Unverified Commit 9a9073fc authored by Martin Weinelt's avatar Martin Weinelt

nixos/postsrsd: integrate with postfix by default

parent 819c34cb
+2 −0
@@ -120,6 +120,8 @@

- `services.ntpd-rs` now performs configuration validation.

- `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.

- `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.

- `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
+57 −85
@@ -211,6 +211,14 @@ in
        '';
      };

      configurePostfix = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = ''
          Whether to configure the required settings to use postsrsd in the local Postfix instance.
        '';
      };

      user = lib.mkOption {
        type = lib.types.str;
        default = "postsrsd";
@@ -225,7 +233,23 @@ in
    };
  };

  config = lib.mkIf cfg.enable {
  config = lib.mkMerge [
    (lib.mkIf (cfg.enable && cfg.configurePostfix && config.services.postfix.enable) {
      services.postfix.config = {
        # https://github.com/roehling/postsrsd#configuration
        sender_canonical_maps = "socketmap:${cfg.settings.socketmap}:forward";
        sender_canonical_classes = "envelope_sender";
        recipient_canonical_maps = "socketmap:${cfg.settings.socketmap}:reverse";
        recipient_canonical_classes = [
          "envelope_recipient"
          "header_recipient"
        ];
      };

      users.users.postfix.extraGroups = [ cfg.group ];
    })

    (lib.mkIf cfg.enable {
      users.users = lib.optionalAttrs (cfg.user == "postsrsd") {
        postsrsd = {
          group = cfg.group;
@@ -267,61 +291,9 @@ in
        requires = [ "postsrsd-generate-secrets.service" ];
        restartTriggers = [ configFile ];

      serviceConfig = {
        ExecStart = toString [
          (lib.getExe pkgs.postsrsd)
          "-C"
          "/etc/postsrsd.conf"
        ];
        User = cfg.user;
        Group = cfg.group;
        RuntimeDirectory = "postsrsd";
        RuntimeDirectoryMode = "0750";
        LoadCredential = "secrets-file:${cfg.secretsFile}";

        CapabilityBoundingSet = [ "" ];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateNetwork = lib.hasPrefix "unix:" cfg.settings.socketmap;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        ProtectProc = "invisible";
        ProcSubset = "pid";
        RemoveIPC = true;
        RestrictAddressFamilies =
          if lib.hasPrefix "unix:" cfg.settings.socketmap then
            [ "AF_UNIX" ]
          else
            [
              "AF_INET"
              "AF_INET6"
            ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged @resources"
        ];
        UMask = "0027";
        before = [ "postfix.service" ];
        wantedBy = [ "multi-user.target" ];
        requires = [ "postsrsd-generate-secrets.service" ];
        restartTriggers = [ configFile ];
        serviceConfig = {
          ExecStart = utils.escapeSystemdExecArgs [
            (lib.getExe cfg.package)
            (lib.getExe pkgs.postsrsd)
            "-C"
            "/etc/postsrsd.conf"
          ];
@@ -369,6 +341,6 @@ in
          UMask = "0027";
        };
      };
    };
  };
    })
  ];
}
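Review bot: The `users.users.postfix.extraGroups = [ cfg.group ];` line in the configurePostfix block adds the postfix user to the postsrsd group regardless of how postsrsd listens, although that membership is only needed to reach the socket inside the 0750 RuntimeDirectory when `cfg.settings.socketmap` is a `unix:` path; for an `inet:` socketmap it widens the postfix user's access for no benefit. The same module already branches on that prefix for PrivateNetwork and RestrictAddressFamilies, so the same test fits here: `users.users.postfix.extraGroups = lib.optional (lib.hasPrefix "unix:" cfg.settings.socketmap) cfg.group;`. The configurePostfix option description would also be more useful if it said that enabling it sets canonical map entries in `services.postfix.config` and changes the postfix user's supplementary groups, since "the required settings" does not tell an operator what is touched. The `config = lib.mkMerge [` attribute set opened in the second hunk runs through the later hunks and only closes at the end of the file.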