nixfiles/hosts/hetzner-arm/containers/mail/modules/mailserver/opendkim.nix


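{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkIf mkForce;
  inherit (lib.trivial) flip;
  inherit (lib.strings) optionalString escapeShellArgs;
  inherit (builtins) toFile concatStringsSep;

  mailConfig = config.services.mailserver;
  opendkimConfig = config.services.opendkim;

  # Daemon flags: -f stay in the foreground (systemd supervises it),
  # -l log via syslog, -x <file> use this config file.
  opendkimArgs = ["-f" "-l" "-x" opendkimConfig.configFile];
  dkimUser = opendkimConfig.user;
  dkimGroup = opendkimConfig.group;
  keyDir = mailConfig.dkim.directory;
  selector = "mail";

  # RSA key length for newly generated DKIM keys. RFC 8301 requires
  # verifiers to accept 1024-4096 bit keys and recommends that signers
  # use at least 2048 bits; the previous hard-coded 1024 was the floor,
  # not the recommendation. Only keys generated from now on are
  # affected: existing key files are kept by the `-f` guard below and
  # are NOT rotated automatically.
  dkimKeyBits = 2048;

  inherit (mailConfig) domains;

  # Shell snippet that generates the DKIM key pair for one domain the
  # first time the service starts, then renames the generic output of
  # opendkim-genkey to per-domain file names so several domains can
  # share `keyDir`. The `.txt` file holds the DNS TXT record to publish.
  # Assumes opendkim-genkey creates the private key owner-readable only
  # (NOTE(review): confirm the resulting mode on the host).
  createDomainDkimCert = dom: let
    dkimKey = "${keyDir}/${dom}.${selector}.key";
    dkimDNSFile = "${keyDir}/${dom}.${selector}.txt";
  in ''
    if [ ! -f "${dkimKey}" ]
    then
      ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
        -d "${dom}" \
        --bits="${toString dkimKeyBits}" \
        --directory="${keyDir}"
      mv "${keyDir}/${selector}.private" "${dkimKey}"
      mv "${keyDir}/${selector}.txt" "${dkimDNSFile}"
      echo "Generated key for domain ${dom} selector ${selector}"
    fi
  '';

  # One generation snippet per configured domain, run sequentially.
  createAllCerts =
    concatStringsSep "\n" (map createDomainDkimCert domains);

  # KeyTable / SigningTable are written to the world-readable Nix store
  # via `toFile`. That is acceptable: they contain only domain names and
  # the *paths* of the keys, never the key material itself, which stays
  # in `keyDir` outside the store.
  keyTable = toFile "opendkim-KeyTable" (concatStringsSep "\n"
    (flip map domains
      (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")));
  signingTable =
    toFile "opendkim-SigningTable"
    (concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}")));
in {
  config = mkIf (mailConfig.enable && mailConfig.dkim.enable) {
    services.opendkim = {
      enable = true;
      inherit selector;
      keyPath = keyDir;
      # "csl:" = comma-separated list of domains to sign for.
      domains = "csl:${concatStringsSep "," domains}";
      configFile = toFile "opendkim.conf" (''
          Canonicalization relaxed/relaxed
          UMask 0002
          Socket ${opendkimConfig.socket}
          KeyTable file:${keyTable}
          SigningTable file:${signingTable}
        ''
        # Verbose signing logs only when the mail stack is in debug mode.
        + (optionalString mailConfig.debugMode ''
          Syslog yes
          SyslogSuccess yes
          LogWhy yes
        ''));
    };

    # Key directory is created at boot, owned by the opendkim user/group
    # (default mode), so the unprivileged preStart below can write to it.
    systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"];

    # Presumably so the postfix milter client can reach the opendkim
    # socket, which is group-owned by `dkimGroup`.
    users.users.postfix.extraGroups = ["${dkimGroup}"];

    systemd.services.opendkim = {
      preStart = mkForce createAllCerts;
      serviceConfig = {
        ExecStart =
          mkForce
          "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs opendkimArgs}";
        # With PermissionsStartOnly=false, ExecStartPre runs under the
        # unit's User/Group as well, so key generation happens as the
        # opendkim user and the key files are owned by it, not by root.
        PermissionsStartOnly = mkForce false;
      };
    };
  };
}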