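# NixOS module: provisions the fueltide.io DKIM private key for rspamd.
# It declares the sops-nix secret and a one-shot unit that copies the
# decrypted key to the path rspamd's dkim_signing module reads.
{ config, pkgs, ... }:

{
  sops.secrets.rspamd-dkim-fueltide-io-key = {
    # Readable only by the rspamd user; the key is a signing credential.
    owner = "rspamd";
    group = "rspamd";
    mode = "0400";

    # Re-run the installer whenever the decrypted secret changes. The unit
    # below is a RemainAfterExit one-shot, and nothing else visible here
    # re-triggers it when only the key material is rotated, which would leave
    # a stale copy under /var/lib/rspamd/dkim until the next boot.
    # NOTE(review): rspamd itself may need a reload/restart to pick up the
    # replaced file - confirm, and add "rspamd.service" here if so.
    restartUnits = [ "rspamd-dkim-fueltide-setup.service" ];
  };

  # rspamd's dkim_signing module in rspamd.nix picks up per-domain keys from
  # /var/lib/rspamd/dkim/$domain.$selector.key. This one-shot drops the
  # fueltide.io key into place before rspamd starts.
  #
  # NOTE(review): the copy leaves a second plaintext instance of the private
  # key under /var/lib, which is presumably persistent storage (and possibly
  # in backups), unlike the sops-nix runtime secrets directory. If that is not
  # intended, consider pointing sops.secrets.<name>.path at the target
  # location instead of copying - confirm the directory exists at activation.
  systemd.services.rspamd-dkim-fueltide-setup = {
    description = "Install fueltide.io DKIM key into rspamd";
    wantedBy = [ "multi-user.target" ];

    # Ordering only: if this unit fails, rspamd.service is still started.
    # NOTE(review): add requiredBy = [ "rspamd.service" ] if rspamd must not
    # run without the key - a deliberate availability trade-off, so not
    # changed here.
    before = [ "rspamd.service" ];

    serviceConfig = {
      Type = "oneshot";
      # Keep the unit "active" after the script exits so it is not re-run on
      # every activation and so ordering against rspamd.service holds.
      RemainAfterExit = true;
    };

    # First ensure the key directory exists (0750, rspamd:rspamd), then copy
    # the decrypted secret in as a 0400 file owned by rspamd.
    script = ''
      install -d -o rspamd -g rspamd -m 0750 /var/lib/rspamd/dkim
      install -o rspamd -g rspamd -m 0400 \
        ${config.sops.secrets.rspamd-dkim-fueltide-io-key.path} \
        /var/lib/rspamd/dkim/fueltide.io.default.key
    '';
  };
}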