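{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.dkimproxy-out;
  # State directory holding the auto-generated RSA signing key pair.
  # The directory is created and locked down (0700) by the service's preStart.
  keydir = "/var/lib/dkimproxy-out";
  privkey = "${keydir}/private.key";
  pubkey = "${keydir}/public.key";
in
{
  ##### interface
  options = {
    services.dkimproxy-out = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable dkimproxy_out.

          Note that a key will be auto-generated on first start, and can be
          found in ${keydir}.
        '';
      };

      listen = mkOption {
        type = types.str;
        example = "127.0.0.1:10027";
        description = ''
          Address:port DKIMproxy should listen on.

          This module configures no client authentication on the listener, so
          it should normally be a loopback address reachable only by the
          local MTA.
        '';
      };

      relay = mkOption {
        type = types.str;
        example = "127.0.0.1:10028";
        description = "Address:port DKIMproxy should forward mail to.";
      };

      domains = mkOption {
        type = with types; listOf str;
        example = [ "example.org" "example.com" ];
        description = "List of domains DKIMproxy can sign for.";
      };

      selector = mkOption {
        type = types.str;
        example = "selector1";
        description = ''
          The selector to use for DKIM key identification.

          For example, if 'selector1' is used here, then for each domain
          'example.org' given in `domains`, 'selector1._domainkey.example.org'
          should contain the TXT record indicating the public key is the one
          in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".
        '';
      };

      keySize = mkOption {
        type = types.int;
        default = 2048;
        description = ''
          Size of the RSA key to use to sign outgoing emails. Note that the
          maximum mandatorily verified as per RFC6376 is 2048; RFC8301 raises
          the verifier requirement to 4096 and asks signers to use at least
          2048, so larger keys may still be rejected by older verifiers.

          This only affects the key generated on first start: an existing key
          in ${keydir} is not regenerated when this value changes.
        '';
      };

      # TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
      # This being the scheme used by gmail, maybe nothing more is needed for
      # reasonable use.
    };
  };

  ##### implementation
  config = let
    # dkimproxy.out configuration; `domain` takes a comma-separated list.
    configfile = pkgs.writeText "dkimproxy_out.conf"
      ''
        listen ${cfg.listen}
        relay ${cfg.relay}

        domain ${concatStringsSep "," cfg.domains}
        selector ${cfg.selector}

        signature dkim(c=relaxed/relaxed)

        keyfile ${privkey}
      '';
  in
    mkIf cfg.enable {
      users.groups.dkimproxy-out = {};
      users.users.dkimproxy-out = {
        description = "DKIMproxy_out daemon";
        group = "dkimproxy-out";
        isSystemUser = true;
      };

      systemd.services.dkimproxy-out = {
        description = "DKIMproxy_out";
        wantedBy = [ "multi-user.target" ];
        # Runs as root (see PermissionsStartOnly below) so it can create the
        # state directory and hand it to the service user. Key generation is
        # gated on the key file, not the directory, so an interrupted first
        # start (directory created, openssl failed) is retried on the next
        # start instead of leaving the service without a key forever.
        preStart = ''
          mkdir -p "${keydir}"
          chmod 0700 "${keydir}"
          if [ ! -f "${privkey}" ]; then
            # Restrictive umask so the private key is never created
            # world-readable, whatever openssl's default file mode is.
            (
              umask 077
              ${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
            )
            chmod 0600 "${privkey}"
          fi
          if [ ! -f "${pubkey}" ]; then
            ${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
          fi
          chown -R dkimproxy-out:dkimproxy-out "${keydir}"
        '';
        script = ''
          exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
        '';
        serviceConfig = {
          # The proxy itself runs unprivileged; only ExecStartPre is root.
          User = "dkimproxy-out";
          PermissionsStartOnly = true;
        };
      };
    };

  meta.maintainers = with lib.maintainers; [ ekleog ];
}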