mail-server/dkim.nix

{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.fudo.mail.dkim;

  ensureDomainDkimCert = keyDir: domain:
    let
      dkimKey = "${keyDir}/${domain}.${cfg.selector}.key";
      dkimTxt = "${keyDir}/${domain}.${cfg.selector}.txt";
    in ''
      if [ ! -f "${dkimKey}" ] || [ ! -f ${dkimTxt} ]; then
        OUT=$(${pkgs.coreutils}/bin/mktemp -d -t dkim-XXXXXXXXXX)
        opendkim-genkey \
          --selector=${cfg.selector} \
          --domain=${domain} \
          --bits="${toString cfg.key-bits}" \
          --directory=$OUT
        mv $OUT/${cfg.selector}.private ${dkimKey}
        mv $OUT/${cfg.selector}.txt ${dkimTxt}
      fi
    '';

  ensureAllDkimCerts = keyDir: domains:
    concatStringsSep "\n" (map (ensureDomainDkimCert keyDir) domains);

  makeKeyTable = keyDir: domains:
    pkgs.writeTextDir "key.table" (concatStrings (map (dom: ''
      ${dom} ${dom}:${cfg.selector}:${keyDir}/${dom}.${cfg.selector}.key
    '') domains));

  makeSigningTable = domains:
    pkgs.writeTextDir "signing.table" (concatStrings (map (dom: ''
      ${dom} ${dom}
    '') domains));

  keyTableDir = makeKeyTable cfg.state-directory cfg.domains;
  signingTableDir = makeSigningTable cfg.domains;

in {
  options.fudo.mail.dkim = with types; {
    enable = mkEnableOption "Enable DKIM signature verification.";

    debug = mkEnableOption "Enable debug logs.";

    domains = mkOption {
      type = listOf str;
      description =
        "List of domains to be considered local, and signed instead of verified.";
    };

    selector = mkOption {
      type = str;
      description = "Name to use for mail-signing keys.";
      default = "mail";
    };

    key-bits = mkOption {
      type = int;
      description = ''
        How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.

        If you have already deployed a key with a different number of bits than specified
        here, then you should use a different selector (dkimSelector). In order to get
        this package to generate a key with the new number of bits, you will either have to
        change the selector or delete the old key file.
      '';
      default = 2048;
    };

    port = mkOption {
      type = port;
      description = "Port at which to listen for incoming signing requests.";
      default = 5324;
    };

    state-directory = mkOption {
      type = str;
      description = "Directory at which to store DKIM state (i.e. keys).";
    };
  };

  config = mkIf cfg.enable {
    networking.firewall = {
      enable = true;
      allowedTCPPorts = [ cfg.port ];
    };

    services.opendkim = {
      enable = true;
      selector = cfg.selector;
      domains = let domainString = concatStringsSep "," cfg.domains;
      in "csl:${domainString}";
      configFile = let
        debugString = ''
          Syslog yes
          SyslogSuccess yes
          LogWhy yes
        '';
      in pkgs.writeText "opendkim.conf" ''
        Canonicalization relaxed/simple
        Socket inet:${toString cfg.port}
        # KeyTable file:${keyTableDir}/key.table
        # SigningTable file:${signingTableDir}/signing.table
        ${optionalString cfg.debug debugString}
      '';
    };

    systemd = {
      tmpfiles.rules = let
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
      in [ "d ${cfg.state-directory} 0700 ${user} ${group} - -" ];
      services.opendkim = {
        path = with pkgs; [ opendkim ];
        serviceConfig = {
          # ExecStartPre = [
          #   (pkgs.writeShellScript "ensure-dkim-certs.sh"
          #     (ensureAllDkimCerts cfg.state-directory cfg.domains))
          # ];
          ReadWritePaths = [ cfg.state-directory ];
          ReadOnlyPaths = [ keyTableDir signingTableDir ];
        };
      };
    };
  };
}
Initial checkin 2023-09-17 09:57:55 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`cfg = config.fudo.mail.dkim;`

			`ensureDomainDkimCert = keyDir: domain:`
			`let`
WTF is the deal with this selector thing 2023-09-28 22:00:55 -07:00			`dkimKey = "${keyDir}/${domain}.${cfg.selector}.key";`
			`dkimTxt = "${keyDir}/${domain}.${cfg.selector}.txt";`
Initial checkin 2023-09-17 09:57:55 -07:00			`in ''`
			`if [ ! -f "${dkimKey}" ] \|\| [ ! -f ${dkimTxt} ]; then`
Seems TMPDIR doesn't exist 2023-09-28 13:00:01 -07:00			`OUT=$(${pkgs.coreutils}/bin/mktemp -d -t dkim-XXXXXXXXXX)`
Initial checkin 2023-09-17 09:57:55 -07:00			`opendkim-genkey \`
WTF is the deal with this selector thing 2023-09-28 22:00:55 -07:00			`--selector=${cfg.selector} \`
Seems TMPDIR doesn't exist 2023-09-28 13:00:01 -07:00			`--domain=${domain} \`
Initial checkin 2023-09-17 09:57:55 -07:00			`--bits="${toString cfg.key-bits}" \`
Seems TMPDIR doesn't exist 2023-09-28 13:00:01 -07:00			`--directory=$OUT`
WTF is the deal with this selector thing 2023-09-28 22:00:55 -07:00			`mv $OUT/${cfg.selector}.private ${dkimKey}`
			`mv $OUT/${cfg.selector}.txt ${dkimTxt}`
Initial checkin 2023-09-17 09:57:55 -07:00			`fi`
			`'';`

Define key tables 2023-09-24 11:00:56 -07:00			`ensureAllDkimCerts = keyDir: domains:`
			`concatStringsSep "\n" (map (ensureDomainDkimCert keyDir) domains);`
Initial checkin 2023-09-17 09:57:55 -07:00
			`makeKeyTable = keyDir: domains:`
Maybe we need a newline... 2023-09-28 20:32:35 -07:00			`pkgs.writeTextDir "key.table" (concatStrings (map (dom: ''`
WTF is the deal with this selector thing 2023-09-28 22:00:55 -07:00			`${dom} ${dom}:${cfg.selector}:${keyDir}/${dom}.${cfg.selector}.key`
Maybe we need a newline... 2023-09-28 20:32:35 -07:00			`'') domains));`
Initial checkin 2023-09-17 09:57:55 -07:00
			`makeSigningTable = domains:`
Don't need the sep then 2023-09-28 20:36:48 -07:00			`pkgs.writeTextDir "signing.table" (concatStrings (map (dom: ''`
Maybe we need a newline... 2023-09-28 20:32:35 -07:00			`${dom} ${dom}`
			`'') domains));`
Initial checkin 2023-09-17 09:57:55 -07:00
Refer to the file in the dir 2023-09-28 17:00:26 -07:00			`keyTableDir = makeKeyTable cfg.state-directory cfg.domains;`
			`signingTableDir = makeSigningTable cfg.domains;`
Need to define key/signing tables earlier 2023-09-28 14:22:47 -07:00
Initial checkin 2023-09-17 09:57:55 -07:00			`in {`
			`options.fudo.mail.dkim = with types; {`
			`enable = mkEnableOption "Enable DKIM signature verification.";`

			`debug = mkEnableOption "Enable debug logs.";`

			`domains = mkOption {`
			`type = listOf str;`
			`description =`
			`"List of domains to be considered local, and signed instead of verified.";`
			`};`

Add selector option 2023-09-24 10:52:57 -07:00			`selector = mkOption {`
			`type = str;`
			`description = "Name to use for mail-signing keys.";`
			`default = "mail";`
			`};`

Make option for dkim key bits 2023-09-24 12:07:48 -07:00			`key-bits = mkOption {`
			`type = int;`
			`description = ''`
			`How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.`

			`If you have already deployed a key with a different number of bits than specified`
			`here, then you should use a different selector (dkimSelector). In order to get`
			`this package to generate a key with the new number of bits, you will either have to`
			`change the selector or delete the old key file.`
			`'';`
			`default = 2048;`
			`};`

Initial checkin 2023-09-17 09:57:55 -07:00			`port = mkOption {`
			`type = port;`
			`description = "Port at which to listen for incoming signing requests.";`
			`default = 5324;`
			`};`

			`state-directory = mkOption {`
			`type = str;`
			`description = "Directory at which to store DKIM state (i.e. keys).";`
			`};`
			`};`

			`config = mkIf cfg.enable {`
Open firewall ports 2023-09-28 12:31:03 -07:00			`networking.firewall = {`
			`enable = true;`
			`allowedTCPPorts = [ cfg.port ];`
			`};`

Initial checkin 2023-09-17 09:57:55 -07:00			`services.opendkim = {`
			`enable = true;`
Just forget domain-specefic FFS 2023-09-28 22:10:29 -07:00			`selector = cfg.selector;`
Initial checkin 2023-09-17 09:57:55 -07:00			`domains = let domainString = concatStringsSep "," cfg.domains;`
Fix variable typo 2023-09-24 11:27:27 -07:00			`in "csl:${domainString}";`
Initial checkin 2023-09-17 09:57:55 -07:00			`configFile = let`
			`debugString = ''`
			`Syslog yes`
			`SyslogSuccess yes`
			`LogWhy yes`
			`'';`
			`in pkgs.writeText "opendkim.conf" ''`
			`Canonicalization relaxed/simple`
			`Socket inet:${toString cfg.port}`
Just forget domain-specefic FFS 2023-09-28 22:10:29 -07:00			`# KeyTable file:${keyTableDir}/key.table`
			`# SigningTable file:${signingTableDir}/signing.table`
Initial checkin 2023-09-17 09:57:55 -07:00			`${optionalString cfg.debug debugString}`
			`'';`
			`};`

			`systemd = {`
			`tmpfiles.rules = let`
			`user = config.services.opendkim.user;`
			`group = config.services.opendkim.group;`
			`in [ "d ${cfg.state-directory} 0700 ${user} ${group} - -" ];`
			`services.opendkim = {`
Add opendkim to path for keygen 2023-09-27 13:01:06 -07:00			`path = with pkgs; [ opendkim ];`
Define key tables 2023-09-24 11:00:56 -07:00			`serviceConfig = {`
Just forget domain-specefic FFS 2023-09-28 22:10:29 -07:00			`# ExecStartPre = [`
			`# (pkgs.writeShellScript "ensure-dkim-certs.sh"`
			`# (ensureAllDkimCerts cfg.state-directory cfg.domains))`
			`# ];`
Define key tables 2023-09-24 11:00:56 -07:00			`ReadWritePaths = [ cfg.state-directory ];`
Refer to the file in the dir 2023-09-28 17:00:26 -07:00			`ReadOnlyPaths = [ keyTableDir signingTableDir ];`
Define key tables 2023-09-24 11:00:56 -07:00			`};`
Initial checkin 2023-09-17 09:57:55 -07:00			`};`
			`};`
			`};`
			`}`