From e50df75c254d8160be6deab1a240f71264b4dfc1 Mon Sep 17 00:00:00 2001
From: Jeremy Fleischman
Date: Sat, 30 Nov 2024 17:14:53 -0600
Subject: [PATCH] Add assertions between `dkimPrivateKeyFiles` and `dkimKeyBits`
---
default.nix | 10 ++--------
mail-server/assertions.nix | 12 +++++++++++-
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/default.nix b/default.nix
index b67e9ba..b187868 100644
--- a/default.nix
+++ b/default.nix
@@ -806,12 +806,6 @@ in
 If `null`, then the keys are auto generated. If set, then there must be an entry for every domain in {option}`config.mailserver.domains`.
-
- >>> TODO: explain/assert how this interacts with `dkimKeyBits`. would
- this be cleaner if we had an explicit "generate dkim keys" option that
- defaults to true, and perhaps we move the generation option (just
- `dkimKeyBits` right now) under an optional `generateOpts` section? this
- is not backward compatible, though <<<
 '';
 };
@@ -824,8 +818,8 @@ in
 };
 dkimKeyBits = mkOption {
- type = types.int;
- default = 1024;
+ type = types.nullOr types.int;
+ default = if cfg.dkimPrivateKeyFiles == null then 1024 else null;
 description = ''
 How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.
diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix
index 0e5b15b..f4b6633 100644
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
 assertions = lib.optionals config.mailserver.ldap.enable [
 {
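Review bot: `dkimKeyBits` now has a computed default, `if cfg.dkimPrivateKeyFiles == null then 1024 else null`, but the hunk adds no `defaultText`, so the rendered option manual will show whatever value the documentation build happened to evaluate instead of the rule; add `defaultText = literalExpression "if config.mailserver.dkimPrivateKeyFiles == null then 1024 else null";` (qualified with `lib.` if the file does not open it) next to `default`. The description is unchanged and still reads only `How many bits in generated DKIM keys.`, so it never tells the user that the option becomes `null`, and must stay `null`, when `dkimPrivateKeyFiles` is set; one sentence stating that, with a pointer to the `dkimPrivateKeyFiles` option, would explain the assertion they will otherwise run into. The RFC reference is also dated: RFC 8301, which updates RFC 6376, makes 1024 bits the floor that verifiers may accept and says signers SHOULD use at least 2048-bit RSA keys, so "advises minimum 1024-bit" understates current guidance and a larger default may be worth a separate change. The enclosing `mkOption` ends outside this hunk.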
@@ -18,5 +18,15 @@
 assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
 message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
 }
+ ] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimPrivateKeyFiles != null) [
+ {
+ assertion = config.mailserver.dkimKeyBits == null;
+ message = "When you bring your own DKIM private keys (mailserver.dkimPrivateKeyFiles != null), you must not specify key generation options (mailserver.dkimKeyBits)";
+ }
+ ] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimPrivateKeyFiles == null) [
+ {
+ assertion = config.mailserver.dkimKeyBits != null;
+ message = "When generating DKIM private keys (mailserver.dkimPrivateKeyFiles = null), you must specify key generation options (mailserver.dkimKeyBits)";
+ }
 ];
 }
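Review bot: The generate-keys branch only asserts `config.mailserver.dkimKeyBits != null`, so a configuration with `dkimKeyBits = 512` still evaluates and produces a DKIM key that verifiers must reject (RFC 8301 §3.2 forbids accepting RSA keys under 1024 bits, tightening the RFC 6376 advice the option's own description cites); an assertion that exists to pin down key-generation options should enforce that floor too. Change the second new assertion to `assertion = config.mailserver.dkimKeyBits != null && config.mailserver.dkimKeyBits >= 1024;` and end its message with `(mailserver.dkimKeyBits, at least 1024)` so the user sees the bound. Both new `lib.optionals` blocks repeat `config.mailserver.enable &&` and the two arms of the same `dkimPrivateKeyFiles == null` test; that is readable because each arm carries its own message, but the plural "key generation options" in both messages names an option that is currently the only one, so `(mailserver.dkimKeyBits)` alone would be more accurate. The `assertions` list these entries extend starts before this hunk.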