From 6622930ce8c7df38f973ec7980dcdc0292385b75 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Sat, 23 Oct 2021 21:52:05 +0200
Subject: [PATCH] add untested systemd socket and service units

---
 uffd-socketmap@.service | 42 +++++++++++++++++++++++++++++++++++++++++
 uffd-socketmap@.socket  | 12 ++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 uffd-socketmap@.service
 create mode 100644 uffd-socketmap@.socket

diff --git a/uffd-socketmap@.service b/uffd-socketmap@.service
new file mode 100644
index 0000000..50344e7
--- /dev/null
+++ b/uffd-socketmap@.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=Socketmap proxy for uffd mail alias lookup
+After=network.target
+Before=postfix.service
+
+[Service]
+ExecStart=/usr/bin/uffd-socketmap --socket-fd 3
+
+Restart=always
+RestartSec=10
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=uffd-socketmap-%I
+
+PrivateUsers=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+EnvironmentFile=/etc/uffd-socketmap/defaults
+EnvironmentFile=/etc/uffd-socketmap/$I.env
+
+[Install]
+WantedBy=default.target
diff --git a/uffd-socketmap@.socket b/uffd-socketmap@.socket
new file mode 100644
index 0000000..7ebeac2
--- /dev/null
+++ b/uffd-socketmap@.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=Socket proxy for uffd mail alias lookup
+PartOf=socketmap-proxy@%i.service
+
+[Socket]
+ListenStream=/run/socketmap-proxy/%I.sock
+SocketUser=postfix
+SocketGroup=postfix
+SocketMode=0640
+
+[Install]
+WantedBy=sockets.target
-- 
GitLab