diff options
author | David Runge <dave@sleepmap.de> | 2022-03-16 15:19:23 +0100 |
---|---|---|
committer | David Runge <dave@sleepmap.de> | 2022-03-16 15:19:23 +0100 |
commit | e45f5d7531cc0c95b0b5c120dba3c18b2a7d0a35 (patch) | |
tree | 502bd61f6ab6596700224c92f21849ea7586a599 /.config/systemd/system/mbsync@.service | |
parent | 5949d84b3f0f5c40828a8879da04ad60800f2335 (diff) | |
download | dotfiles-e45f5d7531cc0c95b0b5c120dba3c18b2a7d0a35.tar.gz dotfiles-e45f5d7531cc0c95b0b5c120dba3c18b2a7d0a35.tar.bz2 dotfiles-e45f5d7531cc0c95b0b5c120dba3c18b2a7d0a35.tar.xz dotfiles-e45f5d7531cc0c95b0b5c120dba3c18b2a7d0a35.zip |
mbsync: Add systemd system service and timer
.config/systemd/system/mbsync@.service:
Add a systemd system service that is supposed to rely on
SetCredentialEncrypted to retrieve a given user's mails.
.config/systemd/system/mbsync@.timer:
Run the accompanying mbsync@.service every 5 minutes.
Diffstat (limited to '.config/systemd/system/mbsync@.service')
-rw-r--r-- | .config/systemd/system/mbsync@.service | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/.config/systemd/system/mbsync@.service b/.config/systemd/system/mbsync@.service new file mode 100644 index 0000000..a081e14 --- /dev/null +++ b/.config/systemd/system/mbsync@.service @@ -0,0 +1,34 @@ +[Unit] +Description=Mailbox synchronization service for %i + +[Service] +Type=oneshot +ExecStart=-/usr/bin/mbsync -Va +ExecStartPost=/home/%i/bin/mbsync2mutt_mailboxes /home/%i/.mutt/mailboxes.rc +ExecStartPost=/usr/bin/notmuch new + +User=%i +Group=%i + +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_NICE CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE CAP_SETUID CAP_SETGID CAP_SETPCAP +DeviceAllow= +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=noaccess +ProtectSystem=strict +RemoveIPC=true +RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX +RestrictNamespaces=~user pid net uts mnt cgroup ipc +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native +SystemCallFilter=@system-service |