Add dovecot revert patch
This commit is contained in:
parent
cfa090c0d7
commit
153e2b2213
3 changed files with 100 additions and 5 deletions
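--- a/flake.lock
+++ b/flake.lock
@@ -394,17 +394,17 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1751271578,
-"narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=",
+"lastModified": 1751792365,
+"narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
+"rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
+"ref": "nixos-unstable",
 "repo": "nixpkgs",
-"rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df",
 "type": "github"
 }
 },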
@ -73,7 +73,7 @@
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
};
};
nixpkgs.url = "github:nixos/nixpkgs/3016b4b15d13f3089db8a41ef937b13a9e33a8df";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nix-index-database = {
nix-index-database = {
url = "github:Mic92/nix-index-database";
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
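Review bot: Switching `nixpkgs.url` from the pinned revision to the `nixos-unstable` branch means every `nix flake update` moves this input, while the reverse patch added in this same commit is written against one specific state of `dovecot.nix` (its index line names blobs 6ebf5cf95742fb..01b9c278c6307d). Assuming the patch is applied to this input somewhere else in the file, a later update may fail to apply it or apply it against drifted context, and nothing in this hunk records that coupling. A comment on the changed line, `# nixpkgs is patched with patches/422817.patch; re-check the patch after each update`, would make the dependency visible. The file header for this section is not shown on the page, so the file is presumed to be flake.nix.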
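--- a/patches/422817.patch
+++ b/patches/422817.patch
@@ -0,0 +1,95 @@
+diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
+index 6ebf5cf95742fb..01b9c278c6307d 100644
+--- a/nixos/modules/services/mail/dovecot.nix
++++ b/nixos/modules/services/mail/dovecot.nix
+@@ -692,67 +692,23 @@ in
+
+environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
+
+- systemd.services.dovecot = {
+- aliases = [ "dovecot2.service" ];
++ systemd.services.dovecot2 = {
+description = "Dovecot IMAP/POP3 server";
+- documentation = [
+- "man:dovecot(1)"
+- "https://doc.dovecot.org"
+- ];
+
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+- restartTriggers = [ cfg.configFile ];
++ restartTriggers = [
++ cfg.configFile
++ ];
+
+startLimitIntervalSec = 60; # 1 min
+serviceConfig = {
+Type = "notify";
+ExecStart = "${dovecotPkg}/sbin/dovecot -F";
+ExecReload = "${dovecotPkg}/sbin/doveadm reload";
+-
+- CapabilityBoundingSet = [
+- "CAP_CHOWN"
+- "CAP_DAC_OVERRIDE"
+- "CAP_FOWNER"
+- "CAP_NET_BIND_SERVICE"
+- "CAP_SETGID"
+- "CAP_SETUID"
+- "CAP_SYS_CHROOT"
+- "CAP_SYS_RESOURCE"
+- ];
+- LockPersonality = true;
+- MemoryDenyWriteExecute = true;
+- NoNewPrivileges = true;
+- OOMPolicy = "continue";
+- PrivateTmp = true;
+- ProcSubset = "pid";
+- ProtectClock = true;
+- ProtectControlGroups = true;
+- ProtectHome = lib.mkDefault false;
+- ProtectHostname = true;
+- ProtectKernelLogs = true;
+- ProtectKernelModules = true;
+- ProtectKernelTunables = true;
+- ProtectProc = "invisible";
+- ProtectSystem = "full";
+- PrivateDevices = true;
+Restart = "on-failure";
+RestartSec = "1s";
+- RestrictAddressFamilies = [
+- "AF_INET"
+- "AF_INET6"
+- "AF_UNIX"
+- ];
+- RestrictNamespaces = true;
+- RestrictRealtime = true;
+- RestrictSUIDSGID = false; # sets sgid on maildirs
+RuntimeDirectory = [ "dovecot2" ];
+- SystemCallArchitectures = "native";
+- SystemCallFilter = [
+- "@system-service @resources"
+- "~@privileged"
+- "@chown @setuid capset chroot"
+- ];
+};
+
+# When copying sieve scripts preserve the original time stamp
+diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix
+index 83b3781c773d6b..3d2b8c45b12c77 100644
+--- a/nixos/tests/dovecot.nix
++++ b/nixos/tests/dovecot.nix
+@@ -84,13 +84,11 @@
+
+testScript = ''
+machine.wait_for_unit("postfix.service")
+- machine.wait_for_unit("dovecot.service")
++ machine.wait_for_unit("dovecot2.service")
+machine.succeed("send-testmail")
+machine.succeed("send-lda")
+machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
+machine.succeed("test-imap")
+machine.succeed("test-pop")
+-
+- machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))
+'';
+}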
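Review bot: The added patch removes the entire systemd sandbox from the dovecot unit (the CapabilityBoundingSet list, NoNewPrivileges, ProtectSystem, PrivateDevices, RestrictAddressFamilies and the SystemCallFilter, among others) and also deletes the `systemd-analyze security dovecot.service` line from the test, so the loss of hardening is neither explained nor measured anywhere in the commit. The file has no description before its first `diff --git` line; a git-format patch may start with free text, so I would add a header such as `Reverts the upstream dovecot change numbered in this filename (unit rename plus systemd hardening). Reason: <REASON>. Remove once: <CONDITION>.` If the only thing that matters is the unit name for the nixos-mailserver input in this commit's flake inputs hunk, note that the code being reverted already keeps `aliases = [ "dovecot2.service" ]`, so a reverse patch of the rename alone would be much smaller. If instead a single hardening directive breaks the setup, overriding just that directive in the host configuration, `systemd.services.dovecot.serviceConfig.<DIRECTIVE> = lib.mkForce <VALUE>;`, keeps the rest of the sandbox and avoids carrying a 95-line reverse patch against a moving nixpkgs input.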
|