nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix
stuebinm 6afb255d97 nixos: remove all uses of lib.mdDoc
these changes were generated with nixq 0.0.2, by running

  nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
  nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix

two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.

Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
2024-04-13 10:07:35 -07:00

117 lines
3.3 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dkimproxy-out;
keydir = "/var/lib/dkimproxy-out";
privkey = "${keydir}/private.key";
pubkey = "${keydir}/public.key";
in
{
##### interface
options = {
services.dkimproxy-out = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable dkimproxy_out.
Note that a key will be auto-generated, and can be found in
${keydir}.
'';
};
listen = mkOption {
type = types.str;
example = "127.0.0.1:10027";
description = "Address:port DKIMproxy should listen on.";
};
relay = mkOption {
type = types.str;
example = "127.0.0.1:10028";
description = "Address:port DKIMproxy should forward mail to.";
};
domains = mkOption {
type = with types; listOf str;
example = [ "example.org" "example.com" ];
description = "List of domains DKIMproxy can sign for.";
};
selector = mkOption {
type = types.str;
example = "selector1";
description = ''
The selector to use for DKIM key identification.
For example, if 'selector1' is used here, then for each domain
'example.org' given in `domain`, 'selector1._domainkey.example.org'
should contain the TXT record indicating the public key is the one
in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".
'';
};
keySize = mkOption {
type = types.int;
default = 2048;
description = ''
Size of the RSA key to use to sign outgoing emails. Note that the
maximum mandatorily verified as per RFC6376 is 2048.
'';
};
# TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
# This being the scheme used by gmail, maybe nothing more is needed for
# reasonable use.
};
};
##### implementation
config = let
configfile = pkgs.writeText "dkimproxy_out.conf"
''
listen ${cfg.listen}
relay ${cfg.relay}
domain ${concatStringsSep "," cfg.domains}
selector ${cfg.selector}
signature dkim(c=relaxed/relaxed)
keyfile ${privkey}
'';
in
mkIf cfg.enable {
users.groups.dkimproxy-out = {};
users.users.dkimproxy-out = {
description = "DKIMproxy_out daemon";
group = "dkimproxy-out";
isSystemUser = true;
};
systemd.services.dkimproxy-out = {
description = "DKIMproxy_out";
wantedBy = [ "multi-user.target" ];
preStart = ''
if [ ! -d "${keydir}" ]; then
mkdir -p "${keydir}"
chmod 0700 "${keydir}"
${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
chown -R dkimproxy-out:dkimproxy-out "${keydir}"
fi
'';
script = ''
exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
'';
serviceConfig = {
User = "dkimproxy-out";
PermissionsStartOnly = true;
};
};
};
meta.maintainers = with lib.maintainers; [ ekleog ];
}