more maddy fixes

Signed-off-by: Jeff Carr <jcarr@wit.com>

maddy/Makefile

@@ -2,7 +2,9 @@
 
 # ~/go/src/github.com/foxcpp/maddy/build/maddy version
 
-VERSION=0.6.2+9a87d73
+# VERSION=0.6.2+9a87d73
+GITVERSION=$(shell ~/go/src/github.com/foxcpp/maddy/build/maddy version |cut -f1 -d\ |head -n 1)
+VERSION=$(GITVERSION).3
 BASENAME=maddy
 
 all: clean extract DEBIAN build
@@ -26,13 +28,11 @@ clean:
 	rm -rf DEBIAN
 
 extract:
-	# cp -a files ../
+	cp ~/go/src/github.com/foxcpp/maddy/build/maddy.conf files/etc/maddy/orig-maddy.conf
+	cp ~/go/src/github.com/foxcpp/maddy/build/systemd/maddy* files/lib/systemd/system/
+	cp -a files ../
 	mkdir -p ../files/usr/bin
 	cp ~/go/src/github.com/foxcpp/maddy/build/maddy ../files/usr/bin
-	# mkdir -p ../files/etc/maddy
-	# cp ~/go/src/github.com/foxcpp/maddy/build/maddy.conf ../files/etc/maddy/
-	mkdir -p ../files/lib/systemd/system
-	cp ~/go/src/github.com/foxcpp/maddy/build/systemd/maddy* ../files/lib/systemd/system/
 
 # makes the DEBIAN/ directory
 DEBIAN:

maddy/control

@@ -13,3 +13,5 @@ Description: A modern mail server written in GO
  .
  It replaces Postfix, Dovecot, OpenDKIM, OpenSPF, OpenDMARC and more
  with one daemon with uniform configuration and minimal maintenance cost.
+ .
+ Instructions: https://maddy.email/tutorials/setting-up/

maddy/files/etc/maddy/maddy.conf

@@ -1 +0,0 @@
-orig-maddy.conf

maddy/files/lib/systemd/system/maddy.service

@@ -0,0 +1,81 @@
+[Unit]
+Description=maddy mail server
+Documentation=man:maddy(1)
+Documentation=man:maddy.conf(5)
+Documentation=https://maddy.email
+After=network.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+
+User=maddy
+Group=maddy
+
+# cd to state directory to make sure any relative paths
+# in config will be relative to it unless handled specially.
+WorkingDirectory=/var/lib/maddy
+
+ConfigurationDirectory=maddy
+RuntimeDirectory=maddy
+StateDirectory=maddy
+LogsDirectory=maddy
+ReadOnlyPaths=/usr/lib/maddy
+ReadWritePaths=/var/lib/maddy
+
+# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectClock=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Additional sandboxing. You need to disable all of these options
+# for privileged helper binaries (for system auth) to work correctly.
+NoNewPrivileges=true
+PrivateDevices=true
+DeviceAllow=/dev/syslog
+RestrictSUIDSGID=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+
+# Graceful shutdown with a reasonable timeout.
+TimeoutStopSec=7s
+KillMode=mixed
+KillSignal=SIGTERM
+
+# Required to bind on ports lower than 1024.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Force all files created by maddy to be only readable by it.
+UMask=0027
+
+# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
+# of idle IMAP connections, especially ones abandoned on the other end and
+# slowly timing out).
+LimitNOFILE=131072
+
+# Limit processes count to something reasonable to
+# prevent resources exhausting due to big amounts of helper
+# processes launched.
+LimitNPROC=512
+
+# Restart server on any problem.
+Restart=on-failure
+# ... Unless it is a configuration problem.
+RestartPreventExitStatus=2
+
+ExecStart=/usr/local/bin/maddy run
+
+ExecReload=/bin/kill -USR1 $MAINPID
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target

maddy/files/lib/systemd/system/maddy@.service

@@ -0,0 +1,77 @@
+[Unit]
+Description=maddy mail server (using %i.conf)
+Documentation=man:maddy(1)
+Documentation=man:maddy.conf(5)
+Documentation=https://maddy.email
+After=network.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+
+User=maddy
+Group=maddy
+
+ConfigurationDirectory=maddy
+RuntimeDirectory=maddy
+StateDirectory=maddy
+LogsDirectory=maddy
+ReadOnlyPaths=/usr/lib/maddy
+ReadWritePaths=/var/lib/maddy
+
+# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
+PrivateTmp=true
+PrivateHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectClock=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+DeviceAllow=/dev/syslog
+
+# Additional sandboxing. You need to disable all of these options
+# for privileged helper binaries (for system auth) to work correctly.
+NoNewPrivileges=true
+PrivateDevices=true
+RestrictSUIDSGID=true
+ProtectKernelModules=true
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+
+# Graceful shutdown with a reasonable timeout.
+TimeoutStopSec=7s
+KillMode=mixed
+KillSignal=SIGTERM
+
+# Required to bind on ports lower than 1024.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Force all files created by maddy to be only readable by it.
+UMask=0027
+
+# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
+# of idle IMAP connections, especially ones abandoned on the other end and
+# slowly timing out).
+LimitNOFILE=131072
+
+# Limit processes count to something reasonable to
+# prevent resources exhausting due to big amounts of helper
+# processes launched.
+LimitNPROC=512
+
+# Restart server on any problem.
+Restart=on-failure
+# ... Unless it is a configuration problem.
+RestartPreventExitStatus=2
+
+ExecStart=/usr/local/bin/maddy --config /etc/maddy/%i.conf run
+
+ExecReload=/bin/kill -USR1 $MAINPID
+ExecReload=/bin/kill -USR2 $MAINPID
+
+[Install]
+WantedBy=multi-user.target