Diffstat (limited to 'module.nix')
-rw-r--r-- | module.nix | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..85e033d
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, runCommand, ... }:
+let
+ package = pkgs.callPackage ./default.nix {};
+ cfg = config.services.smtp-forward;
+in {
+ options.services.smtp-forward = {
+ enable = lib.mkEnableOption "the smtp-forward service";
+ mapping = lib.mkOption {
+ type = lib.types.str;
+ default = "prefix1:addres@host,prefix2:address@host";
+ description = "-m maps prefixes to email addresses";
+ };
+ listen = lib.mkOption {
+ type = lib.types.str;
+ default = ":25";
+ description = "Adress to listen on";
+ };
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ default = "localhost";
+ description = "-h sets the server hostname";
+ };
+ key = lib.mkOption {
+ type = lib.types.str;
+ default = "setme";
+ description = "-k sets the TLS key";
+ };
+ cert = lib.mkOption {
+ type = lib.types.str;
+ default = "setme";
+ description = "-c sets the TLS key";
+ };
+ };
+ config = lib.mkIf config.services.smtp-forward.enable {
+ systemd.services.smtp-forward = {
+ description = "Run smtp-forward";
+ path = [ package ];
+ wantedBy = [ "default.target" ];
+ script = ''
+ ${package}/bin/smtp-forward -l ${cfg.listen} -m ${cfg.mapping} -h ${cfg.hostname} -k ${cfg.key} -c ${cfg.cert}
+ '';
+ serviceConfig = {
+ User = "smtp-forward";
+ # Security
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectUsers = true;
+ ProtectKernelLogs = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ SystemCallArchitectures = "native";
+ ProtectClock = true;
+ SystemCallFilter= [ "~@mount" "~@reboot" "~@swap" "~@module" "~@debug" "~@cpu-emulation" "SystemCallFilter=~@obsolete" ];
+ };
+ };
+
+ users.users.smtp-forward = {
+ description = "smtp-forward user";
+ group = "nogroup";
+ extraGroups = [ "keys" ];
+ uid = config.ids.uids.firebird;
+ };
+ };
+} |
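Review bot: The `script` line interpolates `cfg.listen`, `cfg.mapping`, `cfg.hostname`, `cfg.key` and `cfg.cert` unquoted into a shell command, so any value containing whitespace or shell metacharacters (a mapping with several addresses, a key path with a space) is word-split or interpreted by the shell; build the argv with `exec ${package}/bin/smtp-forward ${lib.escapeShellArgs [ "-l" cfg.listen "-m" cfg.mapping "-h" cfg.hostname "-k" cfg.key "-c" cfg.cert ]}` (the `exec` also lets systemd supervise the daemon directly rather than the wrapper shell). Two entries in `serviceConfig` look like they will not do what is intended: `"SystemCallFilter=~@obsolete"` sits inside the list, so it is emitted as a syscall name rather than as the `~@obsolete` filter it was copied from, and `ProtectUsers` is not a systemd directive I can find (the closest is `PrivateUsers=`), so it is presumably dropped with a warning — `systemd-analyze verify` on the generated unit would confirm both. `uid = config.ids.uids.firebird` reuses a static uid reserved for a different service and will collide if that service is ever enabled; use `isSystemUser = true` with a dedicated `group = "smtp-forward"` (plus `users.groups.smtp-forward = {}`) instead of borrowing the id and `nogroup`. The `"setme"` defaults for `key` and `cert` let the unit start with nonexistent TLS material; drop the defaults so evaluation fails until they are set, keep them as `types.str` paths (not `types.path`, which would copy the private key into the world-readable Nix store), and fix the copy-pasted `cert` description from `-c sets the TLS key` to `-c sets the TLS certificate`.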