author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-10-02 18:46:48 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-10-02 18:46:48 +0200 |
commit | 59e54bd97f70711573d321f2d2aeee5da46bf95d (patch) | |
tree | 57ad9c1e82af6247afde473cb2f1f3a219599059 /modules/postfwd.nix | |
parent | 410a63cf1baf627a0b99c34a955b3d02efabb48f (diff) | |
...
Diffstat (limited to 'modules/postfwd.nix')
-rw-r--r-- | modules/postfwd.nix | 19 |
1 files changed, 18 insertions, 1 deletions
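--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -32,6 +32,11 @@ in {
 "--proto" "unix"
 "--port" "/run/postfwd3/postfwd3.sock"
 "--save_rates" "/var/lib/postfwd/rates"
+"--save_groups" "/var/lib/postfwd/groups"
+"--summary" "3600"
+"--cache" "600"
+"--cache_proto" "unix"
+"--cache_port" "/run/postfwd3/cache.sock"
 "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
 ]}";
 PIDFile = "/run/postfwd3/postfwd3.pid";
@@ -45,7 +50,8 @@ in {
 
 DynamicUser = true;
 ProtectSystem = "strict";
-SystemCallFilter = "@system-service";
+ProtectHome = true;
+SystemCallFilter = ["@system-service" "~@resources @obsolete"];
 NoNewPrivileges = true;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
@@ -59,6 +65,17 @@ in {
 PrivateDevices = true;
 PrivateTmp = true;
 ProtectHostname = true;
+RestrictNamespaces = true;
+CapabilityBoundingSet = "";
+RestrictAddressFamilies = ["AF_UNIX"];
+PrivateNetwork = true;
+PrivateUsers = true;
+SystemCallArchitectures = "native";
+LockPersonality = true;
+ProtectProc = "invisible";
+ProcSubset = "pid";
+DevicePolicy = "closed";
+IPAddressDeny = "any";
 };
 };
 };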
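Review bot: `PrivateNetwork = true`, `IPAddressDeny = "any"` and `RestrictAddressFamilies = ["AF_UNIX"]` in the last hunk leave the daemon with no path to any resolver (the private namespace only has its own loopback), so any DNS-backed items in `cfg.rules` — postfwd3's rbl/rhsbl lookups, if a deployment uses them — can never succeed, and a failed lookup most likely just leaves that rule unmatched, which for a mail policy service is fail-open rather than fail-closed. Since the module accepts arbitrary rules, either state the restriction in the `rules` option description, or gate the network lockdown on an option, e.g. `PrivateNetwork = !cfg.allowDns;` together with `RestrictAddressFamilies = ["AF_UNIX"] ++ lib.optionals cfg.allowDns ["AF_INET" "AF_INET6"];` and the matching `IPAddressDeny`. The rest of this hunk is consistent with the rest of the diff: the policy socket and the new cache socket are both `unix` sockets under /run/postfwd3, so nothing visible here needs an IP socket. Separately, in the second hunk `"~@resources @obsolete"` removes `@resources` from the `@system-service` allow list, which is reasonable for a Perl daemon that does not adjust limits or scheduling, but as far as I recall `@obsolete` is not part of `@system-service` to begin with, so that half of the entry is a no-op and deserves a one-line comment so nobody later "fixes" it. The `serviceConfig` attrset these hunks patch begins before the first hunk and new-file lines 58–64 are not shown, so some of this may already be handled there.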