aboutsummaryrefslogtreecommitdiff
path: root/nixpkgs/nixos/modules/services/mail/opendkim.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/nixos/modules/services/mail/opendkim.nix')
-rw-r--r--nixpkgs/nixos/modules/services/mail/opendkim.nix30
1 files changed, 30 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/mail/opendkim.nix b/nixpkgs/nixos/modules/services/mail/opendkim.nix
index eb6a426684d..9bf6f338d93 100644
--- a/nixpkgs/nixos/modules/services/mail/opendkim.nix
+++ b/nixpkgs/nixos/modules/services/mail/opendkim.nix
@@ -129,6 +129,36 @@ in {
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
+ StateDirectory = "opendkim";
+ StateDirectoryMode = "0700";
+ ReadWritePaths = [ cfg.keyPath ];
+
+ AmbientCapabilities = [];
+ CapabilityBoundingSet = [];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
+ UMask = "0077";
};
};
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-28 08:38:25 +0000