security: harden some SP modules NixOS config evaluation permissions

2024-12-26 18:42:41 +04:00
parent 3a904f599e
commit f07b867af2
3 changed files with 17 additions and 17 deletions
--- a/sp-modules/auth/config-paths-needed.json
+++ b/sp-modules/auth/config-paths-needed.json
@@ -1,11 +1,10 @@
 [
-  ["mailserver", "fqdn"],
+  [ "passthru", "selfprivacy", "auth" ],
-  ["mailserver", "ldap"],
+  [ "security", "acme", "certs" ],
-  ["mailserver", "vmailUID"],
+  [ "selfprivacy", "domain" ],
-  ["passthru", "selfprivacy", "auth"],
+  [ "selfprivacy", "modules", "auth" ],
-  ["security", "acme", "certs"],
+  [ "services", "kanidm" ],
-  ["selfprivacy", "domain"],
+  [ "services", "oauth2-proxy", "enable" ],
-  ["selfprivacy", "modules"],
+  [ "services", "oauth2-proxy", "nginx" ],
-  ["services"],
+  [ "systemd", "services", "kanidm" ]
  ["systemd", "services", "kanidm"]
 ]
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@@ -1,9 +1,8 @@
 [
-  ["mailserver", "fqdn"],
+  [ "mailserver", "fqdn" ],
-  ["passthru", "selfprivacy", "auth", "auth-fqdn"],
+  [ "passthru", "selfprivacy", "auth", "auth-fqdn" ],
-  ["passthru", "selfprivacy", "auth", "oauth2-provider-name"],
+  [ "passthru", "selfprivacy", "auth", "oauth2-provider-name" ],
-  ["selfprivacy", "domain"],
+  [ "selfprivacy", "domain" ],
-  ["selfprivacy", "modules", "auth"],
+  [ "selfprivacy", "modules", "auth" ],
-  ["selfprivacy", "modules", "roundcube"],
+  [ "selfprivacy", "modules", "roundcube" ]
  ["service", "kanidm"]
 ]
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
@@ -13,6 +13,8 @@
  [ "services", "opendkim" ],
  [ "services", "postfix", "group" ],
  [ "services", "postfix", "user" ],
-  [ "services", "redis" ],
+  [ "services", "redis", "servers", "rspamd", "bind" ],
  [ "services", "redis", "servers", "rspamd", "port" ],
  [ "services", "redis", "servers", "rspamd", "requirePass" ],
  [ "services", "rspamd" ]
 ]