authorGregor Kleen <gkleen@yggdrasil.li>2022-10-02 18:46:48 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-10-02 18:46:48 +0200
commit59e54bd97f70711573d321f2d2aeee5da46bf95d (patch)
tree57ad9c1e82af6247afde473cb2f1f3a219599059 /modules/postfwd.nix
parent410a63cf1baf627a0b99c34a955b3d02efabb48f (diff)
...
Diffstat (limited to 'modules/postfwd.nix')
-rw-r--r--modules/postfwd.nix19
1 files changed, 18 insertions, 1 deletions
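diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index 4afea0a1..e10c04a7 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -32,6 +32,11 @@ in {
 "--proto" "unix"
 "--port" "/run/postfwd3/postfwd3.sock"
 "--save_rates" "/var/lib/postfwd/rates"
+"--save_groups" "/var/lib/postfwd/groups"
+"--summary" "3600"
+"--cache" "600"
+"--cache_proto" "unix"
+"--cache_port" "/run/postfwd3/cache.sock"
 "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
 ]}";
 PIDFile = "/run/postfwd3/postfwd3.pid";
@@ -45,7 +50,8 @@ in {
 
 DynamicUser = true;
 ProtectSystem = "strict";
-SystemCallFilter = "@system-service";
+ProtectHome = true;
+SystemCallFilter = ["@system-service" "~@resources @obsolete"];
 NoNewPrivileges = true;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
@@ -59,6 +65,17 @@ in {
 PrivateDevices = true;
 PrivateTmp = true;
 ProtectHostname = true;
+RestrictNamespaces = true;
+CapabilityBoundingSet = "";
+RestrictAddressFamilies = ["AF_UNIX"];
+PrivateNetwork = true;
+PrivateUsers = true;
+SystemCallArchitectures = "native";
+LockPersonality = true;
+ProtectProc = "invisible";
+ProcSubset = "pid";
+DevicePolicy = "closed";
+IPAddressDeny = "any";
 };
 };
 };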
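Review bot: In the last hunk, `PrivateNetwork = true;`, `RestrictAddressFamilies = ["AF_UNIX"];` and `IPAddressDeny = "any";` together leave the daemon unable to reach a resolver, and nothing tells the person writing `cfg.rules`. Any DNS-based rule item (postfwd's `rbl`/`rhsbl`-style lookups) would presumably never match, so the policy would fail open rather than report an error. The lockdown itself is a sound default for a policy daemon that is only reached over `/run/postfwd3/postfwd3.sock`. I would add a comment above these lines such as `# No network access: DNS-based rule items (rbl, rhsbl, ...) cannot resolve inside this sandbox`, and repeat it in the description of the `rules` option, which is outside the visible hunks. The attribute set these lines belong to opens before the hunk, so whether related settings appear elsewhere in it cannot be checked from here.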