48 | permissions = "0400"; |
| 62 | mxes = lib.attrsets.filterAttrs | 49 | text = let |
| 63 | (n: v: v.mx.enable) | 50 | mxes = lib.attrsets.filterAttrs |
| 64 | config.myEnv.servers; | 51 | (n: v: v.mx.enable) |
| 65 | in | 52 | config.myEnv.servers; |
| 66 | builtins.concatStringsSep "\n" ([ | 53 | in |
| 67 | config.myEnv.mail.dmarc.ignore_hosts | 54 | builtins.concatStringsSep "\n" ([ |
| 68 | ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes); | 55 | config.myEnv.mail.dmarc.ignore_hosts |
| 69 | }; | 56 | ] ++ lib.mapAttrsToList (n: v: v.fqdn) mxes); |
| 70 | }; | 57 | }; |
| 71 | }; | 58 | }; |
| 72 | }; | 59 | }; |
| 73 | in | 60 | }; |
| 74 | opendmarc.outputs // | 61 | }; |
| 75 | { nixosModules = opendmarc.nixosModules or {} // nix-lib.lib.genAttrs ["eldiron" "backup-2"] cfg; }; | ||
| 76 | } | 62 | } |
| 77 | |||