From 59e54bd97f70711573d321f2d2aeee5da46bf95d Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Oct 2022 18:46:48 +0200 Subject: ... --- modules/postfwd.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'modules/postfwd.nix')
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
index 4afea0a1..e10c04a7 100644
--- a/modules/postfwd.nix
+++ b/modules/postfwd.nix
@@ -32,6 +32,11 @@ in {
 "--proto" "unix"
 "--port" "/run/postfwd3/postfwd3.sock"
 "--save_rates" "/var/lib/postfwd/rates"
+ "--save_groups" "/var/lib/postfwd/groups"
+ "--summary" "3600"
+ "--cache" "600"
+ "--cache_proto" "unix"
+ "--cache_port" "/run/postfwd3/cache.sock"
 "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
 ]}";
 PIDFile = "/run/postfwd3/postfwd3.pid";
@@ -45,7 +50,8 @@ in {
 DynamicUser = true;
 ProtectSystem = "strict";
- SystemCallFilter = "@system-service";
+ ProtectHome = true;
+ SystemCallFilter = ["@system-service" "~@resources @obsolete"];
 NoNewPrivileges = true;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
@@ -59,6 +65,17 @@ in {
 PrivateDevices = true;
 PrivateTmp = true;
 ProtectHostname = true;
+ RestrictNamespaces = true;
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = ["AF_UNIX"];
+ PrivateNetwork = true;
+ PrivateUsers = true;
+ SystemCallArchitectures = "native";
+ LockPersonality = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ DevicePolicy = "closed";
+ IPAddressDeny = "any";
 };
 };
 };
-- cgit v1.2.3
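Review bot: The cache socket introduced by `--cache_port` sits in the same `/run/postfwd3` directory as the policy socket, so any local principal allowed to connect to `postfwd3.sock` (the postfix policy client) can presumably reach the cache process as well; nothing in this hunk restricts that, so the mode of the runtime directory, set outside this hunk, should be checked to admit only postfix. `--save_groups` writes under `/var/lib/postfwd` next to `--save_rates`, and with `ProtectSystem = "strict"` that path is read-only unless a `StateDirectory` is declared, which is not visible here; I would confirm it and record the intent with `# rates/groups persist in StateDirectory; policy and cache sockets are unix-only`. The argument list and the enclosing serviceConfig set begin before this hunk.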
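Review bot: `"~@resources @obsolete"` packs two groups into one list item and relies on systemd applying the leading `~` to the whole space-separated value; writing them as `"~@resources" "~@obsolete"` reads unambiguously and yields the same denylist. Dropping `@resources` also removes `setrlimit`/`prlimit64`/`setpriority` from the `@system-service` allowlist, and because no `SystemCallErrorNumber` is set, a Perl daemon that hits one of them is killed with SIGSYS rather than receiving EPERM; check the journal for SIGSYS after deploying, or add `SystemCallErrorNumber = "EPERM";` if a hard kill of the policy daemon in the mail path is undesirable. The serviceConfig set continues on both sides of this hunk.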
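Review bot: `PrivateNetwork = true` together with `RestrictAddressFamilies = ["AF_UNIX"]` and `IPAddressDeny = "any"` leaves the daemon with no way to resolve names, so any item in `cfg.rules` that needs DNS (postfwd's `rbl`/`rhsbl` lookups, for instance) would fail at runtime rather than at evaluation, and since the rules are user-supplied through the module option that constraint is not obvious to the user. Either document it next to the setting, e.g. `# PrivateNetwork: sockets are unix-only; DNS-based rule items (rbl/rhsbl) cannot work in this sandbox`, or make the three network settings conditional on an option stating that the rules need no network. `IPAddressDeny` and `DevicePolicy` are redundant with `PrivateNetwork`/`PrivateDevices` but harmless as defence in depth. The serviceConfig set this hunk closes begins before it.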