Diffstat (limited to 'modules/private/mail/milters.nix')
-rw-r--r-- | modules/private/mail/milters.nix | 208 |
1 files changed, 105 insertions, 103 deletions
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index c4bd990..123af4a 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix | |||
@@ -12,112 +12,114 @@ | |||
12 | milters sockets | 12 | milters sockets |
13 | ''; | 13 | ''; |
14 | }; | 14 | }; |
15 | config.secrets.keys = [ | 15 | config = lib.mkIf config.myServices.mail.enable { |
16 | { | 16 | secrets.keys = [ |
17 | dest = "opendkim/eldiron.private"; | 17 | { |
18 | user = config.services.opendkim.user; | 18 | dest = "opendkim/eldiron.private"; |
19 | group = config.services.opendkim.group; | 19 | user = config.services.opendkim.user; |
20 | permissions = "0400"; | 20 | group = config.services.opendkim.group; |
21 | text = myconfig.env.mail.dkim.eldiron.private; | 21 | permissions = "0400"; |
22 | } | 22 | text = myconfig.env.mail.dkim.eldiron.private; |
23 | { | 23 | } |
24 | dest = "opendkim/eldiron.txt"; | 24 | { |
25 | user = config.services.opendkim.user; | 25 | dest = "opendkim/eldiron.txt"; |
26 | group = config.services.opendkim.group; | 26 | user = config.services.opendkim.user; |
27 | permissions = "0444"; | 27 | group = config.services.opendkim.group; |
28 | text = '' | 28 | permissions = "0444"; |
29 | eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}''; | 29 | text = '' |
30 | } | 30 | eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}''; |
31 | { | 31 | } |
32 | dest = "opendmarc/ignore.hosts"; | 32 | { |
33 | user = config.services.opendmarc.user; | 33 | dest = "opendmarc/ignore.hosts"; |
34 | group = config.services.opendmarc.group; | 34 | user = config.services.opendmarc.user; |
35 | permissions = "0400"; | 35 | group = config.services.opendmarc.group; |
36 | text = myconfig.env.mail.dmarc.ignore_hosts; | 36 | permissions = "0400"; |
37 | } | 37 | text = myconfig.env.mail.dmarc.ignore_hosts; |
38 | ]; | 38 | } |
39 | config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; | ||
40 | config.services.opendkim = { | ||
41 | enable = true; | ||
42 | socket = "local:${config.myServices.mail.milters.sockets.opendkim}"; | ||
43 | domains = builtins.concatStringsSep "," (lib.flatten (map | ||
44 | (zone: map | ||
45 | (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}") | ||
46 | (zone.withEmail or []) | ||
47 | ) | ||
48 | myconfig.env.dns.masterZones | ||
49 | )); | ||
50 | keyPath = "${config.secrets.location}/opendkim"; | ||
51 | selector = "eldiron"; | ||
52 | configFile = pkgs.writeText "opendkim.conf" '' | ||
53 | SubDomains yes | ||
54 | UMask 002 | ||
55 | ''; | ||
56 | group = config.services.postfix.group; | ||
57 | }; | ||
58 | config.systemd.services.opendkim.preStart = lib.mkBefore '' | ||
59 | # Skip the prestart script as keys are handled in secrets | ||
60 | exit 0 | ||
61 | ''; | ||
62 | config.services.filesWatcher.opendkim = { | ||
63 | restart = true; | ||
64 | paths = [ | ||
65 | config.secrets.fullPaths."opendkim/eldiron.private" | ||
66 | ]; | 39 | ]; |
67 | }; | 40 | users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ]; |
68 | 41 | services.opendkim = { | |
69 | config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; | 42 | enable = true; |
70 | config.services.opendmarc = { | 43 | socket = "local:${config.myServices.mail.milters.sockets.opendkim}"; |
71 | enable = true; | 44 | domains = builtins.concatStringsSep "," (lib.flatten (map |
72 | socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; | 45 | (zone: map |
73 | configFile = pkgs.writeText "opendmarc.conf" '' | 46 | (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}") |
74 | AuthservID HOSTNAME | 47 | (zone.withEmail or []) |
75 | FailureReports false | 48 | ) |
76 | FailureReportsBcc postmaster@localhost.immae.eu | 49 | myconfig.env.dns.masterZones |
77 | FailureReportsOnNone true | 50 | )); |
78 | FailureReportsSentBy postmaster@immae.eu | 51 | keyPath = "${config.secrets.location}/opendkim"; |
79 | IgnoreAuthenticatedClients true | 52 | selector = "eldiron"; |
80 | IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"} | 53 | configFile = pkgs.writeText "opendkim.conf" '' |
81 | SoftwareHeader true | 54 | SubDomains yes |
82 | SPFSelfValidate true | 55 | UMask 002 |
83 | TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr | 56 | ''; |
84 | UMask 002 | 57 | group = config.services.postfix.group; |
58 | }; | ||
59 | systemd.services.opendkim.preStart = lib.mkBefore '' | ||
60 | # Skip the prestart script as keys are handled in secrets | ||
61 | exit 0 | ||
85 | ''; | 62 | ''; |
86 | group = config.services.postfix.group; | 63 | services.filesWatcher.opendkim = { |
87 | }; | 64 | restart = true; |
88 | config.services.filesWatcher.opendmarc = { | 65 | paths = [ |
89 | restart = true; | 66 | config.secrets.fullPaths."opendkim/eldiron.private" |
90 | paths = [ | 67 | ]; |
91 | config.secrets.fullPaths."opendmarc/ignore.hosts" | 68 | }; |
92 | ]; | 69 | |
93 | }; | 70 | users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; |
71 | services.opendmarc = { | ||
72 | enable = true; | ||
73 | socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; | ||
74 | configFile = pkgs.writeText "opendmarc.conf" '' | ||
75 | AuthservID HOSTNAME | ||
76 | FailureReports false | ||
77 | FailureReportsBcc postmaster@localhost.immae.eu | ||
78 | FailureReportsOnNone true | ||
79 | FailureReportsSentBy postmaster@immae.eu | ||
80 | IgnoreAuthenticatedClients true | ||
81 | IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"} | ||
82 | SoftwareHeader true | ||
83 | SPFSelfValidate true | ||
84 | TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr | ||
85 | UMask 002 | ||
86 | ''; | ||
87 | group = config.services.postfix.group; | ||
88 | }; | ||
89 | services.filesWatcher.opendmarc = { | ||
90 | restart = true; | ||
91 | paths = [ | ||
92 | config.secrets.fullPaths."opendmarc/ignore.hosts" | ||
93 | ]; | ||
94 | }; | ||
94 | 95 | ||
95 | config.services.openarc = { | 96 | services.openarc = { |
96 | enable = true; | 97 | enable = true; |
97 | user = "opendkim"; | 98 | user = "opendkim"; |
98 | socket = "local:${config.myServices.mail.milters.sockets.openarc}"; | 99 | socket = "local:${config.myServices.mail.milters.sockets.openarc}"; |
99 | group = config.services.postfix.group; | 100 | group = config.services.postfix.group; |
100 | configFile = pkgs.writeText "openarc.conf" '' | 101 | configFile = pkgs.writeText "openarc.conf" '' |
101 | AuthservID mail.immae.eu | 102 | AuthservID mail.immae.eu |
102 | Domain mail.immae.eu | 103 | Domain mail.immae.eu |
103 | KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"} | 104 | KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"} |
104 | Mode sv | 105 | Mode sv |
105 | Selector eldiron | 106 | Selector eldiron |
106 | SoftwareHeader yes | 107 | SoftwareHeader yes |
107 | Syslog Yes | 108 | Syslog Yes |
109 | ''; | ||
110 | }; | ||
111 | systemd.services.openarc.postStart = lib.optionalString | ||
112 | (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' | ||
113 | while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do | ||
114 | sleep 0.5 | ||
115 | done | ||
116 | chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket} | ||
108 | ''; | 117 | ''; |
109 | }; | 118 | services.filesWatcher.openarc = { |
110 | config.systemd.services.openarc.postStart = lib.optionalString | 119 | restart = true; |
111 | (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' | 120 | paths = [ |
112 | while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do | 121 | config.secrets.fullPaths."opendkim/eldiron.private" |
113 | sleep 0.5 | 122 | ]; |
114 | done | 123 | }; |
115 | chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket} | ||
116 | ''; | ||
117 | config.services.filesWatcher.openarc = { | ||
118 | restart = true; | ||
119 | paths = [ | ||
120 | config.secrets.fullPaths."opendkim/eldiron.private" | ||
121 | ]; | ||
122 | }; | 124 | }; |
123 | } | 125 | } |
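Review bot: The opendmarc.conf written in the new `services.opendmarc` block (new lines 71-88) keeps `IgnoreAuthenticatedClients true` together with `TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr`, so OpenDMARC treats Authentication-Results headers carrying any of those ids as trustworthy; nothing in this hunk shows the MTA removing such headers from inbound mail, so if that is done in the Postfix module a pointer here would help, e.g. `# Inbound Authentication-Results headers claiming one of these ids must be stripped by the MTA (e.g. Postfix header_checks), otherwise they are trusted as-is`. The only substantive change is the wrap in `config = lib.mkIf config.myServices.mail.enable { ... }`, which also means the DKIM private key and the `keys` group membership in `secrets.keys` / `users.users` are no longer deployed on hosts where mail is disabled; a one-line comment on the `config = lib.mkIf` line stating that intent would make the gate self-explanatory. The `options` declaration this `config` attribute belongs to starts before the hunk.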