From b931543508377c0e48a6801e4ea217eb523e2b03 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 13 Sep 2022 10:29:35 +0200
Subject: ...
---
 modules/postfwd.nix | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 modules/postfwd.nix
(limited to 'modules/postfwd.nix')
diff --git a/modules/postfwd.nix b/modules/postfwd.nix
new file mode 100644
index 00000000..4afea0a1
--- /dev/null
+++ b/modules/postfwd.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.postfwd;
+in {
+ options = {
+ services.postfwd = with types; {
+ enable = mkEnableOption "postfwd3 - postfix firewall daemon";
+
+ rules = mkOption {
+ type = lines;
+ default = "";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.postfwd = {
+ description = "postfwd3 - postfix firewall daemon";
+ wantedBy = ["multi-user.target"];
+ before = ["postfix.service"];
+
+ serviceConfig = {
+ Type = "forking";
+
+ ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs [
+ "-vv"
+ "--daemon" "--user" "postfwd" "--group" "postfwd"
+ "--pidfile" "/run/postfwd3/postfwd3.pid"
+ "--proto" "unix"
+ "--port" "/run/postfwd3/postfwd3.sock"
+ "--save_rates" "/var/lib/postfwd/rates"
+ "--file" (pkgs.writeText "postfwd3-rules" cfg.rules)
+ ]}";
+ PIDFile = "/run/postfwd3/postfwd3.pid";
+
+ Restart = "always";
+ RestartSec = 5;
+ TimeoutSec = 10;
+
+ RuntimeDirectory = ["postfwd3"];
+ StateDirectory = ["postfwd"];
+
+ DynamicUser = true;
+ ProtectSystem = "strict";
+ SystemCallFilter = "@system-service";
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ MemoryDenyWriteExecute = true;
+ RestrictSUIDSGID = true;
+ KeyringMode = "private";
+ ProtectClock = true;
+ RestrictRealtime = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectHostname = true;
+ };
+ };
+ };
+}
-- cgit v1.2.3
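Review bot: The serviceConfig block leaves the daemon's network and namespace surface unrestricted — it sets `ProtectSystem`, `SystemCallFilter`, `MemoryDenyWriteExecute` and friends but no `RestrictAddressFamilies`, `RestrictNamespaces`, `LockPersonality`, `SystemCallArchitectures` or `CapabilityBoundingSet`, so a compromised postfwd3 still gets every socket family, user/mount namespaces and the full bounding set even though it only needs the unix listener at `/run/postfwd3/postfwd3.sock` plus, presumably, IPv4/IPv6 for DNS-based rules. Separately, `DynamicUser = true` without `User=` already runs the process as a transient account named after the unit (`postfwd`), so the `--user postfwd --group postfwd` arguments on the ExecStart line are at best a redundant re-lookup of the same account via nss-systemd and will break if the unit is ever renamed; confirm postfwd3 accepts a setuid/setgid to the uid it already holds rather than treating it as an error. The `rules` option also lacks the `description` NixOS options normally carry, and because its value is rendered into the world-readable Nix store via `pkgs.writeText`, that text should say so, e.g. `description = "postfwd3 rule set; written to the Nix store, so it must not contain secrets.";`. The additions below go into serviceConfig; the AF_INET/AF_INET6 entries assume the rules do in-process DNS lookups and can be dropped if they do not. The hunk is the complete file, so nothing enclosing runs outside it.
```nix
      serviceConfig = {
        # … unchanged: Type, ExecStart, PIDFile, Restart*, *Directory, existing hardening …
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        CapabilityBoundingSet = "";
        ProtectHome = true;
      };
```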