···
+
{ config, lib, pkgs, ... }:
+
cfg = config.services.dkimproxy-out;
+
keydir = "/var/lib/dkimproxy-out";
+
privkey = "${keydir}/private.key";
+
pubkey = "${keydir}/public.key";
+
services.dkimproxy-out = {
+
Whether to enable dkimproxy_out.
+
Note that a key will be auto-generated, and can be found in
+
example = "127.0.0.1:10027";
+
description = "Address:port DKIMproxy should listen on.";
+
example = "127.0.0.1:10028";
+
description = "Address:port DKIMproxy should forward mail to.";
+
type = with types; listOf str;
+
example = [ "example.org" "example.com" ];
+
description = "List of domains DKIMproxy can sign for.";
+
The selector to use for DKIM key identification.
+
For example, if 'selector1' is used here, then for each domain
+
'example.org' given in `domain`, 'selector1._domainkey.example.org'
+
should contain the TXT record indicating the public key is the one
+
in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".
+
Size of the RSA key to use to sign outgoing emails. Note that the
+
maximum mandatorily verified as per RFC6376 is 2048.
+
# TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
+
# This being the scheme used by gmail, maybe nothing more is needed for
+
configfile = pkgs.writeText "dkimproxy_out.conf"
+
domain ${concatStringsSep "," cfg.domains}
+
selector ${cfg.selector}
+
signature dkim(c=relaxed/relaxed)
+
users.groups.dkimproxy-out = {};
+
users.users.dkimproxy-out = {
+
description = "DKIMproxy_out daemon";
+
group = "dkimproxy-out";
+
systemd.services.dkimproxy-out = {
+
description = "DKIMproxy_out";
+
wantedBy = [ "multi-user.target" ];
+
if [ ! -d "${keydir}" ]; then
+
${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
+
${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
+
chown -R dkimproxy-out:dkimproxy-out "${keydir}"
+
exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
+
User = "dkimproxy-out";
+
PermissionsStartOnly = true;
pyrox.dev