nixos/rspamd: fix postfix integration
parent
9cca2eb4c8
commit
3b6ef967f3
@ -371,6 +371,9 @@ in
|
|||||||
};
|
};
|
||||||
services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
|
services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
|
||||||
|
|
||||||
|
systemd.services.postfix.serviceConfig.SupplementaryGroups =
|
||||||
|
mkIf cfg.postfix.enable [ postfixCfg.group ];
|
||||||
|
|
||||||
# Allow users to run 'rspamc' and 'rspamadm'.
|
# Allow users to run 'rspamc' and 'rspamadm'.
|
||||||
environment.systemPackages = [ pkgs.rspamd ];
|
environment.systemPackages = [ pkgs.rspamd ];
|
||||||
|
|
||||||
@ -399,6 +402,7 @@ in
|
|||||||
|
|
||||||
User = "${cfg.user}";
|
User = "${cfg.user}";
|
||||||
Group = "${cfg.group}";
|
Group = "${cfg.group}";
|
||||||
|
SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
|
||||||
|
|
||||||
RuntimeDirectory = "rspamd";
|
RuntimeDirectory = "rspamd";
|
||||||
RuntimeDirectoryMode = "0755";
|
RuntimeDirectoryMode = "0755";
|
||||||
@ -413,7 +417,8 @@ in
|
|||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateMounts = true;
|
PrivateMounts = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
PrivateUsers = true;
|
# we need to chown socket to rspamd-milter
|
||||||
|
PrivateUsers = !cfg.postfix.enable;
|
||||||
ProtectClock = true;
|
ProtectClock = true;
|
||||||
ProtectControlGroups = true;
|
ProtectControlGroups = true;
|
||||||
ProtectHome = true;
|
ProtectHome = true;
|
||||||
|
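Review bot: The comment added above `PrivateUsers = !cfg.postfix.enable;` does not explain why user namespacing has to be dropped, and the name it mentions (rspamd-milter) is not defined in any visible hunk. With `PrivateUsers=true` systemd maps only root and the unit's own user and group into the namespace, so a chown of the socket to any other group fails; that appears to be the reason, and the comment should say so, e.g. `# PrivateUsers maps all other uids/gids to nobody, so the milter socket could not be chowned to the postfix group`. The same switch also adds `SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];`, which makes the rspamd service a member of the postfix group. The option's description should state that enabling the integration both relaxes this sandbox setting and grants that group membership. The serviceConfig block starts and ends outside the hunk.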
@ -13,10 +13,12 @@ let
|
|||||||
machine.succeed("id rspamd >/dev/null")
|
machine.succeed("id rspamd >/dev/null")
|
||||||
'';
|
'';
|
||||||
checkSocket = socket: user: group: mode: ''
|
checkSocket = socket: user: group: mode: ''
|
||||||
machine.succeed("ls ${socket} >/dev/null")
|
machine.succeed(
|
||||||
machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]')
|
"ls ${socket} >/dev/null",
|
||||||
machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]')
|
'[[ "$(stat -c %U ${socket})" == "${user}" ]]',
|
||||||
machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]')
|
'[[ "$(stat -c %G ${socket})" == "${group}" ]]',
|
||||||
|
'[[ "$(stat -c %a ${socket})" == "${mode}" ]]',
|
||||||
|
)
|
||||||
'';
|
'';
|
||||||
simple = name: enableIPv6: makeTest {
|
simple = name: enableIPv6: makeTest {
|
||||||
name = "rspamd-${name}";
|
name = "rspamd-${name}";
|
||||||
@ -54,33 +56,35 @@ in
|
|||||||
services.rspamd = {
|
services.rspamd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
workers.normal.bindSockets = [{
|
workers.normal.bindSockets = [{
|
||||||
socket = "/run/rspamd.sock";
|
socket = "/run/rspamd/rspamd.sock";
|
||||||
mode = "0600";
|
mode = "0600";
|
||||||
owner = "root";
|
owner = "rspamd";
|
||||||
group = "root";
|
group = "rspamd";
|
||||||
}];
|
}];
|
||||||
workers.controller.bindSockets = [{
|
workers.controller.bindSockets = [{
|
||||||
socket = "/run/rspamd-worker.sock";
|
socket = "/run/rspamd/rspamd-worker.sock";
|
||||||
mode = "0666";
|
mode = "0666";
|
||||||
owner = "root";
|
owner = "rspamd";
|
||||||
group = "root";
|
group = "rspamd";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = ''
|
testScript = ''
|
||||||
${initMachine}
|
${initMachine}
|
||||||
machine.wait_for_file("/run/rspamd.sock")
|
machine.wait_for_file("/run/rspamd/rspamd.sock")
|
||||||
${checkSocket "/run/rspamd.sock" "root" "root" "600" }
|
${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
|
||||||
${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
|
${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
|
||||||
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
|
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
|
||||||
machine.log(
|
machine.log(
|
||||||
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
|
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
|
||||||
)
|
)
|
||||||
machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
|
machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
|
||||||
machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
|
machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
|
||||||
machine.log(
|
machine.log(
|
||||||
machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
|
machine.succeed(
|
||||||
|
"curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
|
||||||
|
)
|
||||||
)
|
)
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@ -91,16 +95,16 @@ in
|
|||||||
services.rspamd = {
|
services.rspamd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
workers.normal.bindSockets = [{
|
workers.normal.bindSockets = [{
|
||||||
socket = "/run/rspamd.sock";
|
socket = "/run/rspamd/rspamd.sock";
|
||||||
mode = "0600";
|
mode = "0600";
|
||||||
owner = "root";
|
owner = "rspamd";
|
||||||
group = "root";
|
group = "rspamd";
|
||||||
}];
|
}];
|
||||||
workers.controller.bindSockets = [{
|
workers.controller.bindSockets = [{
|
||||||
socket = "/run/rspamd-worker.sock";
|
socket = "/run/rspamd/rspamd-worker.sock";
|
||||||
mode = "0666";
|
mode = "0666";
|
||||||
owner = "root";
|
owner = "rspamd";
|
||||||
group = "root";
|
group = "rspamd";
|
||||||
}];
|
}];
|
||||||
workers.controller2 = {
|
workers.controller2 = {
|
||||||
type = "controller";
|
type = "controller";
|
||||||
@ -116,9 +120,9 @@ in
|
|||||||
|
|
||||||
testScript = ''
|
testScript = ''
|
||||||
${initMachine}
|
${initMachine}
|
||||||
machine.wait_for_file("/run/rspamd.sock")
|
machine.wait_for_file("/run/rspamd/rspamd.sock")
|
||||||
${checkSocket "/run/rspamd.sock" "root" "root" "600" }
|
${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
|
||||||
${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
|
${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
|
||||||
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
|
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
|
||||||
machine.log(
|
machine.log(
|
||||||
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
|
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
|
||||||
@ -137,9 +141,11 @@ in
|
|||||||
machine.wait_until_succeeds(
|
machine.wait_until_succeeds(
|
||||||
"journalctl -u rspamd | grep -i 'starting controller process' >&2"
|
"journalctl -u rspamd | grep -i 'starting controller process' >&2"
|
||||||
)
|
)
|
||||||
machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
|
machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
|
||||||
machine.log(
|
machine.log(
|
||||||
machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
|
machine.succeed(
|
||||||
|
"curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
|
||||||
|
)
|
||||||
)
|
)
|
||||||
machine.log(machine.succeed("curl http://localhost:11335/ping"))
|
machine.log(machine.succeed("curl http://localhost:11335/ping"))
|
||||||
'';
|
'';
|
||||||
|
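Review bot: None of the visible test hunks sets `services.rspamd.postfix.enable`, so the branch this commit changes (`PrivateUsers = !cfg.postfix.enable` and the two `SupplementaryGroups` settings) is not exercised by the updated tests. A case that turns the integration on and runs the milter socket through `checkSocket` with its expected owner, group and mode would catch a regression in the chown or in the group membership. Whether such a case exists elsewhere in the test file cannot be seen from these hunks.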