From ee7aa1292bd782215b202d330b421fe2a30bc4cd Mon Sep 17 00:00:00 2001
From: Jeff Carr <jcarr@wit.com>
Date: Sun, 29 Jan 2023 16:27:10 -0600
Subject: [PATCH] more maddy fixes

Signed-off-by: Jeff Carr <jcarr@wit.com>
---
 maddy/Makefile                                | 12 +--
 maddy/control                                 |  2 +
 maddy/files/etc/maddy/maddy.conf              |  1 -
 maddy/files/lib/systemd/system/maddy.service  | 81 +++++++++++++++++++
 maddy/files/lib/systemd/system/maddy@.service | 77 ++++++++++++++++++
 5 files changed, 166 insertions(+), 7 deletions(-)
 delete mode 120000 maddy/files/etc/maddy/maddy.conf
 create mode 100644 maddy/files/lib/systemd/system/maddy.service
 create mode 100644 maddy/files/lib/systemd/system/maddy@.service

diff --git a/maddy/Makefile b/maddy/Makefile
index a1a871c..bb23bbd 100644
--- a/maddy/Makefile
+++ b/maddy/Makefile
@@ -2,7 +2,9 @@
 
 # ~/go/src/github.com/foxcpp/maddy/build/maddy version
 
-VERSION=0.6.2+9a87d73
+# VERSION=0.6.2+9a87d73
+GITVERSION=$(shell ~/go/src/github.com/foxcpp/maddy/build/maddy version |cut -f1 -d\ |head -n 1)
+VERSION=$(GITVERSION).3
 BASENAME=maddy
 
 all: clean extract DEBIAN build
@@ -26,13 +28,11 @@ clean:
 	rm -rf DEBIAN
 
 extract:
-	# cp -a files ../
+	cp ~/go/src/github.com/foxcpp/maddy/build/maddy.conf files/etc/maddy/orig-maddy.conf
+	cp ~/go/src/github.com/foxcpp/maddy/build/systemd/maddy* files/lib/systemd/system/
+	cp -a files ../
 	mkdir -p ../files/usr/bin
 	cp ~/go/src/github.com/foxcpp/maddy/build/maddy ../files/usr/bin
-	# mkdir -p ../files/etc/maddy
-	# cp ~/go/src/github.com/foxcpp/maddy/build/maddy.conf ../files/etc/maddy/
-	mkdir -p ../files/lib/systemd/system
-	cp ~/go/src/github.com/foxcpp/maddy/build/systemd/maddy* ../files/lib/systemd/system/
 
 # makes the DEBIAN/ directory
 DEBIAN:
diff --git a/maddy/control b/maddy/control
index 7f68e29..3dff4a5 100644
--- a/maddy/control
+++ b/maddy/control
@@ -13,3 +13,5 @@ Description: A modern mail server written in GO
  .
  It replaces Postfix, Dovecot, OpenDKIM, OpenSPF, OpenDMARC and more
  with one daemon with uniform configuration and minimal maintenance cost.
+ .
+ Instructions: https://maddy.email/tutorials/setting-up/
diff --git a/maddy/files/etc/maddy/maddy.conf b/maddy/files/etc/maddy/maddy.conf
deleted file mode 120000
index 0a42bf7..0000000
--- a/maddy/files/etc/maddy/maddy.conf
+++ /dev/null
@@ -1 +0,0 @@
-orig-maddy.conf
\ No newline at end of file
diff --git a/maddy/files/lib/systemd/system/maddy.service b/maddy/files/lib/systemd/system/maddy.service
new file mode 100644
index 0000000..0f5ace2
--- /dev/null
+++ b/maddy/files/lib/systemd/system/maddy.service
@@ -0,0 +1,81 @@
+[Unit]
+Description=maddy mail server
+Documentation=man:maddy(1)
+Documentation=man:maddy.conf(5)
+Documentation=https://maddy.email
+After=network.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+
+User=maddy
+Group=maddy
+
+# cd to state directory to make sure any relative paths
+# in config will be relative to it unless handled specially.
+WorkingDirectory=/var/lib/maddy
+
+ConfigurationDirectory=maddy
+RuntimeDirectory=maddy
+StateDirectory=maddy
+LogsDirectory=maddy
+ReadOnlyPaths=/usr/lib/maddy
+ReadWritePaths=/var/lib/maddy
+
+# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectClock=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Additional sandboxing. You need to disable all of these options
+# for privileged helper binaries (for system auth) to work correctly.
+NoNewPrivileges=true
+PrivateDevices=true
+DeviceAllow=/dev/syslog
+RestrictSUIDSGID=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+
+# Graceful shutdown with a reasonable timeout.
+TimeoutStopSec=7s
+KillMode=mixed
+KillSignal=SIGTERM
+
+# Required to bind on ports lower than 1024.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Force all files created by maddy to be only readable by it.
+UMask=0027
+
+# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
+# of idle IMAP connections, especially ones abandoned on the other end and
+# slowly timing out).
+LimitNOFILE=131072
+
+# Limit processes count to something reasonable to
+# prevent resources exhausting due to big amounts of helper
+# processes launched.
+LimitNPROC=512
+
+# Restart server on any problem.
+Restart=on-failure
+# ... Unless it is a configuration problem.
+RestartPreventExitStatus=2
+
+ExecStart=/usr/local/bin/maddy run
+
+ExecReload=/bin/kill -USR1 $MAINPID
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/maddy/files/lib/systemd/system/maddy@.service b/maddy/files/lib/systemd/system/maddy@.service
new file mode 100644
index 0000000..cc77682
--- /dev/null
+++ b/maddy/files/lib/systemd/system/maddy@.service
@@ -0,0 +1,77 @@
+[Unit]
+Description=maddy mail server (using %i.conf)
+Documentation=man:maddy(1)
+Documentation=man:maddy.conf(5)
+Documentation=https://maddy.email
+After=network.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+
+User=maddy
+Group=maddy
+
+ConfigurationDirectory=maddy
+RuntimeDirectory=maddy
+StateDirectory=maddy
+LogsDirectory=maddy
+ReadOnlyPaths=/usr/lib/maddy
+ReadWritePaths=/var/lib/maddy
+
+# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
+PrivateTmp=true
+PrivateHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectClock=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+DeviceAllow=/dev/syslog
+
+# Additional sandboxing. You need to disable all of these options
+# for privileged helper binaries (for system auth) to work correctly.
+NoNewPrivileges=true
+PrivateDevices=true
+RestrictSUIDSGID=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+
+# Graceful shutdown with a reasonable timeout.
+TimeoutStopSec=7s
+KillMode=mixed
+KillSignal=SIGTERM
+
+# Required to bind on ports lower than 1024.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Force all files created by maddy to be only readable by it.
+UMask=0027
+
+# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
+# of idle IMAP connections, especially ones abandoned on the other end and
+# slowly timing out).
+LimitNOFILE=131072
+
+# Limit processes count to something reasonable to
+# prevent resources exhausting due to big amounts of helper
+# processes launched.
+LimitNPROC=512
+
+# Restart server on any problem.
+Restart=on-failure
+# ... Unless it is a configuration problem.
+RestartPreventExitStatus=2
+
+ExecStart=/usr/local/bin/maddy --config /etc/maddy/%i.conf run
+
+ExecReload=/bin/kill -USR1 $MAINPID
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target