nixos/opendkim: systemd sandbox #93314
Conversation
Branch force-pushed from 9702215 to 4f07e51.
CC @nlewo: this breaks simple-nixos-mailserver, because it uses PreStart to generate the key, apparently. Relevant log:
@tnias I think we need to add a
@tnias what do you think about #93314 (comment)?
@nlewo sorry, forgot to respond. Sounds good. 👍 Added it as a new commit to this PR.
simple-nixos-mailserver tests now pass with this diff:
diff --git a/mail-server/opendkim.nix b/mail-server/opendkim.nix
index d381519..6fd0bef 100644
--- a/mail-server/opendkim.nix
+++ b/mail-server/opendkim.nix
@@ -56,6 +56,7 @@ in
services.opendkim = {
enable = true;
selector = cfg.dkimSelector;
+ keyPath = cfg.dkimKeyDirectory;
domains = "csl:${builtins.concatStringsSep "," cfg.domains}";
configFile = pkgs.writeText "opendkim.conf" (''
Canonicalization relaxed/simple |
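Review bot: the added `keyPath = cfg.dkimKeyDirectory;` is the right knob, but it only fixes the sandboxed start if this option and the directory the PreStart key-generation step writes to are always the same; if the two ever diverge, the unit fails at start the same way the thread describes. Consider having the PreStart script read `config.services.opendkim.keyPath` rather than `cfg.dkimKeyDirectory` so there is a single source of truth, and keep the value narrow (the key directory itself, not a parent such as /var/lib) so the writable grant the sandbox hands out stays minimal.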
These PRs probably deserve (succinct) release notes.
Yep, @tnias could you please add a sentence saying opendkim is now sandboxed in the section "Other Notable Changes" of the 20.09 release notes?
Yes, will add it.
Branch force-pushed from 5d80003 to c46dd4e.
@nlewo I rebased the patches against current master, so as not to interfere with other release-note changes.
Thanks!
Motivation for this change
Add systemd service sandbox features.
Things done
- Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)

cc opendkim maintainer @abbradar
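The failure mode discussed in the thread (a sandboxed unit whose PreStart step can no longer create the DKIM key) and the shape of the fix (the key directory must be one of the unit's writable paths), as an added NixOS configuration example. This is illustrative code written for this page, not the PR's own module change or simple-nixos-mailserver's code; the host configuration, the domain example.org, the exact set of hardening directives and the tmpfiles rule are assumptions, and only services.opendkim options that exist in the NixOS module (enable, selector, domains, keyPath, user, group) are referenced.

```nix
# Added illustration, not code from the PR or from simple-nixos-mailserver.
# Assumed: a NixOS host where services.opendkim is enabled and the key is
# generated at service start, as the thread says the mailserver does.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.opendkim;
  domain = "example.org";                         # assumed example domain
  keyFile = "${cfg.keyPath}/${cfg.selector}.private";
in
{
  services.opendkim = {
    enable = true;
    selector = "mail";
    domains = "csl:${domain}";
    # The directory preStart writes the key into. Whatever produces the key
    # must use this same option, so the sandbox grant below always matches.
    keyPath = "/var/lib/opendkim/keys";
  };

  # ReadWritePaths only lifts the read-only bind mount; ordinary DAC still
  # applies, so the directory must be owned by the service user beforehand.
  systemd.tmpfiles.rules = [
    "d ${cfg.keyPath} 0700 ${cfg.user} ${cfg.group} -"
  ];

  systemd.services.opendkim = {
    # Key generation at start (the pattern that broke once the unit was
    # sandboxed). ExecStartPre runs under the same [Service] sandbox as
    # ExecStart, so it is subject to ProtectSystem too.
    preStart = ''
      if [ ! -f "${keyFile}" ]; then
        ${pkgs.opendkim}/bin/opendkim-genkey \
          -s "${cfg.selector}" -d "${domain}" -D "${cfg.keyPath}"
        chmod 0600 "${keyFile}"
      fi
    '';

    serviceConfig = {
      # Typical hardening set (assumed, not the PR's exact list):
      ProtectSystem = "strict";     # everything but /dev, /proc, /sys read-only
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];

      # The weak version of this unit stops here: with ProtectSystem=strict
      # and no writable path, the opendkim-genkey call in preStart fails
      # because the key directory is read-only, and the unit never starts.
      # The fix is to carve out exactly the key directory and nothing wider:
      ReadWritePaths = [ cfg.keyPath ];
    };
  };
}
```

After a rebuild, `systemctl show opendkim.service -p ReadWritePaths -p ProtectSystem` confirms the grant is limited to the key directory, and `systemd-analyze security opendkim.service` reports which hardening directives the unit is still missing. Keeping the writable path to the key directory rather than a parent such as /var/lib is what preserves the point of ProtectSystem=strict: a compromised milter can overwrite its own key material, but nothing else on the system.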