Unverified Commit e48d1255 authored by Martin Weinelt's avatar Martin Weinelt

nixos/tlsrpt: fix permissions for postfix

As with other services that give postfix access, this has to be done for the
postfix user itself. Adding supplementary groups to the systemd unit does not
propagate to the postfix child processes that ultimately connect to the unix
domain socket.
parent 6290b933
+11 −3
@@ -270,9 +270,17 @@ in
      };
    };

    systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf (
      config.services.postfix.enable && cfg.collectd.configurePostfix
    ) [ "tlsrpt" ];
    users.users.tlsrpt = {
      isSystemUser = true;
      group = "tlsrpt";
    };
    users.groups.tlsrpt = { };

    users.users.postfix.extraGroups =
      lib.mkIf (config.services.postfix.enable && cfg.collectd.configurePostfix)
        [
          "tlsrpt"
        ];

    systemd.services.tlsrpt-collectd = {
      description = "TLSRPT datagram collector";
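Review bot: The new `users.users.postfix.extraGroups` at the end of the hunk carries no comment on why the group is attached to the user rather than to the unit, so a later cleanup is likely to move it back to `SupplementaryGroups` and reintroduce the breakage the commit message describes. Suggest a comment above it such as `# Must be on the user, not on postfix.service: postfix's master re-initialises the credentials of its child processes from the user database, so SupplementaryGroups= on the unit is gone by the time anything connects to the collector socket.` (the exact mechanism is inferred from the commit message and should be confirmed against postfix's master/spawn code). Worth noting in the same comment that group membership grants every postfix child process access to everything group-accessible to `tlsrpt`, not only the socket, so the collector's other state should stay owner-only. The unit that creates the socket and sets its group and mode begins at `systemd.services.tlsrpt-collectd` and continues outside the hunk, so its socket permissions could not be checked here.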
+1 −1
@@ -35,7 +35,7 @@

    # Enabling postfix should put sendmail as the sendmail setting
    machine.succeed("grep -q sendmail_script=sendmail /etc/tlsrpt/reportd.cfg")
    machine.succeed("systemctl show --property SupplementaryGroups postfix.service | grep tlsrpt")
    machine.succeed("getent group tlsrpt | grep -q postfix")

    machine.log(machine.succeed("systemd-analyze security tlsrpt-collectd.service tlsrpt-reportd.service | grep -v ✓"))
  '';
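Review bot: The new assertion `getent group tlsrpt | grep -q postfix` checks only the group database and matches any member whose name merely contains `postfix`, which is weaker than the property the commit relies on — that postfix's child processes actually carry the group at runtime. At minimum make it a word match, e.g. `machine.succeed("id -nG postfix | grep -qw tlsrpt")`. A stronger regression test would read the `Groups:` line from `/proc/<pid>/status` of a running postfix child (or exercise a delivery and assert the collector receives a datagram), since that is exactly the case the dropped `SupplementaryGroups` check could not distinguish. The surrounding test script starts before the hunk.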