From b438f32b2a8d2b9374644289725ffaf05101970c Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 28 Jul 2025 02:16:08 +0200
Subject: [PATCH] nixos/tlsrpt: fix permissions to execute postdrop

Calling to sendmail without AF_NETLINK causes:
> sendmail: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol
and without AF_INET/AF_INET6:
> sendmail: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
> sendmail: warning: inet_protocols: disabling IPv4 name/address support: Address family not supported by protocol
Move the configurePostfix option one level up, since it now also reconfigures the reportd systemd unit.
---
 nixos/modules/services/mail/tlsrpt.nix | 29 ++++++++++++++------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/nixos/modules/services/mail/tlsrpt.nix b/nixos/modules/services/mail/tlsrpt.nix
index 05d8377514c0..309ce400462c 100644
--- a/nixos/modules/services/mail/tlsrpt.nix
+++ b/nixos/modules/services/mail/tlsrpt.nix
@@ -59,6 +59,8 @@ let
 reportdConfigFile = format.generate "tlsrpt-reportd.cfg" {
 tlsrpt_reportd = dropNullValues cfg.reportd.settings;
 };
+
+ withPostfix = config.services.postfix.enable && cfg.configurePostfix;
 in
 {
@@ -126,14 +128,6 @@ in
 See {manpage}`tlsrpt-collectd(1)` for possible flags.
 '';
 };
-
- configurePostfix = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Whether to modify the local Postfix service to grant access to the collectd socket.
- '';
- };
 };
 fetcher = {
@@ -271,6 +265,14 @@ in
 '';
 };
 };
+
+ configurePostfix = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to configure permissions to allow integration with Postfix.
+ '';
+ };
 };
 config = mkIf cfg.enable {
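Review bot: The description of the relocated `configurePostfix` option in the third hunk ("Whether to configure permissions to allow integration with Postfix.") no longer says which permissions are granted, although the option now gates more than the collectd socket access. Judging from the later hunks, leaving it at the default `true` adds the `postfix` user to the `tlsrpt` group and gives a hardened unit the `postdrop` supplementary group plus write access to `/var/lib/postfix/queue/maildrop`. I would name both effects in the text, for example `Whether to add the postfix user to the tlsrpt group and to let the reportd unit hand mail to Postfix (postdrop group, write access to the maildrop queue).` Separately, the old `collectd.configurePostfix` path is removed in the second hunk without a visible rename shim, so configurations that set it will stop evaluating; a `lib.mkRenamedOptionModule` entry in the module's `imports` would carry them over (the option prefix is not visible in this diff).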
@@ -286,11 +288,9 @@ in
 };
 users.groups.tlsrpt = { };
- users.users.postfix.extraGroups =
- lib.mkIf (config.services.postfix.enable && cfg.collectd.configurePostfix)
- [
- "tlsrpt"
- ];
+ users.users.postfix.extraGroups = lib.mkIf withPostfix [
+ "tlsrpt"
+ ];
 systemd.services.tlsrpt-collectd = {
 description = "TLSRPT datagram collector";
@@ -334,7 +334,10 @@ in
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
+ "AF_NETLINK"
 ];
+ ReadWritePaths = lib.optionals withPostfix [ "/var/lib/postfix/queue/maildrop" ];
+ SupplementaryGroups = lib.optionals withPostfix [ "postdrop" ];
 UMask = "0077";
 };
 };
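Review bot: The group name and queue path in the two added `withPostfix` lines of the second hunk here are hard-coded (`"postdrop"`, `/var/lib/postfix/queue/maildrop`), so the sandbox exception no longer matches if the Postfix module is configured with a different setgid group or queue directory. Taking the group from the Postfix module keeps the two in step, `SupplementaryGroups = lib.optionals withPostfix [ config.services.postfix.setgidGroup ];`, and the path deserves at least a comment naming the Postfix setting it mirrors. `AF_NETLINK` is also added unconditionally while the other two relaxations are gated on `withPostfix`; if only the sendmail call needs it, as the commit message suggests, appending `++ lib.optionals withPostfix [ "AF_NETLINK" ]` to the list would keep the address-family filter tight when Postfix integration is off. The enclosing `serviceConfig` block starts outside this hunk, so which unit is being relaxed (presumably reportd, per the commit message) cannot be confirmed from here.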