nixos/tlsrpt: fix permissions for postfix

Same as with other services giving postfix access, this needs to happen for the postfix user. Adding supplementary group permissions to the systemd unit does not propagate to child processes that ultimately call the unix domain socket.
2025-07-24 02:12:43 +02:00 · 2025-07-24 02:12:43 +02:00 · e48d12554c
commit e48d12554c
parent 6290b93391
2 changed files with 12 additions and 4 deletions
--- a/nixos/modules/services/mail/tlsrpt.nix
+++ b/nixos/modules/services/mail/tlsrpt.nix
@ -270,9 +270,17 @@ in
      };
    };

-    systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf (
-      config.services.postfix.enable && cfg.collectd.configurePostfix
-    ) [ "tlsrpt" ];
+    users.users.tlsrpt = {
+      isSystemUser = true;
+      group = "tlsrpt";
+    };
+    users.groups.tlsrpt = { };
+
+    users.users.postfix.extraGroups =
+      lib.mkIf (config.services.postfix.enable && cfg.collectd.configurePostfix)
+        [
+          "tlsrpt"
+        ];

    systemd.services.tlsrpt-collectd = {
      description = "TLSRPT datagram collector";
--- a/nixos/tests/tlsrpt.nix
+++ b/nixos/tests/tlsrpt.nix
@ -35,7 +35,7 @@

    # Enabling postfix should put sendmail as the sendmail setting
    machine.succeed("grep -q sendmail_script=sendmail /etc/tlsrpt/reportd.cfg")
-    machine.succeed("systemctl show --property SupplementaryGroups postfix.service | grep tlsrpt")
+    machine.succeed("getent group tlsrpt | grep -q postfix")

    machine.log(machine.succeed("systemd-analyze security tlsrpt-collectd.service tlsrpt-reportd.service | grep -v ✓"))
  '';