Fuck domain-specific keys

2023-09-28 22:34:58 -07:00 · 2023-09-28 22:34:58 -07:00 · 7112e4722a
commit 7112e4722a
parent e3e6305647
2 changed files with 2 additions and 69 deletions
--- a/dkim.nix
+++ b/dkim.nix
@ -1,41 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
-let
+let cfg = config.fudo.mail.dkim;
  cfg = config.fudo.mail.dkim;
  ensureDomainDkimCert = keyDir: domain:
    let
      dkimKey = "${keyDir}/${domain}.${cfg.selector}.key";
      dkimTxt = "${keyDir}/${domain}.${cfg.selector}.txt";
    in ''
      if [ ! -f "${dkimKey}" ] || [ ! -f ${dkimTxt} ]; then
        OUT=$(${pkgs.coreutils}/bin/mktemp -d -t dkim-XXXXXXXXXX)
        opendkim-genkey \
          --selector=${cfg.selector} \
          --domain=${domain} \
          --bits="${toString cfg.key-bits}" \
          --directory=$OUT
        mv $OUT/${cfg.selector}.private ${dkimKey}
        mv $OUT/${cfg.selector}.txt ${dkimTxt}
      fi
    '';
  ensureAllDkimCerts = keyDir: domains:
    concatStringsSep "\n" (map (ensureDomainDkimCert keyDir) domains);
  makeKeyTable = keyDir: domains:
    pkgs.writeTextDir "key.table" (concatStrings (map (dom: ''
      ${dom} ${dom}:${cfg.selector}:${keyDir}/${dom}.${cfg.selector}.key
    '') domains));
  makeSigningTable = domains:
    pkgs.writeTextDir "signing.table" (concatStrings (map (dom: ''
      ${dom} ${dom}
    '') domains));
  keyTableDir = makeKeyTable cfg.state-directory cfg.domains;
  signingTableDir = makeSigningTable cfg.domains;
 in {
  options.fudo.mail.dkim = with types; {
@ -55,19 +21,6 @@ in {
      default = "mail";
    };
    key-bits = mkOption {
      type = int;
      description = ''
        How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
        If you have already deployed a key with a different number of bits than specified
        here, then you should use a different selector (dkimSelector). In order to get
        this package to generate a key with the new number of bits, you will either have to
        change the selector or delete the old key file.
      '';
      default = 2048;
    };
    port = mkOption {
      type = port;
      description = "Port at which to listen for incoming signing requests.";
@ -100,28 +53,8 @@ in {
      in pkgs.writeText "opendkim.conf" ''
        Canonicalization relaxed/simple
        Socket inet:${toString cfg.port}
        # KeyTable file:${keyTableDir}/key.table
        # SigningTable file:${signingTableDir}/signing.table
        ${optionalString cfg.debug debugString}
      '';
    };
    systemd = {
      tmpfiles.rules = let
        user = config.services.opendkim.user;
        group = config.services.opendkim.group;
      in [ "d ${cfg.state-directory} 0700 ${user} ${group} - -" ];
      services.opendkim = {
        path = with pkgs; [ opendkim ];
        serviceConfig = {
          # ExecStartPre = [
          #   (pkgs.writeShellScript "ensure-dkim-certs.sh"
          #     (ensureAllDkimCerts cfg.state-directory cfg.domains))
          # ];
          ReadWritePaths = [ cfg.state-directory ];
          ReadOnlyPaths = [ keyTableDir signingTableDir ];
        };
      };
    };
  };
 }
--- a/mail-server.nix
+++ b/mail-server.nix
@ -459,7 +459,7 @@ in {
          dkim = {
            service = {
              networks = [ "internal_network" ];
-              volumes = [ "${cfg.state-directory}/dkim:/state" ];
+              volumes = [ "${cfg.state-directory}/dkim:/var/lib/opendkim" ];
            };
            nixos = {
              useSystemd = true;