felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-25 07:41:13 +02:00
Code Issues Projects Releases Wiki Activity
Files
7ecfdce5ca42cbdb09425ee1960e608a9d5df868
pvv-nixos-config/hosts/temmie/services/userweb/mail.nix

83 lines
1.8 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
{
services.postfix.enable = lib.mkForce false;
services.nullmailer = {
enable = true;
config = {
me = config.networking.fqdn;
remotes = "mail.pvv.ntnu.no smtp --port=25";
};
};
services.bro = {
enable = true;
instances.userweb-sendmail = {
enable = true;
client = {
settings.BRO_FILE_FLAGS = [
"-C"
];
};
server = {
settings = {
executable = lib.getExe pkgs.system-sendmail;
# allowed-env = [ ];
};
};
};
};
environment.systemPackages = [
(config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
postInstall = (prev.postInstall or "") + ''
mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
'';
}))
];
systemd.services.bro-userweb-sendmail = {
serviceConfig = {
User = "nobody";
Group = "nobody";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
NoNewPrivileges = false;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = false;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateMounts = true;
ProcSubset = "pid";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0027";
SystemCallArchitectures = "native";
# SystemCallFilter = [
# ];
};
};
}
Reference in New Issue View Git Blame Copy Permalink