Add assertions between dkimPrivateKeyFiles and dkimKeyBits

Jeremy Fleischman 2024-11-30 17:14:53 -06:00
parent 5468858a77
commit e50df75c25
2 changed files with 13 additions and 9 deletions


@ -806,12 +806,6 @@ in
If `null`, then the keys are auto generated.
If set, then there must be an entry for every domain in
{option}`config.mailserver.domains`.
>>> TODO: explain/assert how this interacts with `dkimKeyBits`. would
this be cleaner if we had an explicit "generate dkim keys" option that
defaults to true, and perhaps we move the generation option (just
`dkimKeyBits` right now) under an optional `generateOpts` section? this
is not backward compatible, though <<<
'';
};
@ -824,8 +818,8 @@ in
};
dkimKeyBits = mkOption {
type = types.int;
default = 1024;
type = types.nullOr types.int;
default = if cfg.dkimPrivateKeyFiles == null then 1024 else null;
description = ''
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
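Review bot: The new `type = types.nullOr types.int;` still accepts any integer and the generated-key default stays at 1024 bits, so nothing stops a configuration from generating a DKIM key smaller than the minimum the description itself cites. RFC 8301, which updates RFC 6376, says signers should use RSA keys of at least 2048 bits, so since this line is being rewritten anyway I would bound the type, e.g. `type = types.nullOr (types.ints.between 1024 4096);`, and consider 2048 as the default for newly generated keys. Because the default now reads `cfg.dkimPrivateKeyFiles`, the option probably also needs a `defaultText` so the rendered manual does not depend on evaluating the config; the rest of the `mkOption` body is outside the hunk, so that may already be present.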


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:
{
assertions = lib.optionals config.mailserver.ldap.enable [
{
@ -18,5 +18,15 @@
assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
}
] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimPrivateKeyFiles != null) [
{
assertion = config.mailserver.dkimKeyBits == null;
message = "When you bring your own DKIM private keys (mailserver.dkimPrivateKeyFiles != null), you must not specify key generation options (mailserver.dkimKeyBits)";
}
] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimPrivateKeyFiles == null) [
{
assertion = config.mailserver.dkimKeyBits != null;
message = "When generating DKIM private keys (mailserver.dkimPrivateKeyFiles = null), you must specify key generation options (mailserver.dkimKeyBits)";
}
];
}
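Review bot: The two new assertions check only whether `dkimKeyBits` is null, while the option text for `dkimPrivateKeyFiles` says there must be an entry for every domain in `config.mailserver.domains`, and nothing visible here enforces that. A domain without a key would presumably fail at service start or send unsigned mail, both harder to notice than an evaluation error. Assuming the option is an attribute set keyed by domain, the block guarded by `dkimPrivateKeyFiles != null` could carry a second entry with `assertion = lib.all (d: builtins.hasAttr d config.mailserver.dkimPrivateKeyFiles) config.mailserver.domains;` and a message naming the missing-domain requirement. The assertions list begins above this hunk.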