simple-nixos-mailserver/mail-server/assertions.nix

{
  config,
  lib,
  ...
}:

let
  mailserverRelease = "26.05";
  nixpkgsRelease = lib.trivial.release;
  releaseMismatch =
    config.mailserver.enableNixpkgsReleaseCheck && mailserverRelease != nixpkgsRelease;
in

{
  warnings = lib.optional releaseMismatch ''
    You are using

      NixOS Mailserver version ${mailserverRelease} and
      Nixpkgs version ${nixpkgsRelease}.

    Using mismatched versions is likely to cause compatibility issues
    and may require migrations that make an eventual rollback tricky.

    It is therefore highly recommended to use a release of
    NixOS mailserver that corresponds with your chosen release of Nixpkgs.

    If you insist then you can disable this warning by adding

      mailserver.enableNixpkgsReleaseCheck = false;

    to your configuration.
  '';

  # We guard all assertions by requiring mailserver to be actually enabled
  assertions = lib.optionals config.mailserver.enable (
    [
      {
        assertion = config.mailserver.stateVersion != null;
        message = "The `mailserver.stateVersion` option is not set. Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html to determine the proper value to initialize it at.";
      }
      {
        assertion =
          config.mailserver.x509.useACMEHost != null
          -> config.mailserver.x509.certificateFile == null && config.mailserver.x509.privateKeyFile == null;
        message = "Configuring an ACME certificate (`mailserver.x509.useACMEHost`) is not possible while also passing an existing certificate (`mailserver.x509.certificateFile`, `mailserver.x509.privateKeyFile`).";
      }
      {
        assertion =
          config.mailserver.x509.useACMEHost != null
          || (
            config.mailserver.x509.certificateFile != null && config.mailserver.x509.privateKeyFile != null
          );
        message = "Configure either an ACME certificate (`mailserver.x509.useACMEHost`) or pass an existing certificate (`mailserver.x509.certificateFile`, `mailserver.x509.privateKeyFile`).";
      }
    ]
    ++ lib.optionals config.mailserver.dkim.enable (
      lib.flatten (
        lib.mapAttrsToList (
          domain: domainAttrs:
          lib.mapAttrsToList (selector: selectorAttrs: [
            {
              assertion =
                selectorAttrs.keyFile != null -> (selectorAttrs.keyType == null && selectorAttrs.keyLength == null);
              message = "${domain} DKIM selector ${selector} can only use either `keyType`, `keyLength` OR `keyFile` not both.";
            }
          ]) domainAttrs.selectors
        ) config.mailserver.dkim.domains
      )
    )
    ++ lib.optionals config.mailserver.ldap.enable [
      {
        assertion = config.mailserver.loginAccounts == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
      }
      {
        assertion = config.mailserver.extraVirtualAliases == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
      }
    ]
    ++
      lib.optionals (config.mailserver.ldap.enable && config.mailserver.mailDirectory != "/var/vmail")
        [
          {
            assertion = config.mailserver.stateVersion != null -> config.mailserver.stateVersion >= 2;
            message = ''
              Issue: The dovecot homedir for LDAP users was previously not respecting `mailserver.mailDirectory`.
              Remediation:
                - Stop the `dovecot.service`
                - Move `/var/vmail/ldap` below your `mailserver.mailDirectory`
                - Increase the `stateVersion` to 2.

              Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-ldap-home-directory-migration for more information.
            '';
          }
        ]
    ++ [
      {
        assertion = config.mailserver.stateVersion != null -> config.mailserver.stateVersion >= 3;
        message = ''
          Issue: The dovecot mail location for all users has changed and need to be migrated.

          Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-mail-directory-migration for the required remediation steps.
        '';
      }
    ]
  );
}