From 54be076ae77da1f45fbc6c88419657f828e6237e Mon Sep 17 00:00:00 2001
From: pacien
Date: Mon, 5 Jun 2023 20:04:48 +0200
Subject: nixos/exim: apply privilege restrictions

Since 816614bd62b, the service is set to use the exim user so that systemd takes care of the credentials ownership. The executable is still required to run as root, to then drop privileges. The prefix '+' that was used however interfers with the use of privilege restrictions and other sandboxing options. Since we only want to escape the "User" setting, we can use the '!' prefix instead.
---
 nixos/modules/services/mail/exim.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'nixos/modules/services/mail')
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index a9504acee351..1d1258913b67 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -116,8 +116,8 @@ in
 wantedBy = [ "multi-user.target" ];
 restartTriggers = [ config.environment.etc."exim.conf".source ];
 serviceConfig = {
- ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
- ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID";
+ ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
+ ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID";
 User = cfg.user;
 };
 preStart = ''
-- cgit 1.4.1
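Review bot: The two `!`-prefixed lines in `serviceConfig` carry no comment saying why the prefix is there, so a later edit that drops it or reverts to `+` would silently change the security posture of the unit. With `!`, systemd skips only `User=`/`Group=`/`SupplementaryGroups=` for that command, so exim still starts as root and has to drop privileges itself, while any sandboxing option set on the unit now applies to it. I would add above `ExecStart` something like `# '!' bypasses only User=/Group=: exim starts as root and drops privileges itself; sandboxing options still apply.` The `serviceConfig` visible here sets no such option itself, so by default the daemon's privileges look unchanged by this commit; whether the module should ship hardening defaults (tested against exim's local delivery) is worth deciding separately. The service definition starts before this hunk and `preStart` continues past it.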