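{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.dkimproxy-out;
  # State directory holding the auto-generated RSA key pair.  It is created
  # by preStart (running as root) and handed over to the service user.
  keydir = "/var/lib/dkimproxy-out";
  privkey = "${keydir}/private.key";
  pubkey = "${keydir}/public.key";
in
{
  ##### interface
  options = {
    services.dkimproxy-out = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description =
          ''
            Whether to enable dkimproxy_out.

            Note that a key will be auto-generated, and can be found in
            ${keydir}.
          '';
      };

      listen = mkOption {
        type = types.str;
        example = "127.0.0.1:10027";
        description = "Address:port DKIMproxy should listen on.";
      };

      relay = mkOption {
        type = types.str;
        example = "127.0.0.1:10028";
        description = "Address:port DKIMproxy should forward mail to.";
      };

      domains = mkOption {
        type = with types; listOf str;
        example = [ "example.org" "example.com" ];
        description = "List of domains DKIMproxy can sign for.";
      };

      selector = mkOption {
        type = types.str;
        example = "selector1";
        description =
          ''
            The selector to use for DKIM key identification.

            For example, if 'selector1' is used here, then for each domain
            'example.org' given in `domains`, 'selector1._domainkey.example.org'
            should contain the TXT record indicating the public key is the one
            in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".
          '';
      };

      keySize = mkOption {
        type = types.int;
        default = 2048;
        description =
          ''
            Size of the RSA key to use to sign outgoing emails. Note that the
            maximum mandatorily verified as per RFC6376 is 2048.
          '';
      };

      # TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
      # This being the scheme used by gmail, maybe nothing more is needed for
      # reasonable use.
    };
  };

  ##### implementation
  config = let
    # The daemon configuration is written to the Nix store and is therefore
    # world-readable.  It carries only addresses, domains, the selector and the
    # *path* of the private key -- never the key material itself.
    configfile = pkgs.writeText "dkimproxy_out.conf"
      ''
        listen ${cfg.listen}
        relay ${cfg.relay}

        domain ${concatStringsSep "," cfg.domains}
        selector ${cfg.selector}

        signature dkim(c=relaxed/relaxed)

        keyfile ${privkey}
      '';
  in
    mkIf cfg.enable {
      users.groups.dkimproxy-out = {};
      users.users.dkimproxy-out = {
        description = "DKIMproxy_out daemon";
        group = "dkimproxy-out";
        isSystemUser = true;
      };

      systemd.services.dkimproxy-out = {
        description = "DKIMproxy_out";
        wantedBy = [ "multi-user.target" ];
        # Runs as root (PermissionsStartOnly below) so it can create the state
        # directory and chown it to the service user.
        #
        # The key pair is generated whenever the private key is absent, not
        # only when the directory is absent, so a state directory left behind
        # without a key (e.g. after an interrupted first start) is repaired
        # instead of leaving the daemon to fail on a missing keyfile.
        #
        # umask 077 makes openssl create the key files without group/other
        # permission bits regardless of the umask inherited from systemd.
        preStart = ''
          umask 077
          if [ ! -d "${keydir}" ]; then
            mkdir -p "${keydir}"
            chmod 0700 "${keydir}"
          fi
          if [ ! -f "${privkey}" ]; then
            ${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
            ${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
            chown -R dkimproxy-out:dkimproxy-out "${keydir}"
          fi
        '';
        script = ''
          exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
        '';
        serviceConfig = {
          User = "dkimproxy-out";
          # Only the main process drops privileges; preStart stays root so it
          # can create and chown the key directory.
          PermissionsStartOnly = true;
        };
      };
    };
}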