Set & use Redis password

2023-09-27 12:03:17 -07:00 · 2023-09-27 12:03:17 -07:00 · c87fb3f639
parent d10830785b
commit c87fb3f639
2 changed files with 25 additions and 2 deletions
--- a/mail-server.nix
+++ b/mail-server.nix
@ -258,6 +258,10 @@ in {
    ];

    virtualisation.arion.projects.mail-server.settings = let
+      redisPasswdFile =
+        pkgs.lib.passwd.stablerandom-password-file "mail-server-redis-passwd"
+        config.instance.build-seed;
+
      image = { pkgs, ... }: {
        project.name = "mail-server";
        networks = {
@ -401,6 +405,7 @@ in {
              ];
              capabilities.SYS_ADMIN = true;
              depends_on = [ "antivirus" "redis" ];
+              volumes = [ "${redisPasswdFile}:/run/redis.passwd" ];
            };
            nixos = {
              useSystemd = true;
@ -419,6 +424,7 @@ in {
                    host = "antivirus";
                    port = antivirusPort;
                  };
+                  redis.password-file = "/run/redis.passwd";
                };
              };
            };
@ -469,7 +475,10 @@ in {
          };
          redis = {
            service = {
-              volumes = [ "${cfg.state-directory}/redis:/var/lib/redis" ];
+              volumes = [
+                "${cfg.state-directory}/redis:/var/lib/redis"
+                "${redisPasswdFile}:/run/redis/passwd"
+              ];
              networks = [ "redis_network" ];
            };
            nixos = {
@ -482,6 +491,7 @@ in {
                  # null -> all
                  bind = null;
                  port = 6379;
+                  requirePassFile = "/run/redis/passwd";
                };
              };
            };
--- a/rspamd.nix
+++ b/rspamd.nix
@ -37,6 +37,11 @@ in {
        description = "Port at which to reach ClamAV";
      };
    };
+
+    redis.password-file = {
+      type = str;
+      description = "Password with which to connect to Redis.";
+    };
  };

  config = mkIf cfg.enable {
@ -46,7 +51,8 @@ in {
      port = cfg.ports.metrics;
    };

-    services.rspamd = {
+    services.rspamd = let redisPasswd = readFile cfg.redis.password-file;
+    in {
      enable = true;

      locals = {
@ -59,6 +65,7 @@ in {
            type = "clamav";
            log_clean = true;
            servers = "${cfg.antivirus.host}:${toString cfg.antivirus.port}";
+            password = "${redisPasswd}";
            scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
          }
        '';
@ -79,6 +86,7 @@ in {
        "dmark.conf".text = ''
          dmarc = {
            servers = "redis";
+            password = "${redisPasswd}";
          }
        '';

@ -86,6 +94,7 @@ in {
          enabled = true;

          servers = "redis";
+          password = "${redisPasswd}";

          timeout = 10.0;

@ -102,6 +111,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
+                password = "${redisPasswd}";
              }

              symbol = "IP_REPUTATION";
@ -111,6 +121,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
+                password = "${redisPasswd}";
              }

              symbol = "SPF_REPUTATION";
@ -120,6 +131,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
+                password = "${redisPasswd}";
              }

              symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
@ -130,6 +142,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
+                password = "${redisPasswd}";
              }

              symbol = "GENERIC_REPUTATION";