nixos/postfix-tlspol: migrate to static user/group

This fixes postfix' membership in the postfix-tlspol group, since
memberships in a dynamically allocated group don't seem to work out.

Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.

nixos/modules/services/mail/postfix-tlspol.nix

@@ -153,6 +153,12 @@ in
 
       environment.systemPackages = [ cfg.package ];
 
+      users.users.postfix-tlspol = {
+        isSystemUser = true;
+        group = "postfix-tlspol";
+      };
+      users.groups.postfix-tlspol = { };
+
       systemd.services.postfix-tlspol = {
         after = [
           "nss-lookup.target"
@@ -178,7 +184,8 @@ in
           Restart = "always";
           RestartSec = 5;
 
-          DynamicUser = true;
+          User = "postfix-tlspol";
+          Group = "postfix-tlspol";
 
           CacheDirectory = "postfix-tlspol";
           CapabilityBoundingSet = [ "" ];
@@ -208,7 +215,7 @@ in
             ++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
               "AF_UNIX"
             ];
-          RestrictNamespace = true;
+          RestrictNamespaces = true;
           RestrictRealtime = true;
           RestrictSUIDSGID = true;
           SystemCallArchitectures = "native";

nixos/tests/postfix-tlspol.nix

@@ -18,7 +18,7 @@
     import json
 
     machine.wait_for_unit("postfix-tlspol.service")
-    machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol")
+    machine.succeed("getent group postfix-tlspol | grep :postfix")
 
     with subtest("Interact with the service"):
       machine.succeed("postfix-tlspol -purge")
@@ -26,6 +26,8 @@
       response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
       machine.log(json.dumps(response, indent=2))
 
+
+    machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ✓")[1])
   '';
 
 }