nixpkgs/nixos/tests/postfix-tlspol.nix

{
  lib,
  ...
}:
{
  name = "postfix-tlspol";

  meta.maintainers = with lib.maintainers; [ hexa ];

  nodes.machine = {
    services.postfix.enable = true;
    services.postfix-tlspol.enable = true;

    services.dnsmasq = {
      enable = true;
      settings.selfmx = true;
    };
  };

  testScript = ''
    import json

    machine.wait_for_unit("postfix-tlspol.service")
    machine.succeed("getent group postfix-tlspol | grep :postfix")

    with subtest("Interact with the service"):
      machine.succeed("postfix-tlspol -purge")

      response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
      machine.log(json.dumps(response, indent=2))

      assert response["dane"]["policy"] == "", f"Unexpected DANE policy for localhost: {response["dane"]["policy"]}"
      assert response["mta-sts"]["policy"] == "", f"Unexpected MTA-STS policy for localhost: {response["mta-sts"]["policy"]}"

    machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ✓")[1])
  '';

}
nixos/tests/postfix-tlspol: init Simple test if the service comes up and the CLI can interact with it and gives reasonable results. 2025-06-10 05:27:52 +02:00			`{`
			`lib,`
			`...`
			`}:`
			`{`
			`name = "postfix-tlspol";`

			`meta.maintainers = with lib.maintainers; [ hexa ];`

			`nodes.machine = {`
nixos/postfix-tlspol: fix postfix integration Fixes the group membership for postfix processes in the postfix-tlspol group. Makes the postfix.service start up after postfix-tlspol.service, because it depends on it for the TLS policy lookups. 2025-06-21 00:35:23 +02:00			`services.postfix.enable = true;`
nixos/tests/postfix-tlspol: init Simple test if the service comes up and the CLI can interact with it and gives reasonable results. 2025-06-10 05:27:52 +02:00			`services.postfix-tlspol.enable = true;`

nixos/tests/postfix-tlspol: assert empty policies for localhost 2025-06-29 00:01:13 +02:00			`services.dnsmasq = {`
			`enable = true;`
			`settings.selfmx = true;`
			`};`
			`};`
nixos/tests/postfix-tlspol: init Simple test if the service comes up and the CLI can interact with it and gives reasonable results. 2025-06-10 05:27:52 +02:00
			`testScript = ''`
			`import json`

			`machine.wait_for_unit("postfix-tlspol.service")`
nixos/postfix-tlspol: migrate to static user/group This fixes postfix' membership in the postfix-tlspol group, since memberships in a dynamically allocated group don't seem to work out. Additionally this fixes a typo in the systemd hardening and the test now prints the results of systemd-analyze security. 2025-06-28 23:39:34 +02:00			`machine.succeed("getent group postfix-tlspol \| grep :postfix")`
nixos/tests/postfix-tlspol: init Simple test if the service comes up and the CLI can interact with it and gives reasonable results. 2025-06-10 05:27:52 +02:00
			`with subtest("Interact with the service"):`
			`machine.succeed("postfix-tlspol -purge")`

			`response = json.loads((machine.succeed("postfix-tlspol -query localhost")))`
			`machine.log(json.dumps(response, indent=2))`

nixos/tests/postfix-tlspol: assert empty policies for localhost 2025-06-29 00:01:13 +02:00			`assert response["dane"]["policy"] == "", f"Unexpected DANE policy for localhost: {response["dane"]["policy"]}"`
			`assert response["mta-sts"]["policy"] == "", f"Unexpected MTA-STS policy for localhost: {response["mta-sts"]["policy"]}"`
nixos/postfix-tlspol: migrate to static user/group This fixes postfix' membership in the postfix-tlspol group, since memberships in a dynamically allocated group don't seem to work out. Additionally this fixes a typo in the systemd hardening and the test now prints the results of systemd-analyze security. 2025-06-28 23:39:34 +02:00
			`machine.log(machine.execute("systemd-analyze security postfix-tlspol.service \| grep -v ✓")[1])`
nixos/tests/postfix-tlspol: init Simple test if the service comes up and the CLI can interact with it and gives reasonable results. 2025-06-10 05:27:52 +02:00			`'';`

			`}`