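# NixOS module for Zeyple: builds a read-only GnuPG home in the Nix store from
# the configured public keys, generates /etc/zeyple.conf, and hooks Zeyple into
# Postfix as a content filter (pipe transport + loopback re-injection listener).
{ config, pkgs, lib, ... }:

with lib;
let
  cfg = config.services.zeyple;
  ini = pkgs.formats.ini { };

  # The GPG home is a store path: immutable and world-readable. Only public
  # keys belong in `services.zeyple.keys`; a private key listed here would be
  # copied into the store and readable by every local user.
  gpgHome = pkgs.runCommand "zeyple-gpg-home" { } ''
    mkdir -p $out
    for file in ${lib.concatStringsSep " " cfg.keys}; do
      ${config.programs.gnupg.package}/bin/gpg --homedir="$out" --import "$file"
    done

    # Remove socket files (S.*) left behind by the gpg agent during import so the
    # derivation output contains only regular files.
    rm -f $out/S.*
  '';
in {
  options.services.zeyple = {
    enable = mkEnableOption "Zeyple, an utility program to automatically encrypt outgoing emails with GPG";

    user = mkOption {
      type = types.str;
      default = "zeyple";
      description = ''
        User to run Zeyple as.

        ::: {.note}
        If left as the default value this user will automatically be created
        on system activation, otherwise the sysadmin is responsible for
        ensuring the user exists.
        :::
      '';
    };

    group = mkOption {
      type = types.str;
      default = "zeyple";
      description = ''
        Group to use to run Zeyple.

        ::: {.note}
        If left as the default value this group will automatically be created
        on system activation, otherwise the sysadmin is responsible for
        ensuring the group exists.
        :::
      '';
    };

    settings = mkOption {
      type = ini.type;
      default = { };
      description = ''
        Zeyple configuration. refer to
        <https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.conf.example>
        for details on supported values.
      '';
    };

    keys = mkOption {
      type = with types; listOf path;
      description = "List of public key files that will be imported by gpg.";
    };

    rotateLogs = mkOption {
      type = types.bool;
      default = true;
      description = "Whether to enable rotation of log files.";
    };
  };

  config = mkIf cfg.enable {
    # The system user/group are only created when the default names are kept;
    # a custom name is assumed to be managed elsewhere by the administrator.
    users.groups = optionalAttrs (cfg.group == "zeyple") { "${cfg.group}" = { }; };
    users.users = optionalAttrs (cfg.user == "zeyple") {
      "${cfg.user}" = {
        isSystemUser = true;
        group = cfg.group;
      };
    };

    # Defaults are wrapped in mkDefault so any value in `settings` overrides
    # them. `zeyple.log_file` is reused below for tmpfiles and logrotate, and
    # `relay.port` for the Postfix re-injection listener, so they stay in sync.
    services.zeyple.settings = {
      zeyple = mapAttrs (name: mkDefault) {
        log_file = "/var/log/zeyple/zeyple.log";
        force_encrypt = true;
      };

      gpg = mapAttrs (name: mkDefault) { home = "${gpgHome}"; };

      relay = mapAttrs (name: mkDefault) {
        host = "localhost";
        port = 10026;
      };
    };

    environment.etc."zeyple.conf".source = ini.generate "zeyple.conf" cfg.settings;

    # Pre-create the log file owned by the service user with mode 0600 so that
    # only that user can read it (the log can contain mail metadata).
    systemd.tmpfiles.settings."10-zeyple".${cfg.settings.zeyple.log_file}.f = {
      inherit (cfg) user group;
      mode = "0600";
    };

    # copytruncate keeps the original path open for Zeyple, which appends to
    # the file by name and is not signalled on rotation.
    services.logrotate = mkIf cfg.rotateLogs {
      enable = true;
      settings.zeyple = {
        files = cfg.settings.zeyple.log_file;
        frequency = "weekly";
        rotate = 5;
        compress = true;
        copytruncate = true;
      };
    };

    # master.cf entries:
    #  - `zeyple`: pipe transport running the filter as cfg.user. `''${recipient}`
    #    is a Nix escape for the literal `${recipient}` that Postfix expands.
    #  - `localhost:<relay.port>`: listener Zeyple re-injects mail into. Its
    #    content_filter is cleared so the re-injected mail is not filtered again
    #    (no loop), and `permit_mynetworks,reject` with mynetworks limited to
    #    loopback restricts who may submit to it.
    services.postfix.extraMasterConf = ''
      zeyple    unix  -       n       n       -       -       pipe
        user=${cfg.user} argv=${pkgs.zeyple}/bin/zeyple ''${recipient}

      localhost:${toString cfg.settings.relay.port} inet  n       -       n       -       10      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8,[::1]/128
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
    '';

    # Route all mail accepted by Postfix through the zeyple transport above.
    services.postfix.extraConfig = "content_filter = zeyple";
  };
}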