enable dkim signing

mail-config.nix

@@ -105,7 +105,7 @@ let
   # This is the folder where the certificate will be created. The name is
   # hardcoded to "cert-${domain}.pem" and "key-${domain}.pem" and the
   # certificate is valid for 10 years.
-  cert_dir = "/root/certs";
+  cert_dir = "/var/certs";
 
   #
   # Whether to enable imap / pop3. Both variants are only supported in the
@@ -124,7 +124,7 @@ let
   # Whether to activate virus scanning. Note that virus scanning is _very_
   # expensive memory wise.
   #
-  virus_scanning = true;
+  virus_scanning = false;
 
   #
   # Whether to activate dkim signing.
@@ -132,12 +132,14 @@ let
   # TODO: Implement
   #
   dkim_signing = true;
+  dkim_selector = "mail";
+  dkim_dir = "/var/dkim";
 in
 {
   services = import ./mail-server/services.nix {
     inherit mail_dir vmail_user_name vmail_group_name valiases domain
-            enable_imap enable_pop3 virus_scanning dkim_signing
-            certificate_scheme cert_file key_file cert_dir;
+            enable_imap enable_pop3 virus_scanning dkim_signing dkim_selector
+            dkim_dir certificate_scheme cert_file key_file cert_dir;
  };
 
   environment = import ./mail-server/environment.nix {
@@ -150,7 +152,7 @@ in
 
   systemd = import ./mail-server/systemd.nix {
     inherit mail_dir vmail_group_name certificate_scheme cert_dir host_prefix
-            domain pkgs;
+            domain pkgs dkim_selector dkim_dir;
   };
 
   users = import ./mail-server/users.nix {

mail-server/rmilter.nix

@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 
-{ domain, virus_scanning, dkim_signing }:
+{ domain, virus_scanning, dkim_signing, dkim_dir, dkim_selector }:
 
 let
   clamav = if virus_scanning
@@ -30,9 +30,9 @@ let
          ''
             dkim {
               domain {
-                key = /etc/nixos/dkim/${domain}.pem;
-                domain = "${domain}";
-                selector = "dkim";
+                key = "${dkim_dir}";
+                domain = "*";
+                selector = "${dkim_selector}";
               };
               sign_alg = sha256;
               auth_only = yes;

mail-server/services.nix

@@ -15,8 +15,8 @@
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 
 { mail_dir, vmail_user_name, vmail_group_name, valiases, domain, enable_imap,
-enable_pop3, virus_scanning, dkim_signing, certificate_scheme, cert_file,
-key_file, cert_dir }:
+enable_pop3, virus_scanning, dkim_signing, dkim_selector, dkim_dir,
+certificate_scheme, cert_file, key_file, cert_dir }:
 
 let
   # cert :: PATH
@@ -39,8 +39,12 @@ in
     enable = true;
   };
 
+  opendkim = import ./opendkim.nix {
+    inherit dkim_signing dkim_dir dkim_selector domain;
+  };
+
   rmilter = import ./rmilter.nix {
-    inherit domain virus_scanning dkim_signing;
+    inherit domain virus_scanning dkim_signing dkim_selector dkim_dir;
   };
 
   postfix = import ./postfix.nix {

mail-server/systemd.nix

@@ -15,7 +15,7 @@
 #  along with this program. If not, see <http://www.gnu.org/licenses/>
 
 { pkgs, mail_dir, vmail_group_name, certificate_scheme, cert_dir, host_prefix,
-domain }:
+domain, dkim_selector, dkim_dir}:
 
 let
   create_certificate = if certificate_scheme == 2 then
@@ -36,6 +36,24 @@ let
           fi
         ''
         else "";
+
+  dkim_key = "${dkim_dir}/${dkim_selector}.private";
+  dkim_txt = "${dkim_dir}/${dkim_selector}.txt";
+  create_dkim_cert =
+        ''
+          # Create dkim dir
+          mkdir -p "${dkim_dir}"
+          chown opendkim:rmilter "${dkim_dir}"
+
+          if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ]
+          then
+
+              ${pkgs.opendkim}/bin/opendkim-genkey -s "${dkim_selector}" \
+                                                   -d ${domain} \
+                                                   --directory="${dkim_dir}"
+              chown opendkim:rmilter "${dkim_key}"
+          fi
+        '';
 in
 {
   # Set the correct permissions for dovecot vmail folder. See
@@ -54,8 +72,12 @@ in
 
   # Check for certificate before both postfix and dovecot to make sure it
   # exists.
-  services.postfix.preStart = 
-  ''
-    ${create_certificate}
-  '';
+  services.postfix.after = ["dovecot2.service"];
+  services.opendkim = {
+    after = ["dovecot2.service"];
+    preStart =
+    ''
+      ${create_dkim_cert}
+    '';
+  };
 }