mirror of
https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git
synced 2025-05-05 02:00:50 +05:00
15306cba72
OpenDKIM has not been updated in the last 7 years and failed to adopt RFC8463, which introduces Ed25519-SHA256 signatures. It has thereby held back the DKIM ecosystem, which relies on the DNS system to publish its public keys. The DNS system in turn does not handle large record sizes well (see RFC8301), which is why Ed25519 public keys would be preferable, but I'm not sure the ecosystem has caught up, so we stay on the conservative side with RSA for now. Closes: #210
83 lines
2.9 KiB
Nix
83 lines
2.9 KiB
Nix
# nixos-mailserver: a simple mail server
|
|
# Copyright (C) 2016-2018 Robin Raymond
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
let
|
|
cfg = config.mailserver;
|
|
certificatesDeps =
|
|
if cfg.certificateScheme == "manual" then
|
|
[]
|
|
else if cfg.certificateScheme == "selfsigned" then
|
|
[ "mailserver-selfsigned-certificate.service" ]
|
|
else
|
|
[ "acme-finished-${cfg.fqdn}.target" ];
|
|
in
|
|
{
|
|
config = with cfg; lib.mkIf enable {
|
|
# Create self signed certificate
|
|
systemd.services.mailserver-selfsigned-certificate = lib.mkIf (cfg.certificateScheme == "selfsigned") {
|
|
after = [ "local-fs.target" ];
|
|
script = ''
|
|
# Create certificates if they do not exist yet
|
|
dir="${cfg.certificateDirectory}"
|
|
fqdn="${cfg.fqdn}"
|
|
[[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
|
|
key="$dir/key-${cfg.fqdn}.pem";
|
|
cert="$dir/cert-${cfg.fqdn}.pem";
|
|
|
|
if [[ ! -f $key || ! -f $cert ]]; then
|
|
mkdir -p "${cfg.certificateDirectory}"
|
|
(umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 2048) &&
|
|
"${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 -subj "/CN=$fqdn" \
|
|
-days 3650 -out "$cert"
|
|
fi
|
|
'';
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
PrivateTmp = true;
|
|
};
|
|
};
|
|
|
|
# Create maildir folder before dovecot startup
|
|
systemd.services.dovecot2 = {
|
|
wants = certificatesDeps;
|
|
after = certificatesDeps;
|
|
preStart = let
|
|
directories = lib.strings.escapeShellArgs (
|
|
[ mailDirectory ]
|
|
++ lib.optional (cfg.indexDir != null) cfg.indexDir
|
|
);
|
|
in ''
|
|
# Create mail directory and set permissions. See
|
|
# <https://doc.dovecot.org/main/core/config/shared_mailboxes.html#filesystem-permissions-1>.
|
|
# Prevent world-readable paths, even temporarily.
|
|
umask 007
|
|
mkdir -p ${directories}
|
|
chgrp "${vmailGroupName}" ${directories}
|
|
chmod 02770 ${directories}
|
|
'';
|
|
};
|
|
|
|
# Postfix requires dovecot lmtp socket, dovecot auth socket and certificate to work
|
|
systemd.services.postfix = {
|
|
wants = certificatesDeps;
|
|
after = [ "dovecot2.service" ] ++ certificatesDeps;
|
|
requires = [ "dovecot2.service" ];
|
|
};
|
|
};
|
|
}
|