1 files changed, 65 insertions, 0 deletions
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
new file mode 100644
index 00000000..4afea0a1
--- /dev/null
+++ b/modules/postfwd.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.postfwd;
+in {
+  options = {
+    services.postfwd = with types; {
+      enable = mkEnableOption "postfwd3 - postfix firewall daemon";
+      rules = mkOption {
+        type = lines;
+        default = "";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.postfwd = {
+      description = "postfwd3 - postfix firewall daemon";
+      wantedBy = ["multi-user.target"];
+      before = ["postfix.service"];
+      serviceConfig = {
+        Type = "forking";
+        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs [
+          "-vv"
+          "--daemon" "--user" "postfwd" "--group" "postfwd"
+          "--pidfile" "/run/postfwd3/postfwd3.pid"
+          "--proto" "unix"
+          "--port" "/run/postfwd3/postfwd3.sock"
+          "--save_rates" "/var/lib/postfwd/rates"
+          "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
+        ]}";
+        PIDFile = "/run/postfwd3/postfwd3.pid";
+        Restart = "always";
+        RestartSec = 5;
+        TimeoutSec = 10;
+        RuntimeDirectory = ["postfwd3"];
+        StateDirectory = ["postfwd"];
+        DynamicUser = true;
+        ProtectSystem = "strict";
+        SystemCallFilter = "@system-service";
+        NoNewPrivileges = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictSUIDSGID = true;
+        KeyringMode = "private";
+        ProtectClock = true;
+        RestrictRealtime = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectHostname = true;
+      };
+    };
+  };
+}

diff --git a/modules/postfwd.nix b/modules/postfwd.nix new file mode 100644 index 00000000..4afea0a1 --- /dev/null +++ b/modules/postfwd.nix
@@ -0,0 +1,65 @@
	1	{ config, lib, pkgs, ... }:
	2
	3	with lib;
	4
	5	let
	6	cfg = config.services.postfwd;
	7	in {
	8	options = {
	9	services.postfwd = with types; {
	10	enable = mkEnableOption "postfwd3 - postfix firewall daemon";
	11
	12	rules = mkOption {
	13	type = lines;
	14	default = "";
	15	};
	16	};
	17	};
	18
	19	config = mkIf cfg.enable {
	20	systemd.services.postfwd = {
	21	description = "postfwd3 - postfix firewall daemon";
	22	wantedBy = ["multi-user.target"];
	23	before = ["postfix.service"];
	24
	25	serviceConfig = {
	26	Type = "forking";
	27
	28	ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs [
	29	"-vv"
	30	"--daemon" "--user" "postfwd" "--group" "postfwd"
	31	"--pidfile" "/run/postfwd3/postfwd3.pid"
	32	"--proto" "unix"
	33	"--port" "/run/postfwd3/postfwd3.sock"
	34	"--save_rates" "/var/lib/postfwd/rates"
	35	"--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
	36	]}";
	37	PIDFile = "/run/postfwd3/postfwd3.pid";
	38
	39	Restart = "always";
	40	RestartSec = 5;
	41	TimeoutSec = 10;
	42
	43	RuntimeDirectory = ["postfwd3"];
	44	StateDirectory = ["postfwd"];
	45
	46	DynamicUser = true;
	47	ProtectSystem = "strict";
	48	SystemCallFilter = "@system-service";
	49	NoNewPrivileges = true;
	50	ProtectKernelTunables = true;
	51	ProtectKernelModules = true;
	52	ProtectKernelLogs = true;
	53	ProtectControlGroups = true;
	54	MemoryDenyWriteExecute = true;
	55	RestrictSUIDSGID = true;
	56	KeyringMode = "private";
	57	ProtectClock = true;
	58	RestrictRealtime = true;
	59	PrivateDevices = true;
	60	PrivateTmp = true;
	61	ProtectHostname = true;
	62	};
	63	};
	64	};
	65	}