pyrox.dev / nixpkgs
lol
fork atom

nixos/dkimproxy-out: init (#33229)

Léo Gaspard aa241aed 55dbaba6

options
unified split
Changed files
+119
nixos
modules
module-list.nix
services
mail
dkimproxy-out.nix
+1
nixos/modules/module-list.nix 
···

       
260

       
260

       
 

       
  ./services/logging/rsyslogd.nix


     

       
261

       
261

       
 

       
  ./services/logging/syslog-ng.nix


     

       
262

       
262

       
 

       
  ./services/logging/syslogd.nix


     

       

       
263

       
+

       
  ./services/mail/dkimproxy-out.nix


     

       
263

       
264

       
 

       
  ./services/mail/dovecot.nix


     

       
264

       
265

       
 

       
  ./services/mail/dspam.nix


     

       
265

       
266

       
 

       
  ./services/mail/exim.nix
+118
nixos/modules/services/mail/dkimproxy-out.nix 
···

       

       
1

       
+

       
{ config, lib, pkgs, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let


     

       

       
5

       
+

       
  cfg = config.services.dkimproxy-out;


     

       

       
6

       
+

       
  keydir = "/var/lib/dkimproxy-out";


     

       

       
7

       
+

       
  privkey = "${keydir}/private.key";


     

       

       
8

       
+

       
  pubkey = "${keydir}/public.key";


     

       

       
9

       
+

       
in


     

       

       
10

       
+

       
{


     

       

       
11

       
+

       
  ##### interface


     

       

       
12

       
+

       
  options = {


     

       

       
13

       
+

       
    services.dkimproxy-out = {


     

       

       
14

       
+

       
      enable = mkOption {


     

       

       
15

       
+

       
        type = types.bool;


     

       

       
16

       
+

       
        default = false;


     

       

       
17

       
+

       
        description =


     

       

       
18

       
+

       
          ''


     

       

       
19

       
+

       
            Whether to enable dkimproxy_out.


     

       

       
20

       
+

       



     

       

       
21

       
+

       
            Note that a key will be auto-generated, and can be found in


     

       

       
22

       
+

       
            ${keydir}.


     

       

       
23

       
+

       
          '';


     

       

       
24

       
+

       
      };


     

       

       
25

       
+

       



     

       

       
26

       
+

       
      listen = mkOption {


     

       

       
27

       
+

       
        type = types.str;


     

       

       
28

       
+

       
        example = "127.0.0.1:10027";


     

       

       
29

       
+

       
        description = "Address:port DKIMproxy should listen on.";


     

       

       
30

       
+

       
      };


     

       

       
31

       
+

       



     

       

       
32

       
+

       
      relay = mkOption {


     

       

       
33

       
+

       
        type = types.str;


     

       

       
34

       
+

       
        example = "127.0.0.1:10028";


     

       

       
35

       
+

       
        description = "Address:port DKIMproxy should forward mail to.";


     

       

       
36

       
+

       
      };


     

       

       
37

       
+

       



     

       

       
38

       
+

       
      domains = mkOption {


     

       

       
39

       
+

       
        type = with types; listOf str;


     

       

       
40

       
+

       
        example = [ "example.org" "example.com" ];


     

       

       
41

       
+

       
        description = "List of domains DKIMproxy can sign for.";


     

       

       
42

       
+

       
      };


     

       

       
43

       
+

       



     

       

       
44

       
+

       
      selector = mkOption {


     

       

       
45

       
+

       
        type = types.str;


     

       

       
46

       
+

       
        example = "selector1";


     

       

       
47

       
+

       
        description =


     

       

       
48

       
+

       
          ''


     

       

       
49

       
+

       
            The selector to use for DKIM key identification.


     

       

       
50

       
+

       



     

       

       
51

       
+

       
            For example, if 'selector1' is used here, then for each domain


     

       

       
52

       
+

       
            'example.org' given in `domain`, 'selector1._domainkey.example.org'


     

       

       
53

       
+

       
            should contain the TXT record indicating the public key is the one


     

       

       
54

       
+

       
            in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".


     

       

       
55

       
+

       
          '';


     

       

       
56

       
+

       
      };


     

       

       
57

       
+

       



     

       

       
58

       
+

       
      keySize = mkOption {


     

       

       
59

       
+

       
        type = types.int;


     

       

       
60

       
+

       
        default = 2048;


     

       

       
61

       
+

       
        description =


     

       

       
62

       
+

       
          ''


     

       

       
63

       
+

       
            Size of the RSA key to use to sign outgoing emails. Note that the


     

       

       
64

       
+

       
            maximum mandatorily verified as per RFC6376 is 2048.


     

       

       
65

       
+

       
          '';


     

       

       
66

       
+

       
      };


     

       

       
67

       
+

       



     

       

       
68

       
+

       
      # TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?


     

       

       
69

       
+

       
      # This being the scheme used by gmail, maybe nothing more is needed for


     

       

       
70

       
+

       
      # reasonable use.


     

       

       
71

       
+

       
    };


     

       

       
72

       
+

       
  };


     

       

       
73

       
+

       



     

       

       
74

       
+

       
  ##### implementation


     

       

       
75

       
+

       
  config = let


     

       

       
76

       
+

       
    configfile = pkgs.writeText "dkimproxy_out.conf"


     

       

       
77

       
+

       
      ''


     

       

       
78

       
+

       
        listen ${cfg.listen}


     

       

       
79

       
+

       
        relay ${cfg.relay}


     

       

       
80

       
+

       



     

       

       
81

       
+

       
        domain ${concatStringsSep "," cfg.domains}


     

       

       
82

       
+

       
        selector ${cfg.selector}


     

       

       
83

       
+

       



     

       

       
84

       
+

       
        signature dkim(c=relaxed/relaxed)


     

       

       
85

       
+

       



     

       

       
86

       
+

       
        keyfile ${privkey}


     

       

       
87

       
+

       
      '';


     

       

       
88

       
+

       
  in


     

       

       
89

       
+

       
    mkIf cfg.enable {


     

       

       
90

       
+

       
      users.groups.dkimproxy-out = {};


     

       

       
91

       
+

       
      users.users.dkimproxy-out = {


     

       

       
92

       
+

       
        description = "DKIMproxy_out daemon";


     

       

       
93

       
+

       
        group = "dkimproxy-out";


     

       

       
94

       
+

       
        isSystemUser = true;


     

       

       
95

       
+

       
      };


     

       

       
96

       
+

       



     

       

       
97

       
+

       
      systemd.services.dkimproxy-out = {


     

       

       
98

       
+

       
        description = "DKIMproxy_out";


     

       

       
99

       
+

       
        wantedBy = [ "multi-user.target" ];


     

       

       
100

       
+

       
        preStart = ''


     

       

       
101

       
+

       
          if [ ! -d "${keydir}" ]; then


     

       

       
102

       
+

       
            mkdir -p "${keydir}"


     

       

       
103

       
+

       
            chmod 0700 "${keydir}"


     

       

       
104

       
+

       
            ${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}


     

       

       
105

       
+

       
            ${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"


     

       

       
106

       
+

       
            chown -R dkimproxy-out:dkimproxy-out "${keydir}"


     

       

       
107

       
+

       
          fi


     

       

       
108

       
+

       
        '';


     

       

       
109

       
+

       
        script = ''


     

       

       
110

       
+

       
          exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}


     

       

       
111

       
+

       
        '';


     

       

       
112

       
+

       
        serviceConfig = {


     

       

       
113

       
+

       
          User = "dkimproxy-out";


     

       

       
114

       
+

       
          PermissionsStartOnly = true;


     

       

       
115

       
+

       
        };


     

       

       
116

       
+

       
      };


     

       

       
117

       
+

       
    };


     

       

       
118

       
+

       
}