author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-03-04 21:21:17 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-03-09 13:44:37 +0100 |
commit | 92f59766c67e4425b4e7fb0e7f157ece68083241 (patch) | |
tree | bcd150d46f39ed1829b6bdb98b322b96c21f02b4 /modules | |
parent | pkgs/stalwart-mail-free: Avoid running `stalwart-mail`'s tests (diff) | |
modules/stalwart-mail-free: Remove all `security` dependent checks if it's null
Diffstat (limited to 'modules')
-rw-r--r-- | modules/by-name/st/stalwart-mail/module.nix | 11 | ||||
-rw-r--r-- | modules/by-name/st/stalwart-mail/settings.nix | 21 |
2 files changed, 19 insertions, 13 deletions
diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 031c35b..0889549 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -268,11 +268,12 @@ in {
 systemd = {
 services.stalwart-mail = {
 wantedBy = ["multi-user.target"];
- requires = [
- "redis-stalwart-mail.service"
- "network-online.target"
- "acme-${cfg.fqdn}.service"
- ];
+ requires =
+ [
+ "redis-stalwart-mail.service"
+ "network-online.target"
+ ]
+ ++ (lib.optional (cfg.security != null) "acme-${cfg.fqdn}.service");
 after = [
 "local-fs.target"
 "network.target"
diff --git a/modules/by-name/st/stalwart-mail/settings.nix b/modules/by-name/st/stalwart-mail/settings.nix
index 1d63489..7032ae0 100644
--- a/modules/by-name/st/stalwart-mail/settings.nix
+++ b/modules/by-name/st/stalwart-mail/settings.nix
@@ -13,6 +13,11 @@
 })
 (lib.attrsToList cfg.security.dkimKeys))
 ++ [{"else" = false;}];
+
+ maybeVerificationMode =
+ if cfg.security != null
+ then cfg.security.verificationMode
+ else "disable";
 in {
 config.services.stalwart-mail.settings = lib.mkIf cfg.enable {
 # https://www.rfc-editor.org/rfc/rfc6376.html#section-3.3
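Review bot: The `else "disable"` branch of `maybeVerificationMode` makes an unset `cfg.security` fail open with no signal to the operator: every `verify` setting in the `@@ -51,24` hunk (iprev, SPF, DMARC, ARC, DKIM) is then built from `"disable"` on both sides, so inbound mail appears to be accepted without any sender authentication. That may be intended for a test host, but it should be stated where the value is defined, e.g. `# security == null: all inbound sender authentication is turned off`. An evaluation-time notice such as `warnings = lib.optional (cfg.enable && cfg.security == null) "stalwart-mail: security is null, inbound sender verification is disabled";` in the module's `config` would keep this from going unnoticed on a production host. The `let` block this binding sits in starts above the hunk.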
@@ -51,24 +56,24 @@ in { ]; in { iprev = { - verify = ifNotSmpt cfg.security.verificationMode "disable"; + verify = ifNotSmpt maybeVerificationMode "disable"; }; spf = { verify = { - ehlo = ifNotSmpt cfg.security.verificationMode "disable"; + ehlo = ifNotSmpt maybeVerificationMode "disable"; - mail-from = ifNotSmpt cfg.security.verificationMode "disable"; + mail-from = ifNotSmpt maybeVerificationMode "disable"; }; }; dmarc = { - verify = ifNotSmpt cfg.security.verificationMode "disable"; + verify = ifNotSmpt maybeVerificationMode "disable"; }; arc = { seal = lib.mkIf (cfg.security != null) signaturesByDomain; - verify = ifNotSmpt cfg.security.verificationMode "disable"; + verify = ifNotSmpt maybeVerificationMode "disable"; }; dkim = { - verify = ifNotSmpt cfg.security.verificationMode "disable"; + verify = ifNotSmpt maybeVerificationMode "disable"; # Ignore insecure dkim signed messages (i.e., messages containing both # signed and appended not-signed content.) @@ -140,13 +145,13 @@ in { outbound = { tls = { starttls = - if cfg.security.verificationMode == "strict" + if maybeVerificationMode == "strict" then "require" else "optional"; allow-invalid-certs = false; ip-strategy = "ipv6_then_ipv4"; mta-sts = - if cfg.security.verificationMode == "strict" + if maybeVerificationMode == "strict" then "require" else "optional"; }; |
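Review bot: In the `@@ -140,13` hunk, outbound `starttls` and `mta-sts` now fall back to `"optional"` whenever `cfg.security` is null, because `maybeVerificationMode` can only be `"strict"` when `security` is set. As far as the diff shows, `security` supplies the ACME and DKIM material, which enforcing TLS on outbound delivery should not need. Such a host therefore delivers over opportunistic TLS that an on-path attacker can strip, with no way to opt back in. If the coupling is deliberate, a comment above `starttls`, e.g. `# "require" only when security.verificationMode == "strict"; security == null means opportunistic TLS`, would make it explicit. The `outbound` attribute set continues beyond the hunk.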