From 3b6ef967f3ff3f9c86ac0b406f2b1513f7b56c5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 29 Nov 2020 12:51:53 +0100
Subject: [PATCH] nixos/rspamd: fix postfix integration
---
 nixos/modules/services/mail/rspamd.nix | 7 +++-
 nixos/tests/rspamd.nix | 58 ++++++++++++++------------
 2 files changed, 38 insertions(+), 27 deletions(-)
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index 07ef5461d05..515e2880056 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@@ -371,6 +371,9 @@ in
 };
 services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
+ systemd.services.postfix.serviceConfig.SupplementaryGroups =
+ mkIf cfg.postfix.enable [ postfixCfg.group ];
+
 # Allow users to run 'rspamc' and 'rspamadm'.
 environment.systemPackages = [ pkgs.rspamd ];
@@ -399,6 +402,7 @@ in
 User = "${cfg.user}";
 Group = "${cfg.group}";
+ SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
 RuntimeDirectory = "rspamd";
 RuntimeDirectoryMode = "0755";
@@ -413,7 +417,8 @@ in
 PrivateDevices = true;
 PrivateMounts = true;
 PrivateTmp = true;
- PrivateUsers = true;
+ # we need to chown socket to rspamd-milter
+ PrivateUsers = !cfg.postfix.enable;
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHome = true;
diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix
index bf3f0de6204..e461fc834a8 100644
--- a/nixos/tests/rspamd.nix
+++ b/nixos/tests/rspamd.nix
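Review bot: `PrivateUsers = !cfg.postfix.enable;` in the third hunk switches off the user-namespace sandbox for every deployment that turns on the postfix integration, and the one-line comment above it does not say what is being given up or why; it should read something like `# PrivateUsers maps foreign UIDs/GIDs to nobody, so the milter socket cannot be chowned to postfix's group; disabled (weaker sandbox) only when postfix integration is on`. It is worth checking whether the trade-off is needed at all: keeping the milter socket group-owned by `cfg.group` and letting the postfix side join that group would mirror the `SupplementaryGroups` line added to the rspamd unit in the second hunk while leaving `PrivateUsers = true`, assuming postfix's worker processes retain the unit's supplementary groups, which I cannot confirm from here. Relatedly, the first hunk's `systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];` appears to add postfix's own group to the postfix unit; if `postfixCfg.group` is that unit's primary group this is a no-op and `cfg.group` may have been intended. The enclosing `config` attribute set begins and ends outside these hunks.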
@@ -13,10 +13,12 @@ let machine.succeed("id rspamd >/dev/null") ''; checkSocket = socket: user: group: mode: '' - machine.succeed("ls ${socket} >/dev/null") - machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]') - machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]') - machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]') + machine.succeed( + "ls ${socket} >/dev/null", + '[[ "$(stat -c %U ${socket})" == "${user}" ]]', + '[[ "$(stat -c %G ${socket})" == "${group}" ]]', + '[[ "$(stat -c %a ${socket})" == "${mode}" ]]', + ) ''; simple = name: enableIPv6: makeTest { name = "rspamd-${name}"; 
@@ -54,33 +56,35 @@ in services.rspamd = { enable = true; workers.normal.bindSockets = [{ - socket = "/run/rspamd.sock"; + socket = "/run/rspamd/rspamd.sock"; mode = "0600"; - owner = "root"; - group = "root"; + owner = "rspamd"; + group = "rspamd"; }]; workers.controller.bindSockets = [{ - socket = "/run/rspamd-worker.sock"; + socket = "/run/rspamd/rspamd-worker.sock"; mode = "0666"; - owner = "root"; - group = "root"; + owner = "rspamd"; + group = "rspamd"; }]; }; }; testScript = '' ${initMachine} - machine.wait_for_file("/run/rspamd.sock") - ${checkSocket "/run/rspamd.sock" "root" "root" "600" } - ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } + machine.wait_for_file("/run/rspamd/rspamd.sock") + ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" } + ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" } machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) machine.log( machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") ) machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")) - machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat")) + machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat")) machine.log( - machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping") + machine.succeed( + "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping" + ) ) ''; }; @@ -91,16 +95,16 @@ in services.rspamd = { enable = true; workers.normal.bindSockets = [{ - socket = "/run/rspamd.sock"; + socket = "/run/rspamd/rspamd.sock"; mode = "0600"; - owner = "root"; - group = "root"; + owner = "rspamd"; + group = "rspamd"; }]; workers.controller.bindSockets = [{ - socket = "/run/rspamd-worker.sock"; + socket = "/run/rspamd/rspamd-worker.sock"; mode = "0666"; - owner = "root"; - group = "root"; + owner = "rspamd"; + group = "rspamd"; }]; workers.controller2 = { type = "controller"; 
@@ -116,9 +120,9 @@ in testScript = '' ${initMachine} - machine.wait_for_file("/run/rspamd.sock") - ${checkSocket "/run/rspamd.sock" "root" "root" "600" } - ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } + machine.wait_for_file("/run/rspamd/rspamd.sock") + ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" } + ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" } machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) machine.log( machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") @@ -137,9 +141,11 @@ in machine.wait_until_succeeds( "journalctl -u rspamd | grep -i 'starting controller process' >&2" ) - machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat")) + machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat")) machine.log( - machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping") + machine.succeed( + "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping" + ) ) machine.log(machine.succeed("curl http://localhost:11335/ping")) '';
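Review bot: None of the updated test cases sets `services.rspamd.postfix.enable = true`, so the behaviour this commit is fixing — the milter socket being chowned to postfix's group with `PrivateUsers` off — is never exercised; the rewritten assertions in this hunk only verify the default normal/controller sockets under `/run/rspamd`. A third `makeTest` that enables `services.postfix.enable` and `services.rspamd.postfix.enable`, then uses the existing `checkSocket` helper on the milter socket (its path is configured in the module, not visible here) and confirms postfix can connect to it, would pin the actual change and catch a future regression if `PrivateUsers` handling is revisited. The `makeTest` call this `testScript` belongs to starts outside the hunk.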