mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-06 17:13:24 -05:00
nixos/postfix-tlspol: migrate to socket activation
Allows further confining the service. Socket activation is not supported for the metrics-address.
This commit is contained in:
parent
00b60a8c61
commit
f547405d88
2 changed files with 27 additions and 8 deletions
|
|
@ -164,6 +164,20 @@ in
|
|||
};
|
||||
users.groups.postfix-tlspol = { };
|
||||
|
||||
systemd.sockets.postfix-tlspol = {
|
||||
wantedBy = [ "sockets.target" ];
|
||||
socketConfig = {
|
||||
Accept = false;
|
||||
ListenStream = [
|
||||
(lib.removePrefix "unix:" cfg.settings.server.address)
|
||||
];
|
||||
SocketUser = "postfix-tlspol";
|
||||
SocketGroup = "postfix-tlspol";
|
||||
SocketMode = cfg.settings.server.socket-permissions;
|
||||
DirectoryMode = "0755";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.postfix-tlspol = {
|
||||
after = [
|
||||
"nss-lookup.target"
|
||||
|
|
@ -173,7 +187,6 @@ in
|
|||
"nss-lookup.target"
|
||||
"network-online.target"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
description = "Postfix DANE/MTA-STS TLS policy socketmap service";
|
||||
documentation = [ "https://github.com/Zuplu/postfix-tlspol" ];
|
||||
|
|
@ -217,9 +230,6 @@ in
|
|||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
]
|
||||
++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
|
|
@ -237,7 +247,7 @@ in
|
|||
RuntimeDirectory = "postfix-tlspol";
|
||||
RuntimeDirectoryMode = "1750";
|
||||
WorkingDirectory = "/var/cache/postfix-tlspol";
|
||||
UMask = "0117";
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
})
|
||||
|
|
|
|||
|
|
@ -9,7 +9,10 @@
|
|||
|
||||
containers.machine = {
|
||||
services.postfix.enable = true;
|
||||
services.postfix-tlspol.enable = true;
|
||||
services.postfix-tlspol = {
|
||||
enable = true;
|
||||
settings.server.metrics-address = "127.0.0.1:8642";
|
||||
};
|
||||
|
||||
services.dnsmasq = {
|
||||
enable = true;
|
||||
|
|
@ -26,13 +29,19 @@
|
|||
with subtest("Interact with the service"):
|
||||
machine.succeed("postfix-tlspol -purge")
|
||||
|
||||
response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
|
||||
response = machine.log(machine.succeed("postfix-tlspol -query localhost"))
|
||||
response = json.loads(machine.succeed("postfix-tlspol -query localhost"))
|
||||
machine.log(json.dumps(response, indent=2))
|
||||
|
||||
assert response["dane"]["policy"] == "", f"Unexpected DANE policy for localhost: {response["dane"]["policy"]}"
|
||||
assert response["mta-sts"]["policy"] == "TEMP", f"Unexpected MTA-STS policy for localhost: {response["mta-sts"]["policy"]}"
|
||||
|
||||
machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ✓")[1])
|
||||
with subtest("Metrics listener"):
|
||||
machine.log(machine.succeed("curl --silent --fail http://localhost:8642/metrics | grep --quiet postfix_tlspol_queries_total"))
|
||||
|
||||
|
||||
with subtest("Hardening"):
|
||||
machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ✓")[1])
|
||||
'';
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue