nixos-mailserver/mail-server/assertions.nix

{ config, lib, ... }:
{
  assertions = lib.optionals config.mailserver.ldap.enable [
    {
      assertion = config.mailserver.loginAccounts == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
    }
    {
      assertion = config.mailserver.extraVirtualAliases == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
    }
  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
    {
      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
      message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
    }
  ] ++ (
    let
      sortedDomains = builtins.sort (a: b: a < b) config.mailserver.domains;
      sortedDkimDomains = builtins.attrNames config.mailserver.dkimDomainPrivateKeyFiles;
      prettyDomains = builtins.concatStringsSep ", " sortedDomains;
      prettyDkimDomains = builtins.concatStringsSep ", " sortedDkimDomains;
    in
    lib.optionals (config.mailserver.enable && config.mailserver.dkimDomainPrivateKeyFiles != null && sortedDomains != sortedDkimDomains) [
      {
        assertion = config.mailserver.dkimKeyBits != null;
        message = "When you bring your own DKIM private keys (mailserver.dkimDomainPrivateKeyFiles != null), the DKIM domains (${prettyDkimDomains}) must be identical to the mailserver.domains (${prettyDomains}).";
      }
    ]
  ) ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimDomainPrivateKeyFiles != null) [
    {
      assertion = config.mailserver.dkimKeyBits == null;
      message = "When you bring your own DKIM private keys (mailserver.dkimDomainPrivateKeyFiles != null), you must not specify key generation options (mailserver.dkimKeyBits)";
    }
  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimDomainPrivateKeyFiles == null) [
    {
      assertion = config.mailserver.dkimKeyBits != null;
      message = "When generating DKIM private keys (mailserver.dkimDomainPrivateKeyFiles = null), you must specify key generation options (mailserver.dkimKeyBits)";
    }
  ];
}
assertions: Allow mailserver.forwards with LDAP set up 2023-12-27 20:27:11 +02:00			`{ config, lib, ... }:`
ldap: set assertions to forbid ldap and loginAccounts simultaneously 2023-05-20 09:52:25 +02:00			`{`
			`assertions = lib.optionals config.mailserver.ldap.enable [`
			`{`
			`assertion = config.mailserver.loginAccounts == {};`
			`message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";`
			`}`
			`{`
			`assertion = config.mailserver.extraVirtualAliases == {};`
			`message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";`
			`}`
acme: test acmeCertificateName if module is enabled 2024-06-04 15:31:28 +00:00			`] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [`
acme: Add new option acmeCertificateName Allow the user to specify the name of the ACME configuration that the mailserver should use. This allows users that request certificates that aren't the FQDN of the mailserver, for example a wildcard certificate. 2023-06-28 20:42:37 +01:00			`{`
			`assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;`
			`message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";`
			`}`
feat: add support for DKIM private key files This gives people an option to declaratively manage these secrets, rather than having them generated. 2024-10-31 15:07:47 -05:00			`] ++ (`
			`let`
			`sortedDomains = builtins.sort (a: b: a < b) config.mailserver.domains;`
			`sortedDkimDomains = builtins.attrNames config.mailserver.dkimDomainPrivateKeyFiles;`
			`prettyDomains = builtins.concatStringsSep ", " sortedDomains;`
			`prettyDkimDomains = builtins.concatStringsSep ", " sortedDkimDomains;`
			`in`
			`lib.optionals (config.mailserver.enable && config.mailserver.dkimDomainPrivateKeyFiles != null && sortedDomains != sortedDkimDomains) [`
			`{`
			`assertion = config.mailserver.dkimKeyBits != null;`
			`message = "When you bring your own DKIM private keys (mailserver.dkimDomainPrivateKeyFiles != null), the DKIM domains (${prettyDkimDomains}) must be identical to the mailserver.domains (${prettyDomains}).";`
			`}`
			`]`
			`) ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimDomainPrivateKeyFiles != null) [`
			`{`
			`assertion = config.mailserver.dkimKeyBits == null;`
			`message = "When you bring your own DKIM private keys (mailserver.dkimDomainPrivateKeyFiles != null), you must not specify key generation options (mailserver.dkimKeyBits)";`
			`}`
			`] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimDomainPrivateKeyFiles == null) [`
			`{`
			`assertion = config.mailserver.dkimKeyBits != null;`
			`message = "When generating DKIM private keys (mailserver.dkimDomainPrivateKeyFiles = null), you must specify key generation options (mailserver.dkimKeyBits)";`
			`}`
ldap: set assertions to forbid ldap and loginAccounts simultaneously 2023-05-20 09:52:25 +02:00			`];`
			`}`