authorDavid Runge <dave@sleepmap.de>2022-03-16 15:19:23 +0100
committerDavid Runge <dave@sleepmap.de>2022-03-16 15:19:23 +0100
commite45f5d7531cc0c95b0b5c120dba3c18b2a7d0a35 (patch)
tree502bd61f6ab6596700224c92f21849ea7586a599 /.config/systemd/system/mbsync@.service
parent5949d84b3f0f5c40828a8879da04ad60800f2335 (diff)
mbsync: Add systemd system service and timer
.config/systemd/system/mbsync@.service: Add a systemd system service that is supposed to rely on SetCredentialEncrypted to retrieve a given user's mails. .config/systemd/system/mbsync@.timer: Run the accompanying mbsync@.service every 5 minutes.
Diffstat (limited to '.config/systemd/system/mbsync@.service')
-rw-r--r--.config/systemd/system/mbsync@.service34
1 files changed, 34 insertions, 0 deletions
diff --git a/.config/systemd/system/mbsync@.service b/.config/systemd/system/mbsync@.service
new file mode 100644
index 0000000..a081e14
--- /dev/null
+++ b/.config/systemd/system/mbsync@.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Mailbox synchronization service for %i
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/mbsync -Va
+ExecStartPost=/home/%i/bin/mbsync2mutt_mailboxes /home/%i/.mutt/mailboxes.rc
+ExecStartPost=/usr/bin/notmuch new
+
+User=%i
+Group=%i
+
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_NICE CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE CAP_SETUID CAP_SETGID CAP_SETPCAP
+DeviceAllow=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
+RestrictNamespaces=~user pid net uts mnt cgroup ipc
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
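Review bot: `ProtectSystem=strict` is set without any `ReadWritePaths=`, so the whole file system hierarchy, /home/%i included, is mounted read-only for every command in this unit, while mbsync, the mailboxes.rc helper and `notmuch new` presumably all need to write under that home directory. An explicit allow-list such as `ReadWritePaths=/home/%i/<mail-dir> /home/%i/.mutt` (the mail store path is not visible here, so that part is a placeholder) restores the needed writes and keeps the rest of the tree read-only. The `-` prefix on `ExecStart=` also makes a failed sync count as success, so this breakage would not mark the unit failed and the `ExecStartPost=` steps still run; dropping the prefix makes failures visible to `systemctl --failed` and to monitoring. The commit message refers to SetCredentialEncrypted, but no `SetCredentialEncrypted=` or `LoadCredentialEncrypted=` line appears in the unit, so unless a per-instance drop-in supplies it the credential is not yet wired in.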