Merge branch 'system-options' into 'master'

Introduce system name and domain options

See merge request simple-nixos-mailserver/nixos-mailserver!427

default.nix

@@ -69,6 +69,35 @@ in
       description = "The fully qualified domain name of the mail server.";
     };
 
+    systemName = mkOption {
+      type = types.str;
+      default = "${cfg.systemDomain} mail system";
+      defaultText = literalExpression "\${config.mailserver.systemDomain} mail system";
+      example = "ACME Corp.";
+      description = ''
+        The sender name given in automated reports.
+      '';
+    };
+
+    systemDomain = mkOption {
+      type = types.str;
+      default =
+        if (config.networking.domain != null && lib.elem config.networking.domain cfg.domains) then
+          config.networking.domain
+        else
+          lib.head cfg.domains;
+      defaultText = literalExpression ''
+        if config.networking.domain != null && lib.elem config.networking.domain cfg.domains then
+          config.networking.domain
+        else
+          lib.head cfg.domains
+      '';
+      example = literalExpression "config.networking.domain";
+      description = ''
+        The primary domain used for sending automated reports.
+      '';
+    };
+
     domains = mkOption {
       type = types.listOf types.str;
       example = [ "example.com" ];
@@ -972,51 +1001,6 @@ in
         '';
       };
 
-      localpart = mkOption {
-        type = types.str;
-        default = "dmarc-noreply";
-        example = "dmarc-report";
-        description = ''
-          The local part of the email address used for outgoing DMARC reports.
-        '';
-      };
-
-      domain = mkOption {
-        type = types.enum cfg.domains;
-        example = "example.com";
-        description = ''
-          The domain from which outgoing DMARC reports are served.
-        '';
-      };
-
-      email = mkOption {
-        type = types.str;
-        default = with cfg.dmarcReporting; "${localpart}@${domain}";
-        defaultText = literalExpression ''"''${localpart}@''${domain}"'';
-        readOnly = true;
-        description = ''
-          The email address used for outgoing DMARC reports. Read-only.
-        '';
-      };
-
-      organizationName = mkOption {
-        type = types.str;
-        example = "ACME Corp.";
-        description = ''
-          The name of your organization used in the `org_name` attribute in
-          DMARC reports.
-        '';
-      };
-
-      fromName = mkOption {
-        type = types.str;
-        default = cfg.dmarcReporting.organizationName;
-        defaultText = literalMD "{option}`mailserver.dmarcReporting.organizationName`";
-        description = ''
-          The sender name for DMARC reports. Defaults to the organization name.
-        '';
-      };
-
       excludeDomains = mkOption {
         type = types.listOf types.str;
         default = [ ];
@@ -1471,5 +1455,19 @@ in
     (mkRemovedOptionModule [ "mailserver" "smtpdForbidBareNewline" ] ''
       The workaround for the SMTP Smuggling attack is default enabled in Postfix >3.9. Use `services.postfix.config.smtpd_forbid_bare_newline` if you need to deviate from its default.
     '')
+    (mkRenamedOptionModule [ "mailserver" "dmarcReporting" "domain" ] [ "mailserver" "systemDomain" ])
+    (mkRenamedOptionModule
+      [ "mailserver" "dmarcReporting" "organizationName" ]
+      [ "mailserver" "systemName" ]
+    )
+    (mkRemovedOptionModule [ "mailserver" "dmarcReporting" "localpart" ] ''
+      The localpart is now fixed at `noreply-dmarc` to simplify the configuration.
+    '')
+    (mkRemovedOptionModule [ "mailserver" "dmarcReporting" "email" ] ''
+      The address is now fixed at `noreply-dmarc@''${config.mailserver.systemDomain}` to simplify the configuration.
+    '')
+    (mkRemovedOptionModule [ "mailserver" "dmarcReporting" "fromName" ] ''
+      The name in the `FROM` field for DMARC report now uses the `mailserver.systemName`.
+    '')
   ];
 }

docs/release-notes.rst

@@ -1,6 +1,15 @@
 Release Notes
 =============
 
+NixOS 25.11
+-----------
+
+- The ``systemName`` and ``systemDomain`` options have been introduced to have
+  reusable configurations for automated reports (DMARC, TLSRPT). They come with
+  reasonable defaults, but it is suggested to check and change them as needed.
+- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
+  system domain.
+
 NixOS 25.05
 -----------
 

flake.nix

@@ -94,10 +94,6 @@
                   domains = [
                     "example.com"
                   ];
-                  dmarcReporting = {
-                    organizationName = "Example Corp";
-                    domain = "example.com";
-                  };
                 };
               }
             ];

mail-server/rspamd.nix

@@ -121,11 +121,11 @@ in
             ${lib.optionalString cfg.dmarcReporting.enable ''
               reporting {
                 enabled = true;
-                email = "${cfg.dmarcReporting.email}";
+                email = "noreply-dmarc@${cfg.systemDomain}";
-                domain = "${cfg.dmarcReporting.domain}";
+                domain = "${cfg.systemDomain}";
-                org_name = "${cfg.dmarcReporting.organizationName}";
+                org_name = "${cfg.systemName}";
-                from_name = "${cfg.dmarcReporting.fromName}";
+                from_name = "${cfg.systemName}";
-                msgid_from = "${cfg.dmarcReporting.domain}";
+                msgid_from = "${cfg.systemDomain}";
                 ${lib.optionalString (cfg.dmarcReporting.excludeDomains != [ ]) ''
                   exclude_domains = ${builtins.toJSON cfg.dmarcReporting.excludeDomains};
                 ''}

tests/external.nix

@@ -47,11 +47,7 @@
           ];
           rewriteMessageId = true;
           dkimKeyBits = 1535;
-          dmarcReporting = {
+          dmarcReporting.enable = true;
-            enable = true;
-            domain = "example.com";
-            organizationName = "ACME Corp";
-          };
 
           loginAccounts = {
             "user1@example.com" = {