talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/postfix-tlspol: fix postfix integration

Browse Source 
Fixes the group membership for postfix processes in the postfix-tlspol
group.

Makes the postfix.service start up after postfix-tlspol.service, because
it depends on it for the TLS policy lookups.
This commit is contained in:
Martin Weinelt 2025-06-21 00:35:23 +02:00
parent 30d29123c6
commit 64e7fad038
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
2 changed files with 109 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
nixos/modules/services/mail/postfix-tlspol.nix
View File

@ -10,6 +10,7 @@ let
hasPrefix
mkEnableOption
mkIf
mkMerge
mkOption
mkPackageOption
types
@ -121,14 +122,10 @@ in
};
};
config = mkIf cfg.enable {
environment.etc."postfix-tlspol/config.yaml".source =
format.generate "postfix-tlspol.yaml" cfg.settings;
environment.systemPackages = [ cfg.package ];
config = mkMerge [
(mkIf (cfg.enable && config.services.postfix.enable && cfg.configurePostfix) {
# https://github.com/Zuplu/postfix-tlspol#postfix-configuration
services.postfix.config = mkIf (config.services.postfix.enable && cfg.configurePostfix) {
services.postfix.config = {
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
smtp_tls_policy_maps =
@ -142,6 +139,20 @@ in
[ "socketmap:${address}:QUERYwithTLSRPT" ];
};
systemd.services.postfix = {
wants = [ "postfix-tlspol.service" ];
after = [ "postfix-tlspol.service" ];
};
users.users.postfix.extraGroups = [ "postfix-tlspol" ];
})
(mkIf cfg.enable {
environment.etc."postfix-tlspol/config.yaml".source =
format.generate "postfix-tlspol.yaml" cfg.settings;
environment.systemPackages = [ cfg.package ];
systemd.services.postfix-tlspol = {
after = [
"nss-lookup.target"
@ -216,5 +227,6 @@ in
UMask = "0117";
};
};
};
})
];
}

2
nixos/tests/postfix-tlspol.nix
View File

@ -8,6 +8,7 @@
meta.maintainers = with lib.maintainers; [ hexa ];
nodes.machine = {
services.postfix.enable = true;
services.postfix-tlspol.enable = true;
};
@ -17,6 +18,7 @@
import json
machine.wait_for_unit("postfix-tlspol.service")
machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol")
with subtest("Interact with the service"):
machine.succeed("postfix-tlspol -purge")