nixos/exim: apply privilege restrictions

Since 816614bd62, the service is set to use the exim user so that
systemd takes care of the credentials ownership. The executable is
still required to run as root, to then drop privileges. The prefix '+'
that was used, however, interferes with the use of privilege restrictions
and other sandboxing options. Since we only want to escape the "User"
setting, we can use the '!' prefix instead.
pacien 2023-06-05 20:04:48 +02:00
parent 09720cc41f
commit 54be076ae7

@ -116,8 +116,8 @@ in
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."exim.conf".source ];
serviceConfig = {
ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID";
ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID";
User = cfg.user;
};
preStart = ''
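Review bot: the subject line says "apply privilege restrictions", but the hunk only swaps the `+` prefix for `!` on ExecStart and ExecReload; the serviceConfig block shown still contains nothing beyond ExecStart, ExecReload and User, so no sandboxing or capability restriction is actually applied by this change. Either add at least one such directive in the same block (for example a `CapabilityBoundingSet` or a filesystem-namespacing option) or reword the subject to say the change removes the blocker for applying them later. The `!` on ExecReload is still needed: exim is started as root, so `kill -HUP $MAINPID` issued as `cfg.user` would fail to signal the root-owned daemon.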