chore: add carbonio-mta.slice to PKGBUILD

mta/PKGBUILD

@@ -54,6 +54,7 @@ source=(
   "carbonio-mta-sidecar.service"
   "carbonio-mta.hcl"
   "carbonio-mta.sh"
+  "carbonio-mta.slice"
   "carbonio-mta.target"
   "intentions.json"
   "policies.json"
@@ -67,9 +68,10 @@ source=(
 
 sha256sums=(
   'de81be5f1bb32a01b6e7ec31686ea49935adc5120500729318e66f84639dead7'
-  'db832d544723e9e8b26b63bfc05d8e3e12799f30bb233bbd9426751761484ca5'
+  '17ae1dd79c04045709adcc6be9a54b0c30236b2a5f88c20ed5d14b3a16404b9d'
   'f45c5c1150c2fe1b5bbb8936e746c9073659e2491eec96891b667c48d27e2779'
   '7fa8be2620f890a41f9939e72c6f9b45df5a5145f319e3c08b1cd23399e1276c'
+  '6d8cc0dc0ef0615dec2428cc57e3b3653cc240d18611bb52134269e9267b2c48'
   '4599ec6711a850b73ee453c187f3629e3a7b31b460e9bec109496db8832bea2f'
   '87e996a4e37d29d0f575e987faf5166d33a2f4970041b6c880702a41566d3315'
   '240157c8b9bbd1686abd45f5936ccbaf4a63aeab2414b551a6ff6b70de9b4524'
@@ -125,6 +127,8 @@ package() {
   # systemd units and target
   mkdir -p "${pkgdir}/usr/lib/systemd/system/carbonio.target.wants"
   mkdir "${pkgdir}/usr/lib/systemd/system/${pkgname}.target.wants"
+  install -Dm644 "${pkgname}.slice" \
+    "${pkgdir}/usr/lib/systemd/system/${pkgname}.slice"
   install -Dm644 "${pkgname}.target" \
     "${pkgdir}/usr/lib/systemd/system/${pkgname}.target"
   ln -sf "/usr/lib/systemd/system/${pkgname}.target" \

mta/carbonio-mta-sidecar.service

@@ -1,21 +1,42 @@
 [Unit]
-Description=Carbonio MTA sidecar proxy
+Description=Carbonio MTA Sidecar
 Documentation=https://docs.zextras.com/
 Requires=network-online.target
 After=network-online.target
 PartOf=carbonio-mta.target
 
 [Service]
+Slice=carbonio-mta.slice
 User=carbonio-mta
 ExecStart=/usr/bin/consul connect envoy \
     -token-file /etc/carbonio/mta/service-discover/token \
     -admin-bind localhost:0 \
     -sidecar-for carbonio-mta
-ExecReload=/usr/bin/kill -HUP $MAINPID
 Restart=on-failure
-RestartSec=15
+RestartSec=15s
+ExecReload=/usr/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 LimitNOFILE=65536
 
+# Security hardening (strict)
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+SystemCallArchitectures=native
+ProtectHostname=yes
+ProtectClock=yes
+
 [Install]
 WantedBy=multi-user.target

mta/carbonio-mta.slice

@@ -0,0 +1,29 @@
+[Unit]
+Description=Carbonio MTA Slice
+Documentation=man:systemd.slice(5)
+Before=slices.target
+PartOf=carbonio-mta.target
+StopWhenUnneeded=yes
+
+[Slice]
+# MTA services: postfix, milter, mailthreat, opendkim, saslauthd, policyd
+# Mail processing requires good I/O performance
+#
+# Scaling guide:
+#   Small  (8GB RAM):   ~1.2GB effective (15% of 8GB)
+#   Medium (32GB RAM):  ~4.8GB effective (15% of 32GB)
+#   Large  (64GB RAM):  ~9.6GB effective (15% of 64GB)
+
+# Memory controls - percentage-based for automatic scaling
+MemoryMax=15%
+MemoryHigh=12%
+
+# CPU weight: high priority for mail flow
+CPUWeight=80
+
+# I/O weight: highest priority (mail queue disk operations)
+IOWeight=100
+
+# Process/thread limit
+# Postfix spawns processes per connection; scale with mail volume
+TasksMax=2048