From 86d8b31e00b267f0ed67798e966c16ef06faf9ba Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Wed, 24 Mar 2021 13:13:47 +0300
Subject: [PATCH 1/2] nixos/redis: add option unixSocketPerm
---
 nixos/modules/services/databases/redis.nix | 10 ++++++++--
 nixos/tests/redis.nix | 2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 117e6366225..b5921a6dead 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -88,6 +88,13 @@ in
 example = "/run/redis/redis.sock";
 };
+ unixSocketPerm = mkOption {
+ type = types.int;
+ default = 750;
+ description = "Change permissions for the socket";
+ example = 700;
+ };
+
 logLevel = mkOption {
 type = types.str;
 default = "notice"; # debug, verbose, notice, warning
@@ -204,7 +211,6 @@ in
 '';
 example = literalExample ''
 {
- unixsocketperm = "700";
 loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ];
 }
 '';
@@ -256,7 +262,7 @@ in
 slowlog-max-len = cfg.slowLogMaxLen;
 }
 (mkIf (cfg.bind != null) { bind = cfg.bind; })
- (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; })
+ (mkIf (cfg.unixSocket != null) { unixsocket = cfg.unixSocket; unixsocketperm = "${toString cfg.unixSocketPerm}"; })
 (mkIf (cfg.slaveOf != null) { slaveof = "${cfg.slaveOf.ip} ${cfg.slaveOf.port}"; })
 (mkIf (cfg.masterAuth != null) { masterauth = cfg.masterAuth; })
 (mkIf (cfg.requirePass != null) { requirepass = cfg.requirePass; })
diff --git a/nixos/tests/redis.nix b/nixos/tests/redis.nix
index ca171561435..79a7847414a 100644
--- a/nixos/tests/redis.nix
+++ b/nixos/tests/redis.nix
@@ -17,7 +17,7 @@ in
 services.redis.unixSocket = redisSocket;
 # Allow access to the unix socket for the "redis" group.
- services.redis.settings.unixsocketperm = "770";
+ services.redis.unixSocketPerm = 770;
 users.users."member" = {
 createHome = false;
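Review bot: `type = types.int` for `unixSocketPerm` admits values such as 8, 80 or 1000 that are not valid octal mode digits, so the module accepts settings that redis itself will refuse or misread (the value reaches redis as the text `unixsocketperm 750`, which redis parses as octal 0750). Narrowing to `type = types.ints.between 0 777;` catches the obviously wrong values, though not a stray 8 or 9 digit; a string option with `types.strMatching "[0-7]{3,4}"` would be exact at the cost of the int interface. The description should also say how the number is read and what the default means, e.g. `description = "Permissions of the unix socket as octal digits; the default 750 leaves it connectable only by the redis user, 770 also admits the redis group";`, since connecting to a unix socket needs write permission on it.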
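Review bot: In the third hunk the interpolation `"${toString cfg.unixSocketPerm}"` is just `toString cfg.unixSocketPerm`; the surrounding quotes add nothing. More importantly, `unixsocketperm` is now defined by the module itself whenever `unixSocket` is set, so a configuration that still sets `services.redis.settings.unixsocketperm` directly (the spelling the removed example and the old test used) presumably now fails with conflicting definitions instead of being honoured; if that spelling should keep working, use `unixsocketperm = mkDefault (toString cfg.unixSocketPerm);` so an explicit `settings` value wins, or state the migration in the option description. The `settings` merge list this line belongs to starts outside the hunk.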
From 9d4aaf236627f8b9d8556fc0ed834a9837b2e76b Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Wed, 24 Mar 2021 13:33:34 +0300
Subject: [PATCH 2/2] nixos/redis: allow access to runtime and state directories to only redis user
---
 nixos/modules/services/databases/redis.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index b5921a6dead..3ddc7aad81e 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -283,11 +283,18 @@ in
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/redis-server /run/redis/redis.conf";
- RuntimeDirectory = "redis";
- StateDirectory = "redis";
 Type = "notify";
+ # User and group
 User = "redis";
 Group = "redis";
+ # Runtime directory and mode
+ RuntimeDirectory = "redis";
+ RuntimeDirectoryMode = "0750";
+ # State directory and mode
+ StateDirectory = "redis";
+ StateDirectoryMode = "0700";
+ # Access write directories
+ UMask = "0077";
 };
 };
 };
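Review bot: The comments added in this hunk restate the option names rather than the intent; `# Access write directories` above `UMask = "0077"` does not tell a reader that, together with `StateDirectoryMode = "0700"`, every file the server creates under its state directory becomes private to the redis user, and `# User and group` above `User = "redis"` says nothing the next line does not. Something like `# Persistence files redis writes are created 0600: unreadable by group and others` on the UMask line would carry the reasoning. With `RuntimeDirectoryMode = "0750"` members of the redis group can still traverse `/run/redis` to a socket whose `unixSocketPerm` admits them, whereas any `unixSocketPerm` value that grants `other` access is silently ineffective because the directory blocks traversal, which is worth a sentence in that option's description. Whether systemd re-applies the new modes to a state directory that already exists from an earlier version should be confirmed before relying on this on upgraded hosts. The `serviceConfig` set is closed inside the hunk, but the enclosing `systemd.services.redis` definition starts outside it.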