From a929614f94d11a4f397e72e74f38b3212c24cdee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 23 Jun 2019 21:04:55 +0200
Subject: Configure mail (dovecot, postfix, spam checks)
---
 modules/private/mail/milters.nix | 123 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 modules/private/mail/milters.nix
(limited to 'modules/private/mail/milters.nix')
diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix
new file mode 100644
index 0000000..c4bd990
--- /dev/null
+++ b/modules/private/mail/milters.nix
@@ -0,0 +1,123 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+ options.myServices.mail.milters.sockets = lib.mkOption {
+ type = lib.types.attrsOf lib.types.path;
+ default = {
+ opendkim = "/run/opendkim/opendkim.sock";
+ opendmarc = "/run/opendmarc/opendmarc.sock";
+ openarc = "/run/openarc/openarc.sock";
+ };
+ readOnly = true;
+ description = ''
+ milters sockets
+ '';
+ };
+ config.secrets.keys = [
+ {
+ dest = "opendkim/eldiron.private";
+ user = config.services.opendkim.user;
+ group = config.services.opendkim.group;
+ permissions = "0400";
+ text = myconfig.env.mail.dkim.eldiron.private;
+ }
+ {
+ dest = "opendkim/eldiron.txt";
+ user = config.services.opendkim.user;
+ group = config.services.opendkim.group;
+ permissions = "0444";
+ text = ''
+ eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+ }
+ {
+ dest = "opendmarc/ignore.hosts";
+ user = config.services.opendmarc.user;
+ group = config.services.opendmarc.group;
+ permissions = "0400";
+ text = myconfig.env.mail.dmarc.ignore_hosts;
+ }
+ ];
+ config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
+ config.services.opendkim = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendkim}";
+ domains = builtins.concatStringsSep "," (lib.flatten (map
+ (zone: map
+ (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
+ (zone.withEmail or [])
+ )
+ myconfig.env.dns.masterZones
+ ));
+ keyPath = "${config.secrets.location}/opendkim";
+ selector = "eldiron";
+ configFile = pkgs.writeText "opendkim.conf" ''
+ SubDomains yes
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ config.systemd.services.opendkim.preStart = lib.mkBefore ''
+ # Skip the prestart script as keys are handled in secrets
+ exit 0
+ '';
+ config.services.filesWatcher.opendkim = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
+
+ config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
+ config.services.opendmarc = {
+ enable = true;
+ socket = "local:${config.myServices.mail.milters.sockets.opendmarc}";
+ configFile = pkgs.writeText "opendmarc.conf" ''
+ AuthservID HOSTNAME
+ FailureReports false
+ FailureReportsBcc postmaster@localhost.immae.eu
+ FailureReportsOnNone true
+ FailureReportsSentBy postmaster@immae.eu
+ IgnoreAuthenticatedClients true
+ IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
+ SoftwareHeader true
+ SPFSelfValidate true
+ TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
+ UMask 002
+ '';
+ group = config.services.postfix.group;
+ };
+ config.services.filesWatcher.opendmarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendmarc/ignore.hosts"
+ ];
+ };
+
+ config.services.openarc = {
+ enable = true;
+ user = "opendkim";
+ socket = "local:${config.myServices.mail.milters.sockets.openarc}";
+ group = config.services.postfix.group;
+ configFile = pkgs.writeText "openarc.conf" ''
+ AuthservID mail.immae.eu
+ Domain mail.immae.eu
+ KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
+ Mode sv
+ Selector eldiron
+ SoftwareHeader yes
+ Syslog Yes
+ '';
+ };
+ config.systemd.services.openarc.postStart = lib.optionalString
+ (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
+ while [ ! -S ${lib.strings.removePrefix "local:" config.services.openarc.socket} ]; do
+ sleep 0.5
+ done
+ chmod g+w ${lib.strings.removePrefix "local:" config.services.openarc.socket}
+ '';
+ config.services.filesWatcher.openarc = {
+ restart = true;
+ paths = [
+ config.secrets.fullPaths."opendkim/eldiron.private"
+ ];
+ };
+}
--
cgit v1.2.3
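Review bot: The socket wait loop in config.systemd.services.openarc.postStart has no upper bound, so if openarc never creates its socket (unreadable key, bad config) the unit presumably sits in activating until systemd's start timeout kills it instead of failing with a clear message; a bounded retry that exits non-zero, with the socket path held in a shell variable so it can be quoted, keeps the failure visible. OpenDKIM and OpenDMARC get a group-writable socket through `UMask 002` in their config files while openarc relies on the post-start `chmod g+w`; if the packaged openarc honours a `UMask` directive the chmod and the wait could go away, and either way the reason for the different approach deserves a comment. The openarc service also runs as `user = "opendkim";` so that it can read the 0400 DKIM private key it reuses as the ARC sealing key, which means one key and one account serve both daemons and a compromise of either exposes the signing key; that coupling should be stated next to the line, e.g. `# runs as the opendkim user so it can read the 0400 DKIM key reused as the ARC sealing key`.
```nix
config.systemd.services.openarc.postStart = lib.optionalString
  (lib.strings.hasPrefix "local:" config.services.openarc.socket) ''
    sock=${lib.strings.removePrefix "local:" config.services.openarc.socket}
    # bounded wait (about 30s) for openarc to create its socket; fail the unit otherwise
    tries=0
    while [ ! -S "$sock" ] && [ "$tries" -lt 60 ]; do
      sleep 0.5
      tries=$((tries + 1))
    done
    [ -S "$sock" ] || { echo "openarc socket $sock was not created" >&2; exit 1; }
    chmod g+w "$sock"
  '';
```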