ForkMaster/nixos-mailserver
1
0
Fork 0
mirror of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git synced 2025-04-02 05:44:33 +05:00
Code Issues Packages Projects Releases Wiki Activity

Add assertions between dkimPrivateKeyFiles and dkimKeyBits

Browse Source
This commit is contained in:
Jeremy Fleischman 2024-11-30 17:14:53 -06:00
parent 5468858a77
commit e50df75c25
No known key found for this signature in database
2 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
default.nix
View File

@ -806,12 +806,6 @@ in
If `null`, then the keys are auto generated. If `null`, then the keys are auto generated.
If set, then there must be an entry for every domain in If set, then there must be an entry for every domain in
{option}`config.mailserver.domains`. {option}`config.mailserver.domains`.
>>> TODO: explain/assert how this interacts with `dkimKeyBits`. would
this be cleaner if we had an explicit "generate dkim keys" option that
defaults to true, and perhaps we move the generation option (just
`dkimKeyBits` right now) under an optional `generateOpts` section? this
is not backward compatible, though <<<
''; '';
}; };
@ -824,8 +818,8 @@ in
}; };
dkimKeyBits = mkOption { dkimKeyBits = mkOption {
type = types.int; type = types.nullOr types.int;
default = 1024; default = if cfg.dkimPrivateKeyFiles == null then 1024 else null;
description = '' description = ''
How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys. How many bits in generated DKIM keys. RFC6376 advises minimum 1024-bit keys.

12
mail-server/assertions.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
{ {
assertions = lib.optionals config.mailserver.ldap.enable [ assertions = lib.optionals config.mailserver.ldap.enable [
{ {
@ -18,5 +18,15 @@
assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn; assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName"; message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
} }
] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimPrivateKeyFiles != null) [
{
assertion = config.mailserver.dkimKeyBits == null;
message = "When you bring your own DKIM private keys (mailserver.dkimPrivateKeyFiles != null), you must not specify key generation options (mailserver.dkimKeyBits)";
}
] ++ lib.optionals (config.mailserver.enable && config.mailserver.dkimPrivateKeyFiles == null) [
{
assertion = config.mailserver.dkimKeyBits != null;
message = "When generating DKIM private keys (mailserver.dkimPrivateKeyFiles = null), you must specify key generation options (mailserver.dkimKeyBits)";
}
]; ];
} }