Gonne/nixConfig
1
0
Fork 0
forked from Fachschaft/nixConfig
Code Pull requests Activity

Move sieve generator script to stalwart-mail service and make all respective /tmp folders private

Browse source
This commit is contained in:
Gonne 2025-03-24 10:44:31 +01:00 committed by Gonne
parent a469194bce
commit 327d4ec34e
1 changed files with 6 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
nixos/modules/mail.nix
View file

@ -310,12 +310,15 @@ in {
''; '';
in in
lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains); lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
unitConfig.JoinsNamespaceOf = "stalwart-mail.service"; # allow access to sieve script
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "stalwart-mail"; User = "stalwart-mail";
NoNewPrivileges = true; NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = false; # allow access to sieve script PrivateTmp = true;
ProtectHome = true; ProtectHome = true;
ReadOnlyPaths = "/"; ReadOnlyPaths = "/";
ReadWritePaths = "/tmp"; ReadWritePaths = "/tmp";
@ -337,36 +340,8 @@ in {
# This service is defined by the nixpkgs stalwart module and we only modify it. # This service is defined by the nixpkgs stalwart module and we only modify it.
"stalwart-mail" = { "stalwart-mail" = {
restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed. restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script #Generate a sieve script from the virtual alias file
serviceConfig.ProtectSystem = lib.mkForce "full"; # "strict" does not allow writing to /tmp which we need for unpacking the webadmin interface. "full" is less strict. preStart = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
};
"virt-aliases-generator" = {
description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
serviceConfig = {
Type = "oneshot";
User = "stalwart-mail";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = false;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
}; };
}; };
}; };