From 7f04383e716b8b5b67e28422d7d72896fb080918 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 11 Jul 2022 09:28:58 +0200
Subject: bouncy.email: MTA-STS
---
modules/postfix-mta-sts-resolver.nix | 63 ++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
create mode 100644 modules/postfix-mta-sts-resolver.nix
(limited to 'modules')
diff --git a/modules/postfix-mta-sts-resolver.nix b/modules/postfix-mta-sts-resolver.nix
new file mode 100644
index 00000000..9e126361
--- /dev/null
+++ b/modules/postfix-mta-sts-resolver.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.postfix-mta-sts-resolver;
+in {
+ options = {
+ services.postfix-mta-sts-resolver = {
+ enable = mkEnableOption "mta-sts-daemon";
+ package = mkPackageOption pkgs "postfix-mta-sts-resolver";
+
+ redis = mkEnableOption "redis cache" // { default = true; example = false; };
+
+ settings = mkOption {
+ type = types.attrs;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.postfix-mta-sts-resolver.settings.path = "/run/postfix-mta-sts-resolver/map.sock";
+ services.postfix-mta-sts-resolver.settings.mode = 432; # 0o0660
+
+ services.postfix-mta-sts-resolver.settings.cache = mkIf cfg.redis {
+ redis.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}";
+ };
+
+ services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis {
+ enable = true;
+ };
+
+ users.users.postfix-mta-sts-resolver = {
+ isSystemUser = true;
+ group = "postfix-mta-sts-resolver";
+ };
+ users.groups.postfix-mta-sts-resolver = {
+ members = ["postfix"];
+ };
+
+ systemd.services."postfix-mta-sts-resolver" = {
+ wantedBy = ["postfix.service"];
+ before = ["postfix.service"];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";
+ SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user;
+ RuntimeDirectory = "postfix-mta-sts-resolver";
+
+ User = "postfix-mta-sts-resolver";
+ Group = "postfix-mta-sts-resolver";
+
+ RemoveIPC = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ RestrictSUIDSGID = true;
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"];
+ };
+ };
+ };
+}
-- cgit v1.2.3
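Review bot: `ExecStart` in the `serviceConfig` block hard-codes `pkgs.postfix-mta-sts-resolver`, so the `package` option declared a few lines above has no effect; it should read `ExecStart = "${cfg.package}/bin/mta-sts-daemon -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}";`. The declaration itself also looks incomplete: the nixpkgs `mkPackageOption pkgs name` of this period expects a trailing attrset, so `package = mkPackageOption pkgs "postfix-mta-sts-resolver" { };` is presumably what was intended — worth confirming against the lib revision pinned here. `SupplementaryGroups` is given the redis server's `.user` where a group name is expected; that only works while the redis module keeps its default group equal to the user name, so passing the server's group attribute instead (if this lib exposes one) would be more robust. The hardening set is a reasonable start; since the daemon needs only the runtime socket, the Redis socket and outbound DNS/HTTPS, adding `RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];`, `ProtectKernelTunables = true;` and `CapabilityBoundingSet = "";` would tighten it further.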