| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
 | {
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.postsrsd;
  runtimeDirectoryName = "postsrsd";
  runtimeDirectory = "/run/${runtimeDirectoryName}";
  # TODO: follow RFC 42, but we need a libconfuse format first:
  #       https://github.com/NixOS/nixpkgs/issues/401565
  # Arrays in `libconfuse` look like this: {"Life", "Universe", "Everything"}
  # See https://www.nongnu.org/confuse/tutorial-html/ar01s03.html.
  #
  # Note: We're using `builtins.toJSON` to escape strings, but JSON strings
  # don't have exactly the same semantics as libconfuse strings. For example,
  # "${F}" gets treated as an env var reference, see above issue for details.
  libconfuseDomains = "{ " + lib.concatMapStringsSep ", " builtins.toJSON cfg.domains + " }";
  configFile = pkgs.writeText "postsrsd.conf" ''
    secrets-file = "''${CREDENTIALS_DIRECTORY}/secrets-file"
    domains = ${libconfuseDomains}
    separator = "${cfg.separator}"
    # Disable postsrsd's jailing in favor of confinement with systemd.
    unprivileged-user = ""
    chroot-dir = ""
    ${cfg.extraConfig}
  '';
in
{
  imports =
    map
      (
        name:
        lib.mkRemovedOptionModule [ "services" "postsrsd" name ] ''
          `postsrsd` was upgraded to `>= 2.0.0`, with some different behaviors and configuration settings:
            - NixOS Release Notes: https://nixos.org/manual/nixos/unstable/release-notes#sec-nixpkgs-release-25.05-incompatibilities
            - NixOS Options Reference: https://nixos.org/manual/nixos/unstable/options#opt-services.postsrsd.enable
            - Migration instructions: https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x
            - Postfix Setup: https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#postfix-setup
        ''
      )
      [
        "domain"
        "forwardPort"
        "reversePort"
        "timeout"
        "excludeDomains"
      ];
  disabledModules = [ "services/mail/postsrsd.nix" ];
  options = {
    services.postsrsd = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to enable the postsrsd SRS server for Postfix.";
      };
      secretsFile = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/postsrsd/postsrsd.secret";
        description = "Secret keys used for signing and verification";
      };
      domains = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = "Domain names for rewrite";
        default = [ config.networking.hostName ];
        defaultText = lib.literalExpression "[ config.networking.hostName ]";
      };
      separator = lib.mkOption {
        type = lib.types.enum [
          "-"
          "="
          "+"
        ];
        default = "=";
        description = "First separator character in generated addresses";
      };
      user = lib.mkOption {
        type = lib.types.str;
        default = "postsrsd";
        description = "User for the daemon";
      };
      group = lib.mkOption {
        type = lib.types.str;
        default = "postsrsd";
        description = "Group for the daemon";
      };
      extraConfig = lib.mkOption {
        type = lib.types.lines;
        default = "";
      };
    };
  };
  config = lib.mkIf cfg.enable {
    users.users = lib.optionalAttrs (cfg.user == "postsrsd") {
      postsrsd = {
        group = cfg.group;
        uid = config.ids.uids.postsrsd;
      };
    };
    users.groups = lib.optionalAttrs (cfg.group == "postsrsd") {
      postsrsd.gid = config.ids.gids.postsrsd;
    };
    systemd.services.postsrsd-generate-secrets = {
      path = [ pkgs.coreutils ];
      script = ''
        if [ -e "${cfg.secretsFile}" ]; then
          echo "Secrets file exists. Nothing to do!"
        else
          echo "WARNING: secrets file not found, autogenerating!"
          DIR="$(dirname "${cfg.secretsFile}")"
          install -m 750 -o ${cfg.user} -g ${cfg.group} -d "$DIR"
          install -m 600 -o ${cfg.user} -g ${cfg.group} <(dd if=/dev/random bs=18 count=1 | base64) "${cfg.secretsFile}"
        fi
      '';
      serviceConfig = {
        Type = "oneshot";
      };
    };
    systemd.services.postsrsd = {
      description = "PostSRSd SRS rewriting server";
      after = [
        "network.target"
        "postsrsd-generate-secrets.service"
      ];
      before = [ "postfix.service" ];
      wantedBy = [ "multi-user.target" ];
      requires = [ "postsrsd-generate-secrets.service" ];
      confinement.enable = true;
      serviceConfig = {
        ExecStart = "${lib.getExe pkgs.postsrsd} -C ${configFile}";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = true;
        RuntimeDirectory = runtimeDirectoryName;
        LoadCredential = "secrets-file:${cfg.secretsFile}";
      };
    };
  };
}
 |