talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/postsrsd: harden and modernize systemd unit

Browse Source 
This replaces the previous confinement settings with a more complete and
context-sensitive hardening setup.

Also exposes the current config at /etc/postsrsd.conf, which makes it
easily inspectable.
This commit is contained in:
Martin Weinelt 2025-07-14 01:21:08 +02:00
parent 83af4a9aed
commit 819c34cb7f
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
1 changed files with 92 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
nixos/modules/services/mail/postsrsd.nix
View File

@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
utils,
... ...
}: }:
let let
@ -253,6 +254,8 @@ in
}; };
}; };
environment.etc."postsrsd.conf".source = configFile;
systemd.services.postsrsd = { systemd.services.postsrsd = {
description = "PostSRSd SRS rewriting server"; description = "PostSRSd SRS rewriting server";
after = [ after = [
@ -262,21 +265,109 @@ in
before = [ "postfix.service" ]; before = [ "postfix.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "postsrsd-generate-secrets.service" ]; requires = [ "postsrsd-generate-secrets.service" ];
restartTriggers = [ configFile ];
serviceConfig = { serviceConfig = {
ExecStart = "${lib.getExe pkgs.postsrsd} -C ${configFile}"; ExecStart = toString [
(lib.getExe pkgs.postsrsd)
"-C"
"/etc/postsrsd.conf"
];
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
RuntimeDirectory = "postsrsd"; RuntimeDirectory = "postsrsd";
RuntimeDirectoryMode = "0750";
LoadCredential = "secrets-file:${cfg.secretsFile}"; LoadCredential = "secrets-file:${cfg.secretsFile}";
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;
PrivateNetwork = lib.hasPrefix "unix:" cfg.settings.socketmap;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
RestrictAddressFamilies =
if lib.hasPrefix "unix:" cfg.settings.socketmap then
[ "AF_UNIX" ]
else
[
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = "0027";
before = [ "postfix.service" ];
wantedBy = [ "multi-user.target" ];
requires = [ "postsrsd-generate-secrets.service" ];
restartTriggers = [ configFile ];
serviceConfig = {
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe cfg.package)
"-C"
"/etc/postsrsd.conf"
];
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = "postsrsd";
RuntimeDirectoryMode = "0750";
LoadCredential = "secrets-file:${cfg.secretsFile}";
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateNetwork = lib.hasPrefix "unix:" cfg.settings.socketmap;
PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
RestrictAddressFamilies =
if lib.hasPrefix "unix:" cfg.settings.socketmap then
[ "AF_UNIX" ]
else
[
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = "0027";
};
}; };
}; };
}; };