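# NixOS module fragment: configures opendkim for the mailserver module and
# generates one DKIM key pair per served domain on service start.
{ config, lib, pkgs, ... }:

with lib;

let
  mail_config = config.services.mailserver;
  dkim = config.services.opendkim;
  dkimUser = dkim.user;
  dkimGroup = dkim.group;
  keyDir = mail_config.dkim_directory;
  domains = mail_config.domains;
  selector = "mail";

  # RSA modulus length for newly generated DKIM keys. RFC 8301 permits
  # 1024-bit keys but recommends at least 2048 bits, and verifiers
  # increasingly treat 1024-bit keys as weak. Existing keys are never
  # regenerated (see the `-f` guard below), so raising this only affects
  # domains that do not have a key yet.
  dkimKeyBits = 2048;

  # Per-domain file names; the private key and the DNS TXT record live side
  # by side in keyDir.
  dkimKeyFile = dom: "${keyDir}/${dom}.${selector}.key";
  dkimTxtFile = dom: "${keyDir}/${dom}.${selector}.txt";

  # Shell snippet that creates the key pair for one domain unless its private
  # key already exists. opendkim-genkey names its output after the selector,
  # so both files are renamed to their per-domain names afterwards.
  createDomainDkimCert = dom: ''
    if [ ! -f "${dkimKeyFile dom}" ]
    then
      ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
                                            -d "${dom}" \
                                            --bits="${toString dkimKeyBits}" \
                                            --directory="${keyDir}"
      mv "${keyDir}/${selector}.private" "${dkimKeyFile dom}"
      mv "${keyDir}/${selector}.txt" "${dkimTxtFile dom}"
      echo "Generated key for domain ${dom} selector ${selector}"
    fi
  '';

  createAllCerts = concatStringsSep "\n" (map createDomainDkimCert domains);

  # KeyTable: maps a signing key name to "domain:selector:private-key-path".
  keyTable = pkgs.writeText "opendkim-KeyTable" (concatStringsSep "\n"
    (map (dom: "${dom} ${dom}:${selector}:${dkimKeyFile dom}") domains));

  # SigningTable: maps a sender domain to the KeyTable entry used to sign it.
  signingTable = pkgs.writeText "opendkim-SigningTable" (concatStringsSep "\n"
    (map (dom: "${dom} ${dom}") domains));

  # Foreground, log to syslog, and use our own configuration file when set.
  args = [ "-f" "-l" ] ++ optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
in
{
  config = mkIf mail_config.enable {
    services.opendkim = {
      enable = true;
      selector = selector;
      keyPath = keyDir;
      domains = "csl:${concatStringsSep "," domains}";
      configFile = pkgs.writeText "opendkim.conf" (''
        Canonicalization relaxed/relaxed
        UMask 0002
        Socket ${dkim.socket}
        KeyTable file:${keyTable}
        SigningTable file:${signingTable}
      '' + (optionalString mail_config.debug_mode ''
        Syslog yes
        SyslogSuccess yes
        LogWhy yes
      ''));
    };

    # Postfix talks to opendkim over its socket; grant it the opendkim group
    # when it runs under the default account.
    users.users = optionalAttrs (config.services.postfix.user == "postfix") {
      postfix.extraGroups = [ dkimGroup ];
    };

    systemd.services.opendkim = {
      preStart = mkForce createAllCerts;
      serviceConfig = {
        ExecStart = mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
        # Run preStart under the service's own user rather than root, so the
        # generated key files are owned by the account that has to read them.
        PermissionsStartOnly = mkForce false;
      };
    };

    # Directory mode is left at the tmpfiles default; protection of the
    # private keys relies on the file permissions opendkim-genkey applies.
    systemd.tmpfiles.rules = [ "d '${keyDir}' - ${dkimUser} ${dkimGroup} - -" ];
  };
}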