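{ pkgs, config, ... }:

let
  # Signing domain and the DKIM selector published in DNS for this host.
  domain = "amz.at";
  selector = "amzebs-01";

  # Where the setup service places the private key for rspamd to read.
  dkimDir = "/var/lib/rspamd/dkim";
  dkimKey = "${dkimDir}/${domain}.${selector}.key";

  # Decrypted key as provided by sops-nix (see sops.secrets below).
  secretPath = config.sops.secrets.rspamd-dkim-key.path;

  # rspamd overrides merged into the main configuration via .include.
  localConfig = pkgs.writeText "local.conf" ''
    logging {
      level = "notice";
    }

    # DKIM signing with the host-specific selector.
    dkim_signing {
      path = "${dkimKey}";
      selector = "${selector}";
      allow_username_mismatch = true;
    }

    # ARC signing (Authenticated Received Chain); reuses the DKIM key.
    arc {
      path = "${dkimKey}";
      selector = "${selector}";
      allow_username_mismatch = true;
    }

    # Add Authentication-Results headers, also for authenticated senders.
    milter_headers {
      use = ["authentication-results"];
      authenticated_headers = ["authentication-results"];
    }
  '';
in
{
  services.rspamd = {
    enable = true;
    # Merge the local overrides into rspamd's configuration.
    extraConfig = ''
      .include(priority=1,duplicate=merge) "${localConfig}"
    '';
    # Let Postfix hand mail to rspamd through the milter protocol.
    postfix.enable = true;
  };

  # Deploy the DKIM key from the sops secret into rspamd's key directory.
  systemd.services.rspamd-dkim-setup = {
    description = "Setup DKIM key from sops secret for ${domain}";
    wantedBy = [ "multi-user.target" ];
    # `before` only orders the two units; `requiredBy` additionally makes
    # starting rspamd.service on its own pull the key deployment in first,
    # so a missing key fails rspamd's start instead of leaving it unsigned.
    requiredBy = [ "rspamd.service" ];
    before = [ "rspamd.service" ];
    # NOTE(review): whether a sops-nix.service unit exists depends on the
    # sops-nix version in use; `after` on an absent unit is harmless.
    after = [ "sops-nix.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      set -euo pipefail

      # Key directory: root-owned, group-readable by rspamd, not world-readable.
      install -d -m 0750 -o root -g rspamd "${dkimDir}"

      if [ ! -f "${secretPath}" ]; then
        echo "ERROR: DKIM key not found in sops secrets!" >&2
        echo "Please ensure rspamd-dkim-key is defined in secrets.yaml" >&2
        exit 1
      fi

      # install(1) creates the destination with its final owner and mode in
      # one step; a plain cp followed by chown/chmod would briefly leave the
      # private key with the default umask permissions.
      install -m 0400 -o rspamd -g rspamd "${secretPath}" "${dkimKey}"
      echo "DKIM key deployed successfully from sops secret"
    '';
  };

  sops.secrets.rspamd-dkim-key = {
    owner = "rspamd";
    group = "rspamd";
    mode = "0400";
    # On key rotation, re-run the copy and restart rspamd so the new key is
    # actually used (the oneshot unit would otherwise stay "active (exited)").
    restartUnits = [ "rspamd-dkim-setup.service" "rspamd.service" ];
  };
}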