nixos/maddy: Better description, user and group handling

5 files changed, 52 insertions, 26 deletions

diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index e2bda7604e4..6b706e4aeaa 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -275,13 +275,6 @@
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://maddy.email">maddy</link>, a
-          composable all-in-one mail server. Available as
-          <link xlink:href="options.html#opt-services.maddy.enable">services.maddy</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
           <link xlink:href="https://sr.ht">sourcehut</link>, a
           collection of tools useful for software development. Available
           as
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index d5e3190bf28..296161fd84d 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -48,6 +48,13 @@
           <link xlink:href="options.html#opt-services.powerdns-admin.enable">services.powerdns-admin</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://maddy.email">maddy</link>, a
+          composable all-in-one mail server. Available as
+          <link xlink:href="options.html#opt-services.maddy.enable">services.maddy</link>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.05-incompatibilities">
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 2520d176096..48adc4ad33c 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -74,8 +74,6 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [PeerTube](https://joinpeertube.org/), developed by Framasoft, is the free and decentralized alternative to video platforms. Available at [services.peertube](options.html#opt-services.peertube.enable).
 
-- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable).
-
 - [sourcehut](https://sr.ht), a collection of tools useful for software development. Available as [services.sourcehut](options.html#opt-services.sourcehut.enable).
 
 - [ucarp](https://download.pureftpd.org/pub/ucarp/README), an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as [networking.ucarp](options.html#opt-networking.ucarp.enable).
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 98709455ae7..94f600537c2 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -16,6 +16,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable).
 
+- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable).
+
 ## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
 
 - `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
diff --git a/nixos/modules/services/mail/maddy.nix b/nixos/modules/services/mail/maddy.nix
index 44cfa3c2908..0b06905ac6f 100644
--- a/nixos/modules/services/mail/maddy.nix
+++ b/nixos/modules/services/mail/maddy.nix
@@ -3,9 +3,16 @@
 with lib;
 
 let
+
   name = "maddy";
+
   cfg = config.services.maddy;
+
   defaultConfig = ''
+    # Minimal configuration with TLS disabled, adapted from upstream example
+    # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
+    # Do not use this in production!
+
     tls off
 
     auth.pass_table local_authdb {
@@ -131,22 +138,34 @@ let
 in {
   options = {
     services.maddy = {
+
       enable = mkEnableOption "Maddy, a free an open source mail server";
 
       user = mkOption {
         default = "maddy";
         type = with types; uniq string;
         description = ''
-          Name of the user under which maddy will run. If not specified, a
-          default user will be created.
+          User account under which maddy runs.
+
+          <note><para>
+          If left as the default value this user will automatically be created
+          on system activation, otherwise the sysadmin is responsible for
+          ensuring the user exists before the maddy service starts.
+          </para></note>
         '';
       };
+
       group = mkOption {
         default = "maddy";
         type = with types; uniq string;
         description = ''
-          Name of the group under which maddy will run. If not specified, a
-          default group will be created.
+          Group account under which maddy runs.
+
+          <note><para>
+          If left as the default value this group will automatically be created
+          on system activation, otherwise the sysadmin is responsible for
+          ensuring the group exists before the maddy service starts.
+          </para></note>
         '';
       };
 
@@ -158,6 +177,7 @@ in {
           Hostname to use. It should be FQDN.
         '';
       };
+
       primaryDomain = mkOption {
         default = "localhost";
         type = with types; uniq string;
@@ -166,6 +186,7 @@ in {
           Primary MX domain to use. It should be FQDN.
         '';
       };
+
       localDomains = mkOption {
         type = with types; listOf str;
         default = ["$(primary_domain)"];
@@ -178,11 +199,18 @@ in {
           Define list of allowed domains.
         '';
       };
+
       config = mkOption {
         type = with types; nullOr lines;
         default = defaultConfig;
         description = ''
-          Server configuration.
+          Server configuration, see
+          <link xlink:href="https://maddy.email">https://maddy.email</link> for
+          more information. The default configuration of this module will setup
+          minimal maddy instance for mail transfer without TLS encryption.
+          <note><para>
+          This should not be used in a production environment.
+          </para></note>
         '';
       };
 
@@ -203,9 +231,11 @@ in {
       packages = [ pkgs.maddy ];
       services.maddy = {
         serviceConfig = {
-          User = "${cfg.user}";
-          Group = "${cfg.group}";
+          User = cfg.user;
+          Group = cfg.group;
+          StateDirectory = [ "maddy" ];
         };
+        restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ];
         wantedBy = [ "multi-user.target" ];
       };
     };
@@ -220,20 +250,16 @@ in {
       '';
     };
 
-    users.users = optionalAttrs (cfg.user == "maddy") {
-      maddy = {
-        description = "Maddy service user";
-        group = cfg.group;
-        home = "/var/lib/maddy";
-        createHome = true;
+    users.users = optionalAttrs (cfg.user == name) {
+      ${name} = {
         isSystemUser = true;
+        group = cfg.group;
+        description = "Maddy mail transfer agent user";
       };
     };
 
-    users.groups = mkIf (cfg.group == "maddy") {
-      maddy = pkgs.lib.mkForce {
-        name = cfg.group;
-      };
+    users.groups = optionalAttrs (cfg.group == name) {
+      ${cfg.group} = { };
     };
 
     networking.firewall = mkIf cfg.openFirewall {