From fbc56958afdf83f0b1bc3be6d9540bcc0deb0971 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 15 Jul 2025 20:08:24 +0200
Subject: [PATCH] nixos/pfix-srsd: migrate postfix integration from postfix module

The postfix module is too big to host every individual integration option and moving it here has no downside.
---
 .../manual/release-notes/rl-2511.section.md | 2 +
 nixos/modules/services/mail/pfix-srsd.nix | 57 +++++++++++++------
 nixos/modules/services/mail/postfix.nix | 15 +----
 3 files changed, 43 insertions(+), 31 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index be57fec927a0..683724e11fc7 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -122,6 +122,8 @@

 - `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.

+- `services.pfix-srsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.pfix-srsd.configurePostfix](#opt-services.pfix-srsd.configurePostfix) option.
+
 - `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.

 - `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
diff --git a/nixos/modules/services/mail/pfix-srsd.nix b/nixos/modules/services/mail/pfix-srsd.nix
index fb6a395e3ab8..035f331dcf6d 100644
--- a/nixos/modules/services/mail/pfix-srsd.nix
+++ b/nixos/modules/services/mail/pfix-srsd.nix
@@ -4,6 +4,10 @@
 pkgs,
 ...
 }:
+
+let
+ cfg = config.services.pfix-srsd;
+in
 {

 ###### interface
@@ -32,27 +36,46 @@
 type = lib.types.path;
 default = "/var/lib/pfix-srsd/secrets";
 };
+
+ configurePostfix = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = ''
+ Whether to configure the required settings to use pfix-srsd in the local Postfix instance.
+ '';
+ };
 };
 };

 ###### implementation

- config = lib.mkIf config.services.pfix-srsd.enable {
- environment = {
- systemPackages = [ pkgs.pfixtools ];
- };
-
- systemd.services.pfix-srsd = {
- description = "Postfix sender rewriting scheme daemon";
- before = [ "postfix.service" ];
- #note that we use requires rather than wants because postfix
- #is unable to process (almost) all mail without srsd
- requiredBy = [ "postfix.service" ];
- serviceConfig = {
- Type = "forking";
- PIDFile = "/run/pfix-srsd.pid";
- ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+ config = lib.mkMerge [
+ (lib.mkIf (cfg.enable && cfg.configurePostfix && config.services.postfix.enable) {
+ services.postfix.config = {
+ sender_canonical_maps = [ "tcp:127.0.0.1:10001" ];
+ sender_canonical_classes = [ "envelope_sender" ];
+ recipient_canonical_maps = [ "tcp:127.0.0.1:10002" ];
+ recipient_canonical_classes = [ "envelope_recipient" ];
 };
- };
- };
+ })
+
+ (lib.mkIf cfg.enable {
+ environment = {
+ systemPackages = [ pkgs.pfixtools ];
+ };
+
+ systemd.services.pfix-srsd = {
+ description = "Postfix sender rewriting scheme daemon";
+ before = [ "postfix.service" ];
+ #note that we use requires rather than wants because postfix
+ #is unable to process (almost) all mail without srsd
+ requiredBy = [ "postfix.service" ];
+ serviceConfig = {
+ Type = "forking";
+ PIDFile = "/run/pfix-srsd.pid";
+ ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+ };
+ };
+ })
+ ];
 }
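Review bot: The `services.postfix.config` block added under `cfg.configurePostfix` hard-codes `tcp:127.0.0.1:10001` and `tcp:127.0.0.1:10002`, while the `ExecStart` line in the same hunk passes no port arguments, so the pairing rests on the daemon's built-in defaults and nothing in the module ties the two together. Because `configurePostfix` defaults to `true`, a host that enabled `services.pfix-srsd` on its own now has envelope rewriting routed through these unauthenticated loopback lookups without opting in, and the values are set at normal priority, so an existing user definition of `sender_canonical_maps` may conflict or be merged depending on the option type, which this hunk does not show. I would spell the effect out in the option text, e.g. `Sets sender_canonical_maps and recipient_canonical_maps (plus their *_classes) to the pfix-srsd listeners on 127.0.0.1:10001 and 127.0.0.1:10002.`, and add `# must match the ports pfix-srsd listens on` above the maps. Separately, `ExecStart` still spells out `config.services.pfix-srsd.domain` and `.secretsFile` although `cfg` is now in scope; `${cfg.domain} ${cfg.secretsFile}` would read more consistently.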
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 7b2d62e1fc97..710f2d381e6a 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -785,12 +785,6 @@ in
 description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
 };

- useSrs = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = "Whether to enable sender rewriting scheme";
- };
-
 };

 };
@@ -808,8 +802,6 @@ in
 systemPackages = [ pkgs.postfix ];
 };

- services.pfix-srsd.enable = config.services.postfix.useSrs;
-
 services.mail.sendmailSetuidWrapper = lib.mkIf config.services.postfix.setSendmail {
 program = "sendmail";
 source = "${pkgs.postfix}/bin/sendmail";
@@ -1002,12 +994,6 @@ in
 ] ++ lib.optional haveAliases "$alias_maps";
 }
 // lib.optionalAttrs (cfg.dnsBlacklists != [ ]) { smtpd_client_restrictions = clientRestrictions; }
- // lib.optionalAttrs cfg.useSrs {
- sender_canonical_maps = [ "tcp:127.0.0.1:10001" ];
- sender_canonical_classes = [ "envelope_sender" ];
- recipient_canonical_maps = [ "tcp:127.0.0.1:10002" ];
- recipient_canonical_classes = [ "envelope_recipient" ];
- }
 // lib.optionalAttrs cfg.enableHeaderChecks {
 header_checks = [ "regexp:/etc/postfix/header_checks" ];
 }
@@ -1190,5 +1176,6 @@ in
 [ "services" "postfix" "config" "smtp_tls_security_level" ]
 (config: lib.mkIf config.services.postfix.useDane "dane")
 )
+ (lib.mkRenamedOptionModule [ "services" "postfix" "useSrs" ] [ "services" "pfix-srsd" "enable" ])
 ];
 }
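Review bot: The `mkRenamedOptionModule` line added in the last hunk forwards every definition of `services.postfix.useSrs` to `services.pfix-srsd.enable`, which leaves no way to express the old combination `useSrs = false` with `services.pfix-srsd.enable = true` (daemon running, Postfix canonical maps untouched). Under the rename both definitions land on one boolean and will presumably fail evaluation as conflicting, and the only equivalent is `services.pfix-srsd.configurePostfix = false`. I would note that next to the rename, e.g. `# useSrs = false no longer keeps Postfix unconfigured; use services.pfix-srsd.configurePostfix = false`, and mention it in the release-note entry. The list this line is appended to starts outside the hunk.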