summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
-rw-r--r--modules/postfwd.nix19
1 files changed, 18 insertions, 1 deletions
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index 4afea0a1..e10c04a7 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -32,6 +32,11 @@ in {
32 "--proto" "unix" 32 "--proto" "unix"
33 "--port" "/run/postfwd3/postfwd3.sock" 33 "--port" "/run/postfwd3/postfwd3.sock"
34 "--save_rates" "/var/lib/postfwd/rates" 34 "--save_rates" "/var/lib/postfwd/rates"
35 "--save_groups" "/var/lib/postfwd/groups"
36 "--summary" "3600"
37 "--cache" "600"
38 "--cache_proto" "unix"
39 "--cache_port" "/run/postfwd3/cache.sock"
35 "--file" (pkgs.writeText "postfwd3-rules" cfg.rules) 40 "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
36 ]}"; 41 ]}";
37 PIDFile = "/run/postfwd3/postfwd3.pid"; 42 PIDFile = "/run/postfwd3/postfwd3.pid";
@@ -45,7 +50,8 @@ in {
45 50
46 DynamicUser = true; 51 DynamicUser = true;
47 ProtectSystem = "strict"; 52 ProtectSystem = "strict";
48 SystemCallFilter = "@system-service"; 53 ProtectHome = true;
54 SystemCallFilter = ["@system-service" "~@resources @obsolete"];
49 NoNewPrivileges = true; 55 NoNewPrivileges = true;
50 ProtectKernelTunables = true; 56 ProtectKernelTunables = true;
51 ProtectKernelModules = true; 57 ProtectKernelModules = true;
@@ -59,6 +65,17 @@ in {
59 PrivateDevices = true; 65 PrivateDevices = true;
60 PrivateTmp = true; 66 PrivateTmp = true;
61 ProtectHostname = true; 67 ProtectHostname = true;
68 RestrictNamespaces = true;
69 CapabilityBoundingSet = "";
70 RestrictAddressFamilies = ["AF_UNIX"];
71 PrivateNetwork = true;
72 PrivateUsers = true;
73 SystemCallArchitectures = "native";
74 LockPersonality = true;
75 ProtectProc = "invisible";
76 ProcSubset = "pid";
77 DevicePolicy = "closed";
78 IPAddressDeny = "any";
62 }; 79 };
63 }; 80 };
64 }; 81 };
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-26 20:20:12 +0000