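{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkIf mkForce;
  inherit (lib.trivial) flip;
  inherit (lib.strings) optionalString escapeShellArgs;
  inherit (builtins) toFile concatStringsSep;

  mailConfig = config.services.mailserver;
  opendkimConfig = config.services.opendkim;

  # -f: stay in the foreground (systemd supervises the process),
  # -l: log via syslog, -x: path of the configuration file.
  opendkimArgs = ["-f" "-l" "-x" opendkimConfig.configFile];
  dkimUser = opendkimConfig.user;
  dkimGroup = opendkimConfig.group;

  keyDir = mailConfig.dkim.directory;
  selector = "mail";
  domains = mailConfig.domains;

  # RSA modulus size for newly generated DKIM keys.  RFC 8301 requires signers
  # to use at least 1024 bits and recommends 2048; this module previously
  # generated 1024-bit keys, the bare minimum verifiers still accept.  Keys
  # that already exist on disk are never regenerated, so raising this only
  # affects domains that have no key file yet.
  keyBits = 2048;

  # Per-domain file names, shared by the key generator and the KeyTable so the
  # two can never drift apart.
  privateKeyFor = dom: "${keyDir}/${dom}.${selector}.key";
  dnsRecordFor = dom: "${keyDir}/${dom}.${selector}.txt";

  # Shell snippet that creates a key pair for `dom` unless one already exists.
  # opendkim-genkey always writes `<selector>.private` and `<selector>.txt`
  # into --directory, so both outputs are renamed to their per-domain names.
  # The .txt file holds the public DNS TXT record the operator has to publish.
  createDomainDkimCert = dom: let
    dkimKey = privateKeyFor dom;
    dkimDNSFile = dnsRecordFor dom;
  in ''
    if [ ! -f "${dkimKey}" ]
    then
      ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
        -d "${dom}" \
        --bits="${toString keyBits}" \
        --directory="${keyDir}"
      mv "${keyDir}/${selector}.private" "${dkimKey}"
      mv "${keyDir}/${selector}.txt" "${dkimDNSFile}"
      echo "Generated key for domain ${dom} selector ${selector}"
    fi
  '';

  # One generation snippet per configured domain, run sequentially in preStart.
  createAllCerts = concatStringsSep "\n" (map createDomainDkimCert domains);

  # KeyTable rows: "<key name> <domain>:<selector>:<private key path>".
  keyTable = toFile "opendkim-KeyTable" (concatStringsSep "\n"
    (flip map domains
      (dom: "${dom} ${dom}:${selector}:${privateKeyFor dom}")));

  # SigningTable rows: "<sender domain> <key name>".  As a plain `file:` table
  # the sender domain is matched exactly, so subdomains are only signed if
  # they are listed in `domains` themselves.
  signingTable = toFile "opendkim-SigningTable"
    (concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}")));
in {
  config = mkIf (mailConfig.enable && mailConfig.dkim.enable) {
    services.opendkim = {
      enable = true;
      inherit selector;
      keyPath = keyDir;
      # "csl:" marks a comma-separated list of domains to sign for.
      domains = "csl:${concatStringsSep "," domains}";
      # UMask 0002 leaves the socket group-writable so the dkim group, which
      # postfix is added to below, can connect to it.
      configFile = toFile "opendkim.conf" (''
          Canonicalization relaxed/relaxed
          UMask 0002
          Socket ${opendkimConfig.socket}
          KeyTable file:${keyTable}
          SigningTable file:${signingTable}
        ''
        + (optionalString mailConfig.debugMode ''
          Syslog yes
          SyslogSuccess yes
          LogWhy yes
        ''));
    };

    # Key directory owned by the opendkim user; the mode is left at the
    # tmpfiles default.  Private keys inside it rely on the mode
    # opendkim-genkey assigns them (expected owner-only — confirm on a host).
    systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"];

    # Postfix needs group access to reach the opendkim socket.
    users.users.postfix.extraGroups = [dkimGroup];

    systemd.services.opendkim = {
      preStart = mkForce createAllCerts;
      serviceConfig = {
        ExecStart =
          mkForce
          "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs opendkimArgs}";
        # Run preStart as the service user as well, so the generated key
        # files are owned by the opendkim user instead of root.
        PermissionsStartOnly = mkForce false;
      };
    };
  };
}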