about summary refs log tree commit diff
path: root/nixos/modules/services/mail/dkimproxy-out.nix
blob: 48ccf2dda60131dd7ce17941ca0f3c091604bbfc (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.dkimproxy-out;
  keydir = "/var/lib/dkimproxy-out";
  privkey = "${keydir}/private.key";
  pubkey = "${keydir}/public.key";
in
{
  ##### interface
  options = {
    services.dkimproxy-out = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
            Whether to enable dkimproxy_out.

            Note that a key will be auto-generated, and can be found in
            ${keydir}.
          '';
      };

      listen = mkOption {
        type = types.str;
        example = "127.0.0.1:10027";
        description = "Address:port DKIMproxy should listen on.";
      };

      relay = mkOption {
        type = types.str;
        example = "127.0.0.1:10028";
        description = "Address:port DKIMproxy should forward mail to.";
      };

      domains = mkOption {
        type = with types; listOf str;
        example = [ "example.org" "example.com" ];
        description = "List of domains DKIMproxy can sign for.";
      };

      selector = mkOption {
        type = types.str;
        example = "selector1";
        description = ''
            The selector to use for DKIM key identification.

            For example, if 'selector1' is used here, then for each domain
            'example.org' given in `domain`, 'selector1._domainkey.example.org'
            should contain the TXT record indicating the public key is the one
            in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".
          '';
      };

      keySize = mkOption {
        type = types.int;
        default = 2048;
        description = ''
            Size of the RSA key to use to sign outgoing emails. Note that the
            maximum mandatorily verified as per RFC6376 is 2048.
          '';
      };

      # TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
      # This being the scheme used by gmail, maybe nothing more is needed for
      # reasonable use.
    };
  };

  ##### implementation
  config = let
    configfile = pkgs.writeText "dkimproxy_out.conf"
      ''
        listen ${cfg.listen}
        relay ${cfg.relay}

        domain ${concatStringsSep "," cfg.domains}
        selector ${cfg.selector}

        signature dkim(c=relaxed/relaxed)

        keyfile ${privkey}
      '';
  in
    mkIf cfg.enable {
      users.groups.dkimproxy-out = {};
      users.users.dkimproxy-out = {
        description = "DKIMproxy_out daemon";
        group = "dkimproxy-out";
        isSystemUser = true;
      };

      systemd.services.dkimproxy-out = {
        description = "DKIMproxy_out";
        wantedBy = [ "multi-user.target" ];
        preStart = ''
          if [ ! -d "${keydir}" ]; then
            mkdir -p "${keydir}"
            chmod 0700 "${keydir}"
            ${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
            ${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
            chown -R dkimproxy-out:dkimproxy-out "${keydir}"
          fi
        '';
        script = ''
          exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
        '';
        serviceConfig = {
          User = "dkimproxy-out";
          PermissionsStartOnly = true;
        };
      };
    };

  meta.maintainers = with lib.maintainers; [ ekleog ];
}