From d865e5d63914da74bb9a5e4d56a8519ea8a4aa67 Mon Sep 17 00:00:00 2001
From: liberodark
Date: Wed, 12 Feb 2025 13:17:55 +0100
Subject: [PATCH 1/3] nixos/opendkim: add selector in multi domain
---
 nixos/modules/services/mail/opendkim.nix | 128 ++++++++++++++++++-----
 1 file changed, 99 insertions(+), 29 deletions(-)
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index cf5d27405b7af..df9492fd86f1d 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -10,27 +10,47 @@ let
 defaultSock = "local:/run/opendkim/opendkim.sock";
- args =
- [
- "-f"
- "-l"
- "-p"
- cfg.socket
- "-d"
- cfg.domains
- "-k"
- "${cfg.keyPath}/${cfg.selector}.private"
- "-s"
- cfg.selector
- ]
- ++ lib.optionals (cfg.configFile != null) [
- "-x"
- cfg.configFile
- ];
+ mergedSettings =
+ if cfg.domainConfigs != { } then
+ cfg.settings
+ // {
+ KeyTable = "refile:${cfg.keyPath}/KeyTable";
+ SigningTable = "refile:${cfg.keyPath}/SigningTable";
+ }
+ else
+ cfg.settings;
 configFile = pkgs.writeText "opendkim.conf" (
- lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${value}") cfg.settings)
+ lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${value}") mergedSettings)
 );
+
+ args =
+ if cfg.domainConfigs != { } then
+ [
+ "-f"
+ "-l"
+ "-p"
+ cfg.socket
+ "-x"
+ configFile
+ ]
+ else
+ [
+ "-f"
+ "-l"
+ "-p"
+ cfg.socket
+ "-d"
+ cfg.domains
+ "-k"
+ "${cfg.keyPath}/${cfg.selector}.private"
+ "-s"
+ cfg.selector
+ ]
+ ++ lib.optionals (cfg.configFile != null) [
+ "-x"
+ cfg.configFile
+ ];
 in
 {
 imports = [
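Review bot: In the new `args`, the domainConfigs branch drops `cfg.configFile`, `cfg.domains` and `cfg.selector` without any diagnostic, so a user who sets `configFile` together with `domainConfigs` silently loses that configuration; in the same way the trailing `//` in `mergedSettings` silently overrides any `settings.KeyTable` or `settings.SigningTable` the user supplied. An evaluation-time assertion makes the conflict visible instead of being discovered from daemon behaviour, e.g. `{ assertion = cfg.domainConfigs == { } || cfg.configFile == null; message = "services.opendkim.configFile is ignored when domainConfigs is set"; }` (the `assertions` list lives outside this hunk). Whether `cfg.selector` is still a required option in the multi-domain case cannot be seen from here; if it is, it should probably gain a default or be asserted as unused.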
@@ -100,6 +120,21 @@ in
 default = { };
 description = "Additional opendkim configuration";
 };
+
+ domainConfigs = lib.mkOption {
+ type =
+ with lib.types;
+ attrsOf (submodule {
+ options = {
+ selector = lib.mkOption {
+ type = lib.types.str;
+ description = "Selector to use for this domain";
+ };
+ };
+ });
+ default = { };
+ description = "Optional per-domain configurations for selectors";
+ };
 };
 };
@@ -116,7 +151,7 @@ in
 };
 environment = {
- etc = lib.mkIf (cfg.settings != { }) {
+ etc = lib.mkIf (mergedSettings != { }) {
 "opendkim/opendkim.conf".source = configFile;
 };
 systemPackages = [ pkgs.opendkim ];
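Review bot: The `selector` option is a bare `lib.types.str` with no shape check, yet its value is later interpolated unquoted into the preStart shell script and into file names under `keyPath` (in a later hunk), so a selector containing whitespace or shell metacharacters fails at activation instead of at evaluation. Restricting the type to what a DKIM selector label can carry catches this early, for example `type = lib.types.strMatching "[A-Za-z0-9._-]+";`. The `domainConfigs` description should also say what the attribute name is used for: it is passed as the domain to opendkim-genkey and names the per-domain key subdirectory under `keyPath`, so it must be a valid directory name.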
@@ -133,16 +168,51 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - cd "${cfg.keyPath}" - if ! test -f ${cfg.selector}.private; then - ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key - echo "Generated OpenDKIM key! Please update your DNS settings:\n" - echo "-------------------------------------------------------------" - cat ${cfg.selector}.txt - echo "-------------------------------------------------------------" - fi - ''; + preStart = + if cfg.domainConfigs != { } then + '' + cd "${cfg.keyPath}" + ${lib.concatStringsSep "\n" ( + lib.mapAttrsToList (domain: conf: '' + mkdir -p "${cfg.keyPath}/${domain}" + if ! test -f ${domain}/${conf.selector}.private; then + ${pkgs.opendkim}/bin/opendkim-genkey -s ${conf.selector} -d ${domain} -D "${cfg.keyPath}/${domain}" + echo "Generated OpenDKIM key for ${domain}! Please update your DNS settings:\n" + echo "-------------------------------------------------------------" + cat ${domain}/${conf.selector}.txt + echo "-------------------------------------------------------------" + fi + '') cfg.domainConfigs + )} + + cat > ${cfg.keyPath}/KeyTable < ${cfg.keyPath}/SigningTable < Date: Fri, 14 Feb 2025 15:07:11 +0100 Subject: [PATCH 2/3] nixos/opendkim: Add TrustedHosts support --- nixos/modules/services/mail/opendkim.nix | 40 +++++++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index df9492fd86f1d..67457b1b641dd 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix 
@@ -9,16 +9,25 @@ let
 cfg = config.services.opendkim;
 defaultSock = "local:/run/opendkim/opendkim.sock";
+ trustedHostsFile = pkgs.writeText "TrustedHosts" (lib.concatStringsSep "\n" cfg.trustedHosts);
 mergedSettings =
 if cfg.domainConfigs != { } then
- cfg.settings
+ (lib.optionalAttrs (cfg.trustedHosts != [ ]) {
+ InternalHosts = "refile:/etc/opendkim/TrustedHosts";
+ ExternalIgnoreList = "refile:/etc/opendkim/TrustedHosts";
+ })
+ // cfg.settings
 // {
 KeyTable = "refile:${cfg.keyPath}/KeyTable";
 SigningTable = "refile:${cfg.keyPath}/SigningTable";
 }
 else
- cfg.settings;
+ (lib.optionalAttrs (cfg.trustedHosts != [ ]) {
+ InternalHosts = "refile:/etc/opendkim/TrustedHosts";
+ ExternalIgnoreList = "refile:/etc/opendkim/TrustedHosts";
+ })
+ // cfg.settings;
 configFile = pkgs.writeText "opendkim.conf" (
 lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${value}") mergedSettings)
@@ -135,6 +144,22 @@ in
 default = { };
 description = "Optional per-domain configurations for selectors";
 };
+
+ trustedHosts = lib.mkOption {
+ type = with lib.types; listOf str;
+ default = [ ];
+ example = [
+ "127.0.0.1"
+ "::1"
+ "localhost"
+ "192.168.1.0/24"
+ "*.example.com"
+ ];
+ description = ''
+ List of hosts that are considered trusted and allowed to send emails.
+ These hosts will be added to TrustedHosts file used by InternalHosts and ExternalIgnoreList.
+ '';
+ };
 };
 };
@@ -151,9 +176,14 @@ in
 };
 environment = {
- etc = lib.mkIf (mergedSettings != { }) {
- "opendkim/opendkim.conf".source = configFile;
- };
+ etc = lib.mkMerge [
+ (lib.mkIf (mergedSettings != { }) {
+ "opendkim/opendkim.conf".source = configFile;
+ })
+ (lib.mkIf (cfg.trustedHosts != [ ]) {
+ "opendkim/TrustedHosts".source = trustedHostsFile;
+ })
+ ];
 systemPackages = [ pkgs.opendkim ];
 };
From e4392ed7faa28ec2c97bce75613968a78a7760db Mon Sep 17 00:00:00 2001
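Review bot: In the `else` branch `mergedSettings` now carries InternalHosts and ExternalIgnoreList, but that branch's `args` (defined in the first patch, outside this hunk) still pass only the user's `cfg.configFile`, not the generated `configFile`, so in the single-domain case the TrustedHosts entries land in /etc/opendkim/opendkim.conf and only take effect if the daemon happens to read that path on its own, which I cannot confirm from here. Passing `"-x" configFile` in both branches would make the option behave the same way regardless of `domainConfigs`. Separately, the `refile:` prefix on both tables declares a pattern file rather than a list of literal hosts, which is what makes `*.example.com` in the example work; whether CIDR entries such as `192.168.1.0/24` are honoured in that form is worth confirming before keeping it in the example.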
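Review bot: The `trustedHosts` description, "considered trusted and allowed to send emails", understates what the option grants: per opendkim.conf(5), InternalHosts lists hosts whose mail is signed instead of verified, and ExternalIgnoreList lists hosts permitted to send mail as one of the signing domains without further credentials, so every host matched by an entry can obtain DKIM signatures for the configured domains. I would rewrite the description as "Hosts and patterns written to /etc/opendkim/TrustedHosts and used for both InternalHosts and ExternalIgnoreList: mail from these hosts is signed rather than verified, and they may submit mail as any signing domain. Keep this list as narrow as possible." The description should also mention that entries are patterns (the table is declared with `refile:`), which is why `*.example.com` is valid.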
From: liberodark
Date: Fri, 14 Feb 2025 16:44:39 +0100
Subject: [PATCH 3/3] nixos/opendkim: Add KeySize Support
---
 nixos/modules/services/mail/opendkim.nix | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index 67457b1b641dd..92386fe636d32 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -160,6 +160,15 @@ in
 These hosts will be added to TrustedHosts file used by InternalHosts and ExternalIgnoreList.
 '';
 };
+
+ keySize = lib.mkOption {
+ type = lib.types.int;
+ default = 2048;
+ description = ''
+ Key size in bits for RSA key generation.
+ Common values are 1024, 2048, or 4096.
+ '';
+ };
 };
 };
@@ -206,7 +215,7 @@ in
 lib.mapAttrsToList (domain: conf: ''
 mkdir -p "${cfg.keyPath}/${domain}"
 if ! test -f ${domain}/${conf.selector}.private; then
- ${pkgs.opendkim}/bin/opendkim-genkey -s ${conf.selector} -d ${domain} -D "${cfg.keyPath}/${domain}"
+ ${pkgs.opendkim}/bin/opendkim-genkey -b ${toString cfg.keySize} -s ${conf.selector} -d ${domain} -D "${cfg.keyPath}/${domain}"
 echo "Generated OpenDKIM key for ${domain}! Please update your DNS settings:\n"
 echo "-------------------------------------------------------------"
 cat ${domain}/${conf.selector}.txt
@@ -236,7 +245,7 @@ in
 ''
 cd "${cfg.keyPath}"
 if ! test -f ${cfg.selector}.private; then
- ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
+ ${pkgs.opendkim}/bin/opendkim-genkey -b ${toString cfg.keySize} -s ${cfg.selector} -d all-domains-generic-key
 echo "Generated OpenDKIM key! Please update your DNS settings:\n"
 echo "-------------------------------------------------------------"
 cat ${cfg.selector}.txt
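Review bot: `keySize` is declared as an unbounded `lib.types.int`, so `0`, a negative number or a size below what DKIM verifiers accept passes evaluation and only fails, or yields an unusable key, when opendkim-genkey runs in preStart. Bounding the type at evaluation time avoids that, e.g. `type = lib.types.ints.between 1024 4096;`, and the description should not present 1024 as an ordinary choice: RFC 8301 sets 1024 bits as the minimum for signers and recommends 2048 or more, while keys above 2048 produce TXT records that some DNS providers cannot store in one string. The description should also say that the size only applies when a key is first generated, since both genkey calls in the following hunks are guarded by `if ! test -f …`, so changing `keySize` later does not rotate an existing key.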
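Review bot: The new opendkim-genkey line in the hunk at @@ -206 interpolates `${conf.selector}` and `${domain}` into the shell unquoted (only the `-D` argument is quoted; the `-s` and `-d` arguments and the `test -f` path are not), so a selector or domain attribute containing whitespace or shell metacharacters is word-split or interpreted by the shell at activation. Escaping each interpolation is the usual fix, `-s ${lib.escapeShellArg conf.selector} -d ${lib.escapeShellArg domain}`, with the same treatment for the `test -f` and `cat` paths; `${cfg.selector}` in the hunk at @@ -236 has the same issue. The enclosing `preStart` string begins and ends outside both hunks, so the generated `.private` file's ownership and permissions cannot be checked from here and deserve a look in the full module.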