nixpkgs/nixos/modules/services/mail/postgrey.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

206 lines
6.6 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib; let
cfg = config.services.postgrey;
2017-01-02 15:09:50 +01:00
natural = with types; addCheck int (x: x >= 0);
natural' = with types; addCheck int (x: x > 0);
2019-08-13 23:52:01 +02:00
socket = with types; addCheck (either (submodule unixSocket) (submodule inetSocket)) (x: x ? path || x ? port);
2017-01-02 15:09:50 +01:00
inetSocket = with types; {
2017-01-02 15:19:00 +01:00
options = {
addr = mkOption {
type = nullOr str;
2017-01-02 15:19:00 +01:00
default = null;
example = "127.0.0.1";
description = lib.mdDoc "The address to bind to. Localhost if null";
2017-01-02 15:19:00 +01:00
};
port = mkOption {
type = natural';
default = 10030;
description = lib.mdDoc "Tcp port to bind to";
2017-01-02 15:19:00 +01:00
};
2017-01-02 15:09:50 +01:00
};
};
unixSocket = with types; {
2017-01-02 15:19:00 +01:00
options = {
path = mkOption {
type = path;
2018-12-19 22:37:15 +01:00
default = "/run/postgrey.sock";
description = lib.mdDoc "Path of the unix socket";
2017-01-02 15:19:00 +01:00
};
2017-01-02 15:09:50 +01:00
2017-01-02 15:19:00 +01:00
mode = mkOption {
type = str;
2017-01-02 15:19:00 +01:00
default = "0777";
description = lib.mdDoc "Mode of the unix socket";
2017-01-02 15:19:00 +01:00
};
2017-01-02 15:09:50 +01:00
};
};
in {
imports = [
(mkMergedOptionModule [ [ "services" "postgrey" "inetAddr" ] [ "services" "postgrey" "inetPort" ] ] [ "services" "postgrey" "socket" ] (config: let
value = p: getAttrFromPath p config;
inetAddr = [ "services" "postgrey" "inetAddr" ];
inetPort = [ "services" "postgrey" "inetPort" ];
in
if value inetAddr == null
then { path = "/run/postgrey.sock"; }
else { addr = value inetAddr; port = value inetPort; }
))
];
options = {
2016-09-14 02:18:18 +02:00
services.postgrey = with types; {
enable = mkOption {
2016-09-14 02:18:18 +02:00
type = bool;
default = false;
description = lib.mdDoc "Whether to run the Postgrey daemon";
};
2017-01-02 15:09:50 +01:00
socket = mkOption {
type = socket;
2017-01-02 15:32:50 +01:00
default = {
2018-12-19 22:37:15 +01:00
path = "/run/postgrey.sock";
2017-01-02 15:32:50 +01:00
mode = "0777";
};
2017-01-02 15:09:50 +01:00
example = {
addr = "127.0.0.1";
port = 10030;
};
description = lib.mdDoc "Socket to bind to";
};
greylistText = mkOption {
type = str;
default = "Greylisted for %%s seconds";
description = lib.mdDoc "Response status text for greylisted messages; use %%s for seconds left until greylisting is over and %%r for mail domain of recipient";
2017-01-02 15:09:50 +01:00
};
greylistAction = mkOption {
type = str;
2017-01-02 15:09:50 +01:00
default = "DEFER_IF_PERMIT";
description = lib.mdDoc "Response status for greylisted messages (see access(5))";
2017-01-02 15:09:50 +01:00
};
greylistHeader = mkOption {
type = str;
2017-01-02 15:09:50 +01:00
default = "X-Greylist: delayed %%t seconds by postgrey-%%v at %%h; %%d";
description = lib.mdDoc "Prepend header to greylisted mails; use %%t for seconds delayed due to greylisting, %%v for the version of postgrey, %%d for the date, and %%h for the host";
2017-01-02 15:09:50 +01:00
};
delay = mkOption {
type = natural;
default = 300;
description = lib.mdDoc "Greylist for N seconds";
2017-01-02 15:09:50 +01:00
};
maxAge = mkOption {
type = natural;
default = 35;
description = lib.mdDoc "Delete entries from whitelist if they haven't been seen for N days";
2017-01-02 15:09:50 +01:00
};
retryWindow = mkOption {
type = either str natural;
2017-01-02 15:09:50 +01:00
default = 2;
example = "12h";
description = lib.mdDoc "Allow N days for the first retry. Use string with appended 'h' to specify time in hours";
2017-01-02 15:09:50 +01:00
};
lookupBySubnet = mkOption {
type = bool;
default = true;
description = lib.mdDoc "Strip the last N bits from IP addresses, determined by IPv4CIDR and IPv6CIDR";
2017-01-02 15:09:50 +01:00
};
IPv4CIDR = mkOption {
type = natural;
default = 24;
description = lib.mdDoc "Strip N bits from IPv4 addresses if lookupBySubnet is true";
2017-01-02 15:09:50 +01:00
};
IPv6CIDR = mkOption {
type = natural;
default = 64;
description = lib.mdDoc "Strip N bits from IPv6 addresses if lookupBySubnet is true";
2017-01-02 15:09:50 +01:00
};
privacy = mkOption {
type = bool;
default = true;
description = lib.mdDoc "Store data using one-way hash functions (SHA1)";
2017-01-02 15:09:50 +01:00
};
autoWhitelist = mkOption {
type = nullOr natural';
default = 5;
description = lib.mdDoc "Whitelist clients after successful delivery of N messages";
};
2017-01-02 15:40:54 +01:00
whitelistClients = mkOption {
type = listOf path;
default = [];
description = lib.mdDoc "Client address whitelist files (see postgrey(8))";
2017-01-02 15:40:54 +01:00
};
whitelistRecipients = mkOption {
type = listOf path;
default = [];
description = lib.mdDoc "Recipient address whitelist files (see postgrey(8))";
2017-01-02 15:40:54 +01:00
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.postgrey ];
users = {
users = {
postgrey = {
description = "Postgrey Daemon";
uid = config.ids.uids.postgrey;
group = "postgrey";
};
};
groups = {
postgrey = {
gid = config.ids.gids.postgrey;
};
};
};
systemd.services.postgrey = let
2019-08-13 23:52:01 +02:00
bind-flag = if cfg.socket ? path then
"--unix=${cfg.socket.path} --socketmode=${cfg.socket.mode}"
else
2017-01-02 15:27:00 +01:00
''--inet=${optionalString (cfg.socket.addr != null) (cfg.socket.addr + ":")}${toString cfg.socket.port}'';
in {
description = "Postfix Greylisting Service";
wantedBy = [ "multi-user.target" ];
before = [ "postfix.service" ];
preStart = ''
mkdir -p /var/postgrey
chown postgrey:postgrey /var/postgrey
chmod 0770 /var/postgrey
'';
serviceConfig = {
Type = "simple";
2017-01-02 15:42:51 +01:00
ExecStart = ''${pkgs.postgrey}/bin/postgrey \
${bind-flag} \
--group=postgrey --user=postgrey \
--dbdir=/var/postgrey \
--delay=${toString cfg.delay} \
--max-age=${toString cfg.maxAge} \
--retry-window=${toString cfg.retryWindow} \
${if cfg.lookupBySubnet then "--lookup-by-subnet" else "--lookup-by-host"} \
--ipv4cidr=${toString cfg.IPv4CIDR} --ipv6cidr=${toString cfg.IPv6CIDR} \
${optionalString cfg.privacy "--privacy"} \
--auto-whitelist-clients=${toString (if cfg.autoWhitelist == null then 0 else cfg.autoWhitelist)} \
--greylist-action=${cfg.greylistAction} \
--greylist-text="${cfg.greylistText}" \
--x-greylist-header="${cfg.greylistHeader}" \
${concatMapStringsSep " " (x: "--whitelist-clients=" + x) cfg.whitelistClients} \
${concatMapStringsSep " " (x: "--whitelist-recipients=" + x) cfg.whitelistRecipients}
'';
Restart = "always";
RestartSec = 5;
TimeoutSec = 10;
};
};
};
}