authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2022-10-22 23:15:44 +0200
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2022-10-25 01:32:23 +0200
commita822e981b4e89c8e439f59a35c52e206b330713f (patch)
tree806e95f23c621d902847b5d72ab9ae14f3be8f7e
parent12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445 (diff)
downloadexim4-a822e981b4e89c8e439f59a35c52e206b330713f.tar.gz
Add systemd units (examples)
- daemon - socket activation - socket activation (inetd mode)
-rw-r--r--.gitignore2
-rw-r--r--src/system-integration/README.md8
-rw-r--r--src/system-integration/systemd/README.md67
-rw-r--r--src/system-integration/systemd/daemon/exim.service25
-rw-r--r--src/system-integration/systemd/inetd/exim.socket11
-rw-r--r--src/system-integration/systemd/inetd/exim@.service20
-rw-r--r--src/system-integration/systemd/maintenance/exim-maintenance.service24
-rw-r--r--src/system-integration/systemd/maintenance/exim-maintenance.timer11
-rw-r--r--src/system-integration/systemd/queuerunner/exim-queuerunner.service13
-rw-r--r--src/system-integration/systemd/queuerunner/exim-queuerunner.timer11
-rw-r--r--src/system-integration/systemd/socket/exim.service16
-rw-r--r--src/system-integration/systemd/socket/exim.socket10
12 files changed, 217 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index 3fd0b2440..60b54b7df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-exim-*
+!/system-integration/
!/test/aux-fixed/exim-ca
*~
*.bak
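Review bot: The added negation `!/system-integration/` is anchored to the repository root, but every file this commit adds lives under `src/system-integration/`, so in this root `.gitignore` the line cannot un-ignore them; `!/src/system-integration/` would, if anything actually ignores that path in the first place. Removing `exim-*` also changes what is ignored repository-wide and leaves the following `!/test/aux-fixed/exim-ca` exception with no pattern to negate, unless another `exim-*` rule exists outside the hunk. The rest of the file is outside the hunk, so this is inferred from the four lines shown.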
diff --git a/src/system-integration/README.md b/src/system-integration/README.md
new file mode 100644
index 000000000..cac965ed5
--- /dev/null
+++ b/src/system-integration/README.md
@@ -0,0 +1,8 @@
+# System Integration
+
+Various systems use various ways to integrate Exim into the system,
+mainly for:
+
+- startup procedure
+- privilege separation
+- regular maintenance tasks
diff --git a/src/system-integration/systemd/README.md b/src/system-integration/systemd/README.md
new file mode 100644
index 000000000..5ac8e0af7
--- /dev/null
+++ b/src/system-integration/systemd/README.md
@@ -0,0 +1,67 @@
+# System Unit Examples for Exim
+
+This directory contains several examples for Systemd units to manage an Exim installation.
+There is room for improvement, so please share your ideas or setups that are proven to work
+in your environment.
+
+All the service units try to protect the system from unintentional
+writes to locations outside of Exim's spool, and log directories. You
+may need to override specific settings, we recommend using Systemd's
+override mechanism.
+
+## Daemon
+
+This is best suited for *average to high traffic systems*, as it engages
+all built-in Exim facilities, as queue runner management, and system load
+depended message processing.
+
+It starts the Exim main process. This process listens on the ports
+configured in the _runtime configuration_, and supervises all other
+activities, including management of queue runner startup (`exim -odf
+-q...`).
+
+For regular maintenance tasks (log rotation, database cleanup)
+additional units are required.
+
+## Socket
+
+This is best suited for *low traffic* systems, which experience a
+message *burst* from time to time. Regular desktop, and edge systems fit this
+pattern.
+
+Exim's start is delayed until the first connection. Once a connection is
+initiated, Exim starts a listener on the port configured in the [systemd
+socket unit](./socket/exim.socket) and waits for more connections, and exits after being idle
+(`exim -bw...`).
+
+Additional [_queue runner_ timer and service units](#queue-runner) are required.
+
+For regular maintenance tasks (log rotation, database cleanup)
+additional units are required.
+
+## Inetd-like Socket
+
+This is best suited for systems with *low traffic*, if the
+[socket](#socket) approach doesn't work.
+
+For each incoming connection a new Exim instance starts, handling
+exactly this connection and then exits. The listener port is configured
+in the [systemd socket unit](./inetd/exim.socket).
+
+Additional [_queue runner_ timer and service units](#queue-runner) are required.
+
+For regular maintenance tasks (log rotation, database cleanup)
+additional units are required.
+
+## Queue Runner
+
+This is a *timer*, and a service unit which starts Exim queue runner
+processes. This is necessary, as the socket activated Exim instances
+(from [socket](#socket) and [inetd](#inetd-like-socket))
+do not care once the first delivery attempt is done.
+
+## Maintenance
+
+This is a *timer* and triggers regular cleanup tasks.
+For security it is recommended to use the `User=` Systemd directive in a
+local override file.
diff --git a/src/system-integration/systemd/daemon/exim.service b/src/system-integration/systemd/daemon/exim.service
new file mode 100644
index 000000000..b4675919f
--- /dev/null
+++ b/src/system-integration/systemd/daemon/exim.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Exim MTA (daemon)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+Requires=network.target
+After=networking.target
+
+[Service]
+Environment=DAEMON_OPTS=
+Environment=QUEUE_OPTS=-q15m
+EnvironmentFile=-/etc/default/exim
+
+Type=exec
+ExecStart=exim -bdf $DAEMON_OPTS $QUEUE_OPTS
+ExecReload=kill -HUP ${MAINPID}
+
+ProtectSystem=strict
+ReadWriteDirectories=/var/spool/exim
+ReadWriteDirectories=/var/log/exim
+
+Slice=exim.slice
+
+[Install]
+WantedBy=multi-user.target
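Review bot: `After=networking.target` does not order against the unit that `Requires=network.target` pulls in, and `networking.target` is not a standard systemd target (Debian's ifupdown provides a `networking.service`), so the ordering line is likely a no-op and the daemon may bind before the network is configured; make the two lines agree with `After=network.target`, or use `Wants=network-online.target` plus `After=network-online.target` if the listener must not start before addresses are assigned. Since `ReadWriteDirectories=` hard-codes `/var/spool/exim` and `/var/log/exim`, a comment such as `# must match spool_directory and log_file_path in the runtime configuration` would tell operators what to adjust when `ProtectSystem=strict` makes Exim fail on a differently configured spool or log location.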
diff --git a/src/system-integration/systemd/inetd/exim.socket b/src/system-integration/systemd/inetd/exim.socket
new file mode 100644
index 000000000..f412c7aad
--- /dev/null
+++ b/src/system-integration/systemd/inetd/exim.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Exim MTA
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Socket]
+ListenStream=25
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
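Review bot: With `Accept=yes` every inbound connection spawns its own `exim@.service` instance, and the only bound on that is the socket's default `MaxConnections=` of 64, which a single peer can exhaust and thereby block all other senders. Adding `MaxConnectionsPerSource=` to the `[Socket]` section caps instances per source address; the value is site-specific, so the example should pick one and explain it in the README. `Description=Exim MTA` here also lacks the qualifier the sibling `socket/exim.socket` carries, which makes the two alternative socket units indistinguishable in `systemctl` output; `Description=Exim MTA (inetd socket)` would match the commit message.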
diff --git a/src/system-integration/systemd/inetd/exim@.service b/src/system-integration/systemd/inetd/exim@.service
new file mode 100644
index 000000000..b4a638ebe
--- /dev/null
+++ b/src/system-integration/systemd/inetd/exim@.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Exim MTA (socket activated)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+Type=exec
+ExecStart=exim -bs
+
+StandardInput=socket
+StandardError=journal
+
+# Don't kill the delivery process we spawned as a child
+KillMode=process
+
+ProtectSystem=strict
+ReadWriteDirectories=/var/spool/exim
+ReadWriteDirectories=/var/log/exim
+
+Slice=exim.slice
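Review bot: `Description=Exim MTA (socket activated)` is identical to the description in `socket/exim.service`, so journal entries and `systemctl` listings cannot tell the inetd-mode instances apart from the `-bw` listener; the commit message already distinguishes the two, so `Description=Exim MTA (socket activated, inetd mode)` would carry that into the unit. The `KillMode=process` comment is the one place in this series that explains a hardening trade-off, and the same explanation is worth a sentence in the README so operators know why delivery children outlive the unit.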
diff --git a/src/system-integration/systemd/maintenance/exim-maintenance.service b/src/system-integration/systemd/maintenance/exim-maintenance.service
new file mode 100644
index 000000000..4883829f9
--- /dev/null
+++ b/src/system-integration/systemd/maintenance/exim-maintenance.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Exim MTA (maintenance)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+Type=oneshot
+ExecReload=kill -HUP ${MAINPID}
+
+ExecStart=sh -ec 'cd "`exim -n -bP spool_directory`" \
+ && for db in db/retry db/misc db/wait-* db/callout db/tls; \
+ do \
+ [ "$${db##*.}" = lockfile ] && continue; \
+ test -f "$$db" || continue; \
+ exim_tidydb $PWD "$${db##*/}"; \
+ done'
+
+ProtectSystem=strict
+ReadWriteDirectories=/var/spool/exim
+
+Slice=exim.slice
+
+[Install]
+WantedBy=multi-user.target
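Review bot: `$PWD` in `exim_tidydb $PWD "$${db##*/}"` is the only shell variable in the script not escaped as `$$`, so systemd substitutes it from the service's environment before `sh` runs; `PWD` is not normally set there, the word expands to nothing, and `exim_tidydb` receives the database name as its spool-directory argument with no database name at all. Write it as `exim_tidydb "$$PWD" "$${db##*/}"` (or use `.` after the `cd`) like the other variables. `ExecReload=kill -HUP ${MAINPID}` is meaningless for a `Type=oneshot` unit, which has no main process to signal once it finishes, and `WantedBy=multi-user.target` makes the cleanup also run at boot even though `exim-maintenance.timer` already schedules it and the sibling `exim-queuerunner.service` has no `[Install]` section; dropping both keeps the unit purely timer-driven.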
diff --git a/src/system-integration/systemd/maintenance/exim-maintenance.timer b/src/system-integration/systemd/maintenance/exim-maintenance.timer
new file mode 100644
index 000000000..bd192cd07
--- /dev/null
+++ b/src/system-integration/systemd/maintenance/exim-maintenance.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Exim MTA (maintenance timer)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Timer]
+OnActiveSec=1h
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target
diff --git a/src/system-integration/systemd/queuerunner/exim-queuerunner.service b/src/system-integration/systemd/queuerunner/exim-queuerunner.service
new file mode 100644
index 000000000..81116fff9
--- /dev/null
+++ b/src/system-integration/systemd/queuerunner/exim-queuerunner.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Exim MTA (queue runner service)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+ExecStart=exim -q
+
+ProtectSystem=strict
+ReadWriteDirectories=/var/spool/exim
+ReadWriteDirectories=/var/log/exim
+
+Slice=exim.slice
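Review bot: The unit has no `Type=`, so it runs as `Type=simple` while the sibling timer-driven `exim-maintenance.service` uses `Type=oneshot`; for a job that is started by `exim-queuerunner.timer` and exits when the run is complete, `Type=oneshot` is the conventional choice, keeps the two units consistent, and makes `systemctl start exim-queuerunner` block until the run has finished so failures surface to the caller. Whether `exim -q` itself stays in the foreground is not shown in the hunk, so confirm against the Exim documentation before changing it.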
diff --git a/src/system-integration/systemd/queuerunner/exim-queuerunner.timer b/src/system-integration/systemd/queuerunner/exim-queuerunner.timer
new file mode 100644
index 000000000..6988b7c29
--- /dev/null
+++ b/src/system-integration/systemd/queuerunner/exim-queuerunner.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Exim MTA (queue runner timer)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Timer]
+OnActiveSec=120
+OnUnitActiveSec=15m
+
+[Install]
+WantedBy=timers.target
diff --git a/src/system-integration/systemd/socket/exim.service b/src/system-integration/systemd/socket/exim.service
new file mode 100644
index 000000000..d708b1f3b
--- /dev/null
+++ b/src/system-integration/systemd/socket/exim.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Exim MTA (socket activated)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+Environment=INACTIVITY_TIMEOUT=5m
+ExecStart=exim -bw${INACTIVITY_TIMEOUT}
+StandardInput=socket
+StandardError=journal
+
+ProtectSystem=strict
+ReadWriteDirectories=/var/spool/exim
+ReadWriteDirectories=/var/log/exim
+
+Slice=exim.slice
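Review bot: `exim -bw` exits on its own after `INACTIVITY_TIMEOUT`, and with the default `KillMode=control-group` systemd then sends SIGTERM to every process left in the unit's cgroup, which presumably includes delivery children the listener forked for connections it accepted, the very situation `inetd/exim@.service` avoids with `KillMode=process`; unless the `-bw` listener waits for its children before exiting (not visible here), the same `KillMode=process` line and its comment belong in this unit as well. `Description=Exim MTA (socket activated)` also duplicates the description in `inetd/exim@.service`, so the two variants cannot be told apart in `systemctl` output.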
diff --git a/src/system-integration/systemd/socket/exim.socket b/src/system-integration/systemd/socket/exim.socket
new file mode 100644
index 000000000..8b3876663
--- /dev/null
+++ b/src/system-integration/systemd/socket/exim.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=Exim MTA (socket)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Socket]
+ListenStream=25
+
+[Install]
+WantedBy=sockets.target