simple-nixos-mailserver/mail-server/assertions.nix

{
  config,
  lib,
  ...
}:

let
  mailserverRelease = "26.05";
  nixpkgsRelease = lib.trivial.release;
  releaseMismatch =
    config.mailserver.enableNixpkgsReleaseCheck && mailserverRelease != nixpkgsRelease;
in

{
  warnings =
    lib.optionals releaseMismatch [
      ''
        You are using

          NixOS Mailserver version ${mailserverRelease} and
          Nixpkgs version ${nixpkgsRelease}.

        Using mismatched versions is likely to cause compatibility issues
        and may require migrations that make an eventual rollback tricky.

        It is therefore highly recommended to use a release of
        NixOS mailserver that corresponds with your chosen release of Nixpkgs.

        If you insist then you can disable this warning by adding

          mailserver.enableNixpkgsReleaseCheck = false;

        to your configuration.
      ''
    ]
    ++ lib.optionals config.mailserver.borgbackup.enable [
      ''
        `mailserver.borgbackup` will be removed after 26.05.

        The borgbackup integration will be removed with the recommendation to
        migrate to the upstream `services.borgbackup` module, which receives far
        superior maintenance and testing.

        NixOS manual: https://nixos.org/manual/nixos/stable/#module-borgbase
      ''
    ]
    ++ lib.optionals config.mailserver.backup.enable [
      ''
        `mailserver.backup` will be removed after 26.05.

        The rsnapshot integration will be removed due to lack of maintenance,
        expertise and tests to make sure it still works. Please use the upstream
        module directly instead.
      ''
    ]
    ++ lib.optionals config.mailserver.monitoring.enable [
      ''
        `mailserver.monitoring` will be removed after 26.05.

        The monit integration will be removed due to lack of maintenance,
        expertise and tests to make sure it still works.
      ''
    ];

  # We guard all assertions by requiring mailserver to be actually enabled
  assertions = lib.optionals config.mailserver.enable (
    [
      {
        assertion = config.mailserver.stateVersion != null;
        message = "The `mailserver.stateVersion` option is not set. Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html to determine the proper value to initialize it at.";
      }
      {
        assertion =
          config.mailserver.x509.useACMEHost != null
          -> config.mailserver.x509.certificateFile == null && config.mailserver.x509.privateKeyFile == null;
        message = "Configuring an ACME certificate (`mailserver.x509.useACMEHost`) is not possible while also passing an existing certificate (`mailserver.x509.certificateFile`, `mailserver.x509.privateKeyFile`).";
      }
      {
        assertion =
          config.mailserver.x509.useACMEHost != null
          || (
            config.mailserver.x509.certificateFile != null && config.mailserver.x509.privateKeyFile != null
          );
        message = "Configure either an ACME certificate (`mailserver.x509.useACMEHost`) or pass an existing certificate (`mailserver.x509.certificateFile`, `mailserver.x509.privateKeyFile`).";
      }
    ]
    ++ lib.optionals config.mailserver.dkim.enable (
      lib.flatten (
        lib.mapAttrsToList (
          domain: domainAttrs:
          lib.mapAttrsToList (selector: selectorAttrs: [
            {
              assertion =
                selectorAttrs.keyFile != null -> (selectorAttrs.keyType == null && selectorAttrs.keyLength == null);
              message = "${domain} DKIM selector ${selector} can only use either `keyType`, `keyLength` OR `keyFile` not both.";
            }
          ]) domainAttrs.selectors
        ) config.mailserver.dkim.domains
      )
    )
    ++ lib.optionals config.mailserver.ldap.enable [
      {
        assertion = config.mailserver.loginAccounts == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
      }
      {
        assertion = config.mailserver.extraVirtualAliases == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
      }
    ]
    ++
      lib.optionals (config.mailserver.ldap.enable && config.mailserver.mailDirectory != "/var/vmail")
        [
          {
            assertion = config.mailserver.stateVersion != null -> config.mailserver.stateVersion >= 2;
            message = ''
              Issue: The dovecot homedir for LDAP users was previously not respecting `mailserver.mailDirectory`.
              Remediation:
                - Stop the `dovecot.service`
                - Move `/var/vmail/ldap` below your `mailserver.mailDirectory`
                - Increase the `stateVersion` to 2.

              Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-ldap-home-directory-migration for more information.
            '';
          }
        ]
    ++ [
      {
        assertion = config.mailserver.stateVersion != null -> config.mailserver.stateVersion >= 3;
        message = ''
          Issue: The dovecot mail location for all users has changed and need to be migrated.

          Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-mail-directory-migration for the required remediation steps.
        '';
      }
    ]
    ++ lib.optionals (config.mailserver.ldap.enable) [
      {
        assertion = config.mailserver.stateVersion != null -> config.mailserver.stateVersion >= 4;
        message = ''
          NixOS Mailserver requires migrating LDAP home directories to UUID scheme

          Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-ldap-uuid-based-home-directories for required migration steps.
        '';
      }
    ]
  );
}