{ config, pkgs, lib, ... }: with lib; let cfg = config.services.postfix-mta-sts-resolver; in { options = { services.postfix-mta-sts-resolver = { enable = mkEnableOption "mta-sts-daemon"; package = mkPackageOption pkgs "postfix-mta-sts-resolver"; redis = mkEnableOption "redis cache" // { default = true; example = false; }; loglevel = mkOption { type = types.enum ["debug" "info" "warn" "error" "fatal"]; default = "info"; }; settings = mkOption { type = types.attrs; }; }; }; config = mkIf cfg.enable { services.postfix-mta-sts-resolver.settings = { path = "/run/postfix-mta-sts-resolver/map.sock"; mode = 432; # 0o0660 } // (optionalAttrs cfg.redis { cache = { type = "redis"; options.url = "unix://${toString config.services.redis.servers.postfix-mta-sts-resolver.unixSocket}"; }; }); services.redis.servers.postfix-mta-sts-resolver = mkIf cfg.redis { enable = true; }; users.users.postfix-mta-sts-resolver = { isSystemUser = true; group = "postfix-mta-sts-resolver"; }; users.groups.postfix-mta-sts-resolver = { members = ["postfix"]; }; systemd.services."postfix-mta-sts-resolver" = { wantedBy = ["postfix.service"]; before = ["postfix.service"]; wants = mkIf cfg.redis [ "redis-postfix-mta-sts-resolver.service" ]; after = mkIf cfg.redis [ "redis-postfix-mta-sts-resolver.service" ]; serviceConfig = { Type = "notify"; ExecStart = "${pkgs.postfix-mta-sts-resolver}/bin/mta-sts-daemon -v ${cfg.loglevel} -c ${pkgs.writeText "mta-sts-daemon.yml" (generators.toYAML {} cfg.settings)}"; Restart = "always"; KillMode = "process"; TimeoutStartSec = 10; TimeoutStopSec = 30; RuntimeDirectory = "postfix-mta-sts-resolver"; User = "postfix-mta-sts-resolver"; Group = "postfix-mta-sts-resolver"; SupplementaryGroups = mkIf cfg.redis config.services.redis.servers.postfix-mta-sts-resolver.user; RemoveIPC = true; PrivateTmp = true; NoNewPrivileges = true; RestrictSUIDSGID = true; ProtectSystem = "strict"; ProtectHome = "read-only"; ReadWritePaths = mkIf cfg.redis ["/run/redis-postfix-mta-sts-resolver"]; }; }; }; }