196 lines
6.4 KiB
Nix
196 lines
6.4 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.khscodes.infrastructure.mailserver;
|
|
publicKeyBegin = ''"-----BEGIN PUBLIC KEY-----\n"'';
|
|
publicKeyEnd = ''"-----END PUBLIC KEY-----\n"'';
|
|
rsaKeyPath = domain: "/run/secret/dkim/${domain}.snm_rsa.key";
|
|
ed25519KeyPath = domain: "/run/secret/dkim/${domain}.snm_ed25519.key";
|
|
domainKeyPaths = lib.lists.flatten (
|
|
lib.lists.map (domain: [
|
|
(rsaKeyPath domain)
|
|
(ed25519KeyPath domain)
|
|
]) cfg.domains
|
|
);
|
|
# Currently (2025-07-25) I canot get rspamd to sign with ed25519 key,
|
|
# it appears it attempts to parse it as an RSA key
|
|
# {
|
|
# path: "${ed25519KeyPath domain}";
|
|
# selector: "snm_ed25519";
|
|
# }
|
|
dkimSigningForDomain = domain: ''
|
|
${domain} {
|
|
selectors [
|
|
{
|
|
path: "${rsaKeyPath domain}";
|
|
selector: "snm_rsa";
|
|
}
|
|
]
|
|
}
|
|
'';
|
|
dkimPublicKey =
|
|
tls_key:
|
|
''''${ replace(trimprefix(trimsuffix(${tls_key}.public_key_pem, ${publicKeyEnd}), ${publicKeyBegin}), "\n", "") }'';
|
|
in
|
|
{
|
|
options.khscodes.infrastructure.mailserver.dkim = {
|
|
vault = {
|
|
mount = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
mountExpr = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "\${ vault_mount.${lib.khscodes.sanitize-terraform-name cfg.dkim.vault.mount}.path }";
|
|
};
|
|
prefixPath = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
};
|
|
};
|
|
config = lib.mkIf (cfg.enable) {
|
|
khscodes.infrastructure.vault-server-approle.policy = {
|
|
"${cfg.dkim.vault.mount}/data/${cfg.dkim.vault.prefixPath}/*" = {
|
|
capabilities = [ "read" ];
|
|
};
|
|
};
|
|
khscodes.infrastructure.provisioning.pre.modules = [
|
|
(
|
|
{ ... }:
|
|
{
|
|
terraform.required_providers.tls = {
|
|
source = "hashicorp/tls";
|
|
version = "4.1.0";
|
|
};
|
|
provider.tls = { };
|
|
|
|
khscodes.cloudflare.enable = true;
|
|
resource.tls_private_key =
|
|
(lib.listToAttrs (
|
|
lib.lists.map (domain: {
|
|
name = "${lib.khscodes.sanitize-terraform-name domain}_dkim_rsa";
|
|
value = {
|
|
algorithm = "RSA";
|
|
rsa_bits = 2048;
|
|
};
|
|
}) cfg.domains
|
|
))
|
|
// (lib.listToAttrs (
|
|
lib.lists.map (domain: {
|
|
name = "${lib.khscodes.sanitize-terraform-name domain}_dkim_ed25519";
|
|
value = {
|
|
algorithm = "ED25519";
|
|
};
|
|
}) cfg.domains
|
|
));
|
|
|
|
khscodes.cloudflare.dns.txtRecords =
|
|
(lib.lists.map (domain: {
|
|
fqdn = "snm_rsa._domainkey.${domain}";
|
|
content = ''"''${ join("\" \"", regexall(".{1,255}", "v=DKIM1;k=rsa;p=${dkimPublicKey "tls_private_key.${lib.khscodes.sanitize-terraform-name domain}_dkim_rsa"}" )) }"'';
|
|
ttl = 600;
|
|
}) cfg.domains)
|
|
++ (lib.lists.map (domain: {
|
|
fqdn = "snm_ed25519._domainkey.${domain}";
|
|
content = ''"''${ join("\" \"", regexall(".{1,255}", "v=DKIM1;k=ed25519;p=${dkimPublicKey "tls_private_key.${lib.khscodes.sanitize-terraform-name domain}_dkim_ed25519"}" )) }"'';
|
|
ttl = 600;
|
|
}) cfg.domains);
|
|
|
|
resource.vault_kv_secret_v2 =
|
|
(lib.listToAttrs (
|
|
lib.lists.map (domain: {
|
|
name = "${lib.khscodes.sanitize-terraform-name domain}_dkim_rsa";
|
|
value = {
|
|
mount = cfg.dkim.vault.mountExpr;
|
|
name = cfg.dkim.vault.prefixPath + "/${domain}/rsa";
|
|
data_json = ''
|
|
{ "dkim_private_key": ''${ jsonencode(resource.tls_private_key.${lib.khscodes.sanitize-terraform-name domain}_dkim_rsa.private_key_pem) } }
|
|
'';
|
|
};
|
|
}) cfg.domains
|
|
))
|
|
// (lib.listToAttrs (
|
|
lib.lists.map (domain: {
|
|
name = "${lib.khscodes.sanitize-terraform-name domain}_dkim_ed25519";
|
|
value = {
|
|
mount = cfg.dkim.vault.mountExpr;
|
|
name = cfg.dkim.vault.prefixPath + "/${domain}/ed25519";
|
|
data_json = ''
|
|
{ "dkim_private_key": ''${ jsonencode(resource.tls_private_key.${lib.khscodes.sanitize-terraform-name domain}_dkim_ed25519.private_key_pem) } }
|
|
'';
|
|
};
|
|
}) cfg.domains
|
|
));
|
|
}
|
|
)
|
|
];
|
|
khscodes.services.vault-agent.templates = lib.lists.flatten (
|
|
lib.lists.map (domain: [
|
|
{
|
|
contents = ''
|
|
{{- with secret "${cfg.dkim.vault.mount}/data/${cfg.dkim.vault.prefixPath}/${domain}/rsa" -}}
|
|
{{ .Data.data.dkim_private_key }}
|
|
{{- end -}}
|
|
'';
|
|
destination = rsaKeyPath domain;
|
|
perms = "0600";
|
|
owner = "rspamd";
|
|
group = "rspamd";
|
|
restartUnits = [
|
|
"rspamd.service"
|
|
];
|
|
}
|
|
{
|
|
contents = ''
|
|
{{- with secret "${cfg.dkim.vault.mount}/data/${cfg.dkim.vault.prefixPath}/${domain}/ed25519" -}}
|
|
{{ .Data.data.dkim_private_key }}
|
|
{{- end -}}
|
|
'';
|
|
destination = ed25519KeyPath domain;
|
|
perms = "0600";
|
|
owner = "rspamd";
|
|
group = "rspamd";
|
|
restartUnits = [
|
|
"rspamd.service"
|
|
];
|
|
}
|
|
]) cfg.domains
|
|
);
|
|
mailserver = {
|
|
dkimSigning = false;
|
|
};
|
|
services.rspamd.locals."dkim_signing.conf" = lib.mkForce {
|
|
text = ''
|
|
enabled = true;
|
|
allow_username_mismatch = true;
|
|
domain {
|
|
${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
|
|
}
|
|
'';
|
|
};
|
|
services.rspamd.locals."arc.conf" = lib.mkForce {
|
|
text = ''
|
|
enabled = true;
|
|
allow_username_mismatch = true;
|
|
domain {
|
|
${lib.strings.concatStringsSep "\n " (lib.lists.map dkimSigningForDomain cfg.domains)}
|
|
}
|
|
'';
|
|
};
|
|
services.postfix.config = {
|
|
# Need to include this as I disabled the in built support for dkim signing
|
|
# without this postfix won't forward the mails to rspamd to be signed.
|
|
non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
|
|
};
|
|
systemd.services.rspamd = {
|
|
unitConfig = {
|
|
ConditionPathExists = domainKeyPaths;
|
|
};
|
|
serviceConfig = {
|
|
ReadOnlyPaths = domainKeyPaths;
|
|
};
|
|
};
|
|
};
|
|
}
|