authorGregor Kleen <gkleen@yggdrasil.li>2022-09-13 10:29:35 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-09-13 10:29:35 +0200
commitb931543508377c0e48a6801e4ea217eb523e2b03 (patch)
tree373c8ab46c6e78cb69654d816fadf8d6fef1fd28 /modules/postfwd.nix
parent92dab2dbad09bee9698fc0a9734140af37ca550a (diff)
...
Diffstat (limited to 'modules/postfwd.nix')
-rw-r--r--modules/postfwd.nix65
1 files changed, 65 insertions, 0 deletions
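--- /dev/null
+++ b/modules/postfwd.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.postfwd;
+in {
+  options = {
+    services.postfwd = with types; {
+      enable = mkEnableOption "postfwd3 - postfix firewall daemon";
+
+      rules = mkOption {
+        type = lines;
+        default = "";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.postfwd = {
+      description = "postfwd3 - postfix firewall daemon";
+      wantedBy = ["multi-user.target"];
+      before = ["postfix.service"];
+
+      serviceConfig = {
+        Type = "forking";
+
+        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs [
+          "-vv"
+          "--daemon" "--user" "postfwd" "--group" "postfwd"
+          "--pidfile" "/run/postfwd3/postfwd3.pid"
+          "--proto" "unix"
+          "--port" "/run/postfwd3/postfwd3.sock"
+          "--save_rates" "/var/lib/postfwd/rates"
+          "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
+        ]}";
+        PIDFile = "/run/postfwd3/postfwd3.pid";
+
+        Restart = "always";
+        RestartSec = 5;
+        TimeoutSec = 10;
+
+        RuntimeDirectory = ["postfwd3"];
+        StateDirectory = ["postfwd"];
+
+        DynamicUser = true;
+        ProtectSystem = "strict";
+        SystemCallFilter = "@system-service";
+        NoNewPrivileges = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictSUIDSGID = true;
+        KeyringMode = "private";
+        ProtectClock = true;
+        RestrictRealtime = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectHostname = true;
+      };
+    };
+  };
+}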
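Review bot: The `rules` option is declared with `mkOption` but carries no `description`, so it is undocumented to module users, and its contents are placed in the world-readable Nix store by `pkgs.writeText "postfwd3-rules" cfg.rules`; a description such as `description = "postfwd3 rule set; written verbatim to the Nix store, so it must not contain secrets.";` would cover both points. The `--user postfwd --group postfwd` arguments next to `DynamicUser = true` look redundant, since the unit already runs as a transient `postfwd` user created for `postfwd.service`; it is worth confirming that postfwd3 accepts being asked to switch to the user it already is rather than failing at startup. The hardening block omits `ProtectHome`, `RestrictAddressFamilies`, `LockPersonality`, `RestrictNamespaces`, `SystemCallArchitectures` and `CapabilityBoundingSet`, which the surrounding `Protect*`/`Restrict*` settings suggest were intended; `RestrictAddressFamilies` in particular depends on whether the configured rules perform DNS or other network lookups beyond the `unix` listener.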