
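{ config, lib, pkgs, ... }:
# OpenDKIM signing for the mailserver module: one RSA key pair per configured
# domain under `config.mailserver.dkim_directory`, generated on first service
# start, plus the KeyTable/SigningTable that map each domain to its key.
let
  mail_config = config.mailserver;
  dkimUser = config.services.opendkim.user;
  dkimGroup = config.services.opendkim.group;
  keyDir = mail_config.dkim_directory;
  domains = mail_config.domains;

  # DNS selector shared by every domain; the public key is published at
  # `<selector>._domainkey.<domain>`.
  selector = "mail";

  # RSA modulus size for newly generated keys. RFC 8301 recommends that
  # signers use at least 2048 bits (1024 is the minimum verifiers must accept).
  # Keys already on disk are left untouched by createDomainDkimCert, so this
  # only affects domains that have no key yet; rotating an existing key means
  # removing its files and re-publishing the DNS record.
  keyBits = 2048;

  # Per-domain file names for the private key and the DNS TXT record.
  keyFile = dom: "${keyDir}/${dom}.${selector}.key";
  txtFile = dom: "${keyDir}/${dom}.${selector}.txt";

  # Shell snippet that generates the key pair for `dom` unless its private
  # key already exists. opendkim-genkey writes `<selector>.private` and
  # `<selector>.txt` into --directory, so both are renamed to per-domain
  # names; the .txt file is the TXT record to publish in DNS. All paths and
  # the domain are shell-escaped so an unusual domain string cannot break
  # the script.
  createDomainDkimCert = dom:
    let
      dkim_key = lib.escapeShellArg (keyFile dom);
      dkim_txt = lib.escapeShellArg (txtFile dom);
      genkeyPrivate = lib.escapeShellArg "${keyDir}/${selector}.private";
      genkeyTxt = lib.escapeShellArg "${keyDir}/${selector}.txt";
    in ''
      if [ ! -f ${dkim_key} ]
      then
        ${pkgs.opendkim}/bin/opendkim-genkey -s ${lib.escapeShellArg selector} \
          -d ${lib.escapeShellArg dom} \
          --bits=${toString keyBits} \
          --directory=${lib.escapeShellArg keyDir}
        mv ${genkeyPrivate} ${dkim_key}
        mv ${genkeyTxt} ${dkim_txt}
        echo "Generated key for domain ${dom} selector ${selector}"
      fi
    '';

  # One generation snippet per configured domain, run sequentially in preStart.
  createAllCerts =
    lib.concatStringsSep "\n" (map createDomainDkimCert domains);

  # OpenDKIM KeyTable: `<name> <domain>:<selector>:<private key path>`.
  keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n"
    (map (dom: "${dom} ${dom}:${selector}:${keyFile dom}") domains));

  # OpenDKIM SigningTable: sign mail from `<domain>` with KeyTable entry `<domain>`.
  signingTable = pkgs.writeText "opendkim-SigningTable"
    (lib.concatStringsSep "\n" (map (dom: "${dom} ${dom}") domains));

  dkim = config.services.opendkim;

  # Foreground (-f), syslog (-l) and, when set, the config file written below.
  # `dkim.configFile` is defined by this very module; the NixOS module system
  # evaluates `config` lazily, so the self-reference resolves.
  args = [ "-f" "-l" ]
    ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
in {
  config = lib.mkIf mail_config.enable {
    services.opendkim = {
      enable = true;
      selector = selector;
      keyPath = keyDir;
      # `csl:` is OpenDKIM's inline comma-separated-list dataset syntax.
      domains = "csl:${builtins.concatStringsSep "," domains}";
      configFile = pkgs.writeText "opendkim.conf" (''
        Canonicalization relaxed/relaxed
        UMask 0002
        Socket ${dkim.socket}
        KeyTable file:${keyTable}
        SigningTable file:${signingTable}
      '' + (lib.optionalString mail_config.debug_mode ''
        Syslog yes
        SyslogSuccess yes
        LogWhy yes
      ''));
      # UMask 0002 leaves the milter socket group-accessible; postfix is
      # added to the OpenDKIM group below so it can connect to it.
    };

    # Only extend the group list when postfix runs under its default user
    # name, because the attribute name `postfix` would not match otherwise.
    users.users =
      lib.optionalAttrs (config.services.postfix.user == "postfix") {
        postfix.extraGroups = [ "${dkimGroup}" ];
      };

    systemd.services.opendkim = {
      # Replace the NixOS opendkim module's own key handling with the
      # per-domain generation above.
      preStart = lib.mkForce createAllCerts;
      serviceConfig = {
        ExecStart = lib.mkForce
          "${pkgs.opendkim}/bin/opendkim ${lib.escapeShellArgs args}";
        # With PermissionsStartOnly=false, preStart runs as the service user
        # rather than root, so generated key files are owned by ${dkimUser}.
        PermissionsStartOnly = lib.mkForce false;
      };
    };

    # Key directory owned by the OpenDKIM user/group; mode is left at the
    # tmpfiles default. NOTE(review): the private key files are expected to
    # carry their own restrictive mode from opendkim-genkey — confirm, or
    # tighten the directory to 0750 if the .txt records need not be world-readable.
    systemd.tmpfiles.rules = [ "d '${keyDir}' - ${dkimUser} ${dkimGroup} - -" ];
  };
}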