Set & use Redis password

2023-09-27 12:03:17 -07:00 · 2023-09-27 12:03:17 -07:00 · c87fb3f639
parent d10830785b
commit c87fb3f639
2 changed files with 25 additions and 2 deletions
--- a/mail-server.nix
+++ b/mail-server.nix
@ -258,6 +258,10 @@ in {
    ];
    virtualisation.arion.projects.mail-server.settings = let
      redisPasswdFile =
        pkgs.lib.passwd.stablerandom-password-file "mail-server-redis-passwd"
        config.instance.build-seed;
      image = { pkgs, ... }: {
        project.name = "mail-server";
        networks = {
@ -401,6 +405,7 @@ in {
              ];
              capabilities.SYS_ADMIN = true;
              depends_on = [ "antivirus" "redis" ];
              volumes = [ "${redisPasswdFile}:/run/redis.passwd" ];
            };
            nixos = {
              useSystemd = true;
@ -419,6 +424,7 @@ in {
                    host = "antivirus";
                    port = antivirusPort;
                  };
                  redis.password-file = "/run/redis.passwd";
                };
              };
            };
@ -469,7 +475,10 @@ in {
          };
          redis = {
            service = {
-              volumes = [ "${cfg.state-directory}/redis:/var/lib/redis" ];
+              volumes = [
                "${cfg.state-directory}/redis:/var/lib/redis"
                "${redisPasswdFile}:/run/redis/passwd"
              ];
              networks = [ "redis_network" ];
            };
            nixos = {
@ -482,6 +491,7 @@ in {
                  # null -> all
                  bind = null;
                  port = 6379;
                  requirePassFile = "/run/redis/passwd";
                };
              };
            };
--- a/rspamd.nix
+++ b/rspamd.nix
@ -37,6 +37,11 @@ in {
        description = "Port at which to reach ClamAV";
      };
    };
    redis.password-file = {
      type = str;
      description = "Password with which to connect to Redis.";
    };
  };
  config = mkIf cfg.enable {
@ -46,7 +51,8 @@ in {
      port = cfg.ports.metrics;
    };
-    services.rspamd = {
+    services.rspamd = let redisPasswd = readFile cfg.redis.password-file;
    in {
      enable = true;
      locals = {
@ -59,6 +65,7 @@ in {
            type = "clamav";
            log_clean = true;
            servers = "${cfg.antivirus.host}:${toString cfg.antivirus.port}";
            password = "${redisPasswd}";
            scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
          }
        '';
@ -79,6 +86,7 @@ in {
        "dmark.conf".text = ''
          dmarc = {
            servers = "redis";
            password = "${redisPasswd}";
          }
        '';
@ -86,6 +94,7 @@ in {
          enabled = true;
          servers = "redis";
          password = "${redisPasswd}";
          timeout = 10.0;
@ -102,6 +111,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
                password = "${redisPasswd}";
              }
              symbol = "IP_REPUTATION";
@ -111,6 +121,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
                password = "${redisPasswd}";
              }
              symbol = "SPF_REPUTATION";
@ -120,6 +131,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
                password = "${redisPasswd}";
              }
              symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
@ -130,6 +142,7 @@ in {
              }
              backend "redis" {
                servers = "redis";
                password = "${redisPasswd}";
              }
              symbol = "GENERIC_REPUTATION";