diff --git a/flake.lock b/flake.lock
index e55ae8b2..6e865c53 100644
--- a/flake.lock
+++ b/flake.lock
@@ -394,17 +394,17 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1751271578,
- "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
+ "lastModified": 1751792365,
+ "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
+ "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
+ "ref": "nixos-unstable",
 "repo": "nixpkgs",
- "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
 "type": "github"
 }
 },
diff --git a/flake.nix b/flake.nix
index 1afc8424..09e4b48a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -73,7 +73,7 @@
 url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nixpkgs.url = "github:nixos/nixpkgs/3016b4b15d13f3089db8a41ef937b13a9e33a8df";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nix-index-database = {
 url = "github:Mic92/nix-index-database";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/patches/422817.patch b/patches/422817.patch
new file mode 100644
index 00000000..e993f983
--- /dev/null
+++ b/patches/422817.patch
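Review bot: The nixpkgs input in flake.nix now names the moving branch `nixos-unstable` instead of an explicit commit, so the only thing holding the exact revision is flake.lock, and any `nix flake update` will advance it without a visible change to flake.nix. Builds stay reproducible as long as flake.lock is committed and its diffs are reviewed, but the pin is no longer evident where the input is declared. Consider a comment on that line, e.g. `# tracks a branch: the exact rev and narHash are pinned only by flake.lock — review the lock diff on every update`. The enclosing `inputs` attribute set starts and ends outside the hunk.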
@@ -0,0 +1,95 @@
+diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
+index 6ebf5cf95742fb..01b9c278c6307d 100644
+--- a/nixos/modules/services/mail/dovecot.nix
++++ b/nixos/modules/services/mail/dovecot.nix
+@@ -692,67 +692,23 @@ in
+ 
+ environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
+ 
+- systemd.services.dovecot = {
+- aliases = [ "dovecot2.service" ];
++ systemd.services.dovecot2 = {
+ description = "Dovecot IMAP/POP3 server";
+- documentation = [
+- "man:dovecot(1)"
+- "https://doc.dovecot.org"
+- ];
+ 
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+- restartTriggers = [ cfg.configFile ];
++ restartTriggers = [
++ cfg.configFile
++ ];
+ 
+ startLimitIntervalSec = 60; # 1 min
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${dovecotPkg}/sbin/dovecot -F";
+ ExecReload = "${dovecotPkg}/sbin/doveadm reload";
+-
+- CapabilityBoundingSet = [
+- "CAP_CHOWN"
+- "CAP_DAC_OVERRIDE"
+- "CAP_FOWNER"
+- "CAP_NET_BIND_SERVICE"
+- "CAP_SETGID"
+- "CAP_SETUID"
+- "CAP_SYS_CHROOT"
+- "CAP_SYS_RESOURCE"
+- ];
+- LockPersonality = true;
+- MemoryDenyWriteExecute = true;
+- NoNewPrivileges = true;
+- OOMPolicy = "continue";
+- PrivateTmp = true;
+- ProcSubset = "pid";
+- ProtectClock = true;
+- ProtectControlGroups = true;
+- ProtectHome = lib.mkDefault false;
+- ProtectHostname = true;
+- ProtectKernelLogs = true;
+- ProtectKernelModules = true;
+- ProtectKernelTunables = true;
+- ProtectProc = "invisible";
+- ProtectSystem = "full";
+- PrivateDevices = true;
+ Restart = "on-failure";
+ RestartSec = "1s";
+- RestrictAddressFamilies = [
+- "AF_INET"
+- "AF_INET6"
+- "AF_UNIX"
+- ];
+- RestrictNamespaces = true;
+- RestrictRealtime = true;
+- RestrictSUIDSGID = false; # sets sgid on maildirs
+ RuntimeDirectory = [ "dovecot2" ];
+- SystemCallArchitectures = "native";
+- SystemCallFilter = [
+- "@system-service @resources"
+- "~@privileged"
+- "@chown @setuid capset chroot"
+- ];
+ };
+ 
+ # When copying sieve scripts preserve the original time stamp
+diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix
+index 83b3781c773d6b..3d2b8c45b12c77 100644
+--- a/nixos/tests/dovecot.nix
++++ b/nixos/tests/dovecot.nix
+@@ -84,13 +84,11 @@
+ 
+ testScript = ''
+ machine.wait_for_unit("postfix.service")
+- machine.wait_for_unit("dovecot.service")
++ machine.wait_for_unit("dovecot2.service")
+ machine.succeed("send-testmail")
+ machine.succeed("send-lda")
+ machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
+ machine.succeed("test-imap")
+ machine.succeed("test-pop")
+-
+- machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))
+ '';
+ }
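Review bot: The new patches/422817.patch strips every sandboxing directive from the dovecot unit (`CapabilityBoundingSet`, `NoNewPrivileges`, `ProtectSystem`, the `ProtectKernel*` family, `RestrictAddressFamilies`, `SystemCallFilter`, `PrivateDevices` and the rest) together with the rename back to `dovecot2.service`, and the test hunk removes the `systemd-analyze security` check that would have reported the regression. Nothing in the diff records why the hardening has to go; if the motivation is only the unit name (the mailserver input declared in flake.nix seems a likely consumer), the rename hunk could be kept while the `serviceConfig` removals are dropped, so an internet-facing daemon stays confined. If a directive genuinely breaks the deployment, the patch should narrow to that one setting and say so in a preamble before its first `diff --git` line, which `git apply` and `patch` ignore, e.g. `Reverts upstream dovecot unit hardening because <reason>; drop once <condition>`. Note also that the removed `aliases = [ "dovecot2.service" ]` is not replaced by an alias for `dovecot.service`, so anything in the patched nixpkgs tree that now refers to `dovecot.service` may no longer resolve.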