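# OpenDKIM signing for the mailserver module.
#
# For every domain in `mailserver.domains` this module generates an RSA key
# pair at service start (only if no private key exists yet for that domain)
# and points OpenDKIM's KeyTable / SigningTable at it, so all outgoing mail
# from those domains is signed under the fixed "mail" selector. The public
# half is written next to the key as a ready-to-publish DNS TXT record
# (<domain>.mail.txt); publishing it is left to the operator.
{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  mail_config = config.mailserver;
  dkimUser = config.services.opendkim.user;
  dkimGroup = config.services.opendkim.group;

  # Directory holding the per-domain private keys and their DNS TXT snippets.
  keyDir = mail_config.dkim_directory;
  selector = "mail";

  domains = mail_config.domains;

  # RSA modulus length for newly generated keys. RFC 6376 allowed 1024 bits,
  # but RFC 8301 recommends 2048 bits for signers and 1024-bit RSA is no longer
  # considered adequate. Existing keys on disk are never regenerated, so this
  # only affects domains that have no key yet; rotate old keys by removing
  # <domain>.mail.key and restarting the service (then re-publish the TXT).
  keyBits = 2048;

  # Shell snippet that creates the key pair for `dom` unless the private key
  # already exists. opendkim-genkey writes <selector>.private and
  # <selector>.txt into keyDir; both are renamed to per-domain names so that
  # several domains can share one directory and one selector name.
  # `dom` and `keyDir` come from the NixOS configuration (trusted input).
  createDomainDkimCert = dom: let
    dkim_key = "${keyDir}/${dom}.${selector}.key";
    dkim_txt = "${keyDir}/${dom}.${selector}.txt";
  in ''
    if [ ! -f "${dkim_key}" ]
    then
      ${pkgs.opendkim}/bin/opendkim-genkey -s "${selector}" \
                                           -d "${dom}" \
                                           --bits="${toString keyBits}" \
                                           --directory="${keyDir}"
      mv "${keyDir}/${selector}.private" "${dkim_key}"
      mv "${keyDir}/${selector}.txt" "${dkim_txt}"
      # The private key must not be readable by other local users (keyDir
      # itself is created world-readable by the tmpfiles rule below); do not
      # rely on the generator's default file mode. The daemon runs as the
      # same user that created the file, so owner-only access is sufficient.
      chmod 0600 "${dkim_key}"
      echo "Generated key for domain ${dom} selector ${selector}"
    fi
  '';

  # One generation snippet per configured domain, run sequentially.
  createAllCerts =
    concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);

  # KeyTable: "<name> <domain>:<selector>:<private key path>" per domain.
  keyTable = pkgs.writeText "opendkim-KeyTable" (concatStringsSep "\n"
    (flip map domains
      (dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")));

  # SigningTable: sign mail from <domain> with the KeyTable entry of the same
  # name.
  signingTable =
    pkgs.writeText "opendkim-SigningTable"
    (concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}")));

  dkim = config.services.opendkim;

  # Daemon arguments: stay in the foreground (systemd supervises it), log to
  # syslog, and use the generated configuration file.
  args =
    ["-f" "-l"]
    ++ optionals (dkim.configFile != null) ["-x" dkim.configFile];
in {
  config = mkIf (mail_config.enable) {
    services.opendkim = {
      enable = true;
      selector = selector;
      keyPath = keyDir;
      domains = "csl:${builtins.concatStringsSep "," domains}";
      configFile = pkgs.writeText "opendkim.conf" (''
        Canonicalization relaxed/relaxed
        # Group-writable umask so the milter socket is usable by the postfix
        # user, which is added to the opendkim group below.
        UMask 0002
        Socket ${dkim.socket}
        KeyTable file:${keyTable}
        SigningTable file:${signingTable}
      ''
      + (optionalString mail_config.debug_mode ''
        Syslog yes
        SyslogSuccess yes
        LogWhy yes
      ''));
    };

    # Let postfix reach the milter socket (see UMask above).
    users.users = optionalAttrs (config.services.postfix.user == "postfix") {
      postfix.extraGroups = ["${dkimGroup}"];
    };

    systemd.services.opendkim = {
      preStart = mkForce createAllCerts;
      serviceConfig = {
        ExecStart =
          mkForce
          "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
        # Run preStart as the service user rather than root, so the generated
        # keys are owned by the opendkim user from the start and no privileged
        # code touches keyDir.
        PermissionsStartOnly = mkForce false;
      };
    };

    # Key directory owned by the opendkim user/group (default directory mode).
    systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"];
  };
}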