From e82cbd6f35c85ce4aeb2e0f4572e6742c536d941 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 4 Jan 2022 20:30:02 +0100 Subject: exim: set User= but run as root LoadCredential= will set the owner of $CREDENTIALS_DIRECTORY and the credentials to User=. As currently Exim is currently has to be run as root in order to use the standard SMTP port and for local deliveries[1], set User=exim, but run all processes as root. [1]: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html#SECID270
---
 krebs/3modules/exim.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix
index 972c7f437..0f0aa67f0 100644
--- a/krebs/3modules/exim.nix
+++ b/krebs/3modules/exim.nix
@@ -65,8 +65,9 @@ in {
 config.environment.etc."exim.conf".source
 ];
 serviceConfig = {
- ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ ExecStart = "+${pkgs.exim}/bin/exim -bdf -q30m";
+ ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ User = cfg.user.name;
 };
 wantedBy = [ "multi-user.target" ];
 };
-- cgit v1.2.3
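Review bot: The `+` prefix on `ExecStart` and `ExecReload` lifts more than `User=`: per systemd.service(5) it also skips `CapabilityBoundingSet=` and the file-system namespacing options for those command lines, so any sandboxing added to this `serviceConfig` later would silently not apply to the exim daemon. If the aim is only to keep root while `User=` fixes the owner of `$CREDENTIALS_DIRECTORY`, the `!` prefix is narrower because it overrides only the user and group settings, e.g. `ExecStart = "!${pkgs.exim}/bin/exim -bdf -q30m";`, though whether credential loading and local delivery behave the same under `!` should be confirmed before switching. Either way, a comment above `User` such as `# User= only sets the owner of $CREDENTIALS_DIRECTORY; exim itself still runs as root` would stop a reader from assuming the daemon is unprivileged. The enclosing service definition starts and ends outside the hunk.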