...

1 files changed, 65 insertions, 0 deletions

diff --git a/modules/postfwd.nix b/modules/postfwd.nix
new file mode 100644
index 00000000..4afea0a1
--- /dev/null
+++ b/modules/postfwd.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.postfwd;
+in {
+  options = {
+    services.postfwd = with types; {
+      enable = mkEnableOption "postfwd3 - postfix firewall daemon";
+
+      rules = mkOption {
+        type = lines;
+        default = "";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.postfwd = {
+      description = "postfwd3 - postfix firewall daemon";
+      wantedBy = ["multi-user.target"];
+      before = ["postfix.service"];
+
+      serviceConfig = {
+        Type = "forking";
+
+        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs [
+          "-vv"
+          "--daemon" "--user" "postfwd" "--group" "postfwd"
+          "--pidfile" "/run/postfwd3/postfwd3.pid"
+          "--proto" "unix"
+          "--port" "/run/postfwd3/postfwd3.sock"
+          "--save_rates" "/var/lib/postfwd/rates"
+          "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
+        ]}";
+        PIDFile = "/run/postfwd3/postfwd3.pid";
+
+        Restart = "always";
+        RestartSec = 5;
+        TimeoutSec = 10;
+
+        RuntimeDirectory = ["postfwd3"];
+        StateDirectory = ["postfwd"];
+
+        DynamicUser = true;
+        ProtectSystem = "strict";
+        SystemCallFilter = "@system-service";
+        NoNewPrivileges = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictSUIDSGID = true;
+        KeyringMode = "private";
+        ProtectClock = true;
+        RestrictRealtime = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectHostname = true;
+      };
+    };
+  };
+}