services/mail: hardening postfix and dovecot

Lu Wang 2024-12-20 21:41:02 +08:00
parent 22700c13c7
commit bc44eb8424
Signed by: rebmit
SSH key fingerprint: SHA256:3px8QV1zEerIrEWHaqtH5rR9kjetyRST5EipOPrd+bU
6 changed files with 53 additions and 14 deletions


@ -413,11 +413,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1734683762,
"narHash": "sha256-GnwQCZ9tx9Cb4PjPySnJrCYB4Fc3c288fw+sAeATXJY=",
"lastModified": 1734694533,
"narHash": "sha256-OPww6Fzq7qnHctBcu6J9vmVdZ4NS8vpdG8JRvWm4i3s=",
"owner": "rebmit",
"repo": "nix-exprs",
"rev": "13d8ed59016e492edc92407d4691e45b4fc09d4e",
"rev": "4a958c802908b90f60f7aac2c85de433c86ec76c",
"type": "github"
},
"original": {


@ -105,6 +105,7 @@ in
"CAP_SYS_ADMIN"
"CAP_SYS_PTRACE"
];
SystemCallFilter = [ "@system-service" ];
};
after = [
"network.target"
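Review bot: The filter added at L35, `SystemCallFilter = [ "@system-service" ];`, does not include the `ptrace` family (systemd puts it in `@debug`) nor the `@mount` group, yet the capability list closed at L34 still grants `CAP_SYS_PTRACE` and `CAP_SYS_ADMIN`; if this unit actually uses either, the call is killed with SIGSYS by default since no `SystemCallErrorNumber` is set, and if it does not, the two capabilities are dead weight that should be dropped instead. Please confirm which of the two applies and record it, e.g. `# @system-service excludes @debug (ptrace) and @mount; capabilities above verified against what the unit calls`. The enclosing `serviceConfig` set and the option that holds the capability list start outside the hunk, so I cannot tell whether it is `CapabilityBoundingSet` or `AmbientCapabilities`.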


@ -15,13 +15,14 @@
};
systemd.services.caddy.serviceConfig = mylib.misc.serviceHardened // {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
systemd.services.caddy-api.serviceConfig = mylib.misc.serviceHardened // {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [
""
"CAP_NET_BIND_SERVICE"
];
CapabilityBoundingSet = [
""
"CAP_NET_BIND_SERVICE"
];
};
services.restic.backups.b2.paths = [ config.services.caddy.dataDir ];
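Review bot: The `""` reset entry added at L52 and L56 is not wrapped in `lib.mkForce`, unlike the same construction in this commit's postfix (L126-L127) and ntfy-sh (L144-L145) hunks; `//` only overrides keys coming from `mylib.misc.serviceHardened`, so if the upstream caddy module also defines `AmbientCapabilities`/`CapabilityBoundingSet` for this unit, the module system still list-merges both definitions, and systemd's `""` reset only discards settings that precede it in the rendered unit, which makes the result depend on definition order. Consistent with the other two files, I would write `AmbientCapabilities = lib.mkForce [ "" "CAP_NET_BIND_SERVICE" ];` and the same for `CapabilityBoundingSet`, assuming `lib` is among this file's function arguments (they are outside the hunk). If the `""` is there only to override serviceHardened, it is redundant with `//` and a short comment saying which definition it is meant to reset would help the next reader.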


@ -4,6 +4,7 @@
config,
lib,
pkgs,
mylib,
...
}:
let
@ -95,9 +96,6 @@ in
listen = 127.0.0.1
haproxy_trusted_networks = 127.0.0.1/8
default_internal_user = ${cfg.user}
default_internal_group = ${cfg.group}
auth_username_format = %Ln
mail_home = ${maildir}/%u
@ -170,5 +168,23 @@ in
}
'';
systemd.services.dovecot2.serviceConfig = mylib.misc.serviceHardened // {
StateDirectory = "dovecot";
ReadWritePaths = [ maildir ];
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_KILL"
"CAP_SYS_CHROOT"
"CAP_SETUID"
"CAP_SETGID"
"CAP_NET_BIND_SERVICE"
"CAP_DAC_OVERRIDE"
];
SystemCallFilter = [
"@system-service"
"chroot"
];
};
services.restic.backups.b2.paths = [ maildir ];
}
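Review bot: The capability list at L85-L93 and the `"chroot"` entry at L96 carry no rationale, and `CAP_DAC_OVERRIDE` at L92 is the widest grant in the set (it bypasses file mode checks for every path the unit can reach, including everything under `ReadWritePaths`), so a reader cannot tell which Dovecot component needs it or whether `CAP_DAC_READ_SEARCH` would suffice. I would add per-entry comments, e.g. `# CAP_SYS_CHROOT plus the chroot syscall: Dovecot's login/auth processes chroot themselves` and `# CAP_DAC_OVERRIDE: TODO name the component that needs it, or narrow to CAP_DAC_READ_SEARCH`, and note next to L84 that `ReadWritePaths = [ maildir ]` only has an effect if `mylib.misc.serviceHardened` sets `ProtectSystem` (its contents are not in this commit). The `"chroot"` addition alongside `@system-service` is correct as far as I can see, since the group does not contain that call.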


@ -4,14 +4,33 @@
config,
lib,
pkgs,
mylib,
...
}:
{
systemd.services.postfix.serviceConfig = {
systemd.services.postfix.serviceConfig = mylib.misc.serviceHardened // {
StateDirectory = "postfix";
PrivateTmp = true;
ExecStartPre = ''
${pkgs.openssl}/bin/openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/selfsigned.key -out /tmp/selfsigned.crt -batch
'';
ProtectSystem = lib.mkForce "strict";
RestrictAddressFamilies = lib.mkForce [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
CapabilityBoundingSet = lib.mkForce [
""
"CAP_DAC_READ_SEARCH"
"CAP_DAC_OVERRIDE"
"CAP_KILL"
"CAP_SETUID"
"CAP_SETGID"
"CAP_NET_BIND_SERVICE"
];
SystemCallFilter = lib.mkForce [ "@system-service" ];
};
services.postfix = {
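Review bot: The new bounding set at L126-L134 omits `CAP_SYS_CHROOT` and the filter at L135 allows only `@system-service`, which the dovecot hunk in this commit had to extend with an explicit `"chroot"`; this is fine as long as every master.cf entry runs unchrooted (the NixOS default, as far as I know), but enabling `chroot = y` for any Postfix service would then fail at start with SIGSYS, since no `SystemCallErrorNumber` is set. Please pin that assumption in place, e.g. `# master.cf services run unchrooted; a chrooted entry would also need CAP_SYS_CHROOT and "chroot" in SystemCallFilter`. The `ExecStartPre` at L116-L118 also deserves a one-line comment on what the self-signed certificate is for and that `PrivateTmp = true` at L115 is what keeps the unencrypted `/tmp/selfsigned.key` private to this unit's namespace, since the two settings only make sense together.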


@ -16,6 +16,8 @@
};
systemd.services.ntfy-sh.serviceConfig = mylib.misc.serviceHardened // {
AmbientCapabilities = lib.mkForce [ "" ];
CapabilityBoundingSet = lib.mkForce [ "" ];
DynamicUser = lib.mkForce false;
};