Merge pull request #29452 from jerith666/pfix-srsd-1709

nixos/pfix-srsd: add module

authored by

Joachim F and committed by
GitHub
cb3d4437 0a3dae82

+71
+1
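--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -269,6 +269,7 @@
 ./services/mail/offlineimap.nix
 ./services/mail/opendkim.nix
 ./services/mail/opensmtpd.nix
+./services/mail/pfix-srsd.nix
 ./services/mail/postfix.nix
 ./services/mail/postsrsd.nix
 ./services/mail/postgrey.nix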
+56
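--- a/nixos/modules/services/mail/pfix-srsd.nix
+++ b/nixos/modules/services/mail/pfix-srsd.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+###### interface
+
+options = {
+
+services.pfix-srsd = {
+enable = mkOption {
+default = false;
+type = types.bool;
+description = "Whether to run the postfix sender rewriting scheme daemon.";
+};
+
+domain = mkOption {
+description = "The domain for which to enable srs";
+type = types.str;
+example = "example.com";
+};
+
+secretsFile = mkOption {
+description = ''
+The secret data used to encode the SRS address.
+to generate, use a command like:
+<literal>for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; done</literal>
+'';
+type = types.path;
+default = "/var/lib/pfix-srsd/secrets";
+};
+};
+};
+
+###### implementation
+
+config = mkIf config.services.pfix-srsd.enable {
+environment = {
+systemPackages = [ pkgs.pfixtools ];
+};
+
+systemd.services."pfix-srsd" = {
+description = "Postfix sender rewriting scheme daemon";
+before = [ "postfix.service" ];
+#note that we use requires rather than wants because postfix
+#is unable to process (almost) all mail without srsd
+requiredBy = [ "postfix.service" ];
+serviceConfig = {
+Type = "forking";
+PIDFile = "/var/run/pfix-srsd.pid";
+ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /var/run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+};
+};
+};
+}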
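Review bot: `secretsFile` is declared as `types.path` and interpolated straight into `ExecStart`, so a user who sets it to a Nix path literal (e.g. `./secrets`) would have the SRS secret copied into the world-readable Nix store; the option description should state that the value must point at a file outside the store, e.g. add `Must be an absolute path to a file outside the Nix store (as the default is); a path literal would copy the secret into the world-readable store.` The `serviceConfig` also sets no `User` or `DynamicUser`, so the daemon runs as root while reading the secret and serving Postfix; if pfix-srsd can run unprivileged — I cannot tell from this hunk — a dedicated user plus a `RuntimeDirectory` for the PID file instead of `/var/run` would be the safer default. Minor wording: `to generate, use a command like:` should start with a capital and `srs` in the `domain` description should be `SRS`.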
+14
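--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -79,6 +79,12 @@
 // optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; }
 // optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; }
 // optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
+// optionalAttrs cfg.useSrs {
+sender_canonical_maps = "tcp:127.0.0.1:10001";
+sender_canonical_classes = "envelope_sender";
+recipient_canonical_maps = "tcp:127.0.0.1:10002";
+recipient_canonical_classes= "envelope_recipient";
+}
 // optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; }
 // optionalAttrs (cfg.sslCert != "") {
 smtp_tls_CAfile = cfg.sslCACert;
@@ -626,6 +632,12 @@
 description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
 };
 
+useSrs = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to enable sender rewriting scheme";
+};
+
 };
 
 };
@@ -645,6 +657,8 @@
 # This makes comfortable for root to run 'postqueue' for example.
 systemPackages = [ pkgs.postfix ];
 };
+
+services.pfix-srsd.enable = config.services.postfix.useSrs;
 
 services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
 program = "sendmail";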
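Review bot: The loopback ports 10001 and 10002 in the first hunk are hard-coded with nothing saying where they come from, and the pfix-srsd module this commit adds does not configure the daemon's listen ports, so the coupling rests on the daemon's defaults; a comment such as `# pfix-srsd's default sender/recipient rewriting ports; keep in sync with services.pfix-srsd` would make that explicit. `recipient_canonical_classes= "envelope_recipient"` is missing the space before `=` that its neighbours have. In the second hunk the `useSrs` description could say that it also enables `services.pfix-srsd`, whose `domain` option appears to have no default and so must still be set by the user, e.g. `Whether to enable the sender rewriting scheme; this also enables services.pfix-srsd, which requires services.pfix-srsd.domain to be set.` The surrounding attribute set and the config block that the third hunk lives in start and end outside these hunks.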