ForkMaster/nixos-mailserver
1
0
Fork 0
mirror of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git synced 2025-04-02 05:44:33 +05:00
Code Issues Packages Projects Releases Wiki Activity

feat: add support for DKIM private key files

Browse Source 
This gives people an option to declaratively manage these secrets,
rather than having them generated.
This commit is contained in:
Jeremy Fleischman 2024-10-31 15:07:47 -05:00
parent b4fbffe79c
commit 909681c13a
No known key found for this signature in database
2 changed files with 38 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
default.nix
View File

@ -794,6 +794,27 @@ in
''; '';
}; };
dkimPrivateKeyFiles = mkOption {
type = types.nullOr (types.attrsOf types.path);
default = null;
example = {
"mail.example.com" = "/run/secrets/dkim/mail.example.com.mail.key";
};
description = ''
Paths to opendkim private keys generated with `opendkim-genkey`,
indexed by domain name.
If `null`, then the keys are auto generated.
If not `null`, then there must be an entry for every domain in
{option}`config.mailserver.domains`.
>>> TODO: explain/assert how this interacts with `dkimKeyBits`. would
this be cleaner if we had an explicit "generate dkim keys" option that
defaults to true, and perhaps we move the generation option (just
`dkimKeyBits` right now) under an optional `generateOpts` section? this
is not backward compatible, though <<<
'';
};
dkimKeyDirectory = mkOption { dkimKeyDirectory = mkOption {
type = types.path; type = types.path;
default = "/var/dkim"; default = "/var/dkim";

22
mail-server/opendkim.nix
View File

@ -23,14 +23,26 @@ let
dkimUser = config.services.opendkim.user; dkimUser = config.services.opendkim.user;
dkimGroup = config.services.opendkim.group; dkimGroup = config.services.opendkim.group;
createDomainDkimCert = dom: createOrLinkDkimCerts = dom:
let let
dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key"; dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt"; dkim_txt = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.txt";
in in
if cfg.dkimPrivateKeyFiles != null then
let
dkimPrivateKeyFile = cfg.dkimPrivateKeyFiles.${dom};
in
'' ''
if [ ! -f "${dkim_key}" ] if [ ! -f "${dkimPrivateKeyFile}" ]; then
then echo "DKIM keyfile does not exist: ${dkimPrivateKeyFile}"
exit 1
fi
ln -sf "${dkimPrivateKeyFile}" "${dkim_key}"
''
else
''
if [ ! -f "${dkim_key}" ]; then
${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \ ${pkgs.opendkim}/bin/opendkim-genkey -s "${cfg.dkimSelector}" \
-d "${dom}" \ -d "${dom}" \
--bits="${toString cfg.dkimKeyBits}" \ --bits="${toString cfg.dkimKeyBits}" \
@ -41,7 +53,7 @@ let
echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}" echo "Generated key for domain ${dom} selector ${cfg.dkimSelector}"
fi fi
''; '';
createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains); createOrLinkAllCerts = lib.concatStringsSep "\n" (map createOrLinkDkimCerts cfg.domains);
keyTable = pkgs.writeText "opendkim-KeyTable" keyTable = pkgs.writeText "opendkim-KeyTable"
(lib.concatStringsSep "\n" (lib.flip map cfg.domains (lib.concatStringsSep "\n" (lib.flip map cfg.domains
@ -76,7 +88,7 @@ in
postfix.extraGroups = [ "${dkimGroup}" ]; postfix.extraGroups = [ "${dkimGroup}" ];
}; };
systemd.services.opendkim = { systemd.services.opendkim = {
preStart = lib.mkForce createAllCerts; preStart = lib.mkForce createOrLinkAllCerts;
serviceConfig = { serviceConfig = {
ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}"; ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
PermissionsStartOnly = lib.mkForce false; PermissionsStartOnly = lib.mkForce false;