{ config, pkgs, lib, ... }:
let
cfg = config.services.zeyple;
ini = pkgs.formats.ini { };
gpgHome = pkgs.runCommand "zeyple-gpg-home" { } ''
mkdir -p $out
for file in ${lib.concatStringsSep " " cfg.keys}; do
${config.programs.gnupg.package}/bin/gpg --homedir="$out" --import "$file"
done
# Remove socket files
rm -f $out/S.*
'';
in {
options.services.zeyple = {
enable = lib.mkEnableOption "Zeyple, an utility program to automatically encrypt outgoing emails with GPG";
user = lib.mkOption {
type = lib.types.str;
default = "zeyple";
description = ''
User to run Zeyple as.
::: {.note}
If left as the default value this user will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
:::
'';
};
group = lib.mkOption {
type = lib.types.str;
default = "zeyple";
description = ''
Group to use to run Zeyple.
::: {.note}
If left as the default value this group will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
:::
'';
};
settings = lib.mkOption {
type = ini.type;
default = { };
description = ''
Zeyple configuration. refer to
<https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.conf.example>
for details on supported values.
'';
};
keys = lib.mkOption {
type = with lib.types; listOf path;
description = "List of public key files that will be imported by gpg.";
};
rotateLogs = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to enable rotation of log files.";
};
};
config = lib.mkIf cfg.enable {
users.groups = lib.optionalAttrs (cfg.group == "zeyple") { "${cfg.group}" = { }; };
users.users = lib.optionalAttrs (cfg.user == "zeyple") {
"${cfg.user}" = {
isSystemUser = true;
group = cfg.group;
};
};
services.zeyple.settings = {
zeyple = lib.mapAttrs (name: lib.mkDefault) {
log_file = "/var/log/zeyple/zeyple.log";
force_encrypt = true;
};
gpg = lib.mapAttrs (name: lib.mkDefault) { home = "${gpgHome}"; };
relay = lib.mapAttrs (name: lib.mkDefault) {
host = "localhost";
port = 10026;
};
};
environment.etc."zeyple.conf".source = ini.generate "zeyple.conf" cfg.settings;
systemd.tmpfiles.settings."10-zeyple".${cfg.settings.zeyple.log_file}.f = {
inherit (cfg) user group;
mode = "0600";
};
services.logrotate = lib.mkIf cfg.rotateLogs {
enable = true;
settings.zeyple = {
files = cfg.settings.zeyple.log_file;
frequency = "weekly";
rotate = 5;
compress = true;
copytruncate = true;
};
};
services.postfix.extraMasterConf = ''
zeyple unix - n n - - pipe
user=${cfg.user} argv=${pkgs.zeyple}/bin/zeyple ''${recipient}
localhost:${toString cfg.settings.relay.port} inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8,[::1]/128
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
'';
services.postfix.extraConfig = "content_filter = zeyple";
};
}