nixfiles/hosts/hetzner-vm/modules/mailserver/opendkim.nix

{ config, lib, pkgs, ... }:
let
  mail_config = config.mailserver;
  dkimUser = config.services.opendkim.user;
  dkimGroup = config.services.opendkim.group;

  keyDir = mail_config.dkim_directory;
  selector = "mail";

  domains = mail_config.domains;

  createDomainDkimCert = dom:
    let
      dkim_key = "${keyDir}/${dom}.${selector}.key";
      dkim_txt = "${keyDir}/${dom}.${selector}.txt";
    in ''
      if [ ! -f "${dkim_key}" ]
      then
          ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
                                               -d "${dom}" \
                                               --bits="1024" \
                                               --directory="${keyDir}"
          mv "${keyDir}/${selector}.private" "${dkim_key}"
          mv "${keyDir}/${selector}.txt" "${dkim_txt}"
          echo "Generated key for domain ${dom} selector ${selector}"
      fi
    '';

  createAllCerts =
    lib.concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);

  keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n"
    (lib.flip map domains
      (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")));

  signingTable = pkgs.writeText "opendkim-SigningTable"
    (lib.concatStringsSep "\n" (lib.flip map domains (dom: "${dom} ${dom}")));

  dkim = config.services.opendkim;
  args = [ "-f" "-l" ]
    ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
in {
  config = (lib.mkIf (mail_config.enable) {
    services.opendkim = {
      enable = true;
      selector = selector;
      keyPath = keyDir;
      domains = "csl:${builtins.concatStringsSep "," domains}";
      configFile = pkgs.writeText "opendkim.conf" (''
        Canonicalization relaxed/relaxed
        UMask 0002
        Socket ${dkim.socket}
        KeyTable file:${keyTable}
        SigningTable file:${signingTable}
      '' + (lib.optionalString mail_config.debug_mode ''
        Syslog yes
        SyslogSuccess yes
        LogWhy yes
      ''));
    };

    users.users =
      lib.optionalAttrs (config.services.postfix.user == "postfix") {
        postfix.extraGroups = [ "${dkimGroup}" ];
      };

    systemd.services.opendkim = {
      preStart = lib.mkForce createAllCerts;
      serviceConfig = {
        ExecStart = lib.mkForce
          "${pkgs.opendkim}/bin/opendkim ${lib.escapeShellArgs args}";
        PermissionsStartOnly = lib.mkForce false;
      };
    };
    systemd.tmpfiles.rules = [ "d '${keyDir}' - ${dkimUser} ${dkimGroup} - -" ];
  });
}
webmail dkim shenanigan backup 2022-06-22 16:59:41 +01:00			`{ config, lib, pkgs, ... }:`
			`let`
move mailserver to module 2022-11-17 12:06:16 +00:00			`mail_config = config.mailserver;`
webmail dkim shenanigan backup 2022-06-22 16:59:41 +01:00			`dkimUser = config.services.opendkim.user;`
			`dkimGroup = config.services.opendkim.group;`

			`keyDir = mail_config.dkim_directory;`
			`selector = "mail";`

			`domains = mail_config.domains;`

			`createDomainDkimCert = dom:`
			`let`
			`dkim_key = "${keyDir}/${dom}.${selector}.key";`
			`dkim_txt = "${keyDir}/${dom}.${selector}.txt";`
			`in ''`
			`if [ ! -f "${dkim_key}" ]`
			`then`
			`${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \`
			`-d "${dom}" \`
			`--bits="1024" \`
			`--directory="${keyDir}"`
			`mv "${keyDir}/${selector}.private" "${dkim_key}"`
			`mv "${keyDir}/${selector}.txt" "${dkim_txt}"`
			`echo "Generated key for domain ${dom} selector ${selector}"`
			`fi`
			`'';`

			`createAllCerts =`
			`lib.concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);`

			`keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n"`
			`(lib.flip map domains`
			`(dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")));`

			`signingTable = pkgs.writeText "opendkim-SigningTable"`
			`(lib.concatStringsSep "\n" (lib.flip map domains (dom: "${dom} ${dom}")));`

			`dkim = config.services.opendkim;`
			`args = [ "-f" "-l" ]`
			`++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];`
			`in {`
move mailserver to module 2022-11-17 12:06:16 +00:00			`config = (lib.mkIf (mail_config.enable) {`
			`services.opendkim = {`
			`enable = true;`
			`selector = selector;`
			`keyPath = keyDir;`
			`domains = "csl:${builtins.concatStringsSep "," domains}";`
			`configFile = pkgs.writeText "opendkim.conf" (''`
			`Canonicalization relaxed/relaxed`
			`UMask 0002`
			`Socket ${dkim.socket}`
			`KeyTable file:${keyTable}`
			`SigningTable file:${signingTable}`
			`'' + (lib.optionalString mail_config.debug_mode ''`
			`Syslog yes`
			`SyslogSuccess yes`
			`LogWhy yes`
			`''));`
			`};`
webmail dkim shenanigan backup 2022-06-22 16:59:41 +01:00
move mailserver to module 2022-11-17 12:06:16 +00:00			`users.users =`
			`lib.optionalAttrs (config.services.postfix.user == "postfix") {`
			`postfix.extraGroups = [ "${dkimGroup}" ];`
			`};`
webmail dkim shenanigan backup 2022-06-22 16:59:41 +01:00
move mailserver to module 2022-11-17 12:06:16 +00:00			`systemd.services.opendkim = {`
			`preStart = lib.mkForce createAllCerts;`
			`serviceConfig = {`
			`ExecStart = lib.mkForce`
			`"${pkgs.opendkim}/bin/opendkim ${lib.escapeShellArgs args}";`
			`PermissionsStartOnly = lib.mkForce false;`
			`};`
webmail dkim shenanigan backup 2022-06-22 16:59:41 +01:00			`};`
move mailserver to module 2022-11-17 12:06:16 +00:00			`systemd.tmpfiles.rules = [ "d '${keyDir}' - ${dkimUser} ${dkimGroup} - -" ];`
			`});`
webmail dkim shenanigan backup 2022-06-22 16:59:41 +01:00			`}`