install/logical/friot/rmilter.nix

   1 {pkgs, lib, config, ...}:
   2 let inherit (builtins) attrNames;
   3     inherit (lib) types;
   4     inherit (config.services) dkim dovecot2 rmilter;
   5
   6     createDomainDkimCert = dom:
   7       let dkim_key = "${dkim.keyDir}/${dom}.${dkim.selector}.key";
   8           dkim_txt = "${dkim.keyDir}/${dom}.${dkim.selector}.txt";
   9       in ''
  10       if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
  11        then
  12         ${pkgs.opendkim}/bin/opendkim-genkey \
  13           -s "${dkim.selector}" \
  14           -d "${dom}" \
  15           --directory="${dkim.keyDir}"
  16         mv "${dkim.keyDir}/${dkim.selector}.private" "${dkim_key}"
  17         mv "${dkim.keyDir}/${dkim.selector}.txt" "${dkim_txt}"
  18        fi
  19     '';
  20 in
  21 {
  22 options.services.dkim = lib.mkOption {
  23   default = {};
  24   type = types.submodule {
  25     options = {
  26       keyDir = lib.mkOption {
  27         type        = types.path;
  28         default     = "/var/dkim";
  29         description = ''
  30         '';
  31       };
  32       selector = lib.mkOption {
  33         type        = types.str;
  34         default     = "mail";
  35         description = ''
  36         '';
  37       };
  38     };
  39   };
  40 };
  41 config = {
  42   services.rspamd = {
  43     enable = true;
  44   };
  45   services.rmilter = {
  46     enable = true;
  47     #debug = true;
  48     postfix = {
  49       enable = true;
  50     };
  51     rspamd = {
  52       enable      = true;
  53       extraConfig = "extended_spam_headers = yes;";
  54     };
  55     extraConfig = ''
  56       use_redis = true;
  57       max_size  = 20M;
  58       #clamav {
  59       #  servers = /var/run/clamav/clamd.ctl;
  60       #};
  61       # NOTE: domain = "*"; causes rmilter to try to search key in the key path
  62       # as keypath/domain.selector.key for any domain.
  63       dkim {
  64         domain {
  65           domain   = "*";
  66           key      = "${dkim.keyDir}";
  67           selector = "${dkim.selector}";
  68         };
  69         sign_alg  = sha256;
  70         auth_only = yes;
  71       };
  72     '';
  73   };
  74   systemd.services.rmilter = {
  75     requires = [ "rmilter.socket" ];
  76     after    = [ "rmilter.socket" ];
  77     preStart = ''
  78       install -D -d -o rmilter -g rmilter ${dkim.keyDir}
  79       ${lib.concatStringsSep "\n" (map createDomainDkimCert (attrNames dovecot2.domains))}
  80       chown -R rmilter:rmilter "${dkim.keyDir}"
  81     '';
  82   };
  83 };
  84 }