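{ config, lib, pkgs, ... }:

# NixOS module for postfwd3 (postfix firewall daemon).
#
# The daemon runs as a sandboxed systemd service and is reachable by postfix
# only over a unix socket under /run/postfwd3; it has no network access at all.
with lib;

let
  cfg = config.services.postfwd;

  # Rules end up in the Nix store, which is world-readable, so the rule set
  # must not embed secrets (e.g. credentials for external lookups).
  rulesFile = pkgs.writeText "postfwd3-rules" cfg.rules;

  # Socket/pid/cache paths live in the RuntimeDirectory declared below;
  # rate and group state lives in the StateDirectory.
  runtimeDir = "/run/postfwd3";
  stateDir = "/var/lib/postfwd";

  daemonArgs = [
    "-vv"
    "--daemon"
    # NOTE(review): with DynamicUser the account is created at start; this
    # assumes it is named after the unit ("postfwd") — confirm on upgrade.
    "--user" "postfwd"
    "--group" "postfwd"
    "--pidfile" "${runtimeDir}/postfwd3.pid"
    # Listen on a unix socket rather than TCP so PrivateNetwork can stay on.
    "--proto" "unix"
    "--port" "${runtimeDir}/postfwd3.sock"
    "--save_rates" "${stateDir}/rates"
    "--save_groups" "${stateDir}/groups"
    "--summary" "3600"
    "--cache" "600"
    "--cache_proto" "unix"
    "--cache_port" "${runtimeDir}/cache.sock"
    "--file" rulesFile
  ];
in
{
  options = {
    services.postfwd = with types; {
      enable = mkEnableOption "postfwd3 - postfix firewall daemon";

      rules = mkOption {
        type = lines;
        default = "";
        description = ''
          postfwd3 rule set, passed verbatim to the daemon via `--file`.
          The rules are stored in the world-readable Nix store, so they
          must not contain secrets.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.postfwd = {
      description = "postfwd3 - postfix firewall daemon";
      wantedBy = [ "multi-user.target" ];
      # Start before postfix so the policy socket exists when postfix queries it.
      before = [ "postfix.service" ];

      serviceConfig = {
        # postfwd3 is started with --daemon and detaches; systemd tracks it via PIDFile.
        Type = "forking";
        ExecStart = "${pkgs.postfwd}/bin/postfwd3 ${escapeShellArgs daemonArgs}";
        PIDFile = "${runtimeDir}/postfwd3.pid";
        Restart = "always";
        RestartSec = 5;
        TimeoutSec = 10;

        # Directories created and owned by the service account.
        RuntimeDirectory = [ "postfwd3" ];
        StateDirectory = [ "postfwd" ];
        DynamicUser = true;

        # Filesystem / kernel hardening.
        ProtectSystem = "strict";
        ProtectHome = true;
        SystemCallFilter = [ "@system-service" "~@resources @obsolete" ];
        NoNewPrivileges = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        MemoryDenyWriteExecute = true;
        RestrictSUIDSGID = true;
        KeyringMode = "private";
        ProtectClock = true;
        RestrictRealtime = true;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectHostname = true;
        RestrictNamespaces = true;
        CapabilityBoundingSet = "";
        SystemCallArchitectures = "native";
        LockPersonality = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        DevicePolicy = "closed";

        # Network isolation: the daemon only ever speaks over unix sockets
        # (--proto unix / --cache_proto unix), so deny every IP address family.
        RestrictAddressFamilies = [ "AF_UNIX" ];
        PrivateNetwork = true;
        PrivateUsers = true;
        IPAddressDeny = "any";
      };
    };
  };
}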