From e48d12554c410e16fc5ece2458023ed31b5a4f53 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 24 Jul 2025 02:12:43 +0200
Subject: [PATCH] nixos/tlsrpt: fix permissions for postfix
Same as with other services giving postfix access, this needs to happen for the postfix user. Adding supplementary group permissions to the systemd unit does not propagate to child processes that ultimately call the unix domain socket.
---
 nixos/modules/services/mail/tlsrpt.nix | 14 +++++++++++---
 nixos/tests/tlsrpt.nix | 2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/services/mail/tlsrpt.nix b/nixos/modules/services/mail/tlsrpt.nix
index 732679c9b05a..83b219443fd0 100644
--- a/nixos/modules/services/mail/tlsrpt.nix
+++ b/nixos/modules/services/mail/tlsrpt.nix
@@ -270,9 +270,17 @@ in
 };
 };
- systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf (
- config.services.postfix.enable && cfg.collectd.configurePostfix
- ) [ "tlsrpt" ];
+ users.users.tlsrpt = {
+ isSystemUser = true;
+ group = "tlsrpt";
+ };
+ users.groups.tlsrpt = { };
+
+ users.users.postfix.extraGroups =
+ lib.mkIf (config.services.postfix.enable && cfg.collectd.configurePostfix)
+ [
+ "tlsrpt"
+ ];
 systemd.services.tlsrpt-collectd = {
 description = "TLSRPT datagram collector";
diff --git a/nixos/tests/tlsrpt.nix b/nixos/tests/tlsrpt.nix
index d93ac78b5240..92a7d0cda78e 100644
--- a/nixos/tests/tlsrpt.nix
+++ b/nixos/tests/tlsrpt.nix
@@ -35,7 +35,7 @@
 # Enabling postfix should put sendmail as the sendmail setting
 machine.succeed("grep -q sendmail_script=sendmail /etc/tlsrpt/reportd.cfg")
- machine.succeed("systemctl show --property SupplementaryGroups postfix.service | grep tlsrpt")
+ machine.succeed("getent group tlsrpt | grep -q postfix")
 machine.log(machine.succeed("systemd-analyze security tlsrpt-collectd.service tlsrpt-reportd.service | grep -v ✓"))
 '';
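Review bot: Adding postfix to the tlsrpt group via the new `users.users.postfix.extraGroups` line grants the postfix account group access to every tlsrpt-group-owned path, not only the collector socket, and unlike the removed unit-scoped SupplementaryGroups it applies to anything running as postfix, so the socket directory's mode is now what keeps the grant narrow. I would record that on the new attribute so the next maintainer does not widen the group's footprint: `# postfix's spawned daemons do not inherit the unit's SupplementaryGroups (see commit message), so the grant has to live on the account; keep the tlsrpt group scoped to the collector socket only`. The added lines use `lib.mkIf` while the removed ones used bare `mkIf`, which the file evidently has in scope; one form should be used consistently. Whether tlsrpt-collectd actually runs as this new static tlsrpt user (rather than a DynamicUser) and creates the socket group-accessible, and whether this attribute set is gated on `cfg.enable`, cannot be seen here; the enclosing set begins and ends outside the hunk.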
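Review bot: `grep -q postfix` on the `getent group tlsrpt` output in the added line matches any member whose name merely contains "postfix", so the assertion is looser than it looks; `machine.succeed("getent group tlsrpt | grep -qw postfix")` pins the exact member. The check also only reads the group database, whereas the commit's rationale is that membership must be effective in the processes postfix runs; a check executed as that account, e.g. `machine.succeed("runuser -u postfix -- id -nG | grep -qw tlsrpt")`, would exercise the effective supplementary groups rather than the static file. The test script continues outside the hunk.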