commit 88565a8620161e9fe3f951676886f28097d15ef0 · pyrox.dev/nixpkgs

+48 -4

nixos/modules/services/mail/dovecot.nix

···

       692
       692
        
       

     

       693
       693
        
           environment.etc."dovecot/dovecot.conf".source = cfg.configFile;

     

       694
       694
        
       

     

       695
       695
       -
           systemd.services.dovecot2 = {

     

       695
       695
       +
           systemd.services.dovecot = {

     

       696
       696
       +
             aliases = [ "dovecot2.service" ];

     

       696
       697
        
             description = "Dovecot IMAP/POP3 server";

     

       698
       698
       +
             documentation = [

     

       699
       699
       +
               "man:dovecot(1)"

     

       700
       700
       +
               "https://doc.dovecot.org"

     

       701
       701
       +
             ];

     

       697
       702
        
       

     

       698
       703
        
             after = [ "network.target" ];

     

       699
       704
        
             wantedBy = [ "multi-user.target" ];

     

       700
       700
       -
             restartTriggers = [

     

       701
       701
       -
               cfg.configFile

     

       702
       702
       -
             ];

     

       705
       705
       +
             restartTriggers = [ cfg.configFile ];

     

       703
       706
        
       

     

       704
       707
        
             startLimitIntervalSec = 60; # 1 min

     

       705
       708
        
             serviceConfig = {

     

       706
       709
        
               Type = "notify";

     

       707
       710
        
               ExecStart = "${dovecotPkg}/sbin/dovecot -F";

     

       708
       711
        
               ExecReload = "${dovecotPkg}/sbin/doveadm reload";

     

       712
       712
       +
       

     

       713
       713
       +
               CapabilityBoundingSet = [

     

       714
       714
       +
                 "CAP_CHOWN"

     

       715
       715
       +
                 "CAP_DAC_OVERRIDE"

     

       716
       716
       +
                 "CAP_FOWNER"

     

       717
       717
       +
                 "CAP_NET_BIND_SERVICE"

     

       718
       718
       +
                 "CAP_SETGID"

     

       719
       719
       +
                 "CAP_SETUID"

     

       720
       720
       +
                 "CAP_SYS_CHROOT"

     

       721
       721
       +
                 "CAP_SYS_RESOURCE"

     

       722
       722
       +
               ];

     

       723
       723
       +
               LockPersonality = true;

     

       724
       724
       +
               MemoryDenyWriteExecute = true;

     

       725
       725
       +
               NoNewPrivileges = true;

     

       726
       726
       +
               OOMPolicy = "continue";

     

       727
       727
       +
               PrivateTmp = true;

     

       728
       728
       +
               ProcSubset = "pid";

     

       729
       729
       +
               ProtectClock = true;

     

       730
       730
       +
               ProtectControlGroups = true;

     

       731
       731
       +
               ProtectHome = lib.mkDefault false;

     

       732
       732
       +
               ProtectHostname = true;

     

       733
       733
       +
               ProtectKernelLogs = true;

     

       734
       734
       +
               ProtectKernelModules = true;

     

       735
       735
       +
               ProtectKernelTunables = true;

     

       736
       736
       +
               ProtectProc = "invisible";

     

       737
       737
       +
               ProtectSystem = "full";

     

       738
       738
       +
               PrivateDevices = true;

     

       709
       739
        
               Restart = "on-failure";

     

       710
       740
        
               RestartSec = "1s";

     

       741
       741
       +
               RestrictAddressFamilies = [

     

       742
       742
       +
                 "AF_INET"

     

       743
       743
       +
                 "AF_INET6"

     

       744
       744
       +
                 "AF_UNIX"

     

       745
       745
       +
               ];

     

       746
       746
       +
               RestrictNamespaces = true;

     

       747
       747
       +
               RestrictRealtime = true;

     

       748
       748
       +
               RestrictSUIDSGID = false; # sets sgid on maildirs

     

       711
       749
        
               RuntimeDirectory = [ "dovecot2" ];

     

       750
       750
       +
               SystemCallArchitectures = "native";

     

       751
       751
       +
               SystemCallFilter = [

     

       752
       752
       +
                 "@system-service @resources"

     

       753
       753
       +
                 "~@privileged"

     

       754
       754
       +
                 "@chown @setuid capset chroot"

     

       755
       755
       +
               ];

     

       712
       756
        
             };

     

       713
       757
        
       

     

       714
       758
        
             # When copying sieve scripts preserve the original time stamp

+3 -1

nixos/tests/dovecot.nix

···

       84
       84
        
       

     

       85
       85
        
         testScript = ''

     

       86
       86
        
           machine.wait_for_unit("postfix.service")

     

       87
       87
       -
           machine.wait_for_unit("dovecot2.service")

     

       87
       87
       +
           machine.wait_for_unit("dovecot.service")

     

       88
       88
        
           machine.succeed("send-testmail")

     

       89
       89
        
           machine.succeed("send-lda")

     

       90
       90
        
           machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')

     

       91
       91
        
           machine.succeed("test-imap")

     

       92
       92
        
           machine.succeed("test-pop")

     

       93
       93
       +
       

     

       94
       94
       +
           machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))

     

       93
       95
        
         '';

     

       94
       96
        
       }