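# OpenDKIM signing for every domain listed in ./config.nix.
#
# One RSA key pair per domain is generated on service start when it does not
# exist yet, and a KeyTable / SigningTable is written so that mail for each
# domain is signed with "<domain>.<selector>.key".  Postfix is added to the
# opendkim group so it can reach the milter socket.
{ config, lib, pkgs, ... }:

let
  mail_config = import ./config.nix { config = config; };

  dkimUser = config.services.opendkim.user;
  dkimGroup = config.services.opendkim.group;
  keyDir = mail_config.dkim_directory;
  selector = "mail";
  domains = mail_config.domains;

  # RSA modulus size for newly generated keys.  2048 bits is the size
  # recommended for DKIM signing; the previous hard-coded 1024 is only the
  # minimum verifiers must accept.  This does NOT rotate keys that already
  # exist on disk: the `-f` test below skips domains that have a key file,
  # so existing 1024-bit keys must be removed (and the DNS record updated)
  # to take advantage of the larger size.
  keyBits = "2048";

  # Shell snippet generating the key pair for one domain unless its private
  # key is already present.  opendkim-genkey writes "<selector>.private" and
  # "<selector>.txt" into keyDir; both are renamed to per-domain names so
  # several domains can share one directory.  The DNS TXT record to publish
  # is left in the ".txt" file.
  createDomainDkimCert = dom:
    let
      dkim_key = "${keyDir}/${dom}.${selector}.key";
      dkim_txt = "${keyDir}/${dom}.${selector}.txt";
    in ''
      if [ ! -f "${dkim_key}" ]
      then
        ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
          -d "${dom}" \
          --bits="${keyBits}" \
          --directory="${keyDir}"
        mv "${keyDir}/${selector}.private" "${dkim_key}"
        mv "${keyDir}/${selector}.txt" "${dkim_txt}"
        echo "Generated key for domain ${dom} selector ${selector}"
      fi
    '';

  # Whole preStart script.  `set -e` makes a failed opendkim-genkey or rename
  # abort service start instead of letting opendkim come up without a key
  # (which would surface only as unsigned mail).  The NixOS script wrapper may
  # already run with -e; setting it here makes the behaviour explicit either way.
  createAllCerts = lib.concatStringsSep "\n"
    ([ "set -e" ] ++ map createDomainDkimCert domains);

  # KeyTable: "<name> <domain>:<selector>:<path-to-private-key>" per domain.
  keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n"
    (map (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key") domains));

  # SigningTable: mail from <domain> is signed with the KeyTable entry named <domain>.
  signingTable = pkgs.writeText "opendkim-SigningTable" (lib.concatStringsSep "\n"
    (map (dom: "${dom} ${dom}") domains));

  dkim = config.services.opendkim;

  # -f: stay in the foreground (systemd supervises), -l: log via syslog,
  # -x: use the generated configuration file.
  args = [ "-f" "-l" ] ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
in
{
  services.opendkim = {
    enable = true;
    selector = selector;
    keyPath = keyDir;
    domains = "csl:${builtins.concatStringsSep "," domains}";
    configFile = pkgs.writeText "opendkim.conf" (''
      Canonicalization relaxed/relaxed
      # 0002 keeps the milter socket group-accessible for postfix (see users.users below).
      UMask 0002
      Socket ${dkim.socket}
      KeyTable file:${keyTable}
      SigningTable file:${signingTable}
    '' + (lib.optionalString mail_config.debug_mode ''
      # Only enabled in debug mode: without these, signing failures are not
      # reported through syslog at all.
      Syslog yes
      SyslogSuccess yes
      LogWhy yes
    ''));
  };

  # Let the postfix user connect to the opendkim socket.  Guarded so a
  # renamed postfix user is not silently given a group it never uses.
  users.users = lib.optionalAttrs (config.services.postfix.user == "postfix") {
    postfix.extraGroups = [ dkimGroup ];
  };

  systemd.services.opendkim = {
    preStart = lib.mkForce createAllCerts;
    serviceConfig = {
      ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${lib.escapeShellArgs args}";
      # preStart must run as the opendkim user (not root) so the generated
      # keys are owned by the user that later reads them.
      PermissionsStartOnly = lib.mkForce false;
    };
  };

  # Key directory owned by the opendkim user.  Mode 0750 rather than the
  # tmpfiles default: only the service user (and its group, which postfix is
  # in for socket access) needs to traverse a directory holding private keys.
  # The rule must stay on a single line; the tmpfiles format is line-based.
  systemd.tmpfiles.rules = [
    "d '${keyDir}' 0750 ${dkimUser} ${dkimGroup} - -"
  ];
}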