author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-03-04 20:20:43 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-03-09 13:44:30 +0100 |
commit | 8545bb05ca55d479a6f58fdc48890678fe14ed4c (patch) | |
tree | fa4322ca30982436e800fca84314c712050a0f30 /modules/by-name/st/stalwart-mail/module.nix | |
parent | modules/stalwart-mail: Avoid hardcoding `vhack.eu` email address (diff) | |
modules/stalwart-mail: Select DKIM keys per-domain
Diffstat (limited to 'modules/by-name/st/stalwart-mail/module.nix')
-rw-r--r-- | modules/by-name/st/stalwart-mail/module.nix | 64 |
1 files changed, 52 insertions, 12 deletions
diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 76149c3..3ef7d85 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -100,12 +100,46 @@ in {
 security = lib.mkOption {
 type = lib.types.nullOr (lib.types.submodule {
 options = {
- dkimPrivateKeyPath = lib.mkOption {
- type = lib.types.path;
+ verificationMode = lib.mkOption {
+ type = lib.types.enum ["relaxed" "strict"];
 description = ''
- The path to the dkim private key agenix file.
+ Whether to allow invalid signatures/checks or not.
 '';
+ default = "relaxed";
 };
+
+ dkimKeys = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ dkimPublicKey = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The base 64 encoded representation of the public dkim key.
+ '';
+ };
+ dkimPrivateKeyPath = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The path to the dkim private key agenix file.
+ Generate it via the `./gen_key` script:
+ '';
+ };
+ keyAlgorithm = lib.mkOption {
+ type = lib.types.enum ["ed25519-sha256" "rsa-sha-256" "rsa-sha-1"];
+ description = "The algorithm of the used key";
+ };
+ };
+ });
+ description = ''
+ Which key to use for which domain. The attr keys are the domains
+ '';
+ default = {};
+ };
+ allowInsecureSmtp = lib.mkEnableOption ''
+ insecure SMTP listener (on port 25).
+
+ This is important, if an legacy mail server might want to send you mail.
+ '';
 };
 });
 description = ''
@@ -130,7 +164,6 @@ in {
 inherit (cfg) package;
 # dataDir = cfg.dataDirectory;
 };
-
 security.acme.certs = {
 "${cfg.fqdn}" = {
 domain = cfg.fqdn;
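Review bot: The `keyAlgorithm` enum in the new `dkimKeys` submodule still admits `rsa-sha-1`, which RFC 8301 deprecates for DKIM signing, so a user can pick a signature scheme that current verifiers are expected to reject; unless a specific legacy receiver needs it, narrow the option to `type = lib.types.enum ["ed25519-sha256" "rsa-sha-256"];` or at least state that caveat in its description. The `verificationMode` description `Whether to allow invalid signatures/checks or not.` does not say which value is the permissive one while the option defaults to `"relaxed"`; a wording such as `"relaxed" accepts mail whose signature checks fail (the default); "strict" rejects it.` would make the trade-off visible, assuming that is how the consumer of this option maps it, since that consumer is outside the hunk. The `dkimPrivateKeyPath` description ends with `Generate it via the \`./gen_key\` script:` where the colon announces text that never follows, so either complete the sentence or drop the colon. The `allowInsecureSmtp` text also reads `if an legacy mail server` where `a legacy` is meant.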
@@ -138,14 +171,21 @@ in {
 };
 };
- age.secrets = lib.mkIf (cfg.security != null) {
- stalwartMailDkim = {
- file = cfg.security.dkimPrivateKeyPath;
- mode = "600";
- owner = "stalwart-mail";
- group = "stalwart-mail";
- };
- };
+ age.secrets = let
+ keys =
+ lib.mapAttrs' (
+ keyDomain: keyConfig:
+ lib.nameValuePair "stalwartMail${keyDomain}"
+ {
+ file = keyConfig.dkimPrivateKeyPath;
+ mode = "600";
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ }
+ )
+ cfg.security.dkimKeys;
+ in
+ lib.mkIf (cfg.security != null) keys;
 vhack.persist.directories = [
 { |