author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-07-11 09:28:58 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-07-11 09:28:58 +0200 |
commit | 7f04383e716b8b5b67e28422d7d72896fb080918 (patch) | |
tree | 31e64aaf5e49fa0ffbc56962c35f83bd17f7b9c7 /modules/postfix-mta-sts-resolver.nix | |
parent | a834240c59d3cbec274a5249463f339ede65bc85 (diff) | |
bouncy.email: MTA-STS
Diffstat (limited to 'modules/postfix-mta-sts-resolver.nix')
-rw-r--r-- | modules/postfix-mta-sts-resolver.nix | 63 |
1 files changed, 63 insertions, 0 deletions
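--- /dev/null
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.postfix-mta-sts-resolver;
+in {
+  options = {
+    services.postfix-mta-sts-resolver = {
+      enable = mkEnableOption "mta-sts-daemon";
+      package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+
+      redis = mkEnableOption "redis cache" // { default = true; example = false; };
+
+      settings = mkOption {
+        type = types.attrs;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
+    services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
+
+    services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
+      redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
+    };
+
+    services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
+      enable = true;
+    };
+
+    users.users.postfix-mta-sts-resolver = {
+      isSystemUser = true;
+      group = "postfix-mta-sts-resolver";
+    };
+    users.groups.postfix-mta-sts-resolver = {
+      members = ["postfix"];
+    };
+
+    systemd.services."postfix-mta-sts-resolver" = {
+      wantedBy = ["postfix.service"];
+      before = ["postfix.service"];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
+        SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
+        RuntimeDirectory = "postfix-mta-sts-resolver";
+
+        User = "postfix-mta-sts-resolver";
+        Group = "postfix-mta-sts-resolver";
+
+        RemoveIPC = true;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        RestrictSUIDSGID = true;
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
+      };
+    };
+  };
+}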
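Review bot: The `package` option declared on line 11 is never used: `ExecStart` on line 46 interpolates `pkgs.postfix-mta-sts-resolver` directly, so a user overriding `services.postfix-mta-sts-resolver.package` (e.g. to pin a patched build) silently still runs the default package; change it to `ExecStart = "${cfg.package}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";`. The nested `mkIf cfg.redis` under `settings.cache` on line 25 is set inside a value of type `types.attrs`, which as far as I can tell merges definitions with a plain `//` and does not discharge nested `mkIf` markers, so the `_type = "if"` attrset may end up serialised verbatim into `mta-sts-daemon.yml` — worth verifying the generated file, or declaring `settings` as `types.submodule { freeformType = types.attrsOf types.anything; }` with `path`/`mode`/`cache` as real sub-options. Line 59 hardcodes `/run/redis-postfix-mta-sts-resolver` while line 26 derives the socket from `config.services.redis.servers.postfix-mta-sts-resolver.unixSocket`; deriving the directory from the same value (`dirOf`) keeps the two from drifting if the redis instance is ever renamed. `settings` also lacks a `description` and an `example`, which `nixos-option` and the generated docs will show as empty.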