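# NixOS module for pfix-srsd, the Postfix sender rewriting scheme (SRS)
# daemon shipped in pkgs.pfixtools.
#
# Declares the services.pfix-srsd.* options and, when enabled, installs
# pfixtools and a forking systemd unit that is started before, and is
# required by, postfix.service.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.pfix-srsd;

  # Defined once so the path given to the daemon (-p) and the path systemd
  # watches (PIDFile=) cannot drift apart. /run is used instead of the legacy
  # /var/run alias, which systemd warns about when it appears in PIDFile=.
  pidFile = "/run/pfix-srsd.pid";
in
{

  ###### interface

  options = {

    services.pfix-srsd = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "Whether to run the postfix sender rewriting scheme daemon.";
      };

      # No default: a domain must be set whenever the service is enabled.
      domain = mkOption {
        description = "The domain for which to enable srs";
        type = types.str;
        example = "example.com";
      };

      # Security: keep this a string naming a file that lives outside the Nix
      # store and is readable only by the daemon. Setting it to a Nix path
      # literal (e.g. ./secrets) makes the ExecStart interpolation below copy
      # the file into the world-readable store, exposing the SRS secrets to
      # every local user.
      secretsFile = mkOption {
        description = ''
          The secret data used to encode the SRS address.
          to generate, use a command like:
          <literal>for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; done</literal>
        '';
        type = types.path;
        default = "/var/lib/pfix-srsd/secrets";
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {
    environment = {
      systemPackages = [ pkgs.pfixtools ];
    };

    systemd.services."pfix-srsd" = {
      description = "Postfix sender rewriting scheme daemon";
      before = [ "postfix.service" ];
      # Note that we use requires rather than wants because postfix
      # is unable to process (almost) all mail without srsd.
      requiredBy = [ "postfix.service" ];
      serviceConfig = {
        Type = "forking";
        PIDFile = pidFile;
        # domain and secretsFile are spliced into the command line unescaped;
        # systemd splits ExecStart on whitespace, so a value containing spaces
        # would be passed to the daemon as extra arguments.
        #
        # NOTE(review): no User=/Group= or sandboxing directives are set, so
        # the unit starts with systemd's default identity (root). Whether
        # pfix-srsd drops privileges on its own is not visible here; confirm
        # before relying on it.
        ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p ${pidFile} -I ${cfg.domain} ${cfg.secretsFile}";
      };
    };
  };
}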