nixpkgs/nixos/modules/services/mail/exim.nix
pacien 54be076ae7 nixos/exim: apply privilege restrictions
Since 816614bd62, the service is set to use the exim user so that
systemd takes care of the credentials ownership. The executable is
still required to run as root, to then drop privileges. The prefix '+'
that was used however interfers with the use of privilege restrictions
and other sandboxing options. Since we only want to escape the "User"
setting, we can use the '!' prefix instead.
2023-06-05 20:04:48 +02:00

133 lines
3.3 KiB
Nix

{ config, lib, pkgs, ... }:
let
inherit (lib) literalExpression mkIf mkOption singleton types;
inherit (pkgs) coreutils;
cfg = config.services.exim;
in
{
###### interface
options = {
services.exim = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to enable the Exim mail transfer agent.";
};
config = mkOption {
type = types.lines;
default = "";
description = lib.mdDoc ''
Verbatim Exim configuration. This should not contain exim_user,
exim_group, exim_path, or spool_directory.
'';
};
user = mkOption {
type = types.str;
default = "exim";
description = lib.mdDoc ''
User to use when no root privileges are required.
In particular, this applies when receiving messages and when doing
remote deliveries. (Local deliveries run as various non-root users,
typically as the owner of a local mailbox.) Specifying this value
as root is not supported.
'';
};
group = mkOption {
type = types.str;
default = "exim";
description = lib.mdDoc ''
Group to use when no root privileges are required.
'';
};
spoolDir = mkOption {
type = types.path;
default = "/var/spool/exim";
description = lib.mdDoc ''
Location of the spool directory of exim.
'';
};
package = mkOption {
type = types.package;
default = pkgs.exim;
defaultText = literalExpression "pkgs.exim";
description = lib.mdDoc ''
The Exim derivation to use.
This can be used to enable features such as LDAP or PAM support.
'';
};
queueRunnerInterval = mkOption {
type = types.str;
default = "5m";
description = lib.mdDoc ''
How often to spawn a new queue runner.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment = {
etc."exim.conf".text = ''
exim_user = ${cfg.user}
exim_group = ${cfg.group}
exim_path = /run/wrappers/bin/exim
spool_directory = ${cfg.spoolDir}
${cfg.config}
'';
systemPackages = [ cfg.package ];
};
users.users.${cfg.user} = {
description = "Exim mail transfer agent user";
uid = config.ids.uids.exim;
group = cfg.group;
};
users.groups.${cfg.group} = {
gid = config.ids.gids.exim;
};
security.wrappers.exim =
{ setuid = true;
owner = "root";
group = "root";
source = "${cfg.package}/bin/exim";
};
systemd.services.exim = {
description = "Exim Mail Daemon";
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."exim.conf".source ];
serviceConfig = {
ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID";
User = cfg.user;
};
preStart = ''
if ! test -d ${cfg.spoolDir}; then
${coreutils}/bin/mkdir -p ${cfg.spoolDir}
${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.spoolDir}
fi
'';
};
};
}