nixos/pfix-srsd: migrate postfix integration from postfix module

The postfix module is too big to host every individual integration option and moving it here has no downside.
2025-07-15 20:08:24 +02:00 · 2025-07-15 20:08:24 +02:00 · fbc56958af
commit fbc56958af
parent c915f104b0
3 changed files with 43 additions and 31 deletions
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@ -122,6 +122,8 @@

 - `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.

+- `services.pfix-srsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.pfix-srsd.configurePostfix](#opt-services.pfix-srsd.configurePostfix) option.
+
 - `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.

 - `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
--- a/nixos/modules/services/mail/pfix-srsd.nix
+++ b/nixos/modules/services/mail/pfix-srsd.nix
@ -4,6 +4,10 @@
  pkgs,
  ...
 }:
+
+let
+  cfg = config.services.pfix-srsd;
+in
 {

  ###### interface
@ -32,27 +36,46 @@
        type = lib.types.path;
        default = "/var/lib/pfix-srsd/secrets";
      };
+
+      configurePostfix = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = ''
+          Whether to configure the required settings to use pfix-srsd in the local Postfix instance.
+        '';
+      };
    };
  };

  ###### implementation

-  config = lib.mkIf config.services.pfix-srsd.enable {
-    environment = {
-      systemPackages = [ pkgs.pfixtools ];
-    };
-
-    systemd.services.pfix-srsd = {
-      description = "Postfix sender rewriting scheme daemon";
-      before = [ "postfix.service" ];
-      #note that we use requires rather than wants because postfix
-      #is unable to process (almost) all mail without srsd
-      requiredBy = [ "postfix.service" ];
-      serviceConfig = {
-        Type = "forking";
-        PIDFile = "/run/pfix-srsd.pid";
-        ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.enable && cfg.configurePostfix && config.services.postfix.enable) {
+      services.postfix.config = {
+        sender_canonical_maps = [ "tcp:127.0.0.1:10001" ];
+        sender_canonical_classes = [ "envelope_sender" ];
+        recipient_canonical_maps = [ "tcp:127.0.0.1:10002" ];
+        recipient_canonical_classes = [ "envelope_recipient" ];
      };
-    };
-  };
+    })
+
+    (lib.mkIf cfg.enable {
+      environment = {
+        systemPackages = [ pkgs.pfixtools ];
+      };
+
+      systemd.services.pfix-srsd = {
+        description = "Postfix sender rewriting scheme daemon";
+        before = [ "postfix.service" ];
+        #note that we use requires rather than wants because postfix
+        #is unable to process (almost) all mail without srsd
+        requiredBy = [ "postfix.service" ];
+        serviceConfig = {
+          Type = "forking";
+          PIDFile = "/run/pfix-srsd.pid";
+          ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+        };
+      };
+    })
+  ];
 }
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -785,12 +785,6 @@ in
        description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
      };

-      useSrs = lib.mkOption {
-        type = lib.types.bool;
-        default = false;
-        description = "Whether to enable sender rewriting scheme";
-      };
-
    };

  };
@ -808,8 +802,6 @@ in
          systemPackages = [ pkgs.postfix ];
        };

-        services.pfix-srsd.enable = config.services.postfix.useSrs;
-
        services.mail.sendmailSetuidWrapper = lib.mkIf config.services.postfix.setSendmail {
          program = "sendmail";
          source = "${pkgs.postfix}/bin/sendmail";
@ -1002,12 +994,6 @@ in
            ] ++ lib.optional haveAliases "$alias_maps";
          }
          // lib.optionalAttrs (cfg.dnsBlacklists != [ ]) { smtpd_client_restrictions = clientRestrictions; }
-          // lib.optionalAttrs cfg.useSrs {
-            sender_canonical_maps = [ "tcp:127.0.0.1:10001" ];
-            sender_canonical_classes = [ "envelope_sender" ];
-            recipient_canonical_maps = [ "tcp:127.0.0.1:10002" ];
-            recipient_canonical_classes = [ "envelope_recipient" ];
-          }
          // lib.optionalAttrs cfg.enableHeaderChecks {
            header_checks = [ "regexp:/etc/postfix/header_checks" ];
          }
@ -1190,5 +1176,6 @@ in
      [ "services" "postfix" "config" "smtp_tls_security_level" ]
      (config: lib.mkIf config.services.postfix.useDane "dane")
    )
+    (lib.mkRenamedOptionModule [ "services" "postfix" "useSrs" ] [ "services" "pfix-srsd" "enable" ])
  ];
 }