Diffstat (limited to 'module.nix')
-rw-r--r--module.nix78
1 files changed, 78 insertions, 0 deletions
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..85e033d
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, runCommand, ... }:
+let
+ package = pkgs.callPackage ./default.nix {};
+ cfg = config.services.smtp-forward;
+in {
+ options.services.smtp-forward = {
+ enable = lib.mkEnableOption "the smtp-forward service";
+ mapping = lib.mkOption {
+ type = lib.types.str;
+ default = "prefix1:addres@host,prefix2:address@host";
+ description = "-m maps prefixes to email addresses";
+ };
+ listen = lib.mkOption {
+ type = lib.types.str;
+ default = ":25";
+ description = "Adress to listen on";
+ };
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ default = "localhost";
+ description = "-h sets the server hostname";
+ };
+ key = lib.mkOption {
+ type = lib.types.str;
+ default = "setme";
+ description = "-k sets the TLS key";
+ };
+ cert = lib.mkOption {
+ type = lib.types.str;
+ default = "setme";
+ description = "-c sets the TLS key";
+ };
+ };
+ config = lib.mkIf config.services.smtp-forward.enable {
+ systemd.services.smtp-forward = {
+ description = "Run smtp-forward";
+ path = [ package ];
+ wantedBy = [ "default.target" ];
+ script = ''
+ ${package}/bin/smtp-forward -l ${cfg.listen} -m ${cfg.mapping} -h ${cfg.hostname} -k ${cfg.key} -c ${cfg.cert}
+ '';
+ serviceConfig = {
+ User = "smtp-forward";
+ # Security
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectUsers = true;
+ ProtectKernelLogs = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ SystemCallArchitectures = "native";
+ ProtectClock = true;
+ SystemCallFilter= [ "~@mount" "~@reboot" "~@swap" "~@module" "~@debug" "~@cpu-emulation" "SystemCallFilter=~@obsolete" ];
+ };
+ };
+
+ users.users.smtp-forward = {
+ description = "smtp-forward user";
+ group = "nogroup";
+ extraGroups = [ "keys" ];
+ uid = config.ids.uids.firebird;
+ };
+ };
+}
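Review bot: The last entry of the SystemCallFilter list on line 82, `"SystemCallFilter=~@obsolete"`, is not a syscall or group name, so systemd will not apply the `@obsolete` deny-group; it should read `"~@obsolete"` like the other entries (and `ProtectUsers` on line 66 does not look like a systemd.exec(5) directive — worth checking, since an unknown key is logged and ignored rather than enforced). The script on line 55 interpolates the `str` options unescaped into a shell line, so a mapping, hostname or key path containing whitespace or shell metacharacters changes the command; wrap each with `lib.escapeShellArg`, e.g. `-m ${lib.escapeShellArg cfg.mapping}`. Reusing `config.ids.uids.firebird` on line 90 gives this user the UID allocated to firebird, which collides if that service is ever enabled; a dedicated system user (`isSystemUser = true;` with its own group) is the usual form. Taking `runCommand` as a module argument on line 16 is also likely to fail evaluation, since the module system does not supply it and it is unused here.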