1 files changed, 63 insertions, 0 deletions
diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix
new file mode 100644
index 00000000..9e126361
--- /dev/null
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.services.postfix-mta-sts-resolver;
+in {
+  options = {
+    services.postfix-mta-sts-resolver = {
+      enable = mkEnableOption "mta-sts-daemon";
+      package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+      redis = mkEnableOption "redis cache" // { default = true; example = false; };
+      settings = mkOption {
+        type = types.attrs;
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
+    services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
+    
+    services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
+      redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
+    };
+    services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
+      enable = true;
+    };
+    users.users.postfix-mta-sts-resolver = {
+      isSystemUser = true;
+      group = "postfix-mta-sts-resolver";
+    };
+    users.groups.postfix-mta-sts-resolver = {
+      members = ["postfix"];
+    };
+    systemd.services."postfix-mta-sts-resolver" = {
+      wantedBy = ["postfix.service"];
+      before = ["postfix.service"];
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
+        SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
+        RuntimeDirectory = "postfix-mta-sts-resolver";
+        User = "postfix-mta-sts-resolver";
+        Group = "postfix-mta-sts-resolver";
+        RemoveIPC = true;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        RestrictSUIDSGID = true;
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
+      };
+    };
+  };
+}

diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix new file mode 100644 index 00000000..9e126361 --- /dev/null +++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
	1	{ config, pkgs, lib, ... }:
	2
	3	with lib;
	4
	5	let
	6	cfg = config.services.postfix-mta-sts-resolver;
	7	in {
	8	options = {
	9	services.postfix-mta-sts-resolver = {
	10	enable = mkEnableOption "mta-sts-daemon";
	11	package = mkPackageOption pkgs "postfix-mta-sts-resolver";
	12
	13	redis = mkEnableOption "redis cache" // { default = true; example = false; };
	14
	15	settings = mkOption {
	16	type = types.attrs;
	17	};
	18	};
	19	};
	20
	21	config = mkIf cfg.enable {
	22	services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
	23	services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
	24
	25	services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
	26	redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
	27	};
	28
	29	services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
	30	enable = true;
	31	};
	32
	33	users.users.postfix-mta-sts-resolver = {
	34	isSystemUser = true;
	35	group = "postfix-mta-sts-resolver";
	36	};
	37	users.groups.postfix-mta-sts-resolver = {
	38	members = ["postfix"];
	39	};
	40
	41	systemd.services."postfix-mta-sts-resolver" = {
	42	wantedBy = ["postfix.service"];
	43	before = ["postfix.service"];
	44
	45	serviceConfig = {
	46	ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
	47	SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
	48	RuntimeDirectory = "postfix-mta-sts-resolver";
	49
	50	User = "postfix-mta-sts-resolver";
	51	Group = "postfix-mta-sts-resolver";
	52
	53	RemoveIPC = true;
	54	PrivateTmp = true;
	55	NoNewPrivileges = true;
	56	RestrictSUIDSGID = true;
	57	ProtectSystem = "strict";
	58	ProtectHome = "read-only";
	59	ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
	60	};
	61	};
	62	};
	63	}