...

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-05-14 10:50:27 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-05-14 10:50:27 +0200
commit: 43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c (patch)
tree: c1cc8a034395c9bb8188651f6835922b38887f32 /modules
parent: 03d49aa8ec6f51c8f51bfb628e614ac537cca8e0 (diff)
download: nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.gz
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.bz2
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.xz
nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.zip
3 files changed, 369 insertions, 0 deletions
diff --git a/modules/i18n.nix b/modules/i18n.nix
new file mode 100644
index 00000000..f84e8b64
--- /dev/null
+++ b/modules/i18n.nix
@@ -0,0 +1,156 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  aggregatedLocales =
+    (builtins.map
+      (l: (lib.replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8")
+      (
+        [ config.i18n.defaultLocale ]
+        ++ (lib.optionals (builtins.isList config.i18n.extraLocales) config.i18n.extraLocales)
+        ++ (lib.attrValues (lib.filterAttrs (n: _v: lib.hasPrefix "LC_" n) config.i18n.extraLocaleSettings))
+      )
+    )
+    ++ (lib.optional (builtins.isString config.i18n.extraLocales) config.i18n.extraLocales);
+in
+{
+  disabledModules = [ "config/i18n.nix" ];
+  ###### interface
+  options = {
+    i18n = {
+      glibcLocales = lib.mkOption {
+        type = lib.types.path;
+        default = pkgs.glibcLocales.override {
+          allLocales = lib.any (x: x == "all") config.i18n.supportedLocales;
+          locales = config.i18n.supportedLocales;
+        };
+        defaultText = lib.literalExpression ''
+          pkgs.glibcLocales.override {
+            allLocales = lib.any (x: x == "all") config.i18n.supportedLocales;
+            locales = config.i18n.supportedLocales;
+          }
+        '';
+        example = lib.literalExpression "pkgs.glibcLocales";
+        description = ''
+          Customized pkg.glibcLocales package.
+          Changing this option can disable handling of i18n.defaultLocale
+          and supportedLocale.
+        '';
+      };
+      defaultLocale = lib.mkOption {
+        type = lib.types.str;
+        default = "en_US.UTF-8";
+        example = "nl_NL.UTF-8";
+        description = ''
+          The default locale.  It determines the language for program
+          messages, the format for dates and times, sort order, and so on.
+          It also determines the character set, such as UTF-8.
+        '';
+      };
+      extraLocales = lib.mkOption {
+        type = lib.types.either (lib.types.listOf lib.types.str) (lib.types.enum [ "all" ]);
+        default = [ ];
+        example = [ "nl_NL.UTF-8" ];
+        description = ''
+          Additional locales that the system should support, besides the ones
+          configured with {option}`i18n.defaultLocale` and
+          {option}`i18n.extraLocaleSettings`.
+          Set this to `"all"` to install all available locales.
+        '';
+      };
+      extraLocaleSettings = lib.mkOption {
+        type = lib.types.attrsOf lib.types.str;
+        default = { };
+        example = {
+          LC_MESSAGES = "en_US.UTF-8";
+          LC_TIME = "de_DE.UTF-8";
+        };
+        description = ''
+          A set of additional system-wide locale settings other than
+          `LANG` which can be configured with
+          {option}`i18n.defaultLocale`.
+        '';
+      };
+      supportedLocales = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        visible = false;
+        default = lib.unique (
+          [
+            "C.UTF-8/UTF-8"
+            "en_US.UTF-8/UTF-8"
+          ]
+          ++ aggregatedLocales
+        );
+        example = [
+          "en_US.UTF-8/UTF-8"
+          "nl_NL.UTF-8/UTF-8"
+          "nl_NL/ISO-8859-1"
+        ];
+        description = ''
+          List of locales that the system should support.  The value
+          `"all"` means that all locales supported by
+          Glibc will be installed.  A full list of supported locales
+          can be found at <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>.
+        '';
+      };
+    };
+  };
+  ###### implementation
+  config = {
+    warnings =
+      lib.optional
+        (
+          !(
+            (lib.subtractLists config.i18n.supportedLocales aggregatedLocales) == [ ]
+            || lib.any (x: x == "all") config.i18n.supportedLocales
+          )
+        )
+        ''
+          `i18n.supportedLocales` is deprecated in favor of `i18n.extraLocales`,
+          and it seems you are using `i18n.supportedLocales` and forgot to
+          include some locales specified in `i18n.defaultLocale`,
+          `i18n.extraLocales` or `i18n.extraLocaleSettings`.
+          If you're trying to install additional locales not specified in
+          `i18n.defaultLocale` or `i18n.extraLocaleSettings`, consider adding
+          only those locales to `i18n.extraLocales`.
+        '';
+    environment.systemPackages =
+      # We increase the priority a little, so that plain glibc in systemPackages can't win.
+      lib.optional (config.i18n.supportedLocales != [ ]) (lib.setPrio (-1) config.i18n.glibcLocales);
+    environment.sessionVariables = {
+      LANG = config.i18n.defaultLocale;
+      LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
+    } // config.i18n.extraLocaleSettings;
+    systemd.globalEnvironment = lib.mkIf (config.i18n.supportedLocales != [ ]) {
+      LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
+    };
+    # ‘/etc/locale.conf’ is used by systemd.
+    environment.etc."locale.conf".source = pkgs.writeText "locale.conf" ''
+      LANG=${config.i18n.defaultLocale}
+      ${lib.concatStringsSep "\n" (
+        lib.mapAttrsToList (n: v: "${n}=${v}") config.i18n.extraLocaleSettings
+      )}
+    '';
+  };
+}
diff --git a/modules/installer.nix b/modules/installer.nix
new file mode 100644
index 00000000..3e5c6d5b
--- /dev/null
+++ b/modules/installer.nix
@@ -0,0 +1,56 @@
+{ flake, config, lib, pkgs, ... }:
+let
+  cfg = config.installer.links;
+  installerOutPath = {
+    "cd-dvd" = _: installerBuild: "${installerBuild.config.system.build.isoImage}/iso";
+    "netboot" = {system, variant}: installerBuild: pkgs.runCommandLocal "${system}-${variant}" {} ''
+      mkdir $out
+      install -m 0444 -t $out \
+        ${installerBuild.config.system.build.netbootRamdisk}/initrd \
+        ${installerBuild.config.system.build.kernel}/${config.system.boot.loader.kernelFile} \
+        ${installerBuild.config.system.build.netbootIpxeScript}/netboot.ipxe \
+        ${pkgs.ipxe.override {
+          additionalTargets = {
+            "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
+          };
+          additionalOptions = [
+            "NSLOOKUP_CMD"
+            "PING_CMD"
+            "CONSOLE_CMD"
+          ];
+          embedScript = pkgs.writeText "netboot.ipxe" ''
+            #!ipxe
+            chain netboot.ipxe
+          '';
+        }}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn}
+    '';
+  };
+in {
+  options = {
+    installer.links = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          system = lib.mkOption {
+            type = lib.types.str;
+          };
+          variant = lib.mkOption {
+            type = lib.types.str;
+          };
+        };
+      });
+      default = [];
+    };
+  };
+  config = lib.mkIf (cfg != []) {
+    systemd.tmpfiles.rules = map (installer'@{system, variant}:
+      let
+        installer = "${system}-${variant}";
+        installerBuild = builtins.addErrorContext "while evaluating installer-${installer}" flake.nixosConfigurations.${"installer-${installer}"};
+      in "L+ /run/installer-${installer} - - - - ${installerOutPath.${variant} installer' installerBuild}"
+    ) cfg;
+  };
+}
diff --git a/modules/postsrsd.nix b/modules/postsrsd.nix
new file mode 100644
index 00000000..205e669d
--- /dev/null
+++ b/modules/postsrsd.nix
@@ -0,0 +1,157 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.postsrsd;
+  runtimeDirectoryName = "postsrsd";
+  runtimeDirectory = "/run/${runtimeDirectoryName}";
+  # TODO: follow RFC 42, but we need a libconfuse format first:
+  #       https://github.com/NixOS/nixpkgs/issues/401565
+  # Arrays in `libconfuse` look like this: {"Life", "Universe", "Everything"}
+  # See https://www.nongnu.org/confuse/tutorial-html/ar01s03.html.
+  #
+  # Note: We're using `builtins.toJSON` to escape strings, but JSON strings
+  # don't have exactly the same semantics as libconfuse strings. For example,
+  # "${F}" gets treated as an env var reference, see above issue for details.
+  libconfuseDomains = "{ " + lib.concatMapStringsSep ", " builtins.toJSON cfg.domains + " }";
+  configFile = pkgs.writeText "postsrsd.conf" ''
+    secrets-file = "''${CREDENTIALS_DIRECTORY}/secrets-file"
+    domains = ${libconfuseDomains}
+    separator = "${cfg.separator}"
+    # Disable postsrsd's jailing in favor of confinement with systemd.
+    unprivileged-user = ""
+    chroot-dir = ""
+    ${cfg.extraConfig}
+  '';
+in
+{
+  imports =
+    map
+      (
+        name:
+        lib.mkRemovedOptionModule [ "services" "postsrsd" name ] ''
+          `postsrsd` was upgraded to `>= 2.0.0`, with some different behaviors and configuration settings:
+            - NixOS Release Notes: https://nixos.org/manual/nixos/unstable/release-notes#sec-nixpkgs-release-25.05-incompatibilities
+            - NixOS Options Reference: https://nixos.org/manual/nixos/unstable/options#opt-services.postsrsd.enable
+            - Migration instructions: https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x
+            - Postfix Setup: https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#postfix-setup
+        ''
+      )
+      [
+        "domain"
+        "forwardPort"
+        "reversePort"
+        "timeout"
+        "excludeDomains"
+      ];
+  disabledModules = [ "services/mail/postsrsd.nix" ];
+  options = {
+    services.postsrsd = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether to enable the postsrsd SRS server for Postfix.";
+      };
+      secretsFile = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/postsrsd/postsrsd.secret";
+        description = "Secret keys used for signing and verification";
+      };
+      domains = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "Domain names for rewrite";
+        default = [ config.networking.hostName ];
+        defaultText = lib.literalExpression "[ config.networking.hostName ]";
+      };
+      separator = lib.mkOption {
+        type = lib.types.enum [
+          "-"
+          "="
+          "+"
+        ];
+        default = "=";
+        description = "First separator character in generated addresses";
+      };
+      user = lib.mkOption {
+        type = lib.types.str;
+        default = "postsrsd";
+        description = "User for the daemon";
+      };
+      group = lib.mkOption {
+        type = lib.types.str;
+        default = "postsrsd";
+        description = "Group for the daemon";
+      };
+      extraConfig = lib.mkOption {
+        type = lib.types.lines;
+        default = "";
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == "postsrsd") {
+      postsrsd = {
+        group = cfg.group;
+        uid = config.ids.uids.postsrsd;
+      };
+    };
+    users.groups = lib.optionalAttrs (cfg.group == "postsrsd") {
+      postsrsd.gid = config.ids.gids.postsrsd;
+    };
+    systemd.services.postsrsd-generate-secrets = {
+      path = [ pkgs.coreutils ];
+      script = ''
+        if [ -e "${cfg.secretsFile}" ]; then
+          echo "Secrets file exists. Nothing to do!"
+        else
+          echo "WARNING: secrets file not found, autogenerating!"
+          DIR="$(dirname "${cfg.secretsFile}")"
+          install -m 750 -o ${cfg.user} -g ${cfg.group} -d "$DIR"
+          install -m 600 -o ${cfg.user} -g ${cfg.group} <(dd if=/dev/random bs=18 count=1 | base64) "${cfg.secretsFile}"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+      };
+    };
+    systemd.services.postsrsd = {
+      description = "PostSRSd SRS rewriting server";
+      after = [
+        "network.target"
+        "postsrsd-generate-secrets.service"
+      ];
+      before = [ "postfix.service" ];
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "postsrsd-generate-secrets.service" ];
+      confinement.enable = true;
+      serviceConfig = {
+        ExecStart = "${lib.getExe pkgs.postsrsd} -C ${configFile}";
+        User = cfg.user;
+        Group = cfg.group;
+        PermissionsStartOnly = true;
+        RuntimeDirectory = runtimeDirectoryName;
+        LoadCredential = "secrets-file:${cfg.secretsFile}";
+      };
+    };
+  };
+}
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-05-14 10:50:27 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-05-14 10:50:27 +0200
commit	43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c (patch)
tree	c1cc8a034395c9bb8188651f6835922b38887f32 /modules
parent	03d49aa8ec6f51c8f51bfb628e614ac537cca8e0 (diff)
download	nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.gz nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.bz2 nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.tar.xz nixos-43c9825e49d25fbd2c19abcdeb8f73aee8be2a4c.zip

diff --git a/modules/i18n.nix b/modules/i18n.nix new file mode 100644 index 00000000..f84e8b64 --- /dev/null +++ b/modules/i18n.nix
@@ -0,0 +1,156 @@
	1	{
	2	config,
	3	lib,
	4	pkgs,
	5	...
	6	}:
	7	let
	8	aggregatedLocales =
	9	(builtins.map
	10	(l: (lib.replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8")
	11	(
	12	[ config.i18n.defaultLocale ]
	13	++ (lib.optionals (builtins.isList config.i18n.extraLocales) config.i18n.extraLocales)
	14	++ (lib.attrValues (lib.filterAttrs (n: _v: lib.hasPrefix "LC_" n) config.i18n.extraLocaleSettings))
	15	)
	16	)
	17	++ (lib.optional (builtins.isString config.i18n.extraLocales) config.i18n.extraLocales);
	18	in
	19	{
	20	disabledModules = [ "config/i18n.nix" ];
	21
	22	###### interface
	23
	24	options = {
	25
	26	i18n = {
	27	glibcLocales = lib.mkOption {
	28	type = lib.types.path;
	29	default = pkgs.glibcLocales.override {
	30	allLocales = lib.any (x: x == "all") config.i18n.supportedLocales;
	31	locales = config.i18n.supportedLocales;
	32	};
	33	defaultText = lib.literalExpression ''
	34	pkgs.glibcLocales.override {
	35	allLocales = lib.any (x: x == "all") config.i18n.supportedLocales;
	36	locales = config.i18n.supportedLocales;
	37	}
	38	'';
	39	example = lib.literalExpression "pkgs.glibcLocales";
	40	description = ''
	41	Customized pkg.glibcLocales package.
	42
	43	Changing this option can disable handling of i18n.defaultLocale
	44	and supportedLocale.
	45	'';
	46	};
	47
	48	defaultLocale = lib.mkOption {
	49	type = lib.types.str;
	50	default = "en_US.UTF-8";
	51	example = "nl_NL.UTF-8";
	52	description = ''
	53	The default locale. It determines the language for program
	54	messages, the format for dates and times, sort order, and so on.
	55	It also determines the character set, such as UTF-8.
	56	'';
	57	};
	58
	59	extraLocales = lib.mkOption {
	60	type = lib.types.either (lib.types.listOf lib.types.str) (lib.types.enum [ "all" ]);
	61	default = [ ];
	62	example = [ "nl_NL.UTF-8" ];
	63	description = ''
	64	Additional locales that the system should support, besides the ones
	65	configured with {option}`i18n.defaultLocale` and
	66	{option}`i18n.extraLocaleSettings`.
	67	Set this to `"all"` to install all available locales.
	68	'';
	69	};
	70
	71	extraLocaleSettings = lib.mkOption {
	72	type = lib.types.attrsOf lib.types.str;
	73	default = { };
	74	example = {
	75	LC_MESSAGES = "en_US.UTF-8";
	76	LC_TIME = "de_DE.UTF-8";
	77	};
	78	description = ''
	79	A set of additional system-wide locale settings other than
	80	`LANG` which can be configured with
	81	{option}`i18n.defaultLocale`.
	82	'';
	83	};
	84
	85	supportedLocales = lib.mkOption {
	86	type = lib.types.listOf lib.types.str;
	87	visible = false;
	88	default = lib.unique (
	89	[
	90	"C.UTF-8/UTF-8"
	91	"en_US.UTF-8/UTF-8"
	92	]
	93	++ aggregatedLocales
	94	);
	95	example = [
	96	"en_US.UTF-8/UTF-8"
	97	"nl_NL.UTF-8/UTF-8"
	98	"nl_NL/ISO-8859-1"
	99	];
	100	description = ''
	101	List of locales that the system should support. The value
	102	`"all"` means that all locales supported by
	103	Glibc will be installed. A full list of supported locales
	104	can be found at <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>.
	105	'';
	106	};
	107
	108	};
	109
	110	};
	111
	112	###### implementation
	113
	114	config = {
	115	warnings =
	116	lib.optional
	117	(
	118	!(
	119	(lib.subtractLists config.i18n.supportedLocales aggregatedLocales) == [ ]
	120	\|\| lib.any (x: x == "all") config.i18n.supportedLocales
	121	)
	122	)
	123	''
	124	`i18n.supportedLocales` is deprecated in favor of `i18n.extraLocales`,
	125	and it seems you are using `i18n.supportedLocales` and forgot to
	126	include some locales specified in `i18n.defaultLocale`,
	127	`i18n.extraLocales` or `i18n.extraLocaleSettings`.
	128
	129	If you're trying to install additional locales not specified in
	130	`i18n.defaultLocale` or `i18n.extraLocaleSettings`, consider adding
	131	only those locales to `i18n.extraLocales`.
	132	'';
	133
	134	environment.systemPackages =
	135	# We increase the priority a little, so that plain glibc in systemPackages can't win.
	136	lib.optional (config.i18n.supportedLocales != [ ]) (lib.setPrio (-1) config.i18n.glibcLocales);
	137
	138	environment.sessionVariables = {
	139	LANG = config.i18n.defaultLocale;
	140	LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
	141	} // config.i18n.extraLocaleSettings;
	142
	143	systemd.globalEnvironment = lib.mkIf (config.i18n.supportedLocales != [ ]) {
	144	LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
	145	};
	146
	147	# ‘/etc/locale.conf’ is used by systemd.
	148	environment.etc."locale.conf".source = pkgs.writeText "locale.conf" ''
	149	LANG=${config.i18n.defaultLocale}
	150	${lib.concatStringsSep "\n" (
	151	lib.mapAttrsToList (n: v: "${n}=${v}") config.i18n.extraLocaleSettings
	152	)}
	153	'';
	154
	155	};
	156	}


diff --git a/modules/installer.nix b/modules/installer.nix new file mode 100644 index 00000000..3e5c6d5b --- /dev/null +++ b/modules/installer.nix
@@ -0,0 +1,56 @@
	1	{ flake, config, lib, pkgs, ... }:
	2
	3	let
	4	cfg = config.installer.links;
	5
	6	installerOutPath = {
	7	"cd-dvd" = _: installerBuild: "${installerBuild.config.system.build.isoImage}/iso";
	8	"netboot" = {system, variant}: installerBuild: pkgs.runCommandLocal "${system}-${variant}" {} ''
	9	mkdir $out
	10	install -m 0444 -t $out \
	11	${installerBuild.config.system.build.netbootRamdisk}/initrd \
	12	${installerBuild.config.system.build.kernel}/${config.system.boot.loader.kernelFile} \
	13	${installerBuild.config.system.build.netbootIpxeScript}/netboot.ipxe \
	14	${pkgs.ipxe.override {
	15	additionalTargets = {
	16	"bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
	17	};
	18	additionalOptions = [
	19	"NSLOOKUP_CMD"
	20	"PING_CMD"
	21	"CONSOLE_CMD"
	22	];
	23	embedScript = pkgs.writeText "netboot.ipxe" ''
	24	#!ipxe
	25
	26	chain netboot.ipxe
	27	'';
	28	}}/{ipxe.efi,i386-ipxe.efi,ipxe.lkrn}
	29	'';
	30	};
	31	in {
	32	options = {
	33	installer.links = lib.mkOption {
	34	type = lib.types.listOf (lib.types.submodule {
	35	options = {
	36	system = lib.mkOption {
	37	type = lib.types.str;
	38	};
	39	variant = lib.mkOption {
	40	type = lib.types.str;
	41	};
	42	};
	43	});
	44	default = [];
	45	};
	46	};
	47
	48	config = lib.mkIf (cfg != []) {
	49	systemd.tmpfiles.rules = map (installer'@{system, variant}:
	50	let
	51	installer = "${system}-${variant}";
	52	installerBuild = builtins.addErrorContext "while evaluating installer-${installer}" flake.nixosConfigurations.${"installer-${installer}"};
	53	in "L+ /run/installer-${installer} - - - - ${installerOutPath.${variant} installer' installerBuild}"
	54	) cfg;
	55	};
	56	}


diff --git a/modules/postsrsd.nix b/modules/postsrsd.nix new file mode 100644 index 00000000..205e669d --- /dev/null +++ b/modules/postsrsd.nix
@@ -0,0 +1,157 @@
	1	{
	2	config,
	3	lib,
	4	pkgs,
	5	...
	6	}:
	7	let
	8
	9	cfg = config.services.postsrsd;
	10	runtimeDirectoryName = "postsrsd";
	11	runtimeDirectory = "/run/${runtimeDirectoryName}";
	12	# TODO: follow RFC 42, but we need a libconfuse format first:
	13	# https://github.com/NixOS/nixpkgs/issues/401565
	14	# Arrays in `libconfuse` look like this: {"Life", "Universe", "Everything"}
	15	# See https://www.nongnu.org/confuse/tutorial-html/ar01s03.html.
	16	#
	17	# Note: We're using `builtins.toJSON` to escape strings, but JSON strings
	18	# don't have exactly the same semantics as libconfuse strings. For example,
	19	# "${F}" gets treated as an env var reference, see above issue for details.
	20	libconfuseDomains = "{ " + lib.concatMapStringsSep ", " builtins.toJSON cfg.domains + " }";
	21	configFile = pkgs.writeText "postsrsd.conf" ''
	22	secrets-file = "''${CREDENTIALS_DIRECTORY}/secrets-file"
	23	domains = ${libconfuseDomains}
	24	separator = "${cfg.separator}"
	25
	26	# Disable postsrsd's jailing in favor of confinement with systemd.
	27	unprivileged-user = ""
	28	chroot-dir = ""
	29
	30	${cfg.extraConfig}
	31	'';
	32
	33	in
	34	{
	35	imports =
	36	map
	37	(
	38	name:
	39	lib.mkRemovedOptionModule [ "services" "postsrsd" name ] ''
	40	`postsrsd` was upgraded to `>= 2.0.0`, with some different behaviors and configuration settings:
	41	- NixOS Release Notes: https://nixos.org/manual/nixos/unstable/release-notes#sec-nixpkgs-release-25.05-incompatibilities
	42	- NixOS Options Reference: https://nixos.org/manual/nixos/unstable/options#opt-services.postsrsd.enable
	43	- Migration instructions: https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x
	44	- Postfix Setup: https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#postfix-setup
	45	''
	46	)
	47	[
	48	"domain"
	49	"forwardPort"
	50	"reversePort"
	51	"timeout"
	52	"excludeDomains"
	53	];
	54
	55	disabledModules = [ "services/mail/postsrsd.nix" ];
	56
	57	options = {
	58	services.postsrsd = {
	59	enable = lib.mkOption {
	60	type = lib.types.bool;
	61	default = false;
	62	description = "Whether to enable the postsrsd SRS server for Postfix.";
	63	};
	64
	65	secretsFile = lib.mkOption {
	66	type = lib.types.path;
	67	default = "/var/lib/postsrsd/postsrsd.secret";
	68	description = "Secret keys used for signing and verification";
	69	};
	70
	71	domains = lib.mkOption {
	72	type = lib.types.listOf lib.types.str;
	73	description = "Domain names for rewrite";
	74	default = [ config.networking.hostName ];
	75	defaultText = lib.literalExpression "[ config.networking.hostName ]";
	76	};
	77
	78	separator = lib.mkOption {
	79	type = lib.types.enum [
	80	"-"
	81	"="
	82	"+"
	83	];
	84	default = "=";
	85	description = "First separator character in generated addresses";
	86	};
	87
	88	user = lib.mkOption {
	89	type = lib.types.str;
	90	default = "postsrsd";
	91	description = "User for the daemon";
	92	};
	93
	94	group = lib.mkOption {
	95	type = lib.types.str;
	96	default = "postsrsd";
	97	description = "Group for the daemon";
	98	};
	99
	100	extraConfig = lib.mkOption {
	101	type = lib.types.lines;
	102	default = "";
	103	};
	104	};
	105	};
	106
	107	config = lib.mkIf cfg.enable {
	108	users.users = lib.optionalAttrs (cfg.user == "postsrsd") {
	109	postsrsd = {
	110	group = cfg.group;
	111	uid = config.ids.uids.postsrsd;
	112	};
	113	};
	114
	115	users.groups = lib.optionalAttrs (cfg.group == "postsrsd") {
	116	postsrsd.gid = config.ids.gids.postsrsd;
	117	};
	118
	119	systemd.services.postsrsd-generate-secrets = {
	120	path = [ pkgs.coreutils ];
	121	script = ''
	122	if [ -e "${cfg.secretsFile}" ]; then
	123	echo "Secrets file exists. Nothing to do!"
	124	else
	125	echo "WARNING: secrets file not found, autogenerating!"
	126	DIR="$(dirname "${cfg.secretsFile}")"
	127	install -m 750 -o ${cfg.user} -g ${cfg.group} -d "$DIR"
	128	install -m 600 -o ${cfg.user} -g ${cfg.group} <(dd if=/dev/random bs=18 count=1 \| base64) "${cfg.secretsFile}"
	129	fi
	130	'';
	131	serviceConfig = {
	132	Type = "oneshot";
	133	};
	134	};
	135
	136	systemd.services.postsrsd = {
	137	description = "PostSRSd SRS rewriting server";
	138	after = [
	139	"network.target"
	140	"postsrsd-generate-secrets.service"
	141	];
	142	before = [ "postfix.service" ];
	143	wantedBy = [ "multi-user.target" ];
	144	requires = [ "postsrsd-generate-secrets.service" ];
	145	confinement.enable = true;
	146
	147	serviceConfig = {
	148	ExecStart = "${lib.getExe pkgs.postsrsd} -C ${configFile}";
	149	User = cfg.user;
	150	Group = cfg.group;
	151	PermissionsStartOnly = true;
	152	RuntimeDirectory = runtimeDirectoryName;
	153	LoadCredential = "secrets-file:${cfg.secretsFile}";
	154	};
	155	};
	156	};
	157	}