nixos/postfix-tlspol: migrate to static user/group
This fixes postfix's membership in the postfix-tlspol group, since memberships in a dynamically allocated group do not appear to take effect. Additionally this fixes a typo in the systemd hardening, and the test now prints the results of systemd-analyze security.
This commit is contained in:
parent
16ce859442
commit
df0eb78b31
@ -153,6 +153,12 @@ in
|
|||||||
|
|
||||||
environment.systemPackages = [ cfg.package ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
|
|
||||||
|
users.users.postfix-tlspol = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "postfix-tlspol";
|
||||||
|
};
|
||||||
|
users.groups.postfix-tlspol = { };
|
||||||
|
|
||||||
systemd.services.postfix-tlspol = {
|
systemd.services.postfix-tlspol = {
|
||||||
after = [
|
after = [
|
||||||
"nss-lookup.target"
|
"nss-lookup.target"
|
||||||
@ -178,7 +184,8 @@ in
|
|||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = 5;
|
RestartSec = 5;
|
||||||
|
|
||||||
DynamicUser = true;
|
User = "postfix-tlspol";
|
||||||
|
Group = "postfix-tlspol";
|
||||||
|
|
||||||
CacheDirectory = "postfix-tlspol";
|
CacheDirectory = "postfix-tlspol";
|
||||||
CapabilityBoundingSet = [ "" ];
|
CapabilityBoundingSet = [ "" ];
|
||||||
@ -208,7 +215,7 @@ in
|
|||||||
++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
|
++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
|
||||||
"AF_UNIX"
|
"AF_UNIX"
|
||||||
];
|
];
|
||||||
RestrictNamespace = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
|
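Review bot: Replacing `DynamicUser = true;` with `User`/`Group` in the hunk at -178 also drops the sandboxing that DynamicUser implies (NoNewPrivileges, PrivateTmp, RemoveIPC, ProtectSystem=strict, ProtectHome=read-only), and the hunk does not re-add any of them; the rest of serviceConfig starts and ends outside the hunk, so I cannot tell whether they are already set elsewhere. If they are not, set them explicitly next to the new `User = "postfix-tlspol";` line so the static-user unit keeps the same exposure as before; the sketch below uses the values DynamicUser used to imply. A short comment on the new `users.users.postfix-tlspol` block at -153 stating why the user and group are static (so `postfix` can be made a member of the group, which the commit message gives as the motivation but the module does not say) would help the next reader. The `RestrictNamespace` → `RestrictNamespaces` correction at -208 is a misspelled directive that systemd only warns about at unit load, which is exactly the kind of regression an assertion on the `systemd-analyze security` score would catch.
```nix
        User = "postfix-tlspol";
        Group = "postfix-tlspol";
        # DynamicUser=true used to imply these; keep them explicit with a static user
        NoNewPrivileges = true;
        PrivateTmp = true;
        RemoveIPC = true;
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        # … unchanged: CacheDirectory, CapabilityBoundingSet, remaining hardening …
```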
@ -18,7 +18,7 @@
|
|||||||
import json
|
import json
|
||||||
|
|
||||||
machine.wait_for_unit("postfix-tlspol.service")
|
machine.wait_for_unit("postfix-tlspol.service")
|
||||||
machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol")
|
machine.succeed("getent group postfix-tlspol | grep :postfix")
|
||||||
|
|
||||||
with subtest("Interact with the service"):
|
with subtest("Interact with the service"):
|
||||||
machine.succeed("postfix-tlspol -purge")
|
machine.succeed("postfix-tlspol -purge")
|
||||||
@ -26,6 +26,8 @@
|
|||||||
response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
|
response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
|
||||||
machine.log(json.dumps(response, indent=2))
|
machine.log(json.dumps(response, indent=2))
|
||||||
|
|
||||||
|
|
||||||
|
machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ✓")[1])
|
||||||
'';
|
'';
|
||||||
|
|
||||||
}
|
}
|
||||||
|
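Review bot: The new membership check `getent group postfix-tlspol | grep :postfix` at -18 is both too loose and too strict: it passes for a member merely named `postfixadmin` and fails once another member is listed before postfix (`…:alice,postfix`), so it is a weaker assertion than the SupplementaryGroups check it replaces. Querying the user side is exact: `machine.succeed("id -nG postfix | grep -wq postfix-tlspol")`. The added `systemd-analyze security` line at -26 only logs the report through `machine.execute`, whose non-zero status is discarded, so a hardening regression such as the `RestrictNamespace` misspelling this commit fixes would still pass the test; running `systemd-analyze security --threshold=<max exposure> postfix-tlspol.service` via `machine.succeed`, with the threshold set just above the current score, turns the log line into an assertion. The testScript string this hunk sits in starts outside the hunk.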