path: root/modules/private/mail/milters.nix
Diffstat (limited to 'modules/private/mail/milters.nix')
-rw-r--r--modules/private/mail/milters.nix208
1 files changed, 105 insertions, 103 deletions
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
index c4bd990..123af4a 100644
--- a/modules/private/mail/milters.nix
+++ b/modules/private/mail/milters.nix
@@ -12,112 +12,114 @@
12 milters sockets 12 milters sockets
13 ''; 13 '';
14 }; 14 };
15 config.secrets.keys = [ 15 config = lib.mkIf config.myServices.mail.enable {
16 { 16 secrets.keys = [
17 dest = "opendkim/eldiron.private"; 17 {
18 user = config.services.opendkim.user; 18 dest = "opendkim/eldiron.private";
19 group = config.services.opendkim.group; 19 user = config.services.opendkim.user;
20 permissions = "0400"; 20 group = config.services.opendkim.group;
21 text = myconfig.env.mail.dkim.eldiron.private; 21 permissions = "0400";
22 } 22 text = myconfig.env.mail.dkim.eldiron.private;
23 { 23 }
24 dest = "opendkim/eldiron.txt"; 24 {
25 user = config.services.opendkim.user; 25 dest = "opendkim/eldiron.txt";
26 group = config.services.opendkim.group; 26 user = config.services.opendkim.user;
27 permissions = "0444"; 27 group = config.services.opendkim.group;
28 text = '' 28 permissions = "0444";
29 eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}''; 29 text = ''
30 } 30 eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
31 { 31 }
32 dest = "opendmarc/ignore.hosts"; 32 {
33 user = config.services.opendmarc.user; 33 dest = "opendmarc/ignore.hosts";
34 group = config.services.opendmarc.group; 34 user = config.services.opendmarc.user;
35 permissions = "0400"; 35 group = config.services.opendmarc.group;
36 text = myconfig.env.mail.dmarc.ignore_hosts; 36 permissions = "0400";
37 } 37 text = myconfig.env.mail.dmarc.ignore_hosts;
38 ]; 38 }
39 config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
40 config.services.opendkim = {
41 enable = true;
42 socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
43 domains = builtins.concatStringsSep "," (lib.flatten (map
44 (zone: map
45 (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
46 (zone.withEmail or [])
47 )
48 myconfig.env.dns.masterZones
49 ));
50 keyPath = "${config.secrets.location}/opendkim";
51 selector = "eldiron";
52 configFile = pkgs.writeText "opendkim.conf" ''
53 SubDomains yes
54 UMask 002
55 '';
56 group = config.services.postfix.group;
57 };
58 config.systemd.services.opendkim.preStart = lib.mkBefore ''
59 # Skip the prestart script as keys are handled in secrets
60 exit 0
61 '';
62 config.services.filesWatcher.opendkim = {
63 restart = true;
64 paths = [
65 config.secrets.fullPaths."opendkim/eldiron.private"
66 ]; 39 ];
67 }; 40 users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
68 41 services.opendkim = {
69 config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; 42 enable = true;
70 config.services.opendmarc = { 43 socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
71 enable = true; 44 domains = builtins.concatStringsSep "," (lib.flatten (map
72 socket = "local:${config.myServices.mail.milters.sockets.opendmarc}"; 45 (zone: map
73 configFile = pkgs.writeText "opendmarc.conf" '' 46 (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
74 AuthservID HOSTNAME 47 (zone.withEmail or [])
75 FailureReports false 48 )
76 FailureReportsBcc postmaster@localhost.immae.eu 49 myconfig.env.dns.masterZones
77 FailureReportsOnNone true 50 ));
78 FailureReportsSentBy postmaster@immae.eu 51 keyPath = "${config.secrets.location}/opendkim";
79 IgnoreAuthenticatedClients true 52 selector = "eldiron";
80 IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"} 53 configFile = pkgs.writeText "opendkim.conf" ''
81 SoftwareHeader true 54 SubDomains yes
82 SPFSelfValidate true 55 UMask 002
83 TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr 56 '';
84 UMask 002 57 group = config.services.postfix.group;
58 };
59 systemd.services.opendkim.preStart = lib.mkBefore ''
60 # Skip the prestart script as keys are handled in secrets
61 exit 0
85 ''; 62 '';
86 group = config.services.postfix.group; 63 services.filesWatcher.opendkim = {
87 }; 64 restart = true;
88 config.services.filesWatcher.opendmarc = { 65 paths = [
89 restart = true; 66 config.secrets.fullPaths."opendkim/eldiron.private"
90 paths = [ 67 ];
91 config.secrets.fullPaths."opendmarc/ignore.hosts" 68 };
92 ]; 69
93 }; 70 users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
71 services.opendmarc = {
72 enable = true;
73 socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
74 configFile = pkgs.writeText "opendmarc.conf" ''
75 AuthservID HOSTNAME
76 FailureReports false
77 FailureReportsBcc postmaster@localhost.immae.eu
78 FailureReportsOnNone true
79 FailureReportsSentBy postmaster@immae.eu
80 IgnoreAuthenticatedClients true
81 IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
82 SoftwareHeader true
83 SPFSelfValidate true
84 TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
85 UMask 002
86 '';
87 group = config.services.postfix.group;
88 };
89 services.filesWatcher.opendmarc = {
90 restart = true;
91 paths = [
92 config.secrets.fullPaths."opendmarc/ignore.hosts"
93 ];
94 };
94 95
95 config.services.openarc = { 96 services.openarc = {
96 enable = true; 97 enable = true;
97 user = "opendkim"; 98 user = "opendkim";
98 socket = "local:${config.myServices.mail.milters.sockets.openarc}"; 99 socket = "local:${config.myServices.mail.milters.sockets.openarc}";
99 group = config.services.postfix.group; 100 group = config.services.postfix.group;
100 configFile = pkgs.writeText "openarc.conf" '' 101 configFile = pkgs.writeText "openarc.conf" ''
101 AuthservID mail.immae.eu 102 AuthservID mail.immae.eu
102 Domain mail.immae.eu 103 Domain mail.immae.eu
103 KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"} 104 KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
104 Mode sv 105 Mode sv
105 Selector eldiron 106 Selector eldiron
106 SoftwareHeader yes 107 SoftwareHeader yes
107 Syslog Yes 108 Syslog Yes
109 '';
110 };
111 systemd.services.openarc.postStart = lib.optionalString
112 (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
113 while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
114 sleep 0.5
115 done
116 chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
108 ''; 117 '';
109 }; 118 services.filesWatcher.openarc = {
110 config.systemd.services.openarc.postStart = lib.optionalString 119 restart = true;
111 (lib.strings.hasPrefix "local:" config.services.openarc.socket) '' 120 paths = [
112 while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do 121 config.secrets.fullPaths."opendkim/eldiron.private"
113 sleep 0.5 122 ];
114 done 123 };
115 chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
116 '';
117 config.services.filesWatcher.openarc = {
118 restart = true;
119 paths = [
120 config.secrets.fullPaths."opendkim/eldiron.private"
121 ];
122 }; 124 };
123} 125}
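Review bot: The `systemd.services.openarc.postStart` script on the new side (new lines 111–117) waits for the milter socket with an unbounded `while [ ! -S … ]; do sleep 0.5; done`, so if openarc fails to create the socket (wrong path, crash on startup) the post-start step spins silently rather than failing the unit; the commit moves this block under `lib.mkIf` but leaves the wait unbounded. Whether systemd eventually cuts it off depends on the unit's Type and TimeoutStartSec, which are not visible in this diff. Bounding the loop with a counter and exiting non-zero when the socket never appears makes the failure visible in the unit status instead of a hang, and needs only POSIX sh. The module header (file lines 1–11) that opens the `{ … }` this hunk closes is outside the hunk.
```nix
systemd.services.openarc.postStart = lib.optionalString
  (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
    # Give openarc a bounded time (60 * 0.5 s) to create its socket, then fail the unit
    i=0
    while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ] && [ "$i" -lt 60 ]; do
      sleep 0.5
      i=$((i + 1))
    done
    [ -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ] || exit 1
    chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
  '';
# … unchanged: services.filesWatcher.openarc …
```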