From 8545bb05ca55d479a6f58fdc48890678fe14ed4c Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Tue, 4 Mar 2025 20:20:43 +0100
Subject: modules/stalwart-mail: Select DKIM keys per-domain

---
 modules/by-name/st/stalwart-mail/module.nix | 64 +++++++++++++++++++++++------
 1 file changed, 52 insertions(+), 12 deletions(-)
(limited to 'modules/by-name/st/stalwart-mail/module.nix')

diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 76149c3..3ef7d85 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -100,12 +100,46 @@ in {
 security = lib.mkOption {
 type = lib.types.nullOr (lib.types.submodule {
 options = {
- dkimPrivateKeyPath = lib.mkOption {
- type = lib.types.path;
+ verificationMode = lib.mkOption {
+ type = lib.types.enum ["relaxed" "strict"];
 description = ''
- The path to the dkim private key agenix file.
+ Whether to allow invalid signatures/checks or not.
 '';
+ default = "relaxed";
 };
+
+ dkimKeys = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options = {
+ dkimPublicKey = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ The base 64 encoded representation of the public dkim key.
+ '';
+ };
+ dkimPrivateKeyPath = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The path to the dkim private key agenix file.
+ Generate it via the `./gen_key` script:
+ '';
+ };
+ keyAlgorithm = lib.mkOption {
+ type = lib.types.enum ["ed25519-sha256" "rsa-sha-256" "rsa-sha-1"];
+ description = "The algorithm of the used key";
+ };
+ };
+ });
+ description = ''
+ Which key to use for which domain. The attr keys are the domains
+ '';
+ default = {};
+ };
+ allowInsecureSmtp = lib.mkEnableOption ''
+ insecure SMTP listener (on port 25).
+
+ This is important, if an legacy mail server might want to send you mail.
+ '';
 };
 });
 description = ''
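Review bot: The `keyAlgorithm` enum mixes two naming schemes (`ed25519-sha256` versus `rsa-sha-256`/`rsa-sha-1`) and admits `rsa-sha-1`, which RFC 8301 deprecates for DKIM signing and verification; the value is presumably passed through to Stalwart's signature configuration (not visible in this hunk), so the spellings should be checked against what Stalwart accepts, and SHA-1 is best dropped from the enum or documented as legacy-only. The `dkimPrivateKeyPath` description ends with a dangling line, "Generate it via the ./gen_key script:", which should either be completed (what the script takes, and that its public-key output is what goes into `dkimPublicKey`) or closed with a period. The `verificationMode` description should name which checks it governs and what `relaxed` tolerates, since this hunk does not show where the option is consumed; `allowInsecureSmtp`'s text also has "an legacy" for "a legacy".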
@@ -130,7 +164,6 @@ in {
 inherit (cfg) package;
 # dataDir = cfg.dataDirectory;
 };
-
 security.acme.certs = {
 "${cfg.fqdn}" = {
 domain = cfg.fqdn;
@@ -138,14 +171,21 @@ in {
 };
 };
- age.secrets = lib.mkIf (cfg.security != null) {
- stalwartMailDkim = {
- file = cfg.security.dkimPrivateKeyPath;
- mode = "600";
- owner = "stalwart-mail";
- group = "stalwart-mail";
- };
- };
+ age.secrets = let
+ keys =
+ lib.mapAttrs' (
+ keyDomain: keyConfig:
+ lib.nameValuePair "stalwartMail${keyDomain}"
+ {
+ file = keyConfig.dkimPrivateKeyPath;
+ mode = "600";
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ }
+ )
+ cfg.security.dkimKeys;
+ in
+ lib.mkIf (cfg.security != null) keys;
 vhack.persist.directories = [
 {
-- 
cgit 1.4.1
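Review bot: The new `let keys = lib.mapAttrs' … cfg.security.dkimKeys; in lib.mkIf (cfg.security != null) keys` in the second hunk of this line reads as if `cfg.security.dkimKeys` were dereferenced before the null check; it is only safe because Nix binds `keys` lazily and `mkIf` never forces its content when the condition is false, which deserves a comment such as `# keys is never forced when cfg.security is null (lazy let + mkIf)`, or the guard can be made visible by writing `lib.mkIf (cfg.security != null) (lib.mapAttrs' (…) cfg.security.dkimKeys)`. The generated secret names concatenate the domain directly, so `"stalwartMail${keyDomain}"` yields e.g. `stalwartMailexample.org` for a domain `example.org` (constructed example); a separator such as `stalwartMail-${keyDomain}` would keep the names readable. The hunk also drops the old `stalwartMailDkim` secret, so any consumer of `config.age.secrets.stalwartMailDkim.path` outside this file must be moved to the per-domain names — that cannot be confirmed from this path-limited view.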