nixos/postfix-tlspol: migrate to static user/group

This fixes postfix's membership in the postfix-tlspol group, since
membership in a dynamically allocated group does not seem to work.

Additionally this fixes a typo in the systemd hardening and the test now
prints the results of systemd-analyze security.
Martin Weinelt 2025-06-28 23:39:34 +02:00
parent 16ce859442
commit df0eb78b31
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
2 changed files with 12 additions and 3 deletions


@ -153,6 +153,12 @@ in
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
users.users.postfix-tlspol = {
isSystemUser = true;
group = "postfix-tlspol";
};
users.groups.postfix-tlspol = { };
systemd.services.postfix-tlspol = { systemd.services.postfix-tlspol = {
after = [ after = [
"nss-lookup.target" "nss-lookup.target"
@ -178,7 +184,8 @@ in
Restart = "always"; Restart = "always";
RestartSec = 5; RestartSec = 5;
DynamicUser = true; User = "postfix-tlspol";
Group = "postfix-tlspol";
CacheDirectory = "postfix-tlspol"; CacheDirectory = "postfix-tlspol";
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
@ -208,7 +215,7 @@ in
++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [ ++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
"AF_UNIX" "AF_UNIX"
]; ];
RestrictNamespace = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
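Review bot: Replacing `DynamicUser = true;` with a static `User`/`Group` in the -178,7 hunk drops the hardening that DynamicUser= implies — systemd.exec(5) documents that it turns on RemoveIPC=, PrivateTmp=, ProtectSystem=strict, ProtectHome=read-only and NoNewPrivileges= — and the hunk does not add any of them back. If they are not already set elsewhere in serviceConfig (most of it is outside the hunks), they should be made explicit next to the new `User = "postfix-tlspol";` line so the migration does not silently widen the sandbox. The RestrictNamespace → RestrictNamespaces fix in the -208,7 hunk is correct; systemd warns about and ignores an unknown key, so the old spelling had no effect, which is exactly the kind of regression a systemd-analyze security check in the test would catch.
```nix
# … unchanged: Restart / RestartSec …
User = "postfix-tlspol";
Group = "postfix-tlspol";
# Previously implied by DynamicUser=true; keep them now that it is off.
NoNewPrivileges = true;
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = "read-only";
RemoveIPC = true;
# … unchanged: CacheDirectory, CapabilityBoundingSet, … …
```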


@ -18,7 +18,7 @@
import json import json
machine.wait_for_unit("postfix-tlspol.service") machine.wait_for_unit("postfix-tlspol.service")
machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol") machine.succeed("getent group postfix-tlspol | grep :postfix")
with subtest("Interact with the service"): with subtest("Interact with the service"):
machine.succeed("postfix-tlspol -purge") machine.succeed("postfix-tlspol -purge")
@ -26,6 +26,8 @@
response = json.loads((machine.succeed("postfix-tlspol -query localhost"))) response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
machine.log(json.dumps(response, indent=2)) machine.log(json.dumps(response, indent=2))
machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ")[1])
''; '';
} }
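Review bot: The `systemd-analyze security` line added in the -26,6 hunk only logs its output and asserts nothing, so a hardening regression would not fail the test; as rendered, the trailing `grep -v ` also has an empty pattern (possibly a display artifact), in which case grep exits with a usage error and, because `machine.execute` tolerates a non-zero exit, nothing is logged at all. Turning it into a real check is a one-liner: `machine.succeed("systemd-analyze security --threshold=<max-exposure> postfix-tlspol.service")`, which exits non-zero once the exposure score exceeds the chosen threshold, with the full table still logged via `machine.log(...)` if wanted. The `getent group` check in the -18,7 hunk matches any member containing `:postfix`; a stricter pattern such as `grep -E '(:|,)postfix(,|$)'` avoids false positives from similarly named members.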