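{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.dkimproxy-out;
  # State directory holding the auto-generated RSA signing key pair.  preStart
  # below creates it 0700 and hands it to the service user, so only root and
  # the daemon can read the private key.
  keydir = "/var/lib/dkimproxy-out";
  privkey = "${keydir}/private.key";
  pubkey = "${keydir}/public.key";
in
{
  ##### interface
  options = {
    services.dkimproxy-out = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to enable dkimproxy_out.

          Note that a key will be auto-generated on first start, and can be
          found in ${keydir}. An existing private key is never overwritten;
          to rotate, remove the key files and publish the new public key
          under a fresh selector.
        '';
      };

      listen = lib.mkOption {
        type = lib.types.str;
        example = "127.0.0.1:10027";
        description = ''
          Address:port DKIMproxy should listen on.

          This module configures no authentication on the listening socket:
          any message accepted here is signed for the configured domains.
          Bind it to loopback (or a host-local address reachable only by
          the MTA) rather than a public interface.
        '';
      };

      relay = lib.mkOption {
        type = lib.types.str;
        example = "127.0.0.1:10028";
        description = "Address:port DKIMproxy should forward mail to.";
      };

      domains = lib.mkOption {
        type = with lib.types; listOf str;
        example = [
          "example.org"
          "example.com"
        ];
        description = "List of domains DKIMproxy can sign for.";
      };

      selector = lib.mkOption {
        type = lib.types.str;
        example = "selector1";
        description = ''
          The selector to use for DKIM key identification.

          For example, if 'selector1' is used here, then for each domain
          'example.org' given in `domains`, 'selector1._domainkey.example.org'
          should contain the TXT record indicating the public key is the one
          in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".

          ${pubkey} is written in PEM form; the value of `p=` is the base64
          between the BEGIN/END lines, joined into a single line with the
          line breaks removed.
        '';
      };

      keySize = lib.mkOption {
        type = lib.types.int;
        default = 2048;
        description = ''
          Size of the RSA key to use to sign outgoing emails. Note that the
          maximum mandatorily verified as per RFC6376 is 2048; RFC8301 later
          raised the verifier requirement to 4096 and forbids keys shorter
          than 1024 bits, so values outside 1024-4096 are unlikely to verify
          widely. Changing this after the key exists has no effect until the
          key files are removed and regenerated.
        '';
      };

      # TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
      # This being the scheme used by gmail, maybe nothing more is needed for
      # reasonable use.
    };
  };

  ##### implementation
  config =
    let
      # dkimproxy.out configuration, rendered into the store. It contains no
      # secrets: the private key is referenced by path, not embedded.
      configfile = pkgs.writeText "dkimproxy_out.conf" ''
        listen ${cfg.listen}
        relay ${cfg.relay}

        domain ${lib.concatStringsSep "," cfg.domains}
        selector ${cfg.selector}

        signature dkim(c=relaxed/relaxed)

        keyfile ${privkey}
      '';
    in
    lib.mkIf cfg.enable {
      users.groups.dkimproxy-out = { };
      users.users.dkimproxy-out = {
        description = "DKIMproxy_out daemon";
        group = "dkimproxy-out";
        isSystemUser = true;
      };

      systemd.services.dkimproxy-out = {
        description = "DKIMproxy_out";
        wantedBy = [ "multi-user.target" ];
        # Runs as root (PermissionsStartOnly) so it can create the state
        # directory and chown it to the unprivileged service user.
        #
        # The checks are per file rather than on the directory: if the
        # directory already exists (pre-created by an admin, or left behind by
        # an interrupted first start) but the key is missing, the daemon would
        # otherwise start without a key and fail.
        preStart = ''
          mkdir -p "${keydir}"
          chmod 0700 "${keydir}"
          if [ ! -f "${privkey}" ]; then
            ${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
            chmod 0600 "${privkey}"
            # A public key left over from a previous private key would not
            # match; drop it so it is re-derived below.
            rm -f "${pubkey}"
          fi
          if [ ! -f "${pubkey}" ]; then
            ${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
          fi
          chown -R dkimproxy-out:dkimproxy-out "${keydir}"
        '';
        script = ''
          exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
        '';
        serviceConfig = {
          User = "dkimproxy-out";
          # Keep ExecStartPre (preStart) privileged while the daemon itself
          # drops to User above.
          PermissionsStartOnly = true;
        };
      };
    };

  meta.maintainers = with lib.maintainers; [ ekleog ];
}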