Merge branch 'scintill/nixos-mailserver-fix-tests'

2019-08-13 19:51:16 +02:00 · 2019-08-13 19:51:16 +02:00 · 0bf2bb0b54
commit 0bf2bb0b54
parent 76922632ca 7e718e0e33
8 changed files with 110 additions and 42 deletions
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@ -40,16 +40,6 @@ let
          fi
        '';
  createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert cfg.domains);
-  create_dkim_cert =
-        ''
-          # Create dkim dir
-          mkdir -p "${cfg.dkimKeyDirectory}"
-          chown ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
-
-          ${createAllCerts}
-
-          chown -R ${dkimUser}:${dkimGroup} "${cfg.dkimKeyDirectory}"
-        '';

  keyTable = pkgs.writeText "opendkim-KeyTable" 
    (lib.concatStringsSep "\n" (lib.flip map cfg.domains 
@ -80,11 +70,17 @@ in
      };

      users.users = optionalAttrs (config.services.postfix.user == "postfix") {
-        postfix.extraGroups = [ "${config.services.opendkim.group}" ];
+        postfix.extraGroups = [ "${dkimGroup}" ];
      };
      systemd.services.opendkim = {
-        preStart = create_dkim_cert;
-        serviceConfig.ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+        preStart = lib.mkForce createAllCerts;
+        serviceConfig = {
+          ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
+          PermissionsStartOnly = lib.mkForce false;
+        };
      };
+      systemd.tmpfiles.rules = [
+        "d '${cfg.dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -"
+      ];
    };
-}
+}
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -27,19 +27,22 @@ in
  config = with cfg; lib.mkIf enable {
    services.rspamd = {
      enable = true;
-      extraConfig = ''
-        extended_spam_headers = yes;
-      '' + (lib.optionalString cfg.virusScanning ''
-        antivirus {
-          clamav {
-            action = "reject";
-            symbol = "CLAM_VIRUS";
-            type = "clamav";
-            log_clean = true;
-            servers = "/run/clamav/clamd.ctl";
-          }
-        }
-      '');
+      inherit debug;
+      locals = {
+          "milter_headers.conf" = { text = ''
+              extended_spam_headers = yes;
+          ''; };
+          "antivirus.conf" = lib.mkIf cfg.virusScanning { text = ''
+              clamav {
+                action = "reject";
+                symbol = "CLAM_VIRUS";
+                type = "clamav";
+                log_clean = true;
+                servers = "/run/clamav/clamd.ctl";
+                scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
+              }
+          ''; };
+      };

      overrides = {
        "milter_headers.conf" = {