# systemd service unit: runs the OpenDKIM milter with /chroot/maild as its
# root directory and a set of systemd sandboxing options on top.
# Directive order is kept as-is; BindPaths= entries are applied in order and
# the later /run/opendkim mounts sit on top of the earlier /run mount.

[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter in chroot
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target local-fs.target
# Stop/restart of chr-maild.target is propagated to this unit.
PartOf=chr-maild.target

[Service]
# Classic double-forking daemon; systemd tracks the main process via PIDFile=.
Type=forking
# All Exec* commands run with /chroot/maild as "/" (RootDirectoryStartOnly=no),
# so /usr/sbin/opendkim, /etc/opendkim.conf and /bin/kill are resolved inside
# the chroot tree, not on the host.
RootDirectory=/chroot/maild
RootDirectoryStartOnly=no
# NOTE(review): the PID file path carries the /chroot/maild prefix (host view).
# The BindPaths= below place the host's /run/opendkim at /run/opendkim inside
# the chroot; confirm the PID file opendkim writes really appears at this host
# path, otherwise start-up tracking will time out.
PIDFile=/chroot/maild/run/opendkim/opendkim.pid
# Created files are group-writable; presumably so the MTA's group can use the
# milter socket - confirm against opendkim.conf.
UMask=0002
ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf
Restart=on-failure
# Reload is requested by sending SIGUSR1 to the main process.
ExecReload=/bin/kill -USR1 $MAINPID
# NOTE(review): no User=/Group= is set, so systemd starts the process as root.
# Presumably opendkim drops privileges itself via its own configuration -
# verify, because several options below are weaker for a root process.

# --- Sandboxing -------------------------------------------------------------
PrivateTmp=true
# Mount /proc, /sys and /dev for the chroot.
MountAPIVFS=true
# Blocks privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# /proc is limited to the per-process entries and hides other users' processes.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
# The next options are disabled. Each would narrow the attack surface further;
# the reason they were switched off is not recorded here - test before enabling.
# Socket families the service may create:
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Capability bounding set. NOTE(review): if the daemon starts as root and
# switches user itself, this list presumably also needs CAP_SETUID/CAP_SETGID.
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
# Namespace creation (two alternative settings were tried):
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Denies memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
#LockPersonality=yes

# --- File system view -------------------------------------------------------
# Per systemd.exec(5) the paths in ReadOnlyPaths=/ReadWritePaths=/
# InaccessiblePaths= are host paths unless prefixed with "+"; that is why the
# chroot entries carry the /chroot/maild prefix.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
# The whole chroot tree is read-only except for the run directories below.
ReadOnlyPaths=/chroot/maild
ReadWritePaths=/chroot/maild/run
# Compatibility: run directory below the Postfix spool inside the chroot.
ReadWritePaths=/chroot/maild/var/spool/postfix/run/opendkim
# NOTE(review): MountAPIVFS=true mounts /proc and /sys for the chroot while
# these entries hide the chroot's proc and sys directories; confirm the
# combination gives the intended result in the running service's namespace.
InaccessiblePaths=/chroot/maild/boot /chroot/maild/sys /chroot/maild/proc
# BindPaths= format is source:destination:options; the source is a host path,
# the destination is relative to RootDirectory=. norbind = non-recursive bind.
# The chroot's own run directory becomes /run inside the service.
BindPaths=/chroot/maild/run:/run:norbind
# Host sockets for syslog/journal logging and systemd notification. These give
# the chrooted process a channel to host services; keep the list minimal.
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# The host's /run/opendkim is the service's run directory.
BindPaths=/run/opendkim:/run/opendkim:norbind
# Compatibility: the same host directory is also visible below the Postfix
# spool path; presumably for a chrooted Postfix reaching the milter socket.
BindPaths=/run/opendkim:/var/spool/postfix/run/opendkim:norbind

[Install]
WantedBy=chr-maild.target