nixos/tlsrpt: fix permissions to execute postdrop

Calling to sendmail without AF_NETLINK causes: > sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol and without AF_INET/AF_INET6: > sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol > sendmail: warning: inet_protocols: disabling IPv4 name/address support: Address family not supported by protocol Move the configurePostfix option one level up, since it now also reconfigures the reportd systemd unit. (cherry picked from commit b438f32b2a)
2026-01-11 18:32:23 +08:00 · 2025-07-28 02:16:08 +02:00
parent c3246b01ba
commit 007eb35d91
1 changed files with 16 additions and 13 deletions
--- a/nixos/modules/services/mail/tlsrpt.nix
+++ b/nixos/modules/services/mail/tlsrpt.nix
@@ -59,6 +59,8 @@ let
  reportdConfigFile = format.generate "tlsrpt-reportd.cfg" {
    tlsrpt_reportd = dropNullValues cfg.reportd.settings;
  };
+
+  withPostfix = config.services.postfix.enable && cfg.configurePostfix;
 in

 {
@@ -126,14 +128,6 @@ in
          See {manpage}`tlsrpt-collectd(1)` for possible flags.
        '';
      };
-
-      configurePostfix = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Whether to modify the local Postfix service to grant access to the collectd socket.
-        '';
-      };
    };

    fetcher = {
@@ -271,6 +265,14 @@ in
        '';
      };
    };
+
+    configurePostfix = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to configure permissions to allow integration with Postfix.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@@ -286,11 +288,9 @@ in
    };
    users.groups.tlsrpt = { };

-    users.users.postfix.extraGroups =
-      lib.mkIf (config.services.postfix.enable && cfg.collectd.configurePostfix)
-        [
-          "tlsrpt"
-        ];
+    users.users.postfix.extraGroups = lib.mkIf withPostfix [
+      "tlsrpt"
+    ];

    systemd.services.tlsrpt-collectd = {
      description = "TLSRPT datagram collector";
@@ -334,7 +334,10 @@ in
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
+          "AF_NETLINK"
        ];
+        ReadWritePaths = lib.optionals withPostfix [ "/var/lib/postfix/queue/maildrop" ];
+        SupplementaryGroups = lib.optionals withPostfix [ "postdrop" ];
        UMask = "0077";
      };
    };