misc_nixos-mailserver/mail-server/assertions.nix

{
  config,
  lib,
  ...
}:
{
  # We guard all assertions by requiring mailserver to be actually enabled
  assertions = lib.optionals config.mailserver.enable (
    [
      {
        assertion = config.mailserver.stateVersion != null;
        message = "The `mailserver.stateVersion` option is not set. Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html to determine the proper value to initialize it at.";
      }
    ]
    ++ lib.optionals config.mailserver.ldap.enable [
      {
        assertion = config.mailserver.loginAccounts == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
      }
      {
        assertion = config.mailserver.extraVirtualAliases == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
      }
    ]
    ++
      lib.optionals (config.mailserver.ldap.enable && config.mailserver.mailDirectory != "/var/vmail")
        [
          {
            assertion = config.mailserver.stateVersion >= 2;
            message = ''
              Issue: The dovecot homedir for LDAP users was previously not respecting `mailserver.mailDirectory`.
              Remediation:
                - Stop the `dovecot2.service`
                - Move `/var/vmail/ldap` below your `mailserver.mailDirectory`
                - Increase the `stateVersion` to 2.

              Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-ldap-home-directory-migration for more information.
            '';
          }
        ]
    ++ [
      {
        assertion = config.mailserver.stateVersion >= 3;
        message = ''
          Issue: The dovecot mail location for all users has changed and need to be migrated.

          Check https://nixos-mailserver.readthedocs.io/en/latest/migrations.html#dovecot-mail-directory-migration for the required remediation steps.
        '';
      }
    ]
    ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
      {
        assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
        message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
      }
    ]
  );
}