author | Philipp Bartsch <phil@grmr.de> | 2020-07-16 04:15:44 +0200 |
committer | Philipp Bartsch <phil@grmr.de> | 2020-07-16 21:15:22 +0200 |
commit | 7e9f3e9eb16ca1814199872f2d44ece88297e9cb (patch) | |
tree | 2d9dd9391bf745f6ac4c3b056fff82364dbd725c | |
parent | 5e1d1418095bc1faf910914eee81effad070b0bc (diff) | |
nixos/rspamd: add systemd service sandbox
Drop preStart script in favour of systemd StateDirectory parameter.
-rw-r--r-- | nixos/modules/services/mail/rspamd.nix | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index aacdbe2aeed..2707bd16cdb 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -394,16 +394,43 @@ in restartTriggers = [ rspamdDir ]; serviceConfig = { - ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c /etc/rspamd/rspamd.conf -f"; + ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f"; Restart = "always"; + + User = "${cfg.user}"; + Group = "${cfg.group}"; + RuntimeDirectory = "rspamd"; + RuntimeDirectoryMode = "0755"; + StateDirectory = "rspamd"; + StateDirectoryMode = "0700"; + + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DevicePolicy = "closed"; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + UMask = "0077"; }; - - preStart = '' - ${pkgs.coreutils}/bin/mkdir -p /var/lib/rspamd - ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd - ''; }; }; imports = [ |
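Review bot: `PrivateUsers = true` in the new serviceConfig maps only the service's own uid/gid into the namespace, so any attempt by rspamd to chown a socket or file to a different owner or group (this module's worker socket options appear to allow configuring `owner`/`group`, e.g. a `postfix` group for the milter socket — not visible in this hunk, so verify) will fail with EINVAL inside the sandbox, which the old root-then-drop-privileges start (`--user`/`--group`) did not have; either document that socket ownership must stay within `cfg.user`/`cfg.group`, or drop `PrivateUsers` and keep the rest of the hardening. The `RuntimeDirectoryMode = "0755"` choice would benefit from a comment stating why the socket directory is world-listable (`# 0755 so clients such as the MTA can reach sockets in /run/rspamd; access is controlled by the socket modes`), since the state directory next to it is locked to 0700. As a point of style, the interpolations `User = "${cfg.user}";` and `Group = "${cfg.group}";` are redundant for string options and can be written `User = cfg.user;` and `Group = cfg.group;`, matching how `cfg.user` is used elsewhere in the module. Note that `SystemCallFilter = "@system-service"` still permits `@resources` and `@setuid`; if rspamd runs without them under `NoNewPrivileges`, `[ "@system-service" "~@privileged" "~@resources" ]` would tighten the filter, but that needs a runtime check before landing. The enclosing `systemd.services.rspamd` definition begins before this hunk.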