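[Unit]
Description=Postfix PolicyD 2.0 Cluebringer in chroot
After=mariadb-admin.service
Before=postfix-chroot.service
BindsTo=chr-maild.target

# Runtime-directory handling for a chrooted service:
# https://blog.hqcodeshop.fi/archives/93-Handling-varrun-with-systemd.html
# RuntimeDirectory= is not used here: it would create the directory in the
# host's /run, which is replaced below by the BindPaths= of /chroot/maild/run.
[Service]
Type=forking
# Every Exec*= line (ExecStartPre=, ExecStart=, ExecStop=) runs inside the
# chroot (RootDirectoryStartOnly=no), so their paths are relative to
# /chroot/maild.
RootDirectory=/chroot/maild
RootDirectoryStartOnly=no
User=cluebringer
# The ExecStartPre= lines run as root so they can create and chown the
# runtime directory; ExecStart= itself runs as User=cluebringer.
# NOTE(review): PermissionsStartOnly= is deprecated in favour of the "+"
# prefix on ExecStartPre=, but "+" also bypasses the sandboxing options, so
# verify how the chroot-relative paths below behave before switching.
PermissionsStartOnly=yes
ExecStartPre=/bin/mkdir -p /run/cluebringer
# Group www-data with mode 0750: presumably so a web front-end can reach the
# socket/PID directory — confirm that this exposure is intended.
ExecStartPre=/bin/chown -R cluebringer:www-data /run/cluebringer
ExecStartPre=/bin/chmod 750 /run/cluebringer
ExecStart=/usr/sbin/cbpolicyd --config=/etc/cluebringer/cluebringer.conf
# "-" prefix: a non-zero exit of start-stop-daemon (e.g. the daemon did not
# quit within the 5 s retry window) is not treated as an error; systemd then
# proceeds with the KillMode= handling described below.
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/cluebringer/cbpolicyd.pid
# Unlike the Exec*= paths, PIDFile= carries the /chroot/maild prefix, i.e. it
# is evidently resolved against the host root.
PIDFile=/chroot/maild/run/cluebringer/cbpolicyd.pid
TimeoutStopSec=30
KillMode=mixed
# Shutdown sequence:
# 1. ExecStop= sends SIGQUIT and waits up to 5 s (--retry QUIT/5).
# 2. If cbpolicyd is still running, systemd sends SIGTERM (fast shutdown) to
#    the main process only (KillMode=mixed).
# 3. If it is still alive after TimeoutStopSec=30, systemd sends SIGKILL to
#    every remaining process in the service's control group.

# --- sandboxing ---------------------------------------------------------------
PrivateTmp=true
# Private /proc, /sys and /dev inside the RootDirectory=; ProtectProc= and
# ProcSubset= below act on that /proc mount.
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
# The following restrictions are currently disabled and the reason is not
# recorded. TODO(review): re-test each one and either enable it or note why
# it breaks the service. The bounding set below lacks CAP_CHOWN/CAP_FOWNER,
# which the root-run ExecStartPre= chown/chmod need, so that is a likely cause
# for CapabilityBoundingSet= having been turned off. With only the MariaDB
# socket (AF_UNIX) and Postfix (AF_INET/AF_INET6) to talk to, the address
# family list looks like the minimum worth re-enabling first.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
#MemoryDenyWriteExecute=yes
#LockPersonality=yes
# Read-only / inaccessible paths are given as host paths (/chroot/maild/...),
# not chroot-relative ones; the superseded host-root variant is kept for
# reference only.
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/maild/bin /chroot/maild/sbin /chroot/maild/lib /chroot/maild/lib64 /chroot/maild/usr /chroot/maild/etc
# NOTE(review): /chroot/maild/proc is made inaccessible here while
# MountAPIVFS=true mounts a /proc in the chroot — confirm the two do not
# conflict on the systemd version in use.
InaccessiblePaths=/chroot/maild/boot /chroot/maild/sys /chroot/maild/proc
# Make the chroot's /run the service's /run (norbind: no submounts included).
BindPaths=/chroot/maild/run:/run:norbind
# Host sockets the chrooted daemon needs: sd_notify and the syslog socket.
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# MariaDB socket from the admin chroot; the "-" prefix makes a missing source
# non-fatal for unit start.
BindPaths=-/chroot/admin/run/mysqld:/run/mysqld:norbind

[Install]
#WantedBy=multi-user.target
WantedBy=chr-maild.target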