author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-03-17 23:01:24 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-03-17 23:01:24 +0100 |
commit | 00239ce8e9baeef0ea55fd0995a55e0b15a25ac9 (patch) | |
tree | dd198eba4108aedbf97a509c7e81ca8268d117dc /nixos | |
parent | 8ab2d2ee27b84bfeb2e2077e87f5ccc7b0d129fe (diff) | |
rmilter/rspamd service: tighten unix socket permissions
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/mail/rmilter.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/mail/rspamd.nix | 5 |
2 files changed, 12 insertions, 6 deletions
diff --git a/nixos/modules/services/mail/rmilter.nix b/nixos/modules/services/mail/rmilter.nix
index 3153b1c79124..e17b7516bfff 100644
--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@@ -5,6 +5,7 @@ with lib;
 let
 rspamdCfg = config.services.rspamd;
+ postfixCfg = config.services.postfix;
 cfg = config.services.rmilter;
 inetSocket = addr: port: "inet:[${toString port}@${addr}]";
@@ -219,7 +220,7 @@ in
 PermissionsStartOnly = true;
 Restart = "always";
 RuntimeDirectory = "rmilter";
- RuntimeDirectoryMode = "0755";
+ RuntimeDirectoryMode = "0750";
 };
 };
@@ -231,16 +232,18 @@ in
 ListenStream = systemdSocket;
 SocketUser = cfg.user;
 SocketGroup = cfg.group;
- SocketMode = "0666";
+ SocketMode = "0660";
 };
 };
 })
- (mkIf (cfg.enable && cfg.postfix.enable) {
+ (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
+ users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
+ })
+ (mkIf (cfg.enable && cfg.postfix.enable) {
 services.postfix.extraConfig = cfg.postfix.configFragment;
- users.users.postfix.extraGroups = [ cfg.group ];
-
+ users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
 })
 ];
 }
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index 98489df78517..6d403e448e04 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@@ -53,8 +53,11 @@ in
 bindSocket = mkOption {
 type = types.listOf types.str;
 default = [
- "/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
+ "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
 ];
+ defaultText = ''[
+ "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
+ ]'';
 description = ''
 List of sockets to listen, in format acceptable by rspamd
 ''; |
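Review bot: The replacement line `users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];` and the new `users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];` above it switch from the `users.users` spelling the removed line used to `users.extraUsers`; `users.users` is the canonical option and `extraUsers` an alias for it, so `users.users.${postfixCfg.user}.extraGroups = [ cfg.group ];` keeps the module consistent with its own prior style. Moving from the literal `postfix` to `postfixCfg.user` is the right direction, assuming `services.postfix.user` is the account postfix actually runs under, and the new guard presumes `cfg.rspamd.enable` is a declared rmilter option, which this hunk does not show. Because the tightened `SocketMode = "0660"` and `RuntimeDirectoryMode = "0750"` in the earlier hunks only work if the consumers sit in the right groups, a comment such as `# postfix needs cfg.group to traverse /run/rmilter (0750) and connect to the 0660 socket` on the postfix line, and the equivalent `# rmilter needs rspamd's group to reach the 0660 rspamd socket` on the rspamd line, would make the membership's purpose explicit. The list these `mkIf` attribute sets belong to starts outside the hunk.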
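Review bot: The added `defaultText` does not render the symbolic default it appears meant to show: Nix interpolates `${…}` inside `''…''` indented strings exactly as in `"…"` strings, so it evaluates to the concrete user and group names rather than the literal `${cfg.user}` and `${cfg.group}`. If the literal text is intended, escape the interpolations with `''${`, i.e. `"/run/rspamd/rspamd.sock mode=0660 owner=''${cfg.user} group=''${cfg.group}"` inside the `''` string; if the concrete value is acceptable, `defaultText` duplicates `default` and can be dropped. The tightened `mode=0660` default is only effective for consumers that are members of `cfg.group`, which is worth stating in the option's `description` (e.g. "the default socket is group-accessible only; clients such as rmilter must be in the rspamd group"). The `bindSocket` option's closing brace lies outside the hunk.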