nixfiles/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix


# OpenDKIM integration for the mailserver module.  Generates one DKIM key
# pair per configured domain on disk (outside the Nix store), builds the
# opendkim KeyTable/SigningTable from those domains, and overrides the
# upstream NixOS opendkim unit so keys are created by the service user.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) mkIf mkForce flip optionalString escapeShellArgs;
  inherit (builtins) concatStringsSep toFile;
# Option sets this file reads: the mailserver module's own options and the
# NixOS opendkim service options.
mailConfig = config.services.mailserver;
opendkimConfig = config.services.opendkim;

# Service identity and the on-disk key directory.  Keys are generated at
# service start into `keyDir`, so private key material never enters the
# world-readable Nix store.
dkimUser = opendkimConfig.user;
dkimGroup = opendkimConfig.group;
keyDir = mailConfig.dkim.directory;

# A single selector is shared by every domain; the per-domain public key is
# published in DNS under that selector.
selector = "mail";
inherit (mailConfig) domains;

# Daemon command line: -f stays in the foreground (systemd supervises it),
# -l logs to syslog, -x points at the generated configuration file.
opendkimArgs = [ "-f" "-l" "-x" opendkimConfig.configFile ];
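# Shell fragment that creates the DKIM key pair for one domain if it does
# not exist yet.  It runs from the opendkim unit's preStart; because
# PermissionsStartOnly is forced off below, that presumably runs under the
# unit's User/Group rather than root, so the key files are owned by the
# service user from the start.
#
# Files produced in `keyDir`:
#   <dom>.<selector>.key  private key (stays on this host)
#   <dom>.<selector>.txt  the DNS TXT record to publish for this domain
#
# Existing keys are never touched: to rotate one, delete its .key file,
# restart the service and publish the new .txt record.  Changing `keyBits`
# therefore only affects keys generated from then on.
createDomainDkimCert = dom: let
  dkimKey = "${keyDir}/${dom}.${selector}.key";
  dkimDNSFile = "${keyDir}/${dom}.${selector}.txt";
  # RFC 8301 requires RSA keys of at least 1024 bits and recommends at least
  # 2048 bits for signers, so new keys are generated at 2048.  A 2048-bit
  # public key no longer fits in a single 255-byte TXT string; opendkim-genkey
  # writes the record as several quoted chunks, so publish the .txt file
  # content as written rather than re-joining it by hand.
  keyBits = "2048";
in ''
  if [ ! -f "${dkimKey}" ]
  then
    ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
      -d "${dom}" \
      --bits="${keyBits}" \
      --directory="${keyDir}" \
    && mv "${keyDir}/${selector}.private" "${dkimKey}" \
    && mv "${keyDir}/${selector}.txt" "${dkimDNSFile}" \
    || { echo "Failed to generate key for domain ${dom} selector ${selector}" >&2; exit 1; }
    echo "Generated key for domain ${dom} selector ${selector}"
  fi
'';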
# Key-generation snippets for every configured domain, joined into the one
# script that becomes the opendkim unit's preStart.
createAllCerts = lib.concatMapStringsSep "\n" createDomainDkimCert domains;
# OpenDKIM KeyTable: one line per domain, mapping a key name (the domain
# itself) to `<signing domain>:<selector>:<private key path>`.  The file
# holds only domain names and paths, no key material, so keeping it in the
# Nix store via toFile exposes nothing sensitive.
keyTable = toFile "opendkim-KeyTable" (lib.concatMapStringsSep "\n"
  (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")
  domains);
# OpenDKIM SigningTable: maps each sender domain to the KeyTable entry of the
# same name.  NOTE(review): these are exact-domain entries in a plain `file:`
# data set; confirm how mail from subdomains of `dom` is expected to be
# matched before relying on it.
signingTable = toFile "opendkim-SigningTable"
  (lib.concatMapStringsSep "\n" (dom: "${dom} ${dom}") domains);
in {
config = mkIf (mailConfig.enable && mailConfig.dkim.enable) {
# NixOS opendkim service, driven by a hand-written configFile so that the
# KeyTable/SigningTable built above are the ones in effect.
services.opendkim = let
  # Base daemon configuration.  UMask 0002 presumably keeps the milter socket
  # group-accessible, which is what lets postfix (added to dkimGroup below)
  # connect to it.
  baseConf = ''
    Canonicalization relaxed/relaxed
    UMask 0002
    Socket ${opendkimConfig.socket}
    KeyTable file:${keyTable}
    SigningTable file:${signingTable}
  '';
  # Extra verbosity in debug mode.  Syslog output is already requested by the
  # `-l` flag in opendkimArgs; these additionally log each successful
  # signing/verification and the reason behind every signing decision.
  debugConf = optionalString mailConfig.debugMode ''
    Syslog yes
    SyslogSuccess yes
    LogWhy yes
  '';
in {
  enable = true;
  inherit selector;
  keyPath = keyDir;
  domains = "csl:${concatStringsSep "," domains}";
  configFile = toFile "opendkim.conf" (baseConf + debugConf);
};
# Key directory, created at boot and owned by the service user.  Mode `-` is
# the tmpfiles default for a directory (0755).  NOTE(review): protection of
# the private keys therefore rests on the per-file mode opendkim-genkey
# assigns and on opendkim's RequireSafeKeys check (on by default) refusing
# keys readable by others; a 0750 or 0700 directory would add defence in
# depth, provided it does not clash with any tmpfiles rule the upstream
# module already installs for the same path.
systemd.tmpfiles.rules = [ "d '${keyDir}' - ${dkimUser} ${dkimGroup} - -" ];
# postfix joins the opendkim group, presumably to reach the milter socket.
# Group membership alone does not grant it read access to the key files as
# long as their mode excludes the group.
users.users.postfix.extraGroups = [ dkimGroup ];
# Overrides of the upstream opendkim unit: generate missing keys before
# start and run the daemon with our own argument list.
systemd.services.opendkim = let
  opendkimExe = "${pkgs.opendkim}/bin/opendkim";
in {
  # mkForce replaces the upstream module's preStart entirely with the
  # per-domain key generation script.
  preStart = mkForce createAllCerts;
  serviceConfig = {
    ExecStart = mkForce "${opendkimExe} ${escapeShellArgs opendkimArgs}";
    # With PermissionsStartOnly off, preStart runs under the unit's
    # User/Group instead of root, so the generated keys are owned by the
    # service user without any chown step.
    PermissionsStartOnly = mkForce false;
  };
};
};
}