From 61089ddceec7d05a05efd4db9bbdf4b45d102b9c Mon Sep 17 00:00:00 2001
From: joachim schiele <js@lastlog.de>
Date: Wed, 13 Sep 2017 12:13:08 +0200
Subject: opendkim: automated key generation (no manual changes for service
 initialization required anymore)

---
 nixos/modules/services/mail/opendkim.nix | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

(limited to 'nixos/modules/services/mail/opendkim.nix')

diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index f065208ddfc1..59a8373843a1 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -8,10 +8,12 @@ let
 
   defaultSock = "local:/run/opendkim/opendkim.sock";
 
+  keyFile = "${cfg.keyPath}/${cfg.selector}.private";
+
   args = [ "-f" "-l"
            "-p" cfg.socket
            "-d" cfg.domains
-           "-k" cfg.keyFile
+           "-k" keyFile
            "-s" cfg.selector
          ] ++ optionals (cfg.configFile != null) [ "-x" cfg.configFile ];
 
@@ -57,9 +59,13 @@ in {
         '';
       };
 
-      keyFile = mkOption {
+      keyPath = mkOption {
         type = types.path;
-        description = "Secret key file used for signing messages.";
+        description = ''
+          The path that opendkim should put its generated private keys into.
+          The DNS settings will be found in this directory with the name selector.txt.
+        '';
+        default = "/var/lib/opendkim/keys";
       };
 
       selector = mkOption {
@@ -100,11 +106,25 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
+      preStart = ''
+        mkdir -p "${cfg.keyPath}"
+        cd "${cfg.keyPath}"
+        if ! test -f ${cfg.selector}.private; then
+          ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
+          echo "Generated OpenDKIM key! Please update your DNS settings:\n"
+          echo "-------------------------------------------------------------"
+          cat ${cfg.selector}.txt
+          echo "-------------------------------------------------------------"
+        fi
+        chown ${cfg.user}:${cfg.group} ${cfg.selector}.private
+      '';
+
       serviceConfig = {
         ExecStart = "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
         User = cfg.user;
         Group = cfg.group;
         RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
+        PermissionsStartOnly = true;
       };
     };
 
-- 
cgit 1.4.1